Home

Awesome

Ghidra COFF Parser

Ghidra script which fully parses COFF files.

Installation

Basic install.

Download the script into the ~/ghidra_scripts directory.

$ mkdir ~/ghidra_scripts
$ curl -L https://raw.githubusercontent.com/MEhrn00/GhidraCOFFParser/main/COFFParser.py -o ~/ghidra_scripts/COFFParser.py

In the Windows -> Script Manager menu of the CodeBrowser tool, select the In Tool check box under Scripts -> Analysis -> COFFParser.py. (May need to refresh the script list by clicking the Refresh Script List button in the top right corner.

COFF files can be analyzed from the Analysis -> One Shot -> COFF Parser in the menu bar after normal Ghidra analysis.

Features

Example

Before

Ghidra only parses a few sections and excludes all of the headers.

<p align="center"> <img alt="before_pictures.png" src="res/before_picture.png"> </p>

After

Headers and other metadata are mapped in.

<p align="center"> <img alt="after_program_tree.png" src="res/after_program_tree.png"> </p>

COFF metadata includes correct types and relocations.

<p align="center"> <img alt="after_coff_header.png" src="res/after_coff_header.png"> </p>

COFF types added to the Ghidra data type manager under Data Types/[program name]/COFFDefs.

<p align="center"> <img alt="after_coff_types.png" src="res/after_coff_types.png"> </p>

Disclaimer

This hasn't been tested thoroughly so there may be bugs.