Headless Scripts for Ghidra's Headless Analyzer written in Python 2 for Automated Analysis (Decompilation and Disassembly).
Before jumping into the commands, it is important to explain the arguments passed to analyzeHeadless:
| Argument | Type | Description |
|---|---|---|
| `<PROJECT_PATH>` | Mandatory | Path where the new Ghidra project will be created. |
| `<PROJECT_NAME>` | Mandatory | Name of the new project to create in the previous path. |
| `-import <FILE_TO_ANALYZE>` | Mandatory | Path to the binary that you want to analyze with Ghidra. Here you can use `-import` or `-process` depending on your needs. For more information, check the Ghidra documentation. |
| `-scriptPath <PATH_TO_YOUR_SCRIPTS_FOLDER>` | Mandatory | Path to your scripts folder. |
| `-postScript <SCRIPT_FILENAME>` | Mandatory | Filename of the script you want to execute with Ghidra's Headless Analyzer. |
| `[OUTPUT_FILENAME]` | Optional | Filename of the output file that will be generated by Headless Scripts. If this argument is not passed, decompiler.py and disassembler.py will create a file named `<FILE_TO_ANALYZE>_decompiled.c` and `<FILE_TO_ANALYZE>.asm` respectively. For decompile_simple.py the output filename will always be `decompiled_output.c`. |
### decompile_simple.py

Decompiles all the functions recognized by Ghidra and writes them into an output file (pseudo C). It does exactly the same as decompiler.py, but with simplified code, recommended for beginners.

```
$ analyzeHeadless <PROJECT_PATH> <PROJECT_NAME> -import <FILE_TO_ANALYZE> -scriptPath <PATH_TO_YOUR_SCRIPTS_FOLDER> -postScript <SCRIPT_FILENAME>
$ analyzeHeadless /home/galoget/ HeadlessAnalysis -import /home/galoget/malware-sample.exe -scriptPath /home/galoget/ghidra-headless-scripts/ -postScript decompile_simple.py
```

By default the script will create an output file in the directory where the command was executed; the output file will be named `output_malware.c`.
### decompiler.py

Decompiles all the functions recognized by Ghidra and writes them into an output file (pseudo C).

```
$ analyzeHeadless <PROJECT_PATH> <PROJECT_NAME> -process <TARGET_FILENAME> -scriptPath <PATH_TO_YOUR_SCRIPTS_FOLDER> -postScript <SCRIPT_FILENAME> <OUTPUT_FILENAME>
$ analyzeHeadless /home/galoget/ HeadlessAnalysis -import /home/galoget/malware-sample.exe -scriptPath /home/galoget/ghidra-headless-scripts/ -postScript decompiler.py decompiled_malware_sample.c
```
### disassembler.py

Disassembles all the functions recognized by Ghidra and writes them into an output file (ASM).

```
$ analyzeHeadless <PROJECT_PATH> <PROJECT_NAME> -process <TARGET_FILENAME> -scriptPath <PATH_TO_YOUR_SCRIPTS_FOLDER> -postScript <SCRIPT_FILENAME> <OUTPUT_FILENAME>
$ analyzeHeadless /home/galoget/ HeadlessAnalysis -import /home/galoget/malware-sample.exe -scriptPath /home/galoget/ghidra-headless-scripts/ -postScript disassembler.py disass_malware_sample.asm
```
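As an added example (not one of the repository's own scripts), here is a minimal Ghidra post-script in the same style as decompiler.py and decompile_simple.py: it decompiles every function Ghidra recognized, writes the pseudo C to a file, and derives the output name the way the table above describes (the optional `[OUTPUT_FILENAME]` script argument, else `<FILE_TO_ANALYZE>_decompiled.c`). The Ghidra imports and the injected names `currentProgram`, `monitor` and `getScriptArgs()` exist only inside Ghidra's Jython interpreter; the naming helper runs anywhere.

```python
# Added example of a headless post-script; run with:
#   analyzeHeadless <PROJECT_PATH> <PROJECT_NAME> -import <FILE> -scriptPath <DIR> -postScript decompile_example.py [OUTPUT_FILENAME]
from __future__ import print_function

try:
    # Only resolvable inside Ghidra's Jython (Python 2.7) interpreter.
    from ghidra.app.decompiler import DecompInterface
except ImportError:
    DecompInterface = None


def output_filename(program_name, script_args, suffix="_decompiled.c"):
    """Explicit [OUTPUT_FILENAME] wins; otherwise <FILE_TO_ANALYZE><suffix>,
    mirroring the default naming used by decompiler.py / disassembler.py."""
    if script_args and script_args[0]:
        return script_args[0]
    return program_name + suffix


def decompile_program(program, task_monitor, out_path, timeout_secs=60):
    """Decompile every function in the program and write pseudo C to out_path.
    Functions that fail or time out are recorded as comments so the output
    stays complete. Returns the number of functions visited."""
    decomp = DecompInterface()
    decomp.openProgram(program)
    count = 0
    with open(out_path, "w") as out:
        for func in program.getFunctionManager().getFunctions(True):
            result = decomp.decompileFunction(func, timeout_secs, task_monitor)
            if result.decompileCompleted():
                out.write(result.getDecompiledFunction().getC())
            else:
                out.write("// %s @ %s: decompilation failed: %s\n" % (
                    func.getName(), func.getEntryPoint(), result.getErrorMessage()))
            out.write("\n")
            count += 1
    decomp.dispose()
    return count


if DecompInterface is not None:
    # Inside Ghidra: currentProgram, monitor and getScriptArgs() are injected
    # into the script namespace by the headless analyzer.
    path = output_filename(currentProgram.getName(), list(getScriptArgs()))
    n = decompile_program(currentProgram, monitor, path)
    print("Wrote %d functions to %s" % (n, path))
```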