Created
October 4, 2020 18:49
-
-
Save v-p-b/46e452eaabe73f36959fcdb558f17401 to your computer and use it in GitHub Desktop.
Stupid little Ghidra script to find identifiable strings referenced from a function or its descendants
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Stupid little script to find identifiable strings referenced from a function or its descendants | |
| #@author buherator | |
| #@category Test | |
| #@keybinding | |
| #@menupath | |
| #@toolbar | |
| from ghidra.util.task import TaskMonitor | |
| from docking.widgets import OptionDialog | |
| from ghidra.program.model.symbol import RefType | |
| VISITED=set() | |
| def func_refs(f): | |
| body=f.getBody() | |
| instr=getInstructionAt(f.getEntryPoint()) | |
| while instr.getMinAddress().compareTo(body.getMaxAddress()) < 0: | |
| refs=ref_mgr.getReferencesFrom(instr.getMinAddress()) | |
| for r in refs: | |
| if r.getReferenceType() == RefType.DATA: | |
| data=getDataAt(r.getToAddress()) | |
| if data is not None: | |
| print(f, instr, data.getValue()) | |
| instr=instr.getNext() | |
| for ff in first_func.getCalledFunctions(TaskMonitor.DUMMY): | |
| if ff.getEntryPoint().getOffset() not in VISITED: | |
| VISITED.add(ff.getEntryPoint().getOffset()) | |
| func_refs(ff) | |
| af=currentProgram.getAddressFactory() | |
| function_addr = af.getAddress("0x%x" % int(OptionDialog.showInputSingleLineDialog(None, "Function address","Function address","0x13370000"),16)) | |
| ref_mgr=currentProgram.getReferenceManager() | |
| first_func=getFunctionAt(function_addr) | |
| func_refs(first_func) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment