Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/AllsafeCyberSecurity/ghidra_scripts

Ghidra scripts for malware analysis
https://github.com/AllsafeCyberSecurity/ghidra_scripts

ghidra python reverse-engineering

Last synced: 3 months ago
JSON representation

Ghidra scripts for malware analysis

Host: GitHub
URL: https://github.com/AllsafeCyberSecurity/ghidra_scripts
Owner: AllsafeCyberSecurity
Created: 2019-09-09T10:14:42.000Z (almost 5 years ago)
Default Branch: master
Last Pushed: 2024-01-11T06:31:39.000Z (6 months ago)
Last Synced: 2024-01-22T15:54:54.602Z (5 months ago)
Topics: ghidra, python, reverse-engineering
Language: Python
Homepage:
Size: 5.05 MB
Stars: 72
Watchers: 6
Forks: 4
Open Issues: 0
Metadata Files:
- Readme: README.md

Lists

awesome-ida-x64-olly-plugin - Ghidra Scripts 2
awesome-ghidra - ghidra_script by Allsafe - Ghidra scripts for malware analysis (Ghidra Scripts/Plugins/Extension)
awesome-ida-x64-olly-plugin - Ghidra Scripts 2

README

# shellcode_hashes

shellcode_hashs was created inspired by a [script of the same name in flare](https://github.com/fireeye/flare-ida/tree/master/shellcode_hashes).
Find the name that matches the [hash](https://www.fireeye.com/blog/threat-research/2012/11/precalculated-string-hashes-reverse-engineering-shellcode.html) used in the shellcode.
Use the database created by flare script.

## sqlite2json.py
Since Ghidra could not import sqlite, I created a script to convert it to json.
Convert with the following command:
```
python sqlite2json.py
```

## shellcode_hash_search.py

Open the target shellcode and execute the script.

![ch03_shellcodehash](https://user-images.githubusercontent.com/18203311/64575824-a5bf6700-d3b0-11e9-8294-c6b045c127a5.png)

![ch03_shellcodehash_decompile](https://user-images.githubusercontent.com/18203311/64575814-9c35ff00-d3b0-11e9-8cb8-3b686ae553a9.png)

# non-zero_xor_search.py
Finds XOR instructions whose source and destination operands are not equivalent.
It is registered in the bookmark.

![ch03_non-zero_xor](https://user-images.githubusercontent.com/18203311/64575818-9fc98600-d3b0-11e9-8732-bccf8d0e3c1f.png)

# coloring_call_jmp.py

Coloring of CALL and JMP instructions.
Color the following instructions
* CALL　
* JE
* JZ
* JNE
* JNZ
* JA
* JAE
* JBE
* JB
* JL
* JLE
* JG
* JGE

![ch03_coloring_call_jmp](https://user-images.githubusercontent.com/18203311/64575795-87596b80-d3b0-11e9-847b-f46ab6aefa4b.png)

# stackstrings.py

Deobfuscate stackstrings used by Godzilla Loader.

### before
![stackstrings_execute_before](https://user-images.githubusercontent.com/18203311/65371013-13fe0680-dc9a-11e9-910a-37329767a26a.png)

### after
![stackstrings_execute_after](https://user-images.githubusercontent.com/18203311/65371015-15c7ca00-dc9a-11e9-80c2-5028a8c3d03f.png)

### console output
![stackstrings_console_result](https://user-images.githubusercontent.com/18203311/65371016-16f8f700-dc9a-11e9-981c-552a7e9152a4.png)