Ghidra v10.0

FleTime 2021-6-22

Ghidra 10.0 Change History (June 2021)
New Features
Debugger. Introduced the Debugger, along with GDB and dbgeng.dll connectors for debugging user-mode applications on Linux and Windows, respectively. The UI includes threads, timeline, modules, memory, registers, watches, etc., for examining and controlling debug targets. See Help -> Contents -> What's New for more details. (GP-986)
Exporter. For programs imported with the PE and ELF loaders, new exporters are available that write back to the original file layout. Any file-backed bytes that were modified by the user in the program database will be reflected in the written file (except on relocations). Writing back a modified Memory Map is not supported. (GP-786, Issue #1501, #1505, #19)
Graphing. Added Graph -> Data actions to the Code Browser, allowing visualization of specified pointer relationships in a graph. (GP-194)
Scripting. Added prototype RecoverClassesFromRTTIScript that uses RTTI information to enhance Ghidra's knowledge of class hierarchy, class member function types (constructors, destructors, deleting destructors, clones) and class member data. The script will label and put member functions into the correct class namespace and apply new class structures created either using PDB information, if available, or Decompiler pcode information. (GP-339)
Scripting. Added an example script, LocateMemoryAddressForFileOffset, to demonstrate mapping of a location in the original imported file to the program memory address. Useful for cases where the original file offset is known; for example, a YARA rule match. (GP-782)
Scripting. Created a script to allow users to search for image base offsets to the current cursor location in 32-bit and 64-bit programs. (GP-863)
Improvements
Analysis. Function signatures, including return types and argument data types, are now decoded from CLI Metadata for .NET binaries. (GP-327)
Analysis. Switched #Strings table processing from ASCII to UTF-8 for CIL binaries. (GP-330, Issue #423)
Analysis. Added Constant, Assembly, and AssemblyRef blob processing for CIL binaries. (GP-465)
Analysis. Added the Variadic Function Signature Override analyzer, which identifies functions that take a format string as a parameter and applies the correct signature override at each call site. (GP-516)
Analysis. Added ability to save and easily reuse analysis options in customer-defined configurations. (GP-544, Issue #2182, #312)
Analysis. Ghidra analysis is now aware of more PE/Windows non-returning functions. (GP-733, Issue #2111)
Analysis. ResolveX86orX64LinuxSyscallsScript now properly marks non-returning syscalls. (GP-868, Issue #2761)
API. Revised Structure and Union API, and associated editor, to eliminate the use of the terms Unaligned/Aligned in favor of a packing enablement designation. Also corrected various change notification issues which may improve archive synchronization and merge behavior. (GP-862, Issue #2681)
API. Renamed DataType.isDynamicallySized() to DataType.hasLanguageDependantLength() to avoid confusion. This method is used internally to differentiate between fixed-length types and those whose length is determined by the compiler specification's data organization (e.g., pointers). (GP-932)
Basic Infrastructure. Improved error reporting when trying to launch Ghidra from the git repo without Eclipse having compiled it. (GP-815, Issue #2872)
Build. Command gradle -I gradle/support/fetchDependencies.gradle init now downloads the Function ID datasets from the ghidra-data GitHub repository so they will be automatically included in development mode and custom builds. (GP-678, Issue #1007)
Build. Performing a gradle clean no longer deletes downloaded dependencies. The top-level flatRepo directory has been replaced with the dependencies directory. (GP-811, Issue #1663)
Build. Ghidra now requires Gradle 6.0 or later to build. Gradle 7.x is now supported. (GP-849, Issue #2949)
Build. Made changes to gradle code to remove warnings. (GP-993, Issue #3039)
Data Types. Added support for hexadecimal byte offset display within composite bitfield view. (GP-910, Issue #2959)
Decompiler. Decompiler analysis now automatically identifies and displays loop variables using standard for-loop syntax. When a loop variable is discovered, a condition, iteration, and optional initializer statement are displayed at the top of the loop. (GP-565)
Decompiler. Added the Max Instructions per Function Decompiler tool option, specifying the maximum number of instructions the Decompiler will decode in a single function before throwing an exception. Previously, this had been a hard-coded limit. (GP-767, Issue #2557)
Decompiler. The Decompiler now propagates datatypes across signed comparison operations, so constant integer and enum values display correctly. (GP-802, Issue #2565)
Demangler. Updated the GNU Demangler Analyzer options to provide a list of available formats from which to choose. (GP-94, Issue #2214)
Demangler. Updated the GNU Demangler's Namespace-building to improve analysis performance. (GP-706, Issue #2509)
Demangler. Improved Demangler error checking and reporting to give underlying cause of failure. (GP-850)
Documentation. Added basic instructions on how to install, build, and develop Ghidra to README.md. (GP-847)
DWARF. Improved speed and memory usage when importing large DWARF binaries. (GP-419)
DWARF. Added M68000/SVR4 DWARF register mappings. (GP-556, Issue #1610)
DWARF. Improved handling of zero-length structure components during DWARF processing. (GP-851, Issue #2191)
Exporter. Made various improvements and bug fixes to the IDA Pro exporter. (GP-831, Issue #1897, #2788, #2882, #2891)
FileSystems. Added support for recognizing unencrypted DMG files. (GP-845)
Framework. Added support for program-specific extensions to a compiler specification. Users can now define their own calling conventions and call-fixups to integrate into decompilation and other analysis (see help for Specification Extensions). (GP-653)
Graphing. Added capability to collapse and expand nodes in the default graph display. (GP-371)
Graphing. Upgraded jungrapht to version 1.1. (GP-377)
Graphing. Refactored graph exporters into a more extensible framework. (GP-440)
Graphing. Graph layout algorithms can now be chosen programmatically. (GP-551)
Graphing. Created additional modified versions of the MinCross layout algorithms, all named to start with Vertical Hierarchical Min-Cross, so that they accept a favoredEdge predicate. When an edge is favored, a pass through the graph layers attempts to align those edges vertically. (GP-625)
Graphing. Added an option to change the background color of the Function Graph window. (GP-760, Issue #1324)
Graphing. Updated Function Graph edge routing when applying the Use Condensed Layout option to reduce edges being clipped by vertices. (GP-768)
Graphing. Added option to disable the lightening of edges in the Function Graph. (GP-769, Issue #1106)
Graphing. Added a distinct visual edge highlight beyond just a different color for graph edge selection. (GP-793, Issue #2953)
Graphing. Added Display as Graph action to the Data Type Manager, allowing visualization of embedded and referenced types of the selected types. (GP-808)
Graphing. Fixed function graph bug that prevented the satellite view from showing the primary view lens. Fixed a layout bug that allowed some vertices to get clipped when condensing the graph. (GP-940)
Graphing. Added graph API method to set descriptions (tooltips) on vertices and edges. (GP-949)
Graphing. Added Vertex and Edge attributes to GraphML export format. (GP-957, Issue #2958)
GUI. Added new Copy Special actions: Python Byte String, Python List, and C Array. (GP-210, Issue #744)
GUI. Updated the Listing to allow structure members to display Plate Comments. (GP-421, Issue #2091)
GUI. Copy/Pasting and Dragging data types now uses a progress monitor. (GP-422, Issue #2379)
GUI. Added right-click menu Data -> Save Image action to allow user to export embedded graphic resource images. (GP-426)
GUI. Changed Symbol Comment Annotation to use the existing symbol when available. This allows for the direct navigation of that symbol's address instead of using the search feature of the Go To Service. (GP-675)
GUI. Added the Shift-F10 keybinding to allow users to show the popup context menu over the currently focused item. The Menu Key can also be used on supporting keyboards. (GP-732, Issue #2790)
GUI. Fixed/Improved the behavior of global menu items and toolbar items with respect to which windows they appear in. These actions can now easily be configured to be either 1) only in menu bar and tool bar of the main window, 2) in the menu bar and tool bar of all windows, or 3) only in the windows that have components that generate the type of context that the action consumes. Added methods to the ActionBuilder class to support these three options. Also, updated numerous actions to make sure they appear in the appropriate windows. (GP-759)
GUI. Improved overall UI responsiveness when performing analysis with the Symbol Table open. (GP-788)
GUI. Updated the Function Tags table column so that it may be used in most Ghidra tables. (GP-816, Issue #2873)
GUI. Updated the Defined Strings view to reload less frequently during auto-analysis. (GP-835, Issue #2889)
GUI. Updated function hovering in the Decompiler to find the correct function tooltip when multiple functions exist with the same name. (GP-959, Issue #2604)
Importer:ELF. Added markup to ELF import for .note.gnu.build-id and .gnu_debuglink sections. (GP-468)
Importer:ELF. Added ELF import support for SHN_MIPS_TEXT and SHN_MIPS_DATA symbol section index values and provided ability for other processor-specific ELF extensions to resolve ELF symbol memory addresses. (GP-664)
Importer:ELF. Changed various ELF relocations to detect and mark unsupported data relocations which refer to the EXTERNAL block. Applied EXTERNAL data relocations, which have a non-zero offset from the external symbol, will still be incorrect but will have an error bookmark to flag the condition. The relocation addend will not be applied in this case to avoid references to a completely irrelevant symbol in the EXTERNAL block. (GP-1029)
Importer:Mach-O. Improved support for Mach-O object files. (GP-700)
Importer:PE. CustomAttrib blobs in CLI/.NET metadata are now decoded. (GP-414)
Importer:PE. Created proper external references for PE Delay Load Imports. (GP-674, Issue #2554, #2623)
Importer:PE. PeLoader can now read and interpret the .pdata section of PE files that include exception handling data. (GP-729)
Importer:PE. Added .exports XML files for the mfc71.dll and mfc71u.dll libraries. Having them allows Ghidra to translate ordinal imports from applications compiled against MFC 7.1 (from Visual Studio .NET 2003) to class and function names with parameters. (GP-1010, Issue #3051)
Listing. Improved Listing view performance, especially noticeable on functions with excessively large stack frames. (GP-268, Issue #109, #2351)
Listing. Added a tool option to hide function auto-comments that appear, trailing a function call in the Listing. (GP-752)
PDB. Improved Ghidra's ability to find and pull PDB files from symbol servers and symbol storage locations. (GP-42)
Processors. Simplified PIC24 return instruction semantics. (GP-647)
Processors. Added support for register alias specification within processor spec (*.pspec). Added WREG register aliases for PIC24 processor variants. (GP-901, Issue #2956)
Processors. Fixed issue with the PPAGE register not being properly restored after CALL instructions in the HCS12 processor. (GP-920, Issue #1099)
Processors. Fixed HCS12 IDX1 addressing with negative immediate values. (GP-937, Issue #3008)
Processors. Fixed V850 multiply-by-immediate calculation that produced an incorrect value when the fifth bit was set. (GP-939, Issue #2970)
References. Improved performance of reference management for special cases when a large number of references from the same address exist (e.g., entry point designation). (GP-696)
Scripting. ExportImageScript now exports all images within a user-selected region to files within a user-selected folder. (GP-231)
Scripting. Improved TableChooserDialog, allowing multiple rows to be processed at once. (GP-676)
Scripting. Updated the TableChooserDialog to allow clients to set the default column sort. (GP-792)
Scripting. Added Python script comment block support. (GP-843, Issue #1484, #2846)
Scripting. Added ApplyClassFunctionSignatureUpdatesScript and ApplyClassFunctionDefinitionUpdatesScript fix-up scripts that can be applied if a user makes changes to a virtual function recovered by the RecoverClassesFromRTTIScript. Both scripts identify differences between Function Signatures in the Listing and Function Definitions in the Data Type Manager, but the first script fixes all changes to match the signature and the second to match the definition. (GP-973, Issue #3081)
Sleigh. Debug info for Sleigh constructors now includes source file names. (GP-233)
Sleigh. The Sleigh compiler now issues a warning if it generates a temporary varnode which might be large enough to overlap another temporary varnode. (GP-520)
Sleigh. While register names should remain case-sensitive within a Sleigh spec during compilation/parse, register names must not duplicate in a case-insensitive manner since the Program API provides a case-insensitive register lookup by name. The Sleigh Compiler now enforces this. (GP-927)
Bugs
Analysis. Fixed how managed code entry points in .NET binaries with CIL entry points are detected and labeled. (GP-319)
Analysis. Can now process implementation-specific data structures for Microsoft CIL compilers. (GP-461)
Analysis. Corrected processing for pointers, function pointers, custom modifiers, ValueTypes, static methods, MethodRefs, MethodDefs, and PInvokes found in .NET mixed binaries. (GP-656)
Analysis. Improved constant analysis speed when processing large binaries with a large amount of code not in defined functions, such as exception handlers. (GP-746, Issue #2509)
Analysis. When OverlayAddressSpace was refactored and Decompiler made aware of it for Ghidra 9.2, the VarnodeContext was not aware of the overlays. This was fixed and should eliminate the NullPointerException caused when the Symbolic Propagator calls the Varnode constructor. (GP-751, Issue #2785, #2787)
Assembler. Fixed assembler issue with delay-slotted instructions. (GP-587)
Assembler. Fixed assemble Patch Instruction action to work on listings other than the primary static listing. (GP-623)
Assembler. Modified assembler Patch Instruction action to ignore external symbols which produced bad offsets for instructions. (GP-645)
Basic Infrastructure. Fixed an issue with Ghidra and its supporting launch scripts not being able to run correctly on Windows when an ampersand was in the path. Also fixed an issue with svrAdmin.bat and buildGhidraJar.bat not working if the Ghidra path contained a space. (GP-693, Issue #1726, #1728)
Basic Infrastructure. Corrected "LaunchSupport expected 2 to 4 arguments but got 1" error when starting Ghidra on Windows. (GP-1050, Issue #2176, #3122)
Build. Building of pdb.exe on Windows now works if the path to the Ghidra repository contains a space. (GP-916, Issue #2998)
Build. Corrected GPL DMG module build to properly utilize the jar dependencies included within the repository and distribution. (GP-934)
Build. Corrected an issue with gradle prepDev when the Ghidra repository is on a different drive than the user's home directory on Windows OS. (GP-970, Issue #3047, #3062)
Build. Fixed a bug that prevented Ghidra from launching in Single Jar Mode when its path contained a space. (GP-1039)
C Parsing. The C-Parser bitfield parsing has been relaxed to allow declared bitfield sizes to exceed the base datatype size. The effective bitfield size may be clamped based upon the current data organization while preserving the declared size. (GP-558)
Data Types. Fixed a NullPointerException that occurred when trying to edit a function datatype in a datatype archive when there was no open program in the tool. (GP-356, Issue #2407)
Data Types. Corrected the retention of datatype archive search paths, which did not properly remember disabled paths. (GP-639)
Data Types. Fixed potential deadlock encountered when working with the DataTypes tree. (GP-774, Issue #2832)
Decompiler. Fixed endianness issue for joined, two-register returns of longlong values for MIPS 32-bit little endian variants. (GP-513)
Decompiler. The Decompiler no longer emits comments in the middle of conditional expressions. (GP-621, Issue #1670)
Decompiler. Fixed Redefinition of structure... exceptions in the Decompiler caused by a PNG Image and other opaque datatypes. (GP-820, Issue #2734)
Decompiler. Fixed infinite loop in the Decompiler when analyzing return values. (GP-821, Issue #2851)
Decompiler. Fixed bug in the Decompiler's handling of enumerated datatypes causing Shared type id exceptions. (GP-895, Issue #2909)
DWARF. Fixed and consolidated DEX and DWARF implementations of LEB128. (GP-444, Issue #2512)
DWARF. Fixed unnecessary ELF header parsing when DWARF analyzer checks if it needs to run. Improved DWARF analyzer's run-once logic. (GP-695)
DWARF. Fixed issue with DWARF data type importing that could omit the definition of a structure. (GP-929)
Eclipse Integration. Fixed a GhidraDev bug that prevented Ghidra projects from recognizing extensions installed in the user's ~/.ghidra/.ghidra_<version>/Extensions directory. (GP-873)
Extensions. Changed classpath configuration to not contain paths of removed extension libraries. (GP-522, Issue #2637)
FileSystems. Fixed several issues with extracting and importing DYLIB files contained within a DYLD file system. (GP-719, Issue #2934, #682)
FileSystems. Fixed SevenZipFileSystem to correctly fail when opening password-protected archives. (GP-730)
FileSystems. Fixed Ext4 file system to correctly handle sparse files. (GP-871)
Graphing. Fixed IllegalArgumentException when showing a graph popup window after the source component was hidden. (GP-756, Issue #1643)
Graphing. Fixed bug that caused all addresses in a function graph node to be colored when only the entry point address had a color applied. (GP-757, Issue #1080)
Graphing. Fixed bug in graph dominance algorithm that could cause the Select -> Scoped Flow actions to go into an infinite loop. (GP-776, Issue #2836)
GUI. Fixed UI lock-up issue related to the Function Tags table. (GP-266, Issue #2366)
GUI. Fixed missing spaces in Front End multi-line log messages. (GP-463, Issue #2534)
GUI. Fixed the following modal dialog issues: z-order changing when showing a modal dialog over a detached window; focusing the incorrect window after showing a modal dialog; script progress dialog not getting placed behind input dialog; script dialogs appearing over different windows. (GP-628, Issue #2398, #2480)
GUI. Fixed NullPointerException encountered when creating a new category in the Data Types tree while the tree is filtered. (GP-745, Issue #2799)
GUI. Fixed Right Alt key that did not work for Ghidra actions on some Windows systems. (GP-747, Issue #2008)
GUI. Fixed Function Graph bug that caused some vertex text to get clipped when using wide address format width. (GP-755, Issue #1008)
GUI. Fixed bug in the Listing scroll bar that caused some screen reader software to deadlock. (GP-772, Issue #2820)
GUI. Fixed bug that caused the UI to freeze when clicking in the Program Tree UI. The bug manifested depending upon the contents of the system clipboard. (GP-775)
GUI. Updated tooltip code to limit data types name length and updated formatting to place pertinent information at the top of the tooltip. (GP-836, Issue #2029)
GUI. Fixed exception triggered when the Bookmarks table failed to remove a deleted symbol. (GP-989, Issue #3066)
GUI. Fixed exception encountered when double-clicking a structure in an archive in the closed for edit state. (GP-998)
GUI. Fixed Function Graph stack trace encountered when changing the graph's background color option after showing and then closing the graph. (GP-1013, Issue #3058)
Importer:ELF. Added support for additional PIC30 ELF relocations (4, 5, 6) and improved register symbol resolution and markup. (GP-710, Issue #2792)
Importer:ELF. Changed processing of ELF absolute symbols (section ID 0xfff1) to treat them as constants by defining equates instead of memory symbols. (GP-902)
Importer:ELF. Corrected EXTERNAL symbol alignment for PIC24, PIC30, PIC33 during ELF import. The improperly aligned symbol addresses would cause incorrect external symbol references to appear on instructions (e.g., RCALL). (GP-906)
Importer:PE. Fixed error when importing a PE file with an uninitialized .textbss section. (GP-397, Issue #2496)
Importer:PE. Fixed a bug processing RUNTIME_INFO structures that caused a failure to load PE files under certain conditions when the list is empty. (GP-924, Issue #2995)
Importer:PE. Fixed an issue in the PeLoader that prevented PE files with 0 data directories from being imported. (GP-997, Issue #2858)
Installation. Renamed database db.Record class to db.DBRecord to avoid naming conflict with java.lang.Record class and potential import issues. (GP-193)
Jython. Fixed pasting multi-line strings into the Python interpreter panel. (GP-487, Issue #2456)
Listing. A default thunk function now reflects the namespace of the thunked function similar to the way it reflects its name. This change also allows thunk functions of a this_call to have the correct this pointer parameter. Symbol table queries based upon name and/or namespace will always exclude default thunk functions. (GP-17)
Listing. Fixed #US table processing to correctly interpret the string as UTF-16LE for CIL binaries. (GP-318)
Listing. Fixed a sporadic listing operand hover stacktrace bug. (GP-987)
PDB. Escaped more character strings in MSDIA pdb.exe XML output. (GP-578, Issue #1690)
Processors. Fixed various issues pertaining to x86 instruction prefixes. (GP-220, Issue #2286, #2297)
Processors. Refactored PPC interrupt returns to include return pcode statement. (GP-703)
Processors. Fixed issue with ARM VMRS instruction parsing in thumb. (GP-735, Issue #2750)
Processors. Corrected issue with M68000 floating point dynamic k-factor instruction semantics. (GP-736, Issue #2754)
Processors. Fixed instruction semantics for x86 MOVUPS instruction. (GP-744, Issue #2789)
Processors. Simplified SuperH div1 instruction. Corrected several SuperH instructions to set flags properly around the delay slot. (GP-753, Issue #2863, #2864)
Processors. Corrected issue with ARM co-processor registers and the MCR instruction. (GP-761, Issue #2451)
Processors. Fixed issue with x86 INSx.rep and OUTSx.rep pcode ordering. (GP-766, Issue #2829)
Processors. Corrected addresses for PIC24 TBLPAG and PSVPAG registers. (GP-798, Issue #2844, #2855)
Processors. Corrected decoding of some MODR/M opcode bytes in x86. (GP-800, Issue #2504)
Processors. Updated 8085 processor definition to disassemble XRA HL instruction. (GP-818, Issue #2447)
Processors. Corrected missing optional rex.w prefix for x86 conditional jump instructions. (GP-837, Issue #1163)
Processors. Added CALLW, ASRF, LSLF, and LSRF instructions to PIC16 language. (GP-841, Issue #1362)
Processors. Fixed ARM Thumb instructions which update the status flags to now correctly append an s to the instruction mnemonic. (GP-881)
Processors. Made corrections to wr instruction for SPARC which in some cases did not write to the appropriate ASR register. (GP-928)
Processors. Corrected issue with x86-64 CALL and RET instructions with 0x67 prefix pushing/popping the wrong address size from the stack. (GP-954, Issue #2976)
Processors. Fixed issue with delay slots modifying some instructions in SuperH processor. (GP-969, Issue #2863)
Processors. Corrected pcode for x86-64 RDMSR instruction. (GP-982, Issue #3046)
Processors. Corrected size of 20-bit signed immediate value in PPC VLE e_li instruction. (GP-1060)
Scripting. Fixed scripting bug where showing a TableChooserDialog while having AnalysisMode.DISABLED in use caused the dialog to be closed. (GP-1018, Issue #3103)
Sleigh. Fixed multiple errors in x64 vector operation semantics. (GP-799)

Official site: https://ghidra-sre.org
Official Git: https://github.com/NationalSecurityAgency/ghidra
Download links (mainland China):
Link: https://pan.baidu.com/s/12YNmEBZI7ZqVq_bIVbcjXA
Extraction code: rncp
https://down.52pojie.cn/Tools/Di ... PUBLIC_20210621.zip
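Latest replies (9)
  • mokson 2021-6-22
    #2
    Ghidra is a software reverse engineering (SRE) suite developed by the research directorate of the U.S. National Security Agency (NSA). It is an SRE framework that includes a full-featured set of high-end software analysis tools, enabling users to analyze compiled code on a variety of platforms, including Windows, Mac OS and Linux. Capabilities include disassembly, assembly, decompilation, graphing and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats, and can be run in both user-interactive and automated modes. Users can also develop their own Ghidra plugins and scripts using the exposed API.
  • yiwozhutou 2021-6-22
    #3
    Seeing an expert put up a post like this, I'm shedding tears of shame and honestly don't know what to say. All I can do is drop to my knees. I need to study hard. I remember someone once saying this is a really impressive piece of software from the Americans. Damn.
  • 毁我容颜 2021-6-22
    #4
    Thanks for sharing.
  • Cai_LC 2021-6-22
    #5
    Many thanks to the expert for sharing.
  • 兲下人 2021-6-22
    #6
    Many thanks for sharing.
  • tanhaibigg 2021-6-22
    #7
    Bookmarking this first, in case I can use it someday. Many thanks for sharing.
  • third1979 2021-6-22
    #8
    Too specialized, I can't follow it, but thanks for sharing anyway.
  • yixuezhuihan 2021-6-22
    #9
    mokson posted on 2021-6-22 08:03
    Ghidra is a software reverse engineering (SRE) suite developed by the research directorate of the U.S. National Security Agency (NSA); it is a software reverse engineering (SRE) framework ...

    Thanks for clearing that up.
  • longbbyl 2021-6-22
    #10
    Too specialized. Thanks for sharing.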