qilingframework / qiling

A True Instrumentable Binary Emulation Framework
https://qiling.io
GNU General Public License v2.0

Ghidra headless analyzer not finding qiling #1457

Closed Ramaaaaaa1 closed 7 months ago

Ramaaaaaa1 commented 7 months ago

I am trying to run the Ghidra headless analyzer using the below command. Despite Qiling being installed in my Windows 10 system, it is throwing an error: `ImportError: No module named qiling`. Surprisingly, it is working fine with the normal python3 cmd, and Qiling is the latest version.

"C:\Users\hacke\Downloads\Malware Analysis Tools\ghidra_11.0.1_PUBLIC_20240130\ghidra_11.0.1_PUBLIC\support\analyzeHeadless.bat" "C:\Users\hacke" "Binary Analysis1" -process elf_xordd -noanalysis -postScript xorddos_decrypt_config.py

Could you please help me to fix this issue?

iMoD1998 commented 7 months ago

Ghidra doesn't use your host's python unless you have a plugin. Ghidra has its own separate python interpreter, usually called Jython, which is based on python 2 so they can export their Java APIs to python.

Ramaaaaaa1 commented 7 months ago

Thank you for your response. I found another alternative that is working perfectly fine. Addressing my own questions to help others who might run into the same problem. As @iMoD1998 mentioned, we cannot use host python without a plugin.

  1. Download Ghidrathon from: https://github.com/mandiant/Ghidrathon/releases
  2. Install Java
  3. Install numpy
  4. Install Visual C++ Build Tools: https://visualstudio.microsoft.com/visual-cpp-build-tools
  5. Extract the Ghidrathon downloaded zip file and run the following commands from the extracted directory
    • python -m pip install -r requirements.txt
    • python ghidrathon_configure.py
  6. In the extracted folder, you will find another ZIP file. Extract this ZIP file, open the "extension.properties" file, and check whether the mentioned version matches your Ghidra version. If your Ghidra version is 11.0.1 and your Ghidrathon version is 11.0, you can change that value from 11.0 to 11.0.1. After making these modifications, compress this file and load it into Ghidra as an extension.
  7. After performing all these steps, we are good to run the Ghidra headless analyzer with host Python.
    • Load the binary into Ghidra GUI, analyze it, and save it.
    • Close the Ghidra GUI
    • Open the cmd and run the following command:

      "<path_to_Ghidra_Headless_Analyzer_Bat_file>" "" -process -noanalysis -postScript

    To understand the Ghidra headless analyzer commands, refer to https://github.com/galoget/ghidra-headless-scripts
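The root cause in this thread is that a `-postScript` runs inside whichever interpreter Ghidra hands it (bundled Jython 2 by default, host CPython 3 under Ghidrathon). The following diagnostic post-script is an added example, not code from the issue or from the Qiling project; the file name `check_qiling_env.py` is hypothetical. Run it as the `-postScript` in place of the failing script and it reports which interpreter executed it and whether `qiling` is importable from there, so the interpreter mismatch is visible instead of a bare ImportError.

```python
"""check_qiling_env.py (hypothetical name): Ghidra post-script that explains
why `import qiling` succeeds or fails in the interpreter Ghidra is using.
Written to run on both Python 2 (Jython) and Python 3 (Ghidrathon / plain python).
"""
import importlib
import platform
import sys


def interpreter_info():
    """Describe the interpreter this script is executing under."""
    return {
        "implementation": platform.python_implementation(),  # 'Jython' or 'CPython'
        "version": "%d.%d" % (sys.version_info[0], sys.version_info[1]),
        "executable": getattr(sys, "executable", None),      # None under Jython
    }


def module_status(name):
    """Return (importable, location_or_error) without raising."""
    try:
        mod = importlib.import_module(name)
    except ImportError as exc:  # Jython raises plain ImportError, as in the report
        return (False, str(exc))
    return (True, getattr(mod, "__file__", "<builtin>"))


def diagnose(module_name="qiling"):
    """Return (interpreter_info, importable, human-readable verdict)."""
    info = interpreter_info()
    ok, detail = module_status(module_name)
    if ok:
        verdict = "%s importable from %s" % (module_name, detail)
    elif info["implementation"] == "Jython":
        verdict = ("%s missing: running under Ghidra's bundled Jython (Python %s), "
                   "where host-installed packages are invisible; a host-Python bridge "
                   "such as Ghidrathon is required" % (module_name, info["version"]))
    else:
        verdict = "%s missing in this interpreter: %s" % (module_name, detail)
    return info, ok, verdict


# Ghidra executes a post-script's top-level code, so report unconditionally.
_info, _ok, _verdict = diagnose()
print("interpreter: %(implementation)s %(version)s at %(executable)s" % _info)
print("verdict: " + _verdict)
```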