{"id":13843290,"url":"https://github.com/cmu-sei/kaiju","last_synced_at":"2025-04-05T02:11:03.390Z","repository":{"id":37751604,"uuid":"336323310","full_name":"cmu-sei/kaiju","owner":"cmu-sei","description":"CERT Kaiju is a binary analysis framework extension for the Ghidra software reverse engineering suite. This repository is a \"mirror\" -- please file tickets, bug reports, or pull requests at the upstream home in @CERTCC: https://github.com/certcc/kaiju","archived":false,"fork":false,"pushed_at":"2024-11-14T14:36:21.000Z","size":1526,"stargazers_count":126,"open_issues_count":1,"forks_count":33,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-03-29T01:13:35.951Z","etag":null,"topics":["binary-analysis","ghidra","reverse-engineering"],"latest_commit_sha":null,"homepage":"https://github.com/certcc/kaiju","language":"Java","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cmu-sei.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-02-05T16:17:06.000Z","updated_at":"2025-02-21T15:10:17.000Z","dependencies_parsed_at":"2023-09-25T00:42:31.853Z","dependency_job_id":"6d21f34f-424d-4eab-9643-e6d361815bae","html_url":"https://github.com/cmu-sei/kaiju","commit_stats":{"total_commits":132,"total_committers":8,"mean_commits":16.5,"dds":0.5075757575757576,"last_synced_commit":"a2ba4f7a3271bfd84a9dc4628cc27968ca292dd9"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cmu-sei%2Fkaiju","tags_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cmu-sei%2Fkaiju/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cmu-sei%2Fkaiju/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cmu-sei%2Fkaiju/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cmu-sei","download_url":"https://codeload.github.com/cmu-sei/kaiju/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247276189,"owners_count":20912288,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["binary-analysis","ghidra","reverse-engineering"],"created_at":"2024-08-04T17:01:58.824Z","updated_at":"2025-04-05T02:11:03.286Z","avatar_url":"https://github.com/cmu-sei.png","language":"Java","funding_links":[],"categories":["Java"],"sub_categories":[],"readme":"![Dynamic YAML Badge](https://img.shields.io/badge/dynamic/yaml?url=https%3A%2F%2Fgithub.com%2FCERTCC%2Fkaiju%2Fraw%2Fmain%2F.github%2Fworkflows%2Frelease_on_tag.yml\u0026query=%24.jobs.build_kaiju.strategy.matrix.ghidra_version\u0026label=Supported%20Ghidra%20versions)\n![release_on_tag Badge](https://github.com/CERTCC/kaiju/actions/workflows/release_on_tag.yml/badge.svg)\n![run_tests_on_push_pr Badge](https://github.com/CERTCC/kaiju/actions/workflows/run_tests_on_push_pr.yml/badge.svg)\n\n# CERT Kaiju Binary Analysis Framework for GHIDRA\n\nCERT Kaiju is a collection of binary analysis tools for\n[Ghidra](https://ghidra-sre.org).\n\nThis is a Ghidra/Java implementation of some features\nof the [CERT Pharos Binary 
Analysis Framework][pharos], \nparticularly the function hashing and malware analysis tools,\nbut is expected to grow new tools and capabilities over time.\n\nAs this is a new effort, this implementation does not yet have full\nfeature parity with the original C++ implementation based on ROSE;\nhowever, the move to Java and Ghidra has actually enabled some new\nfeatures not available in the original framework -- notably, improved\nhandling of non-x86 architectures. Since some significant\nre-architecting of the framework and tools is taking place, and the\nmove to Java and Ghidra enables different capabilities than the C++\nimplementation, the decision was made to use new branding\nto reduce confusion between implementations\nwhen discussing the different tools and capabilities.\n\nOur intention for the near future is to maintain both the\noriginal Pharos framework as well as Kaiju, side-by-side,\nsince both can provide unique features and capabilities.\n\nCAVEAT: As a prototype, there are many issues that may come up when\nevaluating the function hashes created by this plugin. For example,\nunlike the Pharos implementation, Kaiju's function hashing module will\ncreate hashes for very small functions (e.g., ones consisting of a single\ninstruction such as RET), which causes many more unintended collisions\nand therefore spurious matches between unrelated programs. As\nsuch, analytical results may vary between this plugin and Pharos\nfn2hash.\n\n## Installation\n\n[Pre-built Kaiju packages][prebuilts] are available. Simply download\nthe ZIP file corresponding with your version of Ghidra and install\naccording to the instructions below.
It is recommended to install via\nGhidra's graphical interface, but it is also possible to manually\nunzip into the appropriate directory to install.\n\nCERT Kaiju requires the following runtime dependencies:\n- [Ghidra](https://ghidra-sre.org) 10.3.x, 10.4.x, 11.0.x, 11.1.x, or 11.2.x\n- JDK 21 (or 17 for older Ghidra releases)\n- [Z3](https://github.com/Z3Prover/z3) including Z3 Java bindings .jar\n\nZ3 is provided pre-compiled as part of the pre-built packages,\nor you may build Z3 on your own or use your Linux distribution's package.\n\n### Graphical Installation\n\nStart Ghidra, and from the opening window, select from the menu:\n`File \u003e Install Extension`. Click the plus sign at the top of the\nextensions window, navigate and select the .zip file in the file\nbrowser and hit OK. The extension will be installed and a checkbox\nwill be marked next to the name of the extension in the window\nto let you know it is installed and ready.\n\nThe interface will ask you to restart Ghidra to start using\nthe extension. Simply restart, and then Kaiju's extra features will\nbe available for use interactively or in scripts.\n\nSome functionality may require enabling Kaiju plugins. To do this,\nopen the Code Browser then navigate to the menu `File \u003e Configure`.\nIn the window that pops up, click the `Configure` link below\nthe \"CERT Kaiju\" category icon. A pop-up will display all available\npublicly released Kaiju plugins. Check any plugins\nyou wish to activate, then hit OK. You will now have access to\ninteractive plugin features.\n\nIf a plugin is not immediately visible once enabled, you\ncan find the plugin underneath the `Window` menu in the Code Browser.\n\nExperimental \"alpha\" versions of future tools may be available from\nthe \"Experimental\" category if you wish to test them. However\nthese plugins are definitely experimental and unsupported and not\nrecommended for production use. 
We do welcome early feedback though!\n\n### Manual Installation\n\nGhidra extensions like Kaiju may also be installed manually\nby unzipping the extension contents into the appropriate directory\nof your Ghidra installation. For more information, please see\n[The Ghidra Installation Guide](https://ghidra-sre.org/InstallationGuide.html#Extensions).\n\n### Build It Yourself\n\nYou can also build the Kaiju extension directly from source code.\nSee the `INSTALL.md` file included in the top Kaiju source directory.\n\n## Usage\n\nKaiju's tools may be used either in an interactive graphical way,\nor via a \"headless\" mode more suited for batch jobs.\nSome tools may only be available for graphical or headless use,\nby the nature of the tool.\n\n### Interactive Graphical Interface\n\nKaiju creates an interactive graphical interface (GUI) within Ghidra\nutilizing Java Swing and Ghidra's plugin architecture.\n\nMost of Kaiju's tools are actually Analysis plugins that run automatically\nwhen the \"Auto Analysis\" option is chosen, either upon import of\na new executable to disassemble, or by directly choosing\n`Analysis \u003e Auto Analyze...` from the code browser window. You will\nsee several CERT Analysis plugins selected by default in the Auto Analyze\ntool, but you can enable/disable any as desired.\n\nThe Analysis tools must be run before the various GUI tools will work,\nhowever. 
In some corner cases, it may even be helpful to run the\nAuto Analysis twice to ensure all of the metadata is produced\nto create correct partitioning and disassembly information, which\nin turn can influence the hashing results.\n\nAnalyzers are automatically run during Ghidra's analysis phase and include:\n- **DisasmImprovements** = improves the function partitioning of the\n  disassembly compared to the standard Ghidra partitioning.\n- **Fn2Hash** = calculates function hashes for all functions in a program\n  and is used to generate YARA signatures for programs.\n\nThe GUI tools include:\n- **GhiHorn** = a plugin to calculate paths and reachability in\ncontrol flow graphs, utilizing Z3.\n    - Select `Kaiju \u003e GhiHorn` to access this tool from Ghidra's CodeBrowser.\n      You can also launch the plugin by pressing `CTRL-G`.\n- **Function Hash Viewer** = a plugin that displays an interactive list\nof functions in a program and several types of hashes. Analysts can use this\nto export one or more functions from a program into YARA signatures.\n    - Select `Window \u003e CERT Function Hash Viewer` from the menu to get started\n    with this tool if it is not already visible. A new window will appear\n    displaying a table of hashes and other data. Buttons along the top\n    of the window can refresh the table or export data to file or\n    a YARA signature. This window may also be docked into the main\n    Ghidra CodeBrowser for easier use alongside other plugins.\n    More extensive usage documentation can be found in\n    Ghidra's `Help \u003e Contents` menu when using the tool.\n- **OOAnalyzer JSON Importer** = a plugin that can\nload, parse, and apply Pharos-generated OOAnalyzer results to object\noriented C++ executables in a Ghidra project. When launched, the\nplugin will prompt the user for the JSON output file produced by\nOOAnalyzer that contains information about recovered C++\nclasses. 
After loading the JSON file, recovered C++ data types and\nsymbols found by OOAnalyzer are updated in the Ghidra Code\nBrowser. The plugin's design and implementation details are described\nin our SEI blog post titled [Using OOAnalyzer to Reverse Engineer\nObject Oriented Code with Ghidra][ooanalyzer-blog].\n    - Select `Kaiju \u003e OOAnalyzer Importer` from the menu to get started\n    with this tool. A simple dialog popup will ask you to\n    locate the JSON file you wish to import.\n    More extensive usage documentation can be found in\n    Ghidra's `Help \u003e Contents` menu when using the tool.\n\n\n### Command-line \"Headless\" Mode\n\nGhidra also supports a \"headless\" mode allowing tools to be run\nin some circumstances without use of the interactive GUI.\nThese commands can therefore be utilized for scripting and\n\"batch mode\" jobs over large numbers of files.\n\nThe headless tools largely rely on Ghidra's GhidraScript functionality.\n\nHeadless tools include:\n- **fn2hash** = automatically run Fn2Hash on a given program\nand export all of the hashes to the CSV file specified\n- **fn2yara** = automatically run Fn2Hash on a given program\nand export all hash data as YARA signatures to the file specified\n- **fnxrefs** = analyze a Program and export a list of Functions,\nidentified by entry point address, that have cross-references in\ndata or other parts of the Program\n\nA simple shell launch script named `kaijuRun` has been included to run\nthese headless commands for simple scenarios, such as outputting the\nfunction hashes for every function in a single executable.\nAssuming the `GHIDRA_INSTALL_DIR` variable is set, one might\nfor example run the launch script on a single executable as follows:\n\n```\n$GHIDRA_INSTALL_DIR/Ghidra/Extensions/kaiju/kaijuRun fn2hash example.exe\n```\n\nThis command writes the results to an automatically named file,\n`example.exe.Hashes.csv`.\n\nBasic help for the `kaijuRun` script is available by
running:\n\n```\n$GHIDRA_INSTALL_DIR/Ghidra/Extensions/kaiju/kaijuRun --help\n```\n\nPlease see the `docs/HeadlessKaiju.md` file in the repository\nfor more information on using this mode and\nthe `kaijuRun` launcher script.\n\n### Further Documentation and Help\n\nMore comprehensive documentation and help are available in one\nof two formats.\n\nSee the `docs/` directory for Markdown-formatted documentation\nand help for all Kaiju tools and components. These documents\nare easy to maintain and edit, and can be read even from a command line.\n\nAlternatively, you may find the same documentation in Ghidra's\nbuilt-in help system. To access these help docs,\nfrom the Ghidra menu, go to `Help \u003e Contents`\nand then select `CERT Kaiju` from the tree navigation on the\nleft-hand side of the help window.\n\nPlease note that the Ghidra Help documentation is the exact\nsame content as the Markdown files in the `docs/` directory;\nthanks to an in-tree gradle plugin, gradle will automatically\nparse the Markdown and export it to Ghidra HTML during the build\nprocess.
This allows even simpler maintenance (update docs in\njust one place, not two) and keeps the two in sync.\n\nAll new documentation should be added to the `docs/` directory.\n\n\n## Licensing\n    \nThis software is licensed under a simplified BSD-style license\nby the Software Engineering Institute at Carnegie Mellon University.\nPlease find full details of this license, as well as licensing terms\nof dependencies used in this project, in the `LICENSE.md` file\nin the root of this repository.\n\nThe CERT Kaiju logo is based on [art][logo] created by Cameron Spahn,\noriginally released under terms of\n[Creative Commons Attribution-Share Alike 4.0 International license][logo-license].\n\n\n[pharos]: https://github.com/cmu-sei/pharos\n[prebuilts]: https://github.com/certcc/kaiju/releases\n[ooanalyzer-blog]: https://insights.sei.cmu.edu/sei_blog/2019/07/using-ooanalyzer-to-reverse-engineer-object-oriented-code-with-ghidra.html\n[logo]: https://commons.wikimedia.org/wiki/File:RapatorCameronSpahn.jpg\n[logo-license]: https://creativecommons.org/licenses/by-sa/4.0/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcmu-sei%2Fkaiju","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcmu-sei%2Fkaiju","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcmu-sei%2Fkaiju/lists"}
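The README above describes running `kaijuRun fn2hash` headlessly to get one CSV row per function, and warns that Kaiju hashes even single-instruction functions, which inflates collisions. The following Python script is an added example, not code from the Kaiju project or this README: it post-processes such a CSV by dropping functions below a minimum instruction count and then reporting the position-independent-code (PIC) hashes shared between two files, flagging whether the raw bytes were identical too. The column names `filemd5`, `fn_addr`, `num_instructions`, `num_bytes`, `exact_hash` and `pic_hash` are assumed from the Pharos fn2hash layout; check the header line of your own Kaiju output and adjust `REQUIRED_COLUMNS` if it differs. The embedded CSV is constructed sample data with placeholder hash values.

```python
import csv
import io
from collections import defaultdict

# Assumed column names (Pharos fn2hash layout). Verify against the header
# line of a real Kaiju fn2hash CSV before relying on this layout.
REQUIRED_COLUMNS = ("filemd5", "fn_addr", "num_instructions",
                    "num_bytes", "exact_hash", "pic_hash")

# Constructed sample data for two files; hash values are placeholders.
# Rows with num_instructions == 1 model the single-RET functions the
# README warns about: they collide across unrelated programs.
SAMPLE_CSV = """filemd5,fn_addr,num_instructions,num_bytes,exact_hash,pic_hash
aaaa0001,0x401000,1,1,e1,p1
aaaa0001,0x401010,24,71,e2,p2
aaaa0001,0x401080,40,133,e3,p3
bbbb0002,0x10001000,1,1,e1,p1
bbbb0002,0x10001020,24,71,e9,p2
bbbb0002,0x10001100,17,52,e5,p5
"""


def load_hashes(text, min_instructions=5):
    """Parse fn2hash CSV text and drop functions that are too small to match on.

    Returns the kept rows as dicts with num_instructions converted to int.
    Raises ValueError when a required column is absent, so a layout mismatch
    fails loudly instead of silently yielding zero matches.
    """
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        raise ValueError(f"fn2hash CSV is missing expected columns: {missing}")
    kept = []
    for row in reader:
        try:
            n = int(row["num_instructions"])
        except (TypeError, ValueError):
            continue  # malformed row: skip it rather than abort a batch job
        if n >= min_instructions:
            row["num_instructions"] = n
            kept.append(row)
    return kept


def load_hashes_from_path(path, min_instructions=5):
    """Convenience wrapper for a CSV written by `kaijuRun fn2hash`."""
    with open(path, newline="", encoding="utf-8") as fh:
        return load_hashes(fh.read(), min_instructions)


def index_by_pic_hash(rows):
    """Map pic_hash -> filemd5 -> list of function entry addresses."""
    index = defaultdict(lambda: defaultdict(list))
    for row in rows:
        index[row["pic_hash"]][row["filemd5"]].append(row["fn_addr"])
    return index


def shared_functions(rows):
    """List PIC hashes that occur in more than one file.

    byte_identical is True when every occurrence also shares the exact hash,
    i.e. the bytes match verbatim; False means the code matched only after
    masking address-dependent bytes (relocated or rebased copies).
    """
    index = index_by_pic_hash(rows)
    shared = []
    for pic, files in sorted(index.items()):
        if len(files) < 2:
            continue
        exact = {r["exact_hash"] for r in rows if r["pic_hash"] == pic}
        shared.append({
            "pic_hash": pic,
            "files": sorted(files),
            "byte_identical": len(exact) == 1,
        })
    return shared


if __name__ == "__main__":
    rows = load_hashes(SAMPLE_CSV, min_instructions=5)
    for match in shared_functions(rows):
        kind = "identical bytes" if match["byte_identical"] else "PIC-only match"
        print(f"{match['pic_hash']}: {', '.join(match['files'])} ({kind})")
```

Raising `min_instructions` is the knob that trades recall for precision: at 1 the constructed data reports the trivial `p1` function as shared, at 5 only the 24-instruction `p2` function survives, and its `byte_identical` flag is False because the two copies differ in exact hash, which is what a rebased or relinked copy of the same routine looks like.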