From ebaaed7d536b41d8dc7ab490eadc183343438cdd Mon Sep 17 00:00:00 2001 From: ghidra1 Date: Wed, 27 Sep 2023 13:39:51 -0400 Subject: [PATCH 1/3] GP-0 added callfixup for get_pc_thunk.bp --- .../x86/data/languages/x86gcc.cspec | 129 ++++++++++-------- 1 file changed, 74 insertions(+), 55 deletions(-) diff --git a/Ghidra/Processors/x86/data/languages/x86gcc.cspec b/Ghidra/Processors/x86/data/languages/x86gcc.cspec index 99a4904ae57..0cda278b616 100644 --- a/Ghidra/Processors/x86/data/languages/x86gcc.cspec +++ b/Ghidra/Processors/x86/data/languages/x86gcc.cspec @@ -331,6 +331,17 @@ + + + + + + + + @@ -376,69 +387,77 @@ - - - + + - - - - - - + + + + + + + - - - - - - + + + + + + + - - - - - - + + + + + + + - - - - - - + + + + + + + - - - - - - + + + + + + + - - - - - - + + + + + + + - - - - - - + + + + + + + - - + ]]> + + + From 4d442f1262947e24a193dac971fe3ec6a15387dd Mon Sep 17 00:00:00 2001 From: ghidra1 Date: Wed, 27 Sep 2023 16:09:12 -0400 Subject: [PATCH 2/3] GP-0 Updated ChangeHistory and WhatsNew for 10.4 release --- .../src/global/docs/ChangeHistory.html | 82 +++++++ .../src/global/docs/WhatsNew.html | 219 ++++-------------- 2 files changed, 132 insertions(+), 169 deletions(-) diff --git a/Ghidra/Configurations/Public_Release/src/global/docs/ChangeHistory.html b/Ghidra/Configurations/Public_Release/src/global/docs/ChangeHistory.html index 64e338a809b..4ff9a22060f 100644 --- a/Ghidra/Configurations/Public_Release/src/global/docs/ChangeHistory.html +++ b/Ghidra/Configurations/Public_Release/src/global/docs/ChangeHistory.html @@ -22,6 +22,88 @@ +
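Review bot: the second hunk of x86gcc.cspec (@@ -376,69 +387,77 @@) rewrites the entire existing get_pc_thunk callfixup block (63 of the 74 insertions and all 55 deletions land there, and the `]]>` terminator at its end indicates the fixup bodies were wrapped in a CDATA section), while the subject line only claims "added callfixup for get_pc_thunk.bp"; say so in the commit message so a reviewer knows the only semantic change is the 11-line addition in the first hunk (@@ -331,6 +331,17 @@) and can diff the re-wrapped bodies against the old ones for accidental edits. The subject also uses GP-0 rather than a numbered ticket, which leaves the new fixup with nothing to be referenced from ChangeHistory.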

Ghidra 10.4 Change History (September 2023)

+

New Features

+
    +
  • Analysis. Swift Type Metadata is now marked up. (GP-2085)
  • +
  • FileSystems. Added cramfs support. (GP-3328)
  • +
  • FileSystems. The File System Browser now supports the Add To Program action. (GP-3730)
  • +
  • Importer. Created parsers and analyzers for Device Tree Blob (DTB) and Flattened Device Tree (FDT) binaries. (GP-1436)
  • +
  • Listing. Added ability to reduce an instructions length to facilitate overlapping instructions. This can now be accomplished by specifying an instruction length override on the first instruction and disassembling the bytes which follow it. The need for this has been observed with x86 where there may be a flow around a LOCK prefix byte. (GP-3256)
  • +
+
+

Improvements

+
    +
  • Analysis. Added support for Golang 1.17 binaries. (GP-3288)
  • +
  • Analysis. Added call fixups for GCC's spectre-mitigating thunks in x86 and x64. (GP-3320, Issue #299)
  • +
  • Analysis. Added support for Golang 1.19 and 1.20. (GP-3504)
  • +
  • Analysis. Developed additional ARM function start/end patterns. (GP-3805)
  • +
  • Analysis. Fixed PPC Analyzer to create the correct size undefined data type for a read/write reference. (GP-3845, Issue #5425)
  • +
  • API. Undo/Redo now show lists of transactions that can be undone or redone. (GP-3521)
  • +
  • Build. Fixed the buildHelp gradle task to correctly check for up-to-date inputs. (GP-3430)
  • +
  • Data Types. Added ability to establish source archive association when non-sourced data type dependencies get copied into an archive during a commit operation. (GP-3796, Issue #5675)
  • +
  • Debugger. Fixed Copy Into New Program action to use Dynamic Listing for its default context. This means the Dynamic Listing does not have to have focus for those actions to be enabled. (GP-1528)
  • +
  • Debugger:Modules. Changed mapper to use proper local ghidra:// URLs. No more "!" in them. (GP-3695)
  • +
  • Debugger:Trace. Removed the TraceFunction part of the Trace API. (GP-3351)
  • +
  • Decompiler. Removed the limitation preventing the Decompiler from analyzing functions where the this parameter refers to a placeholder class structure. (GP-3590, Issue #5403, #5475)
  • +
  • Decompiler. Added Decompiler support for return value storage at an explicit stack offset relative to the callee's stack pointer. (GP-3613, Issue #1962)
  • +
  • Decompiler. Added a callfixup for __RTC_CheckEsp in x86win.cspec and updated GraphASTScript.java. (GP-3752, Issue #5657)
  • +
  • FileSystems. Libraries extracted from the dyld_shared_cache filesystem now have chained fixups applied. (GP-1574)
  • +
  • FileSystems. Libraries extracted from the dyld_shared_cache filesystem now contain an optimized __LINKEDIT segment, resulting in a significantly smaller binary. (GP-3587, Issue #4175)
  • +
  • FileSystems. Libraries extracted from the dyld_shared_cache filesystem now contain local symbol information, which reduces the occurrence of <redacted> primary symbols. (GP-3728)
  • +
  • GUI. Added accessibility support to the FieldPanel component, which is the base component for the Listing, Byte Viewer, and Decompiler. (GP-2129)
  • +
  • GUI. Simplified the Listing's Plate Field word wrapping. (GP-3425, Issue #5299)
  • +
  • GUI. Added the Address w/ Offset Copy Special action. (GP-3515, Issue #5364)
  • +
  • GUI. Added a filter for the Memory Map provider table. (GP-3755)
  • +
  • Importer:ELF. Added support for ELF R_AARCH64_MOVW_UABS_Gn relocations. (GP-3435, Issue #3545, #3546, #5292)
  • +
  • Importer:Mach-O. Libraries can now be loaded from both local directories and GFileSystems. This enables loading, for example, Mach-O libraries directly from within the dyld_shared_cache file(s). (GP-2277, Issue #4162)
  • +
  • Importer:Mach-O. Improved markup for Mach-O load command data. (GP-3565)
  • +
  • Importer:Mach-O. Added more options to the DyldCacheLoader so its performance can be better controlled by the user. (GP-3566)
  • +
  • Importer:Mach-O. The MachoLoader now supports threaded binding (BIND_OPCODE_THREADED). (GP-3701, Issue #5558)
  • +
  • Languages. Updating the PowerPC index to reference the latest manuals. (GP-3296)
  • +
  • PDB. Improved disassembly and function creation in presence of non-returning functions. (GP-3604)
  • +
  • Processors. Added instruction manual indices for ColdFire instructions. (GP-3327)
  • +
  • Processors. Addressed unnecessary x86 LOAD ops preventing certain decompiler transformations. (GP-3822, Issue #5433)
  • +
  • Scripting. Updated RecoverClassesFromRTTIScript to improve class structure creation for GCC programs. (GP-3464, Issue #5642)
  • +
  • Scripting. Updated RecoverClassesFromRTTIScript to make sure all class thiscall functions are using the class structure created by the script. (GP-3777)
  • +
  • Sleigh. Replaced implementations of _fxsave and _fxsave64 with defined p-code ops in ia.sinc. (GP-3733, Issue #5208)
  • +
  • Version Tracking. Changed Auto Version Tracking duplicate function match to not process overly large duplicate match sets that can be extremely time-consuming. (GP-3527)
  • +
+
+

Bugs

+
    +
  • Analysis. Changed function body creation when functions overlap to favor contiguous functions. Previously, overlapping functions bodies were arbitrary based on order of creation. (GP-2823)
  • +
  • Analysis. Allow values that have the low bit set to be pointers if they are at the top of a function on ARM and MIPS. (GP-3766)
  • +
  • API. Added Function body restrictions to ensure it is contained within a single address space. (GP-567, Issue #2577, #5051)
  • +
  • API. Fixed issue where front end plugins were not having their dispose methods called when exiting Ghidra (GP-3343)
  • +
  • Data Types. Fixed alignment of 8-byte datatypes for 32-bit Windows data organization. (GP-3449)
  • +
  • Data Types. Eliminated use of data type aligned-length when adding components to a non-packed structure. This should allow arbitrary component placement when packing is disabled. (GP-3726, Issue #5602)
  • +
  • Data Types. Corrected problem with the decode of subnormal floating point values. (GP-3775, Issue #5647)
  • +
  • Decompiler. The Decompiler no longer automatically simplifies away code performing NaN tests. (GP-3019, Issue #4588)
  • +
  • Decompiler. Fixed a bug in the Decompiler where assignments to local variables on the stack could be incorrectly reordered before calls. (GP-3429, Issue #5237)
  • +
  • Decompiler. Fixed variable merging bug in the Decompiler that could cause "Unable to merge address forced indirect" exceptions. (GP-3682, Issue #5588)
  • +
  • Decompiler. Fixed bug causing segmentation faults in the Decompiler triggered by Golang binaries. (GP-3783)
  • +
  • Demangler. Fixed minor GNU Demangler parsing bug that caused && to get added to function pointers. (GP-3650)
  • +
  • Eclipse Integration. Exporting a Ghidra Module Extension with the GhidraDev Eclipse plugin produces an intermediate build directory within the project. This build directory now gets automatically cleaned up to avoid Ghidra runtime/debugging issues. (GP-3523, Issue #5327)
  • +
  • Eclipse Integration. The Ghidra Front-End GUI now prevents installation of extension source (unbuilt) directories. (GP-3852)
  • +
  • Framework. Fixed issue preventing Enum Editor actions from appearing in the Key Bindings options. (GP-3708, Issue #5638, #5639)
  • +
  • Graphing. Changed graph DOT exporter to rename our Name attribute to a label attribute, which is what DOT graphs use for display. Also, cleaned up vertex label display when in compact mode and added the vertex id in the tooltip. (GP-3779, Issue #5678)
  • +
  • GUI. The Comments dialog now uses the selected comment text when adding a new annotation. (GP-3560, Issue #5439)
  • +
  • Importer. User can now correctly Add To Program with Microsoft Module-definition (.def) files. Several parsing bugs with this file format were also fixed. (GP-3826, Issue #5676)
  • +
  • Importer:ELF. Made significant improvements to ELF RISCV relocation support. (GP-3707, Issue #3816)
  • +
  • Importer:ELF. Corrected ELF R_RISCV_RVC_BRANCH relocation processing. (GP-3792, Issue #5701)
  • +
  • Importer:ELF. Updated ELF Loader to convert non-displayable ASCII symbol name characters to ASCII Control Characters (e.g., ^A) instead of discarding symbol with an error. Import log will report use of modified name when this occurs. (GP-3793, Issue #5619)
  • +
  • Importer:Mach-O. Improved support for loading Apple watchOS binaries. (GP-3630)
  • +
  • Misc. Fixed bug in table sorting where data could be corrupted if the sort was cancelled before it completed. (GP-3685)
  • +
  • Processors. Fixed issue with M68000 reading from memory multiple times per instruction. (GP-3219, Issue #2492)
  • +
  • Processors. Fixed mnemonic for PowerPC VLE e_sthu instruction. (GP-3434, Issue #5247)
  • +
  • ProgramDB. Data may now be created in a Byte-Mapped Memory Block using a Dynamic datatype. This was previously disallowed due to an ambiguous initialized-memory check. (GP-3208)
  • +
  • Project. Changed project data store close/dispose behavior to resolve issues with open programs getting disconnected by closing of associated project store. Changed GhidraScript.askProgram to always require proper use of Program.release(Object consumer) by scripts which use it. Script's failure to release a program will prevent proper resource disposal. (GP-3697)
  • +
  • Scripting. Fixed ShowConstUse script back-tracking through MultiEqual pcode operations to handle multiple inputs to the same location. (GP-3503, Issue #5242)
  • +
  • Search. Fixed findBytes() to honor the search limit when used regular expressions. (GP-3797, Issue #5672)
  • +
+
+

Ghidra 10.3.3 Change History (August 2023)

Improvements

    diff --git a/Ghidra/Configurations/Public_Release/src/global/docs/WhatsNew.html b/Ghidra/Configurations/Public_Release/src/global/docs/WhatsNew.html index 300131f2d84..97c555435ef 100644 --- a/Ghidra/Configurations/Public_Release/src/global/docs/WhatsNew.html +++ b/Ghidra/Configurations/Public_Release/src/global/docs/WhatsNew.html @@ -15,12 +15,14 @@ th { font-family:times new roman; font-size:14pt; font-weight:bold; padding-left:10px; padding-right:10px; text-align:left; } code { color:black; font-family:courier new; font-size: 12pt; } span.code { font-family:courier new font-size: 14pt; color:#000000; } + .gcode { font-family: courier new; font-weight: bold; font-size: 85%; } + .gtitle { font-style: italic; font-weight: bold; font-size: 95%; } -

    Ghidra: NSA Reverse Engineering Software

    +

    Ghidra: NSA Reverse Engineering Software

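Review bot: the unchanged span.code rule in this hunk's context is missing the semicolon between font-family:courier new and font-size: 14pt, which makes the whole font-family declaration invalid, so span.code silently gets neither its font nor its size; since this hunk already edits the stylesheet to add .gcode and .gtitle, fix it here as "font-family: courier new; font-size: 14pt;". The added .gcode and .gtitle classes are not visibly referenced by any line of the two WhatsNew content hunks, so confirm they are used, otherwise they are dead CSS.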
    Ghidra is a software reverse engineering (SRE) framework developed by NSA's Research Directorate. @@ -43,203 +45,82 @@

    Ghidra: NSA Reverse Engineering Software


    -

    What's New in Ghidra 10.3

    +

    What's New in Ghidra 10.4

    The not-so-fine print: Please Read!

    -

    Ghidra 10.3 is fully backward compatible with project data from previous releases. - However, programs and data type archives which are created or modified in 10.3 will not be useable by an earlier Ghidra version.

    +

    Ghidra 10.4 is fully backward compatible with project data from previous releases. + However, programs and data type archives which are created or modified in 10.4 will not be useable by an earlier Ghidra version.

    -

    This release includes many new features and capabilities, performance improvements, quite a few bug fixes, and many pull-request +

    This release includes new features and capabilities, performance improvements, quite a few bug fixes, and many pull-request contributions. Thanks to all those who have contributed their time, thoughts, and code. The Ghidra user community thanks you too!

    IMPORTANT: Ghidra requires Java 17 JDK to run. A newer version of Java may be acceptable but has not been fully tested. Please see the Ghidra Installation Guide for additional information.

    -

    NOTE: Please note that any programs imported with a Ghidra beta versions or code built directly from source outside of a release tag may not be compatible +

    NOTE: Please note that any programs imported with a Ghidra beta version or code built directly from source outside of a release tag may not be compatible and may have flaws that won't be corrected by using this new release. Any programs analyzed from a beta or other local master source build should be considered experimental and re-imported and analyzed with a release version. As an example, Ghidra 10.1 beta had an import flaw affecting symbol demangling that was not correctable. Programs imported with previous release versions should upgrade correctly through various automatic upgrade mechanisms. Any program you will continue to reverse engineer should be imported fresh with a release version or a build you trust with the latest code fixes.

    -

    NOTE: Ghidra Server: The Ghidra 10.3 server is compatible with Ghidra 9.2 and later Ghidra clients. Ghidra 10.3 +

    NOTE: Ghidra Server: The Ghidra 10.4 server is compatible with Ghidra 9.2 and later Ghidra clients. Ghidra 10.4 clients are compatible with all 10.x and 9.x servers. Although, due to potential Java version differences, it is recommended that Ghidra Server installations older than 10.2 be upgraded. Those using 10.2 and newer should not need a server upgrade.

    -

    NOTE: Platform-specific native executables can be built directly from a release distribution. - The distribution currently provides Linux 64-bit, Windows 64-bit, and MacOS x86 binaries. If you have another platform, - for example a MacOS M1 based system or a Linux variant, the support/buildNatives script can build the Decompiler, - demangler, and legacy PDB executables for your plaform. Please see "Building Ghidra Native Components" section in the - the Ghidra Installation Guide for additional information.

    +

    NOTE: Platform-specific native components can be built directly from a release distribution. + The distribution currently provides Linux x86-64, Windows x86-64, and macOS x86-64 native components. If you have another platform, + for example a macOS M1 based system or a Linux ARM variant, the support/buildNatives script can build the Decompiler, + demangler, and legacy PDB executables for your plaform. Please see the "Building Ghidra Native Components" section in the + Ghidra Installation Guide for additional information.

    -

    Dark Mode / Theming

    +

    Mach-O Improvements

    -

    Ghidra now supports UI theming, which allows for full customization of colors, fonts, and icons used consistently throughout the application. - Ghidra themes are built on top of the various Java Look and Feel classes. Included are standard themes for all the supported - Look and Feels. The most notable is the Flat Dark theme, which is built using the FlatLaf, a modern open-source flat Look and Feel - library. Additionally, Ghidra includes various tools for editing and creating custom themes.

    +

    Support for the Mach-O binary file format has received many updates, including more complete markup of load command data and Swift type metadata. + Support has also been added for threaded binding (BIND_OPCODE_THREADED). Libraries extracted from the dyld_shared_cache + GFileSystem now contain a packed down __LINKEDIT segment, significantly reducing the size of the resulting binary. Additionally, + local symbols are included in the exported libraries which are visible where only <redacted> symbols were previously present. + Finally, libraries can now be loaded from both local directories as well as GFileSystems for all file formats and filesystems. This enables loading libraries directly + from within dyld_shared_cache file without the need to export them first to disk.

    -

    Also, all the main display windows (Listing, Decompiler, and Bytes Viewer) support quickly changing the font size via <Ctrl>+ or <Ctrl>-.

    - -

    See the Ghidra Help pages for full details on the theming feature.

    - -

    Debugger

    - -

    Perhaps the most exciting debugger change is the addition of new training course materials for the Debugger. The materials are written in - Markdown so they display right on GitHub, but they can also be rendered to nice HTML pages by Pandoc for offline viewing. They are suitable - both for self-paced learning and classroom environments. Even if you have used our Debugger before, we highly recommend reading these materials. - They are in the docs/GhidraClass directory with the other course materials.

    -

    There are several changes to improve the user experience with the Emulator:

    -
    -
      -
    • There is a dedicated Emulator tool. Previously, it was not apparent an Emulator GUI even existed in the Debugger tool. Most only - accessed it via scripting. The Emulator tool is the same as the Debugger tool, but without the back-end debugger management plugins. - This both showcases the Emulator and makes it safer to access, e.g., when examining malware. The launch buttons are removed, nearly - eliminating the risk of accidental detonation.
    • -
    • The control actions (step, suspend, resume, etc.) have been moved to the main toolbar. When toggled to control the emulator, it is now - possible to emulate to the next breakpoint. Before, it was only possible to step. If you were savvy, you could use the Go To Time - action to run many steps, but you had to predict precisely how many steps. These controls present the Emulator as a more traditional - trap-and-trace debugger and retain support for time travel.
    • -
    • Breakpoints are now applied to the Emulator. They also support injecting custom Sleigh semantics into the Emulator. This makes - it possible, e.g., to stub out external function calls. Breakpoints are now displayed in the Decompiler margin, too.
    • -
    • Regarding uninitialized/undefined memory, the Emulator will still treat undefined bytes as zeros. When decoding an - instruction; however, it will now interrupt if when encounters undefined bytes. Previously, it would just decode them as if - zeros, which was never useful.
    • -
    • Nascent support for stack unwinding has been added. Up to now, we have relied on the back-end debugger to unwind the stack, - which ruled out displaying accurate stack frames during emulation. There is still more work for full UI integration, but you can - unwind a stack (whether on target or emulated) using the Debugger -> Analysis menu and view the results by navigating the - Dynamic Listing to stack space. Please understand it may not work in most situations, yet.
    • -
    • Several miscellaneous actions have been added: To invalidate the Emulator cache, use the Debugger -> Configure Emulator menu. - Use this whenever the Emulator seems to be ignoring configuration changes, especially when modifying custom Sleigh breakpoints. - To display all bytes (not just changed ones) in the Dynamic Listing, choose Load Bytes from Emulator in the Auto-Read drop-down. - To manually add or remove memory regions, e.g., to create and initialize a heap for emulation, use the new actions in the Regions window
    • -
    -
    -

    There are several Debugger UI improvements:

    -
    -
      -
    • The control actions are duplicated in the main toolbar. Previously, these were only in the Objects window. (They remain there for - back-end connector/model development, troubleshooting, and diagnostics.) The actions in the main toolbar can be toggled to control a - live target or the Emulator. The Emulator stepping actions have been removed from the Threads panel. (They never really made sense there.) - Toggling these actions to the Emulator effectively forks an emulator from the target's live state, i.e., for extrapolation, just as the old - emulator stepping actions did.
    • -
    • The current program counter is now displayed in the top right corner of the Dynamic Listing (or whatever the listing is configured to - track). It will display in red if the address cannot be shown in the listing, e.g., because it is not mapped in memory. This provides better - feedback when the listings seem to be out of sync.
    • -
    • GDB's advance command has been added to the Listing context menus as well as the equivalent actions for other debuggers. (More generally, - any command provided by a back-end connector that takes a single address parameter is presented in context menus where an address is - available.)
    • -
    • The Go To dialog in the Dynamic Listing can now take simple addresses in hexadecimal. Previously, it only took Sleigh expressions, - which are powerful, but made the common case too complicated. It still accepts Sleigh expressions, and those expressions can now refer - to labels (symbols) from any mapped program database (static image).
    • -
    • A new kind of hover has been added for displayed variables. If there is a debugger target (live or emulated) mapped to the current program, - the hover will display the variable's current value. This applies to Listings and the Decompiler window.
    • -
    • You can now select a different thread, frame, or snapshot without activating it. Single-click to select. Double-click to activate.
    • -
    -
    -

    There are a few small improvements to back-end debugger integration:

    -
    -
      -
    • You can now set the working directory when launching a Windows target.
    • -
    • GADP agents now accept a single connection and automatically terminate when Ghidra disconnects.
    • -
    • Launch scripts have been added for starting a GADP agent from the command line.
    • -
    • There is now a script to build the Java bindings needed for the LLDB connector.
    • -
    -
    - -

    Decompiler

    -

    Support has been added for expanding assignment statements on structures or arrays, where multiple fields or elements are moved as a - group by a single instruction. This is especially helpful for analyzing structure initialization code and stack strings.

    - -

    Support continues to improve for structures that are either stored across multiple registers or in a single register that is - accessed in pieces. Data types associated with the component fields are propagated more fully throughout the function, and assignments - to fields are displayed simply.

    - -

    Data Types

    - -

    Data Type Archives may now optionally target a specific architecture as specified by a processor and associated compiler specification - such as data organization. This has the advantage of better conveying datatype details for a desired architecture and preserving aspects - which may change when resolved into a program. In the future, this will also allow function definitions to retain architecture-specific - details.

    - -

    Function definition data types have been improved to preserve calling convention names which may differ from the predefined generic - calling convention names to include those which may have originated from an extended compiler specification. In addition, function - definitions now support the noreturn attribute.

    - -

    Enum handling has been improved in the data type manager when creating new enums from an existing set of enum values, - for example define_ enums parsed from header files. Enum values will be automatically sized to fit all the values contained - in the enum. Setting the size of an Enum will check if the values will fit within the new size. In addition, define_ values - created as enums with a single value are sized to the minimum size to fit the value. Parsed enums from header files are sized based - on the declared size of an int from the data organization used to parse. A future version will have a setting to size all parsed enums - to the smallest size that will fit all the values.

    - -

    C Header File Parsing

    -

    The C-Parser GUI has been refactored to remove include paths from the Options section done as -D define lines, to a new Include section. - This should make it easier to configure paths to the include files and has the added benefit of coloring the include file entries red if - they are not found within any include path. You may find creating and using a Ghidra Script instead of the GUI an easier repeatable process. - There are several included examples scripts, including ones to parse AVR8 header files, and Visual Studio version 22 files.

    +

    Accessibility Improvements

    + +

    Ghidra's Listing, Byte Viewer, and Decompiler components have been updated to provide initial support for screen readers. These are custom Ghidra components + and as such do not have the typical built-in Java Swing support for screen readers. Other Ghidra components use standard Java Swing widgets and work + out of the box with screen readers. +

    -

    All supplied data type archive GDT files, except macOS, have been re-parsed to include the new processor architecture.

    +

    Instruction Length Override

    -

    Mach-O Binary Import

    -

    Mach-O binary analysis continues to improve. Support has been added for new file formats introduced in iOS 16 and macOS 13. - Improvements have also been made to function identification, symbol detection, and Objective-C support.

    +

    Added the ability to reduce an instruction's effective code unit length to facilitate overlapping instructions when flows into the middle of + an instruction occur (i.e., offcut flow). This length override does not impact the actual number of bytes parsed. By reducing the first instruction's + effective code unit length, disassembly of the offcut location may be performed utilizing trailing bytes shared with the first instruction. + The first instruction will retain its original fallthrough, therefore overlapping instruction(s) which follow should generally be fully contained + within the first instruction's parsed byte length. The need for this has been observed in the x86 Linux libc library + where there may be a flow around a LOCK prefix byte. +

    Analysis

    -

    New ApplyDataArchives analyzer settings enable use of locally created GDT data type archive files or project archives in the - analysis pipeline. Used in conjunction with analysis options settings saved to a named analysis configuration you can easily switch to using a new - GDT file and associated analysis options for a given type of binary. For example, if you are working with AVR8 binaries and have - an associated AVR8.gdt file, create an AVR8 configuration and it will be used as the default analysis options configuration until - you change to a new configuration.

    - -

    Constant Propagation now deals with constants passed as stack parameters. In addition, there are several new settings which can better - control when a constant is considered to be an address. For example, processors with small memory spaces, the setting Require pointer param - data type, will only create a reference if the parameter is declared with a data type that would be a pointer. This can be useful for Harvard - architectures with multiple address spaces used in conjunction with the PointerTypedef to specify the address space of the pointer. Currently, - once you change the parameter of a called function to be a pointer, you will need to re-run analysis to get the constants passed to the function - to be turned into a reference. This will be automated in the near future.

    - -

    By default, pointer-to-pointer analysis is turned off for ARM binaries in the Operand and Data Reference analyzers. This can result in fewer - references created and can be turned back on if your ARM binaries use pointers data stored in memory instead of offset values from the current PC - to calculate all references.

    - -

    Added support for PE MinGW pseudo-relocation processing.

    - -

    Shared Projects

    -

    Folder and file links to contents of another shared project repository may now be added to a Ghidra Project. This could allow a team to - include a program or subfolder that resides in another project rather than copying the program into your project for easy access. The linked - files are opened for read-only viewing.

    - -

    Processors

    -

    Improvements and bug fixes have been made to many processors since 10.2 to include: - AARCH64, ARM, Coldfire, HCS12 MIPS X86, PowerPC, RISCV SPARC, SuperH, TriCore, V850, Z80, 6x09, 68K, and 8051.

    - -

    Two new user-submitted processors, eBPF and BPF, add support for two variants of Berkeley Packet Filter binaries.

    - -

    A user-submitted refactoring of X86 LOCK/UNLOCK decoding and semantics has been committed. There are currently some issues with the - Decompiler re-arranging code outside of the LOCK/UNLOCK which will be addressed with an upcoming patch. If your analysis depends on - the LOCK/UNLOCK semantics, please be aware of the issue.

    +

    Function body creation has been reworked, when code from multiple functions overlap, to favor contiguous functions. There have been instances where compilers + share portions of another functions code, especially common return code. Where previously the jump to the other function would have been turned into a call, and + a portion of the other function split into two, the shared code will now belong to the function that falls into the shared code if possible. + Previously there was also a potential for arbitrary function bodies depending on which function was analzyed first. + These changes could have an affect on version tracking in some instances where the original binary was analyzed with an older version of Ghidra.

    -

    A new leading zeroes count operator, called lzcount, has been added to p-code, and it can now be used by SLEIGH developers - to model processor instructions. The Decompiler can simplify common code idioms using these instructions, and emulation is supported.

    +

    Diff Improvement

    -

    User Interface Improvements

    -

    Diff can now be performed between two open programs which may include remote files previously opened via a Ghidra-URL.

    +

    Diff can now be performed between two open programs which may include files previously opened via a Ghidra-URL. Previously, Diff only allowed + a file from the active project to be selected.

    -

    GoLang 1.18 Support

    -

    An importer, Analyzer, and Internal changes have been made to support GoLang. Currently, only version 1.18 is supported; however slightly older or newer versions may work. - There are still some Decompiler issues with multiple return parameters to be worked out, however the implementation was thought complete enough - for initial real use. Please consider the feature an evolving initial implementation.

    +

    GoLang Version Support

    -

    Ghidra Startup

    -

    Ghidra now remembers the last location of a program when it is closed. When that program is later re-opened, Ghidra will position the - program to that location. Also, there are options for where Ghidra should start for new programs and optionally when Ghidra completes - the initial analysis.

    +

    GoLang versions 1.17, 1.19, and 1.20 have been added. Previously only version 1.18 was supported. A bug in the decompiler triggered + by GoLang binaries has also been fixed.

    -

    Template Simplification

    -

    Ghidra now has options for simplifying the display of symbol names, in both the Listing and Decompiler, with complex template information - embedded in them. The simplification should result in a much less busy display when dealing with templates.

    +

    Undo/Redo Change List

    +

    Undo and Redo now have lists of transactions that can be undone or redone. This change makes it easy to choose a set of transactions to be undone/redone by choosing + an item further down the list instead of pressing undo/redo repeatedly

    Additional Bug Fixes and Enhancements

    Numerous other bug fixes and improvements are fully listed in the ChangeHistory file.
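Review bot: the added Function-body paragraph in this hunk carries three typos that should be fixed before the release notes ship: "analzyed" should read "analyzed", "could have an affect on" should read "could have an effect on", and "another functions code" should read "another function's code". The added Undo/Redo paragraph also ends without a period after "instead of pressing undo/redo repeatedly".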

    @@ -250,4 +131,4 @@

    Additional Bug Fixes and Enhancements

    - + \ No newline at end of file From 1801dc1ee62be73faae29961ec2f17a59423f156 Mon Sep 17 00:00:00 2001 From: ghidra1 Date: Thu, 28 Sep 2023 12:24:51 -0400 Subject: [PATCH 3/3] GP-0 Update to WhatsNew for 10.4 release --- .../Public_Release/src/global/docs/WhatsNew.html | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/Ghidra/Configurations/Public_Release/src/global/docs/WhatsNew.html b/Ghidra/Configurations/Public_Release/src/global/docs/WhatsNew.html index 97c555435ef..5f25f61287d 100644 --- a/Ghidra/Configurations/Public_Release/src/global/docs/WhatsNew.html +++ b/Ghidra/Configurations/Public_Release/src/global/docs/WhatsNew.html @@ -78,10 +78,13 @@

    Mach-O Improvements

    Support for the Mach-O binary file format has received many updates, including more complete markup of load command data and Swift type metadata. Support has also been added for threaded binding (BIND_OPCODE_THREADED). Libraries extracted from the dyld_shared_cache - GFileSystem now contain a packed down __LINKEDIT segment, significantly reducing the size of the resulting binary. Additionally, - local symbols are included in the exported libraries which are visible where only <redacted> symbols were previously present. - Finally, libraries can now be loaded from both local directories as well as GFileSystems for all file formats and filesystems. This enables loading libraries directly - from within dyld_shared_cache file without the need to export them first to disk.

    + GFileSystem now contain a packed down __LINKEDIT segment, significantly reducing the size of the resulting binary.

    + +

    Local symbols within dyld_shared_cache extracted libraries are now included in place of <redacted> symbols.

    + +

    In addition to searching local filesystem directories, library dependencies can now be loaded from the top-level of any GFileSystem-supported container file. This is allowed for all Import file + formats that support the loading of library dependencies. For example, this enables loading library dependencies directly from within a dyld_shared_cache file without the + need to export them first to the local filesystem.

    Accessibility Improvements
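Review bot: in the `@@ -250,4 +131,4 @@` hunk of WhatsNew.html (patch 2/3), the `\ No newline at end of file` marker follows the `+` line, so the rewritten file still ends without a trailing newline; add one so that the next diff touching the end of this file stays clean.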
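Review bot: in the `@@ -78,10 +78,13 @@` hunk, the added sentence "Local symbols within dyld_shared_cache extracted libraries are now included in place of <redacted> symbols." reads more clearly as "Local symbols are now included in libraries extracted from the dyld_shared_cache, in place of <redacted> symbols."; in the last added paragraph, "from the top-level of any GFileSystem-supported container file" should use the noun form "top level", and "Import file formats" should be lowercase "import file formats" to match the removed line's "file formats and filesystems".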