mandiant/Ghidrathon

Headless Ghidrathon extension installation

colton-gabertan opened this issue · 10 comments

colton-gabertan commented

After building the extension, Ghidra's documentation tells us to unzip it in the $GHIDRA_INSTALL_DIR/Extensions diretory; however, putting it in this directory only gives it visibility to perform the actual installation via the gui. To avoid having to configure the extension in the gui, we must extract the zip to ~/.ghidra/.ghidra_<version>/Extensions

note: The Extensions folder will not be present in the hidden directories (.ghidra*), so we must manually create it before/ during the extraction process

Invocation of the headlessAnalyzer should now be using Ghidrathon to process python scripts instead of the default Jython plugin.

williballenthin commented

perhaps we should discuss this with upstream Ghidra devs to hear their input. the above sounds like it should work and probably won't often be broken; therefore, can we rely on it? can it be documented as part of Ghidra's behavior?

i dont think its really bad if its not documented yet still works - its just something we need to remember and document internally, in case things break later on.

rchtsang commented

I've found extracting to $GHIDRA_INSTALL_DIR/Ghidra/Extensions also works.

mike-hunhoff commented

I've found extracting to $GHIDRA_INSTALL_DIR/Ghidra/Extensions also works.

@rchtsang did you find that you could use Ghidrathon in Ghidra headless mode w/out first configuring the extension via Ghidra's UI?

  • 👍1
rchtsang commented

I'm not quite sure. I went through the full installation process once a while back, and after upgrading to Ghidra 10.3 tried to do it again. I did open the GUI after that, but found that I didn't need to set anything else up. I can try this again and see if headless mode works without opening the GUI though.

UPDATE: It does appear to be the case. I uninstalled (and removed the .ghidra folder) and reinstalled Ghidra (via brew, i'm on Mac M1) and extracted the ghidrathon zip archive to the GHIDRA_INSTALL_DIR/Ghidra/Extensions directory and ran a headless script and it appears to work as expected.

  • 👍1
Ruturaj4 commented

I've found extracting to $GHIDRA_INSTALL_DIR/Ghidra/Extensions also works.

@rchtsang did you find that you could use Ghidrathon in Ghidra headless mode w/out first configuring the extension via Ghidra's UI?

Also, in that case, what about disabling the jython support, should that work fine? I don't have an access to the GUI at all.

rchtsang commented
Ruturaj4 commented

Btw, I just tested that with my script and it works fine! Thanks for the great project! @rchtsang @williballenthin @mike-hunhoff @colton-gabertan

larchchen commented

I've found extracting to $GHIDRA_INSTALL_DIR/Ghidra/Extensions also works.

Apparently the difference between $GHIDRA_INSTALL_DIR/Extensions and $GHIDRA_INSTALL_DIR/Ghidra/Extensions matters here. The official document refers to the later on.

The <GhidraInstallDir>/Extensions are "by default uninstalled" according to the same manual a few lines above.

mike-hunhoff commented

Thanks all - I've update Ghidrathon's README to specify unzip to $GHIDRA_INSTALL_DIR/Ghidra/Extensions as the preferred method for installing Ghidrathon w/out using Ghidra's UI.