Skip to content
Please note that GitHub no longer supports Internet Explorer.

We recommend upgrading to the latest Microsoft Edge, Google Chrome, or Firefox.

Learn more
A collection of pwn/CTF related utilities for Ghidra
Python
Branch: master
Clone or download
Cannot retrieve the latest commit at this time.
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
docs/images added system call annotation Jan 17, 2020
scripts added utility to go to main() Jan 20, 2020
.gitignore Initial commit Jan 10, 2020
LICENSE Initial commit Jan 10, 2020
README.md updated README.md Jan 20, 2020

README.md

pwndra

A collection of pwn/CTF related utilities for Ghidra

Utilities

Replace Constants

This utility will attempt to replace known constants in functions with their human readable counterpart.

pwndra constants

Annotate Syscalls

This utility will attempt to find and identify system calls (and arguments).

Annotation in the decompiler view pwndra syscalls

Arguments are annotated in the disassembler view pwndra syscalls

Character Conversion

The correct workflow to convert displayed data in an operand is to right click the value and select the conversion type under the Convert submenu, however, on request I have made a script to convert the display type of operands to char so it can be used with a keyboard shortcut for convenience (IDA style).

To use it select the In Tool option of the UtilitiesConvertCharacter.py script and then select a numeric operand and hit shift+r to convert to a string. You can change the shortcut by editing the line that contains the comment with keybinding in it at the top of the script.

Goto Main

One annoying difference between Ghidra and IDA is that Ghidra makes no attempt to jump to main() (or the entry point) when you load a binary. The UtilitiesGotoMain.py script aims to correct that. Run it directly or if integrated with In Tool then hit ctrl+m and it will attempt to dynamically find main() and move focus to that function.

If there is no main() function detected, it will jump to the entry function. If you run on a stripped binary then it will rename the main function for you.


Installation

Clone the repository or download and extract somewhere. In Ghidra, open the Script Manager (Window -> Script Manager) click the Script Directory buttom and add pwndra/scripts to the list.

Once the script directory is added to Ghidra you can find the scripts in the Pwn category. You can run the scripts directly from the Script Manager if you like but the scripts also have menus and keyboard shortcuts for ease of use. In order to activate the menus and shortcuts you must click the In Tool checkbox next to the scripts you wish to integrate into the tool.

If you clicked In Tool the menus will be under Analysis -> Pwn and any shortcuts for scripts are listed in the menu item that uses that shortcut.

Usage

There are several frontends available:

  • aarch64
  • amd64
  • arm (oabi/eabi)
  • hppa
  • i386
  • m68k
  • mips (n32/o32/n64)
  • powerpc
  • powerpc64
  • sh
  • sh4
  • sparc
  • sparc64
  • thumb

You can either run one of those frontend scripts directly (through the Script Manager or if you clicked In Tool you can access a menu; Analysis -> Pwn -> Tool Name).

There is an Auto frontend that will automatically detect the current loaded program for you. This can also be accessed with the keyboard shortcut which is specified in the menu item for the tool.

The scripts have two modes of operation, the default is to operate globally, the second is to only operate on a given selection. This is useful for those times where you have two binary modes interlaced in the same code such as i386/amd64 or thumb/arm.

You can’t perform that action at this time.