PyGhidra: Run a Java script

[bdemick]

Is it possible to run a Ghidra Java script from a standalone Python script? pyghidra.run_script doesn't quite seem to fit the bill as it looks to be mimicking analyzeHeadless, and if I remember correctly, the recommendation is to stay away from using the GhidraScript API in a standalone Python script. The ideal workflow for me would be to be able to choose existing scripts to run after loading the binary.

[ryanmkurtz]

I think my answer to this question is what you are looking for: #7932

[bdemick]

Attempted to mimic the referenced Java in a standalone PyGhidra script, and running into issues (I think similar to the ones we ran into in #7343), relevant code snippet:

import ghidra
from ghidra.program.model.listing import Program
from ghidra.program.util import ProgramSelection
from ghidra.app.plugin.core.analysis import AutoAnalysisManager
from ghidra.framework.plugintool import PluginTool
from ghidra.app.script import GhidraState, GhidraScriptUtil, GhidraScript, GhidraScriptProvider
from ghidra.framework.model import Project
from ghidra.program.model.address import AddressSet


def _findProject(tool: PluginTool) -> Project | None:
    if tool is not None:
        return tool.getProject()
    
    return None

# program is a valid Program object
analysisManager: AutoAnalysisManager = AutoAnalysisManager.getAnalysisManager(program)
tool: PluginTool = analysisManager.getAnalysisTool()
project: Project = _findProject(tool)
addr_set: AddressSet = AddressSet(program.getMinAddress(), program.getMaxAddress())
state: GhidraState = GhidraState(tool, project, program, program.getMinAddress(), ProgramSelection(addr_set), None)
...

It seems like the problem here is that the analysisTool attribute in the analysisManager object is None, which is I think what was encountered in the previous discussion.

[bdemick]

After digging a little more, it seems like pyghidra.run_script should be able to operate on an existing project, and I saw some language in a comment that implied that it should handle Java scripts. As such, I'm attempting another route that consists of:

1. Create a GhidraProject in /tmp/tmppmym16h8 called mybin_ghidra
2. Use AutoImporter to import binary
3. Save program returned by AutoImporter to project
4. Close the program and project

When this is done, in my temp folder I have a mybin_ghidra.gpr and a mybin_ghidra.rep, as well as .lock and .lock~ files. I would have expected the lock files to disappear after the project is closed. Regardless, I can now run:

/opt/ghidra/ghidra_11.3.1_PUBLIC/support/analyzeHeadless /tmp/tmppmym16h8 mybin_ghidra -process mybin -readOnly

Which runs autoanalysis as expected and completes successfully (and the lock files are gone, curiously) so the project that was created seems to be good. I then add a call to pyghidra.run_script after the program and project have been closed, to reopen the project and run a simple Java script:

pyghidra.run_script(prog_name,  # mybin
                    "/opt/ghidra/ghidra_11.3.1_PUBLIC/Ghidra/Features/Base/ghidra_scripts/HelloWorldScript.java",
                    project_location=tempdir,  # /tmp/tmppmym16h8 which contains mybin_ghidra.gpr and mybin_ghidra.rep
                    project_name=proj_name)  # mybin_ghidra

What ends up happening in this case is that pyghidra/core.py:_setup_project appends project_name to project_location, attempts to open that project, which fails because one doesn't exist there, so it creates one and then tries to import the specified binary since the project setup is now operating in the import path due to the openProject call failing. I retried in the debugger, and after the project_location is set in _setup_project, I changed it back removing the extra subfolder, which still resulted in openProject failing, and then tried going back to the initial project creation and adding the extra subfolder (project_name), which still ended up failing.

Kind of at a loss for what to try next. My expectation was that since analyzeHeadless can open and analyze the project just fine, this would work the same way, but I'm not finding that to be the case. I did go back and grab the exception thrown by the openProject call in _setup_project, which I've dropped below.

'Traceback (most recent call last):\n  File "GhidraProject.java", line 89, in ghidra.base.project.GhidraProject.openProject\nException: Java Exception\n\nThe above exception was the direct cause of the following exception:\n\nTraceback (most recent call last):\n  File "", line 117, in _setup_project\n    project = GhidraProject.openProject(project_location, project_name, True)\njava.io.java.io.IOException: java.io.IOException: Failed to open project: mybin_ghidra\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n  File "", line 193, in _get_py_dictionary\n    attr = getattr(var, name)\nAttributeError: Field \'args\' is static\n'

[ryanmkurtz]

Sounds like the same issue that was reported in #8040. Would you mind taking a look at that issue and letting me know if the solution will suit your needs? It's been implemented, but not released yet.

[bdemick]

Can't believe I missed that issue. Will give that a shot, although I'm not sure it will fix the traceback I dropped above, which occurs if I force the correct project location in the debugger or during project creation. I'm guessing that has something to do with project still being locked when trying to re-open it.

[ryanmkurtz]

@bdemick I've been working on a brand new PyGhidra API and was interested in getting your feedback. Here's an example script that does various generic things. Note there are no explicit imports of any Java classes to do this stuff.

https://github.com/ryanmkurtz/ghidra/blob/pyghidra_api/Ghidra/Features/PyGhidra/src/main/py/README.md#api

import os, jpype, pyghidra
pyghidra.start()

# Open our existing "Test" project
with pyghidra.open_project(os.environ["GHIDRA_PROJECT_DIR"], "ExampleProject", create=True) as project:

    # Walk a Ghidra release zip file, load every decompiler binary, and save them to the project
    with pyghidra.open_filesystem(f"{os.environ['DOWNLOADS_DIR']}/ghidra_11.4_PUBLIC_20250620.zip") as fs:
        loader = pyghidra.program_loader().project(project)
        for f in fs.files(lambda f: "os/" in f.path and f.name.startswith("decompile")):
            loader.source(f.getFSRL()).projectFolderPath("/" + f.parentFile.name)
            with loader.load() as load_results:
                load_results.save(pyghidra.dummy_monitor())

    # Analyze the windows decompiler program
    with pyghidra.program_context(project, "/win_x86_64/decompile.exe") as program:
        analysis_props = pyghidra.analysis_properties(program)
        with pyghidra.transaction(program):
            analysis_props.setBoolean("Non-Returning Functions - Discovered", False)
        pyghidra.analyze(program)
        program.save("Analyzed", pyghidra.dummy_monitor())
    
    # Walk the project and set a propery in each decompiler program
    def set_property(domain_file, program):
        with pyghidra.transaction(program):
            program_info = pyghidra.program_info(program)
            program_info.setString("PyGhidra Property", "Set by PyGhidra!")
        program.save("Setting property", pyghidra.dummy_monitor())
    pyghidra.walk_programs(project, set_property, program_filter=lambda f, p: p.name.startswith("decompile"))

    # Load some bytes as a new program
    ByteArrayCls = jpype.JArray(jpype.JByte)
    my_bytes = ByteArrayCls(b"\xaa\xbb\xcc\xdd\xee\xff")
    loader = pyghidra.program_loader().project(project).source(my_bytes).name("my_bytes")
    loader.loaders("BinaryLoader").language("DATA:LE:64:default")
    with loader.load() as load_results:
        load_results.save(pyghidra.dummy_monitor())

    # Run a GhidraScript
    pyghidra.ghidra_script(f"{os.environ['GHIDRA_SCRIPTS_DIR']}/HelloWorldScript.java", project)

[ryanmkurtz]

Oops, that's an oversight...I'll get that added in...thanks!

[ryanmkurtz]

There is now an optional script_args parameter

ghidra/Ghidra/Features/PyGhidra/src/main/py/src/pyghidra/api.py

Lines 154 to 172 in 295f714

	def ghidra_script(
	path: Union[str, Path],
	project: "Project",
	program: "Program" = None,
	script_args: List[str] = [],
	echo_stdout = True,
	echo_stderr = True
	) -> Tuple[str, str]:
	"""
	Runs any type of GhidraScript (Java, PyGhidra, Jython, etc).
	:param path: The GhidraScript's path.
	:param project: The Ghidra project to run the GhidraScript in.
	:param program: An optional Ghidra program that the GhidraScript will see as its "currentProgram".
	:param script_args An optional list of arguments to pass to the GhidraScript.
	:param echo_stdout: Whether or not to echo the GhidraScript's standard output.
	:param echo_stderr: Whether or not to echo the GhidraScript's standard error.
	:return: A 2 element tuple consisting of the GhidraScript's standard output and standard error.
	"""

[bdemick]

Is there a better way to express "Thank you" to you and the rest of the Ghidra dev team beyond a 🎉 emoji? Y'all have been amazing.

[dragonmacher]

Be sure to tell all of your friends about Ghidra! 🐉

[ryanmkurtz]

Thanks for the kind words!