creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 13:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/reverse-engineering-malware-with-ghidra/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

76 lines
2.6 KiB
Markdown
Raw Blame History

# API Reference: Malware Reverse Engineering with Ghidra Agent
## Overview
Combines Ghidra headless analysis with r2pipe (radare2) for automated malware binary analysis: function enumeration, import classification, section entropy, cryptographic constant detection, and network indicator extraction.
## Dependencies
| Package | Version | Purpose |
|---------|---------|---------|
| r2pipe | >= 1.8 | Radare2 scripting interface for binary analysis |
| hashlib | stdlib | File hash computation |
## External Tools
| Tool | Purpose |
|------|---------|
| Ghidra (analyzeHeadless) | Automated disassembly and decompilation |
| radare2 | Binary analysis, function detection, string extraction |
## Core Functions
### `run_ghidra_headless(ghidra_path, project_dir, project_name, binary_path, script)`
Executes Ghidra in headless mode with optional post-analysis script.
- **Timeout**: 600 seconds
- **Returns**: `dict` with command, returncode, stdout/stderr
### `export_functions_ghidra(...)`
Generates and runs a Ghidra script to export function list as JSON.
- **Exports**: name, address, size, calling convention, is_thunk
### `analyze_with_radare2(filepath)`
Full r2pipe analysis: binary info, functions, imports, strings, sections, entry points.
- **Classifies imports**: injection, network, evasion, crypto, persistence
- **Extracts**: network indicators (URLs, IPs) from strings
- **Returns**: `dict` with info, function_count, suspicious_imports, sections, etc.
### `extract_crypto_constants(filepath)`
Searches binary for known cryptographic constants: AES S-box, RC4 init table, SHA-256 init vector, RSA magic bytes.
- **Returns**: `list[dict]` with constant name and file offset
### `analyze_malware(filepath, ghidra_path, output_dir)`
Full pipeline: hashes -> crypto constants -> radare2 analysis -> Ghidra headless.
## Suspicious Import Categories
| Category | Example Functions |
|----------|-------------------|
| injection | VirtualAllocEx, WriteProcessMemory, CreateRemoteThread |
| network | InternetOpenA, WSAStartup, URLDownloadToFileA |
| evasion | IsDebuggerPresent, NtQueryInformationProcess |
| crypto | CryptEncrypt, CryptDecrypt |
| persistence | RegSetValueExA, CreateServiceA |
## Radare2 Commands Used
| Command | Purpose |
|---------|---------|
| `aaa` | Full auto-analysis |
| `ij` | Binary info as JSON |
| `aflj` | Function list as JSON |
| `iij` | Import list as JSON |
| `izj` | String list as JSON |
| `iSj` | Section list as JSON |
| `iej` | Entry points as JSON |
## Usage
```bash
# With radare2 only
python agent.py malware.exe
# With Ghidra headless analysis
python agent.py malware.exe /opt/ghidra
```
Reference in New Issue View Git Blame Copy Permalink