Last active
November 20, 2019 20:32
-
-
Save nstarke/770627c22d3f0512fee75255f5a5c6eb to your computer and use it in GitHub Desktop.
Ghidra Plugin for Finding Embedded HTML Documents and Fragments
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Search for HTML Documents / Fragments embedded in a binary and create a bookmark | |
| // @author Nicholas Starke | |
| import ghidra.app.script.GhidraScript; | |
| import ghidra.program.model.address.Address; | |
| import ghidra.program.model.mem.Memory; | |
| import ghidra.program.model.mem.MemoryAccessException; | |
| import ghidra.program.model.mem.MemoryBlock; | |
| import java.nio.charset.StandardCharsets; | |
| import static java.nio.charset.StandardCharsets.US_ASCII; | |
| public class FindHTMLDocuments extends GhidraScript { | |
| @Override | |
| protected void run() throws Exception { | |
| Memory memory = currentProgram.getMemory(); | |
| MemoryBlock[] blocks = memory.getBlocks(); | |
| for (MemoryBlock block : blocks) { | |
| Address start = block.getStart(); | |
| Address end = block.getEnd(); | |
| Address current = start; | |
| while (current.compareTo(end) < 0 && !monitor.isCancelled()) { | |
| Address found = memory.findBytes(current, current.add(1), new byte[]{'<'}, null, true, monitor); | |
| if (found != null) { | |
| Address scanned = scanHtml(found, end, memory, ">"); | |
| if (scanned != null){ | |
| byte[] beginTagBytes = new byte[(int) scanned.subtract(found)]; | |
| memory.getBytes(found, beginTagBytes); | |
| String beginTag = new String(beginTagBytes, US_ASCII); | |
| if (beginTag.charAt(1) != '/') { | |
| StringBuilder sb = new StringBuilder(beginTag); | |
| sb.insert(1, '/'); | |
| String endTag = sb.toString(); | |
| Address endTagAddress = scanHtmlEndTag(scanned, end, memory, endTag); | |
| if (endTagAddress != null) { | |
| byte[] fullHtml = new byte[(int) endTagAddress.subtract(found) + sb.toString().length()]; | |
| memory.getBytes(found, fullHtml); | |
| String fullHTmlString = new String(fullHtml, US_ASCII); | |
| createBookmark(found, "FindHTMLDocuments", "HTML Document Found"); | |
| println("Found HTML At " + found + " : " + fullHTmlString); | |
| } | |
| } | |
| } | |
| } | |
| current = current.add(1); | |
| } | |
| } | |
| } | |
| private Address scanHtmlEndTag(Address start, Address end, Memory memory, String needle) throws MemoryAccessException { | |
| Address current = start; | |
| Address endTag = memory.findBytes(current, end, needle.getBytes(), null, true, monitor); | |
| if (endTag == null) { | |
| return null; | |
| } | |
| while (current.compareTo(endTag) < 0 && !monitor.isCancelled()) { | |
| byte aByte = memory.getByte(current); | |
| if (aByte < 32 || aByte > 126) { | |
| return null; | |
| } | |
| current = current.add(1); | |
| } | |
| return endTag; | |
| } | |
| private Address scanHtml(Address start, Address end, Memory memory, String needle) throws MemoryAccessException { | |
| Address current = start.add(1); | |
| Address endTag = memory.findBytes(current, end, needle.getBytes(), null, true, monitor); | |
| if (endTag == null) { | |
| return null; | |
| } | |
| while (current.compareTo(endTag) < 0 && !monitor.isCancelled()) { | |
| byte aByte = memory.getByte(current); | |
| if (aByte < 32 || aByte > 126) { | |
| return null; | |
| } | |
| current = current.add(1); | |
| } | |
| return endTag.add(1); | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment