<div class="bci-header">
    
<div class="bci-header-image">
  <img src="../images/bcilogo.svg"/>
    </div>
<div class="bci-header-text">
    <div class="bci-header-class"> Ghidra Automations </div>
    <div class="bci-header-sub"> Introduction to the Ghidra API </div>
    <div class="bci-header-author">Dr. Kayla Afanador</div>
    
<br><br><br>

<div class="markdown-box">
<div class="markdown-text">

<div id="outline" class="outline">   
Notebook Outline 
</div>
<ol>
    <li><a href="#intro">Introduction to the Ghidra API</a></li>
    <li><a href="#funcs">Working with Functions</a></li>
    <li><a href="#decomp">Working with the Decompiler</a></li>
</ol>

    
 

<div class="markdown-box">
<div class="markdown-text">

<div id="intro">
<h1> Introduction to the Ghidra (v10.2) API</h1>
    </div>

The Ghidra API provides a set of classes and methods that you can use to access and manipulate data. In version 10.2, the API is available in both Java and Python, and it allows you to automate tasks, such as code analysis, program modification, and scripting.

The Ghidra API is organized into packages, e.g.:
<ol> 
    <li> ghidra.program.model</li>
    <li> ghidra.program.database</li>
    <li> ghidra.program.util</li>
    </ol> 
    
    
Reference: https://ghidra.re/ghidra_docs/api/

<div class="markdown-box">
<div class="markdown-text">

<div id="intro">
<h2> Freebies</h2>
    </div>

All scripts, when run, are handed the current state in the form of class instance variables. These variables are:

<ol> 
    <li> currentProgram </li>
    <li> currentAddress</li>
    <li> currentLocation</li>
    <li> currentSelection</li>
    <li> currentHighlight</li>
    </ol> 
    
Reference: https://ghidra.re/ghidra_docs/api/ghidra/app/script/GhidraScript.html

<div class="markdown-box">
<div class="markdown-text">
<details>
<summary>Example: Current program</summary>
<br><br>
    
Note: no additional imports are required. We get access to currentProgram automatically when running a Ghidra script. 

Package: ghidra.program.model.listing
Interface: Program 
    
```python
print "Program Info:"
program_name = currentProgram.getName()
creation_date = currentProgram.getCreationDate()
language_id = currentProgram.getLanguageID()
compiler_spec_id = currentProgram.getCompilerSpec().getCompilerSpecID()
print "%s: %s_%s (%s)\n" % (program_name, language_id, compiler_spec_id, creation_date)
```
    
Reference: https://ghidra.re/ghidra_docs/api/ghidra/program/model/listing/Program.html

<div class="exercise">

<div class="exercise-title">
<h2>Exercise: currentProgram </h2>
</div>


<div class="exercise-body">
    
<div class="exercise-body-subhead">
    <br/>Overview<br/> 
</div>
    
In this exercise we'll explore the Program interface and its corresponding methods (via currentProgram). 
    
    
<div class="exercise-body-subhead">
    <br>Procedure<br>
</div>

<ol class="indent-list">
    <li> Examine the currentProgram-related methods that are automatically available to you when you run a Ghidra script, e.g., getAddressFactory(), getExecutablePath(), getLanguage(), etc. </li> 
    <li> Explore the example code provided. </li> 
    <li> Using the example provided, use the Python interpreter to call and print the results of at least 5 methods accessible from the interface. </li> 
    <li> Test your script against a single binary. </li>    
</ol>


<div class="markdown-box">
<div class="markdown-text">

    
<h3>Student Work</h3>


<div class="markdown-box">
<div class="markdown-text">

<div id="funcs">
<h1> Working with Functions </h1>
    </div>
    
You can use the Ghidra API to access functions in a binary. 
    
Some key methods: 
    
* getFunction(address)
* getFunctionAt(address)
* getFunctions(boolean)
   
   
<table class="fancy-table" style="font-size:12px">
<thead><tr>
<th>Modifier and Type</th>
<th>Method</th>
<th>Description</th>
</tr>
</thead>
<tbody>
    
<tr id="i3" class="rowColor">
<td class="colFirst"><code>Variable</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink">getAllVariables</span>()</code></th>
<td class="colLast">
<div class="block">Returns an array of all local and parameter variables</div>
</td>
</tr>
<tr id="i5" class="rowColor">
<td class="colFirst"><code>java.util.Set&lt;Function&gt;</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink">getCalledFunctions</span>(TaskMonitor&nbsp;monitor)</code></th>
<td class="colLast">
<div class="block">Returns a set of functions that this function calls.</div>
</td>
</tr>
<tr id="i9" class="rowColor">
<td class="colFirst"><code>java.util.Set&lt;Function&gt;</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink">getCallingFunctions</span>(TaskMonitor&nbsp;monitor)</code></th>
<td class="colLast">
<div class="block">Returns a set of functions that call this function.</div>
</td>
</tr>
<tr id="i18" class="altColor">
<td class="colFirst"><code>java.lang.String</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink">getName</span>()</code></th>
<td class="colLast">
<div class="block">Get the name of this function.</div>
</td>
</tr>

</tbody></table>

<div class="markdown-box">
<div class="markdown-text">
<details>
<summary>Example: Getting functions</summary>
<br><br>

   
Here's an example from ghidra_basic.py 
    
```python
# Get the current program's function names
function = getFirstFunction()
while function is not None:
    print function.getName()
    function = getFunctionAfter(function)
```
---
    
Alternative: https://ghidra.re/ghidra_docs/api/ghidra/program/model/listing/Program.html
    
```python
# 1. Get the function manager
# https://ghidra.re/ghidra_docs/api/ghidra/program/model/listing/FunctionManager.html
func_manager = currentProgram.getFunctionManager()

# 2. Get a function iterator (True = iterate forward through the program)
# https://ghidra.re/ghidra_docs/api/ghidra/program/model/listing/FunctionIterator.html
func_iterator = func_manager.getFunctions(True)

# 3. Access some function methods!
# https://ghidra.re/ghidra_docs/api/ghidra/program/model/listing/Function.html
for func in func_iterator:
    print func.getName()  # TODO: try other Function methods here
```

<div class="exercise">

<div class="exercise-title">
<h2>Exercise: Working with Functions </h2>
</div>


<div class="exercise-body">
    
<div class="exercise-body-subhead">
    <br/>Overview<br/> 
</div>
    
In this exercise you'll write a Ghidra script to access the following methods for each function in the program: 
    
<ul> 
    <li> getAllVariables() </li> 
    <li> getCalledFunctions(TaskMonitor monitor) </li> 
    <li> getCallingFunctions(TaskMonitor monitor) </li> 
    <li> getName() </li> 
    </ul> 
    
<div class="exercise-body-subhead">
    <br>Procedure<br>
</div>

<ol class="indent-list">
    <li> Review the example code provided (Example: Getting functions)</li> 
    <li> Expand the code to access the above members for each function identified </li> 
    <li> Test your code against a single program </li> 
    <li> Upon success rerun the code 
    


<div class="markdown-box">
<div class="markdown-text">

<h1> The TaskMonitor </h1>
    
In the Ghidra API, the TaskMonitor is an interface that allows you to monitor and control long-running tasks. It provides methods for checking the status of a task, updating progress, and canceling a task.

We typically do not need to create a TaskMonitor object ourselves. 


<div class="alert alert-block alert-info" style="background-color: white; border: 2px solid; padding: 10px">
    <b><i class="fa fa-info-circle" aria-hidden="true"></i>&nbsp; TaskMonitor</b><br>
    <p style="color: black">
        For example, 
    </p>
<div>

```python
# Prototype (a DecompInterface method):
#   decompileFunction(Function func, int timeoutSecs, TaskMonitor monitor)
decompileFunction(func, 10, None)  # default TaskMonitor
```
<br>
<p style="color: black">
Alternatively, we can create our own TaskMonitor implementation and pass it as a parameter to the function call.
</p>
<br>

```python
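from ghidra.util.task import TaskMonitorAdapter

class MyMonitor(TaskMonitorAdapter):
    # TODO: override some TaskMonitor methods, e.g. setMessage()
    pass

my_monitor = MyMonitor()
decompileFunction(func, timeoutSecs, my_monitor)  # my_monitor (custom) TaskMonitor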
```    
</div>
</div>
<br><br>    


Reference: https://ghidra.re/ghidra_docs/api/ghidra/util/task/TaskMonitor.html
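
The following is an added example, not part of the original notebook or of Ghidra's own scripts. It combines the Function methods from the table above with a TaskMonitor, stopping early when the task is cancelled. It assumes `monitor`, the TaskMonitor that GhidraScript hands to every script alongside `currentProgram`; the helper names `summarize_functions` and `unreferenced` are hypothetical.

```python
# Added example: per-function summary that honours the TaskMonitor.
# Written for a Ghidra (Jython 2.7) script. The helpers only call
# Function/TaskMonitor methods, so they can also be imported outside Ghidra.

def summarize_functions(program, task_monitor):
    """Return one dict per function; stop early if the task is cancelled."""
    rows = []
    functions = program.getFunctionManager().getFunctions(True)  # True = forward
    for func in functions:
        if task_monitor.isCancelled():
            break  # cancelled: return what was collected so far
        task_monitor.setMessage("Summarizing " + func.getName())
        callees = sorted(f.getName() for f in func.getCalledFunctions(task_monitor))
        callers = sorted(f.getName() for f in func.getCallingFunctions(task_monitor))
        rows.append({
            "name": func.getName(),
            "variables": len(func.getAllVariables()),  # locals + parameters
            "calls": callees,
            "called_by": callers,
        })
    return rows


def unreferenced(rows):
    """Names of functions with no recorded callers (heuristic:
    entry points, functions reached only through pointers, or unused code)."""
    return [row["name"] for row in rows if not row["called_by"]]


try:
    # currentProgram and monitor are injected by Ghidra when run as a script.
    _program, _monitor = currentProgram, monitor
except NameError:
    _program = None  # imported outside Ghidra: only define the helpers

if _program is not None:
    summary = summarize_functions(_program, _monitor)
    for row in summary:
        print("%s: %d vars | calls: %s | called by: %s" % (
            row["name"], row["variables"],
            ", ".join(row["calls"]), ", ".join(row["called_by"])))
    print("No callers: %s" % ", ".join(unreferenced(summary)))
```
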

----