ELFExternalSymbolResolver script missing in release

[c0d3z3r0]

Describe the bug

ELFExternalSymbolResolver script missing in release

To Reproduce
Steps to reproduce the behavior:

1. Download and extract 11.1.2 release zip; find . -name ELFExternalSymbolResolver\* yields no results
2. Run Ghidra, check script manager: ELFExternalSymbolResolver missing

Expected behavior

ELFExternalSymbolResolver is packaged and can be used from the script manager

[ryanmkurtz]

This has been replaced by the External Symbol Resolver analyzer. Mainly because Mach-O started using it too. Is there a reason you need it in script form?

[c0d3z3r0]

Oh, I missed that, because I thought this only works for libaries on disk. Can you give me a hint, how to make Ghidra resolve external symbols in a firmware binary from a mask rom elf image? Adding the mask rom image in the "External Programs" screen doesn't seem to do the job

[ryanmkurtz]

In your firmware binary, in the Symbol Tree, are any Imports recognized? If so, are they under <EXTERNAL> or under the mask rom image?

[c0d3z3r0]

Well, I don't think it would be recognized as real import anyway. Maybe (I'd need to test it later) when the main binary is elf as well. In my case the main firmware was dumped from a device. The mask rom elf file is provided by Espressif for ESP*. So, basically my main binary is just calling functions in the mask rom region.

For now I worked around by exporting both Ghidra objects, main firmware and mask rom elf, as xml, merged the mask rom into the main xml by hand and reimported. That worked very well but is really ugly 😆

[c0d3z3r0]

I tested it now. Imports/exports are empty:

When I add the (already analyzed) mask rom elf image via "External Program" and assign the program, it gets listed in Imports, but nothing more happens. Maybe I'm doing it wrong?

This is the analyzed mask rom image having exports:

[ryanmkurtz]

If the external functions addresses that the main binary are actually correct in the ELF, you may just be able to import the ELF, and then do Add to Program, bringing in the firmware image into the same program. If the addresses match, everything may just work.

[c0d3z3r0]

That's actually what I tried in the first place, but Ghidra only let's me import it as a raw binary:

So, yes, if Ghidra would allow to load the ELF file into an existing project, that would work.

[ryanmkurtz]

Can't you import the ELF first, and then bring in the firmware image? Isn't that just a memory dump anyway?

[c0d3z3r0]

Sure, when doing it initially, that works. But what if you realize there is a mask rom elf available, when you already have reverse-engineered half of the main firmware? :/

[ryanmkurtz]

Indeed. I guess you are asking for #3307 then?

[c0d3z3r0]

Hah, yes indeed!

[ghidra1]

I suspect this image does not utilize dynamic libraries which would be identified within the image and therefor cannot be handled with our library support. Such binaries when built use pre-defined function locations defined during the buid process and is effectively pre-linked (i.e., no dynamic linking) and lack external symbol/library details, In such situations it may be neccessary to understand how the binary was built (i.e., tool chain, header files, etc.) and get creative in identifying function symbols and addresses. The CParser may help in parsing header files or another parsing technique may be required to collect the function signatures and associated addresses. Function symbols can then be created with name and signatures. The external library/function processing provided by Ghidra does not really help with such situations.

ELF imports that do utilize dynamic linking will generally have either program headers or sections which identify a dynamic table, global offset table (got), procedure linkage table (plt), etc. I see no evidence of such regions in your listings above.

ROM dumps/images are generally not ELF

[c0d3z3r0]

Yeah right, the dump is not ELF but it uses fixed location function calls to run vode provided by the mask rom. The latter is provided by Espressif as ELF. My hope was that Ghidra would be able to recognize these functions to the separately imported ELF through the External Program mechanism. Anyway, exporting the ELF as XML and importing it to the rom dump project just worked fine and all function calls are resolved now