Ghidra Tip 0x08: Scripting with microservices
2024-11-27 18:59:11 Author: maxkersten.nl

This article is based on the public release of Ghidra 11.2.

While Ghidra is an extensive framework and allows arbitrary logic to be included to perform a given task, some tasks are better performed elsewhere. There can be a variety of reasons to outsource the execution of code to another system: a proprietary service might offer API access that can be used to enhance the analysis results, the execution of said code might be too heavy to handle on the analysis device, or the disk space required for the task might be insufficient locally.

The aforementioned reasons are by no means exhaustive, but do serve as a few examples which clearly illustrate the need to interact with (micro)services.

The script I wrote for Trellix to interact with Malpedia's FLOSSED uses the API to process the provided string(s) and uses the response to perform actions locally.

The script itself contains a function, on line 113, which creates an HTTP POST request using Java's own networking related objects. While this function performs an HTTP POST request with a few additional headers, it can easily be changed to a different type of HTTP request with other headers. Most services require a header carrying the API key to authenticate the user in question.

While it is possible to include nonstandard Java packages with regard to networking, this is not possible in a script unless Ghidra already uses said package. When writing a plug-in, it is possible to include custom packages, but this requires the plug-in to be built prior to its usage, whereas a script can be compiled by Ghidra at runtime.

One such package, which is often used when interacting with API endpoints, is Google's Java-based JSON library named Gson. This makes interaction with API endpoints easier, as Gson allows one to create Java objects from JSON, which can then be used to interact with Ghidra's internal codebase and FlatAPI.
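To make the two points above concrete, here is an added example script (not the FLOSSED script from the post) that performs an HTTP POST from a Ghidra script using only java.net, sends the API key as a header, and parses the JSON reply with Gson, which is assumed to be on Ghidra's classpath as stated above. The endpoint URL, the X-API-Key header name and the reply shape are placeholders, and the key is asked for at run time via askString so it never ends up hardcoded in a shared script.

```java
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import ghidra.app.script.GhidraScript;
// Added example, not the FLOSSED script from the post: POST a JSON body to a
// microservice from a Ghidra script using only java.net, then parse the reply with Gson.
public class MicroservicePostExample extends GhidraScript {
    // Generic HTTP POST with a JSON body; returns the response body as a String.
    // Fails on any non-2xx status so the caller never parses an error page as data.
    private String postJson(String endpoint, String apiKey, String body) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) URI.create(endpoint).toURL().openConnection();
        conn.setRequestMethod("POST");              // swap for GET/PUT as the service requires
        conn.setConnectTimeout(10_000);             // never let a slow service hang the analysis
        conn.setReadTimeout(30_000);
        conn.setRequestProperty("Content-Type", "application/json");
        conn.setRequestProperty("X-API-Key", apiKey);   // placeholder; header name is service specific
        conn.setDoOutput(true);
        conn.getOutputStream().write(body.getBytes(StandardCharsets.UTF_8));
        int status = conn.getResponseCode();
        InputStream in = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        String text = in == null ? "" : new String(in.readAllBytes(), StandardCharsets.UTF_8);
        conn.disconnect();
        if (status < 200 || status >= 300) {
            throw new Exception("HTTP " + status + " from " + endpoint + ": " + text);
        }
        return text;
    }

    @Override
    public void run() throws Exception {
        // Ask for the key at run time instead of hardcoding it in a script that gets shared.
        String apiKey = askString("API key", "Enter the API key for the service");
        String endpoint = "https://example.invalid/api/strings";   // placeholder URL
        // Build the body with Gson rather than string concatenation so escaping is handled.
        JsonObject request = new JsonObject();
        request.addProperty("string", "kernel32.dll");   // constructed sample input
        String reply = postJson(endpoint, apiKey, request.toString());
        // Placeholder reply shape: {"results":[{"string":"...","score":0.9}]}
        JsonObject json = JsonParser.parseString(reply).getAsJsonObject();
        for (JsonElement e : json.getAsJsonArray("results")) {
            JsonObject r = e.getAsJsonObject();
            println(r.get("string").getAsString() + " -> score " + r.get("score").getAsDouble());
        }
    }
}
```

Because the script is compiled by Ghidra at run time, the imports must resolve against jars Ghidra already ships; any other JSON or HTTP client library would require the plug-in route described above.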

It might sound logical to use HTTP requests to interact with HTTP-based services, but people often assume this cannot be done from a Ghidra script for various reasons. The focus of this blog is to show that it can be done, to provide some more background information, and to provide an example that others can build on.


To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], or DM me on Twitter @Libranalysis.


Source: https://maxkersten.nl/2024/11/27/ghidra-tip-0x08-scripting-with-microservices/