|
|
|
|
@@ -1,17 +1,17 @@
|
|
|
|
|
# What's New in Ghidra 11.2
|
|
|
|
|
# What's New in Ghidra 11.3
|
|
|
|
|
This release includes new features, enhancements, performance improvements, quite a few bug fixes,
|
|
|
|
|
and many pull-request contributions. Thanks to all those who have contributed their time, thoughts,
|
|
|
|
|
and code. The Ghidra user community thanks you too!
|
|
|
|
|
|
|
|
|
|
### The not-so-fine print: Please Read!
|
|
|
|
|
Ghidra 11.2 is fully backward compatible with project data from previous releases. However, programs
|
|
|
|
|
and data type archives which are created or modified in 11.2 will not be usable by an earlier Ghidra
|
|
|
|
|
Ghidra 11.3 is fully backward compatible with project data from previous releases. However, programs
|
|
|
|
|
and data type archives which are created or modified in 11.3 will not be usable by an earlier Ghidra
|
|
|
|
|
version.
|
|
|
|
|
|
|
|
|
|
__IMPORTANT:__ Ghidra 11.2 requires at minimum JDK 21 to run.
|
|
|
|
|
__IMPORTANT:__ Ghidra 11.3 requires at minimum JDK 21 to run.
|
|
|
|
|
|
|
|
|
|
__IMPORTANT:__ To use the Debugger or do a full source distribution build, you will need Python3
|
|
|
|
|
(3.9 to 3.12 supported) installed on your system.
|
|
|
|
|
(3.9 to 3.13 supported) installed on your system.
|
|
|
|
|
|
|
|
|
|
__NOTE:__ There have been reports of certain features causing the XWindows server to crash. A fix
|
|
|
|
|
for `CVE-2024-31083` in X.org software in April 2024 introduced a regression, which has been fixed
|
|
|
|
|
@@ -21,7 +21,7 @@ causing a full logout, check if your xorg-server has been updated to at least th
|
|
|
|
|
__NOTE:__ Each build distribution will include native components (e.g., decompiler) for at least one
|
|
|
|
|
platform (e.g., Windows x86-64). If you have another platform that is not included in the build
|
|
|
|
|
distribution, you can build native components for your platform directly from the distribution.
|
|
|
|
|
See the `Installation Guide` for additional information. Users running with older shared libraries
|
|
|
|
|
See the _Installation Guide_ for additional information. Users running with older shared libraries
|
|
|
|
|
and operating systems (e.g., CentOS 7.x) may also run into compatibility errors when launching
|
|
|
|
|
native executables such as the Decompiler and GNU Demangler which may necessitate a rebuild of
|
|
|
|
|
native components.
|
|
|
|
|
@@ -42,76 +42,61 @@ process that will provide better results than prior Ghidra versions. You might
|
|
|
|
|
fresh import of any program you will continue to reverse engineer to see if the latest Ghidra
|
|
|
|
|
provides better results.
|
|
|
|
|
|
|
|
|
|
## Memory Search
|
|
|
|
|
The __Search Memory__ feature in Ghidra has been updated substantially to provide two new features:
|
|
|
|
|
* The ability to perform set operations on successive searches
|
|
|
|
|
* The ability to (re)scan memory for changes in value
|
|
|
|
|
## PyGhidra
|
|
|
|
|
The PyGhidra Python library, originally developed by the Department of Defense Cyber Crime Center
|
|
|
|
|
(DC3) under the name "Pyhidra", is a Python library that provides direct access to the Ghidra API
|
|
|
|
|
within a native CPython 3 interpreter using JPype. PyGhidra contains some conveniences for setting
|
|
|
|
|
up analysis on a given sample and running a Ghidra script locally. It also contains a Ghidra plugin
|
|
|
|
|
to allow the use of CPython 3 from the Ghidra GUI.
|
|
|
|
|
|
|
|
|
|
To launch Ghidra in PyGhidra mode, run `./support/pyghidra` (or `support\pyghidra.bat`). See the
|
|
|
|
|
_"PyGhidra Mode"_ section of the _Installation Guide_ and `Ghidra/Features/PyGhidra/README.html`
|
|
|
|
|
for more information.
|
|
|
|
|
|
|
|
|
|
## Visual Studio Code
|
|
|
|
|
Ghidra 11.2 introduced a `VSCodeProjectScript.java` GhidraScript to assist in setting up Visual
|
|
|
|
|
Studio Code project folders for Ghidra module development and debugging. This GhidraScript has been
|
|
|
|
|
replaced in Ghidra 11.3 by 2 new actions, accessible from a _CodeBrowser_ tool:
|
|
|
|
|
* _Tools -> Create VSCode Module Project..._
|
|
|
|
|
* "_Edit Script with Visual Studio Code_" button in the Script Manager
|
|
|
|
|
|
|
|
|
|
The "_Create VSCode Module Project..._" action provides the same capability as the old
|
|
|
|
|
`VSCodeProjectScript.java` GhidraScript, creating a Visual Studio Code project folder that contains
|
|
|
|
|
a skeleton module which can be used to build a variety of different Ghidra extension points
|
|
|
|
|
(Plugins, Analyzers, Loaders, etc). Launchers are also provided to run and debug the module in
|
|
|
|
|
Ghidra, as well as a Gradle task to export the module as a distributable Ghidra extension zip file.
|
|
|
|
|
|
|
|
|
|
The "_Edit Script with Visual Studio Code_" button in the Script Manager enables quick editing and
|
|
|
|
|
debugging of the selected script in a Visual Studio Code workspace that is automatically created
|
|
|
|
|
behind the scenes in Ghidra's user settings directory. This provides a much snappier and modern
|
|
|
|
|
alternative to Eclipse, while maintaining all of the core fuctionality you would expect from an IDE (auto complete, hover, navigation, etc).
|
|
|
|
|
|
|
|
|
|
Ghidra will do its best to automatically locate your Visual Studio Code installation, but if cannot
|
|
|
|
|
find it, it can be set via the Front-End GUI at _Edit -> Tool Options -> Visual Studio Code
|
|
|
|
|
Integration_.
|
|
|
|
|
|
|
|
|
|
Set operations, accessible from the pull-down menu under `Search`, allow you to augment results by
|
|
|
|
|
performing boolean operations on an existing search. For example, you might search for the hex
|
|
|
|
|
pattern `DE AD` using `Search`, add `BE EF` to the pattern field, and then select `A-B` to retrieve
|
|
|
|
|
a list of byte sequences that begin with `DE AD` but do not include `DE AD BE EF`. Scanning for
|
|
|
|
|
changes is most useful in a dynamic environment, such as the Debugger. Given an existing search,
|
|
|
|
|
you can look for values that have changed, increased, decreased, or remained the same. Simple
|
|
|
|
|
examples might include looking for counters while a process is running, checking for areas of
|
|
|
|
|
decompressed memory, or identifying active areas of the heap.
|
|
|
|
|
|
|
|
|
|
## PDB
|
|
|
|
|
The `PDB Symbol Server Search Config` dialog has been changed, allowing the user to mark symbol
|
|
|
|
|
servers as trusted or untrusted. This is an improvement over the previous mechanism that based trust
|
|
|
|
|
on the symbol server's connection type.
|
|
|
|
|
|
|
|
|
|
## Debugger
|
|
|
|
|
__ATTENTION:__ Please either delete and re-import the default `Emulator` tool, or manually remove
|
|
|
|
|
the `TraceRmiPlugin` from your EmulatorTool!
|
|
|
|
|
The old "IN-VM" and "GADP" launchers and connectors have been removed, as their replacement
|
|
|
|
|
TraceRmi-based implementations have been satisfactorily completed. On that same note, the entire API
|
|
|
|
|
and supporting code base for IN-VM and GADP connectors have been removed.
|
|
|
|
|
|
|
|
|
|
There are new launchers/features for the traceRMI version of dbgeng, including extended launch
|
|
|
|
|
options, kernel debugging, and remote process server connections.
|
|
|
|
|
|
|
|
|
|
## Decompiler
|
|
|
|
|
* The Decompiler can now automatically recover strings built on the stack and initial support for
|
|
|
|
|
optimized heap strings has been added. Stack strings are typically found in optimized code and
|
|
|
|
|
obfuscated malware.
|
|
|
|
|
We've begun to explore more kernel-level debugging. Our lldb connector can now debug the macOS
|
|
|
|
|
kernel, and our dbgeng connector can now debug a Windows kernel running in a VM via eXDI.
|
|
|
|
|
|
|
|
|
|
* A new Search All action has been added which displays a table containing the results found within
|
|
|
|
|
the current function.
|
|
|
|
|
## Emulator
|
|
|
|
|
We have introduced a new accelerated p-code emulator that uses Jit-in-Time translation (JIT).
|
|
|
|
|
This is *not* currently integrated in the UI but is available for scripting and plugin developers.
|
|
|
|
|
Its implementation is named `JitPcodeEmulator`, and it's a near drop-in replacement for
|
|
|
|
|
`PcodeEmulator`. See its javadoc for usage and implementation details. This is very new, so there
|
|
|
|
|
may still be many bugs.
|
|
|
|
|
|
|
|
|
|
## Programming Languages
|
|
|
|
|
Golang support for versions `1.15` and `1.16` have been added. This brings the supported Golang
|
|
|
|
|
versions to `1.15` through `1.22`.
|
|
|
|
|
|
|
|
|
|
## Processors
|
|
|
|
|
* There have been quite a few improvements to the `Sparc` processor specification, including
|
|
|
|
|
additional instructions, 64-bit relocation support, and better handling of call/return detection
|
|
|
|
|
through tracking of the `o7` link register. In addition, the calling convention for both
|
|
|
|
|
sparc 32 and 64 bit binaries have had an overhaul to support hidden structure return and much
|
|
|
|
|
improved parameter allocation of floating point and general data types.
|
|
|
|
|
|
|
|
|
|
* The `Intel M16C/60/80` sleigh processor specifications have been added. In addition, there have
|
|
|
|
|
been numerous fixes to the `ARM`, `RX`, `M68000`, `PIC16`, `PPC`, and `x86` processor
|
|
|
|
|
specifications.
|
|
|
|
|
|
|
|
|
|
## Other Improvements
|
|
|
|
|
* Actions have been added to compare functions directly from the Listing, Decompiler, or Functions
|
|
|
|
|
Table via popup menu items. If there is already a Function Comparison window showing, there are
|
|
|
|
|
two actions: one to add the selected function(s) to the existing comparison, and one to create a
|
|
|
|
|
new Function Comparison Window. This allows a workflow where users can build up a set of functions
|
|
|
|
|
to compare as they browse around instead of having to select them all at once.
|
|
|
|
|
|
|
|
|
|
* For Ghidra script and plugin developers who would prefer to use Visual Studio Code, a new script
|
|
|
|
|
`VSCodeProjectScript.java` will create a new Visual Studio Code project that is setup to do Ghidra
|
|
|
|
|
scripting and module development. The capabilities are similar to the Eclipse GhidraDev plugin.
|
|
|
|
|
|
|
|
|
|
* There have been major speed improvements when creating or modifying large structures within the
|
|
|
|
|
structure editor. In general large structure manipulation should perform fluidly no matter the
|
|
|
|
|
size of the structure. If the structure contains a large number of defined data, there could
|
|
|
|
|
still be some degradation in speed. Some fixed performance issues include: resizing a structure
|
|
|
|
|
smaller or larger, clicking on an item to select a row, and defining a data type either with
|
|
|
|
|
keyboard actions or dragging and dropping from the data type manager. In addition, the behavior
|
|
|
|
|
of automatically growing the size of a structure has been made consistent. Defining data on the
|
|
|
|
|
last element of a structure is allowed to automatically grow the structure to fit the data type.
|
|
|
|
|
Defining data anywhere other than the last element isn't allowed if the data type does not fit
|
|
|
|
|
because of defined data that would need to be cleared, or there are not enough undefined bytes.
|
|
|
|
|
## Other Improvements
|
|
|
|
|
* Much of Ghidra's standalone documentation has been modernized to the Markdown format. Generated
|
|
|
|
|
HTML versions are provided alongside the Markdown files for convenience. Converting all relevant
|
|
|
|
|
documents to Markdown remains an ongoing process. __NOTE:__ There are no plans to convert the
|
|
|
|
|
internal Ghidra help system to Mardown, as the Java Help library does not support it.
|
|
|
|
|
* Libraries can now be loaded into an already-imported program with the _File -> Load Libraries..._
|
|
|
|
|
action.
|
|
|
|
|
|
|
|
|
|
## Additional Bug Fixes and Enhancements
|
|
|
|
|
Numerous other new features, improvements, and bug fixes are fully listed in the
|
|
|
|
|
|
Ryan Kurtz