Port of devttyS0's IDA plugins to the Ghidra framework. To install, clone the repository and add the script directory via Ghidra's Script Manager. If you check the 'In Tool' checkbox, the scripts will appear under a 'TNS' tag.
Table Of Contents
OG Scripts
Call Chain - Find call chains between two functions.
Codatify - Fix up code and data.
Fluorescence - Highlight function calls.
Function Profiler - Display cross refs from the current function.
Leaf Blower - Identify common POSIX functions.
Local Cross References - Find references to items in the current function.
MIPS Rop Finder - Find ROP gadgets in MIPS disassembly.
Rename Variables - Rename saved stack variables.
Rizzo - Create fuzzy function signatures that can be applied to other projects.
New Scripts
Operator - Identify calls to functions and the parameters that are provided to the function.
Call Chain
Display the call chain, if it exists, between two functions. The output is displayed using a modified graphviz library as well as in Ghidra's console.
Codatify
Fixup Code
Define all undefined data in the .text section as code and convert it to a function if applicable.
[Images: before and after]
Fixup Data
Define uninitialized strings and pointers in the code. All other uninitialized data is converted to a DWORD. Finally, search for function tables and rename functions based on the discovered tables.
[Images: data section and cross reference, before and after]
Fluorescence
Highlight or un-highlight all function calls in the current binary.
Function Profiler
Display all cross references from the current function. Will display all strings, functions, and labels. Depending on the size of the function, the console output size may need to be adjusted to view all the text.
Leaf Blower
Identify common POSIX functions such as printf, sprintf, memcmp, strcpy, etc.
Identify Leaf Functions
Identify leaf functions such as strcpy, strlen, atoi, etc.
Identify Format Parameter Functions
Identify functions that accept format parameters to identify sprintf, printf, fscanf, etc.
Local Cross References
Find references to the selected item in the current function.
Operator
Identify calls and the parameters provided to the function when called. The script takes variadic arguments into account if they can be identified; arguments passed via the stack, however, are not taken into account.
MIPS ROP Gadget Finder
Find ROP gadgets in MIPS disassembly.
Double Jumps
Search for gadgets that contain double jumps.
Find
Find gadgets that contain custom MIPS instructions. Regular expressions are
supported. To search for a move to a0 from anything, simply search for
"move a0,.*".
Indirect Return
Find indirect return gadgets. Call t9 and then return to ra.
Li a0
Find gadgets that load a small value into a0. Useful for calling sleep.
Stack Finder
Find gadgets that place a stack address in a register.
Summary
Print a summary of gadgets that have been bookmarked with the string ropX,
where X is the gadget's position in the ROP chain. Double jumps can be displayed
by appending _d to the ropX bookmark name: ropX_d.
System Gadgets
Find gadgets suitable for calling system with user controlled arguments.
Rename Variables
Rename saved stack variables for easier tracking. Only valid in MIPS.
Rizzo
Create function signatures that can be shared amongst different projects. There are multiple sets of signatures that are generated:
- Formal: Function matches entirely
- Fuzzy: Functions resemble each other in terms of data/call references.
- String: Functions contain same string references.
- Immediate: Functions match based on large immediate value references.
Formal signatures are applied first, followed by string, immediate, and fuzzy. If a function is considered a match, its internal calls are also considered for renaming.
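The matching order described above, as an added stand-alone Python sketch; it is not the Rizzo script's own code. The hashing scheme, the tuple layout, the 0xFFFF cutoff for a "large" immediate, the rule that only signatures owned by a single function are used, and all function names and sample data are assumptions made for illustration.

```python
import hashlib
ORDER = ("formal", "string", "immediate", "fuzzy")  # application order given above

def _h(items):
    return hashlib.sha256(repr(list(items)).encode()).hexdigest()[:16]

def signatures(f):
    insns, strings, imms, calls, data_refs = f
    big = sorted(i for i in imms if i > 0xFFFF)  # "large" cutoff is an assumption
    sigs = (_h(insns.split()), _h(sorted(strings)) if strings else None,
            _h(big) if big else None, _h([len(calls), data_refs]))
    return dict(zip(ORDER, sigs))

def index(funcs, kind):  # signature -> name, only if exactly one function owns it
    seen = {}
    for name, f in funcs.items():
        seen.setdefault(signatures(f)[kind], []).append(name)
    return {s: n[0] for s, n in seen.items() if s is not None and len(n) == 1}

def apply_signatures(saved, target):
    renames = {}  # target name -> (saved name, how it matched)
    def take(t, s, how):
        free = t not in renames and all(s != n for n, _ in renames.values())
        if free:
            renames[t] = (s, how)
        return free
    for kind in ORDER:
        src = index(saved, kind)
        for sig, tname in index(target, kind).items():
            if sig in src and take(tname, src[sig], kind):
                a, b = saved[src[sig]][3], target[tname][3]  # callees, in call order
                for s, t in (zip(a, b) if len(a) == len(b) else ()):
                    take(t, s, kind + "+call")
    return renames

SAVED = {  # constructed: name -> (mnemonics, strings, immediates, callees, data refs)
    "md5_init": ("lui ori sw jr", [], [0x67452301, 0xEFCDAB89], [], 0),
    "log_error": ("addiu sw jal lw jr", ["error: %s\n"], [], ["write_out"], 1),
    "write_out": ("li syscall jr", [], [], [], 2),
    "tea_encrypt": ("sll srl xor addu jr", [], [0x9E3779B9, 0x20], [], 0),
    "dispatch": ("jal jal lw jr", [], [], ["md5_init", "write_out"], 7),
}
TARGET = {  # constructed: the same code rebuilt and stripped of symbols
    "FUN_00401000": ("lui ori sw jr", [], [0x67452301, 0xEFCDAB89], [], 0),
    "FUN_00401100": ("addiu sw sw jal lw jr", ["error: %s\n"], [], ["FUN_00401200"], 1),
    "FUN_00401200": ("li li syscall jr", [], [], [], 3),
    "FUN_00401300": ("srl sll xor addu jr", [], [0x9E3779B9, 0x10], [], 1),
    "FUN_00401400": ("jal nop jal lw jr", [], [], ["FUN_00401000", "FUN_00401200"], 7),
    "FUN_00401500": ("jr nop", [], [], [], 9),
}
```

Calling apply_signatures(SAVED, TARGET) names one function per signature kind, names FUN_00401200 only through its matched caller, and leaves FUN_00401500 unnamed because no signature kind matches it.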
Apply
Apply Rizzo signatures from another project.
Save
Save Rizzo signatures from the current project.