ghidra: initial capa explorer extension MVP

.gitignore

@@ -129,3 +129,10 @@ uv.lock
 .github/binja/BinaryNinja-headless.zip
 justfile
 data/
+.gradle.gradle/
+build/
+.DS_Store
+.gradle/
+**/.gradle/
+.DS_Store
+**/.DS_Store

CHANGELOG.md

@@ -4,6 +4,7 @@
 
 ### New Features
 
+- ghidra: experimental capa explorer extension (MVP) @vaishakh787
 - ghidra: support PyGhidra @mike-hunhoff #2788
 - vmray: extract number features from whitelisted void_ptr parameters (hKey, hKeyRoot) @adeboyedn #2835
 

capa/ghidra/plugin/extension/README.md

@@ -0,0 +1,45 @@
+# Capa Explorer – Ghidra Extension (MVP)
+
+Experimental Ghidra extension that integrates  
+[capa](https://github.com/mandiant/capa) into Ghidra as a native plugin.
+
+The goal is to run capa directly on Ghidra’s analysis database and display
+results inside the UI.
+
+---
+
+## Status
+
+**MVP / Experimental**
+
+The current implementation validates the integration architecture and workflow.  
+Full capa rule evaluation and richer UI will be added incrementally.
+
+---
+
+## How it works
+
+1. User runs **Tools → Capa → Run Analysis**
+2. The plugin invokes a Python script using **GhidraScriptService**
+3. The script runs inside **PyGhidra** (no subprocesses)
+4. Results are written to a **JSON cache file**
+5. The plugin loads the cache and displays results in the **Capa Explorer** panel
+
+---
+
+## Key Design Decisions
+
+- Uses **PyGhidra** for in-process Python execution  
+- Uses **GhidraScriptService** (non-deprecated API)  
+- Reuses the already-loaded `Program` (no reanalysis)  
+- Exchanges data via a **cache file** instead of stdout  
+- Results persist across Ghidra sessions  
+
+---
+
+## Current Features
+
+- Run analysis from the Ghidra menu  
+- Optional cache reload vs re-run  
+- Background execution with progress  
+- Basic result viewer panel  

capa/ghidra/plugin/extension/build.gradle

@@ -0,0 +1,56 @@
+/* ###
+ * IP: GHIDRA
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//----------------------START "DO NOT MODIFY" SECTION------------------------------
+def ghidraInstallDir
+
+if (System.env.GHIDRA_INSTALL_DIR) {
+	ghidraInstallDir = System.env.GHIDRA_INSTALL_DIR
+}
+else if (project.hasProperty("GHIDRA_INSTALL_DIR")) {
+	ghidraInstallDir = project.getProperty("GHIDRA_INSTALL_DIR")
+}
+else {
+	ghidraInstallDir = "<REPLACE>"
+}
+
+task distributeExtension {
+	group = "Ghidra"
+
+	apply from: new File(ghidraInstallDir).getCanonicalPath() + "/support/buildExtension.gradle"
+	dependsOn ':buildExtension'
+}
+//----------------------END "DO NOT MODIFY" SECTION-------------------------------
+
+// Include Python scripts in the built extension
+buildExtension {
+	// Include ghidra_scripts directory in the extension
+	from('ghidra_scripts') {
+		into 'ghidra_scripts'
+	}
+
+	// Include data/python directory in the extension (if you have helper scripts there)
+	from('data/python') {
+		into 'data/python'
+	}
+}
+
+// Exclude additional files from the built extension
+// Ex: buildExtension.exclude '.idea/**'
+buildExtension.exclude '.git/**'
+buildExtension.exclude '.gradle/**'
+buildExtension.exclude 'build/**'
+buildExtension.exclude '.DS_Store'

capa/ghidra/plugin/extension/extension.properties

@@ -0,0 +1,5 @@
+name=@extname@
+description=Finds capabilities in programs, as detected by capa.
+author=vaishakh787
+createdOn=2026-01-26
+version=@extversion@

capa/ghidra/plugin/extension/src/main/help/help/TOC_Source.xml

@@ -0,0 +1,57 @@
+<?xml version='1.0' encoding='ISO-8859-1' ?>
+<!-- 
+
+	This is an XML file intended to be parsed by the Ghidra help system.  It is loosely based 
+	upon the JavaHelp table of contents document format.  The Ghidra help system uses a 
+	TOC_Source.xml file to allow a module with help to define how its contents appear in the 
+	Ghidra help viewer's table of contents.  The main document (in the Base module) 
+	defines a basic structure for the 
+	Ghidra table of contents system.  Other TOC_Source.xml files may use this structure to insert
+	their files directly into this structure (and optionally define a substructure).
+
+
+	In this document, a tag can be either a <tocdef> or a <tocref>.  The former is a definition
+	of an XML item that may have a link and may contain other <tocdef> and <tocref> children.  
+	<tocdef> items may be referred to in other documents by using a <tocref> tag with the 
+	appropriate id attribute value.  Using these two tags allows any module to define a place 
+	in the table of contents system (<tocdef>), which also provides a place for 
+	other TOC_Source.xml files to insert content (<tocref>).  
+
+	During the help build time, all TOC_Source.xml files will be parsed and	validated to ensure
+	that all <tocref> tags point to valid <tocdef> tags.  From these files will be generated
+	<module name>_TOC.xml files, which are table of contents files written in the format 
+	desired by the JavaHelp system.   Additionally, the genated files will be merged together
+	as they are loaded by the JavaHelp system.  In the end, when displaying help in the Ghidra
+	help GUI, there will be on table of contents that has been created from the definitions in 
+	all of the modules' TOC_Source.xml files.
+
+
+	Tags and Attributes
+
+	<tocdef>
+	-id          - the name of the definition (this must be unique across all TOC_Source.xml files)	
+	-text        - the display text of the node, as seen in the help GUI
+	-target**    - the file to display when the node is clicked in the GUI
+	-sortgroup   - this is a string that defines where a given node should appear under a given
+	               parent.  The string values will be sorted by the JavaHelp system using
+	               a javax.text.RulesBasedCollator.  If this attribute is not specified, then
+	               the text of attribute will be used.
+
+	<tocref>
+	-id			 - The id of the <tocdef> that this reference points to 
+
+	**The URL for the target is relative and should start with 'help/topics'.  This text is 
+	used by the Ghidra help system to provide a universal starting point for all links so that
+	they can be resolved at runtime, across modules.
+
+
+-->
+
+
+<tocroot>
+	<!-- Uncomment and adjust fields to add help topic to help system's Table of Contents
+	<tocref id="Ghidra Functionality">
+		<tocdef id="HelpAnchor" text="My Feature" target="help/topics/my_topic/help.html" />
+	</tocref>
+	-->
+</tocroot>

capa/ghidra/plugin/extension/src/main/help/help/topics/capaexplorer/help.html

@@ -0,0 +1,23 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+
+<HTML>
+  <HEAD>
+    <META name="generator" content=
+    "HTML Tidy for Java (vers. 2009-12-01), see jtidy.sourceforge.net">
+    <META http-equiv="Content-Language" content="en-us">
+    <META http-equiv="Content-Type" content="text/html; charset=windows-1252">
+    <META name="GENERATOR" content="Microsoft FrontPage 4.0">
+    <META name="ProgId" content="FrontPage.Editor.Document">
+
+    <TITLE>Skeleton Help File for a Module</TITLE>
+    <LINK rel="stylesheet" type="text/css" href="help/shared/DefaultStyle.css">
+  </HEAD>
+
+  <BODY>
+    <H1><a name="HelpAnchor"></a>Skeleton Help File for a Module</H1>
+
+    <P>This is a simple skeleton help topic. For a better description of what should and should not
+    go in here, see the "sample" Ghidra extension in the Extensions/Ghidra directory, or see your 
+    favorite help topic. In general, language modules do not have their own help topics.</P>
+  </BODY>
+</HTML>