mitsupi 1.0.0

package/skills/ghidra/SKILL.md

@@ -0,0 +1,254 @@
+---
+name: ghidra
+description: "Reverse engineer binaries using Ghidra's headless analyzer. Decompile executables, extract functions, strings, symbols, and analyze call graphs without GUI."
+---
+
+# Ghidra Headless Analysis Skill
+
+Perform automated reverse engineering using Ghidra's `analyzeHeadless` tool. Import binaries, run analysis, decompile to C code, and extract useful information.
+
+## Quick Reference
+
+| Task | Command |
+|------|---------|
+| Full analysis with all exports | `ghidra-analyze.sh -s ExportAll.java -o ./output binary` |
+| Decompile to C code | `ghidra-analyze.sh -s ExportDecompiled.java -o ./output binary` |
+| List functions | `ghidra-analyze.sh -s ExportFunctions.java -o ./output binary` |
+| Extract strings | `ghidra-analyze.sh -s ExportStrings.java -o ./output binary` |
+| Get call graph | `ghidra-analyze.sh -s ExportCalls.java -o ./output binary` |
+| Export symbols | `ghidra-analyze.sh -s ExportSymbols.java -o ./output binary` |
+| Find Ghidra path | `find-ghidra.sh` |
+
+## Prerequisites
+
+- **Ghidra** must be installed. On macOS: `brew install --cask ghidra`
+- **Java** (OpenJDK 17+) must be available
+
+The skill automatically locates Ghidra in common installation paths. Set `GHIDRA_HOME` environment variable if Ghidra is installed in a non-standard location.
+
+---
+
+## Main Wrapper Script
+
+```bash
+./scripts/ghidra-analyze.sh [options] <binary>
+```
+
+Wrapper that handles project creation/cleanup and provides a simpler interface to `analyzeHeadless`.
+
+**Options:**
+- `-o, --output <dir>` - Output directory for results (default: current dir)
+- `-s, --script <name>` - Post-analysis script to run (can be repeated)
+- `-a, --script-args <args>` - Arguments for the last specified script
+- `--script-path <path>` - Additional script search path
+- `-p, --processor <id>` - Processor/architecture (e.g., `x86:LE:32:default`)
+- `-c, --cspec <id>` - Compiler spec (e.g., `gcc`, `windows`)
+- `--no-analysis` - Skip auto-analysis (faster, but less info)
+- `--timeout <seconds>` - Analysis timeout per file
+- `--keep-project` - Keep the Ghidra project after analysis
+- `--project-dir <dir>` - Directory for Ghidra project (default: /tmp)
+- `--project-name <name>` - Project name (default: auto-generated)
+- `-v, --verbose` - Verbose output
+
+---
+
+## Built-in Export Scripts
+
+### ExportAll.java
+Comprehensive export - runs all other exports and creates a summary. Best for initial analysis.
+
+**Output files:**
+- `{name}_summary.txt` - Overview: architecture, memory sections, function counts
+- `{name}_decompiled.c` - All functions decompiled to C
+- `{name}_functions.json` - Function list with signatures and calls
+- `{name}_strings.txt` - All strings found
+- `{name}_interesting.txt` - Functions matching security-relevant patterns
+
+```bash
+./scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis firmware.bin
+```
+
+### ExportDecompiled.java
+Decompile all functions to C pseudocode.
+
+**Output:** `{name}_decompiled.c`
+
+```bash
+./scripts/ghidra-analyze.sh -s ExportDecompiled.java -o ./output program.exe
+```
+
+### ExportFunctions.java
+Export function list as JSON with addresses, signatures, parameters, and call relationships.
+
+**Output:** `{name}_functions.json`
+
+```json
+{
+  "program": "example.exe",
+  "architecture": "x86",
+  "functions": [
+    {
+      "name": "main",
+      "address": "0x00401000",
+      "size": 256,
+      "signature": "int main(int argc, char **argv)",
+      "returnType": "int",
+      "callingConvention": "cdecl",
+      "isExternal": false,
+      "parameters": [{"name": "argc", "type": "int"}, ...],
+      "calls": ["printf", "malloc", "process_data"],
+      "calledBy": ["_start"]
+    }
+  ]
+}
+```
+
+### ExportStrings.java
+Extract all strings (ASCII, Unicode) with addresses.
+
+**Output:** `{name}_strings.json`
+
+```bash
+./scripts/ghidra-analyze.sh -s ExportStrings.java -o ./output malware.exe
+```
+
+### ExportCalls.java
+Export function call graph showing caller/callee relationships.
+
+**Output:** `{name}_calls.json`
+
+Includes:
+- Full call graph
+- Potential entry points (functions with no callers)
+- Most frequently called functions
+
+### ExportSymbols.java
+Export all symbols: imports, exports, and internal symbols.
+
+**Output:** `{name}_symbols.json`
+
+---
+
+## Common Workflows
+
+### Analyze an Unknown Binary
+
+```bash
+# Create output directory
+mkdir -p ./analysis
+
+# Run comprehensive analysis
+./scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis unknown_binary
+
+# Review the summary first
+cat ./analysis/unknown_binary_summary.txt
+
+# Look at interesting patterns (crypto, network, dangerous functions)
+cat ./analysis/unknown_binary_interesting.txt
+
+# Check specific decompiled functions
+grep -A 50 "encrypt" ./analysis/unknown_binary_decompiled.c
+```
+
+### Analyze Firmware
+
+```bash
+# Specify ARM architecture for firmware
+./scripts/ghidra-analyze.sh \
+    -p "ARM:LE:32:v7" \
+    -s ExportAll.java \
+    -o ./firmware_analysis \
+    firmware.bin
+```
+
+### Quick Function Listing
+
+```bash
+# Just get function names and addresses (faster)
+./scripts/ghidra-analyze.sh --no-analysis -s ExportFunctions.java -o . program
+
+# Parse with jq
+cat program_functions.json | jq '.functions[] | "\(.address): \(.name)"'
+```
+
+### Find Specific Patterns
+
+```bash
+# After running ExportDecompiled, search for patterns
+grep -n "password\|secret\|key" output_decompiled.c
+grep -n "strcpy\|sprintf\|gets" output_decompiled.c
+```
+
+### Analyze Multiple Binaries
+
+```bash
+for bin in ./samples/*; do
+    name=$(basename "$bin")
+    ./scripts/ghidra-analyze.sh -s ExportAll.java -o "./results/$name" "$bin"
+done
+```
+
+---
+
+## Architecture/Processor IDs
+
+Common processor IDs for the `-p` option:
+
+| Architecture | Processor ID |
+|-------------|--------------|
+| x86 32-bit | `x86:LE:32:default` |
+| x86 64-bit | `x86:LE:64:default` |
+| ARM 32-bit | `ARM:LE:32:v7` |
+| ARM 64-bit | `AARCH64:LE:64:v8A` |
+| MIPS 32-bit | `MIPS:BE:32:default` or `MIPS:LE:32:default` |
+| PowerPC | `PowerPC:BE:32:default` |
+
+Find all available processors:
+```bash
+ls "$(dirname $(./scripts/find-ghidra.sh))/../Ghidra/Processors/"
+```
+
+---
+
+## Troubleshooting
+
+### Ghidra Not Found
+```bash
+# Check if Ghidra is installed
+./scripts/find-ghidra.sh
+
+# Set GHIDRA_HOME if in non-standard location
+export GHIDRA_HOME=/path/to/ghidra_11.x_PUBLIC
+./scripts/ghidra-analyze.sh ...
+```
+
+### Analysis Takes Too Long
+```bash
+# Set a timeout (seconds)
+./scripts/ghidra-analyze.sh --timeout 300 -s ExportAll.java binary
+
+# Skip analysis for quick export
+./scripts/ghidra-analyze.sh --no-analysis -s ExportSymbols.java binary
+```
+
+### Out of Memory
+Edit the `analyzeHeadless` script or set:
+```bash
+export MAXMEM=4G
+```
+
+### Wrong Architecture Detected
+Explicitly specify the processor:
+```bash
+./scripts/ghidra-analyze.sh -p "ARM:LE:32:v7" -s ExportAll.java firmware.bin
+```
+
+---
+
+## Tips
+
+1. **Start with ExportAll.java** - It gives you everything and the summary helps orient you
+2. **Check the interesting.txt file** - It highlights security-relevant functions automatically
+3. **Use jq for JSON parsing** - The JSON exports are designed to be machine-readable
+4. **Decompilation isn't perfect** - Use it as a guide, cross-reference with disassembly
+5. **Large binaries take time** - Use `--timeout` and consider `--no-analysis` for quick scans

package/skills/ghidra/scripts/find-ghidra.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+# Locate Ghidra installation and analyzeHeadless script
+# Searches common installation paths and outputs the path to analyzeHeadless
+
+set -e
+
+# Common locations to search for Ghidra
+SEARCH_PATHS=(
+    # Homebrew on Apple Silicon
+    "/opt/homebrew/Caskroom/ghidra"
+    # Homebrew on Intel
+    "/usr/local/Caskroom/ghidra"
+    # Manual installation locations
+    "/opt/ghidra"
+    "/usr/local/ghidra"
+    "$HOME/ghidra"
+    "$HOME/Applications/ghidra"
+    "/Applications/ghidra"
+    # Linux common paths
+    "/usr/share/ghidra"
+    "/usr/local/share/ghidra"
+)
+
+# Check GHIDRA_HOME environment variable first
+if [[ -n "$GHIDRA_HOME" ]]; then
+    HEADLESS="$GHIDRA_HOME/support/analyzeHeadless"
+    if [[ -x "$HEADLESS" ]]; then
+        echo "$HEADLESS"
+        exit 0
+    fi
+fi
+
+# Search through common paths
+for base_path in "${SEARCH_PATHS[@]}"; do
+    if [[ -d "$base_path" ]]; then
+        # Find analyzeHeadless in the directory tree (handles versioned paths)
+        HEADLESS=$(find "$base_path" -name "analyzeHeadless" -type f 2>/dev/null | head -n 1)
+        if [[ -n "$HEADLESS" && -x "$HEADLESS" ]]; then
+            echo "$HEADLESS"
+            exit 0
+        fi
+    fi
+done
+
+# Try to find it anywhere on the system as a last resort
+HEADLESS=$(find /opt /usr/local /Applications "$HOME" -name "analyzeHeadless" -type f 2>/dev/null | head -n 1)
+if [[ -n "$HEADLESS" && -x "$HEADLESS" ]]; then
+    echo "$HEADLESS"
+    exit 0
+fi
+
+echo "ERROR: Could not find Ghidra's analyzeHeadless script." >&2
+echo "Please set GHIDRA_HOME environment variable or install Ghidra." >&2
+exit 1

package/skills/ghidra/scripts/ghidra-analyze.sh

@@ -0,0 +1,239 @@
+#!/bin/bash
+# Wrapper script for Ghidra headless analysis
+# Handles project creation/cleanup and provides a simpler interface
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Find analyzeHeadless
+ANALYZE_HEADLESS=$("$SCRIPT_DIR/find-ghidra.sh")
+GHIDRA_HOME=$(dirname "$(dirname "$ANALYZE_HEADLESS")")
+
+show_help() {
+    cat << 'EOF'
+Usage: ghidra-analyze.sh [options] <binary>
+
+Analyze a binary file using Ghidra's headless analyzer.
+
+Options:
+  -o, --output <dir>       Output directory for results (default: current dir)
+  -s, --script <name>      Post-analysis script to run (can be repeated)
+  -a, --script-args <args> Arguments for the last specified script
+  --script-path <path>     Additional script search path
+  -p, --processor <id>     Processor/architecture (e.g., x86:LE:32:default)
+  -c, --cspec <id>         Compiler spec (e.g., gcc, windows)
+  --no-analysis            Skip auto-analysis
+  --timeout <seconds>      Analysis timeout per file
+  --keep-project           Keep the Ghidra project after analysis
+  --project-dir <dir>      Directory for Ghidra project (default: /tmp)
+  --project-name <name>    Project name (default: auto-generated)
+  -v, --verbose            Verbose output
+  -h, --help               Show this help
+
+Built-in Scripts (use with -s):
+  ExportDecompiled.java    Export all functions as decompiled C code
+  ExportFunctions.java     Export function list with addresses and signatures
+  ExportStrings.java       Export all strings found in the binary
+  ExportCalls.java         Export function call graph
+  ExportSymbols.java       Export all symbols and their addresses
+
+Examples:
+  # Basic analysis with decompilation output
+  ghidra-analyze.sh -s ExportDecompiled.java -o ./output myprogram
+
+  # Analyze with specific architecture
+  ghidra-analyze.sh -p ARM:LE:32:v7 firmware.bin
+
+  # Run multiple scripts
+  ghidra-analyze.sh -s ExportFunctions.java -s ExportStrings.java binary
+
+  # Keep project for later use
+  ghidra-analyze.sh --keep-project --project-name MyProject binary
+EOF
+}
+
+# Default values
+OUTPUT_DIR="."
+SCRIPTS=()
+SCRIPT_ARGS=()
+SCRIPT_PATH=""
+PROCESSOR=""
+CSPEC=""
+NO_ANALYSIS=""
+TIMEOUT=""
+KEEP_PROJECT=false
+PROJECT_DIR="/tmp"
+PROJECT_NAME=""
+VERBOSE=false
+BINARY=""
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        -o|--output)
+            OUTPUT_DIR="$2"
+            shift 2
+            ;;
+        -s|--script)
+            SCRIPTS+=("$2")
+            shift 2
+            ;;
+        -a|--script-args)
+            # Associate args with the last script
+            if [[ ${#SCRIPTS[@]} -gt 0 ]]; then
+                SCRIPT_ARGS+=("${#SCRIPTS[@]}:$2")
+            fi
+            shift 2
+            ;;
+        --script-path)
+            SCRIPT_PATH="$2"
+            shift 2
+            ;;
+        -p|--processor)
+            PROCESSOR="$2"
+            shift 2
+            ;;
+        -c|--cspec)
+            CSPEC="$2"
+            shift 2
+            ;;
+        --no-analysis)
+            NO_ANALYSIS="-noanalysis"
+            shift
+            ;;
+        --timeout)
+            TIMEOUT="$2"
+            shift 2
+            ;;
+        --keep-project)
+            KEEP_PROJECT=true
+            shift
+            ;;
+        --project-dir)
+            PROJECT_DIR="$2"
+            shift 2
+            ;;
+        --project-name)
+            PROJECT_NAME="$2"
+            shift 2
+            ;;
+        -v|--verbose)
+            VERBOSE=true
+            shift
+            ;;
+        -h|--help)
+            show_help
+            exit 0
+            ;;
+        -*)
+            echo "Unknown option: $1" >&2
+            exit 1
+            ;;
+        *)
+            BINARY="$1"
+            shift
+            ;;
+    esac
+done
+
+if [[ -z "$BINARY" ]]; then
+    echo "Error: No binary file specified" >&2
+    show_help
+    exit 1
+fi
+
+if [[ ! -f "$BINARY" ]]; then
+    echo "Error: Binary file not found: $BINARY" >&2
+    exit 1
+fi
+
+# Create output directory if needed
+mkdir -p "$OUTPUT_DIR"
+
+# Generate project name if not specified
+if [[ -z "$PROJECT_NAME" ]]; then
+    PROJECT_NAME="ghidra_$(basename "$BINARY" | tr '.' '_')_$$"
+fi
+
+# Build script path including our built-in scripts
+BUILTIN_SCRIPTS="$SCRIPT_DIR/ghidra_scripts"
+if [[ -n "$SCRIPT_PATH" ]]; then
+    FULL_SCRIPT_PATH="$BUILTIN_SCRIPTS;$SCRIPT_PATH"
+else
+    FULL_SCRIPT_PATH="$BUILTIN_SCRIPTS"
+fi
+
+# Build command
+CMD=("$ANALYZE_HEADLESS" "$PROJECT_DIR" "$PROJECT_NAME" -import "$BINARY")
+
+# Add script path
+CMD+=(-scriptPath "$FULL_SCRIPT_PATH")
+
+# Add scripts
+for i in "${!SCRIPTS[@]}"; do
+    script="${SCRIPTS[$i]}"
+    CMD+=(-postScript "$script")
+    
+    # Check if there are args for this script
+    for arg_entry in "${SCRIPT_ARGS[@]}"; do
+        idx="${arg_entry%%:*}"
+        args="${arg_entry#*:}"
+        if [[ "$idx" -eq $((i + 1)) ]]; then
+            # Append script arguments
+            CMD+=($args)
+        fi
+    done
+done
+
+# Add output directory as environment variable for scripts
+export GHIDRA_OUTPUT_DIR="$OUTPUT_DIR"
+
+# Add processor if specified
+if [[ -n "$PROCESSOR" ]]; then
+    CMD+=(-processor "$PROCESSOR")
+fi
+
+# Add compiler spec if specified
+if [[ -n "$CSPEC" ]]; then
+    CMD+=(-cspec "$CSPEC")
+fi
+
+# Add no-analysis flag if specified
+if [[ -n "$NO_ANALYSIS" ]]; then
+    CMD+=($NO_ANALYSIS)
+fi
+
+# Add timeout if specified
+if [[ -n "$TIMEOUT" ]]; then
+    CMD+=(-analysisTimeoutPerFile "$TIMEOUT")
+fi
+
+# Delete project after analysis unless keeping it
+if [[ "$KEEP_PROJECT" != true ]]; then
+    CMD+=(-deleteProject)
+fi
+
+# Add log file
+LOG_FILE="$OUTPUT_DIR/ghidra_analysis.log"
+CMD+=(-log "$LOG_FILE")
+
+# Run the analysis
+if [[ "$VERBOSE" == true ]]; then
+    echo "Running: ${CMD[*]}"
+fi
+
+"${CMD[@]}" 2>&1 | tee "$OUTPUT_DIR/ghidra_output.log"
+
+exit_code=${PIPESTATUS[0]}
+
+if [[ $exit_code -eq 0 ]]; then
+    echo ""
+    echo "Analysis complete. Output files in: $OUTPUT_DIR"
+    ls -la "$OUTPUT_DIR"
+else
+    echo "Analysis failed with exit code: $exit_code" >&2
+    echo "Check log file: $LOG_FILE" >&2
+fi
+
+exit $exit_code