DISASSEMBLER/GHIDRA SCRIPTING

as a reverse engineer this is immensely valuable as it can automate repetitive tasks. below are some tasks that are useful in reverse engineering automation

  • scanning a program for vulnerable functions (software exploitation)

  • figuring out the context of de-obfuscated byte patterns from obfuscated malware (malware analysis)

disassembler scripting (ghidra)

this is immensely useful for sre for repetitive tasks such as finding vulnerable functions...
this also applies to apis


#step 1: figure out where to put the user-defined scripts - this
ghidra > script manager (green play button)

 * when starting to write a script for an API, look at the ghidra examples located in "Script Manager > Scripts > Examples"
    - these show how ghidra scripts are constructed, their important pieces, common layout, frequently used functions, etc
	
ghidra > script manager > bundle manager (hamburger icon)

 * this shows all the directories for all the scripts for ghidra
 * the one specific for ghidra is $USER_HOME/ghidra_scripts
    - add this directory if it is missing, then refresh. it's normally located in the HOME directory, "~/ghidra_scripts" on linux
	

#step 2: baseline script format - use vscode or nano with an example python format from ghidra
ghidra > script manager > Scripts > Examples > Python > python_basics.py
 ...
 #TODO write a description for this script
 #@author
 #@category Functions
 #@keybinding
 #@menupath
 #@toolbar
 
 #TODO Add User Code here
 
 
 
 * review the format!
    - the # is used for commenting and script description
    - the @category is used for folder location
       - example: @category Functions
          - this will be displayed in the GUI on the left-hand side under "script manager > scripts > examples > Functions"
          - this will also show up in the category column!
    - the @keybinding is used for keyboard shortcuts and is case sensitive
       - [ctrl][alt][shift][A-Z, 0-9, F1-F12]
          - @keybinding ctrl alt shift F1 COMMA                                      //this is an example key sequence to execute a script
    - the @menupath is used to add the script into one of the menus
       - @menupath File.Run.My Script
    - the @toolbar is used to pull an image from the script directory and add it to the UI
       - @toolbar myScriptImage.gif
 
root@sre:~$ nano ~/ghidra_scripts/vulnFuncs.py
 #find known vulnerable C functions (not handling memory appropriately such as bounds checking) - gets, strcpy
 #@author SRazon
 #@category Functions     //it'll be cool if Vulnerability is on the list

 #test output to confirm that the script is working
 print("Hello, CNODP!")
 
 * save the script
 
#test whether the script is working within ghidra
ghidra > import file > lab06.exe

 * the file to be scanned by the script MUST be loaded in ghidra before anything else!
 
ghidra > script manager > scripts > functions > refresh > double-click vulnFuncs.py
 Console - Scripting
 vulnFuncs.py> Running...
 Hello, CNODP!
 vulnFuncs.py> Finished!

 * refresh the script manager listing view to see the new script!

root@sre:~$ nano ~/ghidra_scripts/vulnFuncs.py
 #find known vulnerable C functions (not handling memory appropriately such as bounds checking) - gets, strcpy
 #@author SRazon
 #@category Functions     //it'll be cool if Vulnerability is on the list

 #test output to confirm that the script is working
 print("Hello, CNODP!")
 
 #PSEUDOCODE (this is just the game plan on what needs to be accomplished, but not how - the how is the actual code implementation)
 #1.define a listing of common vulnerable functions
 #2.find the first function in the binary //once this is found, it'll give us a reference point to start looping through things including every single function within the file/program
 
 
 #loop through every function that exists in the binary, find names and entry points - this assumes that debug symbols are present in the program
    # check against the list of vuln funcs
       # once found print the vulnerable function name and address of the function
       # then add comment and change the background color
	   
	   
ghidra > script manager > scripting documentation (RED PLUS BUTTON)
 search: getFirstFunction
 select: ghidra.program.flatapi.FlatProgramAPI
  - once selected it'll show the usage of the function getFirstFunction

 * ghidra's local script documentation can be viewed from the script manager by clicking on the RED PLUS button
    - this script documentation is used in advanced scripting
       - always use the "FlatProgramAPI" class first! "ghidra.program.flatapi.FlatProgramAPI" when building your scripts!

root@sre:~$ nano ~/ghidra_scripts/vulnFuncs.py
 #find known vulnerable C functions (not handling memory appropriately such as bounds checking) - gets, strcpy
 #@author SRazon
 #@category Functions     //it'll be cool if Vulnerability is on the list

 #test output to confirm that the script is working
 print("Hello, CNODP!")
 
 #PSEUDOCODE (this is just the game plan on what needs to be accomplished, but not how - the how is the actual code implementation)
 #1.define a listing of common vulnerable functions
 #2.find the first function in the binary //once this is found, it'll give us a reference point to start looping through things including every single function within the file/program
 function = getFirstFunction()
 
 funcName = function.getName()
 funcEntry = function.getEntryPoint()
 print("First function - %s at %s" % (funcName, funcEntry))
 function = getFunctionAfter(function)    #getFunctionAfter() takes the current function (or an address) as its argument and returns the next function, or None at the end of the listing
 
 #loop through every function that exists in the binary, find names and entry points - this assumes that debug symbols are present in the program
    # check against the list of vuln funcs
       # once found print the vulnerable function name and address of the function
       # then add comment and change the background color
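the pseudocode above carried through to a working vulnFuncs.py, as an added example that is not part of the original notes. it keeps the getFirstFunction()/getFunctionAfter() walk and uses the FlatProgramAPI calls setEOLComment() and setBackgroundColor() for the comment-and-colour step; the vulnerable-function list, the leading-underscore normalisation and the constructed sample listing (used so the matching logic can be checked outside ghidra) are assumptions.

```python
# Added example, not the notes' own script: vulnFuncs.py with the game plan
# carried through. Python 2/3 compatible because Ghidra's runtime is Jython 2.7.
#@category Functions

# 1. listing of common vulnerable functions (assumed starting list; extend it)
VULN_FUNCS = ["gets", "strcpy", "strcat", "sprintf", "vsprintf", "scanf"]

def iter_functions(first, next_function):
    """Walk the listing from first (getFirstFunction()) via next_function
    (getFunctionAfter); getFirstFunction() returns None on an empty listing."""
    function = first
    while function is not None:
        yield function
        function = next_function(function)

def find_vulnerable(functions, vuln_names=VULN_FUNCS):
    """(name, entry point) of every function whose name is on the vuln list,
    ignoring leading underscores some toolchains prepend (e.g. _strcpy)."""
    wanted = set(vuln_names)
    return [(f.getName(), f.getEntryPoint())
            for f in functions if f.getName().lstrip("_") in wanted]

class _FakeFunction(object):
    """Constructed stand-in for a Ghidra Function (getName/getEntryPoint only)."""
    def __init__(self, name, entry): self.name, self.entry = name, entry
    def getName(self): return self.name
    def getEntryPoint(self): return self.entry

# constructed sample listing (not a real binary) so the logic runs without Ghidra
SAMPLE_LISTING = [_FakeFunction("main", "0x401000"), _FakeFunction("_strcpy", "0x402000"),
                  _FakeFunction("printf", "0x402010"), _FakeFunction("gets", "0x402020")]
_NEXT = dict(zip(SAMPLE_LISTING, SAMPLE_LISTING[1:] + [None]))  # mimics getFunctionAfter

def demo():
    """Walk SAMPLE_LISTING exactly as run() walks Ghidra's listing; returns hits."""
    return find_vulnerable(iter_functions(SAMPLE_LISTING[0], _NEXT.get))

def run():
    """Inside Ghidra: print each hit, add an EOL comment, colour the entry point."""
    from java.awt import Color  # Java class; importable only in Ghidra's Jython
    hits = find_vulnerable(iter_functions(getFirstFunction(), getFunctionAfter))
    for name, entry in hits:
        print("Vulnerable function - %s at %s" % (name, entry))
        setEOLComment(entry, "VULN: %s - check bounds at every caller" % name)
        setBackgroundColor(entry, Color.RED)
    print("%d vulnerable function(s) found" % len(hits))

if __name__ == "__main__":  # Ghidra runs scripts as __main__; an import does not
    run()
```

matching on the function name only flags the imported/thunked routine itself; the callers still have to be reviewed by hand (or by following the references to the highlighted entry point).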
