detect and use third-party analysis backends when possible #2376
Binary Ninja on Linux

Installs an XDG Desktop Entry like this:

from which we can parse

We actually have some functionality already for loading Binary Ninja from the standalone exe, though it uses a different strategy: https://github.com/mandiant/capa/blob/master/capa/features/extractors/binja/find_binja_api.py

It invokes a Python subprocess to find the local install path. This works as long as the binaryninja module is available globally. If not, the import will fail. The upside is that this is cross-platform. The downside is the requirement for global installation.
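An added example, written for this page and not capa's own code, of the desktop-entry search sketched in the comment above: it walks the XDG application directories ($XDG_DATA_HOME and $XDG_DATA_DIRS), reads only the [Desktop Entry] group, and recovers the install directory from the Exec= line. The sample entry text and the /opt/binaryninja path are constructed assumptions, not the real file's contents.

```python
import os
import shlex
from pathlib import Path

# Constructed sample entry (assumption: the real file's contents are not on the page).
SAMPLE_ENTRY = """[Desktop Entry]
Name=Binary Ninja
Exec="/opt/binaryninja/binaryninja" %u
"""

def xdg_application_dirs():
    """Directories that may hold .desktop files, per the XDG base directory spec."""
    home = Path(os.environ.get("XDG_DATA_HOME") or Path.home() / ".local" / "share")
    data_dirs = os.environ.get("XDG_DATA_DIRS") or "/usr/local/share:/usr/share"
    return [home / "applications"] + [Path(d) / "applications" for d in data_dirs.split(":") if d]

def parse_desktop_entry(text):
    """Return the key=value pairs of the [Desktop Entry] group only (other groups ignored)."""
    entry, in_group = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry

def exec_program(entry):
    """Program path from Exec=, with arguments and %-field codes (%u, %f, ...) dropped."""
    argv = [a for a in shlex.split(entry.get("Exec", "")) if not a.startswith("%")]
    return Path(argv[0]) if argv else None

def find_install_dir(name, dirs):
    """Scan .desktop files for Name=<name>; return the directory holding its Exec program.
    Entries under $XDG_DATA_HOME are user-writable, so treat the result as untrusted input."""
    for directory in dirs:
        if not directory.is_dir():
            continue
        for desktop in directory.glob("*.desktop"):
            entry = parse_desktop_entry(desktop.read_text(errors="replace"))
            if entry.get("Name") == name:
                program = exec_program(entry)
                if program is not None:
                    return program.parent
    return None
```

Calling `find_install_dir("Binary Ninja", xdg_application_dirs())` gives the candidate directory, or None when no matching entry exists and the caller should fall back to the embedded backend.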
IDA on Linux

IDA v8.0 also uses a Desktop Entry:

However, the IDA 9.0 Beta 4 doesn't add the desktop entry (bug reported). But new in IDA 9.0 is a configuration file

The IDA 9.0 idalib installation has a similar script to update the Python environment so that the shared libraries can be loaded. We can pull some of that logic into capa once the base directory is recovered.
Windows

I think we can walk the registry to find where IDA/BinaryNinja are installed. Will update here when I try to make it work.
macOS

I don't know and I don't have a system to test on. But maybe we can get outside contributors to help out. Alternatively, it's OK because we can fall back to viv when necessary.
search for Binary Ninja API via XDG Desktop Entries in https://github.com/mandiant/capa/compare/push-ltqsxxylmzpy

* introduce script to detect 3P backends ref #2376
* add idalib backend
* binary ninja: search for API using XDG desktop entry ref #2376
* binja: search more XDG locations for desktop entry
* binary ninja: optimize embedded PE scanning closes #2397
* add script for comparing the performance of analysis backends
capa has analysis backends for third party tools, like IDA, Binary Ninja, and Ghidra. It's possible to invoke capa to use these backends, but you typically have to be an expert to figure out how to do this.
We should investigate whether the standalone capa.exe can automatically detect installations of relevant third party applications and use their backends, when possible. For example, capa.exe could recognize that IDA is installed, figure out where the path is, and try to initialize idalib from that path. Of course, there are a lot of edge cases and possibilities, but I suspect a few common workflows might be achievable. For example, ensuring capa.exe in FLARE-VM uses the best available backend. Worst case, capa.exe continues to use the embedded vivisect backend.