Riding Dragons: capa Harnesses Ghidra | Mandiant

Mandiant integrated capa v7 into Ghidra using two Python 3 scripts, bringing capa’s capability detections into Ghidra’s UI (symbol tree entries, bookmarks, and inline comments) and providing a text-mode output usable in Ghidra’s console or headless analyzer. The work includes a Ghidra analysis backend that extracts program features via the Ghidra API and CI tests to validate the integration. #capa #Ghidra

Keypoints

  • Integration implemented as two Python 3 scripts: capa_explorer.py (UI integration) and capa_ghidra.py (text output).
  • Requires Ghidrathon to enable Python 3 scripting inside Ghidra; scripts are placed in ghidra_scripts or added via Script Manager.
  • capa_explorer.py adds matched functions into Ghidra’s Symbol Tree under capa rule namespaces, creates bookmarks linked to MITRE ATT&CK/MBC mappings, and inserts comments showing matched capabilities/features.
  • capa_ghidra.py produces text-based capa output that reflects interactive database changes and can run in Ghidra’s Console or via analyzeHeadless for automation/batch processing.
  • The integration includes a Ghidra backend that uses Ghidra’s API (e.g., FunctionManagerDB, FunctionDB) to extract strings, disassembly, basic blocks, and control flow for capa’s feature detection.
  • Continuous Integration workflows (GitHub Actions) install capa, Ghidra, and Ghidrathon and run tests across multiple Python 3 versions to ensure correctness.
  • Planned improvements include a dedicated Ghidra extension to simplify installation and integrating capa’s FLIRT matching engine with Ghidra’s FunctionID analyzer.

MITRE Techniques

  • No specific MITRE ATT&CK technique IDs or names are cited – The article notes that capa rules may map to MITRE ATT&CK and the Malware Behavior Catalog (MBC) but does not list particular Txxxx techniques.

Indicators of Compromise

  • No concrete IOCs provided – The post mentions extracting indicators (for example, from functions that implement persistence) but does not include specific IPs, domains, file names, or hashes.

To install and run the integration, follow the README on the project's GitHub, then place capa_explorer.py and capa_ghidra.py into your ghidra_scripts directory or add their parent directory via Ghidra's Script Manager. Both scripts depend on Ghidrathon for Python 3 support inside Ghidra; once it is installed you can run the scripts from the Script Manager, or run capa_ghidra.py in headless mode through Ghidra's analyzeHeadless for automated/batch processing, passing the capa rules path as the script argument (example: analyzeHeadless <project_path> <project_name> -Import <sample_path> -PostScript capa_ghidra.py "<capa_rules_path>").

capa_explorer.py augments Ghidra’s UI by adding matched functions into the Symbol Tree under namespaces that reflect capa rule namespaces, inserting comments at function starts and inline to show matched capabilities and features, and creating bookmarks for rules mapped to MITRE ATT&CK or MBC to aid pivoting to documentation. capa_ghidra.py mirrors capa’s standalone text output inside Ghidra’s Console and respects any interactive database edits (useful after unpacking or revealing hidden code), making it suitable both for interactive analysis and automated pipelines.
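The following Ghidrathon script is an added illustration of the three annotation types described above (Symbol Tree namespaces, function comments, and ATT&CK/MBC bookmarks); it is not capa_explorer.py or any other code from the capa project. Instead of running capa's Ghidra feature extractor inside Ghidra, it reads a result file produced by a standalone `capa -j` run and writes the matches into the open program, so the planning step is plain Python that can be exercised outside Ghidra. Assumptions: Ghidrathon 4 exposes `currentProgram()` and `getScriptArgs()` as functions, capa's JSON keeps its `rules -> <name> -> meta/matches` layout with `[location, match]` pairs, and the embedded result document is constructed sample data, not real capa output.

```python
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple

ATTACK_KEYS = ("tactic", "technique", "subtechnique")  # fields of an ATT&CK entry in capa's JSON
MBC_KEYS = ("objective", "behavior", "method")         # fields of an MBC entry in capa's JSON


@dataclass
class Annotation:
    address: int                       # capa "absolute" match location
    namespaces: List[Tuple[str, ...]]  # Symbol Tree paths, e.g. ("capa", "persistence", "registry", "run")
    comment: str                       # plate comment for the containing function
    bookmarks: List[Tuple[str, str]]   # (category, text) pairs for ATT&CK / MBC mappings


def _format_spec(spec: dict, keys: Tuple[str, ...]) -> str:
    return f"{spec.get('id', '?')} " + "::".join(spec[k] for k in keys if spec.get(k))


def plan_annotations(result_doc: dict, root: str = "capa") -> List[Annotation]:
    """Pure-Python step: turn a `capa -j` result document into per-address annotations."""
    per_addr = defaultdict(lambda: {"rules": [], "namespaces": set(), "bookmarks": []})
    for name, rule in result_doc.get("rules", {}).items():
        meta = rule.get("meta", {})
        if meta.get("lib"):
            continue  # library rules are matching helpers, not capabilities worth annotating
        namespace = meta.get("namespace", "")
        ns_path = (root,) + tuple(p for p in namespace.split("/") if p)
        tags = [(f"{root}/ATT&CK", f"{name}: {_format_spec(a, ATTACK_KEYS)}") for a in meta.get("attack", [])]
        tags += [(f"{root}/MBC", f"{name}: {_format_spec(m, MBC_KEYS)}") for m in meta.get("mbc", [])]
        seen = set()
        for location, _match in rule.get("matches", []):  # capa emits [location, match-tree] pairs
            if location.get("type") != "absolute" or location["value"] in seen:
                continue  # file-scope ("no address") matches have nowhere to annotate
            seen.add(location["value"])
            entry = per_addr[int(location["value"])]
            entry["rules"].append((name, namespace))
            entry["namespaces"].add(ns_path)
            entry["bookmarks"].extend(tags)
    plan = []
    for addr in sorted(per_addr):
        e = per_addr[addr]
        lines = [f"{root}: {n}" + (f" [{ns}]" if ns else "") for n, ns in sorted(e["rules"])]
        plan.append(Annotation(addr, sorted(e["namespaces"]), "\n".join(lines), e["bookmarks"]))
    return plan


def apply_plan(plan: List[Annotation], program) -> int:
    """Ghidra-only step: write the plan into a Program; returns the number of functions annotated."""
    from ghidra.program.model.listing import CodeUnit
    from ghidra.program.model.symbol import SourceType

    listing, symtab = program.getListing(), program.getSymbolTable()
    bookmarks = program.getBookmarkManager()
    space = program.getAddressFactory().getDefaultAddressSpace()
    annotated = 0
    for item in plan:
        func = listing.getFunctionContaining(space.getAddress(item.address))  # block-scope hits sit inside a function
        if func is None:
            continue
        entry = func.getEntryPoint()
        for path in item.namespaces:
            ns = program.getGlobalNamespace()
            for part in path:
                ns = symtab.getOrCreateNameSpace(ns, part, SourceType.USER_DEFINED)
            symtab.createLabel(entry, func.getName(), ns, SourceType.USER_DEFINED)  # shows under capa/... in the Symbol Tree
        existing = listing.getComment(CodeUnit.PLATE_COMMENT, entry)
        listing.setComment(entry, CodeUnit.PLATE_COMMENT, (existing + "\n" if existing else "") + item.comment)
        for category, text in item.bookmarks:
            bookmarks.setBookmark(entry, "Note", category, text)
        annotated += 1
    return annotated


# Constructed sample shaped like capa's `-j` output, trimmed to the fields used above.
SAMPLE_RESULT = {"rules": {
    "persist via Run registry key": {
        "meta": {"namespace": "persistence/registry/run",
                 "attack": [{"id": "T1547.001", "tactic": "Persistence",
                             "technique": "Boot or Logon Autostart Execution",
                             "subtechnique": "Registry Run Keys / Startup Folder"}],
                 "mbc": [{"id": "F0012", "objective": "Persistence",
                          "behavior": "Registry Run Keys / Startup Folder"}]},
        "matches": [[{"type": "absolute", "value": 4198400}, {}],
                    [{"type": "absolute", "value": 4198400}, {}]]},
    "contain loop": {"meta": {"namespace": "", "lib": True},
                     "matches": [[{"type": "absolute", "value": 4198400}, {}]]},
    "resolve function by hash": {
        "meta": {"namespace": "linking/runtime-linking",
                 "mbc": [{"id": "C0051", "objective": "Defense Evasion",
                          "behavior": "Obfuscated Files or Information", "method": "API Hashing"}]},
        "matches": [[{"type": "absolute", "value": 4199000}, {}]]},
    "compiled with MSVC": {"meta": {"namespace": "compiler/msvc"},
                           "matches": [[{"type": "no address"}, {}]]},
}}

if __name__ == "__main__":
    # Assumes Ghidrathon 4+, where script state is exposed as functions.
    args = getScriptArgs()  # noqa: F821 (provided by Ghidra at runtime)
    if not args:
        raise SystemExit("usage: pass the path of a `capa -j` result file as the script argument")
    with open(args[0], encoding="utf-8") as fh:
        doc = json.load(fh)
    print(f"annotated {apply_plan(plan_annotations(doc), currentProgram())} function(s)")  # noqa: F821
```

Matches are resolved to the containing function rather than the raw match address, so basic-block scope hits annotate the function that owns them, and duplicate locations for one rule are collapsed so a rule that matches several times in one function produces a single comment line and one bookmark per mapping. Re-running the script on the same program appends to the existing plate comment rather than overwriting it.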

The Ghidra backend implemented for capa extracts program features using Ghidra’s API (e.g., FunctionManagerDB to enumerate imports/exports and functions, FunctionDB to get basic blocks and instructions) so capa can detect strings, control flow, and other features necessary for its rule engine. The project includes GitHub Actions CI that installs capa, Ghidra, and Ghidrathon and runs tests across multiple Python 3 versions; future work aims to provide a full Ghidra extension to simplify installation and to integrate capa’s FLIRT matching engine with Ghidra’s FunctionID to improve library function identification.

Read more: https://www.mandiant.com/resources/blog/capa-harnesses-ghidra