qilingframework / qiling

A True Instrumentable Binary Emulation Framework

Home Page: https://qiling.io

Ghidra headless analyzer not finding qiling

Ramaaaaaa1 opened this issue · comments

I am trying to run the Ghidra headless analyzer using the command below. Despite Qiling being installed on my Windows 10 system, it throws an error: ImportError: No module named qiling. Surprisingly, it works fine from the normal python3 command line, and Qiling is the latest version.

"C:\Users\hacke\Downloads\Malware Analysis Tools\ghidra_11.0.1_PUBLIC_20240130\ghidra_11.0.1_PUBLIC\support\analyzeHeadless.bat" "C:\Users\hacke" "Binary Analysis1" -process elf_xordd -noanalysis -postScript xorddos_decrypt_config.py

Could you please help me fix this issue?

commented

Ghidra doesn't use your host's Python unless you have a plugin. Ghidra has its own separate Python interpreter, usually called Jython, which is based on Python 2, so they can export their Java APIs to Python.

Thank you for your response. I found another alternative that is working perfectly fine. Addressing my own questions to help others who might run into the same problem. As @iMoD1998 mentioned, we cannot use host python without a plugin.

  1. Download Ghidrathon from: https://github.com/mandiant/Ghidrathon/releases
  2. Install Java
  3. Install numpy
  4. Install Visual C++ Build Tools: https://visualstudio.microsoft.com/visual-cpp-build-tools
  5. Extract the downloaded Ghidrathon zip file and run the following commands from the extracted directory:
     • python -m pip install -r requirements.txt
     • python ghidrathon_configure.py <absolute_path_to_ghidra_install_dir>
  6. In the extracted folder, you will find another ZIP file. Extract this ZIP file, open the "extension.properties" file, and check whether the mentioned version matches your Ghidra version. If your Ghidra version is 11.0.1 and your Ghidrathon version is 11.0, you can change that value from 11.0 to 11.0.1. After making these modifications, compress this file and load it into Ghidra as an extension.
  7. After performing all these steps, we are good to run the Ghidra headless analyzer with host Python:
     • Load the binary into the Ghidra GUI, analyze it, and save it.
     • Close the Ghidra GUI.
     • Open cmd and run the following command:

"<path_to_Ghidra_Headless_Analyzer_Bat_file>" "<project_location>" <project_name> -process <binary_name_saved_after_analyzing> -noanalysis -postScript <Python_script_path>

To understand the Ghidra headless analyzer commands, refer to https://github.com/galoget/ghidra-headless-scripts
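The root cause in this thread is that a -postScript may be executed by Ghidra's bundled Jython rather than the host CPython where Qiling lives. The following diagnostic post-script is an added example (not from the issue author, the Qiling project or Ghidrathon); it is written in syntax that runs under both Python 2 (Jython) and Python 3, so you can pass it as -postScript before your real script to see which interpreter is active and whether a given module (qiling by default) is importable from it. The module name and the single-print layout are my own choices; the script uses only the standard library.

```python
"""check_interpreter.py - added diagnostic post-script for Ghidra's headless analyzer.

Usage (assumed; mirrors the command in the thread):
  analyzeHeadless.bat <project_dir> <project_name> -process <binary> -noanalysis -postScript check_interpreter.py

Written to be valid under both Jython 2.7 and CPython 3 so it reports correctly
no matter which interpreter Ghidra hands it to.
"""
import importlib
import platform
import sys


def interpreter_report(module_name="qiling"):
    """Describe the running interpreter and whether `module_name` imports from it."""
    try:
        importlib.import_module(module_name)
        importable, error = True, None
    except ImportError as exc:
        importable, error = False, str(exc)
    return {
        # 'Jython' under Ghidra's built-in interpreter, 'CPython' under a Ghidrathon bridge
        "implementation": platform.python_implementation(),
        "version": sys.version.split()[0],
        # Jython may report None here; CPython gives the python.exe path that owns site-packages
        "executable": getattr(sys, "executable", None),
        "module": module_name,
        "importable": importable,
        "error": error,
    }


def diagnose(report):
    """Turn a report dict into a one-line explanation of what to do next."""
    if report["implementation"] == "Jython":
        return ("Script is running under Ghidra's bundled Jython (Python 2); host packages "
                "such as %s are not visible here. Use a CPython bridge such as Ghidrathon "
                "and re-run." % report["module"])
    if not report["importable"]:
        return ("Running under %s %s but '%s' is not importable (%s): install it into the "
                "interpreter at %s, the one Ghidra is actually using." % (
                    report["implementation"], report["version"], report["module"],
                    report["error"], report["executable"]))
    return "OK: %s %s can import %s." % (
        report["implementation"], report["version"], report["module"])


# Executed at top level so it also runs when Ghidra exec()s the file as a post-script.
print(diagnose(interpreter_report()))
```

If the first line of the headless log says the script is running under Jython, the Ghidrathon steps above apply; if it says CPython but the module is missing, the fix is simply installing Qiling into the interpreter path printed in the message.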