Max 'Libra' Kersten
@maxkersten.nl
210 followers 100 following 26 posts
Malware analyst and reverse engineer, author of the Binary Analysis Course. DMs are always open. Opinions are my own and not the views of my employer.
maxkersten.nl
My first few years were under @christiaanbeek.bsky.social. Upon his resignation, John Fokker became my team lead. I'd like to thank them both for the past few years, as well as colleagues old and new. Today, I am resigning and moving on to a new adventure!
2/2
maxkersten.nl
When I joined Trellix in June 2021, the only thing I knew was that I'd dig into malware and blog about it. That I did: over the past four-and-a-bit years, I wrote 24 blogs. On average, that is just two months per blog!
1/2
maxkersten.nl
Had a great time meeting friends old and new at summercamp nearly two weeks ago! I've shared my experience while representing Trellix here: maxkersten.nl/2025/08/18/m...
My impression of BlackHat USA 2025 and DEFCON 33 – Max Kersten
maxkersten.nl
Based on @struppigel.bsky.social's script, we propagate external function parameters in the disassembly listing, making life slightly easier!

9/n
On the left are several instructions as shown by default in Ghidra; on the right-hand side, the external function parameters are added as comments by the script.
maxkersten.nl
Using the same graph theory code as used in GhidrAI, we can define which functions are the (least) complex. The most complex function calls are marked bright red, less complex functions in darker shades of red. This helps you identify interesting functions when no symbols are present!

8/n
A side-by-side view of the same disassembly instructions. The left-hand side is shown as-is by Ghidra, while the right-hand side contains the colourised function calls based on the function's complexity. The brighter red a function call is, the more complex the function is.
maxkersten.nl
Those who worked with me before know that visual art creation is not my strength. Visuals can, however, be very helpful during the analysis! And thus: graphic design is (now) my passion!

7/n
Word Art 2003 style text which states "Graphic Design is my passion"
maxkersten.nl
That is not to say the LLM will generate perfect function and variable names, as well as function summaries. But it can't hurt to try! The result gives you, the analyst, a lot more context and insight!

6/n
The output of the LLM shown within Ghidra's plate comment
maxkersten.nl
Based on research by @mrphrazer.bsky.social and @mu00d8.bsky.social, presented at RECon 2024, I used graph theory code from Ghidra's codebase to select the order in which functions are sent to the LLM, ensuring as much context as possible is retained. The script is aptly named GhidrAI!

5/n
A side-by-side view of Ghidra's decompiler. Left is the raw output, right is the output enhanced by the LLM.
maxkersten.nl
The usage of BSim to rename functions automatically is something I dove into last year (see post two in this thread). The new Automagic script allows you to include multiple BSim databases to use per file, while specifying different similarity values per database! Granularity!

4/n
maxkersten.nl
My new research focuses on an improved version of this workflow, while putting my money where my mouth is by providing ready-to-use scripts for all steps along the way!

3/n
The improved workflow, where the yellow squares remain unchanged while the blue ones have been newly added.
maxkersten.nl
Last year, I blogged about the recovery of symbols in my "No Symbols, No Problem" blog and subsequent DEFCON 32 talk. This resulted in a workflow, as shown in the attached image.

Blog: www.trellix.com/blogs/resear...
Talk: www.youtube.com/watch?v=-re_...

2/n
The workflow to analyze files when reverse engineering, with a focus on accuracy.
maxkersten.nl
Ghidra, scripting, LLM, automagic automation. That should grab the attention for this thread. If you want to read the complete blog, you can do so here: www.trellix.com/blogs/resear...
1/n
A side by side comparison of the original output by Ghidra, and the LLM enriched output.
maxkersten.nl
Tuesday's workshop @botconf.infosec.exchange.ap.brid.gy went well with very engaged and enthusiastic attendees!
A picture of the workshop's title slide
maxkersten.nl
Coming Tuesday I will represent Trellix at @botconf.infosec.exchange.ap.brid.gy in Angers with a four hour workshop on Ghidra automation!
maxkersten.nl
Ghidra has multiple types of comments you can set, but when can you best use which comment? You'll find the explanation in my Ghidra tip of the month: maxkersten.nl/2025/04/15/g...
Ghidra Tip 0x0A: Comments – Max Kersten
maxkersten.nl
Two weeks ago, @re-verse.io happened! I wrote about my experience at the conference in my most recent blog: maxkersten.nl/2025/03/12/m...
My impression of RE//VERSE 2025 – Max Kersten
maxkersten.nl
What do you wear at @re-verse.io? A Ghidra t-shirt and Hex-Rays cap, with @psifertex.bsky.social rocking the Binary Ninja t-shirt, hoodie, and cap!
Jordan is wearing a Binary Ninja t-shirt, hoodie, and cap, whereas I'm wearing a Ghidra t-shirt and a Hex-Rays cap
maxkersten.nl
This Friday, I will represent Trellix at @re-verse.io and I will talk about code reuse, attribution, and the dangers thereof. Looking forward to it, and to meeting the Vector 35 folks! The full abstract can be found at: re-verse.sessionize.com/session/754398
The image contains a part of the talk's abstract:

The dreadful feeling when reversing a binary which shows hundreds or thousands of unknown functions is, unfortunately, all too well known by analysts. It does not matter if the binary in question is a malware sample, a patch-diffing effort, or a hobby project, the lack of function symbols severely slows down the analysis. This talk dives into function symbol recovery by detecting code reuse in binaries to avoid the slow and tedious analysis, and to improve attribution capabilities. The AcidRain and AcidPour wipers, used against Ukrainian targets in the wild, will be used as case studies. Automation of repetitive steps is kept in mind throughout the process.
maxkersten.nl
Ever ran a script in Ghidra that you wanted to cancel, only to find out that the script would not let you? The TaskMonitor handles the cancellation event, December's Ghidra tip dives into the details: maxkersten.nl/2024/12/31/g...
Ghidra Tip 0x09: TaskMonitor – Max Kersten
maxkersten.nl
Ghidra can do a lot, but some tasks are best outsourced to (micro)services! How? This month's tip helps you along: maxkersten.nl/2024/11/27/g...
Ghidra Tip 0x08: Scripting with microservices – Max Kersten
maxkersten.nl
Interested in technical malware analysis content and news? This is your (continuously updated) starter pack: go.bsky.app/BLY75TZ