I made this starter pack a while ago, and if I find some time the coming week, I'll update it accordingly: go.bsky.app/BLY75TZ
Aside from updating my Java API libraries, I also wrote a new library for Abuse.ch's ThreatFox! You can find all information about it here: maxkersten.nl/projects/api...
Over the past years, as hobby projects, I made Java API libraries for Abuse.ch's Malware Bazaar and Yaraify, for RecordedFuture's Tria.ge, and for @malshare.com's API. Today, I updated all of their dependencies, and I added some features! Find the repositories here: github.com/ThisIsLibra?...
Libra.setAge(Libra.getAge() + 1);
My first few years were under @christiaanbeek.bsky.social. Upon his resignation, John Fokker became my team lead. I'd like to thank them both for the past few years, as well as colleagues old and new. Today, I am resigning and moving on to a new adventure!
2/2
When I joined Trellix in June 2021, the only thing I knew was that I'd dig into malware and blog about it. That I did: over the past four and a bit years, I wrote 24 blogs. On average, that is just two months per blog!
1/2
Had a great time meeting friends old and new at summercamp nearly two weeks ago! I've shared my experience while representing Trellix here: maxkersten.nl/2025/08/18/m...
The workshop tickets for my Advanced Ghidra Scripting & Automation workshop at @defcon.bsky.social are live now: events.humanitix.com/dc33ws-n260-...
Questions and suggestions are always welcome! I'm happy to share back to the community with these scripts, all of which are open-source and can be found on GitHub.
GitHub: github.com/advanced-thr...
10/10
Left are several instructions as shown by default in Ghidra; on the right hand side the external function parameters are added as comments by the script.
Based on @struppigel.bsky.social's script, we propagate external function parameters in the disassembly listing, making life slightly easier!
9/n
A side-by-side view of the same disassembly instructions. The left hand side is shown as-is by Ghidra, while the right hand side contains the colourised function calls based on the function's complexity. The brighter red a function call is, the more complex the function is.
Using the same graph theory code as used in GhidrAI, we can define which functions are the (least) complex. The most complex function calls are marked bright red, lesser complex functions are darker shades of red. This helps you identify interesting functions when no symbols are present!
8/n
Word Art 2003 style text which states "Graphic Design is my passion"
Those who worked with me before know that visual art creation is not my strength. Visuals can, however, be very helpful during the analysis! And thus: graphic design is (now) my passion!
7/n
The output of the LLM shown within Ghidra's plate comment
That is not to say the LLM will generate perfect function and variable names, as well as function summaries. But it can't hurt to try! The result gives you, the analyst, a lot more context and insight!
6/n
A side-by-side view of Ghidra's decompiler. Left is the raw output, right is the output enhanced by the LLM.
Based on research by @mrphrazer.bsky.social and @mu00d8.bsky.social, presented at RECon 2024, I used graph theory code from Ghidra's codebase to select the order in which functions are sent to the LLM, ensuring as much context as possible is retained. The script is aptly named GhidrAI!
5/n
The usage of BSim to rename functions automatically is something I dove into last year (see post two in this thread). The new Automagic script allows you to include multiple BSim databases to use per file, while specifying different similarity values per database! Granularity!
4/n
The improved workflow, where the yellow squares remain unchanged while the blue ones have been newly added.
My new research focuses on an improved version of this workflow, while putting my money where my mouth is by providing ready-to-use scripts for all steps along the way!
3/n
The workflow to analyze files when reverse engineering, with a focus on accuracy.
Last year, I blogged about the recovery of symbols in my "No Symbols, No Problem" blog and subsequent DEFCON 32 talk. This resulted in a workflow, as shown in the attached image.
Blog: www.trellix.com/blogs/resear...
Talk: www.youtube.com/watch?v=-re_...
2/n
A side by side comparison of the original output by Ghidra, and the LLM enriched output.
Ghidra, scripting, LLM, automagic automation. That should grab the attention for this thread. If you want to read the complete blog, you can do so here: www.trellix.com/blogs/resear...
1/n
This year's @botconf.infosec.exchange.ap.brid.gy edition was a great experience! I wrote about it in my most recent blog: maxkersten.nl/2025/05/27/m...
A picture of the workshop's title slide
Tuesday's workshop @botconf.infosec.exchange.ap.brid.gy went well with very engaged and enthusiastic attendees!
Coming Tuesday I will represent Trellix at @botconf.infosec.exchange.ap.brid.gy in Angers with a four hour workshop on Ghidra automation!
Ghidra has multiple types of comments you can set, but when can you best use which comment? You'll find the explanation in my Ghidra tip of the month: maxkersten.nl/2025/04/15/g...
Two weeks ago, @re-verse.io happened! I wrote about my experience at the conference in my most recent blog: maxkersten.nl/2025/03/12/m...
Jordan is wearing a Binary Ninja tshirt, hoodie, and cap, whereas I'm wearing a Ghidra tshirt and a Hex Rays cap
What do you wear at @re-verse.io? A Ghidra tshirt and Hex Rays cap, with @psifertex.bsky.social rocking the Binary Ninja tshirt, hoodie, and cap!
The image contains a part of the talk's abstract: The dreadful feeling when reversing a binary which shows hundreds or thousands of unknown functions is, unfortunately, all too well known by analysts. It does not matter if the binary in question is a malware sample, a patch-diffing effort, or a hobby project, the lack of function symbols severely slows down the analysis. This talk dives into function symbol recovery by detecting code reuse in binaries to avoid the slow and tedious analysis, and to improve attribution capabilities. The AcidRain and AcidPour wipers, used against Ukrainian targets in the wild, will be used as case studies. Automation of repetitive steps is kept in mind throughout the process.
This Friday, I will represent Trellix at @re-verse.io and I will talk about code reuse, attribution, and the dangers thereof. Looking forward to it, and to meeting the Vector 35 folks! The full abstract can be found at: re-verse.sessionize.com/session/754398
My reverse engineering workflows survey is still ongoing! In less than 3 minutes, you can fill it in and help out: docs.google.com/forms/d/e/1F...
Ever ran a script in Ghidra that you wanted to cancel, only to find out that the script would not let you? The TaskMonitor handles the cancellation event, December's Ghidra tip dives into the details: maxkersten.nl/2024/12/31/g...
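An added example, not code from the post or the linked tip, of a Ghidra script whose loop polls the TaskMonitor so the Cancel button actually stops it; the script class name and the per-function work (printing names) are assumptions for illustration.

```java
// Example Ghidra script (added here, not from the original post): a long-running
// loop that can be cancelled from the UI because it checks the TaskMonitor.
// Script name and the work done per function are illustrative assumptions.
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionManager;
import ghidra.util.exception.CancelledException;

public class CancellableFunctionWalker extends GhidraScript {

    @Override
    protected void run() throws Exception {
        FunctionManager fm = currentProgram.getFunctionManager();

        // Give the monitor a total so Ghidra can render a progress bar.
        monitor.initialize(fm.getFunctionCount());
        monitor.setMessage("Walking functions");

        try {
            for (Function f : fm.getFunctions(true)) {
                // Throws CancelledException as soon as the user presses Cancel.
                // A loop without this call ignores the cancellation request.
                monitor.checkCancelled();

                // The actual per-function work goes here (illustrative).
                println(f.getName() + " @ " + f.getEntryPoint());

                monitor.incrementProgress(1);
            }
            println("Finished all " + fm.getFunctionCount() + " functions");
        } catch (CancelledException e) {
            // Leave the script in a clean state and tell the analyst where it stopped.
            println("Cancelled by the user after " + monitor.getProgress() + " functions");
        }
    }
}
```

Scripts that never call checkCancelled() or isCancelled() inside their loops are the ones that refuse to stop, regardless of how often Cancel is clicked.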
Ghidra can do a lot, but some tasks are best outsourced to (micro)services! How? This month's tip helps you along: maxkersten.nl/2024/11/27/g...
Interested in technical malware analysis content and news? This is your (continuously updated) starter pack: go.bsky.app/BLY75TZ
Was working on one, figured I'd share it here now that the first iteration is complete and I saw your message: go.bsky.app/BLY75TZ
Suggestions are always welcome :)