
Ghidra Script To Name Function From Capabilities

4.3K views
Apr 17, 2021
34:42

View our malware analysis training: https://AGDCservices.com/training/
Follow me on Twitter for RE tips and resources: https://twitter.com/AGDCservices
View our malware analysis products to aid in your RE efforts (Ghidra / python scripts, tools, and individual analysis results): https://github.com/agdcservices
Get resources to help with learning malware analysis: https://agdcservices.com/blog/resources-for-learning-malware-analysis/

Static malware analysis is all about knowing which functions to look at and which to ignore, so you can quickly find important Indicators of Compromise (IOCs). Important functions are identified by the APIs used within them, but it can take a lot of time to step through every function to find the relevant APIs. This video introduces a Ghidra script that automatically names functions based on their functionality, giving you a preview of each function's capability so you can decide whether to step into it or skip over it. A unique naming convention lets you see at a glance whether a function performs common operations such as networking, process operations, registry operations, etc. We demonstrate how useful this is by applying the script to a basic RAT and showing how you can quickly decide where to look for IOCs.

Download the malware samples at https://malshare.com to review in your own analysis lab:
1. Example 1: Ba284b8dae1d85ebe4d24f38eaa588bfdf73a4b54188da0aa39ac936d2388c7a

Download the Ghidra script, "Preview_Function_Capabilities": https://github.com/AGDCservices/Ghidra-Scripts

#ReverseEngineering #MalwareAnalysis #SRE #RE #Ghidra #Scripting
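The approach the description outlines, as an added illustration that is not the AGDCservices "Preview_Function_Capabilities" script: map the Windows APIs a function calls directly to capability tags and prefix its default Ghidra name with them. The API table, the `net_reg_FUN_...` naming convention, and the Ghidra driver (which assumes Ghidra's Jython with `currentProgram` and `monitor` injected) are assumptions of this example.

```python
# Added example, not the AGDCservices "Preview_Function_Capabilities" script.
# Tags a function with the capability categories of the Windows APIs it calls
# directly. API table and "net_reg_FUN_..." naming convention are constructed.
CAPABILITY_APIS = {
    "net": ("socket", "connect", "send", "recv", "WSAStartup", "InternetOpen",
            "InternetOpenUrl", "HttpSendRequest", "URLDownloadToFile"),
    "proc": ("CreateProcess", "ShellExecute", "OpenProcess",
             "WriteProcessMemory", "CreateRemoteThread", "VirtualAllocEx"),
    "reg": ("RegOpenKeyEx", "RegCreateKeyEx", "RegSetValueEx", "RegQueryValueEx", "RegDeleteValue"),
    "file": ("CreateFile", "WriteFile", "ReadFile", "DeleteFile", "CopyFile", "FindFirstFile"),
}
_API_TO_TAG = dict((api, tag) for tag, apis in CAPABILITY_APIS.items() for api in apis)


def _normalize(callee):
    """Strip a 'LIB.DLL::' namespace and an A/W suffix (CreateFileW -> CreateFile)."""
    base = callee.split("::")[-1]
    if base[-1:] in ("A", "W") and base[:-1] in _API_TO_TAG:
        return base[:-1]
    return base


def capability_tags(callee_names):
    """Return the sorted, de-duplicated capability tags for a list of callee names."""
    tags = set(_API_TO_TAG[b] for b in map(_normalize, callee_names) if b in _API_TO_TAG)
    return sorted(tags)


def build_name(original, tags):
    """FUN_00401000 -> net_reg_FUN_00401000; analyst-assigned names are never overwritten."""
    if not tags or not original.startswith("FUN_"):
        return original
    return "_".join(sorted(tags)) + "_" + original


def rename_functions(program, monitor):
    """Ghidra driver (assumed Jython). Only direct callees count, so a wrapper
    one level up is not tagged; a deliberate simplification of this example."""
    from ghidra.program.model.symbol import SourceType  # only available inside Ghidra
    renamed = 0
    for func in program.getFunctionManager().getFunctions(True):
        if func.isThunk() or func.isExternal():
            continue  # thunks/imports are the APIs themselves, not callers
        callees = [f.getName() for f in func.getCalledFunctions(monitor)]
        new_name = build_name(func.getName(), capability_tags(callees))
        if new_name != func.getName():
            func.setName(new_name, SourceType.USER_DEFINED)
            renamed += 1
    return renamed


if __name__ == "__main__" and "currentProgram" in globals():
    print("renamed %d functions" % rename_functions(currentProgram, monitor))
```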
