ghidra-headless-scripts

Ghidra Headless Scripts for Automated Analysis (Decompilation and Disassembly)


Ghidra - Headless Scripts (Python)

Headless Scripts for Ghidra's Headless Analyzer written in Python 2 for Automated Analysis (Decompilation and Disassembly).

Legend

Before jumping into the commands, it is important to explain the arguments passed to analyzeHeadless:

Argument / Type / Description

<PROJECT_PATH> (Mandatory)
    Path where the new Ghidra Project will be created.

<PROJECT_NAME> (Mandatory)
    Name of the new Project to create in the previous path.

-import <FILE_TO_ANALYZE> (Mandatory)
    Path to the binary that you want to analyze with Ghidra. Here you can use -import or -process depending on your needs. For more information, check the Ghidra Documentation.

-scriptPath <PATH_TO_YOUR_SCRIPTS_FOLDER> (Mandatory)
    Path to your scripts folder.

-postScript <SCRIPT_FILENAME> (Mandatory)
    Filename of the script you want to execute with Ghidra's Headless Analyzer.

[OUTPUT_FILENAME] (Optional)
    Filename of the output file that will be generated by the Headless Scripts. If this argument is not passed, decompiler.py and disassembler.py will create a file named <FILE_TO_ANALYZE>_decompiled.c and <FILE_TO_ANALYZE>.asm respectively. For decompile_simple.py the output filename will always be decompiled_output.c

Decompile Simple

decompile_simple.py decompiles all the functions recognized by Ghidra and writes them into an output file (Pseudo C). It does exactly the same as decompiler.py but with simpler code, recommended for beginners.

Usage:

$ analyzeHeadless <PROJECT_PATH> <PROJECT_NAME> -import <FILE_TO_ANALYZE> -scriptPath <PATH_TO_YOUR_SCRIPTS_FOLDER> -postScript <SCRIPT_FILENAME>

Example:

$ analyzeHeadless /home/galoget/ HeadlessAnalysis -import /home/galoget/malware-sample.exe -scriptPath /home/galoget/ghidra-headless-scripts/ -postScript decompile_simple.py

By default the script creates an output file in the directory where the command was executed; the output file will be named: output_malware.c

Decompiler

decompiler.py decompiles all the functions recognized by Ghidra and writes them into an output file (Pseudo C).

Usage:

$ analyzeHeadless <PROJECT_PATH> <PROJECT_NAME> -process <TARGET_FILENAME> -scriptPath <PATH_TO_YOUR_SCRIPTS_FOLDER> -postScript <SCRIPT_FILENAME> <OUTPUT_FILENAME>

Example:

$ analyzeHeadless /home/galoget/ HeadlessAnalysis -import /home/galoget/malware-sample.exe -scriptPath /home/galoget/ghidra-headless-scripts/ -postScript decompiler.py decompiled_malware_sample.c

Disassembler

disassembler.py disassembles all the functions recognized by Ghidra and writes them into an output file (ASM).

Usage:

$ analyzeHeadless <PROJECT_PATH> <PROJECT_NAME> -process <TARGET_FILENAME> -scriptPath <PATH_TO_YOUR_SCRIPTS_FOLDER> -postScript <SCRIPT_FILENAME> <OUTPUT_FILENAME>

Example:

$ analyzeHeadless /home/galoget/ HeadlessAnalysis -import /home/galoget/malware-sample.exe -scriptPath /home/galoget/ghidra-headless-scripts/ -postScript disassembler.py disass_malware_sample.asm
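The following is an added example, not one of this repository's scripts, showing how a single Ghidra headless post-script can do what the Decompiler and Disassembler sections above describe: walk every function Ghidra recognized and write either its pseudo C or its instruction listing to one output file. It follows the output-naming rule from the Legend (the optional positional argument after -postScript wins, otherwise <FILE_TO_ANALYZE>_decompiled.c or <FILE_TO_ANALYZE>.asm). The Ghidra API calls (DecompInterface, FunctionManager, Listing.getInstructions) are the real ones; the helper names, the run("decompile"/"disassemble") switch and the globals() guard at the bottom are this example's own choices. Python 2 syntax is used because Ghidra's script runtime is Jython 2.7.

```python
# Added example (not the repository's own code): one headless post-script that
# decompiles or disassembles every function and writes the result to a file.
import os

# Output-name rules as given in the README's Legend.
SUFFIXES = {"decompile": "_decompiled.c", "disassemble": ".asm"}


def output_filename(program_name, script_args, mode="decompile"):
    """The optional positional argument after -postScript wins; otherwise
    <FILE_TO_ANALYZE> + suffix, written in the current working directory."""
    if script_args and script_args[0]:
        return script_args[0]
    return os.path.basename(program_name) + SUFFIXES[mode]


def render_function(name, entry, body, comment="//"):
    """Prefix one function's text with a header line recording its name and
    entry address, so the output file is self-describing."""
    return "{} Function: {} @ {}\n{}\n".format(comment, name, entry, body.rstrip("\n"))


def decompile_all(program, monitor, timeout_secs=60):
    """Yield (name, entry, pseudo_c) for every function Ghidra recognized.
    A function the decompiler gives up on is reported inline, not dropped."""
    from ghidra.app.decompiler import DecompInterface
    decomp = DecompInterface()
    decomp.openProgram(program)
    try:
        for func in program.getFunctionManager().getFunctions(True):
            res = decomp.decompileFunction(func, timeout_secs, monitor)
            if res.decompileCompleted():
                text = res.getDecompiledFunction().getC()
            else:
                text = "// decompilation failed: {}".format(res.getErrorMessage())
            yield func.getName(), str(func.getEntryPoint()), text
    finally:
        decomp.dispose()


def disassemble_all(program):
    """Yield (name, entry, asm) for every function: one
    'address  mnemonic operands' line per instruction in its body."""
    listing = program.getListing()
    for func in program.getFunctionManager().getFunctions(True):
        lines = ["{}  {}".format(ins.getAddress(), ins)
                 for ins in listing.getInstructions(func.getBody(), True)]
        yield func.getName(), str(func.getEntryPoint()), "\n".join(lines)


def run(mode):
    # currentProgram, monitor and getScriptArgs() are injected by the headless
    # analyzer when this file runs as a -postScript.
    out_path = output_filename(currentProgram.getName(), getScriptArgs(), mode)
    if mode == "decompile":
        units, comment = decompile_all(currentProgram, monitor), "//"
    else:
        units, comment = disassemble_all(currentProgram), ";"
    count = 0
    with open(out_path, "w") as out:
        for name, entry, body in units:
            out.write(render_function(name, entry, body, comment))
            count += 1
    print("Wrote {} functions to {}".format(count, out_path))


# The Ghidra-dependent part runs only inside Ghidra; importing this file
# elsewhere (for example to unit test the helpers) touches no Ghidra API.
if "currentProgram" in globals():
    run("decompile")  # use run("disassemble") for the .asm output
```

Run it exactly like the commands above, i.e. `-scriptPath` pointing at the folder holding this file and `-postScript <this_file>.py [OUTPUT_FILENAME]`. Keeping the file-naming and formatting helpers free of Ghidra imports is deliberate: they can be checked with plain Python before a long headless run, and a decompiler timeout on one function is written into the output instead of aborting the whole job.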