• Stars
    star
    480
  • Rank 91,562 (Top 2 %)
  • Language
    C++
  • License
    Apache License 2.0
  • Created about 3 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Yet Another Ghidra Integration for IDA

Yagi

Yet Another Ghidra Integration for IDA

Overview

Yagi intends to include the wonderful Ghidra decompiler into both IDA pro and IDA Free.

Example of Yagi

📦 You can download installers for Windows and Linux versions here, then press F3 and enjoy! 📦

Here is the list of architectures that Yagi can decompile at the moment:

Arch Names Yagi
x86 ✔️
x86_64 ✔️
arm ✔️
aarch64(armv8) ✔️
powerpc ✔️
mips ✔️
sparc ✔️
avr8 ✔️
6502 ✔️
z80 ✔️
eBPF 🐝✔️🐝
cp1600
cr16
dalvik
jvm
tricore
riscv
System Z
xCore
68000

It's easy to add one if it's supported by Ghidra. Just open an issue, and we will do our best!

It allows you to edit the following items:

  • Global Symbol like function prototype, global variable, etc.
  • Local stack variables name and type
  • Local registry variables name and type
Key Interact
Decompile 🖱️ Place cursor on function ⌨️ F3
Edit Type ⌨️ Y
Clear Type ⌨️ C
Edit Name ⌨️ N
Cross References ⌨️ X
Navigate 🖱️ Double Click on keyword

💾 Changes are save into IDA database 💾

Build

As Yagi is built using git submodules to handle Ghidra dependencies, you will first need to do a recursive clone:

git clone https://github.com/airbus-cert/Yagi --recursive

For Windows

Install Dependencies

As Ghidra uses bison and flex to parse the sleigh grammar, we need first to install build dependencies from here

You also need the IDA SDK associated with your version of IDA.

Cmake

Yagi's build system is based on cmake; you can find an MSI package here.

You need at least a Visual Studio compiler with C++ toolchain.

Production

To generate a Wix installer, you need to install WiX before.

Then, let the cmake magic happen:

git clone https://github.com/airbus-cert/Yagi --recursive
mkdir build_yagi
cd build_yagi
cmake ..\Yagi -DIDA_SDK_SOURCE_DIR=[PATH_TO_IDA_SDK_ROOT_FOLDER] -DCPACK_PACKAGE_INSTALL_DIRECTORY="IDA Pro 7.6"
cmake --build . --target package --config release

A new yagi-1.0.0-win64.msi will be generated. It will contain all the necessary dependencies to install the plugin.

Development

To create a dev environment you need to generate the Visual Studio solution:

git clone https://github.com/airbus-cert/Yagi --recursive
mkdir build_yagi
cd build_yagi
cmake ..\Yagi -DIDA_SDK_SOURCE_DIR=[PATH_TO_IDA_SDK_ROOT_FOLDER] -DBUILD_TESTS=ON

PATH_TO_IDA_SDK_ROOT_FOLDER represents the root path of the decompressed archive provided by Hex-Rays.

To launch unit tests, just use ctest installed with cmake:

cd tests
ctest -VV

For Linux

Install Dependencies

As Ghidra uses bison and flex to parse the sleigh grammar and Yagi is built using Cmake and C++, you will need the following:

apt install cmake c++ git flex bison yacc

Production

To generate an installer script:

git clone https://github.com/airbus-cert/Yagi --recursive
mkdir build_yagi
cd build_yagi
cmake ../Yagi -DIDA_SDK_SOURCE_DIR=[PATH_TO_IDA_SDK_ROOT_FOLDER]
cmake --build . --target package --config release

This will produce a yagi-1.0.0-Linux.sh script. Then you just have to launch it:

./yagi-1.0.0-Linux.sh --prefix=[PATH_TO_IDA_INSTALL_FOLDER]
y
n

Enjoy!

Development

To generate a dev environment you need to generate the Makefile:

git clone https://github.com/airbus-cert/Yagi --recursive
mkdir build_yagi
cd build_yagi
cmake ../Yagi -DIDA_SDK_SOURCE_DIR=[PATH_TO_IDA_SDK_ROOT_FOLDER] -DBUILD_TESTS=ON -DCMAKE_BUILD_TYPE=Debug
make

To launch unit tests, just use ctest installed with cmake:

cd tests
ctest -VV

TODO

  • Handle enum types
  • Add rules to handle end function computation on AARCH64
  • Change constant type (key H, R)

Credits and references

Thanks Ghidra development team to open sources this master piece of software.

Thanks Hex-Ray teams to built a very extensible software.

More Repositories

1

ttddbg

Time Travel Debugging IDA plugin
C++
551
star
2

Winshark

A wireshark plugin to instrument ETW
Lua
527
star
3

Invoke-Bof

Load any Beacon Object File using Powershell!
PowerShell
245
star
4

comida

An IDA Plugin that help analyzing module that use COM
Python
198
star
5

regrippy

A modern Python-3-based alternative to RegRipper
Python
184
star
6

etl-parser

Event Trace Log file parser in pure Python
Python
132
star
7

yara-ttd

Use YARA rules on Time Travel Debugging traces
C
86
star
8

vbSparkle

VBScript & VBA source-to-source deobfuscator with partial-evaluation
C#
72
star
9

ntTraceControl

Powershell Event Tracing Toolbox
PowerShell
72
star
10

CVE-2024-4040

Scanner for CVE-2024-4040
Python
50
star
11

etwbreaker

An IDA plugin to deal with Event Tracing for Windows (ETW)
Python
49
star
12

minusone

Powershell Linter
Rust
46
star
13

PSTrace

Trace ScriptBlock execution for powershell v2
C
39
star
14

tree-sitter-powershell

Powershell grammar for tree-sitter
JavaScript
36
star
15

dnYara

A multi-platform .Net wrapper library for the native Yara library.
C#
35
star
16

timeliner

A rewrite of mactime, a bodyfile reader
Go
34
star
17

Splunk-ETW

A Splunk Technology Add-on to forward filtered ETW events.
C#
30
star
18

cacdec

The hidden mstsc recorder player
Python
28
star
19

ttd2mdmp

Extract data of TTD trace file to a minidump
C++
28
star
20

dirtypipe-ebpf_detection

An eBPF detection program for CVE-2022-0847
C
27
star
21

mispy

Another MISP module for Python
Python
17
star
22

mispgo

Golang library for MISP
Go
5
star
23

usnrs

USN Journal parsing software and library
Rust
5
star
24

bodyfile

A bodyfile parsing library
Go
3
star
25

nix-forensics

Reproducible forensics environment, 100% of the time
Nix
3
star
26

skyblue.team

Our website
HTML
1
star