capa icon indicating copy to clipboard operation
capa copied to clipboard
verified publisher icon mandiant

When running capa with Binary Ninja backend, Binja not found

Open as0ni opened this issue 1 year ago • 4 comments

Description

When running capa against shellcode using the Binary Ninja backend, capa indicates the Binary Ninja API is not found. Mentioning @xusheng6 since I believe he works issues related to Binja. Thank you!

Steps to Reproduce

Run capa on shellcode using Binary Ninja as a backend with the following command: C:\Tools\capa.exe -r C:\Tools\capa-rules -f sc64 sc.bin -b binja -d

Expected behavior: capa should analyze the shellcode file with the binary ninja backend and report any detected capabilities based on the specified rules.

Actual behavior: The above command produces the following error:

DEBUG    capa: using rules path: C:\Tools\capa-rules                                                                        main.py:495
DEBUG    capa.rules: reading rules from directory C:\Tools\capa-rules                                                  __init__.py:2101
DEBUG    capa.rules.cache: loading rule set from cache: C:\Users\REM\AppData\Local\flare\capa\cache\capa-6b587440.cache    cache.py:150
DEBUG    capa: successfully loaded 969 rules                                                                                main.py:683
DEBUG    capa.features.extractors.common: unsupported file format: fc4883e4, will not guess OS                            common.py:141
DEBUG    capa: skipping library code matching: only supported by the vivisect backend                                       main.py:783
DEBUG    capa: format:  sc64                                                                                                main.py:833
DEBUG    capa: backend: binja                                                                                               main.py:834
DEBUG    capa.features.extractors.binja.find_binja_api: Binary Ninja API not installed, searching...              find_binja_api.py:149
WARNING  capa.features.extractors.binja.find_binja_api: unsupported platform to find Binary Ninja: win32          find_binja_api.py:110
DEBUG    capa.features.extractors.binja.find_binja_api: failed to find Binary Ninja installation                  find_binja_api.py:153
DEBUG    capa.features.extractors.binja.find_binja_api: found Binary Ninja API: None                              find_binja_api.py:155
Traceback (most recent call last):
  File "main.py", line 1103, in <module>
  File "main.py", line 990, in main
  File "main.py", line 837, in get_extractor_from_cli
  File "loader.py", line 246, in get_extractor
RuntimeError: cannot find Binary Ninja API module.
[PYI-4732:ERROR] Failed to execute script 'main' due to unhandled exception!

Versions

capa version: 8.0.1 capa rules version: 8.0.1 Installed as: Tried both Python library and standalone EXE Backend: Binary Ninja 4.2.6455 (Personal License)

Additional Information

  • I installed the Binary Ninja API as described here: https://docs.binary.ninja/dev/batch.html#install-the-api.
  • I manually executed python find_binja_api.py (the file referenced in the debug output), and it outputs the path C:\Users\REM\AppData\Local\Programs\Vector35\BinaryNinja\python.
  • I also ran this code, located in find_binja_api.py, with the following output:
>>> import importlib.util
>>> importlib.util.find_spec("binaryninja")
ModuleSpec(name='binaryninja', loader=<_frozen_importlib_external.SourceFileLoader object at 0x000001F77ABE8350>, origin='C:\\Users\\REM\\AppData\\Local\\Programs\\Vector35\\BinaryNinja\\python\\binaryninja\\__init__.py', submodule_search_locations=['C:\\Users\\REM\\AppData\\Local\\Programs\\Vector35\\BinaryNinja\\python\\binaryninja'])

Any ideas are much appreciated. Thank you!

as0ni avatar Dec 18 '24 18:12 as0ni

thanks for reporting this @as0ni

I think the relevant logging line is this:

WARNING capa.features.extractors.binja.find_binja_api: unsupported platform to find Binary Ninja: win32

the API auto detection is only implemented for Linux and macOS. I don't think windows will be hard, I just didn't have a system handy at the time.

williballenthin avatar Dec 18 '24 19:12 williballenthin

@as0ni do you have any interest in trying to implement this? if not, I can make an attempt when i have a little time.

I imagine the strategy will be to inspect the registry to find the installation path of Binary Ninja, then look in that directory for the python bindings. The idea is that this should work even without running the API install script provided by Vector35.

williballenthin avatar Dec 18 '24 19:12 williballenthin

Hi @williballenthin, I was able to resolve the issue by taking the following steps:

  • Uninstalled the capa Python library via pip, removed standalone capa.exe from my path, and then reinstalled the capa Python library via pip.
  • Installed commercial Binary Ninja license (I was using a Personal license previously).
  • Installed the Binary Ninja API as outlined here: https://docs.binary.ninja/dev/batch.html#install-the-api.

So, my key takeaways are:

  • My capa installation likely became messy due to having both the library and standalone executable installed (even though both were version 8.0.1 )
  • A commercial Binary Ninja license is required. This makes sense since headless support is only available in commercial licenses.

It might be helpful to clarify in the documentation that a commercial license is necessary for backend processing when using Binary Ninja with capa.

Let me know if you have any questions or additional thoughts on this. Thanks for your support!

as0ni avatar Dec 19 '24 15:12 as0ni

I will try to look into this when I can. Sorry I missed it earlier

xusheng6 avatar May 14 '25 03:05 xusheng6