Ghostrings (“Go strings”) is a collection of Ghidra scripts for recovering string definitions in Go binaries. The scripts analyze P-Code rather than native machine code, so they are architecture independent.
- Tool release announcement: https://research.nccgroup.com/2022/05/20/tool-release-ghostrings/
- Source code and release builds: https://github.com/nccgroup/ghostrings
While developing Ghostrings, I ran into some unexpected difficulties using the Ghidra decompiler’s high P-Code output to analyze stack write operations. To understand and work around these issues I had to look into the decompiler internals, including the different analysis configurations or “simplification styles” it offers. I wrote a blog post to provide an overview of what the simplification styles are, how to trace through the decompilation process to observe how specific analysis rules affect the P-Code output, and how to use the output from a lower-level simplification style versus a higher-level simplification style in analysis scripts.
The blog post is published on the NCC Group research blog at https://research.nccgroup.com/2022/05/20/earlyremoval-in-the-conservatory-with-the-wrench/.
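As an added illustration of the last point in the paragraph above (this is example code written here, not part of Ghostrings or the blog post), the Ghidra script below decompiles the function under the cursor twice, once with Ghidra’s lower-level `normalize` simplification style and once with the full `decompile` style, and counts how many `STORE` P-Code ops remain in each high-function output. The style names are Ghidra’s own; the assumption that the two styles differ in how many stack stores survive is what the script lets you check on a given Go binary.

```java
// Added example (not Ghostrings code): compare surviving STORE P-Code ops
// across two decompiler simplification styles for the current function.
import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileResults;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;
import ghidra.program.model.pcode.HighFunction;
import ghidra.program.model.pcode.PcodeOp;
import ghidra.program.model.pcode.PcodeOpAST;
import java.util.Iterator;

public class CompareSimplificationStyles extends GhidraScript {

    // Decompile one function under the given simplification style and
    // return the number of STORE ops left in the high P-Code.
    private int countStores(Function func, String style) throws Exception {
        DecompInterface ifc = new DecompInterface();
        try {
            // Must be set before openProgram(): the style is part of the
            // decompiler configuration sent when the session starts.
            ifc.setSimplificationStyle(style);
            if (!ifc.openProgram(currentProgram)) {
                throw new Exception("decompiler init failed: " + ifc.getLastMessage());
            }
            DecompileResults res = ifc.decompileFunction(func, 60, monitor);
            HighFunction hf = res.getHighFunction();
            if (hf == null) {
                throw new Exception("no high function: " + res.getErrorMessage());
            }
            int stores = 0;
            Iterator<PcodeOpAST> ops = hf.getPcodeOps();
            while (ops.hasNext()) {
                if (ops.next().getOpcode() == PcodeOp.STORE) {
                    stores++;
                }
            }
            return stores;
        } finally {
            ifc.dispose(); // always release the decompiler process
        }
    }

    @Override
    public void run() throws Exception {
        Function func = getFunctionContaining(currentAddress);
        if (func == null) {
            println("Place the cursor inside a function first.");
            return;
        }
        for (String style : new String[] { "normalize", "decompile" }) {
            println(style + ": " + countStores(func, style) + " STORE op(s) in " + func.getName());
        }
    }
}
```

Run it from the Script Manager with the cursor in a function that builds string values on the stack; a lower count under `decompile` than under `normalize` is the effect the blog post discusses.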