keensecuritylab / binabsinspector Goto Github PK

Hey, when i'm trying to execute binabsinspector in headless mode with parameters
"@@ -all -entry 0x180006c64 -K 50 -callStringK 3 -timeout -1 -Z3Timeout 1000"
I got a error:
Exception in thread "main" ghidra.util.exception.InvalidInputException: Bad argument: -entry

➜ build git:(master) ✗ sudo make install
[sudo] password for w0lfzhang:
Z3 was successfully installed.

BinAbsInspector.java> Running...
BinAbsInspector.java> Cannot detect z3 solver library, please check your z3 solver installation or disable z3 solver in configuration.

BinAbsInspector.java> Finished!

您好，我使用docker方式进行搭建这个程序，在分析一个elf文件的时候出现这种错误，请问大佬如何解决

docker run -v $(pwd):/data/workspace bai "@@<script parameters>" -import test

openjdk version "11.0.11" 2021-04-20
OpenJDK Runtime Environment AdoptOpenJDK-11.0.11+9 (build 11.0.11+9)
OpenJDK 64-Bit Server VM AdoptOpenJDK-11.0.11+9 (build 11.0.11+9, mixed mode)
INFO Using log config file: jar:file:/opt/ghidra/Ghidra/Framework/Generic/lib/Generic.jar!/generic.log4j.xml (LoggingInitialization)
INFO Using log file: /root/.ghidra/.ghidra_10.1.2_PUBLIC/application.log (LoggingInitialization)
INFO Loading user preferences: /root/.ghidra/.ghidra_10.1.2_PUBLIC/preferences (Preferences)
INFO Class search complete (1304 ms) (ClassSearcher)
INFO Initializing SSL Context (SSLContextInitializer)
INFO Initializing Random Number Generator... (SecureRandomFactory)
INFO Random Number Generator initialization complete: NativePRNGNonBlocking (SecureRandomFactory)
INFO Trust manager disabled, cacerts have not been set (ApplicationTrustManagerFactory)
Exception in thread "main" ghidra.util.exception.InvalidInputException: /data/workspace/BinAbsInspector/test is not a valid directory or file.
at ghidra.app.util.headless.AnalyzeHeadless.parseOptions(AnalyzeHeadless.java:212)
at ghidra.app.util.headless.AnalyzeHeadless.launch(AnalyzeHeadless.java:113)
at ghidra.GhidraLauncher.launch(GhidraLauncher.java:59)
at ghidra.Ghidra.main(Ghidra.java:47)

I have downloaded z3-4.8.17-x86-win.zip and unziped it.And set the PATH environment to z3-4.8.17-x86-win\bin .But BinAbsInspector.java still tell me :Cannot detect z3 solver library, please check your z3 solver installation or disable z3 solver in configuration. How could I install z3 solver?

严格按照安装指导书进行安装，启动工具失败，报错如下：
java.lang.StackOverflowError
at com.bai.solver.CFG.visit(CFG.java:80)
at com.bai.solver.CFG.visit(CFG.java:84)
at com.bai.solver.CFG.visit(CFG.java:84)

Build Date: 2022-Jan-25 1526 EST
Ghidra Version: 10.1.2
Java Home: C:\Program Files\Eclipse Adoptium\jdk-11.0.14.101-hotspot
JVM Version: Eclipse Adoptium 11.0.14.1
OS: Windows 10 10.0 amd64

When I use docker build . -t bai to build docker, I got the errors.

Can anyone help? Thanks!

I use ghidra 10.1.2 ,jdk 18,z3 4.8.15.I install the extensions, then when i analysis the binary ,it says Unable to locate script class: BinAbsInspector.java,what should i do to fix this

                 LAB_001695f8                                    XREF[2]:     001695b0(j), 00169684(j)  
        001695f8 73 52 4b b9     ldr        w19,[x19, #0xb50]=>PTR_002cfb50                  = 00000000
        001695fc e0 03 14 2a     mov        w0,w20
        00169600 a2 8f 40 b9     ldr        w2,[x29, #local_4]
        00169604 61 02 40 b9     ldr        w1,[x19]                                         CWE476: Null pointer dereference

这里报空指针异常，应该是指[X19]寄存器里面的内容吧，实际上它是在w19中被赋值了的。

The following error occurred when I build Dockerfile. 😥

Error

149250K .......... .......... .......... .......... .......... 43% 97.3K 13m18s
149300K .......... .......... .......... .......... .......... 43%  192K 13m18s
149350K .......... .......... .......... .......... .......... 43%  192K 13m18s
149400K .......... .......... .......... .......... .......... 43%  187K 13m18s
149450K .......... .......... .......... .......... .......... 43%  191K 13m17s
149500K .......... .......... .......... .......... .......... 43% 94.4K 13m18s
149550K .......... .......... .......... .......... .......... 43%  201K 13m17s
149600K .......... .......... .......... .......... .......... 43%  200K 13m17s

(Download ...)

2022-05-06 01:09:44 (239 KB/s) - Connection closed at byte 153387008. Retrying.

Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized

Username/Password Authentication Failed. 
The command '/bin/sh -c wget https://github.com/NationalSecurityAgency/ghidra/releases/download/${GHIDRA_RELEASE_TAG}/${GHIDRA_BUILD}.zip &&     unzip -d ghidra ${GHIDRA_BUILD}.zip &&     rm ${GHIDRA_BUILD}.zip &&     mv ghidra/ghidra_* /opt/ghidra' returned a non-zero code: 6

I don't know why this error persists

processConstraints()中只传入了inOutEnv，当conditionVarnode是tmp变量时，无法从inOutEnv中获取相应的值集。或许应该把tmpEnv传进函数，然后调用KSet conditionKSet = getKSet(conditionVarnode,inOutEnv,tmpEnv,pcode);？

使用dockerfile 构建镜像后，能否给一个使用该镜像进行分析的使用例子

My command is : analyzeHeadless ./bai bai_2022_09_09 -import ./test2 -postScript BinAbsInspector "@@ -all"
And i get the error followed:
root@3893d60a101e:/bai# analyzeHeadless ./bai bai_2022_09_09 -import ./test2 -postScript BinAbsInspector "@@ -all"
openjdk version "17.0.4.1" 2022-08-12
OpenJDK Runtime Environment Temurin-17.0.4.1+1 (build 17.0.4.1+1)
OpenJDK 64-Bit Server VM Temurin-17.0.4.1+1 (build 17.0.4.1+1, mixed mode)
INFO Using log config file: jar:file:/bai/ghidra_10.1.2_PUBLIC/Ghidra/Framework/Generic/lib/Generic.jar!/generic.log4j.xml (LoggingInitialization)
INFO Using log file: /root/.ghidra/.ghidra_10.1.2_PUBLIC/application.log (LoggingInitialization)
INFO Loading user preferences: /root/.ghidra/.ghidra_10.1.2_PUBLIC/preferences (Preferences)
INFO Loading previous preferences: /root/.ghidra/.ghidra_10.1.5_PUBLIC/preferences (Preferences)
INFO Class search complete (1497 ms) (ClassSearcher)
INFO Initializing SSL Context (SSLContextInitializer)
INFO Initializing Random Number Generator... (SecureRandomFactory)
INFO Random Number Generator initialization complete: NativePRNGNonBlocking (SecureRandomFactory)
INFO Trust manager disabled, cacerts have not been set (ApplicationTrustManagerFactory)
INFO HEADLESS Script Paths:
/bai/ghidra_10.1.2_PUBLIC/Ghidra/Features/MicrosoftCodeAnalyzer/ghidra_scripts
/bai/ghidra_10.1.2_PUBLIC/Ghidra/Features/Base/ghidra_scripts
/bai/ghidra_10.1.2_PUBLIC/Ghidra/Processors/DATA/ghidra_scripts
/bai/ghidra_10.1.2_PUBLIC/Ghidra/Features/FileFormats/ghidra_scripts
/bai/ghidra_10.1.2_PUBLIC/Ghidra/Debug/Debugger/ghidra_scripts
/bai/ghidra_10.1.2_PUBLIC/Ghidra/Processors/PIC/ghidra_scripts
/bai/ghidra_10.1.2_PUBLIC/Ghidra/Debug/Debugger-agent-dbgmodel-traceloader/ghidra_scripts
/bai/ghidra_10.1.2_PUBLIC/Ghidra/Features/Python/ghidra_scripts
/bai/ghidra_10.1.2_PUBLIC/Ghidra/Features/BytePatterns/ghidra_scripts
/bai/ghidra_10.1.2_PUBLIC/Ghidra/Extensions/BinAbsInspector/ghidra_scripts
/bai/ghidra_10.1.2_PUBLIC/Ghidra/Features/Decompiler/ghidra_scripts
/bai/ghidra_10.1.2_PUBLIC/Ghidra/Processors/8051/ghidra_scripts
/bai/ghidra_10.1.2_PUBLIC/Ghidra/Features/FunctionID/ghidra_scripts
/bai/ghidra_10.1.2_PUBLIC/Ghidra/Features/VersionTracking/ghidra_scripts
/bai/ghidra_10.1.2_PUBLIC/Ghidra/Features/GnuDemangler/ghidra_scripts (HeadlessAnalyzer)
ERROR REPORT SCRIPT ERROR: BinAbsInspector : Missing plugin needed to run scripts of this type. Please ensure you have installed the necessary plugin. (HeadlessAnalyzer)
ERROR Abort due to Headless analyzer error: Invalid script: BinAbsInspector (HeadlessAnalyzer) java.lang.IllegalArgumentException: Invalid script: BinAbsInspector
at ghidra.app.util.headless.HeadlessAnalyzer.checkScript(HeadlessAnalyzer.java:788)
at ghidra.app.util.headless.HeadlessAnalyzer.checkScriptsList(HeadlessAnalyzer.java:801)
at ghidra.app.util.headless.HeadlessAnalyzer.compileScripts(HeadlessAnalyzer.java:835)
at ghidra.app.util.headless.HeadlessAnalyzer.processLocal(HeadlessAnalyzer.java:408)
at ghidra.app.util.headless.AnalyzeHeadless.launch(AnalyzeHeadless.java:121)
at ghidra.GhidraLauncher.launch(GhidraLauncher.java:59)
at ghidra.Ghidra.main(Ghidra.java:47)

I have tried many methods but failed in the end, could you please help me? thanks a lot

I want to use intellij IDEA Debug BinAbsInspector.java source code.

But if the first line of code fails, how do I configure the correct debug environment?

哥，同样分析/bin/ls，在创建cfg控制流图的时候有点问题

函数：

获取后驱的时候总是返回 FALL_THROUGH

docker build报错

COPY failed: file not found in build context or excluded by .dockerignore: stat ghidra_scripts: file does not exist
这个怎么处理

Take com.bai.env.funcs.externalfuncs.GetenvFunction as an example. (External function model for char *getenv(const char *name))

the source is:

    public void invoke(PcodeOp pcode, AbsEnv inOutEnv, AbsEnv tmpEnv, Context context, Function callFunc) {
        ALoc retALoc = getReturnALoc(callFunc, false);
        if (retALoc == null) {
            return;
        }
        long taints = TaintMap.getTaints(context, callFunc);
        inOutEnv.set(retALoc, KSet.getTop(taints), true);
    }

context doesn't include the current callsite of external function. So, for different callsites in the current function, TaintMap.getTaints will return the same taint.

If I analyze this shared object:

// clang  -shared -o test.so -fPIC ./test.c 
char *getenv(const char *name);

int main() {
    getenv("test");
    getenv("aaa");
    return 0;
}

and set breakpoint at GetenvFunction.invoke, I can see the same context (main[0, 0, 0]) and the same taints (taints = 2) twice.

I think it should return different taints?

(by the way, I am working on a research project that heavily uses BinAbsInspector)

Althouth i choose the specific cwe types，it does not work as i expected。I don't known how to fix this problem。Or should i use it in headless mode?
Besides,the results of cwe 787 check are really Outrageous。

在进行分析的过程中遇见代码符号相关异常：

如题

README.md中写的CWE有下面这些，一共可以检查13个CWE类型。

我在命令行和GUI运行的时候都只显示了7个CWE类型。如下：

我用的ghidra版本是10.1，是什么原因呢？

Ghidra version:
10.1.3
JDK version:
openjdk version "11.0.15" 2022-04-19
OpenJDK Runtime Environment Temurin-11.0.15+10 (build 11.0.15+10)
OpenJDK 64-Bit Server VM Temurin-11.0.15+10 (build 11.0.15+10, mixed mode)

when I tried to install BinAbsInspector as extension , it said imcompatible:

maybe I have to use Ghidra 10.1.2 ?

比如说处理call openprocess的时候，首先取140003040的地址的值，然后call


140003040的值是3f66并不是函数的地址

getmemblock为空导致无法分析出函数。

I just found this work, it is really interesting and fantastic.
I have tested it on several binaries and the results are great.
But I have issues when performing on X86 object files.
I am wondering when will you support object files.
Besides, since MIPS is also a popular architecture, especially on IoT firmware, do you have any plans to support MIPS?
Thanks!

I expect this command injection vulnerability FUN_000109f4 to be detected.

And I expect this Stack Overflow vulnerability FUN_00010d78 to be detected.

test1.cgi.zip

Hi, could you document some of the ideas behind BinAbsInspector, how it uses Z3?
Is there a research paper to understand this?
Super interesting!
Thanks.

Can BinAbsInspector analysis the libxxx.so or libxxx.a file? i noticed that this tool require a main fuction as the entry, can i use it to analysis a libxxx.so or libxxx.a which without main function?
thank you

在测试用例CWE78_OS_Command_Injection__char_connect_socket_system_01.out失败，经过分析发现，没有处理System调用返回值，导致在判断返回值时依据错误的rax值，导致部分路径不可达，从而未分析到漏洞路径。
sVar2 = strlen((char *)local_10);
*(undefined4 *)((longlong)local_10 + sVar2) = 0x2a2e2a;
iVar1 = system((char )local_10); 没有处理返回值，此时iVar1变量即rax是错误值
if (iVar1 != 0) {进入该分支，exit函数无返回导致分析中止，
printLine("command execution failed!");
/ WARNING: Subroutine does not return */
exit(1);
}
return;未进入该分支
建议当externalFunction没有自定义实现，且函数具有返回值时，将返回值设置为Top。
private Status invokeExternal(PcodeOp pcode, AbsEnv inOutEnv, AbsEnv tmpEnv, Function callee) {
String funcName = callee.getName();
ExternalFunctionBase externalFunction = FunctionModelManager.getExternalFunction(funcName);
if (externalFunction != null) {
Logging.debug("Invoke external function model: " + funcName);
externalFunction.invoke(pcode, inOutEnv, tmpEnv, context, callee);
} else {// change ret value
Parameter ret = callee.getReturn();
if (ret != null) {
Register retreg = ret.getRegister();
String rettype = ret.getDataType().getName();
if ((retreg != null) && (!rettype.equals("undefined"))){
ALoc retALoc = ALoc.getALoc(
Reg.getInstance(), retreg.getOffset(), GlobalState.arch.getDefaultPointerSize());
inOutEnv.set(retALoc, KSet.getTop(0), true);
}
}
}

如下：

I am using Ubuntu 22.04.1 Desktop OS and I followed the installation of BinAbsInspector strictly.
I have ghidra 10.1.2
I got the *.so files like this:
https://github.com/Z3Prover/z3/releases/download/z3-4.8.15/z3-4.8.15-x64-glibc-2.31.zip
$ unzip z3-4.8.15-x64-glibc-2.31.zip
$ cd ~/z3-4.8.15-x64-glibc-2.31/bin
$ sudo cp *.so /usr/local/lib/

I imported the ghidra_10.1.2_PUBLIC_20220420_BinAbsInspector.zip file successfully, but I get this error in ghidra:

Tis is the java environment:
$ java --version
openjdk 11.0.16 2022-07-19
OpenJDK Runtime Environment (build 11.0.16+8-post-Ubuntu-0ubuntu122.04)
OpenJDK 64-Bit Server VM (build 11.0.16+8-post-Ubuntu-0ubuntu122.04, mixed mode, sharing)

I have no idea what to do, please help!

Current getEntryFunction implementation can only handle an ELF header, thus the extension can't locate an entry point for PE/PE+ files automatically.

The logic of analyze function seems to be odd, as there's a generic way of locating an entry point through the analyzeFromMain function, which isn't called at all if the executable header wasn't successfully parsed.

Another thing, that analyzeFromMain is only trying to locate a global main function, which isn't always present in, for example, executables created in MASM. Probably it should locate and utilize an entry function address, if main is not present.

ghidra version： 10.1.2
BinAbslnspector： 10.1.2
Z3 version :z3-4.8.17-x64-win
解析文件：
$ file NDynSover.exe
NDynSover.exe: PE32+ executable (console) x86-64, for MS Windows
file test.exe
test.exe: PE32+ executable (DLL) (console) x86-64, for MS Windows
file PeachValidator.exe
PeachValidator.exe: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

这些PE文件都被报错如下：

BinAbsInspector.java> Running...
BinAbsInspector.java> [INFO] Preparing the program
BinAbsInspector.java> Unsupported file format.

BinAbsInspector.java> Cannot find entry function, maybe unsupported file format or corrupted header.

BinAbsInspector.java> Failed to analyze the program: no entrypoint.

BinAbsInspector.java> Finished!
BinAbsInspector.java> Running...
BinAbsInspector.java> Finished!

I have successfully run this script in my project for some time, but I can only view the problems found according to the console output.
I want to know if there is a way to export the results of script execution as a report so that other people who do not have ghidra and BinAbsInspector installed on their computers can view the problems?

Hello,

Many checks are not implemented or available for the plugin (via -all or --check <>).

• available: 78,134,190,367,427,467,676.
• not available: 119,125,415,416,426,476,787

The checker manager map has a 1:1 mapping of half of the supported checks listed on the README.
https://github.com/KeenSecurityLab/BinAbsInspector/blob/main/src/main/java/com/bai/checkers/CheckerManager.java#L10-L20

There seems to be a lot of checks that are in the MemoryCorruption bit that are tested but not exposed to the end user.
https://github.com/KeenSecurityLab/BinAbsInspector/tree/main/src/main/java/com/bai/checkers
https://github.com/KeenSecurityLab/BinAbsInspector/blob/main/src/main/java/com/bai/checkers/MemoryCorruption.java

我测试使用headless模式和GUI模式对同一个应用进行测试，但是测试结果不一样，GUI模式显示发现14个warn；headless模式有100多条这样的数据：{"timestamp":"2022-07-19T03:33:00","level":"WARN","logger":"CWE","message":"CWE787: Stack Out-of-Bound Write @ 0010f193 [ ]"}。请问这是什么原因

`FAILURE: Build failed with an exception.

• Where:
  Build file '/data/home/wjl/ghidra_10.1.2_PUBLIC/BinAbsInspector/build.gradle' line: 18

• What went wrong:
  Plugin [id: 'net.ltgt.errorprone', version: '2.0.2'] was not found in any of the following sources:

• Gradle Core Plugins (plugin is not in 'org.gradle' namespace)
• Plugin Repositories (could not resolve plugin artifact 'net.ltgt.errorprone:net.ltgt.errorprone.gradle.plugin:2.0.2')
  Searched in the following repositories:
  Gradle Central Plugin Repository

• Try:

Run with --stacktrace option to get the stack trace.
Run with --info or --debug option to get more log output.
Run with --scan to get full insights.

• Get more help at https://help.gradle.org

BUILD FAILED in 323ms
`

[INFO  - BinAbsInspector] Running solver on "main()" function
 ERROR REPORT SCRIPT ERROR:  ( /input )  /root/.ghidra/.ghidra_10.1.2_PUBLIC/Extensions/BinAbsInspector/ghidra_scripts/BinAbsInspector.java : Index 0 out of bounds for length 0 (HeadlessAnalyzer) java.lang.IndexOutOfBoundsException: Index 0 out of bounds for length 0
        at java.base/jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64)
        at java.base/jdk.internal.util.Preconditions.outOfBoundsCheckIndex(Preconditions.java:70)
        at java.base/jdk.internal.util.Preconditions.checkIndex(Preconditions.java:248)
        at java.base/java.util.Objects.checkIndex(Objects.java:372)
        at java.base/java.util.ArrayList.get(ArrayList.java:459)
        at com.bai.env.Context.prepareMainAbsEnv(Context.java:215)
        at com.bai.env.Context.initContext(Context.java:275)
        at com.bai.solver.InterSolver.run(InterSolver.java:32)
        at BinAbsInspector.analyzeFromMain(BinAbsInspector.java:52)
        at BinAbsInspector.analyze(BinAbsInspector.java:86)
        at BinAbsInspector.run(BinAbsInspector.java:153)
        at ghidra.app.script.GhidraScript.executeNormal(GhidraScript.java:379)
        at ghidra.app.script.GhidraScript.doExecute(GhidraScript.java:234)
        at ghidra.app.script.GhidraScript.execute(GhidraScript.java:212)
        at ghidra.app.util.headless.HeadlessAnalyzer.runScript(HeadlessAnalyzer.java:576)
        at ghidra.app.util.headless.HeadlessAnalyzer.runScriptsList(HeadlessAnalyzer.java:909)
        at ghidra.app.util.headless.HeadlessAnalyzer.analyzeProgram(HeadlessAnalyzer.java:1057)
        at ghidra.app.util.headless.HeadlessAnalyzer.processFileWithImport(HeadlessAnalyzer.java:1550)
        at ghidra.app.util.headless.HeadlessAnalyzer.processWithImport(HeadlessAnalyzer.java:1688)
        at ghidra.app.util.headless.HeadlessAnalyzer.processWithImport(HeadlessAnalyzer.java:1753)
        at ghidra.app.util.headless.HeadlessAnalyzer.processLocal(HeadlessAnalyzer.java:445)
        at ghidra.app.util.headless.AnalyzeHeadless.launch(AnalyzeHeadless.java:121)
        at ghidra.GhidraLauncher.launch(GhidraLauncher.java:59)
        at ghidra.Ghidra.main(Ghidra.java:47)

INFO  ANALYZING changes made by post scripts: /input (HeadlessAnalyzer)
INFO  REPORT: Post-analysis succeeded for file: /input (HeadlessAnalyzer)
INFO  REPORT: Save succeeded for file: /input (HeadlessAnalyzer)

Context.prepareMainAbsEnv throw exception where there is no function called "_start", we should adjust this logic.
bbgp.zip

Don't know why, I meet this error:

INFO  REPORT: Analysis succeeded for file: /test3 (HeadlessAnalyzer)
INFO  SCRIPT: /bai/ghidra_10.1.2_PUBLIC/Ghidra/Extensions/BinAbsInspector/ghidra_scripts/BinAbsInspector.java (HeadlessAnalyzer)
Loaded config: Config{z3TimeOut=1000, isDebug=false, isOutputJson=true, K=50, callStringK=3, checkers=[CWE676, CWE78, CWE467, CWE426, CWE134, CWE190, CWE367], entryAddress='null', timeout=-1, isEnableZ3=t
rue, z3Tactics=[], externalMapPath=null}
2022-09-13 17:43:33,156 main ERROR Invalid URL jar:file:/bai/ghidra_10.1.2_PUBLIC/Ghidra/Framework/Generic/lib/Generic.jar!/generic.log4j.xml java.net.MalformedURLException: Unknown protocol: jar
        at java.base/java.net.URL.<init>(URL.java:708)
        at java.base/java.net.URL.fromURI(URL.java:748)
        at java.base/java.net.URI.toURL(URI.java:1139)
        at org.apache.logging.log4j.core.config.ConfigurationSource.fromUri(ConfigurationSource.java:330)
        at org.apache.logging.log4j.core.config.ConfigurationFactory$Factory.getConfiguration(ConfigurationFactory.java:505)
        at org.apache.logging.log4j.core.config.ConfigurationFactory$Factory.getConfiguration(ConfigurationFactory.java:498)
        at org.apache.logging.log4j.core.config.ConfigurationFactory$Factory.getConfiguration(ConfigurationFactory.java:422)
        at org.apache.logging.log4j.core.config.ConfigurationFactory.getConfiguration(ConfigurationFactory.java:323)
        at org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:695)
        at org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:716)
        at org.apache.logging.log4j.core.LoggerContext.start(LoggerContext.java:270)
        at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:245)
        at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:47)
        at org.apache.logging.log4j.LogManager.getContext(LogManager.java:176)
        at com.bai.util.Logging.init(Logging.java:46)
        at BinAbsInspector.run(BinAbsInspector.java:132)
        at ghidra.app.script.GhidraScript.executeNormal(GhidraScript.java:379)
        at ghidra.app.script.GhidraScript.doExecute(GhidraScript.java:234)
        at ghidra.app.script.GhidraScript.execute(GhidraScript.java:212)
        at ghidra.app.util.headless.HeadlessAnalyzer.runScript(HeadlessAnalyzer.java:576)
        at ghidra.app.util.headless.HeadlessAnalyzer.runScriptsList(HeadlessAnalyzer.java:909)
        at ghidra.app.util.headless.HeadlessAnalyzer.analyzeProgram(HeadlessAnalyzer.java:1057)
        at ghidra.app.util.headless.HeadlessAnalyzer.processFileNoImport(HeadlessAnalyzer.java:1146)
        at ghidra.app.util.headless.HeadlessAnalyzer.processFolderNoImport(HeadlessAnalyzer.java:1313)
        at ghidra.app.util.headless.HeadlessAnalyzer.processNoImport(HeadlessAnalyzer.java:1342)
        at ghidra.app.util.headless.HeadlessAnalyzer.processLocal(HeadlessAnalyzer.java:442)
        at ghidra.app.util.headless.AnalyzeHeadless.launch(AnalyzeHeadless.java:121)
        at ghidra.GhidraLauncher.launch(GhidraLauncher.java:59)
        at ghidra.Ghidra.main(Ghidra.java:47)                                                                                                                                                               Caused by: java.lang.IllegalStateException: Unknown protocol: jar
        at org.apache.felix.framework.URLHandlersStreamHandlerProxy.parseURL(URLHandlersStreamHandlerProxy.java:373)
        at java.base/java.net.URL.<init>(URL.java:703)

And I solved this following the guide:
https://test.ocom.vn/?url=github.com/NationalSecurityAgency/ghidra/issues/3355

Hope someone else meets this problem could solve this quickly(Although I spend two days on it :( )

this line has a error in function getVarArgsSignature

DataTypeSymbol symbol = HighFunctionDBUtil.readOverride(symbols[0]);

log:
[INFO - BinAbsInspector] Running solver on "entry()" function
ERROR REPORT SCRIPT ERROR: ( /bin/ls ) /root/.ghidra/.ghidra_10.1.2_PUBLIC/Extensions/BinAbsInspector/ghidra_scripts/BinAbsInspector.java : Expected CODE symbol (HeadlessAnalyzer) java.lang.IllegalArgumentException: Expected CODE symbol
at ghidra.program.model.pcode.DataTypeSymbol.readSymbol(DataTypeSymbol.java:128)
at ghidra.program.model.pcode.HighFunctionDBUtil.readOverride(HighFunctionDBUtil.java:704)
at com.bai.env.funcs.externalfuncs.VarArgsFunctionBase.getVarArgsSignature(VarArgsFunctionBase.java:157)
at com.bai.checkers.MemoryCorruption.checkExternalCallParameters(MemoryCorruption.java:284)
at com.bai.solver.PcodeVisitor.visit_CALL(PcodeVisitor.java:684)
at com.bai.solver.PcodeVisitor.visit(PcodeVisitor.java:1334)
at com.bai.solver.PcodeVisitor.visit(PcodeVisitor.java:1466)
at com.bai.env.Context.loop(Context.java:304)
at com.bai.env.Context.mainLoop(Context.java:463)
at com.bai.solver.InterSolver.run(InterSolver.java:35)
at BinAbsInspector.analyze(BinAbsInspector.java:95)
at BinAbsInspector.run(BinAbsInspector.java:152)
at ghidra.app.script.GhidraScript.executeNormal(GhidraScript.java:379)
at ghidra.app.script.GhidraScript.doExecute(GhidraScript.java:234)
at ghidra.app.script.GhidraScript.execute(GhidraScript.java:212)
at ghidra.app.util.headless.HeadlessAnalyzer.runScript(HeadlessAnalyzer.java:576)
at ghidra.app.util.headless.HeadlessAnalyzer.runScriptsList(HeadlessAnalyzer.java:909)
at ghidra.app.util.headless.HeadlessAnalyzer.analyzeProgram(HeadlessAnalyzer.java:1057)
at ghidra.app.util.headless.HeadlessAnalyzer.processFileWithImport(HeadlessAnalyzer.java:1550)
at ghidra.app.util.headless.HeadlessAnalyzer.processWithImport(HeadlessAnalyzer.java:1688)
at ghidra.app.util.headless.HeadlessAnalyzer.processWithImport(HeadlessAnalyzer.java:1753)
at ghidra.app.util.headless.HeadlessAnalyzer.processLocal(HeadlessAnalyzer.java:445)
at ghidra.app.util.headless.AnalyzeHeadless.launch(AnalyzeHeadless.java:121)
at ghidra.GhidraLauncher.launch(GhidraLauncher.java:59)
at ghidra.Ghidra.main(Ghidra.java:47)

startup command:
analyzeHeadless ~ tmp "-deleteProject" "-overwrite" "-postScript" "BinAbsInspector.java" "@@-all" -import /bin/ls

I tried using BinAbsInspector on MacOS, but got the following error:
BinAbsInspector.java> Cannot detect z3 solver library, please check your z3 solver installation or disable z3 solver in configuration

But I have successfully installed Z3 using the command: brew install z3, and I can find the z3 library in /usr/local/lib.
I don't know where I went wrong. Could you give me some advice?

求助下我如果用GUI模式，到修改完BinAbsInspector.java（默认参数），那么GUI界面会闪退消失。但是如果是命令行模式的话会出现下面的错误。

please add sysprintf syscall in CWE78 checking process

Ubuntu 20.04, Docker 20.10.14

$ docker build . -t BinAbsInspector
invalid argument "BinAbsInspector" for "-t, --tag" flag: invalid reference format: repository name must be lowercase
See 'docker build --help'.