Nixyri/ghidra
1
0
Fork 0
mirror of https://github.com/NationalSecurityAgency/ghidra.git synced 2024-11-24 13:11:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

GP-0 WhatsNew for 11.1 release

Browse Source
This commit is contained in:
emteere 2024-06-03 13:23:48 -04:00 committed by ghidra1
parent 0506ba071a
commit 1090e35df3
1 changed files with 137 additions and 113 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

250
Ghidra/Configurations/Public_Release/src/global/docs/WhatsNew.html
View File

@ -45,148 +45,172 @@
</P>
<hr>
<H1>What's New in Ghidra 11.0</H1>
<H1>What's New in Ghidra 11.1</H1>
<H2>The not-so-fine print: Please Read!</H2>
<P>This release includes new features, enhancements, performance improvements, quite a few bug fixes, and many pull-request
contributions. Thanks to all those who have contributed their time, thoughts, and code. The Ghidra user community thanks you too!</P>
<P>Ghidra 11.0 is fully backward compatible with project data from previous releases.
However, programs and data type archives which are created or modified in 11.0 will not be useable by an earlier Ghidra version. </P>
<P>Ghidra 11.x is fully backward compatible with project data from previous releases.
However, programs and data type archives which are created or modified in 11.x will not be usable by an earlier Ghidra version. </P>
<P>This distribution requires JDK 17 to run, and provides Linux x86-64, Windows x86-64, and macOS x86-64 native components.
If you have another platform or wish to use a newer JDK, please see the
<a href="InstallationGuide.html">Ghidra Installation Guide</a> for additional information.</P>
<P>This distribution requires at minimum JDK 17 to run, but can also run under JDK 21.</P>
<P>NOTE: Ghidra Server: The Ghidra 11.0 server is compatible with Ghidra 9.2 and later Ghidra clients. Ghidra 11.0
<P>NOTE: Each build distribution will include native components (e.g., decompiler) for at least one platform (e.g., Windows x86-64).
If you have another platform that is not included in the build distribution, you can build
native components for your platform directly from the distribution.
See the <a href="InstallationGuide.html">Ghidra Installation Guide</a> for additional information.</P>
<P>IMPORTANT: To use the Debugger, you will need Python3 (3.7 to 3.12 supported) installed on your system.</P>
<P>NOTE: Ghidra Server: The Ghidra 11.x server is compatible with Ghidra 9.2 and later Ghidra clients. Ghidra 11.x
clients are compatible with all 10.x and 9.x servers. Although, due to potential Java version differences, it is recommended
that Ghidra Server installations older than 10.2 be upgraded. Those using 10.2 and newer should not need a server upgrade.</P>
<P>NOTE: Any programs imported with a Ghidra beta version or code built directly from source code outside of a release tag may not be compatible,
and may have flaws that won't be corrected by using this new release. Any programs analyzed from a beta or other local master source build should be considered
experimental and re-imported and analyzed with a release version. Programs imported with previous release versions should upgrade correctly through various
automatic upgrade mechanisms. Any program you will continue to reverse engineer should be imported fresh with a release version or a build you trust with the
latest code fixes.</P>
<H2>BSim </H2>
experimental and re-imported and analyzed with a release version.</P>
<P>A major new feature called BSim has been added. BSim can find structurally similar functions in (potentially large) collections of binaries or object files.
BSim is based on Ghidra's decompiler and can find matches across compilers used, architectures, and/or small changes to source code.</P>
<P>As you've reverse engineered software, you've likely asked the following questions:</P>
<P>Programs imported with previous release versions should upgrade correctly through various
automatic upgrade mechanisms. However, there may be improvements or bug fixes in the import and analysis process that will provide better results than prior
Ghidra versions. You might consider comparing a fresh import of any program you will continue to reverse engineer to see if the latest Ghidra
provides better results.</P>
<H2>Debugger </H2>
<P><span class="gtitle">ATTENTION:</span> Please delete and re-import the default Debugger tool!</P>
<P> We are introducing a new debugger connection system called Trace RMI. This is replacing the older system,
which we are calling the Recorder system.<P>
<P>The most noticeable difference will be a new menu for launching targets. It is very similar to the previous system, but with some key differences:
<UL style="padding-left:100px">
<LI>Which libraries were statically linked into this executable, and possibly what version of the library?</LI>
<LI>Does this executable share some code with another executable that I've analyzed?</LI>
<LI>What are the differences between version 1 and version 2 of a given executable?</LI>
<LI>Does this executable share code with another executable in a large collection of binaries?</LI>
<LI>Was this function pulled from an open-source library?</LI>
<LI>Connection and launching are no longer separated into two different configuration panels. There is one panel to launch your target.
<LI> Ghidra will no longer attempt to launch blindly with defaults. The first time you launch a program, you must select a launcher and configure it.
<LI>After the initial launch you can re-launch with a previous configuration, without requiring a prompt.</LI>
</UL>
<P>BSim is intended to help with these questions (and others) by providing a way to search collections of binaries for similar, but not necessarily identical, functions.</P>
<P>The next most noticeable difference will be the replacement of the Interpreter window with the Terminal window. This is a proper VT-100
terminal emulator, so the experience will be much like, if not identical to, how you'd debug in a plain terminal, except embedded into and integrated with Ghidra.
Some notable improvements that brings:</P>
<UL style="padding-left:100px">
<LI>Tab completion, history, etc., should all work as implemented by the connected debugger's command-line interface.</LI>
<LI>When the target is running, it has proper I/O in that terminal.</LI>
<LI>If connecting goes poorly for some reason, the debugger's command-line interface is likely still operational.</LI>
</UL>
<P>BSim can compare functions within a binary, within a collection of binaries or object files in a project on a local system, or within a large collection of binaries
utilizing a PostgreSQL or an Elasticsearch server. Using BSim locally does not require setting up a PostgreSQL or Elastic server or having administrator access.</P>
<P>There is a BSim tutorial that walks through use of BSim locally. Using BSim locally and the tutorial is the best way to try out BSim before deciding if you need to set up a server.</P>
<H2>GhidraGo </H2>
<P>GhidraGo is an experimental feature that adds integration support for Ghidra URL's and Ghidra Tools. The main use of GhidraGo is embedding hyperlinks within web pages
to pre-ingested programs within a Ghidra multi-user repository. Clicking on the hyperlink causes Ghidra to display the previously ingested program.
No data other than the Ghidra URL is transferred to Ghidra, and no socket is open within Ghidra listening for commands. GhidraGo must be enabled by
installing a plugin in the Ghidra project manager, and must also be configured as a protocol handler in your web browser. GhidraGo is not setup or enabled by default.
For details on setting up GhidraGo, please see the included <span class="gtitle">GhidraGoREADME.html</span> or search for GhidraGo within help.
</P>
<P>You may also notice the replacement of the Debugger Targets window with the Connection Manager window, and the replacement
of the Objects window with the Model window. These are operationally very similar to their previous counterparts.</P>
<P><span class="gtitle">For Power Users:</span> The launchers are just shell scripts on Linux and macOS, and batch files on Windows. We have provided plugins
for integrating with GDB, LLDB, and the Windows Debugger. So long as your target works with one of these debuggers, orchestrating
another kind of target is mostly a matter of creating a new shell script. This is usually accomplished by using the most similar
one as a template and then trying it out in Ghidra. When errors occur, Ghidra will inform you of what progress it made before it
failed, and the Terminal should display any error messages produced by your script.</P>
<P><span class="gtitle">For Developers:</span> Developers may notice that debugger integration is now all done using Python 3.
We have specified a new protocol we call Trace RMI, which provides client access to Ghidra's trace databases over TCP.
It uses protobuf and is substantially simpler than the previous GADP protocol. We have provided the client implementation in
Python 3. Existing integrations can be fairly easily extended, if necessary. For example, see the support for Wine we included in our GDB plugin.</P>
<P>If you wish to integrate a completely new debugger, and it has a Python 3 API, then things are relatively straightforward, so long as
the debugger provides the events and information that Ghidra expects. Use an existing plugin as a template or reference and have fun.
If the new debugger does not have Python 3 bindings, the protobuf specification is available, so the client can be ported, if necessary.</P>
<P><span class="gtitle">IMPORTANT:</span> To use the new Trace RMI system, you will need Python3 (3.7 to 3.12 supported) installed on your system.
Additional setup may be required for each type of debug connection. Press <span class="gtitle">F1</span> in the debug connector's launch dialog
for more information.</P>
<P>Overall, we believe this a substantially more approachable system than our previous DebuggerObjectModel SPI used in the Recorder system.</P>
<H2>GhidraGo </H2>
<P>GhidraGo is an experimental feature that adds integration support for Ghidra URL's and Ghidra Tools. GhidraGO can now process GhidraURL's that
locate folders within a project instead of only programs. For example a remote GhidraURL locating a project folder will open a read only view of
the repository in the front end tool and select the folder from the URL. If the GhidraURL refers to a folder in the currently open
active project, then the folder is selected within the active project's view instead of a read only view.
</P>
<H2>PDB </H2>
<P>The PDB data type processing changes from release 11.0 have been further enhanced, simplifying the processing model and reducing the number of datatype
conflicts. The algorithm for choosing the primary symbol at an address has been improved to provide the richest possible information. The PDB Universal
Analyzer has been split into multiple analyzers so that PDB function processing can follow interim analyzers that specialize in finding code.
Lastly, the Load PDB Task has been improved to schedule appropriate follow-on analyzers that are selected in the Analysis Options.</P>
<H2>Version Tracking </H2>
<P>Auto Version Tracking has been sped up, made customizable, and improved to find more matches. The mechanism to identify good matches from duplicate match
sets has been improved and sped up. Implied matches are now created and will be applied if the vote minimum and conflict maximum limits are met. In addition,
the ability to choose which correlators are run as well as setting the options of most correlators has been added. The Auto Version Tracking script has been
updated to prompt for all options in a single dialog. The script now works in headless mode and an example prescript to allow
setting of options in headless mode is included.</P>
<P>Version Tracking can also use the new BSim function matching capability in a new correlator called the BSim Correlator. Auto Version Tracking does not use the new BSim Correlator yet.</P>
<P> Version Tracking Session files may now be added to a shared project repository. Once a version tracking file has been checked in to a project,
it must be checked out for exclusive access. For more information, see help found in the Version Tracking's
Session Wizard help for more information.<P>
<H2>Function Comparison Window</H2>
<P>The function comparison window, used by Version Tracking and BSim, has been overhauled a bit:
<UL style="padding-left:100px">
<LI>A help topic for Function Comparison has been added.</LI>
<LI>Token matching, scrolling to matches, and difference highlighting is much improved using
an algorithm based on BSim function matching. The colors used for the token matching highlights are configurable.</LI>
<LI>From the comparison window, users can click on called functions that have corresponding matches to bring up a new function comparison window showing those functions.
The action is currently not available within version tracking.</LI>
<LI>The functions can be displayed side by side vertically or horizontally.</LI>
<LI>The function signature from a function in the function comparison window can be applied to include name only, a skeleton signature, or the entire signature
including all referenced data types. Applying only the skeleton function signature can be useful if there is any question of differences in the
data structure composition used by the function signature between the two programs.</LI>
</UL>
<H2>Scripting</H2>
<P>A new multi-option script dialog has been added to the scripting API that can present and get all user inputs a script needs in one dialog.
The <span class="gcode">askValues()</span> scripting method replaces the cumbersome process of prompting the user for each input separately.</P>
<H2>Rust</H2>
<P>NOTE: Prior to adding a pre-existing VT Session to a shared project repository, it is highly recommended that it first be re-opened
and saved. This will upgrade the VT Session internal version to prevent its use with older versions of Ghidra which will not respect
the exclusive checkout requirement.</P>
<P>Initial support for Rust compiled binaries, mainly demangling of Rust method names and Rust in DWARF information, has been added. In addition, Rust strings are marked up so that the
decompiler will display Rust strings correctly. There is more work to do, especially with mapping Rust parameter passing. Custom storage may be required in some instances.</P>
<H2>Mach-O Improvements</H2>
<P>Mach-O support continues to improve, adding support for new features as well as filling in some gaps that existed for several years.
The latest dyld_shared_cache files use a new format for pointer fixups, which Ghidra now supports. A new GFileSystem has also been
implemented to import and/or extract individual Mach-O binaries from Mach-O "file sets" (i.e., kernelcache). A second new GFileSystem
has been added which can extract Apple LZFSE-compressed files. Other improvements have also been made to provide more complete markup of Mach-O load commands.</P>
<H2>Golang</H2>
<P>Golang reverse engineering within Ghidra is much improved by:
<UL style="padding-left:100px">
<LI>A new <span class="gtitle">Golang String Analyzer</span> which finds and marks up Golang strings so they display correctly in the decompiler</LI>
<LI>Type and interface method markup improvements</LI>
<LI>Better function parameter recovery</LI>
<LI>Using package information to organize type and symbol elements into namespaces</LI>
<LI>Using run time type information to override the types of objects that are created by calls to malloc-like built-in functions</LI>
<H2>Swift </H2>
<P>Initial support for binaries written in the Swift Programming Language has been added. The new support relies on the native Swift demangler being
present on the user's system. Swift is automatically bundled with XCode on macOS, and can be optionally installed on Windows and Linux.
See the "Demangler Swift" analyzer options for more information. Type information gathered from the demangled Swift symbol names is used to
create corresponding Ghidra data types. This currently works for Swift primitives and structures, but more work needs to be done to include
classes and other advanced data types. Swift-specific calling conventions are also applied to demangled Swift functions.</P>
<H2>Usability </H2>
<P>There have been many improvements to keyboard only actions and navigation in Ghidra. These changes will be welcome for those who
prefer to use the keyboard as much as possible and those needing better accessibility. Improvements include:</P>
<UL style="padding-left:100px">
<LI>Standard keyboard navigation should now work in most component windows and dialogs. In general, <span class="gtitle">Tab</span> and <span class="gtitle">&ltCTRL&gt Tab</span> will
move focus to the next focusable component and <span class="gtitle">&ltSHIFT&gt Tab</span> and <span class="gtitle">&ltCTRL&gt&ltSHIFT&gt Tab</span> will move to the
previous focusable component. <span class="gtitle">Tab</span> and <span class="gtitle">&ltSHIFT&gt Tab</span> do not always work as some components use those keys internally, but
<span class="gtitle">&ltCTRL&gt Tab,</span> and <span class="gtitle">&ltSHIFT&gt&ltCTRL&gt Tab</span> should work universally.
<LI>Ghidra now provides some convenient keyboard shortcut actions for transferring focus:
<UL style="padding-left:50px">
<LI><span class="gtitle">&ltCTRL&gt F3</span> - Transfers focus to the next window or dialog.</LI>
<LI><span class="gtitle">&ltCTRL&gt&ltSHIFT&gt F3</span> - Transfers focus to the previous window or dialog.</LI>
<LI><span class="gtitle">&ltCTRL&gt J</span> - Transfers focus to the next titled dockable component (titled windows).</LI>
<LI><span class="gtitle"><&ltCTRL&gt&ltSHIFT&gt J</span> - Transfers focus to the previous titled dockable component.</LI>
</UL>
<LI>All actions can now be accessed via a searchable dialog.</LI>
<UL style="padding-left:50px">
<LI>Pressing <span class="gtitle">&ltCTRL&gt 3</span> will bring up the actions dialog with the local toolbar, popup and keyboard actions.</LI>
<LI>Pressing <span class="gtitle">&ltCTRL&gt 3</span> a second time will add in all the global actions. </LI>
<LI>Pressing <span class="gtitle">&ltCTRL&gt 3</span> a third time will add in the disabled actons as well.</LI>
<LI>The actions dialog was specifically designed to be easy to use without a mouse. Typing will filter the actions list and the
arrow keys allow you to select an action and enter will invoke the selected action </LI>
</UL>
</UL>
</P>
<H2>Search for Encoded Strings</H2>
<P>A new action in the Search menu, <span class="gtitle">Search -> For Encoded Strings...</span>, can help find and create strings encoded in alternate character sets and alphabets.
Valid strings are based on runs of bytes that would be valid in a particular character set and alphabet. There are currently no additional models for defining valid words within other languages.</P>
<H2>Import / Export</H2>
<P>The <span class="gtitle">CaRT</span> file format is now supported. The <span class="gtitle">CaRT</span> format is used to store and transfer malware along with metadata about
the malware in a neutered form such that it cannot be executed. It is encrypted so anti-virus software will not flag the file under analysis.</P>
<P>Headless importing of binaries from container files, such as .zip files, with multiple embedded files is now possible. This includes loading referenced .dll and .so files also
found within the container file.</P>
<P>The Headless Analyzer can now recurse into supported GFileSystem container files when a recursion depth of one or more is specified on the command line.</P>
<H2>Mach-O Improvements</H2>
<P>Support for the Mach-O binary file format has continued to receive updates. Improvements have been made to library linking and loading, as well as thunk creation. Additionally, dyld_shared_cache
components extracted from Ghidra's DyldCacheFileSystem can now be added together on-demand with the Add To Program feature. Broken references can be automatically resolved by right-clicking on them
and clicking <span class="gtitle">References -> Add To Program</span>.</P>
<H2>PDB</H2>
<H2>Misc </H2>
<P>The PDB data types processing has been changed to use a resolve-as-you-go model. The change eliminates the dependency graph and reduces the memory footprint required to load all
PDB types. The change allows larger PDB's to load successfully and improves the accuracy of some data types.</P>
<H2>Overlays with Multiple Memory Blocks</H2>
<P> Overlay spaces now support multiple memory blocks in the same overlay. After creating the initial memory
block as an overlay, the new overlay memory space will become available when adding new memory blocks. All overlay memory blocks can
be manipulated in the same way as normal memory blocks. The new feature is useful when analyzing binaries
meant to run on multiple processors with tasks running on each processor in their own overlapped virtual memory space such as an RTOS.</P>
<H2>Processors</H2>
<P>Support for the Loongson processor architecture has been added. All known instructions should disassemble. However semantics for a large number of instructions use pseudoOp calls currently.</P>
<P>Support for the <span class="gtitle">squashfs</span> filesystem has been added.</P>
<P>A new wildcard assembler API has been added that can generate all possible variants of an instruction with a variety of wildcards for operands.
Two new scripts, <span class="gtitle">FindInstructionWithWildcard</span> and <span class="gtitle">WildSleighAssemblerInfo</span>, demonstrate how to use the API.
For more information, see help and search for <span class="gtitle">Wildcard Assembler</span>.
<P>A new <span class="gtitle">Runtime Information</span> dialog has replaced the Show VM Memory dialog. The dialog contains more information
which can aid in debugging, including version information, classpath, defined properties, environment variables, and more.</P>
<P>The GhidraDev Eclipse plugin has a new wizard for importing an existing Ghidra module source directory. This will work best with Ghidra module projects
created against Ghidra 11.1 or later.</P>
<P>Finding references to fields within a structure has been greatly improved. Previously many references to the field would be missed if they occurred within
functions calling external functions using the structure, or when the field was used only in local variables dynamically generated by
the decompiler.</P>
<P>Golang versions 17 thru 22 are now supported.</P>
<P>DWARF5 debug format is now supported. In addition, DWARF line number information processing has been incorporated into the base DWARF analyzer and the
separate DWARF line number analyzer has been removed.</P>
<H2>Additional Bug Fixes and Enhancements</H2>
<P> Numerous other new features, improvements, and bug fixes are fully listed in the <a href="ChangeHistory.html">ChangeHistory</a> file.</P>