{"id":13610506,"url":"https://github.com/Washi1337/ghidra-nativeaot","last_synced_at":"2025-04-12T22:34:02.940Z","repository":{"id":217068639,"uuid":"719768741","full_name":"Washi1337/ghidra-nativeaot","owner":"Washi1337","description":"Helper scripts for analyzing NativeAOT compiled .NET binaries with Ghidra","archived":false,"fork":false,"pushed_at":"2023-11-16T21:33:09.000Z","size":1349,"stargazers_count":68,"open_issues_count":0,"forks_count":4,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-12T21:52:14.126Z","etag":null,"topics":["dotnet","ghidra","ghidra-scripts","nativeaot"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Washi1337.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-16T21:31:06.000Z","updated_at":"2025-03-31T10:36:02.000Z","dependencies_parsed_at":null,"dependency_job_id":"a92d2746-0046-4f5e-840b-35497a633905","html_url":"https://github.com/Washi1337/ghidra-nativeaot","commit_stats":null,"previous_names":["washi1337/ghidra-nativeaot"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Washi1337%2Fghidra-nativeaot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Washi1337%2Fghidra-nativeaot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Washi1337%2Fghidra-nativeaot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Washi1337%2Fghidra-nativeaot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Washi1337","download_url":"https://codeload.github.com/Washi1337/ghidra-nativeaot/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248642224,"owners_count":21138349,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dotnet","ghidra","ghidra-scripts","nativeaot"],"created_at":"2024-08-01T19:01:45.363Z","updated_at":"2025-04-12T22:34:02.915Z","avatar_url":"https://github.com/Washi1337.png","language":"Java","funding_links":[],"categories":["Java"],"sub_categories":[],"readme":"# Ghidra + NativeAOT\r\n\r\nNativeAOT-compiled programs are binaries that have the .NET runtime as well as all the .NET metadata statically linked into a single binary that can run natively on the target host.\r\nBecause of the sheer amount of code and data, it can be difficult to analyze them sometimes.\r\nThis is why, since the release of NativeAOT, malware developers have taken an interest in using this technique not just for portability but also as a means of obfuscation.\r\n\r\nThis repo contains a collection of Ghidra scripts that may help in analyzing these types of files with Ghidra.\r\n\r\n## How to Use\r\n\r\nAdd the `src` folder of this repo to the Ghidra scripts folders.\r\nThe scripts should then appear in the Script Manager under the `NativeAOT` category.\r\n\r\n## Disclaimer \r\n\r\nThe scripts have been tested with Ghidra 10.4 and only on Windows x64 PEs and Linux x64 ELFs.\r\n\r\n\r\n## Contents\r\n\r\n### NativeAotStringFinder\r\n\r\nFinds and annotates string literals based on a provided Method Table address representing `System.String`.\r\n\r\n![](assets/string_finder.gif)\r\n\r\n\r\n### NativeAotMethodTableAnalyzer\r\n\r\nRecursively (but non-exhaustively) discovers and parses Method Tables (essentially .NET's version of types/vtables) based on an initial Method Table address.\r\n\r\n![](assets/mt_crawler.gif)\r\n\r\n\r\n## License\r\n\r\nMIT","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FWashi1337%2Fghidra-nativeaot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FWashi1337%2Fghidra-nativeaot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FWashi1337%2Fghidra-nativeaot/lists"}