Author: @hugsy
Headless Binary Ninja (sort of!)
Note: A Snippet version can be copy/pasted from here
This plugin allows you to use Binary Ninja headlessly and remotely to script and control Binja remotely without the need of an entreprise license. This makes it convenient for creating scripts, or live reversing using Jupyter for instance. It works internally by simply creating an RPyc service within the Python environment, and expose it on a TCP socket. Note that this plugin is Binary Ninja specific: an equivalent for IDA was created in the repository IDA-Headless.
Important note: this plugin exposes entirely the targeted Python VM over a TCP socket, in cleartext without authentication. Therefore anyone able to connect to it will be able to execute command on the remote system; so this plugin should never be used on a host that receive untrusted connections.
This plugin requires the installation of the rpyc package, but the service is only opened on demand. It was tested and works well under Windows and Linux but is expected to work the same on MacOS.
Install the files in the Binary Ninja plugin directory, start Binary Ninja and check in the logs the plugin is correctly loaded.
Loaded python3 plugin 'binja-headless'
You can now start the service (Palette -> Binja-RPyc - Start RPyc Service). A popup will confirm the service is running, or show the error in the logs on failure.
From a remote Python terminal, you can now import the rpyc module and access your remote Binary Ninja.
>>> import rpyc
>>> c = rpyc.connect("192.168.57.2", 18812)
>>> c.root.bv
<BinaryView: '//DESKTOP-SD4TH5/Temp/ls', len 0x248e8>
>>> dir(c.root.binaryninja)
['ActionType',
'ActiveAnalysisInfo',
'AddressField',
'AddressRange',
'AdvancedFunctionAnalysisDataRequestor',
'AnalysisCompletionEvent',
[...]And then you can create some aliases to make as if you were using it locally:
>>> bv = c.root.bv ; bn = c.root.binaryninja
# and then go crazy
>>> bn.core_version()
'3.4.4189-dev Personal'
>>> bv.file
<FileMetadata: Y:/IDBs/windows/kernel32/10.0.18362.329/kernel32.bndb>
>>> bv.arch
<arch: x86_64>
>>> bv.file.original_filename
'Y:/IDBs/windows/kernel32/10.0.18362.329/kernel32.dll'
>>> bv.get_functions_by_name("CreateFileMappingW")
[<func: x86_64@0x18001c250>]
>>> for f in bv.functions:
print(f"{f.name} -> {f.start:#x}")
RtlVirtualUnwindStub -> 0x180001010
GetNumberFormatWStub -> 0x180001060
GetTimeZoneInformationForYearStub -> 0x180001070
IdnToAsciiStub -> 0x180001080
CreateWaitableTimerW -> 0x180001090
[...]
>>> for block in bv.get_functions_by_name("GlobalUnlock")[0]:
for insn in block:
print(insn)
(['mov', ' ', 'qword ', '[', 'rsp', '+', '0x8', ']', ', ', 'rbx'], 5)
(['mov', ' ', 'qword ', '[', 'rsp', '+', '0x10', ']', ', ', 'rsi'], 5)
(['push', ' ', 'rdi'], 1)
[...]
This plugin requires the following minimum version of Binary Ninja:
- 3164
The required dependencies can be found in the requirements.txt file.
This plugin is released under a MIT license. See the LICENSE file for complete details.
2