Export ghidra decompiled code to dwarf sections inside ELF binary

Ghidra2Dwarf is a ghidra plugin that allows to exports informations (such as functions, decompiled code, types) from ghidra to dwarf sections inside ELF binaries.

Information

Category: Android / Utility
Watchers: 18
Star: 101
Fork: 9
Last update: Jun 20, 2022

Resource links

https://github.com/cesena/ghidra2dwarf

Ghidra2Dwarf

Inspired by: dwarfexport

Ghidra2Dwarf is a ghidra plugin that allows to exports informations (such as functions, decompiled code, types) from ghidra to dwarf sections inside ELF binaries.

More specifically it exports inside a source file named ${program}.c all the decompiled functions, and create an ELF binary named ${program}_dbg that can be used to do source code level debugging.

Example:

Inside gdb now you can use:

list <function> to display the function's source code.
n to step one source code line instruction.
ni to step one assembly instruction.

Install

Linux

Bash:

git clone https://github.com/cesena/ghidra2dwarf.git
cd ghidra2dwarf
export GHIDRA_VERSION="ghidra_9.1.2_PUBLIC" # Change here with correct version
mkdir -p ~/.ghidra/.${GHIDRA_VERSION}/plugins
cp ./jnarated/target/libdwarf.jar ~/.ghidra/.${GHIDRA_VERSION}/plugins

Windows

Powershell:

git clone https://github.com/cesena/ghidra2dwarf.git
cd ghidra2dwarf
Set-Variable -Name "GHIDRA_VERSION" -Value "ghidra_9.1.2_PUBLIC"
mkdir -p ~\.ghidra\.$GHIDRA_VERSION\plugins
cp .\jnarated\target\libdwarf.jar ~\.ghidra\.$GHIDRA_VERSION\plugins

Run

In the script manager -> script directories add the src directory:

And then run ghidra2dwarf:

In windows objcopy.exe is not working, so you need to do the last step on a *nix shell:

BINARY_NEW=${BINARY}_dbg
cp $BINARY $BINARY_NEW

echo '[*] Removing unneeded debug sections'
objcopy -g $BINARY_NEW

echo '[*] Adding the debug sections'
objcopy --add-section .debug_info=.debug_info $BINARY_NEW
objcopy --add-section .debug_line=.debug_line $BINARY_NEW
objcopy --add-section .debug_abbrev=.debug_abbrev $BINARY_NEW

Or use export.sh:

$ ./src/export.sh <Binary path> <Binary>
$ # example: ./src/export.sh ~/CTF/ chall.exe

Headless mode

Linux

If you saved the project and ghidra is closed, you can launch ghidra2dwarf.sh to run ghidra in headless mode and export the dwarf informations:

$ ./src/ghidra2dwarf.sh <Project directory> <Project name> <Binary path> <Binary>
$ # Example: ./src/ghidra2dwarf.sh ~/.local/share/ghidra/ TEST ~/CTF/ chall

Windows

TODO

Known issues

Sometimes you get an IndexError, try to re-run the script until it works.

7 Open More issues

Closed

BUG: AttributeError: 'NoneType' object has no attribute 'c'

ghidra2dwarf.py> Running...
Traceback (most recent call last):
  File "/root/ghidra_scripts/ghidra2dwarf/ghidra2dwarf.py", line 499, in <module>
    add_debug_info()
  File "/root/ghidra_scripts/ghidra2dwarf/ghidra2dwarf.py", line 138, in add_debug_info
    add_function(cu, f, file_index)
  File "/root/ghidra_scripts/ghidra2dwarf/ghidra2dwarf.py", line 318, in add_function
    d = res.decompiledFunction.c
AttributeError: 'NoneType' object has no attribute 'c'
ghidra2dwarf.py> Finished!

I'm new to Ghidra, so idk if my solution is right, but I found in docs that api got getC method.

and try to fix:


def add_function(cu, func, file_index):
    die = dwarf_new_die(dbg, DW_TAG_subprogram, cu, None, None, None)
    loc_expr = dwarf_new_expr(dbg)
    dwarf_add_expr_gen(loc_expr, DW_OP_call_frame_cfa, 0, 0)
    dwarf_add_AT_location_expr(dbg, die, DW_AT_frame_base, loc_expr)
    f_name = func.name
    dwarf_add_AT_name(die, f_name)
    dwarf_add_AT_string(dbg, die, DW_AT_linkage_name, f_name)

    # TODO: Check for multiple ranges
    f_start, f_end = get_function_range(func)

    t = func.returnType
    ret_type_die = add_type(cu, func.returnType)
    dwarf_add_AT_reference(dbg, die, DW_AT_type, ret_type_die)

    dwarf_add_AT_targ_address(dbg, die, DW_AT_low_pc, f_start, 0)
    dwarf_add_AT_targ_address(dbg, die, DW_AT_high_pc, f_end - 1, 0)

    func_line = len(decomp_lines) + 1

    res = get_decompiled_function(func)
    if res:
        try:
            d = res.decompiledFunction.c
        except:
            d = res.decompiledFunction.getC
    else:
        return

    decomp_lines.extend(d.split("\n"))
    dwarf_add_AT_unsigned_const(dbg, die, DW_AT_decl_file, file_index)
    dwarf_add_AT_unsigned_const(dbg, die, DW_AT_decl_line, func_line)
    dwarf_add_line_entry(dbg, file_index, f_start, func_line, 0, True, False)
    add_decompiler_func_info(cu, die, func, file_index, func_line)

    return die

But, no luck:

ghidra2dwarf.py> Running...
Traceback (most recent call last):
  File "/root/ghidra_scripts/ghidra2dwarf/ghidra2dwarf.py", line 505, in <module>
    add_debug_info()
  File "/root/ghidra_scripts/ghidra2dwarf/ghidra2dwarf.py", line 138, in add_debug_info
    add_function(cu, f, file_index)
  File "/root/ghidra_scripts/ghidra2dwarf/ghidra2dwarf.py", line 322, in add_function
    d = res.decompiledFunction.getC
AttributeError: 'NoneType' object has no attribute 'getC'
ghidra2dwarf.py> Finished!

I found this in api docs:

   
   // Make calls to the decompiler:
   DecompileResults res = ifc.decompileFunction(func,0,taskmonitor);
   
   // Check for error conditions
   if (!res.decompileCompleted()) {
        system.out.println(res.getErrorMessage());
      return;
   }

opened Apr 20, 2021 by kotee4ko 13

Closed

macOS support, fix #9, function parameters

This patchset introduces a few fixes and improvements to ghidra2dwarf:

Added macOS support by compiling libdwarf-20200719 as a shared library
Added a status message so that progress is more obvious on large binaries with many functions
Eliminated a redundant call to get_decompiled_function to cut down on script execution time
Generate formal_parameter tags for function parameters to improve backtraces and debugging experience
Fix Java crash reported in #9 by using defaultFieldName if fieldName is not available (the segfault is caused by a segfault from passing a NULL pointer through to a libdwarf function).

opened Aug 10, 2021 by nneonneo 5

Closed

TypeError: unsupported operand type(s) for +: 'long' and 'NoneType'

Hello,

I am using Ghidra 9.2.3 and I got an issue when testing a binary with your script :

Thanks in advance,

opened May 29, 2021 by jy95 3

Closed

Macos support

Added macos support, built libdwarf from the most recent version. I was trying to dump c headers for a risc-v file but that didn't work because libdwarf doesn't seem to support risk-v(dwarfdump can dump the dwarf info though). Also added try block to bypass functions without a proper de-compilation.

opened Nov 20, 2020 by madushan1000 2

Closed

Typedefs not exported

This tool doesn't export typedef information, which breaks GEF.

It causes problems because of this behavior:

(gdb)  p *(uint64_t *) 0x7fffffffe080
$1 = uint64_t

Using unsigned long instead of uint64_t has the expected behavior:

(gdb)  p *(unsigned long *) 0x7fffffffe080
$2 = 0x1

It should be printing the value, but it's printing the type instead. Probably gdb is doing this because, without typedef information, it thinks uint64_t is some kind of void-like opaque type.

The error this causes in GEF is:

[!] Command 'dereference' failed to execute properly, reason: Cannot convert value to long.

opened Sep 20, 2020 by io12 2

Closed

Handle Unicode in decompiler output

The decompiler output can legitimately contain Unicode (e.g. Unicode strings). Currently, the script will crash with an error like this:

Traceback (most recent call last):
  File "ghidra2dwarf.py", line 512, in <module>
    write_source()
  File "ghidra2dwarf.py", line 343, in write_source
    src.write("\n".join(decomp_lines))
UnicodeEncodeError: 'ascii' codec can't encode character u'\uefbe' in position 14630: ordinal not in range(128)

This fix makes the output UTF-8, which solves this issue for all valid Unicode characters.

opened Sep 17, 2021 by nneonneo 1

Open

Dwarf export error

I get the following error using this tool and exporting and then importing into gdb.

Reading symbols from init_dbg...
Dwarf Error: wrong version in compilation unit header (is 512, should be 2, 3, 4 or 5) [in module /path]

opened May 6, 2022 by lacraig2 0

Open

Unknown protocol: jar

I'm trying to run the script inside Ghidra but it gives me multiple errors caused by "Unknown protocol: jar" I have OpenJdk 17.0.2 I don't have Python but it shouldn't be a problem since Ghidra has it I'm on Windows

Traceback (most recent call last): File "D:\Documents\Ghidra\Plugin\ghidra2dwarf\ghidra2dwarf.py", line 34, in from libdwarf import LibdwarfLibrary java.lang.ExceptionInInitializerError at java.base/java.lang.Class.forName0(Native Method) at java.base/java.lang.Class.forName(Class.java:467) at org.python.core.Py.loadAndInitClass(Py.java:1160) at org.python.core.Py.findClassInternal(Py.java:1095) at org.python.core.Py.findClassEx(Py.java:1147) at org.python.core.packagecache.SysPackageManager.findClass(SysPackageManager.java:233) at org.python.core.packagecache.PackageManager.findClass(PackageManager.java:36) at org.python.core.packagecache.SysPackageManager.findClass(SysPackageManager.java:221) at org.python.core.PyJavaPackage.findattr_ex(PyJavaPackage.java:137) at org.python.core.PyObject.findattr(PyObject.java:902) at org.python.core.PyObject.findattr(PyObject.java:889) at org.python.core.imp.ensureFromList(imp.java:1484) at org.python.core.imp.ensureFromList(imp.java:1449) at org.python.core.imp.import_module_level(imp.java:1377) at org.python.core.imp.importName(imp.java:1528) at org.python.core.ImportFunction.call(builtin.java:1285) at org.python.core.PyObject.call(PyObject.java:433) at org.python.core.builtin.import(builtin.java:1232) at org.python.core.imp.importFromAs(imp.java:1620) at org.python.core.imp.importFrom(imp.java:1595) at org.python.pycode._pyx42.f$0(D:/Documents/Ghidra/Plugin/ghidra2dwarf/ghidra2dwarf.py:518) at org.python.pycode._pyx42.call_function(D:/Documents/Ghidra/Plugin/ghidra2dwarf/ghidra2dwarf.py) at org.python.core.PyTableCode.call(PyTableCode.java:173) at org.python.core.PyCode.call(PyCode.java:18) at org.python.core.Py.runCode(Py.java:1687) at org.python.core.builtin.execfile_flags(builtin.java:535) at org.python.util.PythonInterpreter.execfile(PythonInterpreter.java:287) at ghidra.python.GhidraPythonInterpreter.execFile(GhidraPythonInterpreter.java:239) at ghidra.python.PythonScriptExecutionThread.run(PythonScriptExecutionThread.java:51) Caused by: java.lang.RuntimeException: java.net.MalformedURLException: Unknown protocol: jar at org.python.core.SyspathJavaLoader.findResource(SyspathJavaLoader.java:152) at java.base/java.lang.ClassLoader.getResource(ClassLoader.java:1403) at com.sun.jna.Native.extractFromResourcePath(Native.java:1085) at com.sun.jna.NativeLibrary.loadLibrary(NativeLibrary.java:276) at com.sun.jna.NativeLibrary.getInstance(NativeLibrary.java:455) at com.sun.jna.Library$Handler.(Library.java:192) at com.sun.jna.Native.loadLibrary(Native.java:646) at com.sun.jna.Native.loadLibrary(Native.java:630) at libdwarf.LibdwarfLibrary.(LibdwarfLibrary.java:13) ... 29 more Caused by: java.net.MalformedURLException: Unknown protocol: jar at java.base/java.net.URL.(URL.java:708) at java.base/java.net.URL.(URL.java:569) at java.base/java.net.URL.(URL.java:516) at org.python.core.SyspathJavaLoader.findResource(SyspathJavaLoader.java:150) ... 37 more Caused by: java.lang.IllegalStateException: Unknown protocol: jar at org.apache.felix.framework.URLHandlersStreamHandlerProxy.parseURL(URLHandlersStreamHandlerProxy.java:373) at java.base/java.net.URL.(URL.java:703) ... 40 more java.lang.ExceptionInInitializerError: java.lang.ExceptionInInitializerError

opened Mar 5, 2022 by Signum21 0

Open

Non-x86_64 output

Right now x86_64 is hardcoded, we should fetch the arch from Ghidra instead.

opened Feb 14, 2022 by Manouchehri 0

Open

Add ELF exporting logic.

Solves #13.

opened Feb 14, 2022 by Manouchehri 0

Open

DWARF v5 source code embedding extension?

Would be cool if we could embed the decompiled file into the output ELF. This is only supported as of DWARFv5 (I think it's backwards compatible with DWARFv4, so likely won't hurt).

Probably requires adding DW_LNCT_has_source and DW_LNCT_source to Ghidra first, not sure.

https://reviews.llvm.org/D42765

https://reviews.llvm.org/D42766

opened Feb 14, 2022 by Manouchehri 0

Open

Using current ELF in Ghidra instead of file on disk?

Right now, ghidra2dwarf.py relies on having the original ELF on disk. It ends up breaking one of my automated workflows, since my tooling cleans up samples off disk after they've been imported to Ghidra.

https://github.com/cesena/ghidra2dwarf/blob/650597d7553654cd0c643c4bfbffaf9c8d9e1b4a/src/ghidra2dwarf.py#L69-L73

https://github.com/cesena/ghidra2dwarf/blob/650597d7553654cd0c643c4bfbffaf9c8d9e1b4a/src/ghidra2dwarf.py#L515

We should use the ElfExporter class instead to get the original ELF file. https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Base/src/main/java/ghidra/app/util/exporter/ElfExporter.java

Here's some examples of how to do that:

https://github.com/sengi12/GhidraScripting-Basics/blob/fa6181bf0634a12015296fed54068bff0585acc5/examples/exportLocalCopy.py#L22-L27

https://github.com/riverratz/ghidraheadless_binexport/blob/b69966cc6ece8820588355c5f5b893b6d0d1c613/sample_functions_cpy.py#L17-L32

opened Feb 14, 2022 by Manouchehri 1

Parsing ELF and DWARF in Python

The new bridge between Ghidra and Frida!

LibObjectFile is a .NET library to read, manipulate and write linker and executable object files (e.g ELF, DWARF, ar...)

Execute ELF files without dropping them on disk

Check .gnu.warning.* sections in ELF object files

ELF: a platform for game research with AlphaGoZero/AlphaZero reimplementation

Tools for converting Nintendo DS binaries to an ELF file for Ghidra/IDA

Ghidra is a software reverse engineering (SRE) framework

Daenerys: A framework for interoperability between IDA and Ghidra

IDA Pro's FindCrypt ported to Ghidra, with an updated and customizable signature database

A collection of my Ghidra scripts

Yet Another Ghidra Integration for IDA

Renesas RL78 processor module for Ghidra

Nintendo 3DSX loader for Ghidra

Ghidra scripts to help with 3ds reverse engineering

Hexagon decompiler for Ghidra

Ghidra Plugin for Texas Instrument CC 8051 SOC's especially CC1110 and CC2510

Binary code coverage visualizer plugin for Ghidra

PowerPacker by Nico François (decompiled source code)

The Java Disassembler

Armok Web Services: remote Dwarf Fortress streaming in a web browser with Xpra

Share this repo

Related Repos

Utility

R library for converting R models to PMML

R2PMML R package for converting R models to PMML Features This library is a thin wrapper around the JPMML-R command-line application. For a list of su

Utility

The Raku utility library

_ _ (pronounced "lowbar") is a meta utility package for the Raku programming language. Being meta means that _ is comprised of independent sub-package

Utility

Helper for waiting on asynchronous conditions to be met.

ExWaiter Helper for waiting on asynchronous conditions to be met. Hexdocs found at https://hexdocs.pm/ex_waiter. Installation Add the latest release t

Utility

Boru is a pipeline solution

boru boru is a pipeline implementation in kotlin with native coroutine support and custom dsl. Supports chaining pipeline steps with conditions and br

Utility

Module lua sources for `coq.nvim`, first & third party

coq.nvim (first & third) party sources PR welcome First party lua sources & third party integration for coq.nvim See :COQhelp custom_sources How to us

Utility

💊 How addicted are you to Instagram?

Instaddict (beta) How addicted are you to Instagram? Let's drop your data package into Instaddict, it will give you the answer. ㅤㅤㅤㅤㅤㅤㅤㅤ Example DEMO

Utility

A simple HTML to PDF convertor for Android

A simple HTML to PDF convertor for Android

Utility

Timber + Logger Integration. Make Logcat Prettier, show thread information and more.

Timber + Logger Integration. Make Logcat Prettier, show thread information and more.

Utility

Simple library to decompress files .zip, .rar, .cbz, .cbr in React Native.

Simple library to decompress files .zip, .rar, .cbz and .cbr in React Native.

Utility

Linkester is an Android library that aims to help Android developers test their deep links...

Linkester is an Android library that aims to help Android developers test their deep links implementation.

Utility

310

Transit is a data format and a set of libraries for conveying values between applications ...

Transit is a data format and a set of libraries for conveying values between applications written in different languages. This library provides support for marshalling Transit data to/from Clojure.

Utility

Launch an Android Virtual Device without Android Studio.

Utility

214

An effort to write a modern, fast, and interesting operating system in V.

vOS An effort to write a modern, fast, and interesting operating system in V. Join the Discord chat (#v-os channel). Goals Keep it simple and easy to

Utility

2.3k

Unlock an Android phone (or device) by bruteforcing the lockscreen PIN.

Unlock an Android phone (or device) by bruteforcing the lockscreen PIN. Turn your Kali Nethunter phone into a bruteforce PIN cracker for Android devices! (no root, no adb)

Utility

SPIDlibraryAndroid is a library for logging in via SPID through several different identity...

SPIDlibraryAndroid is a library for logging in via SPID through several different identity providers.