forked from cmu-sei/kaiju
-
Notifications
You must be signed in to change notification settings - Fork 23
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Public release 20210329, includes a number of bug fixes and improveme…
…nts. Largely improvements to README, and a new HEADLESS_README for better documentation on using Kaiju in headless mode from a command line. New runKaiju bash script for easy headless usage. Also includes a simple new plugin for counting function cross-references within a program.
- Loading branch information
1 parent
1580b4b
commit 4bd1a67
Showing
15 changed files
with
1,717 additions
and
114 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| --- | ||
| name: Bug report | ||
| about: Create a report to help us improve | ||
| title: '' | ||
| labels: '' | ||
| assignees: '' | ||
|
|
||
| --- | ||
|
|
||
| **Describe the bug** | ||
| A clear and concise description of what the bug is. | ||
|
|
||
| **To Reproduce** | ||
| Steps to reproduce the behavior: | ||
| 1. Go to '...' | ||
| 2. Click on '....' | ||
| 3. Scroll down to '....' | ||
| 4. See error | ||
|
|
||
| **Expected behavior** | ||
| A clear and concise description of what you expected to happen. | ||
|
|
||
| **Screenshots** | ||
| If applicable, add screenshots to help explain your problem. | ||
|
|
||
| **Desktop (please complete the following information):** | ||
| - OS: [e.g. iOS] | ||
| - Browser [e.g. chrome, safari] | ||
| - Version [e.g. 22] | ||
|
|
||
| **Smartphone (please complete the following information):** | ||
| - Device: [e.g. iPhone6] | ||
| - OS: [e.g. iOS8.1] | ||
| - Browser [e.g. stock browser, safari] | ||
| - Version [e.g. 22] | ||
|
|
||
| **Additional context** | ||
| Add any other context about the problem here. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| --- | ||
| name: Feature request | ||
| about: Suggest an idea for this project | ||
| title: '' | ||
| labels: '' | ||
| assignees: '' | ||
|
|
||
| --- | ||
|
|
||
| **Is your feature request related to a problem? Please describe.** | ||
| A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] | ||
|
|
||
| **Describe the solution you'd like** | ||
| A clear and concise description of what you want to happen. | ||
|
|
||
| **Describe alternatives you've considered** | ||
| A clear and concise description of any alternative solutions or features you've considered. | ||
|
|
||
| **Additional context** | ||
| Add any other context or screenshots about the feature request here. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| # Using CERT Kaiju in "Headless" Mode | ||
|
|
||
| ## Overview | ||
|
|
||
| The following Kaiju tools are available in "headless" mode: | ||
|
|
||
| - **fn2hash** = automatically run Fn2Hash on a given program | ||
| and export all the hashes to a CSV file specified | ||
| - **fn2yara** = automatically run Fn2Hash on a given program | ||
| and export all hash data as YARA signatures to the file specified | ||
| - **fnxrefs** = analyze a Program and export a list of Functions | ||
| based on entry point address that have cross-references in | ||
| data or other parts of the Program | ||
|
|
||
| These tools are designed to work completely from the command line; | ||
| the user does not need to run the GUI version of Ghidra to utilize | ||
| this mode. This may be helpful in several scenarios, such as | ||
| an automated "batch" mode where a script runs Ghidra/Kaiju tools | ||
| automatically on a batch of samples, or to allow remote analysis | ||
| on a virtual machine/resources with only a remote terminal. | ||
|
|
||
| *NOTE*: These tools may not completely correspond with features available | ||
| in graphical interface tools, simply due to the nature of | ||
| how a typical user utilizes GUI versus command line tools. | ||
|
|
||
| ## Using the Headless Analyzer | ||
|
|
||
| Kaiju makes use of Ghidra's built-in "Headless Analyzer" mode, as well | ||
| as some GhidraScripts, to expose functionality and tools to the command line. | ||
| Users are recommended to familiar with the official Ghidra documentation, | ||
| for details please see the [Ghidra Headless Analyzer README](https://ghidra.re/ghidra_docs/analyzeHeadlessREADME.html). | ||
|
|
||
| A brief overview, for the purposes of using CERT Kaiju in headless mode, is provided here. | ||
|
|
||
| --- | ||
|
|
||
| The general syntax for the Headless analyzer is: | ||
|
|
||
| `analyzeHeadless PROJECT_DIRECTORY PROJECT_NAME [options...]` | ||
|
|
||
| Three main steps happen when you run this command: | ||
|
|
||
| 1. if specified with `-preScript`, a GhidraScript is run (pre-analysis) that can be used to initialize or setup tools including Kaiju | ||
| 2. one or more Ghidra analyzers, including those installed by Kaiju, are run against the provided executable in the given project environment | ||
| 3. if specified with `-postScript`, a GhidraScript is then run (post-analysis) to process analyzer results (including export data to file) | ||
|
|
||
| We have provided several sample scripts to perform these actions: | ||
|
|
||
| - _setupScript.java_ | ||
| Ensures that the CERT Function Hashing plugin is enabled for headless analysis. (preScript) | ||
|
|
||
| - _exportCSVHeadless.java_ | ||
| Extracts the function hashing artifacts and outputs them to the specified file in CSV format. (postScript) | ||
|
|
||
| - _exportXrefsToCSVHeadless.java_ | ||
| Counts the number of external References to Function entry points and outputs them to the specified file in CSV format. (postScript) | ||
|
|
||
| --- | ||
|
|
||
| ### Examples | ||
|
|
||
| Analyzing a single binary with Fn2Hash and export the hashes to CSV: | ||
| `$GHIDRA_INSTALL_DIR/support/analyzeHeadless $HOME/ghidra_projects tmpProj -import exampleFile.exe -preScript setupScript.java -postScript exportCSVHeadless.java exampleFileResults.csv` | ||
|
|
||
| Analyzing a directory of binaries with Fn2Hash: | ||
| `$GHIDRA_INSTALL_DIR/support/analyzeHeadless $HOME/ghidra_projects tmpProj -import path/to/binaries -preScript setupScript.java -postScript exportCSVHeadless.java exampleFileResults.csv` | ||
|
|
||
|
|
||
| Using `-okToDelete` and `-deleteProject` options on analyzeHeadless to remove tmpProj after import: | ||
| `$GHIDRA_INSTALL_DIR/support/analyzeHeadless $HOME/ghidra_projects tmpProj -okToDelete -deleteProject -import exampleFile.exe -preScript setupScript.java -postScript exportCSVHeadless.java exampleFileResults.csv` | ||
|
|
||
| *** NOTE *** This will DELETE any Ghidra project named `tmpProj` in your user directory defined by `$HOME/ghidra_projects` (or throw an error if `$HOME` is undefined)! | ||
|
|
Oops, something went wrong.