Skip to content

MISP/misp-ghidra

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
docs
docs
 
 
ghidra_scripts
ghidra_scripts
 
 
img
img
 
 
mispghidra
mispghidra
 
 
test
test
 
 
.gitignore
.gitignore
 
 
readme.md
readme.md
 
 
requirements.txt
requirements.txt
 
 
roadmap.md
roadmap.md
 
 
setup.sh
setup.sh
 
 
template.env
template.env
 
 

Repository files navigation

MISP-Ghidra is a python library and scripts to extend Ghidra for exporting ghidra decompilation indicators (functions names, FID hashes, BSIM vectors) to MISP Objects

This is a work in progress.

Requirements

Ghidra 12.0.2 with PyGhidra and BSIM plugin activated

Installation

Install requirements with your pyghidra venv

~/.config/ghidra/ghidra_12.0.2_PUBLIC/ghidra_12.0.2_PUBLIC/venv/bin/pip install -r requirements.txt

Copy the MISP config.toml template and edit with your own API keys

cp mispghidra/misp/config/config.template.toml mispghidra/misp/config/config.toml

GUI Usage

Launch ghidra with PyGhidra : pyghidra -g or ghidra_12.0.2_PUBLIC/support/pyghidraRun

Add the ghidra_scripts directory from this git repository to the Ghidra Bundle Manager

The scripts are under the category MISP

Run MISP/Test connection to the MISP instance to test the connection to the MISP instances API (configured in config.toml)

GUI scripts

Headless Usage

Check the /test/ directory bash scripts for more examples.

Add a single ghidra-function object to existing event in MISP

pyghidraRun --headless ${PROJECT_PATH} ${PROJECT_NAME} \
    -import ${BINARY_PATH} \
    -postScript ghidra_scripts/ghidra-functions-to-MISP.py \
    --event-uuid ${EVENT_UUID_EXISTING} \
    --function-address ${FUNCTION_ADDRESS}

Add object to new event in MISP

pyghidra \
pyghidraRun --headless ${PROJECT_PATH} ${PROJECT_NAME} \
    -import ${BINARY_PATH} \
    -postScript ghidra_scripts/ghidra-functions-to-MISP.py \
    --new-event \
    --function-address ${FUNCTION_ADDRESS}

Add all functions to an event

pyghidraRun --headless ${PROJECT_PATH} ${PROJECT_NAME} \
    -import ${BINARY_PATH} \
    -postScript ghidra_scripts/ghidra-functions-to-MISP.py \
    --new-event \
    --all-functions

Filter on function types and names

This is still a work in progress.

You can filter on which functions to send based on function types (thunk, defined, external, internal) and function names (regex)

pyghidraRun --headless ${PROJECT_PATH} ${PROJECT_NAME} \
    -import ${BINARY_PATH} \
    -postScript ghidra_scripts/ghidra-functions-to-MISP.py \
    --new-event \
    --all-functions
    --name-include "entry" \
    --name-exclude "^_|^abort|^plt" \
    --ignore thunks \
    --new-event \

In MISP

misp-ghidra creates by default the objects:

	file   | file
    ghidra | ghidra-function

Correlation graph on FID hashes

Event correlation graph

Function call tree graph

Event graph

About

Ghidra and MISP

Topics

malware-analysis misp reversing ghidra ghidra-extension

Resources

Readme
Activity
Custom properties

Stars

5 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages