Malware Analysis Tools for Ghidra

Below is a round-up of some of my work at the Software Engineering Institute with Ghidra, developing automated tools for reverse engineering and static code analysis, particularly with an eye toward malware analysis.

SEI Blog Post: Introducing CERT Kaiju: Malware Analysis Tools for Ghidra

SEI Podcast: Building on Ghidra: Tools for Automating Reverse Engineering and Malware Analysis

I co-authored the above article and podcast with Jeff Gennari. The Kaiju extension for Ghidra is also available on GitHub, although it should be considered fairly experimental. It was a good way to learn about Ghidra's internals, which are not well documented, and I would probably approach it very differently if I were to start the project over today. Ghidra has also improved significantly in the releases since its initial open sourcing, which enables many more features than I had when first starting this project, but its API and tools have not been very stable, which unfortunately means Kaiju releases are tied to specific versions of Ghidra.

I also contributed to some related code analysis tools within SEI, including the Pharos framework, which is available on GitHub. In particular, I worked on some of the Windows API database and logic.

(Note: Updated 2022-02-10 to include the podcast on this topic that took a bit of time to get published on the SEI website.)