https://github.com/AllsafeCyberSecurity/ghidra_scripts
Ghidra scripts for malware analysis
https://github.com/AllsafeCyberSecurity/ghidra_scripts
ghidra python reverse-engineering
Last synced: about 1 month ago
JSON representation
Ghidra scripts for malware analysis
- Host: GitHub
- URL: https://github.com/AllsafeCyberSecurity/ghidra_scripts
- Owner: AllsafeCyberSecurity
- Created: 2019-09-09T10:14:42.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2024-01-11T06:31:39.000Z (over 1 year ago)
- Last Synced: 2025-02-24T07:36:54.665Z (about 2 months ago)
- Topics: ghidra, python, reverse-engineering
- Language: Python
- Homepage:
- Size: 5.05 MB
- Stars: 91
- Watchers: 6
- Forks: 4
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-ghidra - ghidra_script by Allsafe - Ghidra scripts for malware analysis (Ghidra Scripts/Plugins/Extension)
README
# shellcode_hashes
shellcode_hashs was created inspired by a [script of the same name in flare](https://github.com/fireeye/flare-ida/tree/master/shellcode_hashes).
Find the name that matches the [hash](https://www.fireeye.com/blog/threat-research/2012/11/precalculated-string-hashes-reverse-engineering-shellcode.html) used in the shellcode.
Use the database created by flare script.
## sqlite2json.py
Since Ghidra could not import sqlite, I created a script to convert it to json.
Convert with the following command:
```
python sqlite2json.py
```
## shellcode_hash_search.py
Open the target shellcode and execute the script.
# non-zero_xor_search.py
Finds XOR instructions whose source and destination operands are not equivalent.
It is registered in the bookmark.
# coloring_call_jmp.py
Coloring of CALL and JMP instructions.
Color the following instructions
* CALL
* JE
* JZ
* JNE
* JNZ
* JA
* JAE
* JBE
* JB
* JL
* JLE
* JG
* JGE
# stackstrings.py
Deobfuscate stackstrings used by Godzilla Loader.
### before
### after
### console output
