The workshop tickets for my Advanced Ghidra Scripting & Automation workshop at @defcon.bsky.social are live now: events.humanitix.com/dc33ws-n260-...
16.07.2025 11:48
@maxkersten.nl.bsky.social
Malware analyst and reverse engineer, author of the Binary Analysis Course. DMs are always open. Opinions are my own and not the views of my employer.

Questions and suggestions are always welcome! I'm happy to share back to the community with these scripts, all of which are open-source and can be found on GitHub.
GitHub: github.com/advanced-thr...
10/10
On the left are several instructions as shown by default in Ghidra; on the right-hand side the external function parameters are added as comments by the script.
Based on @struppigel.bsky.social's script, we propagate external function parameters in the disassembly listing, making life slightly easier!
9/n
A side-by-side view of the same disassembly instructions. The left-hand side is shown as-is by Ghidra, while the right-hand side contains the colourised function calls based on the function's complexity. The brighter red a function call is, the more complex the function is.
Using the same graph theory code as used in GhidrAI, we can define which functions are the (least) complex. The most complex function calls are marked bright red, less complex functions in darker shades of red. This helps you identify interesting functions when no symbols are present!
8/n
Word Art 2003 style text which states "Graphic Design is my passion"
Those who have worked with me before know that visual art creation is not my strength. Visuals can, however, be very helpful during the analysis! And thus: graphic design is (now) my passion!
7/n
The output of the LLM shown within Ghidra's plate comment
That is not to say the LLM will generate perfect function and variable names or function summaries. But it can't hurt to try! The result gives you, the analyst, a lot more context and insight!
6/n
A side-by-side view of Ghidra's decompiler. Left is the raw output, right is the output enhanced by the LLM.
Based on research by @mrphrazer.bsky.social and @mu00d8.bsky.social, presented at RECon 2024, I used graph theory code from Ghidra's codebase to select the order in which functions are sent to the LLM, ensuring as much context as possible is retained. The script is aptly named GhidrAI!
5/n
The usage of BSim to rename functions automatically is something I dove into last year (see post two in this thread). The new Automagic script allows you to include multiple BSim databases to use per file, while specifying different similarity values per database! Granularity!
4/n
The improved workflow, where the yellow squares remain unchanged while the blue ones have been newly added.
My new research focuses on an improved version of this workflow, while putting my money where my mouth is by providing ready-to-use scripts for all steps along the way!
3/n
The workflow to analyze files when reverse engineering, with a focus on accuracy.
Last year, I blogged about the recovery of symbols in my "No Symbols, No Problem" blog and subsequent DEFCON 32 talk. This resulted in a workflow, as shown in the attached image.
Blog: www.trellix.com/blogs/resear...
Talk: www.youtube.com/watch?v=-re_...
2/n
A side by side comparison of the original output by Ghidra, and the LLM enriched output.
Ghidra, scripting, LLM, automagic automation. That should grab the attention for this thread. If you want to read the complete blog, you can do so here: www.trellix.com/blogs/resear...
1/n
This year's @botconf.infosec.exchange.ap.brid.gy edition was a great experience! I wrote about it in my most recent blog: maxkersten.nl/2025/05/27/m...
27.05.2025 11:42

A picture of the workshop's title slide
Tuesday's workshop @botconf.infosec.exchange.ap.brid.gy went well with very engaged and enthusiastic attendees!
22.05.2025 10:12

Coming Tuesday I will represent Trellix at @botconf.infosec.exchange.ap.brid.gy in Angers with a four hour workshop on Ghidra automation!
16.05.2025 11:22

Ghidra has multiple types of comments you can set, but when can you best use which comment? You'll find the explanation in my Ghidra tip of the month: maxkersten.nl/2025/04/15/g...
30.04.2025 07:57

Two weeks ago, @re-verse.io happened! I wrote about my experience at the conference in my most recent blog: maxkersten.nl/2025/03/12/m...
12.03.2025 13:59

Jordan is wearing a Binary Ninja t-shirt, hoodie, and cap, whereas I'm wearing a Ghidra t-shirt and a Hex Rays cap
What do you wear at @re-verse.io? A Ghidra t-shirt and Hex Rays cap, with @psifertex.bsky.social rocking the Binary Ninja t-shirt, hoodie, and cap!
01.03.2025 15:49

The image contains a part of the talk's abstract: The dreadful feeling when reversing a binary which shows hundreds or thousands of unknown functions is, unfortunately, all too well known by analysts. It does not matter if the binary in question is a malware sample, a patch-diffing effort, or a hobby project, the lack of function symbols severely slows down the analysis. This talk dives into function symbol recovery by detecting code reuse in binaries to avoid the slow and tedious analysis, and to improve attribution capabilities. The AcidRain and AcidPour wipers, used against Ukrainian targets in the wild, will be used as case studies. Automation of repetitive steps is kept in mind throughout the process.
This Friday, I will represent Trellix at @re-verse.io and I will talk about code reuse, attribution, and the dangers thereof. Looking forward to it, and to meeting the Vector 35 folks! The full abstract can be found at: re-verse.sessionize.com/session/754398
25.02.2025 12:05

My reverse engineering workflows survey is still ongoing! In less than 3 minutes, you can fill it in and help out: docs.google.com/forms/d/e/1F...
16.01.2025 12:29

Ever run a script in Ghidra that you wanted to cancel, only to find out that the script would not let you? The TaskMonitor handles the cancellation event; December's Ghidra tip dives into the details: maxkersten.nl/2024/12/31/g...
07.01.2025 13:09

Ghidra can do a lot, but some tasks are best outsourced to (micro)services! How? This month's tip helps you along: maxkersten.nl/2024/11/27/g...
27.11.2024 12:14

Interested in technical malware analysis content and news? This is your (continuously updated) starter pack: go.bsky.app/BLY75TZ
19.11.2024 07:40

Was working on one, figured I'd share it here now that the first iteration is complete and I saw your message: go.bsky.app/BLY75TZ
Suggestions are always welcome :)