Ghidra: Capa Explorer UI Integration #1786
Conversation
There was a problem hiding this comment.
Wow, this looks amazing! Thanks, I've noted a few things on a glance. I hope Mike and others can give this a more thorough look and test it on a few samples.
Would you mind adding a (short) README analogous to https://github.com/mandiant/capa/blob/master/capa/ida/plugin/README.md?
There was a problem hiding this comment.
Great work @colton-gabertan - this is looking great! I've left comments and questions for your review. I also mirror @mr-tz 's request to add a README. Please re-request my review when you have finished 🚀
|
Also, @colton-gabertan it looks like the submodules have fallen out of sync. Please re-sync when you get a chance. |
There was a problem hiding this comment.
Good work @colton-gabertan ! I've left additional comments for your review. Please re-request my review when you've finished and let me know if you have any questions along the way.
There was a problem hiding this comment.
@colton-gabertan nice work - I've left another round of changes. Please re-request my review when you've addressed them 🚀
There was a problem hiding this comment.
These latest changes are awesome @colton-gabertan ! The capa results are much easier to identify and follow now. The only item left before we get this merged is updating the Ghidra README to include a small section that explains how to use and interpreter the results of this script. Once that's done we'll get this merged 🚀 🚀
Co-authored-by: Mike Hunhoff <[email protected]>
There was a problem hiding this comment.
Great work @colton-gabertan ! I've left suggestions for your review. Please address these suggestions and resolve the merge conflict. Re-request my review when you're done and we'll get this merged 🚀 (I'll handle the CLA issue when it's time to merge).
Co-authored-by: Mike Hunhoff <[email protected]>
Co-authored-by: Mike Hunhoff <[email protected]>
Co-authored-by: Mike Hunhoff <[email protected]>
Co-authored-by: Mike Hunhoff <[email protected]>
Co-authored-by: Mike Hunhoff <[email protected]>
Co-authored-by: Mike Hunhoff <[email protected]>
Co-authored-by: Mike Hunhoff <[email protected]>
Co-authored-by: Mike Hunhoff <[email protected]>
Co-authored-by: Mike Hunhoff <[email protected]>
Co-authored-by: Mike Hunhoff <[email protected]>
Co-authored-by: Mike Hunhoff <[email protected]>
Co-authored-by: Mike Hunhoff <[email protected]>
|
Great work, Colton and Mike! Thank you! |
Checklist
Capa Explorer: Ghidra Backend
This PR revives the project from #1734 to implement capa results with the Ghidra UI.
Description
The UI integration will parse the json output from capa's analysis and create namespaces, labels, function tags, and bookmarks within the Ghidra UI. Namespaces tightly correlate with the way that the capa rules are defined, and the linked labels for each namespace represents the feature/ description pulled from the matched rule. Function tags hold each matched capability within its scope.
Furthermore, depending on how the rule is written, information such as parameters and their corresponding names are displayed. For example:
Mitre ATT&CK Framework mappings exist only in the bookmarks created, and are only labelled at the function scope, since they are broad and encompass many tactics/techniques.