Skip to content

ghidra_analyzer.py

ofrak_ghidra.components.ghidra_analyzer

GhidraCodeRegionModifier (Modifier, OfrakGhidraMixin)

modify(self, resource, config=None) async

Modify the given resource.

Users should not call this method directly; rather, they should run Resource.run.

Parameters:

Name Type Description Default
resource Resource required
config

Optional config for modification. If an implementation provides a default, this default will always be used when config would otherwise be None. Note that a copy of the default config will be passed, so the default config values cannot be modified persistently by a component run.

 None
Source code in ofrak_ghidra/components/ghidra_analyzer.py 
async def modify(self, resource: Resource, config=None):
    code_region = await resource.view_as(CodeRegion)
    ghidra_project = await OfrakGhidraMixin.get_ghidra_project(resource)

    ofrak_code_regions = await ghidra_project.resource.get_descendants_as_view(
        v_type=CodeRegion, r_filter=ResourceFilter(tags=[CodeRegion])
    )

    backend_code_regions_json = await self.get_code_regions_script.call_script(resource)
    backend_code_regions = []

    for cr_j in backend_code_regions_json:
        cr = CodeRegion(cr_j["start"], cr_j["size"])
        backend_code_regions.append(cr)

    ofrak_code_regions = sorted(ofrak_code_regions, key=lambda cr: cr.virtual_address)
    backend_code_regions = sorted(backend_code_regions, key=lambda cr: cr.virtual_address)

    if len(ofrak_code_regions) > 0:
        relative_va = code_region.virtual_address - ofrak_code_regions[0].virtual_address

        for backend_cr in backend_code_regions:
            backend_relative_va = (
                backend_cr.virtual_address - backend_code_regions[0].virtual_address
            )

            if backend_relative_va == relative_va and backend_cr.size == code_region.size:
                resource.add_view(backend_cr)
                return

        LOGGER.debug(
            f"No code region with relative offset {relative_va} and size {code_region.size} found in Ghidra"
        )
    else:
        LOGGER.debug("No OFRAK code regions to match in Ghidra")

GhidraProjectAnalyzer (Analyzer)

Use Ghidra backend to create project for and analyze a binary. This analyzer must run before Ghidra analysis can be accessed from OFRAK. This Analyzer can either create a new project and new analysis for a binary or, if a config is passed to it, load an existing Ghidra project.

analyze(self, resource, config=None) async

Analyze a resource for to extract specific ResourceAttributes.

Users should not call this method directly; rather, they should run Resource.run or Resource.analyze.

Parameters:

Name Type Description Default
resource Resource

The resource that is being analyzed

 required
config Optional[ofrak_ghidra.components.ghidra_analyzer.GhidraProjectConfig]

Optional config for analyzing. If an implementation provides a default, this default will always be used when config would otherwise be None. Note that a copy of the default config will be passed, so the default config values cannot be modified persistently by a component run.

 None

Returns:

Type Description
GhidraProject

The analysis results
Source code in ofrak_ghidra/components/ghidra_analyzer.py 
async def analyze(
    self, resource: Resource, config: Optional[GhidraProjectConfig] = None
) -> GhidraProject:

    # TODO: allow multiple headless server instances
    os.system("pkill -if analyzeHeadless")
    if config is not None:
        full_fname = config.ghidra_zip_file
        tmp_dir = None
    else:
        tmp_dir = tempfile.TemporaryDirectory()
        data = await resource.get_data()
        hash_sha256 = hashlib.sha256()
        hash_sha256.update(data)
        full_fname = os.path.join(tmp_dir.name, hash_sha256.hexdigest())
        data = await resource.get_data()
        with open(full_fname, "wb") as f:
            f.write(data)

    ghidra_project = f"{GHIDRA_REPOSITORY_HOST}:{GHIDRA_REPOSITORY_PORT}/ofrak"

    program_name = await self._do_ghidra_import(ghidra_project, full_fname)
    await self._do_ghidra_analyze_and_serve(
        ghidra_project, program_name, skip_analysis=config is not None
    )

    if tmp_dir:
        tmp_dir.cleanup()

    return GhidraProject(ghidra_project, f"{GHIDRA_SERVER_HOST}:{GHIDRA_SERVER_PORT}")

GhidraProjectConfig (ComponentConfig) dataclass

Config for GhidraProjectAnalyzer to pass in a pre-analyzed Ghidra project for a binary as a Ghidra Zip file.

A Ghidra Zip File can be exported from Ghidra's project window, right-clicking on an analyzed file and "Export...". Then select the Ghidra Zip File format and save the file. This will create a .gzf file that you can import with this GhidraProjectConfig.