
add a Ghidra entry script users can invoke to run capa against a loaded Ghidra database #1767

Merged
merged 11 commits into backend-ghidra from enhance/add-ghidra-entry-script
Aug 26, 2023

Conversation

mike-hunhoff
Collaborator

This PR adds a Ghidra Python 3 script that invokes capa in a way that allows users to specify a rules path and control rendering in both Ghidra headless and UI modes.

Steps:

  1. Install Ghidrathon
  2. pip install flare-capa
  3. Download official capa rules matching capa version
  4. Copy capa_ghidra.py to Ghidra user scripts directory
  5. Run capa_ghidra.py from Ghidra headless or script manager

Users can specify their capa rules path and verbosity via the UI when running in the Ghidra UI, and users can specify their capa rules path and verbosity via command-line arguments when running in Ghidra headless. Unfortunately Ghidra's headless analyzer does not allow flags, e.g. -v, to be specified as script arguments, so instead we require users to specify their command-line arguments using a single string surrounded by quotes, e.g. "<path_to_rules> -vv". Users can specify the keyword help, e.g. "help", to view the script's help output that would normally be accessed via -h or --help.

This PR also includes bug fixes, refactoring, and adding Ghidra support for show-features.py.

Ghidra UI

Selecting rules:
[screenshot: Screen Shot 2023-08-25 at 3 23 24 PM]

Selecting rendering:
[screenshot: Screen Shot 2023-08-25 at 3 23 32 PM]

Output to Ghidra console window (which can be used to navigate directly to displayed addresses):
[screenshot: Screen Shot 2023-08-25 at 3 24 47 PM]

Ghidra headless

Running capa with specified rules and verbosity:

$ analyzeHeadless /home/wampus test -process Practical\ Malware\ Analysis\ Lab\ 01-01.dll_ -PostScript capa_ghidra.py "/home/wampus/capa/rules -vv"
[...]
INFO  REPORT: Analysis succeeded for file: /Practical Malware Analysis Lab 01-01.dll_ (HeadlessAnalyzer)
INFO  SCRIPT: /ghidra_scripts/capa_ghidra.py (HeadlessAnalyzer)
md5                     290934c61de9176ad682ffdd65f0a669
sha1
sha256                  f50e42c8dfaab649bde0398867e930b86c2a599e8db83b8260393082268f2dba
path                    /home/spring/Documents/capa/tests/data/Practical Malware Analysis Lab 01-01.dll_
timestamp               2023-08-25 15:40:39.990986
capa version            6.0.0
os                      windows
format                  Portable Executable (PE)
arch                    x86
extractor               ghidra
base address            global
rules                   /home/spring/Documents/capa/rules
function count          5
library function count  0
total feature count     376

contain loop (3 matches, only showing first match of library rule)
author  [email protected]
scope   function
function @ 0x10001010
  or:
    characteristic: loop @ 0x10001010

delay execution (2 matches, only showing first match of library rule)
author      [email protected], @ramen0x3f
scope       basic block
mbc         Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed Execution [B0003.003]
references  https://docs.microsoft.com/en-us/windows/win32/sync/wait-functions, https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/TimingAttacks/timing.cpp
basic block @ 0x10001154 in function 0x10001010
  or:
    and:
      os: windows
      or:
        api: kernel32.Sleep @ 0x10001159

check mutex
namespace  host-interaction/mutex
author     [email protected], [email protected]
scope      basic block
mbc        Process::Check Mutex [C0043]
basic block @ 0x1000102E in function 0x10001010
  and:
    or:
      api: kernel32.OpenMutex @ 0x10001059

create mutex
namespace  host-interaction/mutex
author     [email protected], [email protected]
scope      function
mbc        Process::Create Mutex [C0042]
function @ 0x10001010
  or:
    api: kernel32.CreateMutex @ 0x1000106E

create process on Windows
namespace  host-interaction/process/create
author     [email protected]
scope      basic block
mbc        Process::Create Process [C0017]
basic block @ 0x10001179 in function 0x10001010
  or:
    api: kernel32.CreateProcess @ 0x100011AF
Script /ghidra_scripts/capa_ghidra.py called exit with code 0
INFO  ANALYZING changes made by post scripts: /Practical Malware Analysis Lab 01-01.dll_ (HeadlessAnalyzer)

[...]

Viewing help:

$ analyzeHeadless /home/wampus test -process Practical\ Malware\ Analysis\ Lab\ 01-01.dll_ -PostScript capa_ghidra.py "help"
[...]
INFO  REPORT: Analysis succeeded for file: /Practical Malware Analysis Lab 01-01.dll_ (HeadlessAnalyzer)
INFO  SCRIPT: /ghidra_scripts/capa_ghidra.py (HeadlessAnalyzer)
usage: [-h] [-v] [-vv] [-d] [-q] [-j] rules

The FLARE team's open-source tool to integrate capa with Ghidra.

positional arguments:
  rules            path to rule file or directory

options:
  -h, --help       show this help message and exit
  -v, --verbose    enable verbose result document (no effect with --json)
  -vv, --vverbose  enable very verbose result document (no effect with --json)
  -d, --debug      enable debugging output on STDERR
  -q, --quiet      disable all output but errors
  -j, --json       emit JSON instead of text
Script /ghidra_scripts/capa_ghidra.py called exit with code 0
INFO  ANALYZING changes made by post scripts: /Practical Malware Analysis Lab 01-01.dll_ (HeadlessAnalyzer)
[...]
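The headless argument convention described in the PR (one quoted string such as "<path_to_rules> -vv", plus the "help" keyword standing in for -h) can be reproduced with argparse and shlex. The following is an added example written for this page, not the PR's capa_ghidra.py; the option set is copied from the help output shown above, while the function names, the prog name and the "no arguments means UI mode" fallback are assumptions of this example.

```python
import argparse
import shlex
from typing import List, Optional


def build_parser() -> argparse.ArgumentParser:
    # Option set mirrors the help text printed by the script in the PR description.
    parser = argparse.ArgumentParser(
        prog="capa_ghidra.py",  # assumption: prog name chosen for this example
        description="The FLARE team's open-source tool to integrate capa with Ghidra.",
    )
    parser.add_argument("rules", help="path to rule file or directory")
    parser.add_argument("-v", "--verbose", action="store_true",
                        help="enable verbose result document (no effect with --json)")
    parser.add_argument("-vv", "--vverbose", action="store_true",
                        help="enable very verbose result document (no effect with --json)")
    parser.add_argument("-d", "--debug", action="store_true",
                        help="enable debugging output on STDERR")
    parser.add_argument("-q", "--quiet", action="store_true",
                        help="disable all output but errors")
    parser.add_argument("-j", "--json", action="store_true",
                        help="emit JSON instead of text")
    return parser


def parse_headless_args(script_args: List[str]) -> Optional[argparse.Namespace]:
    """Parse the arguments analyzeHeadless hands to a post-script.

    Ghidra passes each -PostScript argument through as one element and does not
    accept flags, so the convention is a single quoted string like "<rules> -vv".
    Returns None when the caller should print help (the "help" keyword) or fall
    back to UI prompts (no arguments at all, i.e. launched from the Script Manager).
    """
    if not script_args:
        # Assumption of this example: no headless arguments means UI mode, where
        # the script should ask for the rules path and verbosity interactively.
        return None

    raw = script_args[0].strip()
    if raw.lower() == "help":
        build_parser().print_help()
        return None

    # shlex.split honours quotes, so a rules path containing spaces works:
    #   '"/tmp/my rules" -j'  ->  ['/tmp/my rules', '-j']
    # On Windows, quote the path or use forward slashes: an unquoted backslash
    # is treated as an escape character by the POSIX-style splitter.
    argv = shlex.split(raw)
    return build_parser().parse_args(argv)


def select_render_mode(args: argparse.Namespace) -> str:
    """Map the parsed flags to one rendering choice; --json overrides -v/-vv."""
    if args.json:
        return "json"
    if args.vverbose:
        return "vverbose"
    if args.verbose:
        return "verbose"
    return "default"


if __name__ == "__main__":
    # Constructed sample invocation matching the headless example in the PR.
    ns = parse_headless_args(["/home/wampus/capa/rules -vv"])
    print(ns.rules, select_render_mode(ns))
```

Inside Ghidra the list passed to parse_headless_args would come from the script's getScriptArgs() call; an empty list is the signal to switch to the askDirectory/askChoice style prompts the PR uses in UI mode.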

@mike-hunhoff mike-hunhoff added enhancement New feature or request ghidra Related to Ghidra integration gsoc Work related to Google Summer of Code project. labels Aug 25, 2023
@mike-hunhoff
Collaborator Author

Performance significantly improved by 4283c01.

Before:

        1    0.000    0.000   26.628   26.628 file.py:75(extract_file_embedded_pe)
        1    0.005    0.005   26.628   26.628 file.py:26(check_segment_for_pe)

After:

        1    0.002    0.002    0.198    0.198 file.py:81(extract_file_embedded_pe)
        6    0.117    0.019    0.144    0.024 file.py:25(find_embedded_pe)

@colton-gabertan
Collaborator

> Performance significantly improved by 4283c01.
>
> Before:
>
>         1    0.000    0.000   26.628   26.628 file.py:75(extract_file_embedded_pe)
>         1    0.005    0.005   26.628   26.628 file.py:26(check_segment_for_pe)
>
> After:
>
>         1    0.002    0.002    0.198    0.198 file.py:81(extract_file_embedded_pe)
>         6    0.117    0.019    0.144    0.024 file.py:25(find_embedded_pe)

Awesome find in optimizing the byte conversions 😄

@colton-gabertan colton-gabertan merged commit 6517980 into backend-ghidra Aug 26, 2023
@colton-gabertan colton-gabertan deleted the enhance/add-ghidra-entry-script branch August 26, 2023 01:36
@williballenthin
Collaborator

casual 100x improvement 🥷
