{"id":13803421,"url":"https://github.com/Dump-GUY/ghidra_scripts","last_synced_at":"2025-05-13T15:33:27.396Z","repository":{"id":45838978,"uuid":"280526350","full_name":"Dump-GUY/ghidra_scripts","owner":"Dump-GUY","description":null,"archived":false,"fork":false,"pushed_at":"2023-09-04T17:16:51.000Z","size":913,"stargazers_count":71,"open_issues_count":1,"forks_count":10,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-05-13T14:06:22.967Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Dump-GUY.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-07-17T21:13:47.000Z","updated_at":"2025-04-17T00:36:48.000Z","dependencies_parsed_at":"2024-08-04T01:12:35.832Z","dependency_job_id":null,"html_url":"https://github.com/Dump-GUY/ghidra_scripts","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dump-GUY%2Fghidra_scripts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dump-GUY%2Fghidra_scripts/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dump-GUY%2Fghidra_scripts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dump-GUY%2Fghidra_scripts/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Dump-GUY","download_url":"https://codeload.github.com/Dump-GUY/ghidra_scripts/tar.gz/refs/heads/master","host":{"
name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253970613,"owners_count":21992533,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T01:00:31.840Z","updated_at":"2025-05-13T15:33:26.906Z","avatar_url":"https://github.com/Dump-GUY.png","language":"Python","readme":"# ghidra_scripts\nScripts for the Ghidra software reverse engineering suite.\nFor developing Python scripts in the context of Ghidra SRE, please visit the WIKI.\n\n## Installation\nCopy the script into your Ghidra script directory, for example $USER_HOME/ghidra_scripts.\n\n## tiny_tracer_tag_annotate.py\nThe tags generated by Tiny Tracer are helpful in deobfuscating obfuscated API calls.\u003cbr/\u003e\nThis script annotates and bookmarks the code with the tags produced by the Tiny Tracer tool.\u003cbr/\u003e\nTiny Tracer repo: https://github.com/hasherezade/tiny_tracer.\u003cbr/\u003e\nTested on Tiny Tracer version 1.4\n\nHow to use:\u003cbr/\u003e\nRun the script via the Ghidra Script Manager and import the relevant .tag file for the analyzed sample, as produced by Tiny Tracer.\n\nGhidra annotated Graph_View:\n\n![Ghidra annotated Graph view](/Images/GHIDRA_GRAPHVIEW_annotated.PNG)\n\n\nGhidra annotated Listing_View and Bookmarks:\n\n![Ghidra annotated_Listing_bookmark_view](/Images/GHIDRA_listing%20view_bookmarks_annotated.PNG)\n\n\n\n## CAPA_Importer.py\nThis script works with exported .txt or .json results of the CAPA tool.\u003cbr/\u003e\nCapa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do.\u003cbr/\u003e\nFor example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.\u003cbr/\u003e\nCAPA repo: https://github.com/fireeye/capa\u003cbr/\u003e\nCAPA blog post: https://www.fireeye.com/blog/threat-research/2020/07/capa-automatically-identify-malware-capabilities.html\n\nThe script \"CAPA_Importer.py\" annotates the code with the Capability (as a PRE_COMMENT) and bookmarks it with the Capability, matched RVA location and Scope. If more than one Capability is reported for the same RVA, the script adds an annotation for each capability at that RVA in the code and \u003cbr/\u003e\nalso edits the bookmark, so the bookmark for that location (RVA) lists all Capabilities.\u003cbr/\u003e\nIf a matched capability in the CAPA result has scope 'file', no annotation (PRE_COMMENT) is added to the code; a bookmark is created with RVA = ImageBase.\u003cbr/\u003e\nTested on CAPA version 1.0.0 - 1.2.0\u003cbr/\u003e\n\u003cbr/\u003e\n\nHow to use:\u003cbr/\u003e\nAnalyze the sample with CAPA.\u003cbr/\u003e\nExample 1: CAPA -v malware.exe \u003e exported.txt\u003cbr/\u003e\nExample 2: CAPA -j malware.exe \u003e exported.json\u003cbr/\u003e\nThe '-v' parameter must be present on the command line to export Capa results in the supported text format.\u003cbr/\u003e\nThe '-j' parameter must be present on the command line to export Capa results in the supported JSON format.\u003cbr/\u003e\nRun this script and import exported.txt or exported.json; it will annotate (with PRE_COMMENT) and bookmark the code with the Capability, matched RVA location and Scope.\n\u003cbr/\u003e\nIf no PRE_COMMENT is shown in the Decompile window or Graph window --\u003e check that the option \"Display PRE comments\" is enabled in the relevant window.\n\nGhidra annotated Listing view, Decompile view and Bookmarks (1):\n\n![Ghidra annotated Listing view](/Images/CAPA_Importer_All_in_one_view.PNG)\n\n\nGhidra annotated Listing view, Decompile view and Bookmarks (2):\n\n![Ghidra annotated Listing view2](/Images/CAPA_Importer_All_in_one_view2.PNG)\n\n\n\nGhidra annotated Function Graph view and Bookmarks:\n\n![Ghidra annotated Graph view](/Images/CAPA_Importer_Graph_Bookmarks_view.PNG)\n\n\n","funding_links":[],"categories":["Ghidra Scripts/Plugins/Extension"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDump-GUY%2Fghidra_scripts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FDump-GUY%2Fghidra_scripts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDump-GUY%2Fghidra_scripts/lists"}