Mike Bell speaking at the Jailbreak Brewing Company Security Summit on Friday, October 11, 2019.
In this talk, Mike will explore the many ways to extend Ghidra. He will demonstrate writing scripts with Java and Python that interact with the component managers, using the interactive console to explore program characteristics in real-time, and how to create custom data types and apply them to programs.
Integration of Ghidra with Eclipse will be demonstrated. Mike will show how the Ghidra ExtensionPoint interface works, its interaction with the class loader, and common extension points of interest. How to write binary format loaders will be briefly discussed, as well as the steps required to start writing plugins and analyzers in order to publish them as official Ghidra Extensions.
(Source: Jailbreak Brewing Company)
Mike Bell: [00:00:38:23] Thank you. So this Ghidra walks into a bar and says, "Hey, how would you like to have a free SRE tool?" Bartender says, "I don't know." Thank you. So about me, I'm Mike J Bell, yes I know, wake up, it's after lunch. I worked on the Ghidra development team for eight years from 2007-2015 and taught a number of the courses. And I love esoteric languages like Elixir and Clojure, any love for crazy languages here? No, okay.
Mike Bell: [00:01:28:00] So, today what we are going to do is we are going to take a tour of the ways to extend Ghidra, from the simple to the complex. This entire slide deck is going to be available afterwards, so don't worry if you're not able to keep up with this. I've got a lot of stuff to show, not a lot of time. So we're going to go over scripting, the python interpreter, eclipse integration, Ghidra modules and some low-level hooks.
Mike Bell: [00:01:55:12] Scripting. This is the easiest way for you to customize Ghidra's behavior. We have two different ways to access Ghidra internals, there's an easy API and then the more complex program object model. And we're going to talk about a little bit of both of them. It's got really powerful integration with the GUI so it's easy to make things look pretty even when you're only writing a script. Open something called the Script Manager, this is what allows users to organize their clips, their scripts and edit them. Integrate them essentially with the code browser tool.
Mike Bell: [00:02:46:22] So what it does is, it organizes this for you and lets you search for them and change your script paths. One thing that you should do if you're using Ghidra is go and look at the example scripts. On the left side of the script manager here, you're going to see the category type. Down here is examples, click on that and all of these you are going to see are examples of how to write scripts. They're easy to understand, usually they're commented well so this is a great place for you to jump off when you're starting to develop.
Mike Bell: [00:03:25:06] Now Ghidra right now supports Java and Python scripts. Java has great integration with Eclipse and it lets you migrate your code easier to some of the harder things like plug-ins and analyzers that we will talk about later. But Python is shorter to write and has an interpretor.
Mike Bell: [00:03:45:19] What are Java GhidraScripts? Technically it's not really a script, it's compiled as subclass GhidraScript. GhidraScript itself is a subclass of FlatProgramAPI and it's linked into a running instance of Ghidra dynamically.
Mike Bell: [00:04:04:09] Let's just go about the steps to make a simple script. You press the new script button which looks like a little scroll with a plus, in the script manager. Then you choose Java and the directory that you want to put it into.
Mike Bell: [00:04:23:05] When the built in editor pops up you'll notice it's very rudimentary, it's basic, nothing like Codecompletion or anything like that. But it works whether or not you have Eclipse or any other editor. Now you're free to use whatever editor of choice you want to use. So in the examples for the screen shots here, I used a great editor, Tracey, called Adam. Lets talk about the stuff that goes up at the top, you're given a template when you make a new script. And you have six pieces of metadata that are going to help you integrate with Ghidra. The first line is a description, it's a short little description that gets put into the tool, that lets people know what is going to happen when they run they script. Second is the author, obviously for blaming people; the category organizes it in that tree that I showed you. And then there are three things that help you with the GUI integration; key binding, menu path and tool bar which is an icon. As long as these things are 'in tool', you're going to get this kind of integration with the GUI and it's really, really powerful, really slick.
Mike Bell: [00:05:37:05] I mentioned FlatProgramAPI in GhidraScript, what are they? Basically it's exactly what it says, it takes the program API and flattens it out so it's not object orientated. And as a result it's really easy for you to find methods to do what you want. It almost never changes. I think the last fully breaking change to GhidraScript happened in 2008 and I believe I was responsible for it. So yeah it's very, very stable and it helps you when you're first learning about where things are.
Mike Bell: [00:06:18:19] So lets take a look at FlatProgramAPI method, here's one called create label. It takes an address, a string and a bullion whether or not to make it primary. When you look in the code you see, well that one's actually a passthrough to this other that also lets you define the source type. And then the implementation: you'll see it goes down here and you have to get the current program and you have to get the symbol table, then you create your label and you make it primary. It's like a whole bunch of stuff that you don't want to have to type each time. So it's a convenience method, not only in the amount of crud that you have to do, but it's also not deep inside some object orientated API that you don't know yet.
Mike Bell: [00:07:04:08] Now the internal program API though, it's a very strong object model, it's organized in a whole bunch of managers like the listing which has bytes in it. I'm sorry, listing has code units which are like instructions or data. The memory has bytes. Function manager which takes care of functions; datatypesmanager, data types etc. All of these are sort of in this realm, this universe of things for you to use that are part of a program.
Mike Bell: [00:07:39:10] At this point I'm going to show a really simple script, I call it Ledger. And what it does is it makes alternating ledger lines out of your code units. It's kind of like the old green and white fan fold paper, if you remember that from printers. No? Yeah, maybe, okay so I'll find that on Wikipedia and send that to you guys. So for category I'm going to call it selection, there's already an existing category for that. The key binding is shift-L, there is nothing else mapped to that so I made it shift-L. The menu path actually exists in Ghidra, all the way up to the final bit. So select program highlight ledger and this last bit, I've cached up png. It turns out when you put in your icons here, they have to be part of the class path. So unless you're making a module, you have use one of the built in icons so you have to search for it. I just happen to know that this is a cool one, looks like a lightning bolt.
Mike Bell: [00:08:53:09] When you select this thing that I was talking about before called 'in tool', so I've got my script manager open here. I click on this check box and you're going to see all of these wonderful things happen like, here my key binding is shift-L, so I can run it if I just hit shift-L. Over here in the select program highlight, I have ledger. And then also way over here you'll notice that along with all the other tools like the memory map and registers etc, you see the ledger icon, this cache.png. So all of that happened just because of that metadata, very powerful.
Mike Bell: [00:09:35:03] Lets take a look at this script body. I have my class name, I extend GhidraScript, I've got a constant here. And the only thing I really have to do is override this method run. And so what this does is for every code unit in the current program .getlisting, it checks to see if the user canceled because you don't want to leave the user unresponsive if they say no, no, stop. And then if the count mod is 2.0, I set the background color. Fairly simple and the results are like this. Now if you seen Ghidra you'll notice here that I have the peak code on, so this is especially helpful I think to be able to see and delineate between the instructions. When you're trying to read the peak code and make sure every thing's happening the way that you think it's happening.
Mike Bell: [00:10:29:11] Just to highlight the difference between GhidraScript and the object model. This loop iteration here, I had to get into the object model by saying current program, .getlisting, .getcodeunits, so that is actually kind of a de-call. Whereas set background color, that's part of GhidraScript. So this demonstrates both styles in the same script.
Mike Bell: [00:10:59:08] Hidden gem, this is probably the one thing that anybody who's written scripts will hopefully take away from this. This is something that you should really consider. If you're doing lots of crazy disassembling in your script, like you've got some kind of embedding platform and auto analysis just isn't doing it for you. You go and you do a bunch of a disassembling and then you've got to create some cross references and make some symbols. You are going to be fighting with the auto analysis manager, so as soon as that code gets created, it's like trying to beat you. So if you know more about your program than you think the auto analysis manager does, override this method and return suspended. And what this does is says, hold off, don't do the auto analysis until I'm done with my script, then you can go ahead. This is has saved me many, many times when I actually know more about what the binary needs to look like, than the auto analysis manager.
Mike Bell: [00:12:00:22] Scripting Python, so why Python? It's awesome, it inherits the same environment as GhidraScript. You get great integration with Java because it's Jython and in most cases you can reduce the wordiness of your scripts.
Mike Bell: [00:12:18:09] What I did here is just transliterated ledger.py or ledger.java into ledger.py. And you can see the only real differences here, you've got the Python comment at the front of the metadata and a much shorted import line. It's about nine lines shorter than the java version but very much similar.
Mike Bell: [00:12:45:20] So lets talk about the interpreter. I love the interpreter, honestly, I'm a REPL guy, people also call it the console. It's really neat because it's just like a Ghidra or PythonScript, it has the same environment so you can access the current program and the tool and everything. But it's got auto completion, it's got command history and you can access the Ghidra Java doc from inside of your session.
Mike Bell: [00:13:16:18] For instance, if I'm in the Python Interpreter and I just type current and hit tab, it's going to show me all of the things that can complete. These are the standard five that you get with GhidraScript.
Mike Bell: [00:13:31:16] Or I say help on create selection, I happen to know this is a method. If you didn't know you can just type create and tab. So help on create selection and it's going to search through the API and give me the java doc because that's all built in.
Mike Bell: [00:13:49:02] Lets talk about custom datatypes, I'm not really going to go into the datatype manager per se because this is a short talk. But if you're used to making datatypes the long way, you can also make them programatically. I put into this little script snippet here what I need to do. I've imported the datatypes that I want to use and then I just say, well my important struct is a new one of these guys. I give it a zero length and I add these fields to them. And when I type that into the interpreter and do create data, voila: it just shows up. This is really powerful, this datatype is now actually in my datatype manager.
Mike Bell: [00:14:39:05] Lets talk about customization, we want to use some helper methods here in the interpreter. So I'm going to define these methods in editor, I've got this method called Here and it just returns the function at the address that I'm on. And Select which kind of does a bunch of different things, if you don't pass it anything, it clears a selection. If you say, give it a function, it'll select the entire body or it will select numbers of bytes. And I really want to have this available every single time I launch Ghidra.
Mike Bell: [00:15:15:14] I paste the entire buffer in that window and down here you can see the interpreter isn't stuck; one plus two is three. But when I try to launch here, it says, I don't know what that is. So what's going on? Well new lines don't get recognized as statement separators when you paste the expressions in there. Lets back up a second, why would we want to paste in this corpus of functions anyway? That seems kind of wrong, what happens when you keep adding methods to this? We really want a start up script. Ghidra doesn't have this right now, I would imagine they're probably going to be putting this in in about 15 minutes. But, I've hacked in a start up script. So what we're going to do is, we're going to change the Ghidra launcher to make sure that we're in a consistent working directory.
Mike Bell: [00:16:10:10] If you look in Ghidra.run down here on line 19, this is the actual magic that launches it here. What we do is we say, cd to the script_dir and do the rest. So we're always going to be in that Ghidra.run launch directory. Once we do that, now you can just use execfile on 'init.py' which is what I named that file, saved it in that directory and boom, I have my functions. So if you're used to doing things on the command line, if you like dynamic languages, you're going to be using the Console, this is a great way for you to just keep extending your capabilities on the command line.
Mike Bell: [00:16:56:02] Let's talk about Eclipse integration. Getting started with scripting is really, really easy with Eclipse, it's what the Ghidra developers use, so they've made sure that it's very easy and seamless, it's integrated well. And it also is the way for you to write more complex customizations, modules, which we will talk about in a minute. The other thing that's really, really amazing is that you can start Ghidra from within Eclipse and then debug it. This really helps is you're writing a complex script and you're like, why isn't this doing what I want it to do, you can debug it.
Mike Bell: [00:17:35:22] How do we set this up? First thing we're going to do is we're going to click on this Eclipse icon in the script manager. Notice I have my ledger.java selected here. And the first time we run we have to set up some stuff up, so it'll say the Eclipse installation directory is not defined, do you want to verify your options? Yes we do. So what you have to do here to bring up this configuration, you have to click on this to say where Eclipse is installed. On Windows and Linux this is fairly straightforward. If you're on a Mac, Mac hides stuff. So you're going to want to look in your Eclipse directory and then something that looks like java contents, MacOS. And that's where the real Eclipse executable is.
Mike Bell: [00:18:28:13] With all of that out of the way, we will click on Eclipse and see what happens. We got more set up to do. First thing we have to do here is create a GhidraScript project, it's going to try to open that ledger.java but it's nowhere in a class path. Do you want to create this project? Yes because there's a ton of integration that goes into this that's going to help you out. You have got to choose a name, in this case GhidraScript is great.
Mike Bell: [00:18:59:02] Finally in Eclipse, it will show you your script. So this is ledger.java, you can see on the left side here, my project has all kinds of read only scripts that are delivered with Ghidra. And what I wanted to show right at the end here is that I typed in create and did the control space for Eclipse. And it's showing me, once again, what are all of the available methods because I'm a GhidraScript or because I'm a FlatProgramAPI because those are connected.
Mike Bell: [00:19:39:05] Ghidra modules. You'll see they are sometimes called extensions, they are heavy weight java projects. You get access to basically anything inside of Ghidra. You can create new GUI components and you can also deliver these packages. So you have some kind of really, really great thing that you're writing and you want the whole world to have it, instead of them having to have source and whatever, you can package it up and just give it to them. It used to be called contribs if anybody remembers that.
Mike Bell: [00:20:15:23] Lets create a sample module project. In Eclipse you go under file, new project and because of the integration with Ghidra, you'll have this plug-in right here that says, Ghidra module project. So that's the kind of project that you want to create. I called this one sample module and now you have a whole bunch of templates that it's going to come with that are populated and show you examples. Select all of them because you want to see what all of these things can do.
Mike Bell: [00:20:56:14] Now this is important, it's going to ask you for the Ghidra installation. It's not completely apparent right now, but when you release your module, you are tied to this particular version right now. It doesn't mean you can't recompile and redistribute for another version, it's just that the one that you actually build will be tied to this.
Mike Bell: [00:21:19:14] Enable Python if would you like. And here's your project layout and you'll note by default the package that they put everything is, is sample module which is the name of the project you created. You can change that to whatever com.youreanawesomecompany.ghidra.whatever.
Mike Bell: [00:21:42:17] When we're creating these modules and we're developing, you want to launch Ghidra from within Eclipse because it sets up the class path and makes sure you have access to all of the components that you're developing. So if you look under the launch menu here, this is the debug one. You'll see your module is right in there, so that's how you want to run Ghidra while you're developing.
Mike Bell: [00:22:11:11] These are the sample module templates provided, coincidently they are what we're going to talk about for the rest of the module's module. Analyzers: very important analyzers operate on a single program. That means that if you have some kind of crazy script that needs to operate on two different programs, it's not going to work. Analyzers are only on one. You have fine grain control over when it runs, under what circumstances. You don't have GhidraScript methods but you can use the FlatProgramAPI, all you have to do is instantiate one with your program. So you can use some of the easier more basic methods in it.
Mike Bell: [00:23:01:02] Looking at analyzer type, by the way, I didn't mention this but all of this is out there. All of the sources are there so when I'm referencing these things in the code, you could go right now and see this. Analyzer type specifies under what circumstances your analyzers going to run. A byte analyzer runs when a memory block is added for instance. An instruction analyzer runs when instructions are created and so on and so forth. Now one little caveat down here, you'll see this one-shot analyzer and that means it's not going to respond to any events. It only shows up in the one-shot menu but that doesn't mean that your other analyzers can't do that as well. And we'll see that in just a second.
Mike Bell: [00:23:49:17] So what do we have to implement here to get an analyzer to work? First of all you have to have a constructor, appropriately with the short name, the description and what type of analyzer it is. And like I was just saying here, you can say, hey I support one-time analysis, you just say that right there in the constructor. Now there are two methods that you have to override that are kind of confusing: they both return bullions. The first one here we'll talk about is getDefaultEnablement. This means in the auto analysis manager, should I be enabled all the time? Now let's say that what you do, takes three hours and it's incredibly complex and it only has 85% chance of being right. You should totally turn that off, don't be default enabled, let the user choose when to run that. But if you're always right or you're 15 milliseconds or whatever, sure. You can return that my default enablement is true.
Mike Bell: [00:24:53:08] Then there's the other side of that coin which is canAnalyze. That means am I available for this program at all? So, in my example here to you, I'm making an analyzer that's going to do basically what the ledger script did. So obviously the ledger script can go and alternate and make those colored bands on any program. But I wanted to show you an example of constraining your canAnalyze by a particular binary type. This is a good way here to say, well if the program language processor equals X86 and the default space size is 64, then yes I can run. It's totally contrived in this example but that's how you would do it.
Mike Bell: [00:25:46:19] Registering options, this is if you ever bring up the auto analysis manager and you select one of the analyzers, you'll see a bunch of options. So if you need to provide options to this user, this where you would do it. And then this is the meat right here. So added, the reason why it's called added of course it because it's sort of like an event when instructions are added or bytes are added. Added is like the run method in a script. You get a program, you get an address set view which is like a range of what has changed. You get a task monitor so that you're not spinning and user can't cancel. And a message log in case you need to say anything to the user, something that was out of the ordinary. And so you look at this and it's quite a bit longer than the script. I had to a lot more stuff, I had to check to make sure I'm not in headless mode. I have to go get an analysis manager and get a service. This is a lot more hard core once I get into the full, I'm developing a module but it does the same thing.
Mike Bell: [00:26:59:06] But how do we know it's there? We'll bring up analysis options on some program and right here you'll see ledger lines. Default enablement is no. But over here in the one-shot menu you can also see I said, be available for one-shot and there it is.
Mike Bell: [00:27:22:14] Lets switch gears and we'll go to plug-ins. This is the Swiss Army knife. They allow access to the GUI, event notification systems, basically anything. You could do literally anything with this, you could tie Ghidra to another SRE tool in real time and synchronize events. You could make a space-curve display of byte ranges. Integrate a graphing service, you can do whatever you want to with a plug-in.
Mike Bell: [00:27:52:20] We're not going to go over anything crazy, we're going to do the sample source code. Like I said, the sample templates are very, very good. What the sample does is, it creates a dockable panel, recall that Ghidra has all those dockable panels you can put wherever and tab them and separate them into their own windows. The action that's provided with that dockable panel in the sample, just opens a modal dialog with the dragon. We're going to omit the source so I won't bore you with that, but when you launch it, where is the plug-in? Because most likely you've installed this and then you run it and you're like, I can't find my stuff. So lets go take a peek.
Mike Bell: [00:28:36:13] In your code browser, you're going to want to go to file configure. And then up here there's this plug says, configure all plug-ins. So click on that guy and you'll see sample module plug-in. This is where your thing appears and it's not configured to be in your tool. If you click on that, all of a sudden the docking window appears with this action. You click on that action and you get the nice custom dialog.
Mike Bell: [00:29:16:16] Lets talk about loaders. Loaders are basically what Ghidra uses to import a program, think PE, COFF, Mach-O etc. They have two responsibilities, one is to examine the file, take a look and say, hey can I do this? And the other one is to actually do the loading so both of those have to be done. Implementation details are way beyond this presentation. If you go and look at something like ELF loader it will make you crazy, how complex it is. But we're going to look at those two important methods real quick.
Mike Bell: [00:29:57:21] The first one is findSupportedLoadSpecs and you get this ByteProvider which is basically like a random access file. And so what it needs to do is say, hey I'm looking into this file and yeah, I can load this or no. So as it is, this makes an empty list and returns it so it means I can't do it. But a note on these LoadSpecs, just something to keep in the back of your mind. It's possible for a loader to say, yeah I know how to load this but I don't know what the processor is at all, and I need to make the user choose. That's what this is, when you read the source in LoadSpec, if you're implementing a loader, that's what this means. It says, you know what I can load I just don't know what it is, I don't know what the architecture is.
Mike Bell: [00:30:50:14] And then load does all the hard work, it creates memory blocks, makes symbols, cross references. And it takes that LoadSpec that the user selected and the LoadSpec really is kind of like an opinion when you think about it. It's like, "I think that this is how you should do it," and sometimes there are conflicts. So the user has to be presented with those different opinions.
Mike Bell: [00:31:20:18] Lets briefly talk about FileSystems. FileSystems are incredibly complex but they're very, very useful. They're containers of file-like objects like tar, zip, APKs, IPAs, etc. If you ever run into a specialized binary delivery format for your embedded device, you might want to develop a FileSystem that would be able to pull this apart. We're not going to look at any code but there are two things that I want to point you in the right direction for. One is the sample source code, the sample FileSystem has a ton of comments in it and it's really going to be crucial to your understanding what the life cycle is for a FileSystem. Another good one to look at is the ZipFileSystem, what this does is forms a bridge between Java's ability to open a zip file and Ghidra's ability to open a zip file. If you have some sort of library that knows how to open your particularl format, then you can make a bridge to Ghidra.
Mike Bell: [00:32:32:20] Last one is exporters. An exporter saves parts or all of the Ghidra program externally. The one caveat on this is that you only have one file object that you can put this into. You can't split it up into multiple files.
Mike Bell: [00:32:52:18] This sample one here is about writing book marks out, I just convert them to text and write them to a text file. What I do here is I say, my name is bookmarks, my suffix is text, my options: I just left this in here so that you can see it in the screen shot, I don't really have any options. And what I do is, I make a print writer and inside of my loop here which basically loops over all of the bookmarks and the bookmark manager. I go and I just print to that print writer, the bookmark.twostring and it actually makes it look nice.
Mike Bell: [00:33:33:02] Using the exporter, you can see file export program, then right in here format, bookmark shows up. That's your exporter. And then if you click on options here, once again this is where your option name/option value goes here. Like the ASCII output will say how big do you want to have various listing fields, you know, for their widths. So if you need options, you put them right in there.
Mike Bell: [00:34:04:12] Packaging, so this is obviously very important once you make your awesome module, you've got your plug-in, you've got your analyzers. You need to give it to somebody. So we're going to create an installable package. Go under file, export, this is Eclipse. And once again, Ghidra integration, we've got Ghidra module extension. It's going to ask you which module project do you want to use, in this case sample module. Then it will ask you to configure Gradle, just leave that as is. It's very complex, they know what they're doing. Press finish and wait for the result and in this case it takes about under a minute to package all this thing up because it's not very big. And then you'll notice it says, I created this zip file that has Ghidra 904, that's the one that we selected, in this particular directory.
Mike Bell: [00:35:08:04] Now how do we install that? First thing you do is you copy the zip file to the appropriate directory. In this case I copied this zip file which Gradle told me it was creating, into this directory, it's always this kind of directory. The Ghidra version/extensions/Ghidra; that's where it needs to go. And now we still have some work to do from the front end of Ghidra. We choose file, install extensions, select the module right up here. Press okay and it'll ask you to restart. Now, open a tool and it's going to say this to you, hey new extension plug-ins detected, would you like to configure them? So we say yes and once again, it brings up this configure and you have to select this to have it show up in your tool. You'll notice the plug-in is in our window menu, so it's available.
Mike Bell: [00:36:21:08] Lets briefly talk about low-level hooks. This is like the very heart of the extensible system. Basically you don't need to be messing around in here, if you are, please contact the Ghidra team and apply. If you look at the very, very beginnings of an application and it's a little bit difficult to trace this down. But basically what happens is, this perform class searching happens in the very beginning, and then perform module initialization. What is that? It turns out if you make a module initializer in your module, you will get it run for free as soon as Ghidra starts coming up. So if you need to do something like clean up or any kind of registration, the foundation initializer registers a whole bunch of pluggable services into the registry, or the FileSystem initializer cleans up old temp databases. If you need something to happen at the very beginning, put it here.
Mike Bell: [00:37:40:21] Finally ExtensionPoint, almost all components are extensible. The class searcher which we saw a couple of slides back here, perform class searching. That class searcher is going to dynamically load ExtensionPoints. But the suffix of the name of the ExtensionPoint has to be in an extensions.manifest file. If you don't have one in there, your module has to have an extensions.manifest with that suffix in it. Very rare to create a new ExtensionPoint and let me show you why. You can see here it's a marker class and in Eclipse I went and showed the class hierarchy. Just the top level of this has an amazing number of abstract classes and sub-interfaces. Most likely you're going to be able to find something along the lines of what you want to do already in here.
Mike Bell: [00:38:44:22] I was told I had to have cats. This is Buttons and Pumpkin. I want to especially thank Jailbreak for having me and the Fortigo team for their editing skills. And a guy by the name of Brian Knighton, who's a fantastic friend. That's it, I have time for some questions.
Mike Bell: [00:39:13:07] Thank you.
Male Announcer: [00:39:22:09] Any questions for Mike?
Male Audience Member: [00:39:24:17] You said the slides are available [INAUDIBLE]?
Mike Bell: [00:39:27:18] They're probably not available right this second but they will be as soon as we get done, they will be up and available. And if you're shy and you've got some other really specific technical questions, just come find me. Yes, sir?
Male Audicence Member #2: [00:39:43:13] How could you use extensions? Do you have to do it through Eclipse or is there another way?
Mike Bell: [00:39:49:05] You can run Gradle yourself. I have never done it that way because it's just so complex, but yes, you can run it from the command line, definitely. I think there was one back here, yes sir?
Male Audience Member #3: [00:40:06:15] Are there any plug-ins that exist that are out there that you've used or that you recommend, do you think?
Mike Bell: [00:40:15:08] So the question was are there any plug-ins that are out there that I would recommend using, and I'm really glad you asked that question because it brought up something that I didn't cover at the very beginning of the presentation. And that's that so far I've only seen scripts, I have not seen plug-ins in the wild. And so I think it would be really, really fantastic if only three of you said, you know what I'm going to take my awesome analysis and I'm going to make a module out of it. So right now I can't say that there are any out there that I use. But please make some.
Male Audicence Member #3: [00:40:51:11] So the follow up to that question is then what plug-ins does Ghidra need?
Mike Bell: [00:40:58:08] Oh goodness, I don't know, I mean, it really does everything right? You know, I'm really not sure, I think that the one that I had up there about plug-ins being able to do graphing service. I mean, Ghidra has the function graph which is fantastic for just looking at a single function. But being able to see all of the functions and how they inter-relate, and like EVM was talking about being able to discern your libraries, that would be something that would be really useful as integrate like a graphing service. Anyone else?
Male Audicence Member #4: [00:41:47:11] You've been working on Ghidra for years and you have kind of seen it go out the door and publicly released. I was wondering higher level you covered it in the presentation in parts, but how do you want to see it evolve next?
Mike Bell: [00:42:04:15] Thanks, I was probably the second person to advocate for it to be publicly released and the simple fact is, the team can't keep up with all the changes in the industry. I mean, there are constantly processor variants that are being released and new tweaks to loaders and all that kind of stuff that has to happen. And so what I really want to have happen is for this to get into academia, and to have young people that are hungry and underpaid get into this and use Ghidra as their platform. A good friend of mine said he went to BlackCat and saw all these talks and these people would just stand up there, their stovepipe analysis engines. And 75% of all of those could be handled by the Ghidra framework essentially. And so I think it's a great launch point for a lot deeper analysis. So yeah, hitting the colleges, that would be the best thing.