Python script for Ghidra that searches a loaded program for common malware indicators. It currently looks for multiple forms of encryption, base64 encoding*, URLs, IP addresses, persistence mechanisms, DLL side-loading, XOR operations, PowerShell execution, sandbox/debugger detection, privilege escalation, buffer-overflow-prone functions, and email usage. Each hit is printed to the Ghidra console, followed by a summary of the total number of indicators found.
Requires Ghidra, Ghidrathon, and Python 3.
The following variables can be edited to change how many indicators are printed to the console and how much of each one is shown:
MAX_DISPLAY = 20
DISPLAY_LIMIT = 100
To skip a scan, comment out its call in the main block, as done here for the XOR scan:
currentProgram = getCurrentProgram()
scan_for_encryption_functions(currentProgram)
scan_for_base64_usage(currentProgram)
scan_for_suspicious_strings(currentProgram)
scan_for_suspicious_api_calls(currentProgram)
scan_for_persistence_mechanisms(currentProgram)
scan_for_dll_side_loading(currentProgram)
#scan_for_xor_operations(currentProgram)
scan_for_powershell_usage(currentProgram)
scan_for_sandbox_detection(currentProgram)
scan_for_privilege_escalation(currentProgram)
scan_for_buffer_overflow_functions(currentProgram)
scan_for_email_usage(currentProgram)
* Searching for base64 encoding currently produces many false positives.
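The base64 false positives come from matching a bare character-class pattern: any long identifier (InternetOpenUrlA), hex digest or registry path fragment is made of valid base64 characters. The following is an added, stand-alone example (not the script's own code) of how a string scanner can classify a few indicator types and filter base64 candidates with a strict decode, a character-class mix and an entropy floor. It runs on constructed sample strings rather than a Ghidra listing; the MAX_DISPLAY/DISPLAY_LIMIT semantics (hits per category, characters per hit), the MIN_B64_* thresholds and the regexes are this example's own assumptions.

```python
import base64
import binascii
import math
import re

# Display knobs mirroring the README's variables. In this example MAX_DISPLAY
# caps the number of hits printed per category and DISPLAY_LIMIT caps the
# number of characters printed for each hit (assumed semantics).
MAX_DISPLAY = 20
DISPLAY_LIMIT = 100

# Minimum candidate length and entropy for the base64 filter (assumed values).
MIN_B64_LEN = 16
MIN_B64_ENTROPY = 3.0

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# 14+ alphabet chars plus optional padding; the length check below enforces 16.
B64_RE = re.compile(r"[A-Za-z0-9+/]{14,}={0,2}")
RUN_KEY_RE = re.compile(r"CurrentVersion\\Run(?:Once)?", re.IGNORECASE)

# Constructed sample strings standing in for the defined strings a Ghidra
# listing would yield; not taken from any real binary.
SAMPLE_STRINGS = [
    "http://example.invalid/update.php",
    "192.168.10.45",
    base64.b64encode(b"powershell -w hidden -c Get-Process").decode(),
    "SGVsbG8gV29ybGQ=",                     # base64 of "Hello World"
    "GetProcAddress",                       # rejected by the length check
    "InternetOpenUrlA",                     # valid alphabet, but an API name
    "d41d8cd98f00b204e9800998ecf8427e",     # MD5 hex digest, a common FP
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
]


def shannon_entropy(text):
    """Bits of entropy per character; random base64 approaches 6."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_base64(token):
    """Heuristic filter that rejects the usual base64 false positives.

    Require a length that is a multiple of four, a strict decode, at least
    three of the four character classes (upper, lower, digit, +/=) so that
    plain identifiers and hex strings drop out, and a minimum entropy.
    """
    if len(token) < MIN_B64_LEN or len(token) % 4:
        return False
    try:
        base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    classes = (
        any(c.isupper() for c in token)
        + any(c.islower() for c in token)
        + any(c.isdigit() for c in token)
        + any(c in "+/=" for c in token)
    )
    return classes >= 3 and shannon_entropy(token) >= MIN_B64_ENTROPY


def scan_strings(strings):
    """Classify strings into indicator categories; returns category -> hits."""
    hits = {"url": [], "ipv4": [], "base64": [], "persistence": []}
    for s in strings:
        hits["url"].extend(URL_RE.findall(s))
        hits["ipv4"].extend(IPV4_RE.findall(s))
        hits["base64"].extend(t for t in B64_RE.findall(s) if looks_like_base64(t))
        if RUN_KEY_RE.search(s):
            hits["persistence"].append(s)
    return hits


def format_report(hits):
    """Render hits with a per-category cap and per-hit truncation, plus a total."""
    lines = []
    total = 0
    for category, values in hits.items():
        total += len(values)
        for v in values[:MAX_DISPLAY]:
            shown = v if len(v) <= DISPLAY_LIMIT else v[:DISPLAY_LIMIT] + "..."
            lines.append(f"[{category}] {shown}")
        if len(values) > MAX_DISPLAY:
            lines.append(f"[{category}] ... {len(values) - MAX_DISPLAY} more")
    lines.append(f"Total indicators found: {total}")
    return lines


if __name__ == "__main__":
    for line in format_report(scan_strings(SAMPLE_STRINGS)):
        print(line)
```

Inside Ghidra the input list would be built from the program's defined data rather than SAMPLE_STRINGS, for example by iterating currentProgram.getListing().getDefinedData(True) and keeping entries whose getValue() is a str. The filter is still a heuristic: a genuinely encoded blob made only of lowercase letters and digits would be dropped, so treat the thresholds as tuning knobs, not a verdict.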