At VDA Labs we get excited about Reverse Engineering tools, and the recent release of NSA’s GHIDRA does not disappoint. The fact that it is free, supports many different CPU architectures, contains decompiler functionality, and allows many Reverse Engineers to work on the same project via a Team server, are some of the highlights. Another area of immediate interest to us was the scripting functionality. Much like IDA Pro, it is very easy to write scripts to help automate Reverse Engineering tasks.

A Quick Script

While playing with this functionality, we quickly wrote a script that searches through a program for the use of any unsafe functions. While not overly complicated, it demonstrates how fast and easy it is to extend GHIDRA’s functionality. We hope you have as much fun scripting GHIDRA as us!

How to Run a GHIDRA Script

Running one of the 238 included scripts, or adding your own script is quite easy. Simply drop the script on one of these directories.

Another option is creating your own script in the “Script Manager” interface.

After creating the “FindBannedFunctions.py” GHIDRA script, simply run it on any program like is shown below.

The output for an example ARM program we are reversing in some of our previous IoT hacking blogs, should look something like the screen capture below.

Simply double-click any of the identified memory addresses to visit the Banned Function entry point. Once there, you can press “Ctrl-Shift-F” to find any Cross-references where the Banned Function is used in the application. Happy GHIDRA scripting! And if you need any reverse engineering support — we’d love to help.