Introduction

Imagine you’re a security analyst who needs to triage a suspicious binary quickly, or a competitor in a Capture the Flag (CTF) event faced with a large binary to analyze. In either scenario the pressure is on and speed is paramount. This is where my process shines: by combining GitHub Actions, Capa, and Ghidra, it offers a swift and effective method for binary triage. This guide walks you through the process so you can get a first understanding of a binary file quickly, a significant advantage in time-critical situations. Let’s begin!

If you want to skip the blog post and see the code in action, check out the GitHub repository.
https://github.com/rand-tech/CBA

Terminology & Tools:

  • Binary triage: A process where a binary file (often executable or malware) is quickly analyzed to understand its basic functionalities and behaviors.

Prerequisites:

  • GitHub account:
    • We will be utilizing GitHub Actions, a powerful tool for automating tasks and processes.
  • Capa:
    • Mandiant FLARE’s capa identifies the capabilities of an executable by matching rules against its static features and reports them with ATT&CK and MBC mappings. We use its JSON output to feed Ghidra.
  • Analysis tool with headless operation support:
    • Options include IDA Pro, Binary Ninja, or Ghidra. For this guide, I’m using Ghidra, the software reverse engineering framework developed by the National Security Agency (NSA), because it is free and open-source and can run unattended in a CI job.

Process:

  • To start, commit the file to be analyzed and push it to your GitHub repository.
  • GitHub Actions then runs the workflow automatically, performs the analysis, and commits the results back to the repository.
  • The pipeline handles each file independently and in parallel, one job per file, using a matrix strategy.
    • For every file, four outputs are generated:
      • a markdown file for an easy-to-read overview,
      • a JSON file with the detailed, machine-readable Capa results (this is what gets passed into Ghidra),
      • a decompiled code file, so that the output is indexable by GitHub code search,
      • and a gzf file (a Ghidra program archive) to be imported into Ghidra for further analysis by the user.
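The two artifacts that carry the Capa results, the machine-readable JSON and the markdown overview, are straightforward to derive from `capa -j` output. The following is an added example and not code from the CBA repository. It works on a constructed sample in the capa JSON layout I am assuming here (a top-level "rules" object mapping each rule name to its "meta" and a list of [address, match] pairs, with "absolute" addresses for function-scope hits and ATT&CK entries carrying an "id"), builds the markdown table, and computes the per-function namespace, bookmark, and tag assignments that a Ghidra headless post-script would then apply through the Ghidra API (the Ghidra side itself is not shown).

```python
import json
from collections import defaultdict

# Constructed sample shaped like `capa -j sample.exe` output, trimmed to the
# fields this script reads. Addresses and rule hits are made up for the demo.
SAMPLE_CAPA_JSON = json.dumps({
    "meta": {"sample": {"path": "sample.exe", "sha256": "0" * 64}},
    "rules": {
        "create process": {
            "meta": {
                "name": "create process",
                "namespace": "host-interaction/process/create",
                "scopes": {"static": "function", "dynamic": "thread"},
                "attack": [{"tactic": "Execution", "technique": "Native API", "id": "T1106"}],
            },
            "matches": [
                [{"type": "absolute", "value": 0x401000}, {}],
                [{"type": "absolute", "value": 0x402200}, {}],
            ],
        },
        "write file on Windows": {
            "meta": {
                "name": "write file on Windows",
                "namespace": "host-interaction/file-system/write",
                "scopes": {"static": "function", "dynamic": "thread"},
                "attack": [],
            },
            "matches": [[{"type": "absolute", "value": 0x401000}, {}]],
        },
        "contain a resource (.rsrc) section": {
            "meta": {
                "name": "contain a resource (.rsrc) section",
                "namespace": "executable/pe/section/rsrc",
                "scopes": {"static": "file", "dynamic": "file"},
                "attack": [],
            },
            # File-scope rules carry no function address (assumed layout).
            "matches": [[{"type": "no address"}, {}]],
        },
    },
})


def parse_capa(text):
    """Reduce a capa JSON document to {rule: {namespace, attack, addresses}}.

    Only 'absolute' addresses are kept; file-scope rules report no address
    and end up with an empty address list.
    """
    doc = json.loads(text)
    result = {}
    for name, rule in doc["rules"].items():
        meta = rule["meta"]
        addrs = sorted({
            addr["value"]
            for addr, _match in rule.get("matches", [])
            if addr.get("type") == "absolute"
        })
        result[name] = {
            "namespace": meta.get("namespace", ""),
            "attack": sorted(a["id"] for a in meta.get("attack", []) if "id" in a),
            "addresses": addrs,
        }
    return result


def to_markdown(parsed, sample_name):
    """Render the overview table that the workflow commits as <file>.md."""
    lines = [
        "# capa results for `%s`" % sample_name,
        "",
        "| Rule | Namespace | ATT&CK | Functions |",
        "| --- | --- | --- | --- |",
    ]
    for name in sorted(parsed):
        info = parsed[name]
        funcs = ", ".join("0x%x" % a for a in info["addresses"]) or "(file scope)"
        attack = ", ".join(info["attack"]) or "-"
        lines.append("| %s | %s | %s | %s |" % (name, info["namespace"], attack, funcs))
    return "\n".join(lines) + "\n"


def ghidra_annotations(parsed):
    """Per-function annotations for a Ghidra post-script to apply.

    A function hit by several rules gets every rule as a function tag and one
    bookmark per rule. Its Ghidra namespace is the alphabetically first capa
    namespace among its hits, because a function can live in only one.
    """
    by_addr = defaultdict(lambda: {"tags": set(), "bookmarks": set(), "namespace": None})
    for name, info in parsed.items():
        for addr in info["addresses"]:
            entry = by_addr[addr]
            entry["tags"].add(name)
            entry["bookmarks"].add("capa: %s (%s)" % (name, info["namespace"]))
            if entry["namespace"] is None or info["namespace"] < entry["namespace"]:
                entry["namespace"] = info["namespace"]
    return {
        addr: {"tags": sorted(e["tags"]), "bookmarks": sorted(e["bookmarks"]), "namespace": e["namespace"]}
        for addr, e in by_addr.items()
    }


if __name__ == "__main__":
    parsed = parse_capa(SAMPLE_CAPA_JSON)
    print(to_markdown(parsed, "sample.exe"))
    print(json.dumps({"0x%x" % a: v for a, v in ghidra_annotations(parsed).items()}, indent=2))
```

In the workflow the same functions would read the real `capa -j` output for each matrix entry; the dictionary returned by `ghidra_annotations` is what a headless post-script iterates over, looking up the function containing each address and creating the namespace, bookmark, and tags for it.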

Evaluation:

  • Here’s our Workflow in action:

    Workflow screenshot

  • Artifacts:

    Artifacts screenshot
    Artifacts (decompiled code, gzf, JSON, markdown)

    We can see that the Capa results have been applied inside Ghidra and are visible as namespaces, bookmarks, and function tags.

    Results screenshot

Future Directions:

Future directions for this project include:

  • Broadening file format and tool support.
  • Incorporating dynamic analysis artifacts.
  • And more!

Conclusion:

  • In just 2 minutes and 45 seconds, I’ve effectively leveraged the capabilities of GitHub Actions, Capa, and Ghidra to execute a smooth and effective binary analysis process.
  • This showcases the potential of these tools when combined, offering rapid, high-quality analysis of executable files.

Notes:

This is a draft:

  • I will be releasing the source code for this workflow soon. 😉
  • UPDATE: I’ve released the project at github.com/rand-tech/CBA 🎉