Community Forms | Video Overview
Released as open source by RevEng.ai - https://reveng.ai
The RevEng.AI Toolkit allows you to interact with our API from within Ghidra. This allows you to upload your currently open binary for analysis, and use it for Binary Code Similarity to help you Reverse Engineer stripped binaries.
- Upload the current binary for analysis
- Automatically rename all functions above a confidence threshold
- Show similar functions and their names for one selected function
The latest stable version of the RevEng.AI Toolkit for Ghidra can be downloaded from the Releases page.
- Launch Ghidra.
- Navigate to the Install Extensions window.
File
->Install Extensions...
- Click the green "+" icon at the top-right corner.
- Select the downloaded ZIP file to load the plugin into Ghidra.
- Click the "OK" button to exit the Install Extensions window.
- Restart Ghidra when prompted.
Once installed, you can enable the plugin via the Configure
tool.
- Navigate to Ghidra's Configure tool
File
->Configure
- Click
Configure
under theRevEng.AI
plugin group - Select the checkbox next to each of the plugins you want to enable
Each plugin is dependent on the CorePlugin
, for instance, by enabling the BinarySimularityPlugin
you will automatically enable the CorePlugin
.
In this section, we provide an example workflow for our plugin that uses test binaries from src/test/resources
.
Once the plugin is loaded, there will be additional controls in the toolbar under RevEngAI Toolkit
.
The first thing we need to do is configure the tool with our API key and the host to use.
When you load the plugin for the first time, or by selecting RevEngAI -> Run Setup Wizard
, you will be guided through the configuration process.
Enter your API Key from the RevEng.AI Portal into the API Key field where they will be validated and saved for future use.
You are now ready to upload a binary.
Import src/test/resources/fdupes
into Ghidra and then create a new RevEng analysis, by going to RevEngAI Toolkit -> Create New Analysis for Binary
.
We are using
fdupes
with symbols to allow the model to learn what these functions look like, and to provide meaningful labels that we can use later to rename similar binaries.
You can check the status of your request by selecting Check Analysis Status
from the same menu.
Starting an analysis also triggers a background Ghidra thread that will periodically check the status
and pop a notification when the analysis is complete.
We now have uploaded fdupes
to our dataset, meaning we can now use it for our binary similarity tasks. Let's see how this works on a stripped version of fdupes.
Import src/test/resourcesfdupes.stripped
using the same steps as before. Once this has been completed, you can move on to the next step.
With fdupes.stripped
open in Ghidra, select a funtion in Ghidra's listing or decompiler view, and right-click -> Rename from Similar Functions
, or CTRL-Shift + R
.
This will open the function renaming window.
The list of functions is returned and displayed inside this panel for you.
You can then click Refresh
to update the returned functions based on updated parameters.
You can also batch analyse the binary to rename functions using the Auto Analyse
tool.
Move the slider to determine the confidence level you want to use for batch renaming. Any function returned that is higher than this value will automatically be renamed in the listing view. Clicking the start
button will kick off the analysis, which you can track in the blue progress bar
Use Fetch Similar Functions
to load matches from the API above the confidence threshold.
Once the results are retrieved, you can look at them more closely.
Each match is represented by a row in the table, and comes with various associated information
in each column. Not all of them are shown by default,
you can configure the displayed columns via the Add/Remove Columns
entry in the context menu of a column.
You can now simply accept all displayed results via the Apply Filtered Results
button,
or you can investigate them more closely yourself.
Ghidra comes with a powerful table including filtering and we integrate with this feature. Double-clicking a table entry will open the corresponding function in the listing view.
You can search by strings in all matches,
or you can access the advanced filter options via the Create Column Filter
button:
Here you can now set up more complex filters, e.g. if you only want to apply matches that satisfy certain criteria.
After you apply the filter, the Apply Filtered Results
button will only apply the matches that satisfy the filter.
Alternatively, you can select individual entries via Ctrl+Click
and Shift+Click
and apply only those via the
Apply Selected Results
button.
We welcome pull requests from the community.
The plugin is still undergoing active development currently, and we are looking for feedback on how to improve the plugin.
We have tried to decompose the plugin into a series of individual plugins dependent on a CorePlugin.
The CorePlugin provides services that are shared across all parts of the toolkit, namely configuration and API Services.
You should therefore group related features into a Feature Plugin, and then acquire services from the CorePlugin as required. This gives users the flexiblity to enable / disable features based on their use-case and/or preferences.
Gradle can be used to build REAIT from its source code.
-
Clone the REAIT for Ghidra GitHub repository.
git clone https://github.com/RevEngAI/reait-ghidra.git
-
Enter the repository and build with gradle.
cd reait-ghidra gradle -PGHIDRA_INSTALL_DIR=<ghidra_install_dir>
- Replace
<ghidra_install_dir>
with the path to your local Ghidra installation path.
- Replace
-
After building, the plugin ZIP file will be located in the
dist/
folder.
Developing in Eclipse is the prefered method, but it does require some setup on the developers part, below is a (non-exhaustive) summary of what you need to do.
- Import the project into Eclipse
- Under Preferences -> Gradle
- Add a Program Argument:
-PGHIDRA_INSTALL_DIR=PATH2GHIDRA
- Add a Program Argument:
- Link you project with Ghidra using GhidraDev
- Update your classpath to point at
jar
's inlib/
- Again this can be found in your project
preferences
- Again this can be found in your project
If you've found a bug in reait-ghidra, please open an issue via GitHub, or create a post on our Community Forms.
Plugin configuration is not appearing after installation:
Check that the downloaded folder is called reai-ghidra
and not reai-ghidra-2
due to multiple downloads of the same folder.