This Ghidra extension enables you to run symbolic execution on the binary you are analysing in Ghidra.
- Install Python 3 on your computer (you can use PyPy, which may have better performance)
- Create a Python 3 virtualenv, e.g.: `python3 -m venv ~/pcode_venv`
- Activate the virtualenv, e.g.: `source ~/pcode_venv/bin/activate`
- Use pip to install the Python dependencies: `pip install angr pypcode ghidra_bridge`
- Install the Ghidra bridge server scripts: `python -m ghidra_bridge.install_server ~/ghidra_scripts`
For already built releases, please see the Releases page.
The recommended way to build the extension is using the GhidraDev Eclipse plugin, but you can also build from the command line:
- Install gradle using your package manager. I've successfully built with gradle version 6.8.3 and 7.2; other versions aren't tested.
- Run `GHIDRA_INSTALL_DIR=/path/to/ghidra gradle`, replacing `/path/to/ghidra` with the directory containing your Ghidra installation.
- The extension will be placed in the `dist/` directory as a zip file.
- Start Ghidra using the `ghidraRun` script
- Click on `File->Install Extensions...`
- Install the extension zip file; if you built it yourself it will be in the `dist/` directory
- Restart Ghidra
- Open the CodeBrowser tool by selecting a file. You will be prompted: "New extension plugins detected. Would you like to configure them?"
- Select "Yes", then tick the box next to the "PcodeSym" plugin, then click OK
- In the CodeBrowser window, navigate to `Tools->PcodeSym->Set python3 interpreter` and select the location of your Python 3 interpreter (e.g. `~/pcode_venv/bin/python`)
- Select the location to start the symbolic execution in the code listing, right click and select `PcodeSym->Set->Source Address`
- Select the location to stop the symbolic execution in the code listing, right click and select `PcodeSym->Set->Sink Address`
- For any addresses that you wish to avoid during symbolic execution, right click them and select `PcodeSym->Add->Avoid Address`
- Run the symbolic execution by starting the "RunSolve.py" script in the Ghidra script manager
This symbolic execution works by sending the P-code from Ghidra to the python3 interpreter using the ghidra bridge.
Your python3 interpreter will then use the P-code engine in Angr to perform the symbolic execution.
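The following is an added example, not the extension's own RunSolve.py, showing the same source/sink/avoid model driven directly through angr's pypcode-backed engine. It assumes the binary is loaded from disk (rather than P-code arriving over ghidra_bridge), that stdin is the symbolic input to solve for, and that the address strings come from the Ghidra listing.

```python
# Added example (not PcodeSym's RunSolve.py): explore with angr's P-code engine
# from a source address to a sink address, never stepping into avoid addresses.
# Assumption: the binary is loaded from disk instead of received over the bridge,
# and the bytes read from stdin are the symbolic input being solved for.
import re

def parse_ghidra_addr(text):
    """Parse an address as shown in Ghidra ('ram:00401000', '00401000')
    or as written in a script ('0x401000'); returns an int."""
    text = text.strip()
    if ":" in text:                       # drop an address-space prefix such as 'ram:'
        text = text.rsplit(":", 1)[1]
    if not re.fullmatch(r"(0[xX])?[0-9a-fA-F]+", text):
        raise ValueError("not a hex address: %r" % text)
    return int(text, 16)

def solve_source_to_sink(binary_path, source, sink, avoid=(), stdin_len=64):
    """Symbolically execute from `source` until `sink` is reached, pruning any
    state that touches an `avoid` address. Returns concrete stdin bytes that
    reach the sink, or None if no path was found."""
    import angr      # imported lazily so the parsing helper works without angr
    import claripy
    proj = angr.Project(binary_path, auto_load_libs=False,
                        engine=angr.engines.UberEnginePcode)  # pypcode-backed lifter
    sym_stdin = claripy.BVS("stdin", 8 * stdin_len)            # fully symbolic input
    state = proj.factory.blank_state(addr=source, stdin=sym_stdin)
    simgr = proj.factory.simulation_manager(state)
    simgr.explore(find=sink, avoid=list(avoid))
    if not simgr.found:
        return None
    found = simgr.found[0]
    return found.posix.dumps(0)   # stdin bytes satisfying every constraint on the path

if __name__ == "__main__":
    import sys
    # usage: python solve.py ./target 0x401136 0x401180 [avoid ...]  (placeholder addresses)
    path, src, snk, *avoids = sys.argv[1:]
    result = solve_source_to_sink(path, parse_ghidra_addr(src), parse_ghidra_addr(snk),
                                  [parse_ghidra_addr(a) for a in avoids])
    print("no path found" if result is None else result)
```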