Using local LLM and Ghidra to analyze malware (Part 2)

discounttimu.substack.com

2 points by guardiangod a month ago · 1 comment

guardiangodOP a month ago

Thoughts:

- Local LLM, with a powerful debugger as its oracle, is now powerful enough to run rudimentary malware analysis without consulting with external sources.

- More complex malware is still beyond what local LLMs can handle. The local LLM can see all the behaviors of the malware, but the LLM fails to put the analysis together to deduce the true intention of a binary.

- Local LLM is a very low-cost way to do malware analysis (about 5 US cents of electricity).

- The biggest killer-app feature is having the LLM write its analysis back to Ghidra. The more you interact with the LLM, the more data it will write back to Ghidra. This could potentially save hours of manual debugging by skipping function/resource/variable labeling.
