Stay Ahead of Cyber Threats – Daily Security Insights, Powered by AI
In this blog, we’ll use Ghidra to analyse a suspicious imported function identified with PeStudio.
This forms a basic and repeatable workflow within Ghidra, where imported functions are cross-referenced to establish context and intent.
Not only does this establish context, but it almost always establishes an area of code that you can begin to work from within Ghidra.…
Leveraging Ghidra to establish context and intent behind suspicious strings. Taking things one step further after initial analysis tooling like Pe-Studio and Detect-it-easy.
This is great technique for working with Ghidra and establishing a starting point for analysis. Reducing total investigation time and determining why and how a string is contained within a file.…
This post is a continuation of “Malware Unpacking With Hardware Breakpoints”.
Here we will be utilising Ghidra to locate the shellcode, analyse the decryption logic and obtain the final decrypted content using Cyberchef.
Locating the Shellcode Decryption Function In GhidraAt the point where the hardware breakpoint was first triggered, the primary executable was likely in the middle of the decryption function.…
Intermediate
Improving Malware Analysis Workflows by Modifying the default Ghidra UI.
MatthewOct 25, 2023 — 4 min read
The Ghidra User interface can be intimidating and complicated for users who are not familiar with the tool.
In this post, I’ll go over some changes that I made in order to improve the usability of Ghidra and ensure a better analysis experience.…
Start with open https://siteconfig.fivefilters.org/
Enter a URL to the article for which you’d like custom extraction rules applied.
Select a block which appears to contain only the article content (or as close to it as possible).
Click Download Full-Text RSS site config to download a site config file for the site.…