
capa + Ghidra

capa is the FLARE team's open-source tool that detects capabilities in executable files. Ghidra is an open-source software reverse engineering framework created and maintained by the National Security Agency Research Directorate. capa + Ghidra brings capa's detection capabilities directly to Ghidra's user interface, helping speed up your reverse engineering tasks by identifying which parts of a program suggest interesting behavior, such as setting a registry value. You can execute the included Python 3 scripts capa_explorer.py or capa_ghidra.py to run capa's analysis and view the results in Ghidra. You may be asking yourself, "Python 3 scripts in Ghidra?". You read that correctly. This integration is written entirely in Python 3 and relies on Ghidrathon, an open-source Ghidra extension that adds Python 3 scripting to Ghidra.

Check out our capa + Ghidra blog posts:

UI Integration

capa_explorer.py renders capa results in Ghidra's UI to help you quickly navigate them. This includes adding matched functions to Ghidra's Symbol Tree and Bookmarks windows and adding comments to functions that indicate matched capabilities and features. You can execute this script using Ghidra's Script Manager window.

Symbol Tree Window

Matched functions are added to Ghidra's Symbol Tree window under a custom namespace that maps to the capabilities' capa namespace.

Comments

Comments are added at the beginning of matched functions indicating matched capabilities, and inline comments are added within functions indicating matched features. You can view these comments in Ghidra's Disassembly Listing and Decompile windows.

Bookmarks

Bookmarks are added to functions that matched a capability that is mapped to a MITRE ATT&CK and/or Malware Behavior Catalog (MBC) technique. You can view these bookmarks in Ghidra's Bookmarks window.

Text-based Integration

capa_ghidra.py outputs text-based capa results that mirror the output of capa's standalone tool. You can execute this script using Ghidra's Script Manager and view its output in Ghidra's Console window.

You can also execute capa_ghidra.py using Ghidra's Headless Analyzer to view its output in a terminal window.

Getting Started

Requirements

| Tool       | Version   | Source                                                      |
|------------|-----------|-------------------------------------------------------------|
| capa       | >= 7.0.0  | https://github.com/mandiant/capa/releases                   |
| Ghidrathon | >= 3.0.0  | https://github.com/mandiant/Ghidrathon/releases             |
| Ghidra     | >= 10.3.2 | https://github.com/NationalSecurityAgency/ghidra/releases   |
| Python     | >= 3.8.0  | https://www.python.org/downloads                            |

Installation

Note: capa + Ghidra relies on Ghidrathon to execute Python 3 code in Ghidra. You must first install and configure Ghidrathon using the steps outlined in its README. Then, you must use the Python 3 interpreter that you configured with Ghidrathon to complete the following steps:

  1. Install capa and its dependencies from PyPI using the following command:
     $ pip install flare-capa
  2. Download and extract the official capa rules that match the capa version you have installed. You can use either of the following commands to view the version of capa you have installed:
     $ pip show flare-capa
     OR
     $ capa --version
  3. Copy capa_explorer.py and capa_ghidra.py to your ghidra_scripts directory, or manually add the parent directory of each script using Ghidra's Script Manager.

Usage

You can execute capa_explorer.py and capa_ghidra.py using Ghidra's Script Manager. capa_ghidra.py can also be executed using Ghidra's Headless Analyzer.

Execution using Ghidra's Script Manager

You can execute capa_explorer.py and capa_ghidra.py using Ghidra's Script Manager as follows:

  1. Navigate to Window > Script Manager
  2. Expand the Python 3 > capa category
  3. Double-click a script to execute it

Both scripts ask you to provide the path of your capa rules directory (see installation step 2). capa_ghidra.py also has you choose one of the default, verbose, and vverbose output formats, which mirror the output formats of capa's standalone tool.

Execution using Ghidra's Headless Analyzer

You can execute capa_ghidra.py using Ghidra's Headless Analyzer by invoking the analyzeHeadless script included with Ghidra in its support directory. The following arguments must be provided:

| Argument                                        | Description                                                                                                                                                                                                                                      |
|-------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <project_path>                                  | Path to Ghidra project                                                                                                                                                                                                                           |
| <project_name>                                  | Name of Ghidra project                                                                                                                                                                                                                           |
| -Process <sample_name> OR -Import <sample_path> | Name of sample <sample_name> already imported into <project_name>, OR absolute path of sample <sample_path> to import into <project_name>                                                                                                         |
| -ScriptPath <script_path>                       | OPTIONAL parent directory <script_path> of capa_ghidra.py                                                                                                                                                                                        |
| -PostScript capa_ghidra.py                      | Execute capa_ghidra.py after Ghidra analysis                                                                                                                                                                                                     |
| "<script_args>"                                 | Quoted string "<script_args>" containing the script arguments passed to capa_ghidra.py; it must specify the capa rules path and may optionally specify the output format (--verbose, --vverbose, --json). Specify "help" to view the script's help message |

The following is an example of combining these arguments into a single analyzeHeadless script command:

$ analyzeHeadless /home/wumbo/demo demo -Import /home/wumbo/capa/tests/data/Practical\ Malware\ Analysis\ Lab\ 01-01.dll_ -PostScript capa_ghidra.py "/home/wumbo/capa/rules --verbose"
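The following is an added example, not code from the capa project: a small POSIX shell wrapper around the analyzeHeadless invocation above that validates the rules directory and output format before Ghidra starts, picks -Import or -Process depending on whether the sample argument is a file on disk, and passes each argument separately so paths with spaces survive. The variable names GHIDRA_INSTALL_DIR (assumed to point at your Ghidra install) and DRY_RUN (prints the command instead of running it) are this wrapper's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the capa project. Wraps the analyzeHeadless
# command line described in the README so common mistakes (missing rules
# directory, misspelled output format, relative sample path) fail early.
# Assumptions: GHIDRA_INSTALL_DIR points at your Ghidra install directory;
# DRY_RUN=1 prints the command, one argument per line, instead of running it.

# usage: run_capa_headless PROJECT_PATH PROJECT_NAME RULES_DIR SAMPLE [FORMAT] [SCRIPT_DIR]
run_capa_headless() {
    project_path=$1 project_name=$2 rules_dir=$3 sample=$4
    fmt=${5:-} script_dir=${6:-}
    headless="${GHIDRA_INSTALL_DIR:?set GHIDRA_INSTALL_DIR to your Ghidra install}/support/analyzeHeadless"

    [ -d "$rules_dir" ] || { echo "capa rules directory not found: $rules_dir" >&2; return 2; }
    case $fmt in
        ''|--verbose|--vverbose|--json) ;;
        *) echo "unsupported output format: $fmt" >&2; return 2 ;;
    esac

    if [ -f "$sample" ]; then
        # -Import expects an absolute path; resolve a relative one against $PWD.
        case $sample in /*) ;; *) sample="$PWD/$sample" ;; esac
        mode=-Import
    else
        mode=-Process   # treat the argument as a program already in the project
    fi

    # The script arguments travel as one quoted string: rules path, then format.
    script_args="$rules_dir${fmt:+ $fmt}"

    set -- "$project_path" "$project_name" "$mode" "$sample"
    if [ -n "$script_dir" ]; then
        set -- "$@" -ScriptPath "$script_dir"
    fi
    set -- "$@" -PostScript capa_ghidra.py "$script_args"

    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$headless" "$@"
    else
        "$headless" "$@"
    fi
}
```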