Ghidra
- Ghidra's API documentation
- Ghidra's Online Courses
- awesome-ghidra
- Ghidra - Journey from Classified NSA Tool to Open Source Black Hat 2019 talk
- Mike Bell: Extending Ghidra: from Script to Plugins and Beyond (Mike Bell speaking at the Jailbreak Brewing Company Security Summit on Friday, October 11, 2019)
- ghidraninja/ghidra_scripts
- Decompiler Analysis Engine
- WORKING WITH GHIDRA'S P-CODE TO IDENTIFY VULNERABLE FUNCTION CALLS
- Writing a wasm loader for Ghidra. Part 1: Problem statement and setting up environment
- ghidra-firmware-utils Ghidra utilities for analyzing PC firmware
- Using OOAnalyzer to Reverse Engineer Object Oriented Code with Ghidra
- how to run a python 3 script with headless analyzer
- Save Ghidra's control flow graph into a parsable format
- GHIDRA + MSDN OFFLINE LIBRARY = love
- Reversing Raw Binary Firmware Files in Ghidra
- An Introduction To Code Analysis With Ghidra
- SVD-Loader for Ghidra: Simplifying bare-metal ARM reverse engineering
- leveldown-security/SVD-Loader-Ghidra
- Analysing RPC With Ghidra and Neo4j
- How to get the address of vertex in Function graph by using some python api?
- Ghidra -- A quick start guide with pictures and a C++ example
- astrelsky/Ghidra-Cpp-Class-Analyzer C++ Class and Run Time Type Information Analyzer
- Ghidra Plugin: JNIAnalyzer
- AN ABSTRACT INTERPRETATION-BASED DEOBFUSCATION PLUGIN FOR GHIDRA
- Blog with a couple of posts about developing for it without Eclipse
- Reverse Engineering Go, Part II: this post is on how the Ghidra decompiler works, and how to make it work for Go
- Reverse Engineering Go Binaries with Ghidra
- Ghidra Decompiler wireformat
- threatrack/ghidra-fidb-repo Ghidra Function ID dataset repository
- esaulenka/ghidra_v850 Ghidra support for Renesas V850 MCUs
- reb311ion/replica Ghidra Analysis Enhancer
- cetfor/GhidraSnippets is a collection of Python examples showing how to work with Ghidra APIs
- HackOvert/GhidraSnippets Python snippets for Ghidra's Program and Decompiler APIs
- GhidraJupyter/ghidra-jupyter-kotlin
- Ghidra: the story of _check_sec_cookie
- Introduction to Reverse Engineering with Ghidra: A Four Session Course
- Writing a GHIDRA Loader: STM32 Edition
- Implementing a brainfuck CPU in Ghidra - part 1: Setup and disassembly
- A first look at Ghidra's Debugger - Game Boy Advance Edition
- Rhabdomancer.java A Ghidra vulnerability research assistant
- Ghidra script to decrypt strings in Amadey 1.09
- PositiveTechnologies/ghidra_nodejs plugin to parse, disassemble and decompile NodeJS Bytenode (JSC) binaries
- Ghidra Script To Name Function From Capabilities and the scripts described in the video
- Creating a Ghidra processor module in SLEIGH using V8 bytecode as an example
- Guide to P-code Injection: Changing the intermediate representation of code on the fly in Ghidra
- Ghidra script to handle stack strings
- EXPANDING THE DRAGON: ADDING AN ISA TO GHIDRA
- Automating binary vulnerability discovery with Ghidra and Semgrep
Tools
- GhidraEmu Native Pcode emulator
- Ghidra Bridge Python 3 bridge to Ghidra's Python scripting
- ghidra_ExportToX64dbg A Ghidra script to export data to a x64dbg database
- GhiHorn: Path Analysis in Ghidra Using SMT Solvers
- airbus-cyber/ghidralligator is a C++ multi-architecture pcode emulator based on the Ghidra libsla, designed for fuzzing with AFL++.
- https://github.com/zxgio/ghidra_stack_strings
- nccgroup/Cartographer Code Coverage Exploration Plugin for Ghidra
PCode
Scripting
It is possible to use Python interactively from Ghidra's interpreter window:
>>> currentProgram.getImageBase()
00400000
>>> bytearray(getBytes(toAddr(0x4c00), 0x2a10))
>>> getCurrentProgram().getCodeManager().getCodeUnitBefore(toAddr(0xa0010004))
addiu sp,sp,-0x38
>>> function = currentProgram.getFunctionManager().getFunctionContaining(toAddr(0x005259c0))
>>> import ghidra.app.decompiler as decomp
>>> decomp = decomp.DecompInterface()
>>> decomp.openProgram(currentProgram)
True
>>> results = decomp.decompileFunction(function, 10, None)
>>> dec = results.getDecompiledFunction()
>>> print(dec.getC())
void FUN_005259c0(int param_1,int *param_2,int param_3)
{
bool bVar1;
undefined *puVar2;
int iVar3;
int iVar4;
iVar4 = 0;
while( true ) {
puVar2 = PTR_strlen_0058eb64;
bVar1 = param_3 <= iVar4;
iVar4 = iVar4 + 1;
if (bVar1) break;
*param_2 = param_1;
iVar3 = (*(code *)puVar2)(param_1);
param_1 = param_1 + iVar3 + 1;
param_2 = param_2 + 1;
}
return;
}
>>> [_ for _ in currentProgram.getFunctionManager().getFunctionsNoStubs(True)]
[FUN_c14001f0, FUN_c14002c8, FUN_c1400434, FUN_c14004a8, FUN_c14005d8,
FUN_c1400760, FUN_c14007f0, FUN_c1400818, FUN_c1400c40, FUN_c1400ec8,
FUN_c1401004, FUN_c1401080, FUN_c14010ac, FUN_c1401118, FUN_c140114c,
FUN_c14011d0, FUN_c1401240, FUN_c14012b0, FUN_c1401318, FUN_c140139c,
FUN_c1401450, FUN_c1401500, FUN_c1401594, FUN_c14017e8, FUN_c140196c,
FUN_c140199c, FUN_c1401b6c, FUN_c1401d2c, FUN_c1401f90, FUN_c1401fb4,
FUN_c1401fd8, FUN_c1401ffc, FUN_c1402020, FUN_c1402050, FUN_c1402074,
FUN_c140209c, FUN_c14020c4, FUN_c1402108, FUN_c1402148, FUN_c14021b8,
FUN_c1402228, FUN_c14022c0, FUN_c1402340, FUN_c14024ac, FUN_c140253c,
FUN_c1402548, FUN_c1402554, FUN_c1402560, FUN_c140256c, FUN_c1402578,
FUN_c1402584, FUN_c1402590, FUN_c140259c, FUN_c14025a8, FUN_c14025b4,
FUN_c14025c0, FUN_c14025cc, FUN_c14025d8, FUN_c14025e4, FUN_c14025f0,
FUN_c14025fc, FUN_c1402608, FUN_c1402614, FUN_c1402620, FUN_c140262c,
FUN_c1402638, FUN_c1402644, FUN_c1402974]
>>> [_ for _ in currentProgram.getListing().getInstructions(f.getBody(), True)]
[addiu sp,sp,-0x40, sw ra,0x3c(sp), sw s8,0x38(sp), move s8,sp, sw a0,0x40(s8),
sw a1,0x44(s8), sw a2,0x48(s8), sw zero,0x10(s8), lw v0,0x44(s8), bne
v0,zero,0xc140022c, _nop, li v0,-0x16, sw v0,0x30(s8), b 0xc14002ac, _nop, lw
v1,0x40(s8), lw v0,0x48(s8), addu v0,v1,v0, sltiu v0,v0,0x201, bne
v0,zero,0xc1400254, _nop, li v0,-0x16, sw v0,0x30(s8), b 0xc14002ac, _nop, addiu
v0,s8,0x18, move a0,v0, clear a1, li a2,0x18, jal 0xc14025e4, _nop, lw
v0,0x44(s8), sw v0,0x18(s8), lw v0,0x40(s8), addiu v0,v0,0x200, sw v0,0x1c(s8),
lw v0,0x48(s8), sw v0,0x20(s8), li v0,0x9, sw v0,0x24(s8), addiu v0,s8,0x18,
move a0,v0, jal 0xc14024ac, _nop, sw v0,0x10(s8), lw v0,0x10(s8), sw
v0,0x30(s8), lw v0,0x30(s8), move sp,s8, lw ra,0x3c(sp), lw s8,0x38(sp), addiu
sp,sp,0x40, jr ra, _nop]
>>> function = currentProgram.getFunctionManager().getFunctionContaining(toAddr(0x005259c0))
>>> list(currentProgram.getReferenceManager().getReferencesTo(function.getEntryPoint()))
[From: 00525a78 To: 005259c0 Type: UNCONDITIONAL_CALL Op: 0 DEFAULT, From: 00525a90 To: 005259c0 Type: UNCONDITIONAL_CALL Op: 0 DEFAULT, From: 00525aa8 To: 005259c0 Type: UNCONDITIONAL_CALL Op: 0 DEFAULT, From: 00525ac0 To: 005259c0 Type: UNCONDITIONAL_CALL Op: 0 DEFAULT, From: 00525ad8 To: 005259c0 Type: UNCONDITIONAL_CALL Op: 0 DEFAULT]
>>> [(getInstructionAt(_.getFromAddress()).getMnemonicString(), getFunctionContaining(_.getFromAddress()),_.getReferenceType()) for _ in currentProgram.getReferenceManager().getReferencesTo(function.getEntryPoint())]
[(u'jal', http_get_code_text, UNCONDITIONAL_CALL), (u'jal', http_get_code_text, UNCONDITIONAL_CALL), (u'jal', http_get_code_text, UNCONDITIONAL_CALL), (u'jal', http_get_code_text, UNCONDITIONAL_CALL), (u'jal', http_get_code_text, UNCONDITIONAL_CALL)]
>>> v = jarray.zeros(0x100, "b")
>>> createMemoryBlock("syscall", toAddr("OTHER:0x00000000"), v, True)
>>> lookup = getCurrentProgram().getSymbolTable().getSymbol("LOOKUP_TABLE").getObject()
>>> [hex(lookup.getUnsignedInt(_*4)) for _ in range(lookup.getLength()/4)]
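As an added example (not code from the original page): a script that reads the Data item behind a symbol as 32-bit words, the way LOOKUP_TABLE is read above, and checks it against known constant tables. The words that read returned are the standard reflected CRC-32 table (entry 1 is 0x77073096, entry 128 is the polynomial 0xedb88320), so that is the table it matches; the function names and SAMPLE_WORDS fallback are my own, and SAMPLE_WORDS is the first 16 words of that read so the script also runs outside Ghidra.

```python
# Added example (not from the original page): read the Data item behind a symbol
# as 32-bit words and match it against known constant tables. Jython 2.7 / Python 3.

CRC32_POLY = 0xEDB88320  # reflected form of the IEEE 802.3 CRC-32 polynomial


def crc32_table(poly=CRC32_POLY):
    """Generate the 256-entry reflected (LSB-first) CRC-32 lookup table."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


def swap32(v):
    """Byte-swap a 32-bit value (a table read with the wrong endianness)."""
    return ((v & 0xFF) << 24) | ((v & 0xFF00) << 8) | ((v >> 8) & 0xFF00) | ((v >> 24) & 0xFF)


# Known tables to match against; extend with other constant tables as needed.
KNOWN_TABLES = {"CRC-32 (IEEE, reflected, poly 0xEDB88320)": crc32_table()}
MIN_WORDS = 16  # fewer words than this can match by coincidence, so refuse


def identify_table(words):
    """Return (table_name, byteswapped) for a known table, or None.

    A prefix of a known table is accepted (a partially defined Data item still
    identifies); the byte-swapped words are tried too, since a table read with
    the wrong endianness is otherwise missed entirely."""
    words = list(words)
    if len(words) < MIN_WORDS:
        return None
    swapped = [swap32(w) for w in words]
    for candidate, was_swapped in ((words, False), (swapped, True)):
        for name, known in KNOWN_TABLES.items():
            if len(candidate) <= len(known) and known[:len(candidate)] == candidate:
                return name, was_swapped
    return None


def read_dwords(symbol_name):
    """Ghidra side: 32-bit words of the Data item labelled `symbol_name`, read
    with the program's endianness (getUnsignedInt honours it). Returns [] when
    no such symbol exists or when not running inside Ghidra."""
    try:
        program = currentProgram  # injected by Ghidra into the script namespace
    except NameError:
        return []
    symbols = program.getSymbolTable().getSymbols(symbol_name)
    if not symbols.hasNext():
        return []
    data = symbols.next().getObject()
    return [data.getUnsignedInt(off) for off in range(0, data.getLength(), 4)]


# Constructed sample input: the first 16 words the LOOKUP_TABLE read above
# returned, so the offline run exercises the same path as the Ghidra run.
SAMPLE_WORDS = [0x0, 0x77073096, 0xee0e612c, 0x990951ba, 0x76dc419, 0x706af48f,
                0xe963a535, 0x9e6495a3, 0xedb8832, 0x79dcb8a4, 0xe0d5e91e,
                0x97d2d988, 0x9b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91]


def report(symbol_name="LOOKUP_TABLE"):
    """Identify the table behind `symbol_name`; falls back to SAMPLE_WORDS."""
    words = read_dwords(symbol_name) or SAMPLE_WORDS
    match = identify_table(words)
    if match is None:
        print("{}: {} words, no known table matched".format(symbol_name, len(words)))
    else:
        suffix = " (byte-swapped)" if match[1] else ""
        print("{}: {}{}".format(symbol_name, match[0], suffix))
    return match


report()
```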
Script to obtain local variables from a function (taken from this issue):
from ghidra.app.decompiler import DecompileOptions
from ghidra.app.decompiler import DecompInterface
from ghidra.util.task import ConsoleTaskMonitor

func = getFunctionContaining(currentAddress)
print "Analyzing variables for function '%s'@%s" % (func.name, currentAddress)

options = DecompileOptions()
monitor = ConsoleTaskMonitor()
ifc = DecompInterface()
ifc.setOptions(options)
ifc.openProgram(func.getProgram())
res = ifc.decompileFunction(func, 60, monitor)
high_func = res.getHighFunction()
lsm = high_func.getLocalSymbolMap()
symbols = lsm.getSymbols()

for i, symbol in enumerate(symbols):
    print("\nSymbol {}:".format(i+1))
    print("  name: {}".format(symbol.name))
    print("  dataType: {}".format(symbol.dataType))
    hs = symbol.getHighVariable() # note important part here
    instances = hs.getInstances() # note important part here
    for instance in instances:
        print("\n    instance: {}".format(instance))
        print("      type: {}".format(type(instance)))
        print("      uniqueID: {}".format(instance.uniqueId))
        print("      PCAddress: {}".format(instance.getPCAddress()))
        for desc in instance.getDescendants():
            print("        Descendant: {}".format(desc))
with the following output:
Analyzing variables for function 'CheckImplicitLoad'

Symbol 1:
  name: bVar1
  dataType: byte

    instance: (register, 0x8, 1)
      type: <type 'ghidra.program.model.pcode.VarnodeAST'>
      uniqueID: 193
      PCAddress: 10004886
        Descendant: (unique, 0x10000018, 4) INT_ZEXT (register, 0x8, 1)

    instance: (register, 0x8, 1)
      type: <type 'ghidra.program.model.pcode.VarnodeAST'>
      uniqueID: 22
      PCAddress: 1000486e
        Descendant: (register, 0x8, 1) MULTIEQUAL (register, 0x8, 1) , (register, 0x8, 1) , (register, 0x8, 1)
        Descendant: (register, 0x8, 1) MULTIEQUAL (register, 0x8, 1) , (register, 0x8, 1) , (register, 0x8, 1)

    instance: (register, 0x8, 1)
      type: <type 'ghidra.program.model.pcode.VarnodeAST'>
      uniqueID: 114
      PCAddress: 10004884
        Descendant: (register, 0x8, 1) MULTIEQUAL (register, 0x8, 1) , (register, 0x8, 1) , (register, 0x8, 1)

Symbol 2:
  name: param_1
  dataType: uint

    instance: (register, 0x0, 4)
      type: <type 'ghidra.program.model.pcode.VarnodeAST'>
      uniqueID: 186
      PCAddress: 10004886
        Descendant: (unique, 0x10000014, 4) INT_AND (register, 0x0, 4) , (const, 0xffffff00, 4)

    instance: (register, 0x0, 4)
      type: <type 'ghidra.program.model.pcode.VarnodeAST'>
      uniqueID: 184
      PCAddress: 1000487f
        Descendant: (register, 0x0, 4) MULTIEQUAL (stack, 0x4, 4) , (stack, 0x4, 4) , (register, 0x0, 4)

    instance: (stack, 0x4, 4)
      type: <type 'ghidra.program.model.pcode.VarnodeAST'>
      uniqueID: 141
      PCAddress: NO ADDRESS
        Descendant: (register, 0x206, 1) INT_NOTEQUAL (stack, 0x4, 4) , (const, 0x0, 4)
        Descendant: (unique, 0x41f80, 4) INT_AND (stack, 0x4, 4) , (const, 0xffff0000, 4)
        Descendant: (register, 0x0, 4) INT_AND (stack, 0x4, 4) , (const, 0xffff, 4)
        Descendant: (register, 0x0, 4) MULTIEQUAL (stack, 0x4, 4) , (stack, 0x4, 4) , (register, 0x0, 4)
        Descendant: (register, 0x0, 4) MULTIEQUAL (stack, 0x4, 4) , (stack, 0x4, 4) , (register, 0x0, 4)
It's also possible to take a look at all the analyzers available:
>>> from ghidra.util.classfinder import ClassSearcher
>>> from ghidra.app.services import Analyzer
>>> print '\n'.join(["%80s\t%s.%s"% (_.name, _.__class__.__module__, _.__class__.__name__) for _ in ClassSearcher.getInstances(Analyzer)])
Apple Single/Double Header Annotation ghidra.app.analyzers.AppleSingleDoubleAnalyzer
COFF Header Annotation ghidra.app.analyzers.CoffAnalyzer
COFF Archive Header Annotation ghidra.app.analyzers.CoffArchiveAnalyzer
Condense Filler Bytes ghidra.app.analyzers.CondenseFillerBytesAnalyzer
ELF Header Annotation ghidra.app.analyzers.ElfAnalyzer
Function Start Search ghidra.app.analyzers.FunctionStartAnalyzer
Function Start Search After Data ghidra.app.analyzers.FunctionStartDataPostAnalyzer
Function Start Search ghidra.app.analyzers.FunctionStartFuncAnalyzer
Function Start Search After Code ghidra.app.analyzers.FunctionStartPostAnalyzer
Mach-O Header Annotation ghidra.app.analyzers.MachoAnalyzer
PEF Header Annotation ghidra.app.analyzers.PefAnalyzer
PE Header Annotation ghidra.app.analyzers.PortableExecutableAnalyzer
AARCH64 ELF PLT Thunks ghidra.app.plugin.core.analysis.AARCH64PltThunkAnalyzer
ARM Pre-Pattern Analyzer ghidra.app.plugin.core.analysis.ARMPreAnalyzer
Apply Data Archives ghidra.app.plugin.core.analysis.ApplyDataArchiveAnalyzer
ARM Constant Reference Analyzer ghidra.app.plugin.core.analysis.ArmAnalyzer
ARM Symbol ghidra.app.plugin.core.analysis.ArmSymbolAnalyzer
CLI Metadata Token Analyzer ghidra.app.plugin.core.analysis.CliMetadataTokenAnalyzer
Basic Constant Reference Analyzer ghidra.app.plugin.core.analysis.ConstantPropagationAnalyzer
DWARF ghidra.app.plugin.core.analysis.DWARFAnalyzer
Data Reference ghidra.app.plugin.core.analysis.DataOperandReferenceAnalyzer
Call Convention ID ghidra.app.plugin.core.analysis.DecompilerCallConventionAnalyzer
Decompiler Parameter ID ghidra.app.plugin.core.analysis.DecompilerFunctionAnalyzer
Decompiler Switch Analysis ghidra.app.plugin.core.analysis.DecompilerSwitchAnalyzer
DWARF Line Number ghidra.app.plugin.core.analysis.DwarfLineNumberAnalyzer
ELF Scalar Operand References ghidra.app.plugin.core.analysis.ElfScalarOperandAnalyzer
Embedded Media ghidra.app.plugin.core.analysis.EmbeddedMediaAnalyzer
Non-Returning Functions - Discovered ghidra.app.plugin.core.analysis.FindNoReturnFunctionsAnalyzer
Demangler GNU ghidra.app.plugin.core.analysis.GnuDemanglerAnalyzer
HCS12 Constant Reference Analyzer ghidra.app.plugin.core.analysis.HCS12ConstantAnalyzer
HCS12 Calling Convention ghidra.app.plugin.core.analysis.HCS12ConventionAnalyzer
Demangler Microsoft ghidra.app.plugin.core.analysis.MicrosoftDemanglerAnalyzer
MIPS Constant Reference Analyzer ghidra.app.plugin.core.analysis.MipsAddressAnalyzer
MIPS UnAlligned Instruction Fix ghidra.app.plugin.core.analysis.MipsPreAnalyzer
MIPS Symbol ghidra.app.plugin.core.analysis.MipsSymbolAnalyzer
68000 Constant Reference Analyzer ghidra.app.plugin.core.analysis.Motorola68KAnalyzer
Non-Returning Functions - Known ghidra.app.plugin.core.analysis.NoReturnFunctionAnalyzer
Objective-C Class ghidra.app.plugin.core.analysis.ObjectiveC1_ClassAnalyzer
Objective-C Message ghidra.app.plugin.core.analysis.ObjectiveC1_MessageAnalyzer
Objective-C 2 Class ghidra.app.plugin.core.analysis.ObjectiveC2_ClassAnalyzer
Objective-C 2 Decompiler Message ghidra.app.plugin.core.analysis.ObjectiveC2_DecompilerMessageAnalyzer
Objective-C 2 Message ghidra.app.plugin.core.analysis.ObjectiveC2_MessageAnalyzer
Reference ghidra.app.plugin.core.analysis.OperandReferenceAnalyzer
PPC64 ELF Call Stubs ghidra.app.plugin.core.analysis.PPC64CallStubAnalyzer
PDB MSDIA ghidra.app.plugin.core.analysis.PdbAnalyzer
PDB Universal ghidra.app.plugin.core.analysis.PdbUniversalAnalyzer
PEF Indirect Addressing ghidra.app.plugin.core.analysis.PefAnalyzer
PEF Debug ghidra.app.plugin.core.analysis.PefDebugAnalyzer
PIC-12C5xx or PIC-16C5x ghidra.app.plugin.core.analysis.Pic12Analyzer
PIC-16 Constant Reference Analyzer ghidra.app.plugin.core.analysis.Pic16Analyzer
PIC-17C7xx ghidra.app.plugin.core.analysis.Pic17c7xxAnalyzer
PIC-18 ghidra.app.plugin.core.analysis.Pic18Analyzer
DInit Analyzer ghidra.app.plugin.core.analysis.Pic24DInitAnalyzer
PIC Switch Tables ghidra.app.plugin.core.analysis.PicSwitchAnalyzer
PowerPC Constant Reference Analyzer ghidra.app.plugin.core.analysis.PowerPCAddressAnalyzer
RISCV Constant Reference Analyzer ghidra.app.plugin.core.analysis.RISCVAddressAnalyzer
Scalar Operand References ghidra.app.plugin.core.analysis.ScalarOperandAnalyzer
Segmented X86 Calling Conventions ghidra.app.plugin.core.analysis.SegmentedCallingConventionAnalyzer
Sparc Constant Reference Analyzer ghidra.app.plugin.core.analysis.SparcAnalyzer
x86 Constant Reference Analyzer ghidra.app.plugin.core.analysis.X86Analyzer
Create Address Tables ghidra.app.plugin.core.disassembler.AddressTableAnalyzer
Call-Fixup Installer ghidra.app.plugin.core.disassembler.CallFixupAnalyzer
Call-Fixup Installer ghidra.app.plugin.core.disassembler.CallFixupChangeAnalyzer
Disassemble Entry Points ghidra.app.plugin.core.disassembler.EntryPointAnalyzer
Subroutine References ghidra.app.plugin.core.function.CreateThunkAnalyzer
External Entry References ghidra.app.plugin.core.function.ExternalEntryFunctionAnalyzer
Subroutine References ghidra.app.plugin.core.function.FunctionAnalyzer
Shared Return Calls ghidra.app.plugin.core.function.SharedReturnAnalyzer
Shared Return Calls ghidra.app.plugin.core.function.SharedReturnJumpAnalyzer
Stack ghidra.app.plugin.core.function.StackVariableAnalyzer
X86 Function Callee Purge ghidra.app.plugin.core.function.X86FunctionPurgeAnalyzer
ASCII Strings ghidra.app.plugin.core.string.StringsAnalyzer
Variadic Function Signature Override ghidra.app.plugin.core.string.variadic.FormatStringAnalyzer
GCC Exception Handlers ghidra.app.plugin.exceptionhandlers.gcc.GccExceptionAnalyzer
Windows x86 PE Exception Handling ghidra.app.plugin.prototype.MicrosoftCodeAnalyzerPlugin.PEExceptionAnalyzer
WindowsPE x86 Propagate External Parameters ghidra.app.plugin.prototype.MicrosoftCodeAnalyzerPlugin.PropagateExternalParametersAnalyzer
Windows x86 PE RTTI Analyzer ghidra.app.plugin.prototype.MicrosoftCodeAnalyzerPlugin.RttiAnalyzer
WindowsResourceReference ghidra.app.plugin.prototype.MicrosoftCodeAnalyzerPlugin.WindowsResourceReferenceAnalyzer
Aggressive Instruction Finder ghidra.app.plugin.prototype.analysis.AggressiveInstructionFinderAnalyzer
ARM Aggressive Instruction Finder ghidra.app.plugin.prototype.analysis.ArmAggressiveInstructionFinderAnalyzer
Function ID ghidra.feature.fid.analyzer.FidAnalyzer
Android Boot or Recovery Image Annotation ghidra.file.formats.android.bootimg.BootImageAnalyzer
Android DEX Condense Filler Bytes ghidra.file.formats.android.dex.analyzer.DexCondenseFillerBytesAnalyzer
Android DEX Exception Handlers ghidra.file.formats.android.dex.analyzer.DexExceptionHandlersAnalyzer
Android DEX Header Format ghidra.file.formats.android.dex.analyzer.DexHeaderFormatAnalyzer
Android DEX Data Markup ghidra.file.formats.android.dex.analyzer.DexMarkupDataAnalyzer
Android DEX Instruction Markup ghidra.file.formats.android.dex.analyzer.DexMarkupInstructionsAnalyzer
Android DEX Switch Table Markup ghidra.file.formats.android.dex.analyzer.DexMarkupSwitchTableAnalyzer
Android ODEX Header Format ghidra.file.formats.android.odex.OdexHeaderFormatAnalyzer
Binary Property List (BPLIST) Annotation ghidra.file.formats.bplist.BinaryPropertyListAnalyzer
Ext4 Analyzer ghidra.file.formats.ext4.Ext4Analyzer
Ext4 Analyzer NEW ghidra.file.formats.ext4.NewExt4Analyzer
Apple 8900 Annotation ghidra.file.formats.ios.apple8900.Apple8900Analyzer
DMG ghidra.file.formats.ios.dmg.DmgAnalyzer
DYLD Cache Annotation ghidra.file.formats.ios.dyldcache.DyldCacheAnalyzer
iOS Analyzer for iBoot, LLB, iBSS, and iBEC files ghidra.file.formats.ios.generic.iOS_Analyzer
Apple iOS ARM Symbol Fixup ghidra.file.formats.ios.generic.iOS_FixupArmSymbolsAnalyzer
iOS Kext STUB Section Fixup ghidra.file.formats.ios.generic.iOS_KextStubFixupAnalyzer
iBoot Image (iBootIm) Annotation ghidra.file.formats.ios.ibootim.iBootImAnalyzer
IMG2 Annotation ghidra.file.formats.ios.img2.Img2Analyzer
IMG3 Annotation ghidra.file.formats.ios.img3.Img3Analyzer
ISO9660 File Format Annotation ghidra.file.formats.iso9660.ISO9660Analyzer
LZSS Compression Annotation ghidra.file.formats.lzss.LzssAnalyzer
YAFFS2 Image Annotation (used in Android System and Userdata image files) ghidra.file.formats.yaffs2.YAFFS2Analyzer
Java Class Analyzer ghidra.javaclass.analyzers.JavaAnalyzer
JVM Switch Analyzer ghidra.javaclass.analyzers.JvmSwitchAnalyzer
CFStrings ghidra.macosx.analyzers.CFStringAnalyzer
Mach-O Constructor/Destructor ghidra.macosx.analyzers.MachoConstructorDestructorAnalyzer
Test ghidra.macosx.analyzers.TestAnalyzer
Script to list the callers of a function and the arguments passed at each call site, found by walking the p-code CALL ops of each decompiled caller (the callee's entry address is passed in explicitly, since it is only known inside getXref):
from ghidra.app.decompiler import DecompileOptions
from ghidra.app.decompiler import DecompInterface
from ghidra.util.task import ConsoleTaskMonitor

def getXref(func):
    # Distinct functions containing a reference to func's entry point
    target_addr = func.entryPoint
    references = getReferencesTo(target_addr)
    callers = []
    for xref in references:
        call_addr = xref.getFromAddress()
        caller = getFunctionContaining(call_addr)
        if caller is not None: # references from data have no containing function
            callers.append(caller)
    return list(set(callers))

def getCallerInfo(caller, target_addr, options = DecompileOptions(), monitor = ConsoleTaskMonitor(), ifc = DecompInterface()):
    # Decompile the caller and report every p-code CALL whose target is target_addr
    ifc.setOptions(options)
    ifc.openProgram(currentProgram)
    res = ifc.decompileFunction(caller, 60, monitor)
    high_func = res.getHighFunction()
    if high_func:
        opiter = high_func.getPcodeOps()
        while opiter.hasNext():
            op = opiter.next()
            mnemonic = str(op.getMnemonic())
            if mnemonic == "CALL":
                inputs = op.getInputs()
                addr = inputs[0].getAddress()
                args = inputs[1:] # List of VarnodeAST types
                if addr == target_addr:
                    print("Call to {} at {} has {} arguments: {}".format(addr, op.getSeqnum().getTarget(), len(args), args))
                    for arg in args:
                        # Do stuff with each `arg` here...
                        # Not sure what to do? Check out this great article by Lars A. Wallenborn for some ideas:
                        # https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/
                        # Specifically, search for the function implementation of "traceVarnodeValue"
                        pass

# Usage: run with the cursor inside the function whose callers are wanted
func = getFunctionContaining(currentAddress)
for caller in getXref(func):
    getCallerInfo(caller, func.entryPoint)
Decompiler
From this issue, some indication of how to debug the decompiler by building and running its stand-alone debug binary:
$ cd Ghidra/Features/Decompiler/src/decompile/cpp
$ make decomp_dbg
$ export SLEIGHHOME=~/git/ghidra/
$ ./decomp_dbg
[decomp]>