GitHub - MISP/misp-ghidra: Ghidra and MISP

2 min read Original article ↗

MISP-Ghidra is a python library and scripts to extend Ghidra for exporting ghidra decompilation indicators (functions names, FID hashes, BSIM vectors) to MISP Objects

Features

  • (From GUI or Headless) Export to a MISP instance :
    • program metadatas to a MISP file objects (PE, ELF, MachO file/section objects)
    • function metadatas, FID and BSIM hashes and decompiled code to a MISP ghidra-function object (version 1)
  • (From GUI) (in development) Search similar functions in MISP using FID and BSIM hashes

Requirements

  • Ghidra 12.0.2 with PyGhidra
  • pymisp
  • pymisp[fileobjects] (not required for windows)

Installation

Install requirements with your pyghidra venv

~/.config/ghidra/ghidra_12.0.2_PUBLIC/ghidra_12.0.2_PUBLIC/venv/bin/pip install -r requirements.txt

Copy the MISP config.toml template and edit with your own API keys

cp mispghidra/misp/config/config.template.toml mispghidra/misp/config/config.toml

GUI Usage

Launch ghidra with PyGhidra : pyghidra -g or ghidra_12.0.2_PUBLIC/support/pyghidraRun

Add the ghidra_scripts directory from this git repository to the Ghidra Bundle Manager

The scripts are under the category MISP

Run MISP/Test connection to the MISP instance to test the connection to the MISP instances API (configured in config.toml)

GUI scripts

Headless Usage

Check the /test/ directory bash scripts for more examples.

Add a single ghidra-function object to existing event in MISP

pyghidraRun --headless ${PROJECT_PATH} ${PROJECT_NAME} \
    -import ${BINARY_PATH} \
    -postScript ghidra_scripts/ghidra-functions-to-MISP.py \
    --event-uuid ${EVENT_UUID_EXISTING} \
    --function-address ${FUNCTION_ADDRESS}

Add object to new event in MISP

pyghidra \
pyghidraRun --headless ${PROJECT_PATH} ${PROJECT_NAME} \
    -import ${BINARY_PATH} \
    -postScript ghidra_scripts/ghidra-functions-to-MISP.py \
    --new-event \
    --function-address ${FUNCTION_ADDRESS}

Add all functions to an event

pyghidraRun --headless ${PROJECT_PATH} ${PROJECT_NAME} \
    -import ${BINARY_PATH} \
    -postScript ghidra_scripts/ghidra-functions-to-MISP.py \
    --new-event \
    --all-functions

Filter on function types and names

This is still a work in progress.

You can filter on which functions to send based on function types (thunk, internal, external, internal) and function names (regex)

pyghidraRun --headless ${PROJECT_PATH} ${PROJECT_NAME} \
    -import ${BINARY_PATH} \
    -postScript ghidra_scripts/ghidra-functions-to-MISP.py \
    --new-event \
    --all-functions
    --name-include "entry" \
    --name-exclude "^_|^abort|^plt" \
    --ignore thunk \
    --new-event \

In MISP

misp-ghidra creates by default the objects:

for the program file : 
	file   | file

for PE programs :
    file   | pe
    file   | pe-section
for ELF programs :
    file   | elf
    file   | elf-section
for Mach-O programs :
    file   | macho
    file   | macho-section

And for all ghidra functions (custom object for now):
    ghidra | ghidra-function

ghidra-function object

Correlation graph on FID hashes

Event correlation graph

Function call tree graph

Event graph

License

This software is licensed under Apache License, Version 2.0

Copyright 2026 Thomas Caillet

Copyright 2026 CIRCL - Computer Incident Response Center Luxembourg