Skip to content

Instantly share code, notes, and snippets.

Last active June 4, 2024 23:58
Show Gist options
  • Save matterpreter/3d9239179372dd179801e996288c983e to your computer and use it in GitHub Desktop.
Save matterpreter/3d9239179372dd179801e996288c983e to your computer and use it in GitHub Desktop.
Convert Ghidra Call Trees to JSON for Neo4j Ingestion
#@author matterpreter
# To import to Neo4j:
# CREATE CONSTRAINT function_name ON (n:Function) ASSERT IS UNIQUE
# Note: If you want to store this file on the Neo4j server, put it in /var/lib/neo4j/import/
# CALL apoc.load.json("file:///xrefs.json") YIELD value
# UNWIND value as func
# MERGE (n:Function {name: func.FunctionName})
# SET n.entrypoint=func.EntryPoint
# WITH n, func
# UNWIND func.CalledBy as cb
# MERGE (m:Function {name:cb})
# MERGE (m)-[:Calls]->(n)
import json
# Collect all functions
fm = currentProgram.getFunctionManager()
funcs = fm.getFunctions(True) # True means 'forward'
# Change to the user's home directory
f = open("xrefs.json", 'w')
data = []
for func in funcs:
x = {}
x["FunctionName"] = func.getName()
x["EntryPoint"] = "0x{}".format(func.getEntryPoint())
# Enumerate all of the inbound calls to the function
incomingRefs = getReferencesTo(func.getEntryPoint())
refs = []
for ref in incomingRefs:
fromAddr = ref.getFromAddress()
print(" Called by: {} @ 0x{}".format(getFunctionContaining(fromAddr), fromAddr))
x["CalledBy"] = list(set(refs)) # Remove duplicates by converting to a set
y = json.dumps(data, sort_keys=True, indent=4)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment