{"componentChunkName":"component---src-templates-post-template-js","path":"/ghidra-ghidrascript-utils-en","result":{"data":{"markdownRemark":{"id":"46bb13c3-28de-52ee-8afc-ec8b57db4cf2","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ghidra-ghidrascript-utils\">original page</a>.</p>\n</blockquote>\n<p>Originally, this was a collection of Ghidra Script samples that I had introduced in the article <a href=\"/ghidra-ghidrascript-tutorial-en\">Solving a CTF Challenge with Your First Ghidra Script</a>, but as the number of examples grew and because I plan to start using Ghidra more seriously from here on, I decided to split them out into a separate article.</p>\n<p>From the feel of using it, I think it might be better to write scripts in Java rather than Python (Jython), but for the time being I am creating scripts in Python.</p>\n<p>For the runtime, I am using Ghidra’s default one rather than Ghidrathon.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#get-the-decompiler-output-of-a-function\">Get the Decompiler Output of a Function</a></li>\n<li><a href=\"#get-the-function-and-data-for-a-specific-address\">Get the Function and Data for a Specific Address</a></li>\n<li><a href=\"#enumerate-call-instructions-within-a-function\">Enumerate Call Instructions Within a 
Function</a></li>\n<li><a href=\"#enumerate-the-names-of-functions-called-by-call-instructions-executed-within-a-specified-address-range\">Enumerate the Names of Functions Called by Call Instructions Executed Within a Specified Address Range</a></li>\n<li><a href=\"#get-a-sequence-of-hard-coded-byte-arrays-from-disassembly\">Get a Sequence of Hard-Coded Byte Arrays from Disassembly</a></li>\n<li><a href=\"#identify-structure-information-at-a-specific-address-and-retrieve-its-values\">Identify Structure Information at a Specific Address and Retrieve Its Values</a></li>\n<li><a href=\"#assign-a-structure-to-a-specific-address-and-retrieve-its-values\">Assign a Structure to a Specific Address and Retrieve Its Values</a></li>\n<li><a href=\"#save-byte-data-from-an-arbitrary-address-range-as-a-file\">Save Byte Data from an Arbitrary Address Range as a File</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<p><a id=\"get-the-decompiler-output-of-a-function\"></a></p>\n<h2 id=\"get-the-decompiler-output-of-a-function\" style=\"position:relative;\"><a href=\"#get-the-decompiler-output-of-a-function\" aria-label=\"get the decompiler output of a function permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Get the Decompiler Output of a Function</h2>\n<p>The following script outputs the decompiler result for the function currently selected in the Listing window.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span 
class=\"token keyword\">from</span> ghidra<span class=\"token punctuation\">.</span>app<span class=\"token punctuation\">.</span>decompiler <span class=\"token keyword\">import</span> DecompInterface\n\n<span class=\"token comment\"># Decompile インターフェースを取得</span>\ndecomp <span class=\"token operator\">=</span> DecompInterface<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ndecomp<span class=\"token punctuation\">.</span>openProgram<span class=\"token punctuation\">(</span>currentProgram<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># currentAddress には、Listing で選択している行のアドレスが自動的に参照される</span>\n<span class=\"token comment\"># そのため、事前にターゲットになる関数のアドレスを選択しておく</span>\nfunc <span class=\"token operator\">=</span> fpapi<span class=\"token punctuation\">.</span>getFunctionContaining<span class=\"token punctuation\">(</span>currentAddress<span class=\"token punctuation\">)</span>\ndecomp_results <span class=\"token operator\">=</span> decomp<span class=\"token punctuation\">.</span>decompileFunction<span class=\"token punctuation\">(</span>func<span class=\"token punctuation\">,</span> <span class=\"token number\">30</span><span class=\"token punctuation\">,</span> monitor<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">if</span> decomp_results<span class=\"token punctuation\">.</span>decompileCompleted<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    pp <span class=\"token operator\">=</span> PrettyPrinter<span class=\"token punctuation\">(</span>fn<span class=\"token punctuation\">,</span> decomp_results<span class=\"token punctuation\">.</span>getCCodeMarkup<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    code <span class=\"token operator\">=</span> pp<span class=\"token punctuation\">.</span><span class=\"token 
keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>getC<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>code<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"There was an error in decompilation!\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p><a id=\"get-the-function-and-data-for-a-specific-address\"></a></p>\n<h2 id=\"get-the-function-and-data-for-a-specific-address\" style=\"position:relative;\"><a href=\"#get-the-function-and-data-for-a-specific-address\" aria-label=\"get the function and data for a specific address permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Get the Function and Data for a Specific Address</h2>\n<p>The following script lets you specify an offset to retrieve the function name for an arbitrary address, or retrieve the data at a specified address.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># Listing 情報を取得(ghidra.program.database.ListingDB)</span>\nlisting <span class=\"token 
operator\">=</span> currentProgram<span class=\"token punctuation\">.</span>getListing<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># オフセットを指定して GenericAddress オブジェクトを取得</span>\nfpapi <span class=\"token operator\">=</span> FlatProgramAPI<span class=\"token punctuation\">(</span>currentProgram<span class=\"token punctuation\">)</span>\naddr <span class=\"token operator\">=</span> fpapi<span class=\"token punctuation\">.</span>toAddr<span class=\"token punctuation\">(</span><span class=\"token number\">0x1024aa</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># 指定したアドレスを含む関数を取得</span>\nfunc <span class=\"token operator\">=</span> fpapi<span class=\"token punctuation\">.</span>getFunctionContaining<span class=\"token punctuation\">(</span>addr<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>func<span class=\"token punctuation\">.</span>getName<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token comment\"># 関数名の表示</span>\n\n<span class=\"token comment\"># データを取得するアドレスを指定</span>\naddr <span class=\"token operator\">=</span> fpapi<span class=\"token punctuation\">.</span>toAddr<span class=\"token punctuation\">(</span><span class=\"token number\">0x102cd1</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># 指定アドレスのデータを取得</span>\ndata <span class=\"token operator\">=</span> listing<span class=\"token punctuation\">.</span>getDataAt<span class=\"token punctuation\">(</span>addr<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">.</span>getValue<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">)</span> <span class=\"token comment\"># ghidra.program.model.scalar.Scalar</span>\n\n<span class=\"token comment\"># 指定 AddressSet の範囲で DataIterator オブジェクトを取得</span>\n<span class=\"token comment\"># 指定の範囲でbelow. AddressSet を取得する</span>\n<span class=\"token keyword\">from</span> ghidra<span class=\"token punctuation\">.</span>program<span class=\"token punctuation\">.</span>model<span class=\"token punctuation\">.</span>address <span class=\"token keyword\">import</span> Address<span class=\"token punctuation\">,</span> AddressSet\nfactory <span class=\"token operator\">=</span> currentProgram<span class=\"token punctuation\">.</span>getAddressFactory<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># 指定のオフセットから 0x100 分の範囲を指定</span>\naddr_set <span class=\"token operator\">=</span> AddressSet<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\naddr_set<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>addr<span class=\"token punctuation\">,</span> addr<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span><span class=\"token number\">0x100</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># 指定の範囲のデータを先頭から取得</span>\ndata_iterator <span class=\"token operator\">=</span> listing<span class=\"token punctuation\">.</span>getData<span class=\"token punctuation\">(</span>addr_set<span class=\"token punctuation\">,</span> <span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">for</span> data <span class=\"token keyword\">in</span> data_iterator<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">.</span>getValue<span class=\"token 
punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    \n<span class=\"token comment\"># 特定のアドレスのオペコードとオペランドを取得</span>\naddr <span class=\"token operator\">=</span> toAddr<span class=\"token punctuation\">(</span><span class=\"token number\">0x1000000</span><span class=\"token punctuation\">)</span>\ninst <span class=\"token operator\">=</span> getInstructionAt<span class=\"token punctuation\">(</span>addr<span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># オペランドの取得</span>\ninst<span class=\"token punctuation\">.</span>getDefaultOperandRepresentation<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\ninst<span class=\"token punctuation\">.</span>getDefaultOperandRepesentation<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># 次の行の情報を取得できる</span>\ninst<span class=\"token punctuation\">.</span>getNext<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ninst<span class=\"token punctuation\">.</span>getDefaultOperandRepresentation<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\ninst<span class=\"token punctuation\">.</span>getDefaultOperandRepesentation<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p><a id=\"enumerate-call-instructions-within-a-function\"></a></p>\n<h2 id=\"enumerate-call-instructions-within-a-function\" style=\"position:relative;\"><a href=\"#enumerate-call-instructions-within-a-function\" aria-label=\"enumerate call instructions within a function permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path 
fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Enumerate Call Instructions Within a Function</h2>\n<p>The following code enumerates <code class=\"language-text\">Call</code> instructions within a function.</p>\n<p>You need to use different retrieval methods depending on whether you want to preserve the call order.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># currentAddress is ghidra.program.model.address.GenericAddress</span>\n<span class=\"token comment\"># currentAddress には、Listing で選択している行のアドレスが自動的に参照される</span>\n\nfunc_mgr <span class=\"token operator\">=</span> currentProgram<span class=\"token punctuation\">.</span>getFunctionManager<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nfunc <span class=\"token operator\">=</span> func_mgr<span class=\"token punctuation\">.</span>getFunctionContaining<span class=\"token punctuation\">(</span>currentAddress<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Call order is not preserved here</span>\ncalls <span class=\"token operator\">=</span> func<span class=\"token punctuation\">.</span>getCalledFunctions<span class=\"token punctuation\">(</span>monitor<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">for</span> c <span class=\"token keyword\">in</span> calls<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>c<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Listing 
情報を取得(ghidra.program.database.ListingDB)</span>\nlisting <span class=\"token operator\">=</span> currentProgram<span class=\"token punctuation\">.</span>getListing<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># 関数内の Call 命令を順に列挙することで呼び出し順序を維持して出力する</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> listing<span class=\"token punctuation\">.</span>getInstructions<span class=\"token punctuation\">(</span>func<span class=\"token punctuation\">.</span>body<span class=\"token punctuation\">,</span> <span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>i<span class=\"token punctuation\">)</span></code></pre></div>\n<p><a id=\"enumerate-the-names-of-functions-called-by-call-instructions-executed-within-a-specified-address-range\"></a></p>\n<h2 id=\"enumerate-the-names-of-functions-called-by-call-instructions-executed-within-a-specified-address-range\" style=\"position:relative;\"><a href=\"#enumerate-the-names-of-functions-called-by-call-instructions-executed-within-a-specified-address-range\" aria-label=\"enumerate the names of functions called by call instructions executed within a specified address range permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Enumerate the Names of Functions Called by Call Instructions Executed Within 
a Specified Address Range</h2>\n<p>The following script enumerates the symbol names of functions called by <code class=\"language-text\">Call</code> instructions executed within the specified address range.</p>\n<p>I used it in the following challenge.</p>\n<p>Reference: <a href=\"/ctf-cakectf-2023-en\">Cake CTF 2023 Writeup - nande</a></p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> ghidra<span class=\"token punctuation\">.</span>program<span class=\"token punctuation\">.</span>flatapi <span class=\"token keyword\">import</span> FlatProgramAPI\n<span class=\"token keyword\">from</span> ghidra<span class=\"token punctuation\">.</span>program<span class=\"token punctuation\">.</span>model<span class=\"token punctuation\">.</span>address <span class=\"token keyword\">import</span> AddressSet\n\nlisting <span class=\"token operator\">=</span> currentProgram<span class=\"token punctuation\">.</span>getListing<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nfpapi <span class=\"token operator\">=</span> FlatProgramAPI<span class=\"token punctuation\">(</span>currentProgram<span class=\"token punctuation\">)</span>\nstart_addr <span class=\"token operator\">=</span> fpapi<span class=\"token punctuation\">.</span>toAddr<span class=\"token punctuation\">(</span><span class=\"token number\">0x1043c9</span><span class=\"token punctuation\">)</span>\nend_addr <span class=\"token operator\">=</span> fpapi<span class=\"token punctuation\">.</span>toAddr<span class=\"token punctuation\">(</span><span class=\"token number\">0x104825</span><span class=\"token punctuation\">)</span>\n\naddr_set <span class=\"token operator\">=</span> AddressSet<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\naddr_set<span class=\"token punctuation\">.</span>add<span class=\"token 
punctuation\">(</span>start_addr<span class=\"token punctuation\">,</span> end_addr<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">for</span> p <span class=\"token keyword\">in</span> listing<span class=\"token punctuation\">.</span>getInstructions<span class=\"token punctuation\">(</span>addr_set<span class=\"token punctuation\">,</span> <span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\ncode <span class=\"token operator\">=</span> p<span class=\"token punctuation\">.</span>toString<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">if</span> <span class=\"token string\">\"CALL\"</span> <span class=\"token keyword\">in</span> code<span class=\"token punctuation\">:</span>\nfunc_addr <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>code<span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\" \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\nfpapi<span class=\"token punctuation\">.</span>getFunctionContaining<span class=\"token punctuation\">(</span>fpapi<span class=\"token punctuation\">.</span>toAddr<span class=\"token punctuation\">(</span>func_addr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>getName<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p><a id=\"get-a-sequence-of-hard-coded-byte-arrays-from-disassembly\"></a></p>\n<h2 
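(</span>start_addr">
hidden></h2>
<p>As an added example that is not part of the original article: the decompiler interface from the first section and the call enumeration above can be combined into one script that flags calls to risky C library functions in every function of the program, a common first pass when auditing a binary. The list of names in RISKY_APIS, the helpers is_ident_char, find_risky_calls and scan_program, and the sample decompiler text SAMPLE_C are all constructed here for illustration. Only the text-matching part runs offline; scan_program() runs when the file is executed as a script inside Ghidra, where currentProgram and monitor are globals.</p>
<pre>
```python
# Added example, not from the original article: scan the decompiler output of
# every function for calls to risky C APIs. RISKY_APIS, the helper names and
# SAMPLE_C are constructed for this example.

RISKY_APIS = ('strcpy', 'strcat', 'sprintf', 'gets', 'system', 'memcpy')


def is_ident_char(ch):
    # True for characters that can be part of a C identifier
    return ch.isalnum() or ch == '_'


def find_risky_calls(c_text, names=RISKY_APIS):
    '''Return a list of (line_number, callee, stripped_line) for every call to
    one of names in decompiled C text. A match counts as a call only if it is
    not part of a longer identifier (my_strcpy_wrapper( is ignored) and is
    followed, ignoring spaces, by an opening parenthesis.'''
    hits = []
    for number, line in enumerate(c_text.splitlines(), 1):
        for name in names:
            start = 0
            while True:
                idx = line.find(name, start)
                if idx == -1:
                    break
                start = idx + 1
                if idx != 0 and is_ident_char(line[idx - 1]):
                    continue  # embedded in a longer identifier
                tail = line[idx + len(name):]
                if is_ident_char(tail[:1]) or not tail.lstrip().startswith('('):
                    continue  # e.g. strcpy_len, or the name used without a call
                hits.append((number, name, line.strip()))
                break  # one hit per name and line is enough
    return hits


def scan_program():
    # Runs only inside Ghidra, where currentProgram and monitor are script globals
    from ghidra.app.decompiler import DecompInterface
    decomp = DecompInterface()
    decomp.openProgram(currentProgram)
    try:
        for func in currentProgram.getFunctionManager().getFunctions(True):
            if func.isThunk() or func.isExternal():
                continue
            res = decomp.decompileFunction(func, 30, monitor)
            if not res.decompileCompleted():
                print('%s: decompilation failed: %s' % (func.getName(), res.getErrorMessage()))
                continue
            c_text = res.getDecompiledFunction().getC()
            for number, name, line in find_risky_calls(c_text):
                print('%s @ %s, line %d: %s' % (func.getName(), func.getEntryPoint(), number, line))
    finally:
        decomp.dispose()


# Constructed sample of decompiler output used for the offline check
SAMPLE_C = '''
void handle(char *src)
{
  char buf [64];
  strcpy(buf,src);
  my_strcpy_wrapper(buf,src);
  if (strlen(src) == 4) {
    system(buf);
  }
  return;
}
'''

if 'currentProgram' in globals():
    scan_program()
```
</pre>
<p>On SAMPLE_C the scanner reports the strcpy on line 5 and the system on line 8 and ignores my_strcpy_wrapper. Matching on decompiler text is deliberately cheap: it catches direct calls to the named functions but not calls made through function pointers, so treat the output as a starting list for manual review rather than a complete one.</p>
<h2 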
id=\"get-a-sequence-of-hard-coded-byte-arrays-from-disassembly\" style=\"position:relative;\"><a href=\"#get-a-sequence-of-hard-coded-byte-arrays-from-disassembly\" aria-label=\"get a sequence of hard coded byte arrays from disassembly permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Get a Sequence of Hard-Coded Byte Arrays from Disassembly</h2>\n<p>The following code lets you extract operands sequentially from a series of assembly instructions.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># 特定アドレスから 0x26 バイト分のオペランドを取得する</span>\naddr <span class=\"token operator\">=</span> toAddr<span class=\"token punctuation\">(</span><span class=\"token number\">0x109011</span><span class=\"token punctuation\">)</span>\ninst <span class=\"token operator\">=</span> getInstructionAt<span class=\"token punctuation\">(</span>addr<span class=\"token punctuation\">)</span>\nresult <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x26</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    result<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>inst<span 
class=\"token punctuation\">.</span>getDefaultOperandRepresentation<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    inst <span class=\"token operator\">=</span> inst<span class=\"token punctuation\">.</span>getNext<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>result<span class=\"token punctuation\">)</span></code></pre></div>\n<p><a id=\"identify-structure-information-at-a-specific-address-and-retrieve-its-values\"></a></p>\n<h2 id=\"identify-structure-information-at-a-specific-address-and-retrieve-its-values\" style=\"position:relative;\"><a href=\"#identify-structure-information-at-a-specific-address-and-retrieve-its-values\" aria-label=\"identify structure information at a specific address and retrieve its values permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Identify Structure Information at a Specific Address and Retrieve Its Values</h2>\n<p>The following code identifies structure information at a specific address and retrieves its values.</p>\n<p>I used it in the following challenge.</p>\n<p>Reference: <a href=\"/ctf-amature-2023-en\">AmateursCTF 2023 Writeup - CSCE221-Data Structures and Algorithms</a></p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span 
class=\"token keyword\">from</span> ghidra<span class=\"token punctuation\">.</span>app<span class=\"token punctuation\">.</span>script <span class=\"token keyword\">import</span> GhidraScript\n\n<span class=\"token comment\"># list の取得</span>\nstart_address <span class=\"token operator\">=</span> toAddr<span class=\"token punctuation\">(</span><span class=\"token string\">\"0x404000\"</span><span class=\"token punctuation\">)</span>\ndata_section <span class=\"token operator\">=</span> currentProgram<span class=\"token punctuation\">.</span>getMemory<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>getBlock<span class=\"token punctuation\">(</span>start_address<span class=\"token punctuation\">)</span>\ndata_address <span class=\"token operator\">=</span> toAddr<span class=\"token punctuation\">(</span><span class=\"token string\">\"0x404060\"</span><span class=\"token punctuation\">)</span>\ndata_object <span class=\"token operator\">=</span> getDataAt<span class=\"token punctuation\">(</span>data_address<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># 自作した list 構造体が解釈される</span>\ndata_structure <span class=\"token operator\">=</span> data_object<span class=\"token punctuation\">.</span>dataType\ndata_component <span class=\"token operator\">=</span> data_structure<span class=\"token punctuation\">.</span>getComponent<span class=\"token punctuation\">(</span><span class=\"token number\">0x0</span><span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># Get the relative offset, length and data type of the component</span>\noffset <span class=\"token operator\">=</span> data_component<span class=\"token punctuation\">.</span>offset\nlength <span class=\"token operator\">=</span> data_component<span class=\"token punctuation\">.</span>length\ndata_type <span class=\"token operator\">=</span> data_component<span class=\"token 
punctuation\">.</span>dataType\n\n<span class=\"token comment\"># list 構造体から int 分の値を取得</span>\nbyte_array <span class=\"token operator\">=</span> getBytes<span class=\"token punctuation\">(</span>data_address<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>offset<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> length<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>byte_array<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Get the address of the .data section</span>\nstart_address <span class=\"token operator\">=</span> toAddr<span class=\"token punctuation\">(</span><span class=\"token string\">\"0x404000\"</span><span class=\"token punctuation\">)</span>\ndata_section <span class=\"token operator\">=</span> currentProgram<span class=\"token punctuation\">.</span>getMemory<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>getBlock<span class=\"token punctuation\">(</span>start_address<span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># list のアドレス</span>\ndata_address <span class=\"token operator\">=</span> toAddr<span class=\"token punctuation\">(</span><span class=\"token string\">\"0x404060\"</span><span class=\"token punctuation\">)</span>\ndata_object <span class=\"token operator\">=</span> getDataAt<span class=\"token punctuation\">(</span>data_address<span class=\"token punctuation\">)</span></code></pre></div>\n<p><a id=\"assign-a-structure-to-a-specific-address-and-retrieve-its-values\"></a></p>\n<h2 
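.</span>dataType">
hidden></h2>
<p>As an added example that is not part of the original article: the component reading above can be generalised to decode every field of a structure from its raw bytes and to follow a pointer field from node to node, which is what you need when the interesting data is spread over a linked list rather than held in a single record. The node layout (a 1-byte value at offset 0 and an 8-byte little-endian next pointer at offset 8), the addresses and the in-memory sample image are assumptions made up for this example; read_bytes is a hypothetical abstraction so that the same code runs offline on the constructed image and, inside Ghidra, on top of getBytes().</p>
<pre>
```python
# Added example, not from the original article: decode a whole structure from raw
# bytes and follow its pointer field through a linked list. NODE_LAYOUT, the
# addresses and the sample memory image are assumptions made for this example.

# Hypothetical node layout as (field name, byte offset, byte length): a 1-byte
# value followed by an 8-byte little-endian pointer to the next node (x86-64).
NODE_LAYOUT = (('value', 0, 1), ('next', 8, 8))
NODE_SIZE = 16


def to_unsigned(java_bytes):
    # getBytes() returns a Java byte[] whose elements are signed (-128..127);
    # normalise them to 0..255 before doing arithmetic on them
    return [b % 256 for b in java_bytes]


def le_int(raw):
    # Little-endian unsigned integer from a list of byte values
    value = 0
    for b in reversed(raw):
        value = value * 256 + b
    return value


def decode_struct(raw, layout):
    # Map each field of layout to its integer value taken from raw
    raw = to_unsigned(raw)
    fields = {}
    for name, offset, length in layout:
        chunk = raw[offset:offset + length]
        if len(chunk) != length:
            raise ValueError('field %s runs past the end of the buffer' % name)
        fields[name] = le_int(chunk)
    return fields


def walk_list(read_bytes, head, layout=NODE_LAYOUT, size=NODE_SIZE, limit=10000):
    '''Follow the next field from head and return the value fields in order.
    read_bytes(address, count) abstracts memory access so the same code runs on
    a constructed image offline and on getBytes() inside Ghidra. The walk stops
    at a null pointer; seen and limit guard against a cyclic or corrupt list.'''
    values = []
    seen = set()
    addr = head
    while addr != 0:
        if addr in seen or len(values) == limit:
            raise ValueError('cycle or runaway list at 0x%x' % addr)
        seen.add(addr)
        node = decode_struct(read_bytes(addr, size), layout)
        values.append(node['value'])
        addr = node['next']
    return values


def read_flag_from_list(head, read_bytes):
    # Concatenate the value bytes of the list as characters
    return ''.join(chr(v) for v in walk_list(read_bytes, head))


def build_sample_image():
    # Constructed memory image: three nodes 0x20 apart starting at 0x4052a0 that
    # hold 'C', 'T', 'F'; the last node has a null next pointer
    base = 0x4052a0
    chain = [(ord('C'), base + 0x20), (ord('T'), base + 0x40), (ord('F'), 0)]
    image = {}
    for i, (value, nxt) in enumerate(chain):
        node = [0] * NODE_SIZE
        node[0] = value
        for k in range(8):
            node[8 + k] = (nxt // (256 ** k)) % 256
        image[base + i * 0x20] = node
    return image


def sample_reader(image):
    # Mimics getBytes(): hands back signed values the way a Java byte[] does
    def read_bytes(address, count):
        return [b - 256 if b in range(128, 256) else b for b in image[address][:count]]
    return read_bytes


def ghidra_reader(address, count):
    # Only usable inside Ghidra, where getBytes and toAddr are script globals
    return list(getBytes(toAddr(address), count))


if 'currentProgram' in globals():
    print(read_flag_from_list(0x4052a0, ghidra_reader))
```
</pre>
<p>Inside Ghidra, replace 0x4052a0 with the head address you found in the Listing and set NODE_LAYOUT from the real component offsets and lengths (DataTypeComponent.getOffset() and getLength() in the script above give exactly those numbers). The % 256 normalisation is not cosmetic: getBytes() returns signed Java bytes, so any byte of 0x80 or above comes back negative and would otherwise corrupt the reconstructed pointer.</p>
<h2 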
id=\"assign-a-structure-to-a-specific-address-and-retrieve-its-values\" style=\"position:relative;\"><a href=\"#assign-a-structure-to-a-specific-address-and-retrieve-its-values\" aria-label=\"assign a structure to a specific address and retrieve its values permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Assign a Structure to a Specific Address and Retrieve Its Values</h2>\n<p>This script lets you define data in an arbitrary address range as a structure and inspect its values.</p>\n<p>I used it in the following challenge.</p>\n<p>Reference: <a href=\"/ctf-amature-2023-en\">AmateursCTF 2023 Writeup - CSCE221-Data Structures and Algorithms</a></p>\n
<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># Get the user-defined listnode data type</span>\ndata_type_manager <span class=\"token operator\">=</span> currentProgram<span class=\"token punctuation\">.</span>getDataTypeManager<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nmy_structure <span class=\"token operator\">=</span> data_type_manager<span class=\"token punctuation\">.</span>getDataType<span class=\"token punctuation\">(</span><span class=\"token string\">\"main.coredump/listnode\"</span><span class=\"token punctuation\">)</span>\nstart_address <span class=\"token operator\">=</span> toAddr<span class=\"token punctuation\">(</span><span class=\"token string\">\"0x405000\"</span><span class=\"token punctuation\">)</span>\ndata_section <span class=\"token operator\">=</span> currentProgram<span class=\"token punctuation\">.</span>getMemory<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>getBlock<span class=\"token punctuation\">(</span>start_address<span class=\"token punctuation\">)</span>\n\nflag <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\nlistnode_addr <span class=\"token operator\">=</span> <span class=\"token number\">0x4052a0</span>\n\n<span class=\"token comment\"># Apply the listnode structure to the data at this address</span>\ndata_address <span class=\"token operator\">=</span> toAddr<span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>listnode_addr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ndata_object <span class=\"token operator\">=</span> createData<span class=\"token punctuation\">(</span>data_address<span class=\"token punctuation\">,</span> my_structure<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># The data is now interpreted as the user-defined listnode structure; take its first component</span>\ndata_structure <span class=\"token operator\">=</span> data_object<span class=\"token punctuation\">.</span>dataType\ndata_component <span class=\"token operator\">=</span> data_structure<span class=\"token punctuation\">.</span>getComponent<span class=\"token punctuation\">(</span><span class=\"token number\">0x0</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Get the relative offset, length and data type of the component</span>\noffset <span class=\"token operator\">=</span> data_component<span class=\"token punctuation\">.</span>offset\nlength <span class=\"token operator\">=</span> data_component<span class=\"token punctuation\">.</span>length\ndata_type <span class=\"token operator\">=</span> data_component<span class=\"token punctuation\">.</span>dataType\n\n<span class=\"token comment\"># Read the component's bytes from the listnode structure (getBytes returns signed Java bytes, so mask before chr)</span>\nbyte_array <span class=\"token operator\">=</span> getBytes<span class=\"token punctuation\">(</span>data_address<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>offset<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> length<span class=\"token punctuation\">)</span>\nflag <span class=\"token operator\">+=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>byte_array<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xff</span><span class=\"token punctuation\">)</span></code></pre></div>\n
<p><a id=\"save-byte-data-from-an-arbitrary-address-range-as-a-file\"></a></p>\n<h2 id=\"save-byte-data-from-an-arbitrary-address-range-as-a-file\" style=\"position:relative;\"><a href=\"#save-byte-data-from-an-arbitrary-address-range-as-a-file\" aria-label=\"save byte data from an arbitrary address range as a file permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Save Byte Data from an Arbitrary Address Range as a File</h2>\n<p>This script is useful when a section contains embedded encrypted data or similar and copying it manually would be cumbersome.</p>\n<p>It simply retrieves the data from an arbitrary address range one byte at a time and writes it to a file.</p>\n
<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> ghidra<span class=\"token punctuation\">.</span>program<span class=\"token punctuation\">.</span>model<span class=\"token punctuation\">.</span>address <span class=\"token keyword\">import</span> Address\n<span class=\"token keyword\">from</span> ghidra<span class=\"token punctuation\">.</span>program<span class=\"token punctuation\">.</span>model<span class=\"token punctuation\">.</span>mem <span class=\"token keyword\">import</span> MemoryAccessException\n<span class=\"token keyword\">import</span> struct\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">save_bytes_to_file</span><span class=\"token punctuation\">(</span>start_address<span class=\"token punctuation\">,</span> end_address<span class=\"token punctuation\">,</span> filename<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    currentProgram <span class=\"token operator\">=</span> getCurrentProgram<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    memory <span class=\"token operator\">=</span> currentProgram<span class=\"token punctuation\">.</span>getMemory<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    start_addr <span class=\"token operator\">=</span> toAddr<span class=\"token punctuation\">(</span>start_address<span class=\"token punctuation\">)</span>\n    end_addr <span class=\"token operator\">=</span> toAddr<span class=\"token punctuation\">(</span>end_address<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span>filename<span class=\"token punctuation\">,</span> <span class=\"token string\">\"wb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> <span class=\"token builtin\">file</span><span class=\"token punctuation\">:</span>\n        address <span class=\"token operator\">=</span> start_addr\n        <span class=\"token keyword\">while</span> address <span class=\"token operator\">&lt;=</span> end_addr<span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n                byte <span class=\"token operator\">=</span> memory<span class=\"token punctuation\">.</span>getByte<span class=\"token punctuation\">(</span>address<span class=\"token punctuation\">)</span>\n                <span class=\"token comment\"># getByte() returns a signed Java byte (-128..127); mask it so the unsigned pack format accepts values of 0x80 and above</span>\n                <span class=\"token builtin\">file</span><span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>struct<span class=\"token punctuation\">.</span>pack<span class=\"token punctuation\">(</span><span class=\"token string\">\"B\"</span><span class=\"token punctuation\">,</span> byte <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xff</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n                address <span class=\"token operator\">=</span> address<span class=\"token punctuation\">.</span><span class=\"token builtin\">next</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">except</span> MemoryAccessException <span class=\"token keyword\">as</span> e<span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Error reading memory at address:\"</span><span class=\"token punctuation\">,</span> address<span class=\"token punctuation\">,</span> e<span class=\"token punctuation\">)</span>\n                <span class=\"token keyword\">break</span>\n\nstart_address <span class=\"token operator\">=</span> <span class=\"token number\">0x403040</span>\nend_address <span class=\"token operator\">=</span> <span class=\"token number\">0x403000</span> <span class=\"token operator\">+</span> <span class=\"token number\">0x1ce00</span> <span class=\"token operator\">-</span> <span class=\"token number\">1</span>\nfilename <span class=\"token operator\">=</span> <span class=\"token string\">\"C:\\\\Users\\\\Public\\\\output.bin\"</span>\nsave_bytes_to_file<span class=\"token punctuation\">(</span>start_address<span class=\"token punctuation\">,</span> end_address<span class=\"token punctuation\">,</span> filename<span class=\"token punctuation\">)</span></code></pre></div>\n
<p><a id=\"summary\"></a></p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>I feel that there will be even more things you can do once you get comfortable with Ghidra Script.</p>\n<p>However, Ghidra’s default Jython is old, and the overwhelming majority of published sample scripts are written in Java, so if you want to use Ghidra Script seriously, it may be better to learn Java.</p>","fields":{"slug":"/ghidra-ghidrascript-utils-en","tagSlugs":["/tag/reversing-en/","/tag/ghidra-en/","/tag/english/"]},"frontmatter":{"date":"2024-07-15","description":"A collection of Ghidra Script samples by use case","tags":["Reversing (en)","Ghidra (en)","English"],"title":"Ghidra Script Samples by Use Case","socialImage":{"publicURL":"/static/9da27646267266fe15d51cabfaa57fc2/ghidra-ghidrascript-utils.png"}}}},"pageContext":{"slug":"/ghidra-ghidrascript-utils-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}