GSoC 2024 - Ghidra P-code Support

[Rohit1123]

Hello @mike-hunhoff @williballenthin @mr-tz and everyone, I am willing to take up the project 'capa: Ghidra P-code Support' for my participation in GSoC 2024. I have a decent understanding of capa code base - merged a PR https://github.com/mandiant/capa/pull/1990 and been researching on capa-ghidra integration and how pcode is used in ghidra.

As per my understanding, ghidra disassembles the binaries, translates assembly instructions into pcode, and further into C code using SLEIGH. capa finds capabilities in binaries by matching capa rules with disassembled code. Now for enabling capa to process all of Ghidra’s supported architectures in an architecture-independent manner, which of the following is better:

• Update capa rules to support analysis of generated pcode for binary of any architecture
• Translate disassembled code of unsupported architectures into the architecture capa currently supports using SLEIGH specifications

I'm a bit confused about the goal of the project. If you could suggest something to better understand, it would be helpful to me to identify additions and changes to be made to ghidra backend of capa.

Thanks for your time

[mr-tz]

@mike-hunhoff should be able to provide more insight here

[mike-hunhoff]

Thanks for reaching out and your PR @Rohit1123 . It looks like you already have a good understanding of how P-code is generated and used during Ghidra’s analysis.

capa can be extended to support new analysis backends. An analysis backend is responsible for extracting program features such as strings, disassembly, and control flow used to detect capabilities. Extending capa to support P-code involves changing its existing Ghidra backend to extract program features from P-code instead of the machine code. There are two flavors of P-code, low (direct machine code to P-code translation, less readable) and high (P-code transformed during decompilation, more readable), that can be accessed using Ghidra’s scripting API. Part of the research component for this project involves determining which of these P-code flavors can be reliably used to extract the program features needed by capa. For example, an instruction’s low P-code can be access using Ghidra’s Instruction.getPcode API. The existing Ghidra backend’s logic for iterating functions, basic blocks, and instructions should be able to be reused. Our goal for adding P-code support is architecture-independent analysis so be sure to highlight any issues you see with this in your proposal e.g. program features extracted by capa that are architecture dependent.