Max 'Libra' Kersten
maxkersten.nl
@maxkersten.nl
Malware analyst and reverse engineer, author of the Binary Analysis Course. DMs are always open. Opinions are my own and not the views of my employer.
My first few years were under @christiaanbeek.bsky.social. Upon his resignation, John Fokker became my team lead. I'd like to thank them both for the past few years, as well as colleagues old and new. Today, I am resigning and moving on to a new adventure!
2/2
August 29, 2025 at 12:38 PM
Questions and suggestions are always welcome! I'm happy to share back to the community with these scripts, all of which are open-source and can be found on GitHub.

GitHub: github.com/advanced-thr...

10/10
GitHub - advanced-threat-research/GhidraScripts: Scripts to run within Ghidra, maintained by the Trellix ARC team
July 1, 2025 at 12:35 PM
Based on @struppigel.bsky.social's script, we propagate external function parameters in the disassembly listing, making life slightly easier!

9/n
July 1, 2025 at 12:35 PM
Using the same graph theory code as used in GhidrAI, we can define which functions are the (least) complex. The most complex function calls are marked bright red, less complex functions are darker shades of red. This helps you identify interesting functions when no symbols are present!

8/n
July 1, 2025 at 12:35 PM
Those who worked with me before know that visual art creation is not my strength. Visuals can, however, be very helpful during the analysis! And thus: graphic design is (now) my passion!

7/n
July 1, 2025 at 12:35 PM
That is not to say the LLM will generate perfect function and variable names, as well as function summaries. But it can't hurt to try! The result gives you, the analyst, a lot more context and insight!

6/n
July 1, 2025 at 12:35 PM
Based on research by @mrphrazer.bsky.social and @mu00d8.bsky.social, presented at RECon 2024, I used graph theory code from Ghidra's codebase to select the order in which functions are sent to the LLM, ensuring as much context as possible is retained. The script is aptly named GhidrAI!

5/n
July 1, 2025 at 12:35 PM
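The two graph-theory ideas in this thread (post 5/n: pick the order in which functions go to the LLM so that callees are summarised before their callers; post 8/n: score functions by call-graph structure and paint the most complex ones bright red) can be shown without Ghidra at all. The Python below is an added example, not code from the author's GhidraScripts or GhidrAI; the hand-built call graph, the leaf-first ordering via Tarjan's strongly connected components, and the fan-in plus fan-out "complexity" score are all my assumptions, since the thread does not state which measure the scripts actually use.

```python
"""Added example: leaf-first LLM ordering and a simple complexity colouring
for a call graph. Not the author's code; the graph and metric are assumptions."""
from collections import defaultdict

# Constructed sample call graph (caller -> callees), not from any real binary.
# FUN_1 and FUN_2 call each other, so a plain post-order would loop on them.
SAMPLE_CALL_GRAPH = {
    "entry": ["FUN_1", "FUN_4"],
    "FUN_1": ["FUN_2", "FUN_3"],
    "FUN_2": ["FUN_1", "FUN_3"],
    "FUN_3": [],
    "FUN_4": ["FUN_3"],
}


def strongly_connected_components(graph):
    """Tarjan's algorithm. SCCs come out in reverse topological order of the
    condensation: a component is emitted only after every component it calls."""
    index, low, on_stack, stack, sccs = {}, {}, set(), [], []
    counter = [0]
    nodes = set(graph)
    for callees in graph.values():
        nodes.update(callees)

    def visit(node):
        index[node] = low[node] = counter[0]
        counter[0] += 1
        stack.append(node)
        on_stack.add(node)
        for callee in sorted(graph.get(node, ())):  # sorted for determinism
            if callee not in index:
                visit(callee)
                low[node] = min(low[node], low[callee])
            elif callee in on_stack:
                low[node] = min(low[node], index[callee])
        if low[node] == index[node]:
            component = []
            while True:
                member = stack.pop()
                on_stack.discard(member)
                component.append(member)
                if member == node:
                    break
            sccs.append(sorted(component))

    for node in sorted(nodes):
        if node not in index:
            visit(node)
    return sccs


def llm_order(graph):
    """Order in which functions would be sent to the model: leaves first, so a
    caller's prompt can include summaries of its callees; mutually recursive
    functions stay adjacent because they form one SCC."""
    return [fn for scc in strongly_connected_components(graph) for fn in scc]


def complexity_scores(graph):
    """Assumed metric: distinct callees plus distinct callers per function."""
    callers = defaultdict(set)
    for caller, callees in graph.items():
        for callee in callees:
            callers[callee].add(caller)
    nodes = set(graph) | set(callers)
    return {fn: len(set(graph.get(fn, ()))) + len(callers.get(fn, ())) for fn in nodes}


def red_shade(score, max_score):
    """Map a score to an RGB hex string: top score is bright red (#ff0000),
    lower scores are darker reds, a zero score is black."""
    if max_score == 0:
        return "#000000"
    intensity = int(255 * score / max_score)
    return f"#{intensity:02x}0000"


def colour_map(graph):
    """Per-function background colour, as the script would apply in the listing."""
    scores = complexity_scores(graph)
    top = max(scores.values(), default=0)
    return {fn: red_shade(s, top) for fn, s in scores.items()}


if __name__ == "__main__":
    print("LLM order:", llm_order(SAMPLE_CALL_GRAPH))
    for fn, colour in sorted(colour_map(SAMPLE_CALL_GRAPH).items()):
        print(f"{fn:6s} {colour}")
```

On the sample graph the order comes out as FUN_3, then the FUN_1/FUN_2 cycle, then FUN_4, then entry, and FUN_1 (two callers, two callees) gets the brightest red. Swapping in a real call graph exported from Ghidra, or a different metric such as basic-block count, only touches the graph dict and `complexity_scores`.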
The usage of BSim to rename functions automatically is something I dove into last year (see post two in this thread). The new Automagic script allows you to include multiple BSim databases to use per file, while specifying different similarity values per database! Granularity!

4/n
July 1, 2025 at 12:35 PM
My new research focuses on an improved version of this workflow, while putting my money where my mouth is by providing ready-to-use scripts for all steps along the way!

3/n
July 1, 2025 at 12:35 PM
Last year, I blogged about the recovery of symbols in my "No Symbols, No Problem" blog and subsequent DEFCON 32 talk. This resulted in a workflow, as shown in the attached image.

Blog: www.trellix.com/blogs/resear...
Talk: www.youtube.com/watch?v=-re_...

2/n
July 1, 2025 at 12:35 PM