{"componentChunkName":"component---src-templates-post-template-js","path":"/ghidra-ghidrascript-tutorial-en","result":{"data":{"markdownRemark":{"id":"b882ba69-4754-5cbc-a243-b97515d075e7","html":"
\n

This page has been machine-translated from the original page.

\n
\n

The scripting feature available in the reverse engineering tool Ghidra is very powerful and quite nice, but when reading binaries in CTFs I had not really been making good use of it and ended up letting it go to waste.

\n

Since useful tools should be used proactively, this time I decided to actually use Ghidra Script through a CTF challenge.

\n

Ghidra Script is convenient, but there is fairly little beginner-friendly information, and if you cannot read the code or the reference, it can be hard to know what to do. I want this article to help bridge that gap.

\n

(If you are doing reverse engineering, maybe the answer is simply to read the code yourself…)

\n\n

Table of Contents

\n\n

\n

About Ghidra Scripting

\n

By using Ghidra Script, you can automate searches within a binary, add comments, run analysis routines, and more.

\n

Ghidra scripting runs through an interface called the Ghidra API, and it can be used from Java or Python.

\n

In Python, you can run scripts not only from the Script Manager, but also through the interpreter.

\n

However, the interpreter built into the Ghidra 10.2.3 that I am currently using is Jython-based and is not compatible with Python 3.

\n

There is also a third-party module called Ghidrathon that lets you work with Python 3 instead of the built-in Python interpreter, but unfortunately (at least as far as the interpreter goes) it is not very comfortable to use, so in this article I will use the standard interpreter.

\n

Note: For instructions on setting up Ghidrathon, see my earlier article Ghidra Environment Setup Notes for CTF.

\n

Still, so that the code will continue to work as-is even if I move to Python 3 in the future, I will write it as much as possible in a Python 3 style.

\n

\n

About the Ghidra API

\n

First, let us briefly organize the overall structure of the Ghidra API.

\n

The interface to a program analyzed in Ghidra appears to be provided by the Program API.

\n

Within Ghidra, this Program API is positioned as a lower-level layer, and access to the entire Program API is exposed through FlatProgramAPI.

\n

There is also something called GhidraScript that extends FlatProgramAPI.

\n

GhidraScript is provided as a subclass of FlatProgramAPI.

\n

Reference: Program

\n

Reference: FlatProgramAPI

\n

Reference: GhidraScript

\n

\n

Summary of Frequently Used Classes

\n

ghidra.program.flatapi.FlatProgramAPI

\n

As mentioned above, when using Ghidra Script from Python, FlatProgramAPI is the main interface.

\n

You can create an instance by passing as an argument the ghidra.program.database.ProgramDB object corresponding to the current program, which can be referenced from the interpreter as currentProgram.

\n

This class has a large number of methods. For example, there is the getFunctionContaining method, which takes a ghidra.program.model.address.GenericAddress object such as the one referenced by currentAddress and returns the function that contains that address.

\n

Other methods are also very useful, such as toAddr, which returns a GenericAddress object for an arbitrary offset.

\n
# 以下で取得できるオブジェクト\nfpapi = FlatProgramAPI(currentProgram)\n\n# currentAddress が含まれる関数の FunctionDB オブジェクトを返す\nfunc = fpapi.getFunctionContaining(currentAddress)\n\n# 指定のオフセットの GenericAddress オブジェクトを返す\naddr = fpapi.toAddr(0x10000)
\n

Reference: FlatProgramAPI

\n

ghidra.program.database.ProgramDB

\n

The Program object that you can obtain with currentProgram is this class.

\n

It is the top-level object in the Program API hierarchy.

\n

It includes objects such as ListingDB, which you can obtain with the getListing function.

\n
# 現在のプログラムの ListingDB オブジェクトを取得\nlisting = currentProgram.getListing()\n\n# すべての関数へのアクセスを提供する FunctionManagerDB オブジェクトを取得\nfunc_mgr = currentProgram.getFunctionManager()\n\n# プログラムのバイナリコンテンツを扱える MemoryMapDB オブジェクトを取得\nmem = currentProgram.getMemory()
\n

Reference: Program

\n

ghidra.program.database.function.FunctionDB

\n
# 様々な関数から取得できる\nfunc = fpapi.getFirstFunction() # 最初の関数を返す\nfunc = fpapi.getFunctionContaining(currentAddress)\n\n# 関数の先頭と末尾アドレスを持つ ghidra.program.model.address.AddressSet を返す\nfunc_body = func.getBody()\n\n# 先頭と末尾のアドレスの ghidra.program.model.address.GenericAddress オブジェクトを取得する\nstart = func.getEntryPoint()\nend = func.getBody().getMaxAddress()
\n

Reference: FunctionDB

\n

ghidra.program.database.ListingDB

\n

When you use ListingDB together with FunctionDB, you can obtain information including iterable disassembly results as an InstructionRecordIterator object.

\n
# 特定の関数の\nlisting = currentProgram.getListing()\nfunc_body = func.getBody()\n\n# 関数内の命令を順に列挙する(line_instruct は InstructionDB オブジェクト)\nfor line_instruct in listing.getInstructions(func_body, True):\n    print(line_instruct)\n    print(line_instruct.toString())\n    print(line_instruct.getMnemonicString())\n    print(line_instruct.getNumOperands())
\n

Reference: Listing

\n

ghidra.program.model.address.GenericAddress

\n

This class provides the Address interface.

\n

In Ghidra, all addresses are represented as offsets of up to 64 bits.

\n
# 指定のオフセットの GenericAddress オブジェクトを返す\naddr = fpapi.toAddr(0x10000)\n\n# GenericAddress からアドレスオフセットを long 型で取得\naddr_offset = addr.getOffset()\nhex(int(addr_offset))
\n

Reference: GenericAddress

\n

ghidra.program.model.address.AddressSet

\n

AddressSet is an object composed of one or more address ranges, and it can also represent cases where a function’s code is allocated across multiple non-contiguous memory ranges.

\n
# 関数の先頭と末尾アドレスを持つ ghidra.program.model.address.AddressSet を返す\nfunc_body = func.getBody()\n\n# AddressSet 内のアドレスは  AddressIterator オブジェクトで探索できる\nfor line_addr in func_body.getAddresses(True):\n    print(line_addr)\n\n# 逆順で列挙\nfor line_addr in func_body.getAddresses(False):\n    print(line_addr)\n\n\n# 指定の範囲で任意の AddressSet を取得する\nfrom ghidra.program.model.address import Address, AddressSet\nfactory = currentProgram.getAddressFactory()\n\n# 空の AddressSet を作成\naddr_set = AddressSet()\nstart = factory.getAddress(\"0x1000\")\nend = start.add(0x1000);\n\n# 指定の範囲の AddressSet を取得する\naddr_set.add(start, end)
\n

Reference: AddressSet

\n

Hurry up! Wait!(Rev)

\n
\n

svchost.exe

\n
\n

Now that we have covered the minimum basics of Ghidra Script, let us solve an actual CTF challenge.

\n

This time I solved a picoCTF challenge called Hurry up! Wait!.

\n

First, I was given a file named svchost.exe, but its format was just a normal ELF.

\n

I tried running it locally for now, but it failed with the error error while loading shared libraries: libgnat-7.so.1.

\n

So instead, I decided to try static analysis first.

\n

After identifying the main function and following the processing flow, I reached a point where an extremely large number of functions were being called, as shown below.

\n

\n \n \n \n \n \n \n \n \n

\n

It turns out that this function prints the flag one character at a time—p, i, c, o, …—from top to bottom.

\n

\n \n