reverse-engineering-malware-with-ghidra

Featured

Reverse engineers malware binaries using NSA's Ghidra disassembler and decompiler to understand internal logic, cryptographic routines, C2 protocols, and evasion techniques at the assembly and pseudo-C level. Activates for requests involving malware reverse engineering, disassembly analysis, decompilation, binary analysis, or understanding malware internals.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Reverse Engineering Malware with Ghidra

## When to Use

- Static and dynamic analysis have identified suspicious functionality that requires deeper code-level understanding
- You need to reverse engineer C2 communication protocols, encryption algorithms, or custom obfuscation
- Understanding the exact exploit mechanism or vulnerability targeted by a malware sample
- Extracting hardcoded configuration data (C2 addresses, encryption keys, campaign IDs) embedded in compiled code
- Developing precise YARA rules or detection signatures based on unique code patterns

**Do not use** for initial triage of unknown samples; perform static analysis with PEStudio and behavioral analysis with Cuckoo first.

## Prerequisites

- Ghidra 11.x installed (download from https://ghidra-sre.org/) with JDK 17+
- Analysis VM isolated from production network (Windows or Linux host)
- Familiarity with x86/x64 assembly language and Windows API conventions
- PDB symbol files for Windows system DLLs to improve decompilation accuracy
- Ghidra scripts repository (ghidra_scripts) for automated analysis tasks
- Secondary reference: IDA Free or Binary Ninja for cross-validation of analysis results

## Workflow

### Step 1: Create Project and Import Binary

Set up a Ghidra project and import the malware sample:

```
1. Launch Ghidra: ghidraRun (Linux) or ghidraRun.bat (Windows)
2. File -> New Project -> Non-Shared Project -> Select directory
3. File -> Import File -> Select malware binary
4. Ghidra auto-det...
```

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0
