creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 13:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/reverse-engineering-malware-with-ghidra/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

2.6 KiB
Raw Blame History

API Reference: Malware Reverse Engineering with Ghidra Agent

Overview

Combines Ghidra headless analysis with r2pipe (radare2) for automated malware binary analysis: function enumeration, import classification, section entropy, cryptographic constant detection, and network indicator extraction.

Dependencies

Package Version Purpose
r2pipe >= 1.8 Radare2 scripting interface for binary analysis
hashlib stdlib File hash computation

External Tools

Tool Purpose
Ghidra (analyzeHeadless) Automated disassembly and decompilation
radare2 Binary analysis, function detection, string extraction

Core Functions

run_ghidra_headless(ghidra_path, project_dir, project_name, binary_path, script)

Executes Ghidra in headless mode with optional post-analysis script.

  • Timeout: 600 seconds
  • Returns: dict with command, returncode, stdout/stderr

export_functions_ghidra(...)

Generates and runs a Ghidra script to export function list as JSON.

  • Exports: name, address, size, calling convention, is_thunk

analyze_with_radare2(filepath)

Full r2pipe analysis: binary info, functions, imports, strings, sections, entry points.

  • Classifies imports: injection, network, evasion, crypto, persistence
  • Extracts: network indicators (URLs, IPs) from strings
  • Returns: dict with info, function_count, suspicious_imports, sections, etc.

extract_crypto_constants(filepath)

Searches binary for known cryptographic constants: AES S-box, RC4 init table, SHA-256 init vector, RSA magic bytes.

  • Returns: list[dict] with constant name and file offset

analyze_malware(filepath, ghidra_path, output_dir)

Full pipeline: hashes -> crypto constants -> radare2 analysis -> Ghidra headless.

Suspicious Import Categories

Category Example Functions
injection VirtualAllocEx, WriteProcessMemory, CreateRemoteThread
network InternetOpenA, WSAStartup, URLDownloadToFileA
evasion IsDebuggerPresent, NtQueryInformationProcess
crypto CryptEncrypt, CryptDecrypt
persistence RegSetValueExA, CreateServiceA

Radare2 Commands Used

Command Purpose
aaa Full auto-analysis
ij Binary info as JSON
aflj Function list as JSON
iij Import list as JSON
izj String list as JSON
iSj Section list as JSON
iej Entry points as JSON

Usage

# With radare2 only
python agent.py malware.exe

# With Ghidra headless analysis
python agent.py malware.exe /opt/ghidra
Reference in New Issue View Git Blame Copy Permalink