Updated ChangeHistory and WhatsNew for 10.0

This commit is contained in:
ghidra1 2021-06-17 16:46:40 -04:00
parent 82c8ba1a1c
commit 51254872ba
2 changed files with 63 additions and 330 deletions

View file

@ -7,13 +7,14 @@
<BODY>
<H1 align="center">Ghidra 10.0 BETA Change History (May 2021)</H1>
<H1 align="center">Ghidra 10.0 Change History (June 2021)</H1>
<blockquote><p><u>New Features</u></p>
<ul>
<li><I>Debugger</I>. Introduced the Debugger, along with GDB and dbgeng.dll connectors for debugging user-mode applications on Linux and Windows, respectively. The UI includes threads, timeline, modules, memory, registers, watches, etc., for examining and controlling debug targets. See <B>Help -> Contents -> What's New</B> for more details. (GP-986)</li>
<li><I>Exporter</I>. Added new exporters that write programs imported with the PE and ELF loaders back to their original file layout. Any file-backed bytes that were modified by the user in the program database will be reflected in the written file (except on relocations). Writing back a modified Memory Map is not supported. (GP-786, Issue #1501, #1505, #19)</li>
<li><I>Exporter</I>. For programs imported with the PE and ELF loaders, new exporters are available that write back to the original file layout. Any file-backed bytes that were modified by the user in the program database will be reflected in the written file (except on relocations). Writing back a modified Memory Map is not supported. (GP-786, Issue #1501, #1505, #19)</li>
<li><I>Graphing</I>. Added <B>Graph -> Data </B> actions to the Code Browser, allowing visualization of specified pointer relationships in a graph. (GP-194)</li>
<li><I>Scripting</I>. Added prototype RecoverClassesFromRTTIScript and that uses RTTI information to enhance Ghidra's knowledge of class hierarchy, class member function types (constructors, destructors, deleting destructors, clones) and class member data. The script will label and put member functions into correct class namespace and apply new class structures created either using PDB information, if available, or Decompiler pcode information. (GP-339)</li>
<li><I>Scripting</I>. Added an example script, LocateMemoryAddressForFileOffset, to demonstrate mapping of a location in the original imported file to the program memory address. Useful for cases where the original file offset is known; for example, a YARA rule match. (GP-782)</li>
<li><I>Scripting</I>. Created a script to allow users to search for image base offsets to the current cursor location in 32-bit and 64-bit programs. (GP-863)</li>
</ul>
</blockquote>
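Review bot: the stray "and" in the GP-339 entry ("Added prototype RecoverClassesFromRTTIScript and that uses RTTI information") survives as unchanged context in this hunk; since the neighbouring Exporter entry is being reworded anyway, drop it ("Added prototype RecoverClassesFromRTTIScript, which uses RTTI information ..."). The reworded Exporter entry also keeps the ambiguous "(except on relocations)"; say plainly that bytes altered by relocation processing during import are written back in their original form, which is what the What's New text touched later in this commit states ("Bytes that are part of the import process such as relocations or modified Memory Maps are not currently handled").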
@ -32,11 +33,12 @@
<li><I>Build</I>. Command <code><B>gradle -I gradle/support/fetchDependencies.gradle init</B></code> now downloads the Function ID datasets from the ghidra-data GitHub repository so they will be automatically included in development mode and custom builds. (GP-678, Issue #1007)</li>
<li><I>Build</I>. Performing a <code><B>gradle clean</B></code> no longer deletes downloaded dependencies. The top-level <B>flatRepo</B> directory has been replaced with the <B>dependencies</B> directory. (GP-811, Issue #1663)</li>
<li><I>Build</I>. Ghidra now requires Gradle 6.0 or later to build. Gradle 7.x is now supported. (GP-849, Issue #2949)</li>
<li><I>Build</I>. Made changes to gradle code to remove warnings. (GP-993, Issue #3039)</li>
<li><I>Data Types</I>. Added support for hexadecimal byte offset display within composite bitfield view. (GP-910, Issue #2959)</li>
<li><I>Decompiler</I>. Decompiler analysis now automatically identifies and displays loop variables using standard for-loop syntax. When a loop variable is discovered, a condition, iteration, and optional initializer statement are displayed at the top of the loop. (GP-565)</li>
<li><I>Decompiler</I>. Added the <B>Max Instructions per Function</B> Decompiler tool option, specifying the maximum number of instructions the Decompiler will decode in a single function before throwing an exception. Previously this, had been a hard-coded limit. (GP-767, Issue #2557)</li>
<li><I>Decompiler</I>. Added the <B>Max Instructions per Function</B> Decompiler tool option, specifying the maximum number of instructions the Decompiler will decode in a single function before throwing an exception. Previously, this had been a hard-coded limit. (GP-767, Issue #2557)</li>
<li><I>Decompiler</I>. The Decompiler now propagates datatypes across signed comparison operations, so constant integer and enum values display correctly. (GP-802, Issue #2565)</li>
<li><I>Demangler</I>. Updated the Gnu Demangler Analyzer options to provide a list of available formats from which to choose. (GP-94, Issue #2214)</li>
<li><I>Demangler</I>. Updated the GNU Demangler Analyzer options to provide a list of available formats from which to choose. (GP-94, Issue #2214)</li>
<li><I>Demangler</I>. Updated the GNU Demangler's Namespace-building to improve analysis performance. (GP-706, Issue #2509)</li>
<li><I>Demangler</I>. Improved Demangler error checking and reporting to give underlying cause of failure. (GP-850)</li>
<li><I>Documentation</I>. Added basic instructions on how to install, build, and develop Ghidra to README.md. (GP-847)</li>
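Review bot: the "Gnu" to "GNU" correction is applied to the GP-94 entry, but the GP-706 entry right below it still reads "GNU Demangler's Namespace-building"; lowercase "namespace-building" so the two lines match. The GP-993 entry ("Made changes to gradle code to remove warnings") does not say which warnings; if these were deprecation warnings surfaced by the Gradle 7.x support in the GP-849 entry above it, say so, otherwise the line tells a custom-build maintainer nothing.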
@ -55,8 +57,9 @@
<li><I>Graphing</I>. Updated Function Graph edge routing when applying the <B>Use Condensed Layout</B> option to reduce edges being clipped by vertices. (GP-768)</li>
<li><I>Graphing</I>. Added option to disable the lightening of edges in the Function Graph. (GP-769, Issue #1106)</li>
<li><I>Graphing</I>. Added a distinct visual edge highlight beyond just a different color for graph edge selection. (GP-793, Issue #2953)</li>
<li><I>Graphing</I>. Added <B>Display as Graph</B> action to the Datatype Manager, allowing visualization of embedded and referenced types of the selected type(s). (GP-808)</li>
<li><I>Graphing</I>. Fixed function graph bug that prevented the satellite view from showing the primary view lens. Fixed a layout bug that allowed from some vertices to get clipped when condensing the graph. (GP-940)</li>
<li><I>Graphing</I>. Added <B>Display as Graph</B> action to the Data Type Manager, allowing visualization of embedded and referenced types of the selected types. (GP-808)</li>
<li><I>Graphing</I>. Fixed function graph bug that prevented the satellite view from showing the primary view lens. Fixed a layout bug that allowed some vertices to get clipped when condensing the graph. (GP-940)</li>
<li><I>Graphing</I>. Added graph API method to set descriptions (tooltips) on vertices and edges. (GP-949)</li>
<li><I>Graphing</I>. Added Vertex and Edge attributes to GraphML export format. (GP-957, Issue #2958)</li>
<li><I>GUI</I>. Added new <B>Copy Special</B> actions: <B>Python Byte String</B>, <B>Python List</B>, and <B>C Array</B>. (GP-210, Issue #744)</li>
<li><I>GUI</I>. Updated the Listing to allow structure members to display Plate Comments. (GP-421, Issue #2091)</li>
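Review bot: "Datatype Manager" is correctly expanded to "Data Type Manager" here (the tool's name), but the GP-356 and GP-895 rewrites later in this file go the opposite way and collapse "data type" into "datatype". Settle on one spelling for the generic noun, which the file currently uses both ways, and keep the proper name "Data Type Manager" as two words everywhere.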
@ -64,20 +67,23 @@
<li><I>GUI</I>. Added right-click menu <B>Data -> Save Image</B> action to allow user to export embedded graphic resource images. (GP-426)</li>
<li><I>GUI</I>. Changed Symbol Comment Annotation to use the existing symbol when available. This allows for the direct navigation of that symbol's address instead of using the search feature of the Go To Service. (GP-675)</li>
<li><I>GUI</I>. Added the <B>Shift-F10</B> keybinding to allow users to show the popup context menu over the currently focused item. The Menu Key can also be used on supporting keyboards. (GP-732, Issue #2790)</li>
<li><I>GUI</I>. Fixed/Improved the behavior of global menu items and toolbar items with respect to which windows they appear in. These actions can now easily be configured to be either 1) only in menu bar and tool bar of the main window, 2) in the menu bar and tool bar of all windows, or 3) only the windows that have components that generate the type of context that the action consumes. Added methods to the ActionBuilder class to support these three options. Also, updated numerous actions to make sure they appear in the appropriate windows. (GP-759)</li>
<li><I>GUI</I>. Fixed/Improved the behavior of global menu items and toolbar items with respect to which windows they appear in. These actions can now easily be configured to be either 1) only in menu bar and tool bar of the main window, 2) in the menu bar and tool bar of all windows, or 3) only in the windows that have components that generate the type of context that the action consumes. Added methods to the ActionBuilder class to support these three options. Also, updated numerous actions to make sure they appear in the appropriate windows. (GP-759)</li>
<li><I>GUI</I>. Improved overall UI responsiveness when performing analysis with the Symbol Table open. (GP-788)</li>
<li><I>GUI</I>. Updated the Function Tags table column so that it may be used in most Ghidra tables. (GP-816, Issue #2873)</li>
<li><I>GUI</I>. Updated the Defined Strings view to reload less frequently during auto-analysis. (GP-835, Issue #2889)</li>
<li><I>GUI</I>. Updated function hovering in the Decompiler to find the correct function tooltip when multiple functions exist with the same name. (GP-959, Issue #2604)</li>
<li><I>Importer:ELF</I>. Added markup to ELF import for <code>.note.gnu.build-id</code> and <code>.gnu_debuglink</code> sections. (GP-468)</li>
<li><I>Importer:ELF</I>. Added ELF import support for SHN_MIPS_TEXT and SHN_MIPS_DATA symbol section index values and provided ability for other processor-specific ELF extensions to resolve ELF symbol memory addresses. (GP-664)</li>
<li><I>Importer:ELF</I>. Changed various ELF relocations to detect and mark unsupported data relocations which refer to the EXTERNAL block. Applied EXTERNAL data relocations, which have a non-zero offset from the external symbol, will still be incorrect but will have an error bookmark to flag the condition. The relocation addend will not be applied in this case to avoid references to a completely irrelevant symbol in the EXTERNAL block. (GP-1029)</li>
<li><I>Importer:Mach-O</I>. Improved support for Mach-O object files. (GP-700)</li>
<li><I>Importer:PE</I>. CustomAttrib blobs in CLI/.NET metadata are now decoded. (GP-414)</li>
<li><I>Importer:PE</I>. Created proper external references for PE Delay Load Imports. (GP-674, Issue #2554, #2623)</li>
<li><I>Importer:PE</I>. PeLoader can now read and interpret the <code>.pdata</code> section of PE files that include exception handling data. (GP-729)</li>
<li><I>Importer:PE</I>. Added <B>.exports</B> XML files for the <B>mfc71.dll</B> and <B>mfc71u.dll</B> libraries. Having them allows Ghidra to translate ordinal imports from applications compiled against MFC 7.1 (from Visual Studio .NET 2003) to class and function names with parameters. (GP-1010, Issue #3051)</li>
<li><I>Listing</I>. Improved Listing view performance, especially noticeable on functions with excessively large stack frames. (GP-268, Issue #109, #2351)</li>
<li><I>Listing</I>. Added a tool option to hide function auto-comments that appear, trailing a function call in the Listing. (GP-752)</li>
<li><I>PDB</I>. Improved Ghidra's ability to find and pull PDB files from symbol servers and symbol storage locations. (GP-42)</li>
<li><I>Processors</I>. Simplified PIC24 return instruction semantics. (GP-647)</li>
<li><I>Processors</I>. Added support for register alias specification within processor spec (*.pspec). Added <code>WREG</code> register aliases for PIC24 processor variants. (GP-901, Issue #2956)</li>
<li><I>Processors</I>. Fixed issue with the <code>PPAGE</code> register not being properly restored after <code>CALL</code> instructions in the HCS12 processor. (GP-920, Issue #1099)</li>
<li><I>Processors</I>. Fixed HCS12 <code>IDX1</code> addressing with negative immediate values. (GP-937, Issue #3008)</li>
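Review bot: the GP-752 entry kept as context has a stray comma ("hide function auto-comments that appear, trailing a function call"); read "that trail a function call". While the GP-759 wording is being tightened, the GP-1029 entry deserves the same pass: "will still be incorrect but will have an error bookmark" is the caveat that matters to anyone trusting EXTERNAL references in an ELF import, so lead with the fact that such relocations are now flagged rather than silently applied, then explain that the addend is deliberately not applied.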
@ -87,8 +93,10 @@
<li><I>Scripting</I>. Improved TableChooserDialog, allowing multiple rows to be processed at once. (GP-676)</li>
<li><I>Scripting</I>. Updated the TableChooserDialog to allow clients to set the default column sort. (GP-792)</li>
<li><I>Scripting</I>. Added Python script comment block support. (GP-843, Issue #1484, #2846)</li>
<li><I>Scripting</I>. Added ApplyClassFunctionSignatureUpdatesScript and ApplyClassFunctionDefinitionUpdatesScript fix-up scripts that can be applied if a user makes changes to a virtual function recovered by the RecoverClassesFromRTTIScript. Both scripts identify differences between Function Signatures in the Listing and Function Definitions in the Data Type Manager, but the first script fixes all changes to match the signature and the second to match the definition. (GP-973, Issue #3081)</li>
<li><I>Sleigh</I>. Debug info for Sleigh constructors now includes source file names. (GP-233)</li>
<li><I>Sleigh</I>. The Sleigh compiler now issues a warning if it generates a temporary varnode which might be large enough to overlap another temporary varnode. (GP-520)</li>
<li><I>Sleigh</I>. While register names should remain case-sensitive within a Sleigh spec during compilation/parse, register names must not duplicate in a case-insensitive manner since the Program API provides a case-insensitive register lookup by name. The Sleigh Compiler now enforces this. (GP-927)</li>
</ul>
</blockquote>
<blockquote><p><u>Bugs</u></p>
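Review bot: the new GP-973 entry leaves the direction of each fix-up ambiguous: "the first script fixes all changes to match the signature and the second to match the definition" never says what gets rewritten. If the script names describe which side the user edited, state it explicitly, e.g. ApplyClassFunctionSignatureUpdatesScript updates the Function Definitions in the Data Type Manager to match the Listing signatures, and ApplyClassFunctionDefinitionUpdatesScript updates the Listing signatures to match the Function Definitions. The same sentence is repeated verbatim in the WhatsNew.html change in this commit, so fix both places.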
@ -102,17 +110,20 @@
<li><I>Assembler</I>. Fixed assemble <B>Patch Instruction</B> action to work on listings other than the primary static listing. (GP-623)</li>
<li><I>Assembler</I>. Modified assembler <B>Patch Instruction</B> action to ignore external symbols which produced bad offsets for instructions. (GP-645)</li>
<li><I>Basic Infrastructure</I>. Fixed an issue with Ghidra and its supporting launch scripts not being able to run correctly on Windows when an ampersand was in the path. Also fixed an issue with <B>svrAdmin.bat</B> and <B>buildGhidraJar.bat</B> not working if the Ghidra path contained a space. (GP-693, Issue #1726, #1728)</li>
<li><I>Basic Infrastructure</I>. Corrected <I>"LaunchSupport expected 2 to 4 arguments but got 1" </I> error when starting Ghidra on Windows. (GP-1050, Issue #2176, #3122)</li>
<li><I>Build</I>. Building of <B>pdb.exe</B> on Windows now works if the path to the Ghidra repository contains a space. (GP-916, Issue #2998)</li>
<li><I>Build</I>. Corrected GPL DMG module build to properly utilize the jar dependencies included within the repository and distribution. (GP-934)</li>
<li><I>Build</I>. Corrected an issue with <code><B>gradle prepDev</B></code> when the Ghidra repository is on a different drive than the user's home directory on Windows OS. (GP-970, Issue #3047, #3062)</li>
<li><I>Build</I>. Fixed a bug that prevented Ghidra from launching in <B>Single Jar Mode</B> when its path contained a space. (GP-1039)</li>
<li><I>C Parsing</I>. The C-Parser bitfield parsing has been relaxed to allow declared bitfield sizes to exceed the base datatype size. The effective bitfield size may be clamped based upon the current data organization while preserving the declared size. (GP-558)</li>
<li><I>Data Types</I>. Fixed a NullPointerException that occurred when trying to edit a function data type in a data type archive when there was no open program in the tool. (GP-356, Issue #2407)</li>
<li><I>Data Types</I>. Fixed a NullPointerException that occurred when trying to edit a function datatype in a datatype archive when there was no open program in the tool. (GP-356, Issue #2407)</li>
<li><I>Data Types</I>. Corrected the retention of datatype archive search paths, which did not properly remember disabled paths. (GP-639)</li>
<li><I>Data Types</I>. Fixed potential deadlock encountered when working with the DataTypes tree. (GP-774, Issue #2832)</li>
<li><I>Decompiler</I>. Fixed endianess issue for joined, two-register returns of <code>longlong</code> values for MIPS 32-bit little endian variants. (GP-513)</li>
<li><I>Decompiler</I>. The Decompiler no longer emits comments in the middle of conditional expressions. (GP-621, Issue #1670)</li>
<li><I>Decompiler</I>. Fixed <code>Redefinition of structure ...</code> exceptions in the Decompiler caused by a PNG Image and other opaque datatypes. (GP-820, Issue #2734)</li>
<li><I>Decompiler</I>. Fixed <code>Redefinition of structure...</code> exceptions in the Decompiler caused by a PNG Image and other opaque datatypes. (GP-820, Issue #2734)</li>
<li><I>Decompiler</I>. Fixed infinite loop in the Decompiler when analyzing return values. (GP-821, Issue #2851)</li>
<li><I>Decompiler</I>. Fixed bug in the Decompiler's handling of enumerated data types causing <code>Shared type id</code> exceptions. (GP-895, Issue #2909)</li>
<li><I>Decompiler</I>. Fixed bug in the Decompiler's handling of enumerated datatypes causing <code>Shared type id</code> exceptions. (GP-895, Issue #2909)</li>
<li><I>DWARF</I>. Fixed and consolidated DEX and DWARF implementations of LEB128. (GP-444, Issue #2512)</li>
<li><I>DWARF</I>. Fixed unnecessary ELF header parsing when DWARF analyzer checks if it needs to run. Improved DWARF analyzer's run-once logic. (GP-695)</li>
<li><I>DWARF</I>. Fixed issue with DWARF data type importing that could omit the definition of a structure. (GP-929)</li>
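Review bot: "endianess" in the GP-513 entry ("Fixed endianess issue for joined, two-register returns") is misspelled; "endianness". This hunk already rewrites the adjacent GP-356, GP-820 and GP-895 entries, so fold that typo fix in too rather than leaving it as context.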
@ -132,13 +143,19 @@
<li><I>GUI</I>. Fixed Function Graph bug that caused some vertex text to get clipped when using wide address format width. (GP-755, Issue #1008)</li>
<li><I>GUI</I>. Fixed bug in the Listing scroll bar that caused some screen reader software to deadlock. (GP-772, Issue #2820)</li>
<li><I>GUI</I>. Fixed bug that caused the UI to freeze when clicking in the Program Tree UI. The bug manifested depending upon the contents of the system clipboard. (GP-775)</li>
<li><I>GUI</I>. Updated tooltip code to limit data types name length and updated formatting to place pertinent information at the top of the tooltip. (GP-836, Issue #2029)</li>
<li><I>GUI</I>. Fixed exception triggered when the Bookmarks table failed to remove a deleted symbol. (GP-989, Issue #3066)</li>
<li><I>GUI</I>. Fixed exception encountered when double-clicking a structure in an archive in the <code><B>closed for edit</B></code> state. (GP-998)</li>
<li><I>GUI</I>. Fixed Function Graph stack trace encountered when changing the graph's background color option after showing and then closing the graph. (GP-1013, Issue #3058)</li>
<li><I>Importer:ELF</I>. Added support for additional PIC30 ELF relocations (4, 5, 6) and improved register symbol resolution and markup. (GP-710, Issue #2792)</li>
<li><I>Importer:ELF</I>. Changed processing of ELF absolute symbols (section ID 0xfff1) to treat them as constants by defining equates instead of memory symbols. (GP-902)</li>
<li><I>Importer:ELF</I>. Corrected EXTERNAL symbol alignment for PIC24, PIC30, PIC33 during ELF import. The improperly aligned symbol addresses would cause incorrect external symbol references to appear on instructions (e.g., <code>RCALL</code>). (GP-906)</li>
<li><I>Importer:PE</I>. Fixed error when importing a PE file with an uninitialized <code>.textbss</code> section. (GP-397, Issue #2496)</li>
<li><I>Importer:PE</I>. Fixed a bug processing RUNTIME_INFO structures that caused a failure to load PE files under certain conditions when the list is empty. (GP-924, Issue #2995)</li>
<li><I>Importer:PE</I>. Fixed an issue in the PeLoader that prevented PE files with 0 data directories from being imported. (GP-997, Issue #2858)</li>
<li><I>Installation</I>. Renamed database <code>db.Record</code> class to <code>db.DBRecord</code> to avoid naming conflict with <code>java.lang.Record</code> class and potential import issues. (GP-193)</li>
<li><I>Jython</I>. Fixed pasting multi-line strings into the Python interpreter panel. (GP-487, Issue #2456)</li>
<li><I>Listing</I>. A default thunk function now reflects the <B>namespace</B> of the thunked function similar to the way it reflects its <B>name</B>. This change also allows thunk functions of a <code>this_call</code> to have the correct <code>this</code> pointer parameter. Symbol table queries based upon name and/or namespace will always exclude default thunk functions. (GP-17)</li>
<li><I>Listing</I>. Fixed #US table processing to correctly interpret the string as UTF-16LE for CIL binaries. (GP-318)</li>
<li><I>Listing</I>. Fixed a sporadic listing operand hover stacktrace bug. (GP-987)</li>
<li><I>PDB</I>. Escaped more character strings in MSDIA pdb.exe XML output. (GP-578, Issue #1690)</li>
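Review bot: the GP-193 entry is filed under "Installation" in the Bugs section, but renaming db.Record to db.DBRecord is a breaking API change for any script or extension that imports db.Record, not an installation fix. Move it under an API or Basic Infrastructure heading, and since the What's New fine print already warns that 10.0 programs and archives are unreadable by older releases, add a line there telling extension authors to update the import. The GP-318 entry ("Fixed #US table processing to correctly interpret the string as UTF-16LE for CIL binaries") likewise reads as Importer:PE rather than Listing.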
@ -147,7 +164,7 @@
<li><I>Processors</I>. Fixed issue with ARM <code>VMRS</code> instruction parsing in thumb. (GP-735, Issue #2750)</li>
<li><I>Processors</I>. Corrected issue with M68000 floating point dynamic k-factor instruction semantics. (GP-736, Issue #2754)</li>
<li><I>Processors</I>. Fixed instruction semantics for x86 <code>MOVUPS</code> instruction. (GP-744, Issue #2789)</li>
<li><I>Processors</I>. Simplified SuperH <code>div1</code> instruction. (GP-753, Issue #2864)</li>
<li><I>Processors</I>. Simplified SuperH <code>div1</code> instruction. Corrected several SuperH instructions to set flags properly around the delay slot. (GP-753, Issue #2863, #2864)</li>
<li><I>Processors</I>. Corrected issue with ARM co-processor registers and the <code>MCR</code> instruction. (GP-761, Issue #2451)</li>
<li><I>Processors</I>. Fixed issued with x86 <code>INSx.rep</code> and <code>OUTSx.rep</code> pcode ordering. (GP-766, Issue #2829)</li>
<li><I>Processors</I>. Corrected addresses for PIC24 <code>TBLPAG</code> and <code>PSVPAG</code> registers. (GP-798, Issue #2844, #2855)</li>
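Review bot: "Fixed issued with x86 INSx.rep and OUTSx.rep pcode ordering" (GP-766) should read "Fixed issue with". Also, Issue #2863 is folded into the GP-753 SuperH entry here ("Corrected several SuperH instructions to set flags properly around the delay slot"), while a separate GP-969 entry further down still cites #2863 for the same delay-slot problem; if that entry is retained the fix is listed twice under different GP numbers, so drop one or have the GP-753 text point at GP-969.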
@ -155,7 +172,13 @@
<li><I>Processors</I>. Updated 8085 processor definition to disassemble <code>XRA HL</code> instruction. (GP-818, Issue #2447)</li>
<li><I>Processors</I>. Corrected missing optional <code>rex.w</code> prefix for x86 conditional jump instructions. (GP-837, Issue #1163)</li>
<li><I>Processors</I>. Added <code>CALLW</code>, <code>ASRF</code>, <code>LSLF</code>, and <code>LSRF</code> instructions to PIC16 language. (GP-841, Issue #1362)</li>
<li><I>Processors</I>. Fixed ARM Thumb instructions which update the status flags to now correctly append an <code><B>s</B></code> to the instruction mnemonic. (GP-881)</li>
<li><I>Processors</I>. Made corrections to <code>wr</code> instruction for SPARC which in some cases did not write to the appropriate ASR register. (GP-928)</li>
<li><I>Processors</I>. Corrected issue with x86-64 <code>CALL</code> and <code>RET</code> instructions with <code>0x67</code> prefix pushing/popping the wrong address size from the stack. (GP-954, Issue #2976)</li>
<li><I>Processors</I>. Fixed issue with delay slots modifying some instructions in SuperH processor. (GP-969, Issue #2863)</li>
<li><I>Processors</I>. Corrected pcode for x86-64 <code>RDMSR</code> instruction. (GP-982, Issue #3046)</li>
<li><I>Processors</I>. Corrected size of 20-bit signed immediate value in PPC VLE <code>e_li</code> instruction. (GP-1060)</li>
<li><I>Scripting</I>. Fixed scripting bug where showing a TableChooserDialog while having <code><B>AnalysisMode.DISABLED</B></code> in use caused the dialog to be closed. (GP-1018, Issue #3103)</li>
<li><I>Sleigh</I>. Fixed multiple errors in x64 vector operation semantics. (GP-799)</li>
</ul>
</blockquote>
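Review bot: the new GP-881 entry ("now correctly append an s to the instruction mnemonic") changes disassembly text, so any user tooling, script or signature that matched on the old Thumb mnemonics for flag-setting instructions will see different mnemonics after upgrading; a sentence saying so belongs here or in the fine print. The GP-799 entry ("Fixed multiple errors in x64 vector operation semantics") names no instructions; an emulation or decompiler user cannot tell from it whether a result they relied on has changed, so list at least the affected instruction families.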

View file

@ -6,8 +6,9 @@
<STYLE type="text/css" name="text/css">
li { font-family:times new roman; font-size:14pt; font-family:times new roman; font-size:14pt; margin-bottom: 8px; }
h1 { color:#000080; font-family:times new roman; font-size:28pt; font-style:italic; font-weight:bold; text-align:center; color:#000080; font-family:times new roman; }
h2 { padding-top:20px; color:#984c4c; font-family:times new roman; color:#984c4c; font-family:times new roman; font-size:18pt; font-weight:bold; }
h2 { padding-top:10px; color:#984c4c; font-family:times new roman; color:#984c4c; font-family:times new roman; font-size:18pt; font-weight:bold; }
h3 { margin-left:40px; padding-top:10px; font-family:times new roman; font-family:times new roman; font-size:14pt; font-weight:bold; }
h4 { margin-left:40px; padding-top:10px; font-family:times new roman; font-family:times new roman; font-size:14pt; font-weight:bold; }
p { margin-left:40px; font-family:times new roman; font-size:14pt; }
table, th, td { border: 1px solid black; border-collapse: collapse; font-size:10pt; }
td { font-family:times new roman; font-size:14pt; padding-left:10px; padding-right:10px; text-align:left; vertical-align:top; }
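Review bot: the h2 rule being edited declares color and font-family twice, and the li, h1, h3 and h4 rules carry the same duplicated declarations (font-family twice, font-size twice); since the line is being touched anyway, collapse each rule to one declaration per property. The <STYLE> tag also carries a meaningless name="text/css" alongside type="text/css"; drop the name attribute.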
@ -42,16 +43,23 @@
</P>
<H1> What's new in Ghidra 10.0 beta</H1>
<H1> What's new in Ghidra 10.0</H1>
<H2> <a id="finePrint10"/>The not-so-fine print: Please Read!</H2>
<P>Ghidra 10.0 is fully backward compatible with project data from previous releases. However, programs and data type archives
which are created or modified in 10.0 will not be useable by an earlier Ghidra version.</P>
<P>This release includes many new features and capabilities, performance improvements, quite a few bug fixes, and many pull-request
contributions. Thanks to all those who have contributed their time, thoughts, and code. The Ghidra user community
thanks you too!</P>
<P>NOTE: Ghidra Server: The Ghidra 10.0 server is compatible with Ghidra 9.2 and later Ghidra clients. Ghidra 10.0
clients are compatible with all 9.x servers.</P>
<H2>Ghidra 10.0 Final Release<H2>
<P>We anticipate pushing out the final Ghidra 10.0 release sometime towards mid to end of June 2021. We appreciate any feedback you can provide, especially in any
new feature areas such as the debugger, and thanks for all your contributions and feedback you've already given!<P>
<H2>Debugger</H2>
<P>With the release of Ghidra 10.0-BETA, we are excited to officially introduce our new Debugger. It is still geared primarily for user-mode application debugging on Linux and Windows;
<P>With the release of Ghidra 10.0, we are excited to officially introduce our new Debugger. It is still geared primarily for user-mode application debugging on Linux and Windows;
however, you may find its components usable in other scenarios. To get started, please Ghidra Functionality / Debugger / Getting Started in the Help. For most, it is as easy as importing
your program, opening it with the Debugger tool, and clicking the "bug" icon in the main toolbar. The Debugger's features include:</P>
<BLOCKQUOTE><UL>
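Review bot: <a id="finePrint10"/> inside the H2 is a self-closing anchor, which HTML does not allow for <a>; browsers treat it as an unclosed <a> and swallow the following content into it, so "The not-so-fine print: Please Read!" can render as link text. Write <a id="finePrint10"></a> (the 9.2 section being removed in this commit has the same finePrint92 pattern). Two wording fixes in the unchanged context: "useable" should be "usable", and "please Ghidra Functionality / Debugger / Getting Started in the Help" is missing its verb ("please see ...").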
@ -64,7 +72,7 @@
<li>NOTE: We do <em>not</em> currently plan to support Trace database upgrades in future releases</li>
</UL></BLOCKQUOTE>
<li>Sharing of Trace databases via a Ghidra server</li>
<li>Sharing of Trace databases via a Ghidra Server</li>
<li>Time-travel(-like) exploration and annotation of Trace databases.</li>
<BLOCKQUOTE><UL>
<li>Includes capture of memory and register values over time</li>
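Review bot: the retained bullet "We do not currently plan to support Trace database upgrades in future releases" is a compatibility caveat that belongs in the not-so-fine print, next to the statement that 10.0 programs and archives cannot be read by older releases: a team sharing traces via a Ghidra Server (the bullet being capitalised here) needs to know those traces may not open in a later release. Also, the "Time-travel(-like)" bullet ends with a period while its neighbours do not.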
@ -219,7 +227,6 @@
We'd like to devise something more cogent, perhaps allowing queries or establishing visual cues to identify interesting points in time.
</P>
</BLOCKQUOTE>
<BR />
<H2>User-defined Compiler Specification Extensions</H2>
@ -234,31 +241,27 @@
<P>Prior releases only provided compiler specifications statically via <B>.cspec</B> files in the distribution. The new extensions
are stored as part of the Program and can be added or adjusted dynamically as users build up their understanding.
Extensions can be added from the <B>Specification Extensions</B> tab under the <I>Options</I> dialog for the Program.</P>
<BR />
<H2>Prototype Class Recovery From RTTI</H2>
<P>A new prototype script <B>RecoverClassesFromRTTIScript</B> which recovers class information using RTTI structures has been added.
The script recovers class hierarchy, inheritance types, constructors and destructors, class data types, and more. If available, PDB information
is used to help fill in class structures with known names and types for class member data. If PDB is unavailable, the decompiler structure
recovery is utilized to populate class data structure members.</P>
<P>Things to consider when using this script:</P>
<BLOCKQUOTE><UL>
<P> NOTE: As this is a prototype script, the location, names, layout of data types, and default virtual function names created by this script are
likely to change in the future once an official design for Object Oriented representation is determined.<P>
<P>NOTE: Windows class recovery is fairly complete and tested, however GCC class recovery is still in early development.</P>
<P>NOTE: For best results, run this script on freshly imported and analyzed programs. No testing has been done on programs previously imported with pre-existing user mark-up.</P>
<LI>As this is a prototype script, the location, names, layout of data types, and default virtual function names created by this script are
likely to change in the future once an official design for Object Oriented representation is determined.</LI>
<LI>Windows class recovery is fairly complete and tested, however GCC class recovery is still in early development.</LI>
<LI>For best results, run this script on freshly imported and analyzed programs. No testing has been done on programs previously imported with pre-existing user mark-up.</LI>
</UL></BLOCKQUOTE>
<P>Two related scripts have been added, ApplyClassFunctionSignatureUpdatesScript and ApplyClassFunctionDefinitionUpdatesScript, which are fix-up scripts that can be applied if a user
makes changes to a virtual function recovered by the RecoverClassesFromRTTIScript. Both scripts identify differences between Function Signatures in the
<P>Two related scripts have been added, <B>ApplyClassFunctionSignatureUpdatesScript</B> and <B>ApplyClassFunctionDefinitionUpdatesScript</B>, which are fix-up scripts that can be applied if a user
makes changes to a virtual function recovered by the <B>RecoverClassesFromRTTIScript</B>. Both scripts identify differences between Function Signatures in the
Listing and Function Definitions in the Data Type Manager, but the first script fixes all changes to match the signature and the second to match the definition. NOTE: These
scripts are a temporary measure until an underlying connection between function signatures and their associated function definition can be implemented in the Ghidra API.</P>
<BR />
<H2>PDB Symbol Server</H2
<H2>PDB Symbol Server</H2>
<P>Managing and applying PDB files has a much improved GUI, including support for multiple symbol server locations.</P>
<BR />
<H2>Saved Analysis Options Configuration</H2>
<P>Analysis options configurations can be saved by name and quickly changed using a new feature in the Analysis configuration menu. The
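Review bot: the three NOTE paragraphs are rightly turned into list items, but the paragraph that follows still carries an inline "NOTE: These scripts are a temporary measure ..."; move that caveat into the same bulleted list so all the RTTI-script limitations sit together. "decompiler structure recovery" should be "Decompiler" to match the rest of the page. The fix-up script sentence is as ambiguous here as in ChangeHistory.html ("the first script fixes all changes to match the signature and the second to match the definition"); say which side each script rewrites. The PDB Symbol Server section is a single sentence; since symbol servers fetch files over the network, at least say where the server list is configured and whether remote and local storage locations are both supported, as the GP-42 entry ("symbol servers and symbol storage locations") implies.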
@ -274,9 +277,7 @@
to other defined data or code using the Graph->Data menu.<P>
<P>A new favored edge and associated layout has been added for hierarchical graphs. This edge can help closely align graph nodes that should
be arranged more closely to a neighboring node, for example the node from a fall-thru edge should be arranged closer than from a branching edge.<P>
<BR />
be arranged more closely to a neighboring node, for example the node from a fall-thru edge should be arranged closer than from a branching edge.<P>
<H2>Structure/Union Changes</H2>
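Review bot: both paragraphs in this hunk are closed with <P> instead of </P> ("... using the Graph->Data menu.<P>" and "... closer than from a branching edge.<P>"), and the Final Release paragraph removed earlier in this commit had the same defect. Since the hunk only deletes a <BR />, fix the closing tags while here, and write "Graph -> Data" as the ChangeHistory entry does.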
@ -295,7 +296,7 @@
is enabled it is important that the component datatypes emit the correct alignment to ensure proper
placement during packing.</P>
<P>The <B>align</B> setting may know be used when packing is disabled with the composite adopting
<P>The <B>align</B> setting may now be used when packing is disabled with the composite adopting
the specified alignment. The default alignment for a non-packed composite is <B>1</B> which is consistent
with the current behavior in Ghidra 9.x.</P>
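Review bot: "know" to "now" is right, but the next sentence, "The default alignment for a non-packed composite is 1 which is consistent with the current behavior in Ghidra 9.x", now reads wrong in a 10.0 release note: "current" should be "previous" (or simply "the behavior in Ghidra 9.x"), and a comma is needed before "which".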
@ -422,301 +423,10 @@
Any file-backed bytes that were modified by the user in the program database will be reflected in the written file.
Bytes that are part of the import process such as relocations or modified Memory Maps are not currently handled.</P>
<H2>
<H2>Bug Fixes and Enhancements</H2>
<P> Numerous other bug fixes and improvements are fully listed in the <a href="ChangeHistory.html">ChangeHistory</a> file.</P>
<H2>Bug Fixes and Enhancements</H2>
<P> Numerous other bug fixes and improvements are fully listed in the <a href="ChangeHistory.html">ChangeHistory</a> file.</P>
<BR />
<H1> What's New in Ghidra 9.2</H1>
<H2> <a id="finePrint92"/>The not-so-fine print: Please Read!</H2>
<P>Ghidra 9.2 is fully backward compatible with project data from previous releases. However, programs opened in 9.2 may no
longer be accessible by an earlier Ghidra version if the processor model has been updated. A processor version
number mismatch error is displayed if this occurs. In almost all cases, it is better to use the latest version than to
attempt to use both Ghidra 9.2 and a previous release, unless absolutely necessary.</P>
<P>This release includes many new features and capabilities, performance improvements, quite a few bug fixes, and many pull-request
contributions. Thanks to all those who have contributed their time, thoughts, and code. The Ghidra user community
thanks you too!</P>
<P>NOTE: Ghidra Server: The Ghidra 9.0 server is compatible with Ghidra 9.x clients, however starting with 9.1 the server
requires clients to use a TLS secure connection for the initial RMI registry port access.
If the Ghidra multi-user server is upgraded to 9.2, then all clients must
upgrade to 9.2. A 9.x Ghidra client will fall back to a non-TLS connection when accessing the RMI Registry on
a 9.0 server. Note that all other server interaction including authentication were and continue to be
performed over a secure TLS connection.</P>
<P>Minor Note: FIDB Files: If a processors instruction implementation has changed significantly, any generated .fidb files using that
processor definition may need to be regenerated.
Changes that could require regeneration include, change in instruction size, number of operands, the nature of
the operands, changes in register decoding for an operand. The x86-64bit has had such changes, for example there were
changes to the decoded register for many instructions with prefix byte overrides. All the provided .fidb files have
been regenerated, and new ones for VS 2017/2019 have been added.</P>
<P>Minor Note: SLA Files: Ghidra-compiled .sla files are not always backwards compatible due to changes in the underlying .sla
specification. In the prebuilt Ghidra, all .sla files are rebuilt from scratch. However if you have local processor modules,
or are building Ghidra from scratch, you may need to do a clean build. Any processor modules with changes are normally recompiled
at Ghidra startup so this situation is rare.</P>
<P>Minor Note: AARCH64 Long: The size of a <b>long</b> on the AARCH64 has been changed from 4-bytes to 8-bytes in the data organization within the
compiler specification. This change could have ramifications in existing AARCH64 programs using a <b>long</b> within data structures or
custom storage of function parameters (dynamic storage should not be an issue). An included script <i><b>FixupCompositeDataTypesScript</b></i>
can be run on programs, only with <i>exclusive checkout</i> in Multi-User, where the datatype sizes for <b>long</b> has changed. This general script can be used
whenever a program's base datatypes have changed in the compiler specification, which should be rare occurrence.</P>
<H2>Open Source Based Graphing</H2>
<P>Ghidra has been integrated with an open source graph visualization package, called JUNGGRAPHT, to display interactive
block graphs, call graphs, AST control flow graphs, as well as a general API to create graphs within plug-ins and scripts.
Prior to initial public release, graphing had been provided by a legacy graphing package which was unreleasable publicly due to
licensing issues.</P>
<P>Graphs are displayed in a new tabbed graph window. Current location and selection of vertices are kept in sync with other
information displays such as the listing and decompiler. Each graph can be filtered and visualized with various
layout algorithms to examine the program structure. In addition, Graphs can be exported in several standard graph formats, such as
CSV, GRAPHML, GML, JSON, and VISIO. The exported file can then be imported into external tools.</P>
<P>The graphing capability is implemented by a general service mechanism allowing other graph providers to be implemented
to support a favorite graphing tool, however, users will most likely be satisfied with the new default implementation.
There will be follow up capabilities such as graph specific popup actions on the the nodes and edges that can be added by
the creator of the graph before display. As in everything, the Ghidra team is interested in any feedback you might provide
on this new capability.</P>
<H2>JAVA based Universal PDB Reader/Analzyer/Loader</H2>
<P>Added a new platform-independent PDB Reader/Analyzer/Loader that has the ability to process
raw PDB files and apply extracted information to a program. Written in Java, PDBs can be utilized on any supported
platform, not just on Windows as in prior Ghidra versions. PDBs can be applied during analysis
or by loading and applying the PDB before analysis. Information from PDBs can be force-loaded into a program
with a mismatched PDB signature, which is very useful for extracting datatypes to be used with the
program from a PDB related to that program. Loading the PDB utilizes a new underlying Universal
Reader API.</P>
<P>The PDB Reader and Analyzer capabilities are an evolutionary development and are expected to be
expanded in future releases. We expect to improve this feature over time, adding to its capabilities
and fixing bugs. If the new PDB Analyzer causes issues, you can turn it off and use the original PDB Analyzer.</P>
<H2>Dynamic Modules: OSGI model for scripting</H2>
<P>A change to scripting brings a powerful form of dynamic extensibility to Ghidra scripting, where Java source code is (re)compiled, loaded, and
run without exiting Ghidra. When a script grows large or requires external dependencies, it might be worth the effort to split
up code into modules. To support modularity while preserving the dynamic nature of scripts, Ghidra uses OSGi. The new feature
provides better script change detection, external jar dependencies, script lifecycle management, and modularity.</P>
<P>To find out more, bring up Help contents in Ghidra, and search for OSGi or Bundles.</P>
<H2>Decompiler</H2>
<P>There have been numerous changes to the decompiler addressing quality, readability, and usability. Decompilation has been improved by:
<ul style="padding-left:80px">
<li>Fewer Casts - The decompiler can better recognize lower precision operations performed with bigger registers, allowing it to eliminate
extraneous casts and concatenations.</li>
<li>Better Strings - All the alternate string formats and encodings recognized by Ghidra are now displayed properly by the decompiler,
and string references contained inside larger strings are better recognized</li>
<li>Controllable Namespace Info - Namespace information, as configured by the user, can now be displayed as part of rendering symbols in decompiler output.
The default minimal display configuration will print only the minimal number of path
elements necessary to uniquely resolve the symbol within the current scope.</li>
<li>Arrays - Analysis of array expressions in the decompiler has improved, simplifying many new optimized array access forms.</li>
</P>
</ul>
<P>The decompiler GUI as also been enhanced with the addition of multiple highlights of varying color, called secondary highlights. In addition,
the Decompiler's Auto Create/Fill Structure commands incorporate datatype information from function prototypes
and will override undefined or more general datatypes with discovered datatypes that are more specific.</P>
<P>There is rewritten more comprehensive Decompiler documentation too!</P>
<H2>Performance Improvements</H2>
<P>There have been major performance improvements in both analysis and the display or filtering of information within GUI components.
These changes are most notable on large binaries, with reports of improvements from 24 plus hours to under an hour for analysis. Some operations
were done very inefficiently such that the end user might give up on analysis. Please report if you notice any severe performance issues
or binaries that take a large amount of time to process. If you can find an example binary that is easily obtainable that reproduces
the issue, the root cause can be identified and hopefully improved. There are some continued sore performance areas we are still working
such as the non-returning function analyzer. We hope you will find the binary analysis speed and interactivity much improved.</P>
<P>Some specific areas of improvement are binaries with rich datatype information, RTTI information, exception records, large number
of bytes, large number of defined symbols, and many symbols at a single address.</P>
<H2>Function Identification Improvements</H2>
<P>Function Identification databases have been recreated from scratch, including new information for Visual Studio 2017 and 2019 libraries.
The databases have been cleaned and should overall result in more matches with fewer mis-matched or multiple matches for identified functions.
In addition the FID libraries had to be rebuilt from scratch due to errors or differences in instruction set decode (especially in the 64-bit X86)
with prior versions of Ghidra. The FID is sensitive to the actual instruction bytes, the mnemonic, register, and number of operands.</P>
<P>There are several new improvements that have been identified that will be added in a future release. Until then to get an even better increased
positive match rate, turn on the <i>Shared Return Calls Analyzer</i> option <i>Assume Contiguous Functions Only</i>, and possibly <i>Allow Conditional Jumps</i>.
For normal clean non-heavily optimized, non-malware or obfuscated binaries, these options should cause few issues.</P>
<H2>Symbol Demangling</H2>
<P>Both GNU and Microsoft symbol demangling has been greatly improved resulting in fewer unmangled symbols with better function signature recovery.</P>
<H2>Processor Models</H2>
<P>Several new processor specifications have been added, from very old processors to more recent: CP1600, M6809, M8C, RISC-V, V850.</P>
<P>Note: the Elan EM78xxx just missed the 9.2 cutoff, but should appear shortly.</P>
<P>Many improvements and bug fixes have been made to existing processor
specifications: ARM, AARCH64, AVR8, CRC16C, PIC24/30, SH2, SH4, TriCore, X86, XGATE,
6502, 68K, 6805, M6809, 8051, and others. Of note, the AARCH64 has been updated to support all v8.6 spec instructions.
Many improvements have been contributed by the Ghidra
community, while others were discovered and fixed using a currently internal tool which automates fuzzing
of individual instructions against an external emulator or debugger. We hope to put the tool
out in a near term future release.</P>
<H2>Processor Specification</H2>
<P>Minor changes have been made to the build process of the Sleigh Editor. For those trying to build it from scratch the
instructions are a little clearer and should work correctly. In addition the new POPCOUNT operator is supported.
For those modifying or studying sleigh processor specifications, who were unaware of the Sleigh Editor, we encourage
you to give it a try. We suggest you install/run the Sleigh Editor in a separate Eclipse installation, possibly the Eclipse
you use with the Ghidra runtime, from the one you are using with the entire Ghidra source code base imported.
To find out more read the <i>GhidraSleighEditor_README.html</i>.</P>
<P>The External Disassembler is a plug-in useful when developing or trouble-shooting sleigh processor specifications. It is part of
the Xtra SleighDevTools project. The plug-in integrates with an external disassembler such as binutils, and provides a code browser
field that displays the disassembly from an external disassembler, such as bintutils, at each instruction or undefined byte in the listing.
The only external disassembler integration provided is binutils, however it is possible to add support for additional external disassemblers.
Previously the External Disassembler had trouble with instruction sets which have an alternate mode set of instruction
such as Thumb or MicroMips. The working aide field has new configuration files to feed different options to the external disassembler
to choose the correct alternate encoding set. This also works well with several scripts that also aide in processor development such as
the <i>CompareSleighExternal</i> script.</P>
<P>A new p-code operation POPCOUNT is supported in sleigh processor specifications. POPCOUNT was mainly added to deal with instructions
that needed to compute the parity of an operation.
In addition, the Sleigh compiler error messages have been reworked to be more comprehensible, consistent in format layout, and to provide
correct line numbers as close to the error as possible. In addition, several cases have been caught during compilation that previously would
pass compilation but cause issues during use of the processor.</P>
<H2>Dynamic Analysis Framework - Debugger</H2>
<P>The debugger is very much still in progress. You may have seen some commits, in the Ghidra GitHub master branch, to get in sync with the debugger.
Stay tuned for more on the Dynamic Analysis Framework soon after the 9.2 release.</P>
<H2>Bug Fixes and Enhancements</H2>
<P> Numerous other bug fixes and improvements are fully listed in the <a href="ChangeHistory.html">ChangeHistory</a> file.</P>
<BR />
<H1> What's New in Ghidra 9.1</H1>
<H2> <a id="finePrint91"/>The not so fine print: Please Read!</H2>
<P>Minor Note: Ghidra compiled .sla files are not backwards compatible due to the newly added OTHER space for syscalls
support. In the prebuilt Ghidra all .sla files are rebuilt from scratch. However if you have local processor modules,
or are building Ghidra from scratch, you may need to do a clean build. You will get an error if an old .sla file is loaded
without recompilation of the .slaspec file. Any processor modules with changes are normally recompiled at Ghidra startup
so this situation is rare.</P>
<H2>Data Improvements</H2>
<P>Bitfields within structures are now supported as a Ghidra datatype. Bitfield definitions
can come from PDB, DWARF, parsed header files, and can also be created within the structure
editor. All Datatype archives delivered with Ghidra have been reparsed to capture bitfield
information. In addition, compiler bitfield allocation schemes have been carefully implemented.
Full support for bitfield references within the decompiler is planned for a future
release.</P>
<P>In support of creating bitfields within structures, a new bitfield editor within the
structure editor has been added. The Bitfield Editor includes a visual depiction of the
datatype byte layout and the associated bits. The BitField Editor simplifies the creation
of bitfields within a structure.</P>
<H2>System Calls</H2>
<P>Ghidra now supports overriding indirect calls, CALLOTHER p-code ops, and conditional jumps via new overriding references.
These references can be used to achieve correct decompilation of syscall-like instructions. A new script,
ResolveX86orX64LinuxSyscallsScript, has been provided as part of this initial implementation.
Future releases will automatically identify and apply system calls for other operating systems and versions.</P>
<P>To support system calls, the decompiler follows references into OTHER address space overlays.
This allows users to create address spaces on the fly without worrying about conflicts with existing spaces.
For example, instructions with a unique calling
convention can be properly handled by adding a reference to a custom function signature.</P>
<H2>Processor Specification</H2>
<P>A new set of tools designed to make processor specifications easier to create, modify, and validate
have been added. The tools consist of a context sensitive Sleigh file editor, a p-code validation
framework, an external disassembler field, and several scripts to make development easier.
The Sleigh editor is a plug-in for Eclipse and provides modern editor features such as syntax coloring,
hover, navigation, code formatting, validation, reference finding, and error
navigation. The test suite emulates the p-code to automatically
validate the instructions most commonly used by the compiler for that processor.</P>
<H2>iOS DYLD and Macho Format</H2>
<P>DYLD shared cache images, extracted from an iOS image, can now be imported in their entirety.
A DYLD's embedded DYLIB's are split into memory blocks, greatly enhancing follow-on analysis.
Internal Macho headers are retained and marked up similarly to ELF and PE files, which includes
tracking the origin of the program bytes from the initial import binary.</P>
<H2>Ghidra Server</H2>
<P>The Ghidra server now requires the client to use a TLS secure connection for the initial RMI registry port access.
Previously, TLS was used for all remote object interactions and data transfers on the two other ports. This change will
now ensure that all connections to the Ghidra Server utilize TLS.
As noted above a 9.1 clients can connect to a 9.0 or 9.1 server, while clients prior to 9.1 will be unable to
connect to a 9.1 server.</P>
<P>The Ghidra server has two additional authentication methods, Active Directory using
Kerberos and Pluggable Authentication Modules (PAM) using JAAS. To utilize these new
methods you must configure the server.conf file and use either -a1 for windows authentication
or -a4 along with -jaas. The JAAS mode will require setup of an additional configuration file (jaas.conf).</P>
<H2>Import</H2>
<P>When importing files, the origin of all imported bytes can be tracked back to their offset
within the original binary source. This change lays the ground work for exporting back to the
original file after modifying the bytes. There are programmer API methods to get the bytes either
from the memory block or the underlying original source bytes. To see the original bytes a memory
block can be mapped onto the original filebytes. The source of each memory block within the memory
map is shown in a new Byte Source column. When hovering on the bytes in the program listing, the
origin of the bytes at that address are displayed.</P>
<H2>Decompiler</H2>
<P>The decompiler now implements a more detailed analysis of local variables on the
stack. This change resolves many problems with disappearing
structure initialization and incorrect dead code removal. </P>
<P>The decompiler now generates fewer duplicate assignments. For example, repeated assignment of
the same value to a variable in two branches will now appear
before either branch is taken.</P>
<P>In addition the decompiler now recognizes more optimization patterns used
by compilers for signed division, resulting in simplified decompilation.</P>
<P>AARCH64-based binary decompilation will be cleaner due to better handling of
zero extensions into larger registers. This improves data flow analysis and
primarily affects functions using floating point Neon instructions.</P>
<P>Renaming a parameter in the decompiler will no longer commit the
datatypes of all parameters, allowing datatypes
to continue to "float" without getting locked into a potentially
incorrect initial datatype. In addition, the cumbersome warning dialog
for renaming and retyping has been removed, improving your RE workflow.</P>
<H2>Languages</H2>
<P>There are many new processor specifications including SuperH4, MCS-96,
HCS12X/XGATE, HCS08, and user-contributed specifications for MCS-48,
SuperH1/2a, and Tricore.</P>
<P>The 16-bit x86 processor specification has been reworked to include
protected mode addressing, which the NE loader now uses by default. Handling of
segmented or paged memory has been updated to use a newer scheme, hiding its
complications from decompilation results. The implementation handles the HCS12X paging scheme as well.</P>
<P>Many improvements and bug fixes have been made to existing processor
specifications: ARM, AARCH64, PIC, 68K, MIPS, PPC, JVM, Sparc, AVR8,
8051, 6502, and others.</P>
<H2>Bug Fixes and Enhancements</H2>
<P> Numerous other bug fixes and improvements are fully listed in the <a href="ChangeHistory.html">ChangeHistory</a> file.</P>
<BR />
<H1>What's New in Ghidra 9.0</H1>
<H2>Ghidra Released to the Public!</H2>
<P>In case you missed it, in March 2019, a public version of Ghidra was released for the first time. Soon after,
the full buildable source was made available as an open source project on the NSA GitHub page. The response from the Ghidra
Open Source community has been overwhelmingly positive. We welcome contributions from GitHub including bug fixes,
requests, scripts, processor modules, and plug-ins. </P>
<H2> Bug Fixes and Enhancements</H2>
<P> Bug fixes and improvements for 9.0.x are listed in the
<a href="ChangeHistory.html">Change History</a> file.</P>
<BR>
<P align="center">
<B><a href="https://www.nsa.gov/ghidra"> https://www.nsa.gov/ghidra</a></B>
</P>
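Review bot: dropping the dangling `<H2>` line above the duplicated "Bug Fixes and Enhancements" heading is correct (it opened a heading that was never closed), and the 10.0 section now ends with a single heading and ChangeHistory link. The removal of the 9.2, 9.1 and 9.0 "What's New" sections also deletes the server compatibility guidance that only lived here: the note that a server upgraded to 9.1 or later requires clients to use TLS for the initial RMI registry port access and that pre-9.1 clients cannot connect, and the note that a Ghidra client falls back to a non-TLS registry connection against a 9.0 server. Since that is the one place users learned which client/server pairs talk over TLS, please confirm the 10.0 "not-so-fine print" section or ChangeHistory.html still carries that guidance before this lands. The same applies to the AARCH64 `long` size change and the FixupCompositeDataTypesScript advice, which users upgrading from 9.1-era projects may still need.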