In the ghidra_11.0.1_PUBLIC\Extensions\Ghidra Ghidra extensions folder, there’s also a Skeleton folder, which includes five skeleton source code files located in ghidra_11.0.1\Extensions\Ghidra\Skeleton\src\main\java\skeleton. These enable us to write any kind of Ghidra extension.

In this section, we’ll discuss the different types of plugin extensions by overviewing their skeletons. Those skeletons are available from Eclipse. We’ll create an extension by using a skeleton in the Developing a Ghidra extension section.

Analyzers

Analyzers allow us to extend the Ghidra code analysis functionality. The skeleton to develop analyzers is available in the SkeletonAnalyzer.java file, which extends from ghidra.app.services.AbstractAnalyzer.

The analyzer skeleton consists of the following elements:

• A constructor, which indicates the analyzer’s name, its description, and the analyzer’s type. In addition, you can call to setSupportOneTimeAnalysis before the call to super to indicate that the analyzer supports it:

public SkeletonAnalyzer() {

super("My Analyzer", "Analyzer description goes here",

AnalyzerType.BYTE_ANALYZER);

}

The analyzer’s type can be BYTE_ANALYZER, DATA_ANALYZER, FUNCTION_ANALYZER, FUNCTION_MODIFIERS_ANALYZER, FUNCTION_SIGNATURES_ANALYZER, INSTRUCTION_ANALYZER, or ONE_SHOT_ANALYZER.

• The getDefaultEnablement method returns a Boolean value indicating whether this analyzer will be enabled all the time.

• The canAnalyze method returns true if the program can be analyzed. Here, you can check whether your analyzer supports the assembly language of the program, for example.

• If you want to let the user set some options for your analyzer, then you can override the registerOptions method.

• Finally, when things are added to the program, the added method will be called to perform the analysis.

Analyzer tips

Don’t let getDefaultEnablement return true if your analyzer isn’t fast enough because it can slow down Ghidra.

Analyzers can be useful when you’re analyzing a C++ program to obtain object-oriented programming information, for instance.

Filesystems

Filesystems allow us to extend Ghidra to support archive files. Examples of archive files are APK, ZIP, and RAR. The skeleton to develop filesystems is available in the SkeletonFileSystem.java file, which extends from GFileSystem.

The filesystem skeleton consists of the following elements:

• A constructor. As a parameter, it receives the root of the filesystem as the Filesystem Resource Locator (FSRL) and the filesystem provider.

• A filesystem implementation is complex. It consists of the mount, close, getName, getFSRL, isClosed, getFileCount, getRefManager, lookup, getByteProvider, getListing, and getFileAttributes methods.

Plugins

Plugins allow us to extend Ghidra in a lot of ways by accessing the GUI and the event notification systems. The skeleton to develop plugins is available in the SkeletonPlugin.java file, which extends from ghidra.app.plugin.ProgramPlugin.

The plugin skeleton consists of the following elements:

• A constructor. It receives PluginTool as a parameter and allows us to customize or remove both the provider and the help of the plugin.

• An init method. This allows us to acquire services if needed.

• It also includes an example of a provider extending from ComponentProvider, allowing us to customize the GUI and its actions.

Plugin tips

If you want to see the complete list of services, please search for ghidra.app.services in Ghidra’s Java documentation: /api/ghidra/app/services/package-summary.html

As you can imagine, plugin extensions are very versatile.

Exporters

Exporters allow us to extend Ghidra by implementing the ability to export parts of a program available in Ghidra’s program database. The skeleton to develop exporters is available in the SkeletonExporter.java file.

The exporter skeleton consists of the following elements:

• A constructor. It allows us to set the name of the exporter and also associate a file extension with it.

• A getOptions method is also available to define custom options if required.

• A setOptions method to assign custom options, if they exist, to the exporter.

• An export method where the export operation must be implemented. This returns a Boolean value indicating whether the operation was successful or not.

Some examples of preinstalled Ghidra exporters are AsciiExporter, BinaryExporter, GzfExporter, HtmlExporter, IntelHexExporter, ProjectArchiveExporter, and XmlExporter. Check out the following link to learn more about these exporters: https://ghidra.re/ghidra_docs/api/ghidra/app/util/exporter/package-summary.html.

Loaders

Loaders allow us to extend Ghidra by adding support to new binary code formats. Examples of binary code formats include Portable Executable (PE), Executable Linkable Format (ELF), Common Object File Format (COFF), Mach Object File Format (Mach O), and Dalvik Executable File(DEX). The skeleton to develop a loader is available in the SkeletonLoader.java file, which extends from AbstractProgramWrapperLoader.

The loader skeleton consists of the following elements:

• A getName method, which must be overridden to return the loader’s name.

• A findSupportedLoadSpecs method, which must return an ArrayList value with the specifications of the file if it can load it. If it can’t load it, then it must return an empty ArrayList value.

• A load method where the bulk of the implementation takes place. It loads the bytes from the provider into the program.

• If the loader has custom options, then you must define them in the getDefaultOptions method and also validate them in the validateOptions method.

In this section, we went over the skeletons for every type of Ghidra extension. Go ahead and modify any skeleton so that it may help you in development. In the next section, we’ll cover what Ghidra extension skeletons look like in Eclipse.

And you can read that next section in the book Ghidra Software Reverse Engineering for Beginners. Click the link to buy your own copy!