NationalSecurityAgency / ghidra

Ghidra is a software reverse engineering (SRE) framework
https://www.nsa.gov/ghidra
Apache License 2.0

BSIM results decompile #6230

Open justin-in-time opened 7 months ago

justin-in-time commented 7 months ago

I'm currently exploring the BSIM feature across multiple binaries for similarity for a project. I have everything with BSIM working and now want to explore the headless side of things as well as BSIM scripting. I have previous scripts that would pull the function decompile from the current running program. However, within the QueryFunction.py script it's unclear how to do the same thing for all the compared functions in the BSIM database. I'm looking to have the same decompile returned that can be done with the compareFunctions feature in the BSIM pull-down menu.

How do I reference the following for BSIM ->

```python
# decompile one function of the currently open program (Jython script)
decomp = ghidra.app.decompiler.DecompInterface()
decomp.openProgram(currentProgram)
decomp_res = decomp.decompileFunction(function, TIMEOUT, monitor)
```

When given the results from a query using data from fdesc.getAddress() https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/BSim/ghidra_scripts/QueryFunction.py#L59

Thanks

ghidracadabra commented 7 months ago

If I understand correctly, given a BSim match you would like to be able to decompile the matching function.

The BSim server only stores BSim feature vectors and certain metadata about functions and executables. If you want to decompile a matching function, you need to open the program containing the match.

You can get a ghidra URL string from the ExecutableRecord associated with a match via the getURLString method. You can use that string to create a URL object, use the url to create a ProgramLocator, and then finally pass the locator to a ProgramOpener. For headless use you'll want to use the setSilent method on ProgramOpener. Once you've opened a program you can turn the long address of the matching function from the FunctionDescription into an actual Ghidra Address via program.getAddressFactory().getDefaultAddressSpace().getAddress(). Once you have the address you can get the function from the program's FunctionManager. That should (finally) be enough to use the decompiler.

Depending on your setup, there might be some snags involving headless authentication to different Ghidra servers.

Depending on your workflow, there might be easier but less elegant solutions. For example, you might be able to do one run of the headless analyzer to perform your BSim queries, save the URLs and addresses of the functions you care about to a file, and then do another headless analyzer run (possibly pointed at a different repository) to do the decompilation.

Let us know if you encounter any issues.
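Putting the steps from the answer above into one helper, as an added example that is not from the issue or the Ghidra code base: the class name is mine, and it assumes the calling script passes itself as the consumer plus its TaskMonitor, and that the FunctionDescription comes from a BSim query loop like the one in QueryFunction.

```java
import java.net.URL;
import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileResults;
import ghidra.app.plugin.core.progmgr.ProgramLocator;
import ghidra.app.plugin.core.progmgr.ProgramOpener;
import ghidra.features.bsim.query.description.FunctionDescription;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.Program;
import ghidra.util.task.TaskMonitor;

/** Opens the program behind a BSim match and returns the match's decompiled C, or null. */
public class BSimMatchDecompiler {
    private final Object consumer;   // owner of the opened program, e.g. the running GhidraScript
    private final TaskMonitor monitor;

    public BSimMatchDecompiler(Object consumer, TaskMonitor monitor) {
        this.consumer = consumer;
        this.monitor = monitor;
    }

    public String decompile(FunctionDescription match, int timeoutSecs) throws Exception {
        // 1. ExecutableRecord -> ghidra:// URL -> ProgramLocator -> ProgramOpener (silent: no prompts headless)
        URL url = new URL(match.getExecutableRecord().getURLString());
        ProgramOpener opener = new ProgramOpener(consumer);
        opener.setSilent();
        Program program = opener.openProgram(new ProgramLocator(url), monitor);
        if (program == null) return null;   // unreachable server, missing file or failed authentication
        try {
            // 2. The long offset stored by BSim becomes an Address in the program's default space.
            Address addr = program.getAddressFactory().getDefaultAddressSpace()
                    .getAddress(match.getAddress());
            Function func = program.getFunctionManager().getFunctionAt(addr);
            if (func == null) return null;  // program changed since it was ingested into BSim
            // 3. Same decompiler call as in the question, now against the matched program.
            DecompInterface decomp = new DecompInterface();
            try {
                if (!decomp.openProgram(program)) return null;
                DecompileResults res = decomp.decompileFunction(func, timeoutSecs, monitor);
                return res.decompileCompleted() ? res.getDecompiledFunction().getC() : null;
            } finally {
                decomp.dispose();
            }
        } finally {
            program.release(consumer);  // release with the same consumer that opened it
        }
    }
}
```

A second run against a different repository, as the answer suggests, would only need the URL string and the long address per function, so the pair can be written out by the query pass and fed back into this helper later.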