Плагины Ghidra


Соломенные сандалии
Тема по плагинам для Ghidra, основная тема по Ghidra здесь - GHIDRA software reverse engineering suite of tools


Ghidra FindCrypt
FindCrypt v1.2.0Latest
on Aug 16, 2020

This is a re-write of another Ghidra FindCrypt script as an auto analysis module. It also takes better advantage of the Ghidra API to label found constants.

Dragon Dance
dragondance v0.2.2Latest
on Sep 15, 2019

Dragon Dance is a plugin for Ghidra to get visualize and manipulate the binary code coverage data. Coverage data can be imported from the multiple coverage sources. For now the plugin supports Dynamorio and Intel Pin binary instrumentation tools. Dynamorio has its own coverage collection module called "drcov". Intel Pin does not provide a builtin coverage collector module. To handle the lack of module situation I have to write my own coverage collection module for Intel Pin. So I wrote a coverage collection module for Intel Pin named ddph (Dragon Dance Pin Helper). So you can use that. You can view ddph's source from this link. If you are lazy to compile for your own, you can use the compiled binaries I provided for Windows, macOS and Linux.

FindCrypt - Ghidra Edition
Fragmented constants scan and in-code scans - MANDATORYLatest
on Apr 17, 2020

While for years we used IDA Pro and its incredible plugins developed by its huge community, Ghidra came out recently (at the time of writing) showing a lot of potential and an incredible modular design for customization both in Python or Java.
As most of you know, FindCrypt, a plugin made by nonetheless than Ilfak Guilfanov himself for IDA, is essential for quickly find references to Cryptography functions in the target and extremely useful in the field of Reverse Engineering.
I'm trying to move to Ghidra and the very first thing I noticed is how important is the plugin to me, so I took the responsibility to migrate it, in Java, without sacrificing any signature and try to improve it as well.

Ghidra: Fizz - Signature Maker Plugin
This is a simple plugin which can create array of byte signatures for a currently selected area, block, or function.

Полезная функция для разработчика питон скриптов -
Ghidra .pyi Generator
The Ghidra .pyi Generator generates .pyi type stubs for the entire Ghidra API. Those stub files can later be used in PyCharm to enhance the development experience.


You can either use the stubs released here, or follow the instructions below to generate them yourself.
To use the stubs in PyCharm, follow the instructions in Install, uninstall, and upgrade interpreter paths.


A Ghidra script to export information to a x64dbg database.

  • Exports functions, function names (as labels), and function prototypes (as comments)
  • Exports labels for global variables
  • Exports bookmarks
  • Exports some (see Limitations) decompiled C statements (as comments)


Ghidra Scripts by AGDCservices
Custom scripts to make analyzing malware easier in Ghidra

This script will name all unidentified functions with a nomenclature that provides a preview of important capabilities included within the function and all child functions.
The script includes a list of hardcoded important API calls. The script will locate all calls contained in the unidentifed function and it's children functions. For any of the calls which match the hardcoded API call list, a shorthand name will be applied to indicate which category of important call is contained within the function.
The naming nomenclature is based on capability and does not identify specific API's. By keeping the syntax short and just for capability, you can get a preview of all the important capabilities within a function without having the name get enormous. See script header for more details.
For a video demonstration of this script, view the video "Ghidra Script To Name Function From Capabilities" on the AGDC Services channel of youtube, https://youtu.be/s5weitGaKLw

Script to search all instructions in current program looking for target instructions of interest. When found, a defined highlighting color will be applied to make it easy to identify target instructions. Target instructions are things like call instructions, potential crypto operations, pointer instructions, etc. Highlighting instructions of interest decrease the chance of missing important instructions when skimming malware code. See script header for more usage details.
Default color choices are made to work with the AGDC_codeBrowser_##.tool. They can be changed to fit any coloring schema by modifying the defined color constants at the top of the script

Script to aid in reverse engineering files that dynamically resolve imports. Script will search program for all dynamically resolved imports and label them with the appropriate API name pulled from a provided labeled IAT dump file. Only resolved imports stored in global variables will be identified. This script will not label every resolved global variable, but only those that are used inside a call instruction.

The labeled IAT dump file must be generated by an associated program, "Dump_Labeled_Iat_Memory.exe". This program is located in another repo on this github site called "Misc Malware Anaysis Tools". See script header for more usage details. https://youtu.be/wYiPEDV9IAw

Removes all highlight colors from current program. Applied highlighting colors are saved with the ghidra file. This script can be used to remove the colors prior to exporting and sharing the ghidra database so that the highlight colors don't clash with different color schemes used by coworkers. See script header for more usage details.

Adds a single space as a repeatable comment to all functions within the current program. By default, Ghidra adds a function prototype as a repeatable comment to all functions. These comments are very long which will force the code block to expand it its maximum size within the graph view. These default comments do not add any real value and decreases the amount of code that can be seen in the graph view.

Currently, there is no way to turn this option off. A work around is to replace the repeatable comment with a single space so that you don't see any comment by default, and the code block is not expanded out to it's maximum size because of the long function prototype comment. See script header for more usage details.

A number of commonly used convenience functions to aid in rapid scripting, e.g. Get_Operand_As_Immediate_Value, Get_Next_Target_Instruction, Get_Bytes_List, etc. See script header for more usage details.
Верх Низ