According to Ghidra's installation guide, Ghidra supports extension development and calling its API:
Users can extend the functionality of Ghidra through the development of custom Ghidra scripts, plugins, analyzers, etc.
Ghidra supports development in Eclipse by providing a custom Eclipse plugin called GhidraDev, which can be found in the <GhidraInstallDir>/Extensions/Eclipse directory. For more information on installing and using the GhidraDev Eclipse plugin, see <GhidraInstallDir>/Extensions/Eclipse/GhidraDev/GhidraDev_README.html.
That is already fairly detailed. Open GhidraDev_README.html and you can see the concrete installation steps:
Help → Install New Software → Add → Archive → pick the GhidraDev zip from <GhidraInstallDir>/Extensions/Eclipse/GhidraDev/ → Add → tick the box in front of "Ghidra" → Next → Next → Accept → Finish → Install Anyway → Restart Now → and then the GhidraDev tab appears. (Honestly, Eclipse's install process is this tedious; don't you find it awful?)
Next we can create a project: GhidraDev → New → Ghidra Script Project (if any configuration is needed, just point it at the Ghidra install location and so on; this can also be set via Preferences → Ghidra Installations).
After that we can call the Ghidra API from Java code; we will cover that separately when we get the chance. One thing to stress here is that once the Java code is written, you still need to configure its run parameters:
There are two ways to create Ghidra run configurations:
- Click Run → Run Configurations...
  - Right-click on Ghidra (or Ghidra Headless), and click New
  - In the Main tab, click Browse... and select the Ghidra project to launch
  - Optionally rename the new run configuration by editing the Name field at the top
- Alternatively, you can right-click on any Ghidra project in the Eclipse package explorer, and then click Run As → Ghidra.
To debug Ghidra, click Debug As → Ghidra. GhidraDev will automatically switch Eclipse to the debug perspective.
This is explained clearly enough too. But it does not say what the arguments should actually be. Heh. I have to admit Ghidra's documentation is already quite thoughtful, yet there are still places that are hard to follow. In fact, running from Eclipse is the same as using Headless Mode directly; Eclipse just adds convenient editing and debugging. As it says here:
For more information, see the <GhidraInstallDir>/support/analyzeHeadlessREADME.html file.
Open that README file and you will see it explains:
The Headless Analyzer can be useful when performing repetitive tasks on a project (i.e., importing and analyzing a directory of files or running a script over all the binaries in a project).
That sentence really strikes a chord with me; those who know will know.
Further down, the README gives the exact command-line format:
analyzeHeadless <project_location> <project_name>[/<folder_path>]
    | ghidra://<server>[:<port>]/<repository_name>[/<folder_path>]
    [[-import [<directory>|<file>]+] | [-process [<project_file>]]]
    [-preScript <ScriptName> [<arg>]*]
    [-postScript <ScriptName> [<arg>]*]
    [-scriptPath "<path1>[;<path2>...]"]
    [-propertiesPath "<path1>[;<path2>...]"]
    [-scriptlog <path to script log file>]
    [-log <path to log file>]
    [-overwrite]
    [-recursive]
    [-readOnly]
    [-deleteProject]
    [-noanalysis]
    [-processor <languageID>]
    [-cspec <compilerSpecID>]
    [-analysisTimeoutPerFile <timeout in seconds>]
    [-keystore <KeystorePath>]
    [-connect [<userID>]]
    [-p]
    [-commit ["<comment>"]]
    [-okToDelete]
    [-max-cpu <max cpu cores to use>]
    [-loader <desired loader name>]
Honestly, this synopsis on its own is about as helpful as saying nothing. Fortunately the HTML file also gives some examples:
Headless Analyzer Examples
Import a binary /binaries/binary1.exe to a local Ghidra Project named Project1. Analysis is on by default.
analyzeHeadless /Users/user/ghidra/projects Project1 -import /binaries/binary1.exe
Import all *.exe binaries from a local folder to a local Ghidra project named Project1, suppressing analysis.
analyzeHeadless /Users/user/ghidra/projects Project1 -import /Users/user/sourceFiles/*.exe -noanalysis
Import the binary /usr/local/binaries/binaryA.exe to a subfolder of a local Ghidra Project, running a prescript, but suppressing analysis.
analyzeHeadless /Users/user/ghidra/projects Project1/folderOne -scriptPath /usr/scripts -preScript RunThisScriptFirst.java -import /usr/local/binaries/binaryA.exe -noanalysis
To be fair, these examples are genuinely useful. When running from Eclipse, the only difference is that there is no leading "analyzeHeadless"; the arguments start directly with the project directory.
That is all for this summary for now.
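To show what a script run through -preScript/-postScript actually looks like, and how the headless arguments above carry over into a GhidraDev run configuration, here is an added example. It is not part of Ghidra or its README; the script name ListFunctionCallers, the log path /tmp/callers.log and the "str" filter argument are my own choices (the /usr/scripts script path is reused from the README examples). The script reports, for every function whose name contains the first script argument, how many distinct functions call it, which is a quick triage view of where a given API family is used in a binary.

```java
// ListFunctionCallers.java  (constructed example, not part of the Ghidra distribution)
// For every function whose name contains the substring given as the first script
// argument (all functions if no argument is given), report how many distinct
// functions call it. Output goes to the console and, in headless mode, to the
// file named by -scriptlog.
//
// Headless invocation (run as a postScript so analysis has already created the
// call references):
//   analyzeHeadless /Users/user/ghidra/projects Project1 \
//       -import /binaries/binary1.exe \
//       -scriptPath /usr/scripts \
//       -postScript ListFunctionCallers.java str \
//       -scriptlog /tmp/callers.log
// In a GhidraDev "Ghidra Headless" run configuration, everything after the word
// "analyzeHeadless" goes into the Program arguments field of the Arguments tab.
//@category Examples

import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionManager;

public class ListFunctionCallers extends GhidraScript {

    @Override
    public void run() throws Exception {
        if (currentProgram == null) {
            printerr("No program is open; run this script after an -import or -process.");
            return;
        }

        // Headless runs pass script arguments as a String[]; in the GUI there are
        // none, so fall back to asking the user interactively.
        String[] args = getScriptArgs();
        String filter;
        if (args.length > 0) {
            filter = args[0];
        } else if (isRunningHeadless()) {
            filter = "";
        } else {
            filter = askString("Function name filter", "Substring to match (empty = all)");
        }

        FunctionManager fm = currentProgram.getFunctionManager();
        // TreeMap keeps the report sorted by name; the entry point makes keys unique
        // when two functions share a name.
        Map<String, Integer> report = new TreeMap<>();
        int matched = 0;

        // getFunctions(true) iterates over all functions in ascending address order.
        for (Function f : fm.getFunctions(true)) {
            if (monitor.isCancelled()) {
                break;
            }
            if (!f.getName().contains(filter)) {
                continue;
            }
            matched++;
            // Distinct functions containing a call reference to f.
            Set<Function> callers = f.getCallingFunctions(monitor);
            report.put(f.getName() + " @ " + f.getEntryPoint(), callers.size());
        }

        printf("%s: %d of %d functions match \"%s\"%n",
            currentProgram.getName(), matched, fm.getFunctionCount(), filter);
        for (Map.Entry<String, Integer> e : report.entrySet()) {
            printf("  %-48s callers=%d%n", e.getKey(), e.getValue());
        }
    }
}
```

Place the file in the directory given to -scriptPath (or in the GhidraDev script project, which is already on the script path). Running it as a -preScript instead would execute before auto-analysis, so call references would not exist yet and every caller count would be zero; that ordering is the practical difference between the two options.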