capa/capa/ghidra/plugin/README.md
Mike Hunhoff 66dc70a775 ghidra: support PyGhidra (#2788)
* ghidra: init commit switch to PyGhidra

* update CHANGELOG and PyGhidra version requirements

* Update capa/features/extractors/ghidra/helpers.py

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* fix black errors

* support Ghidra v12

* remove deprecated APIs

* refactor outdated code

* fix pyinstaller, code refactoring

* address PR feedback

* add back capa_explorer.py

* beef up capa_explorer.py script

* refactor README

* refactor README

* fix #2747

* add sha256 check for workflows

* add sha256 check for workflows

* add sha256 check for workflows

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2025-12-18 17:55:49 -07:00


# capa explorer for Ghidra

capa explorer for Ghidra brings capa's detection capabilities directly to Ghidra's user interface, helping speed up your reverse engineering tasks by identifying which parts of a program suggest interesting behavior, such as setting a registry value. You can execute the script capa_explorer.py (via PyGhidra) from Ghidra's Script Manager window to run capa's analysis and view the results in Ghidra.

## ui integration

capa_explorer.py renders capa results in Ghidra's UI to help you quickly navigate them. This includes adding matched functions to Ghidra's Symbol Tree and Bookmarks windows, and adding comments to functions that indicate matched capabilities and features. You can execute this script using Ghidra's Script Manager window.

### symbol tree window

Matched functions are added to Ghidra's Symbol Tree window under a custom namespace that maps to the capabilities' capa namespace.

### comments

Comments are added at the beginning of matched functions indicating the matched capabilities, and inline comments are added within functions indicating the matched features. You can view these comments in Ghidra's Disassembly Listing and Decompile windows.

### bookmarks

Bookmarks are added to functions that matched a capability that is mapped to a MITRE ATT&CK and/or Malware Behavior Catalog (MBC) technique. You can view these bookmarks in Ghidra's Bookmarks window.
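As an added illustration (not the project's own capa_explorer.py), the script below shows how the three annotations described above can be planned from a capa result and applied through Ghidra's flat API under PyGhidra. The result layout and the ATT&CK/MBC ids are constructed sample values, the Symbol Tree namespace is taken from the first matched rule's capa namespace, and the Ghidra calls (`currentProgram`, `getFunctionAt`, `toAddr`, `createBookmark`) are assumed to be available as script globals inside Ghidra.

```python
from dataclasses import dataclass, field
# Constructed, simplified result (not capa's real JSON layout); ATT&CK/MBC ids are sample values.
SAMPLE_CAPA_DOC = {"rules": {
    "create TCP socket": {"meta": {"namespace": "communication/socket/tcp", "attack": [{"id": "T1095"}], "mbc": []},
                          "matches": ["0x401000", "0x401200"]},
    "set registry value": {"meta": {"namespace": "host-interaction/registry", "attack": [], "mbc": [{"id": "E1112"}]},
                           "matches": ["0x401000"]},
    "contain loop": {"meta": {"namespace": "", "attack": [], "mbc": []}, "matches": ["0x401200"]},
}}

@dataclass
class Annotation:
    address: int
    namespace: list                                   # Symbol Tree path, e.g. ["capa", "communication", ...]
    capabilities: list = field(default_factory=list)  # one plate-comment line per matched capability
    bookmarks: list = field(default_factory=list)     # (category, note) pairs

def plan_annotations(doc):
    """Group matches per function address; bookmarks only for rules mapped to ATT&CK and/or MBC."""
    plans = {}
    for rule_name, rule in doc["rules"].items():
        meta = rule["meta"]
        path = ["capa"] + [p for p in meta.get("namespace", "").split("/") if p]  # "a/b" -> capa::a::b
        for addr_text in rule["matches"]:
            plan = plans.setdefault(addr := int(addr_text, 16), Annotation(addr, path))
            plan.capabilities.append(rule_name)
            for entry in meta.get("attack", []):
                plan.bookmarks.append(("capa ATT&CK", f"{entry['id']}: {rule_name}"))
            for entry in meta.get("mbc", []):
                plan.bookmarks.append(("capa MBC", f"{entry['id']}: {rule_name}"))
    return plans

def plate_comment(plan):
    """Comment text placed at the beginning of the matched function."""
    return "\n".join(f"capa: {name}" for name in plan.capabilities)

def apply_in_ghidra(plans):
    """Run inside Ghidra (PyGhidra); uses the script globals currentProgram, getFunctionAt, toAddr, createBookmark."""
    from ghidra.program.model.symbol import SourceType
    for plan in plans.values():
        func = getFunctionAt(toAddr(plan.address))
        if func is None:  # address is not inside a defined function: skip it
            continue
        ns = currentProgram.getGlobalNamespace()
        for part in plan.namespace:
            ns = currentProgram.getSymbolTable().getOrCreateNameSpace(ns, part, SourceType.USER_DEFINED)
        func.setParentNamespace(ns)
        func.setComment(plate_comment(plan))
        for category, note in plan.bookmarks:
            createBookmark(func.getEntryPoint(), category, note)
```

`plan_annotations` and `plate_comment` run anywhere; only `apply_in_ghidra` needs to be called from a script executed through Ghidra's Script Manager.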

## getting started

### requirements

- Ghidra >= 12.0 must be installed.
- flare-capa >= 10.0 must be installed (virtual environment recommended) with the ghidra extra (e.g., `pip install "flare-capa[ghidra]"`).
- capa rules must be downloaded for the version of capa you are using.

### execution

#### 1. run Ghidra with PyGhidra

You must start Ghidra using the pyghidraRun script provided in the support directory of your Ghidra installation so that the Python environment is loaded correctly. You should execute pyghidraRun from within the Python environment in which you installed capa.

```
<ghidra_install>/support/pyghidraRun
```

#### 2. run capa_explorer.py

  1. Open your Ghidra project and CodeBrowser.
  2. Open the Script Manager.
  3. Add capa_explorer.py to the script directories.
  4. Filter for capa and run the script.
  5. When prompted, select the directory containing the downloaded capa rules.