├── Images
│   ├── Pydev_Install.PNG
│   ├── NEW_Script_debug.png
│   ├── GHIDRA_GRAPHVIEW_annotated.PNG
│   ├── CAPA_Importer_All_in_one_view.PNG
│   ├── CAPA_Importer_All_in_one_view2.PNG
│   ├── GhidraScripting_project_creation .PNG
│   ├── CAPA_Importer_Graph_Bookmarks_view.PNG
│   └── GHIDRA_listing view_bookmarks_annotated.PNG
├── tiny_tracer_tag_annotate.py
├── README.md
└── CAPA_Importer.py

/tiny_tracer_tag_annotate.py:
--------------------------------------------------------------------------------
```python
# The tags generated by Tiny Tracer are helpful in deobfuscating obfuscated API calls.
# This script will annotate and bookmark the code with tags produced by the Tiny Tracer tool.
# Tiny Tracer repo: https://github.com/hasherezade/tiny_tracer
#@author Jiri_Vinopal
#@category Annotation
#@keybinding
#@menupath
#@toolbar

from ghidra.program.model.listing import CodeUnit


def add_bookmark_comment(addr, apicall):
    # bookmark the traced call site and put the resolved API name as an end-of-line comment
    cu = currentProgram.getListing().getCodeUnitAt(addr)
    createBookmark(addr, "tiny_tracer", apicall)
    if cu is not None:
        cu.setComment(CodeUnit.EOL_COMMENT, apicall)


f = askFile("Give me a .tag file to import!", "Import")

with open(f.absolutePath) as tagfile:
    for line in tagfile:
        line = line.strip()
        # lines beginning with '>' are not "RVA;API" records and are skipped;
        # empty lines would otherwise raise IndexError on line[0]
        if not line or line.startswith('>'):
            continue
        fields = line.split(";")
        if len(fields) < 2:
            continue
        RVA = fields[0]
        ApiCall = fields[1]
        # the .tag file carries RVAs; the script treats currentProgram.minAddress as the module base
        addr = currentProgram.minAddress.add(int(RVA, 16))
        add_bookmark_comment(addr, ApiCall)
```
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# ghidra_scripts
Scripts for the Ghidra software reverse engineering suite.
For developing Python scripts in the context of Ghidra SRE, please visit the WIKI.

## Installation
Copy the script into a Ghidra script directory, for example `$USER_HOME/ghidra_scripts`.

## tiny_tracer_tag_annotate.py
The tags generated by Tiny Tracer are helpful in deobfuscating obfuscated API calls.
This script will annotate and bookmark the code with tags produced by the Tiny Tracer tool.
Tiny Tracer repo: https://github.com/hasherezade/tiny_tracer.
Tested on Tiny_tracer version 1.4

How to use:
Run the script via the Ghidra Script Manager and import the relevant .tag file for the analyzed sample, produced by Tiny Tracer.

Ghidra annotated Graph_View:

![Ghidra annotated Graph view](/Images/GHIDRA_GRAPHVIEW_annotated.PNG)


Ghidra annotated Listing_View and Bookmarks:

![Ghidra annotated_Listing_bookmark_view](/Images/GHIDRA_listing%20view_bookmarks_annotated.PNG)



## CAPA_Importer.py
This script works with exported .txt or .json results of the CAPA tool.
Capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do.
For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
CAPA repo: https://github.com/fireeye/capa
CAPA blog post: https://www.fireeye.com/blog/threat-research/2020/07/capa-automatically-identify-malware-capabilities.html

Script "CAPA_Importer.py" annotates the code with the matched Capability (as a PRE_COMMENT) and bookmarks it with the Capability, matched RVA location and Scope. If more than one Capability is present for the same RVA, the script adds an annotation for each capability at that RVA in the code and also edits the bookmark so that the bookmark for that location (RVA) contains all Capabilities.
If a matched capability in the CAPA result has scope 'file', no annotation (PRE_COMMENT) is added to the code; a bookmark is created with RVA = ImageBase.
Tested on CAPA version 1.0.0 - 1.2.0


How to use:
Analyze the sample with CAPA.
Example1: CAPA -v malware.exe > exported.txt
Example2: CAPA -j malware.exe > exported.json
The '-v' parameter must be present on the command line to export Capa results in the supported text format.
The '-j' parameter must be present on the command line to export Capa results in the supported json format.
Run this script, import exported.txt or exported.json, and it will annotate (with PRE_COMMENT) and bookmark the code with the Capability, matched RVA location and Scope.

If no PRE_COMMENT is shown in the Decompile window or Graph window --> check that the option "Display PRE comments" is enabled in the relevant window.

Ghidra annotated Listing view, Decompile view and Bookmarks (1):

![Ghidra annotated Listing view](/Images/CAPA_Importer_All_in_one_view.PNG)


Ghidra annotated Listing view, Decompile view and Bookmarks (2):

![Ghidra annotated Listing view2](/Images/CAPA_Importer_All_in_one_view2.PNG)



Ghidra annotated Function Graph view and Bookmarks:

![Ghidra annotated Graph view](/Images/CAPA_Importer_Graph_Bookmarks_view.PNG)


--------------------------------------------------------------------------------
/CAPA_Importer.py:
--------------------------------------------------------------------------------
```python
# This script works with exported .txt or .json results of the CAPA tool.
# Simply analyze the sample with CAPA. Example: CAPA -v malware.exe > exported.txt
#                                      Example: CAPA -j malware.exe > exported.json
# Run this script, import exported.txt or exported.json and it will annotate (with PRE_COMMENT)
# and bookmark the code with Capability, Matched RVA location and Scope.
# capa detects capabilities in executable files. You run it against a PE file or shellcode and
# it tells you what it thinks the program can do.
# For example, it might suggest that the file is a backdoor, is capable of installing services,
# or relies on HTTP to communicate.
# CAPA repo: https://github.com/fireeye/capa

#@author Jiri_Vinopal
#@category Annotation
#@keybinding
#@menupath
#@toolbar

import json
import re

from ghidra.program.model.listing import CodeUnit

BOOKMARK_CATEGORY = "CAPA_ANALYZER"


def get_capa_bookmark(addr):
    # only merge into a bookmark this script created; ignore Ghidra's own (e.g. Analysis) bookmarks
    for bm in getBookmarks(addr):
        if bm.getCategory() == BOOKMARK_CATEGORY:
            return bm
    return None


def add_bookmark_comment(scope, capability, addr_int):
    note = scope.upper() + ': ' + capability
    if addr_int == 0:
        # file-scope match: there is no code location, so the bookmark goes on the image base
        addr = currentProgram.getMinAddress()
    else:
        addr = toAddr(addr_int)

    existing = get_capa_bookmark(addr)
    if existing is not None:
        # several capabilities matched at this location: keep the earlier ones in one bookmark
        note = existing.getComment() + '; ' + note
    # createBookmark updates the existing CAPA bookmark at addr rather than adding a second one
    createBookmark(addr, BOOKMARK_CATEGORY, note)

    if addr_int == 0:
        return  # file scope: bookmark only, no PRE_COMMENT
    cu = currentProgram.getListing().getCodeUnitAt(addr)
    if cu is None:
        print('No code unit at ' + str(addr) + ', bookmark only')
        return
    comment = "CAPA_ANALYZER: Scope - " + scope.upper() + ': ' + capability
    original = cu.getComment(CodeUnit.PRE_COMMENT)
    if original:
        # keep an existing PRE comment (earlier capability or analyst note) and append below it
        comment = original + "\n" + comment
    cu.setComment(CodeUnit.PRE_COMMENT, comment)


def parse_json(data):
    for capability, rule in data['rules'].items():
        meta = rule['meta']
        if meta.get('lib', False):
            continue  # library-code rules are not capabilities of the sample
        scope = meta['scope']
        if scope == 'file':
            add_bookmark_comment(scope, capability, 0)
        else:
            # match keys are decimal virtual addresses
            for addr in rule['matches'].keys():
                add_bookmark_comment(scope, capability, int(addr))


def parse_txt(text):
    # capa -v prints one block per matched rule, separated by blank lines;
    # the first block is the file header table and is skipped
    for block in text.split("\n\n")[1:]:
        if block == "":
            continue
        lines = block.split("\n")
        # the first line is 'rule name (N matches)'; drop the match count
        capability = re.sub(r'\(.*', '', lines[0]).strip()
        scope = None
        for j in range(1, len(lines)):
            if "scope" in lines[j]:
                scope = lines[j].split(" ")[-1]
                if scope == 'file':
                    add_bookmark_comment(scope, capability, 0)
            if "matches" in lines[j] and scope is not None:
                # the matched addresses follow the 'matches' row, one 0x... value per line
                for line in lines[j:]:
                    if "0x" in line:
                        add_bookmark_comment(scope, capability, int(line.split("0x")[-1], 16))


file_imported = askFile("Give me a .txt or .json file to import!", "Import")
filename = file_imported.name
if filename.endswith('.txt'):
    with open(file_imported.absolutePath, 'r') as f:
        parse_txt(f.read())
elif filename.endswith('.json'):
    with open(file_imported.absolutePath) as f:
        parse_json(json.load(f))
else:
    # previously this branch was attached only to the .json check, so every .txt import printed it
    print('No .json or .txt file !!!')
```
--------------------------------------------------------------------------------
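The JSON shape CAPA_Importer.py walks (rules, then meta.scope / meta.lib, then matches keyed by address), as an added stand-alone example that is not part of the repository: it computes the same per-address bookmark and PRE_COMMENT text the script writes, so the merging of several capabilities at one address, the skipped lib rules and the file-scope case can be checked outside Ghidra. The sample result below is constructed, not real capa output, and the image base 0x400000 is an assumption.

```python
import json

# Constructed capa 1.x-style result (not real capa output): two function-scope rules
# that both match at 0x401000, one rule flagged as library code, and one file-scope rule.
SAMPLE_RESULT = {"rules": {
    "create process": {"meta": {"scope": "function"},
                       "matches": {"4198400": {}, "4198656": {}}},
    "delete file": {"meta": {"scope": "function"},
                    "matches": {"4198400": {}}},
    "std library memcpy": {"meta": {"scope": "function", "lib": True},
                           "matches": {"4198912": {}}},
    "compiled with MSVC": {"meta": {"scope": "file"}, "matches": {"0": {}}},
}}


def plan_annotations(data, image_base):
    """Map address -> ['SCOPE: capability', ...] the way CAPA_Importer.py bookmarks it.

    'matches' keys are decimal virtual addresses (the script calls int() on them),
    rules with meta.lib set are skipped, and file-scope rules have no code location,
    so they are pinned to the image base (the script uses currentProgram.getMinAddress()).
    """
    plan = {}
    for capability, rule in sorted(data['rules'].items()):
        meta = rule['meta']
        if meta.get('lib', False):
            continue
        addrs = [image_base] if meta['scope'] == 'file' else [int(a) for a in rule['matches']]
        for addr in addrs:
            plan.setdefault(addr, []).append(meta['scope'].upper() + ': ' + capability)
    return plan


def bookmark_notes(plan):
    """One CAPA_ANALYZER bookmark per address; capabilities sharing it are joined by '; '."""
    return {addr: '; '.join(notes) for addr, notes in plan.items()}


def pre_comments(plan, image_base):
    """PRE_COMMENT text per code address (one line per capability); file scope gets none."""
    return {addr: '\n'.join('CAPA_ANALYZER: Scope - ' + n for n in notes)
            for addr, notes in plan.items() if addr != image_base}


def load_plan(path, image_base):
    """Same as plan_annotations, but from an exported.json file (capa -j output)."""
    with open(path) as f:
        return plan_annotations(json.load(f), image_base)


if __name__ == '__main__':
    for addr, note in sorted(bookmark_notes(plan_annotations(SAMPLE_RESULT, 0x400000)).items()):
        print('0x%08x  %s' % (addr, note))
```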