
detect and use third-party analysis backends when possible #2376

Closed
2 of 6 tasks
williballenthin opened this issue Sep 19, 2024 · 7 comments · Fixed by #2380

Comments

@williballenthin
Collaborator

williballenthin commented Sep 19, 2024

capa has analysis backends for third party tools, like IDA, Binary Ninja, and Ghidra. It's possible to invoke capa to use these backends, but you typically have to be an expert to figure out how to do this.

We should investigate whether the standalone capa.exe can automatically detect installations of relevant third party applications and use their backends, when possible. For example, capa.exe could recognize that IDA is installed, figure out where the path is, and try to initialize idalib from that path. Of course, there are a lot of edge cases and possibilities, but I suspect a few common workflows might be achievable. For example, ensuring capa.exe in FLARE-VM uses the best available backend. Worst case, capa.exe continues to use the embedded vivisect backend.

Tasks

@williballenthin
Collaborator Author

williballenthin commented Sep 19, 2024

Binary Ninja on Linux

Installs an XDG Desktop Entry like this:

❯ bat ~/.local/share/applications/com.vector35.binaryninja.desktop -p
[Desktop Entry]
Name=Binary Ninja
Exec=/home/wballenthin/software/binaryninja/binaryninja %u
MimeType=application/x-binaryninja;x-scheme-handler/binaryninja;
Icon=/home/wballenthin/software/binaryninja/docs/img/logo.png
Terminal=false
Type=Application
Categories=Utility;
Comment=Binary Ninja: A Reverse Engineering Platform

from which we can parse Exec=/home/wballenthin/software/binaryninja/ to recover the spot where the binaryninja API is loaded. Then this install_api.py script is used to update the Python environment so the API can be imported.


We actually have some functionality already for loading Binary Ninja from the standalone exe, though it uses a different strategy: https://github.com/mandiant/capa/blob/master/capa/features/extractors/binja/find_binja_api.py

It invokes a Python subprocess to find the local install path. This works as long as the binaryninja module is available globally. If not, the import will fail.

The upside is that this is cross platform. The downside is the requirement for global installation.

@williballenthin
Collaborator Author

williballenthin commented Sep 19, 2024

IDA on Linux

IDA v8.0 also uses a Desktop Entry:

❯ bat -p /usr/share/applications/ida64.desktop
[Desktop Entry]
Name=IDA Pro (64-bit targets)
Exec=/opt/idapro/ida64
Icon=/opt/idapro/appico64.png
Terminal=false
Type=Application
StartupWMClass=ida64

However, the IDA 9.0 Beta 4 doesn't add the desktop entry (bug reported). But new in IDA 9.0 is a configuration file ~/.idapro/ida-config.json with an entry that points to the location of the current installation:

image

The IDA 9.0 idalib installation has a similar script to update the Python environment so that the shared libraries can be loaded. We can pull some of that logic into capa once the base directory is recovered.
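A worked finder for both the Binary Ninja and IDA desktop entries quoted above, added here as an example and not capa's own code: it walks the XDG application directories, parses the `[Desktop Entry]` group, strips the `%u` field code from `Exec=`, and returns the install directory per backend. The sample entries are constructed from the two files shown in this thread; the `binja`/`ida` labels and the requirement that the recovered directory exist before it is reported are assumptions.

```python
import os
import shlex
from pathlib import Path
from typing import Optional

# Constructed samples: the Exec= lines of the two desktop files quoted in this issue.
BINJA_DESKTOP = "[Desktop Entry]\nName=Binary Ninja\nExec=/home/wballenthin/software/binaryninja/binaryninja %u\n"
IDA_DESKTOP = "[Desktop Entry]\nName=IDA Pro (64-bit targets)\nExec=/opt/idapro/ida64\n"

def xdg_application_dirs() -> list[Path]:
    """Directories the XDG Base Directory spec says hold .desktop files, user dir first."""
    data_home = Path(os.environ.get("XDG_DATA_HOME") or Path.home() / ".local" / "share")
    data_dirs = os.environ.get("XDG_DATA_DIRS") or "/usr/local/share:/usr/share"
    return [d / "applications" for d in [data_home, *(Path(p) for p in data_dirs.split(":") if p)]]

def parse_desktop_entry(text: str) -> dict[str, str]:
    """Return the key/value pairs of the [Desktop Entry] group; other groups are ignored."""
    entries: dict[str, str] = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries

def backend_install_dir(entry: dict[str, str]) -> Optional[tuple[str, Path]]:
    """Map the Exec= program to (backend, install dir); %u-style field codes and args are dropped."""
    argv = shlex.split(entry.get("Exec", ""))
    program = Path(argv[0]) if argv else None
    if program is not None and program.name == "binaryninja":
        return "binja", program.parent  # assumed label; dir holds the binaryninja API
    if program is not None and program.name in ("ida", "ida64"):
        return "ida", program.parent  # assumed label; dir is the IDA base directory
    return None

def find_backends(app_dirs: list[Path]) -> dict[str, Path]:
    """Scan .desktop files; the first hit per backend wins, and only existing directories count."""
    found: dict[str, Path] = {}
    for app_dir in app_dirs:
        for desktop in sorted(app_dir.glob("*.desktop")) if app_dir.is_dir() else []:
            hit = backend_install_dir(parse_desktop_entry(desktop.read_text(errors="replace")))
            if hit and hit[0] not in found and hit[1].is_dir():
                found[hit[0]] = hit[1]
    return found
```

`find_backends(xdg_application_dirs())` runs the real scan; the returned directory is only a hint for where to load the API from, so a caller should still verify the expected library files are present before importing anything.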

@williballenthin
Collaborator Author

Windows

I think we can walk the registry to find where IDA/BinaryNinja are installed. Will update here when I try to make it work.

@williballenthin
Collaborator Author

macOS

I don't know and I don't have a system to test on. But maybe we can get outside contributors to help out. Alternatively, it's OK because we can fall back to viv when necessary.

@williballenthin
Collaborator Author

williballenthin commented Sep 19, 2024

@williballenthin
Collaborator Author

williballenthin commented Sep 20, 2024

image

https://github.com/mandiant/capa/compare/push-trmuzvmvrzkx

@williballenthin
Collaborator Author

search for Binary Ninja API via XDG Desktop Entries in https://github.com/mandiant/capa/compare/push-ltqsxxylmzpy

williballenthin added a commit that referenced this issue Sep 26, 2024
* introduce script to detect 3P backends

ref #2376

* add idalib backend

* binary ninja: search for API using XDG desktop entry

ref #2376

* binja: search more XDG locations for desktop entry

* binary ninja: optimize embedded PE scanning

closes #2397

* add script for comparing the performance of analysis backends