• Stars
    star
    125
  • Rank 286,335 (Top 6 %)
  • Language
    Java
  • License
    Other
  • Created almost 4 years ago
  • Updated 5 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

CERT Kaiju is a binary analysis framework extension for the Ghidra software reverse engineering suite. This repository is a "mirror" -- please file tickets, bug reports, or pull requests at the upstream home in @CERTCC: https://github.com/certcc/kaiju

CERT Kaiju Binary Analysis Framework for GHIDRA

CERT Kaiju is a collection of binary analysis tools for Ghidra.

This is a Ghidra/Java implementation of some features of the CERT Pharos Binary Analysis Framework, particularly the function hashing and malware analysis tools, but is expected to grow new tools and capabilities over time.

As this is a new effort, this implementation does not yet have full feature parity with the original C++ implementation based on ROSE; however, the move to Java and Ghidra has actually enabled some new features not available in the original framework -- notably, improved handling of non-x86 architectures. Since some significant re-architecting of the framework and tools is taking place, and the move to Java and Ghidra enables different capabilities than the C++ implementation, the decision was made to utilize new branding such that there would be less confusion between implementations when discussing the different tools and capabilities.

Our intention for the near future is to maintain both the original Pharos framework as well as Kaiju, side-by-side, since both can provide unique features and capabilities.

CAVEAT: As a prototype, there are many issues that may come up when evaluating the function hashes created by this plugin. For example, unlike the Pharos implementation, Kaiju's function hashing module will create hashes for very small functions (e.g., ones with a single instruction like RET causing many more unintended collisions). As such, analytical results may vary between this plugin and Pharos fn2hash.

Installation

Pre-built Kaiju packages are available. Simply download the ZIP file corresponding with your version of Ghidra and install according to the instructions below. It is recommended to install via Ghidra's graphical interface, but it is also possible to manually unzip into the appropriate directory to install.

CERT Kaiju requires the following runtime dependencies:

Z3 is provided pre-compiled as part of the pre-built packages, or you may build Z3 on your own or use your Linux distribution's package.

Graphical Installation

Start Ghidra, and from the opening window, select from the menu: File > Install Extension. Click the plus sign at the top of the extensions window, navigate and select the .zip file in the file browser and hit OK. The extension will be installed and a checkbox will be marked next to the name of the extension in the window to let you know it is installed and ready.

The interface will ask you to restart Ghidra to start using the extension. Simply restart, and then Kaiju's extra features will be available for use interactively or in scripts.

Some functionality may require enabling Kaiju plugins. To do this, open the Code Browser then navigate to the menu File > Configure. In the window that pops up, click the Configure link below the "CERT Kaiju" category icon. A pop-up will display all available publicly released Kaiju plugins. Check any plugins you wish to activate, then hit OK. You will now have access to interactive plugin features.

If a plugin is not immediately visible once enabled, you can find the plugin underneath the Window menu in the Code Browser.

Experimental "alpha" versions of future tools may be available from the "Experimental" category if you wish to test them. However these plugins are definitely experimental and unsupported and not recommended for production use. We do welcome early feedback though!

Manual Installation

Ghidra extensions like Kaiju may also be installed manually by unzipping the extension contents into the appropriate directory of your Ghidra installation. For more information, please see The Ghidra Installation Guide.

Build It Yourself

You can also build the Kaiju extension directly from source code. See the INSTALL.md file included in the top Kaiju source directory.

Usage

Kaiju's tools may be used either in an interactive graphical way, or via a "headless" mode more suited for batch jobs. Some tools may only be available for graphical or headless use, by the nature of the tool.

Interactive Graphical Interface

Kaiju creates an interactive graphical interface (GUI) within Ghidra utilizing Java Swing and Ghidra's plugin architecture.

Most of Kaiju's tools are actually Analysis plugins that run automatically when the "Auto Analysis" option is chosen, either upon import of a new executable to disassemble, or by directly choosing Analysis > Auto Analyze... from the code browser window. You will see several CERT Analysis plugins selected by default in the Auto Analyze tool, but you can enable/disable any as desired.

The Analysis tools must be run before the various GUI tools will work, however. In some corner cases, it may even be helpful to run the Auto Analysis twice to ensure all of the metadata is produced to create correct partitioning and disassembly information, which in turn can influence the hashing results.

Analyzers are automatically run during Ghidra's analysis phase and include:

  • DisasmImprovements = improves the function partitioning of the disassembly compared to the standard Ghidra partitioning.
  • Fn2Hash = calculates function hashes for all functions in a program and is used to generate YARA signatures for programs.

The GUI tools include:

  • GhiHorn = a plugin to calculate paths and reachability in control flow graphs, utilizing Z3.
    • Select Kaiju > GhiHorn to access this tool from Ghidra's CodeBrowser. You can also launch the plugin by pressing CTRL-G.
  • Function Hash Viewer = a plugin that displays an interactive list of functions in a program and several types of hashes. Analysts can use this to export one or more functions from a program into YARA signatures.
    • Select Window > CERT Function Hash Viewer from the menu to get started with this tool if it is not already visible. A new window will appear displaying a table of hashes and other data. Buttons along the top of the window can refresh the table or export data to file or a YARA signature. This window may also be docked into the main Ghidra CodeBrowser for easier use alongside other plugins. More extensive usage documentation can be found in Ghidra's Help > Contents menu when using the tool.
  • OOAnalyzer JSON Importer = a plugin that can load, parse, and apply Pharos-generated OOAnalyzer results to object oriented C++ executables in a Ghidra project. When launched, the plugin will prompt the user for the JSON output file produced by OOAnalyzer that contains information about recovered C++ classes. After loading the JSON file, recovered C++ data types and symbols found by OOAnalyzer are updated in the Ghidra Code Browser. The plugin's design and implementation details are described in our SEI blog post titled Using OOAnalyzer to Reverse Engineer Object Oriented Code with Ghidra.
    • Select Kaiju > OOAnalyzer Importer from the menu to get started with this tool. A simple dialog popup will ask you to locate the JSON file you wish to import. More extensive usage documentation can be found in Ghidra's Help > Contents menu when using the tool.

Command-line "Headless" Mode

Ghidra also supports a "headless" mode allowing tools to be run in some circumstances without use of the interactive GUI. These commands can therefore be utilized for scripting and "batch mode" jobs of large numbers of files.

The headless tools largely rely on Ghidra's GhidraScript functionality.

Headless tools include:

  • fn2hash = automatically run Fn2Hash on a given program and export all the hashes to a CSV file specified
  • fn2yara = automatically run Fn2Hash on a given program and export all hash data as YARA signatures to the file specified
  • fnxrefs = analyze a Program and export a list of Functions based on entry point address that have cross-references in data or other parts of the Program

A simple shell launch script named kaijuRun has been included to run these headless commands for simple scenarios, such as outputing the function hashes for every function in a single executable. Assuming the GHIDRA_INSTALL_DIR variable is set, one might for example run the launch script on a single executable as follows:

$GHIDRA_INSTALL_DIR/Ghidra/Extensions/kaiju/kaijuRun fn2hash example.exe

This command would output the results to an automatically named file as example.exe.Hashes.csv.

Basic help for the kaijuRun script is available by running:

$GHIDRA_INSTALL_DIR/Ghidra/Extensions/kaiju/kaijuRun --help

Please see docs/HeadlessKaiju.md file in the repository for more information on using this mode and the kaijuRun launcher script.

Further Documentation and Help

More comprehensive documentation and help is available, in one of two formats.

See the docs/ directory for Markdown-formatted documentation and help for all Kaiju tools and components. These documents are easy to maintain and edit and read even from a command line.

Alternatively, you may find the same documentation in Ghidra's built-in help system. To access these help docs, from the Ghidra menu, go to Help > Contents and then select CERT Kaiju from the tree navigation on the left-hand side of the help window.

Please note that the Ghidra Help documentation is the exact same content as the Markdown files in the docs/ directory; thanks to an in-tree gradle plugin, gradle will automatically parse the Markdown and export into Ghidra HTML during the build process. This allows even simpler maintenance (update docs in just one place, not two) and keeps the two in sync.

All new documentation should be added to the docs/ directory.

Licensing

This software is licensed under a simplified BSD-style license by the Software Engineering Institute at Carnegie Mellon University. Please find full details of this license, as well as licensing terms of dependencies used in this project, in the LICENSE.md file in the root of this repository.

The CERT Kaiju logo is based on art created by Cameron Spahn, originally released under terms of Creative Commons Attribution-Share Alike 4.0 International license.

More Repositories

1

pharos

Automated static analysis tools for binary programs
C++
1,547
star
2

GHOSTS

GHOSTS is a realistic user simulation framework for cyber experimentation, simulation, training, and exercise
C#
463
star
3

SCALe

SCALe (Source Code Analysis Lab) is a static analysis aggregator/correlator which enables a source code analyst to combine static analysis results from multiple tools into one interface, and also provides mappings for diagnostics from the tools to the SEI CERT Secure Coding standards.
C
285
star
4

gbtl

GraphBLAS Template Library (GBTL): C++ graph algorithms and primitives using semiring algebra as defined at graphblas.org
C++
129
star
5

BigGrep

A scalable search index for binary files
C++
114
star
6

SCADASim

The SCADA Simulator is a configurable system that presents itself as a SCADA system within an exercise environment. It has a web-accessible user interface and generates modbus traffic on the network.
Python
108
star
7

cyobstract

A tool to extract structured cyber information from incident reports.
Python
78
star
8

greybox

A tool to host an Internet simulation
Shell
49
star
9

topgen

Scripts to generate an Internet simulation
Shell
34
star
10

welled

Wireless adapter emulation
C
33
star
11

juneberry

Juneberry improves the experience of machine learning experimentation by providing a framework for automating the training, evaluation and comparison of multiple models against multiple datasets, reducing errors and improving reproducibility.
Python
31
star
12

pharos-demangle

Demangles C++ symbol names genarated by Microsoft Visual C++ in order to retrieve the original C++ declarations.
C++
30
star
13

crucible

Crucible is a modular framework for creating, deploying, and managing virtual environments to support training, education, and exercises.
HTML
29
star
14

TopoMojo

A simple virtual lab builder/player
C#
28
star
15

sa-bAbI

sa-bAbI is a software assurance dataset generator similar to the natural language dataset generator
Python
27
star
16

GHOSTS-ANIMATOR

GHOSTS Animator is a library and API for generating realistic NPCs for training and exercise.
C#
25
star
17

pdfrankenstein

Python tool for bulk PDF feature extraction. This tool is a prototype.
Python
24
star
18

CDAS

This program generates cyber attack scenarios for use in cyber training exercises, red team planning, blue team planning, automated attack execution, and cybersecurity policy analysis.
Python
24
star
19

finsim

FinSim is a financial simulation tool for exercise environments. It provides students the opportunity to investigate a model financial system and its associated security concerns.
Python
22
star
20

foundry-appliance

A virtual appliance for building cyber labs, challenges and competitions
Shell
22
star
21

GHOSTS-SPECTRE

SPECTRE enables GHOSTS clients to have and build individual preferences over time.
C#
20
star
22

vtunnel

vTunnel is a tool that proxies IP traffic between guest and host networks.
C
19
star
23

AASPE

A set of modeling tools for security analysis (attack tree, attack impact) and a code generator to produce code for the seL4 platform from AADL models.
Java
16
star
24

TopoMojo-v1

Virtual Lab builder and player
C#
15
star
25

nabu

Graphical analysis of PDF structure.
Python
12
star
26

eraces

Tools to identify complexity in software models (e.g., SCADE, AADL).
Tcl
12
star
27

usersim

An agent that performs user actions on a workstation
Python
12
star
28

cmu-sei.github.io

SEI GitHub landing page.
HTML
11
star
29

SCAIFE-API

Source Code Analysis Integrated Framework Environment (SCAIFE) API: YAML specification
HTML
10
star
30

Polar

Polar is a secure and scalable knowledge graph framework, designed to address the challenges posed by building big data systems in highly regulated environments, and improve observability for DevSecOps Organizations.
Rust
9
star
31

feud

AI Division, Reverse Engineering CNN Trojans
Python
8
star
32

cert-rosecheckers

C
7
star
33

SEER

SEER is a platform for assessing the performance of cybersecurity training and exercise participants.
JavaScript
7
star
34

DRAT

Deployment Recovery Automation Technology
Python
7
star
35

bgpuma

An application to search BGP Update files for CIDR blocks or Autonomous Systems.
C++
6
star
36

cubespace

Spacefaring cyber competition video game
C#
6
star
37

DevSecOps-Model

HTML
6
star
38

Valkyrie_Framework

Valkyrie Framework is an open source suite of tools that enable hunt teams to locate and identify hidden cybersecurity threats lurking in network traffic.
Python
5
star
39

SilkWeb

HTML
5
star
40

topomojo-ui-v1

TypeScript
4
star
41

quabasebd

A wiki knowledge base the links architecture principles to NoSQL product features to support designers of scalable data-intensive systems.
PHP
4
star
42

MORE

Malware driven Overlooked REquirements contains the components SERF SEcurity Requirements Finder and Report Writing application.
HTML
4
star
43

redemption

Redemption is a tool that automatically repairs C/C++ code given a set of static-analysis alerts
Python
4
star
44

augur-code

Augur is a toolset that helps simulate and detect drift in different types of datasets, to define the best metrics that can be used to predict drift before it happens.
Python
4
star
45

Crucible.Appliance

Shell
3
star
46

ansible-role-silk

A role to install and configure the SiLK analysis and collection tools.
Python
3
star
47

Stormbox

Stormbox is an "internet user simulator" that is designed to simulate the transient, temporary, and anonymous nature of typical internet users during a cyber wargame.
Python
3
star
48

Identity

C#
3
star
49

virtualization-abstraction-layer

The Virtualization Abstraction Layer is a proof-of-concept library to allow projects that rely on hypervisors to easily switch between virtualization technologies.
C#
3
star
50

Cyber-Ticket-Studio

CTS is a tool that enables users to explore, search, sort, mine, and visualize large numbers of cyber incident tickets (and some other kinds of tickets) at the same time.
R
3
star
51

Player.Ui

Player is the centralized interface where users, teams, and administrators go to configure and participate in the cyber exercise.
TypeScript
2
star
52

gameboard-ui-v2

Gameboard is a flexible web platform that provides game design capabilities and a competition-ready user interface.
TypeScript
2
star
53

Console.Ui

Console.Ui is a UI application that displays and interacts with VMware virtual machine consoles. The Crucible VM project uses Console.Ui to display virtual machines.
TypeScript
2
star
54

cloud-migration-for-managers

TypeScript
2
star
55

topomojo-ui

TypeScript
2
star
56

threat-hunting-games

Code in support of SEI 2022 Line project on threat hunting games.
Python
2
star
57

autocats

AUTOCATS is the automated code analysis testing suite, used by projects like CERT Kaiju. This repository is a "mirror" -- please file tickets, bug reports, or pull requests at the upstream home in @CERTCC: https://github.com/certcc/autocats
C++
2
star
58

Gameboard

C#
2
star
59

CITE.Ui

The Collaborative Incident Threat Evaluator allows exercise participants to assess the severity of an incident using a scale such as the National Cyber Incident Scoring System.
TypeScript
2
star
60

Caster.Api

Caster is the primary deployment component of the Crucible framework. Caster provides a web interface that gives exercise developers a way to create, share, and manage topology configurations.
C#
2
star
61

helm-charts

Smarty
2
star
62

gameboard-v2

Gameboard is a flexible web platform that provides game design capabilities and a competition-ready user interface.
C#
2
star
63

vessel

Vessel is a project with the goal of promoting reproducible container builds. The first version of the Vessel tool compares two built container images and reports on differences between them, flagging as many known issues as possible.
1
star
64

Steamfitter.Ui

Steamfitter.Ui gives exercise developers the ability to create scenarios consisting of a series of scheduled tasks, manual tasks, and injects which run against virtual machines in a view.
TypeScript
1
star
65

Caster.Ui

Caster is the primary deployment component of the Crucible framework. Caster provides a web interface that gives exercise developers a way to create, share, and manage topology configurations.
TypeScript
1
star
66

ansible-role-rwflowpack

An ansible role for configuring and managing the rwflowpack service.
Shell
1
star
67

juneberry-example-workspace

A sample workspace for the Juneberry machine learning tool.
Python
1
star
68

eem

This repository hosts Eclipse-related files for the Enabling Evidence-Based Modernization project.
Java
1
star
69

TEC

A tool that allows users to detect ML Mismatch during the development, deployment, and maintenance of a ML component.
Vue
1
star
70

ghosts-cyber-range-and-exercise-simulation-tools

Range and simulation tools for executing realistic training and exercise events
C#
1
star
71

FALSA-model-problem

The FALSA model problem is a software that simulates an autonomous drone mission and its intended use is for research in assurance.
C++
1
star
72

scir-oss

scir-oss is a tool that integrates public data and information regarding open source software projects and their products into a Project, Product, Protection, and Policy report (OSS-P4/R).
Shell
1
star
73

gamebrain

Python
1
star
74

certccsilklive

Official dockerfile for the Ubuntu based SiLK Live! training system.
Dockerfile
1
star
75

osticket-crucible

A plugin for osTicket that provides authentication against an OAuth2 identity server and posts ticket event notifications to the Crucible API.
PHP
1
star
76

Player.Api

Player is the centralized interface where users, teams, and administrators go to configure and participate in the cyber exercise.
C#
1
star
77

AppMailRelay

C#
1
star
78

Gallery.Ui

Gallery is an exercise inject visualization tool. It allows various types of inject data to be displayed, categorized, and searched by exercise participants.
TypeScript
1
star
79

ml-mismatch-descriptors

A set of descriptors used to support TEC the ML Mismatch detection tool, and other future tools.
1
star
80

REST

REST is a simple J2EE based application that is designed to exposed RDBMS database via webservices. REST software is designed to simplify integration of several RDBMS datasources to a JSON/XML for frameworks like jQuery etc.
JavaScript
1
star
81

UnitML

Python
1
star
82

Vm.Api

The Vm.Api is the backend restful API for the VM application that integrates with Player to display and manage virtual machines.
C#
1
star
83

augur-results

Augur is a toolset that helps simulate and detect drift in different types of datasets. This repo contains the results of experiments run using the toolset.
1
star
84

Blueprint.Ui

TypeScript
1
star
85

ansible-role-yaf

An ansible role for installing, configuring, and managing the YAF service.
Shell
1
star
86

GameEngine

GameEngine is a web API that serves games and challenges and also provides grading for the Gameboard platform.
C#
1
star