Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/allsafecybersecurity/ghidra_scripts
Ghidra scripts for malware analysis
https://github.com/allsafecybersecurity/ghidra_scripts
ghidra python reverse-engineering
Last synced: about 2 months ago
JSON representation
Ghidra scripts for malware analysis
- Host: GitHub
- URL: https://github.com/allsafecybersecurity/ghidra_scripts
- Owner: AllsafeCyberSecurity
- Created: 2019-09-09T10:14:42.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2024-01-11T06:31:39.000Z (12 months ago)
- Last Synced: 2024-10-28T00:02:02.805Z (about 2 months ago)
- Topics: ghidra, python, reverse-engineering
- Language: Python
- Homepage:
- Size: 5.05 MB
- Stars: 89
- Watchers: 6
- Forks: 4
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# shellcode_hashes
shellcode_hashs was created inspired by a [script of the same name in flare](https://github.com/fireeye/flare-ida/tree/master/shellcode_hashes).
Find the name that matches the [hash](https://www.fireeye.com/blog/threat-research/2012/11/precalculated-string-hashes-reverse-engineering-shellcode.html) used in the shellcode.
Use the database created by flare script.## sqlite2json.py
Since Ghidra could not import sqlite, I created a script to convert it to json.
Convert with the following command:
```
python sqlite2json.py
```## shellcode_hash_search.py
Open the target shellcode and execute the script.
![ch03_shellcodehash](https://user-images.githubusercontent.com/18203311/64575824-a5bf6700-d3b0-11e9-8294-c6b045c127a5.png)
![ch03_shellcodehash_decompile](https://user-images.githubusercontent.com/18203311/64575814-9c35ff00-d3b0-11e9-8cb8-3b686ae553a9.png)
# non-zero_xor_search.py
Finds XOR instructions whose source and destination operands are not equivalent.
It is registered in the bookmark.![ch03_non-zero_xor](https://user-images.githubusercontent.com/18203311/64575818-9fc98600-d3b0-11e9-8732-bccf8d0e3c1f.png)
# coloring_call_jmp.py
Coloring of CALL and JMP instructions.
Color the following instructions
* CALL
* JE
* JZ
* JNE
* JNZ
* JA
* JAE
* JBE
* JB
* JL
* JLE
* JG
* JGE![ch03_coloring_call_jmp](https://user-images.githubusercontent.com/18203311/64575795-87596b80-d3b0-11e9-847b-f46ab6aefa4b.png)
# stackstrings.py
Deobfuscate stackstrings used by Godzilla Loader.
### before
![stackstrings_execute_before](https://user-images.githubusercontent.com/18203311/65371013-13fe0680-dc9a-11e9-910a-37329767a26a.png)### after
![stackstrings_execute_after](https://user-images.githubusercontent.com/18203311/65371015-15c7ca00-dc9a-11e9-80c2-5028a8c3d03f.png)### console output
![stackstrings_console_result](https://user-images.githubusercontent.com/18203311/65371016-16f8f700-dc9a-11e9-981c-552a7e9152a4.png)