capa icon indicating copy to clipboard operation
capa copied to clipboard

Published 20 hours ago verified publisher icon mandiant

integrate capa with ghidra

Open williballenthin opened this issue 5 years ago • 6 comments
trafficstars

lots of people use ghidra, which is free and open source. we should recommend a way of integrating capa results into ghidra.

williballenthin avatar Jun 30 '20 21:06 williballenthin

@psifertex would be interested to hear your feedback on our plan here: http://www.williballenthin.com/post/2020-05-20-sketch-modern-python-in-ghidra/

williballenthin avatar Jul 27 '20 16:07 williballenthin

Hmm, I'm probably not the right person to provide feedback as I have very little JVM experience. One concern might be multithreading with other native plugins--in particular the decompiler. That said, if you limited your usage to either just automated processing where you let analysis run to completion and then use the recovered CFG, as well as a separate plugin to display results, it seems doable to me.

As a general solution it sounds very risky, but for the approach you're taking maybe it's not too bad? Again my experience is limited enough that I wouldn't count it for much.

Another alternative might be to use angr which can integrate much more cleanly (and is already written in python) though I don't have any intuition as to its accuracy relative to viv if that's the reason for wanting another alternative.

You could build a pure java plugin to consume results and display annotations in ghidra but not try to leverage the analysis component on the backend and use angr instead as an alternative to vivisect.

Caveat: I am of course horribly biased and therefore assume everyone will eventually come to know the best solution is BN. 🤣

psifertex avatar Jul 28 '20 02:07 psifertex

if that's the reason for wanting another alternative.

i think the primary motivation is that lots of people use ghidra, so if we support ghidra, then more people get access to capa. also, it does provide a solid UI framework through which we can provide neat interfaces, like we've done with IDA. i hate requiring expensive tools to be able to benefit from these research projects (no zing intended, i promise!).

williballenthin avatar Jul 28 '20 03:07 williballenthin

Your front-end is separate from your back-end, no? It might be easier to implement a ghidra front-end with java so it's more native so-to-speak and just give it the ability to integrate results from capa with a much more clearly defined set of APIs.

All I'm proposing is that depending on your goals you might be better served by considering angr as another alternative for back-end processing (which should integrate more easily if you want a viv alternative), but build out the ghidra front-end separately in a way that doesn't risk as much technical debt.

EDIT: Also, no offense perceived! I merely was trying to understand whether the motivator was accuracy, cost + accuracy, or audience size, etc since I couldn't speak to the analysis quality between those three as accurately as i'd like.

psifertex avatar Jul 29 '20 04:07 psifertex

You could build a pure java plugin to consume results and display annotations in ghidra

Done. but in python in a cleaner and simpler form.

https://github.com/reb311ion/CapaExplorer

image

reb311ion avatar Nov 26 '20 23:11 reb311ion

Wow, this looks really cool, @reb311ion!

mr-tz avatar Nov 30 '20 08:11 mr-tz

@reb311ion, doing a capa explorer UI all in Ghidra is possible now.

mr-tz avatar Sep 01 '23 14:09 mr-tz