//Identify build name
//@author Lacework Labs
//@category Analysis
//@keybinding
//@menupath
//@toolbar
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.symbol.Reference;
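public class PwnRig_ID extends GhidraScript {
    /** Marker string that precedes the build information in PwnRig samples. */
    static String built_date = "\n built on"; // PwnRig build string.

    /**
     * Script entry point: runs auto-analysis so that string cross-references
     * exist, then locates and labels the build-info string.
     *
     * @throws Exception propagated from the Ghidra scripting API
     */
    @Override
    protected void run() throws Exception {
        println("=====================================================\n");
        println("Triaging " + getCurrentProgram().getName());
        // Auto-analysis is what creates the data references walked in findConfigs().
        analyzeAll(currentProgram);
        findConfigs();
        println("=====================================================\n");
    }

    /**
     * Searches the program for the PwnRig build marker string and labels the
     * first location that references it.
     *
     * @return {@code true} if a reference to the marker was found and labeled,
     *         {@code false} if the marker is absent or unreferenced
     * @throws Exception propagated from the Ghidra scripting API
     */
    boolean findConfigs() throws Exception {
        Address marker = find(built_date);
        if (marker == null) {
            println("[!] Could not find the PwnRig build marker string");
            return false;
        }

        Reference[] refs = getReferencesTo(marker);
        if (refs == null || refs.length == 0) {
            // The string exists but nothing points at it; no label can be placed.
            println("[!] Build marker found at " + marker + " but it has no references");
            return false;
        }

        // Only the first reference is labeled: one anchor is enough to locate the build info.
        Reference ref = refs[0];
        Address from = ref.getFromAddress();
        createLabel(from, "build_date", false); // label within the Ghidra project

        // A reference may originate outside any defined function, so guard the lookup.
        var fn = getFunctionContaining(from);
        String fnText = fn != null ? fn.toString() : "(no containing function at " + from + ")";
        println("PwnRig Name & XMRig Args: " + fnText);

        // Data may not be defined at the target yet; fall back to the address.
        var data = getDataAt(ref.getToAddress());
        String dataText = data != null ? data.toString() : "(undefined data at " + ref.getToAddress() + ")";
        println("Build info: " + dataText);
        return true;
    }
}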