/ghidra_scripts

Ghidra scripts for malware analysis

Primary language: Python

shellcode_hashes

shellcode_hashes was inspired by the FLARE script of the same name.
It finds the API name that matches the hash used in the shellcode,
using the database created by the FLARE script.

sqlite2json.py

Since Ghidra could not import sqlite, I created a script that converts the database to JSON.
Convert it with the following command:

python sqlite2json.py

shellcode_hash_search.py

Open the target shellcode and execute the script.

Screenshot: ch03_shellcodehash

Screenshot: ch03_shellcodehash_decompile
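The lookup that shellcode_hash_search.py performs, as an added stand-alone example that is not part of this repository and does not need Ghidra: the export names, the ROR13-add hash variant, the JSON layout and the list of (address, immediate) pairs standing in for operands read from the listing are all assumptions made for the example.

```python
import json

MASK32 = 0xFFFFFFFF

def ror32(value, count):
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32

def ror13_add_hash(name):
    """ROR13-add hash of an ASCII export name (one common shellcode variant,
    assumed here; some loaders also fold in the terminating NUL byte)."""
    h = 0
    for ch in name.encode("ascii"):
        h = (ror32(h, 13) + ch) & MASK32
    return h

def build_hash_db(export_names):
    """Build a hash -> name table in the shape assumed for the JSON database.
    Keys are 8-digit hex strings so the table survives a JSON round-trip."""
    return {"%08x" % ror13_add_hash(n): n for n in export_names}

def find_api_hashes(immediates, hash_db):
    """immediates: list of (address, 32-bit immediate) pairs, standing in for
    the operands a Ghidra script would collect from each instruction.
    Returns (address, immediate, api_name) for every immediate in the table."""
    hits = []
    for addr, imm in immediates:
        name = hash_db.get("%08x" % (imm & MASK32))
        if name is not None:
            hits.append((addr, imm, name))
    return hits

# Constructed sample: a handful of export names instead of the real database.
SAMPLE_EXPORTS = ["LoadLibraryA", "GetProcAddress", "ExitProcess", "WinExec"]
HASH_DB_JSON = json.dumps(build_hash_db(SAMPLE_EXPORTS))  # JSON as written to disk
HASH_DB = json.loads(HASH_DB_JSON)                        # JSON as the search loads it

# Constructed immediates: two API hashes and one unrelated constant (0x1000).
SAMPLE_IMMEDIATES = [
    (0x401010, ror13_add_hash("LoadLibraryA")),
    (0x401018, 0x1000),
    (0x401025, ror13_add_hash("WinExec")),
]

if __name__ == "__main__":
    for addr, imm, name in find_api_hashes(SAMPLE_IMMEDIATES, HASH_DB):
        print("%08x: 0x%08x -> %s" % (addr, imm, name))
```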

non-zero_xor_search.py

Finds XOR instructions whose source and destination operands differ, i.e. it skips the XOR reg, reg register-zeroing idiom.
Each match is registered as a bookmark.

Screenshot: ch03_non-zero_xor

coloring_call_jmp.py

Colors CALL and jump instructions.
The following instructions are colored:

  • CALL
  • JE
  • JZ
  • JNE
  • JNZ
  • JA
  • JAE
  • JBE
  • JB
  • JL
  • JLE
  • JG
  • JGE

Screenshot: ch03_coloring_call_jmp

stackstrings.py

Deobfuscates the stackstrings used by Godzilla Loader.

Before:

Screenshot: stackstrings_execute_before

After:

Screenshot: stackstrings_execute_after

Console output:

Screenshot: stackstrings_console_result