colton: ghidra runtime detection & GhidraFeatureExtractor

2026-02-04 19:12:01 -08:00 · 2023-05-19 14:38:55 -07:00
parent ad611c2058
commit 14b0c5fdbf
5 changed files with 53 additions and 0 deletions
--- a/capa/features/extractors/ghidra/init.py
+++ b/capa/features/extractors/ghidra/init.py
--- a/capa/features/extractors/ghidra/extractor.py
+++ b/capa/features/extractors/ghidra/extractor.py
@@ -0,0 +1,14 @@
+import logging
+import contextlib
+from typing import Tuple, Iterator
+
+from capa.features.common import Feature
+from capa.features.address import Address, AbsoluteVirtualAddress
+from capa.features.extractors.base_extractor import FeatureExtractor
+import capa.features.extractors.ghidra.global_
+
+class GhidraFeatureExtractor(FeatureExtractor):
+    def __init__(self):
+        super().__init__()
+        self.global_features: List[Tuple[Feature, Address]] = []
+        self.global_features.extend(capa.features.extractors.ghidra.global_.extract_os())
--- a/capa/features/extractors/ghidra/file.py
+++ b/capa/features/extractors/ghidra/file.py
--- a/capa/features/extractors/ghidra/global_.py
+++ b/capa/features/extractors/ghidra/global_.py
--- a/capa/main.py
+++ b/capa/main.py
@@ -1311,6 +1311,31 @@ def ida_main():
    print(capa.render.default.render(meta, rules, capabilities))


+def ghidra_main():
+    import capa.rules
+    #import capa.render.default
+    #import capa.features.extractors.ghidra.extractor
+    import capa.features.extractors.ghidra.global_
+
+    logging.basicConfig(level=logging.INFO)
+    logging.getLogger().setLevel(logging.INFO)
+
+    logger.debug("-" * 80)
+    logger.debug(" Using default embedded rules.")
+    logger.debug(" ")
+    logger.debug(" You can see the current default rule set here:")
+    logger.debug("     https://github.com/mandiant/capa-rules")
+    logger.debug("-" * 80)
+
+    rules_path = os.path.join(get_default_root(), "rules")
+    logger.debug("rule path: %s", rules_path)
+    rules = get_rules([rules_path])
+    
+    globl_features: List[Tuple[Feature, Address]] = []
+    globl_features.extend(capa.features.extractors.ghidra.global_.extract_os())
+    print(globl_features)
+
+
 def is_runtime_ida():
    try:
        import idc
@@ -1320,8 +1345,22 @@ def is_runtime_ida():
        return True


+def is_runtime_ghidra():
+    try:
+        import ghidra.program.flatapi
+    except ImportError:
+        print("Not in Ghidra...")
+        return False
+    else:
+        return True
+
+
 if __name__ == "__main__":
    if is_runtime_ida():
        ida_main()
+    elif is_runtime_ghidra():
+        print("Calling Ghidra Main")
+        ghidra_main()
    else:
        sys.exit(main())
+