mirror of
https://github.com/NationalSecurityAgency/ghidra.git
synced 2024-11-22 04:05:39 +00:00
Updated 9.2 WhatsNew
This commit is contained in:
emteere
parent
a3f599694e
commit
282a030325
@ -53,30 +53,36 @@
|
||||
contributions. Thanks to all those who have contributed their time, thoughts, and code. The Ghidra user community
|
||||
thanks you too!</P>
|
||||
|
||||
<P>NOTE: The Ghidra 9.0 server is compatible with Ghidra 9.x clients, however starting with 9.1 the server
|
||||
<P>NOTE: Ghidra Server: The Ghidra 9.0 server is compatible with Ghidra 9.x clients, however starting with 9.1 the server
|
||||
requires clients to use a TLS secure connection for the initial RMI registry port access.
|
||||
If the Ghidra multi-user server is upgraded to 9.2, then all clients must
|
||||
upgrade to 9.2. A 9.x Ghidra client will fall back to a non-TLS connection when accessing the RMI Registry on
|
||||
a 9.0 server. Note that all other server interaction including authentication were and continue to be
|
||||
performed over a secure TLS connection.</P>
|
||||
|
||||
<P>Minor Note: If a processors instruction implementation has changed significantly, any generated .fidb files using that
|
||||
<P>Minor Note: FIDB Files: If a processors instruction implementation has changed significantly, any generated .fidb files using that
|
||||
processor definition may need to be regenerated.
|
||||
Changes that could require regeneration include, change in instruction size, number of operands, the nature of
|
||||
the operands, changes in register decoding for an operand. The x86-64bit has had such changes, for example there were
|
||||
changes to the decoded register for many instructions with prefix byte overrides. All the provided .fidb files have
|
||||
been regenerated, and new ones for VS 2017/2019 have been added.</P>
|
||||
|
||||
<P>Minor Note: Ghidra-compiled .sla files are not always backwards compatible due to changes in the underlying .sla
|
||||
<P>Minor Note: SLA Files: Ghidra-compiled .sla files are not always backwards compatible due to changes in the underlying .sla
|
||||
specification. In the pre-built ghidra, all .sla files are re-built from scratch. However if you have local processor modules,
|
||||
or are building ghidra from scratch, you may need to do a clean build. Any processor modules with changes are normally recompiled
|
||||
at Ghidra startup so this situation is rare.</P>
|
||||
|
||||
<P>Minor Note: AARCH64 Long: The size of a <b>long</b> on the AARCH64 has been changed from 4-bytes to 8-bytes in the data organization within the
|
||||
compiler specification. This change could have ramifications in existing AARCH64 programs using a <b>long</b> within data structures or
|
||||
custom storage of function parameters (dynamic storage should not be an issue). An included script <i><b>FixupCompositeDataTypesScript</b></i>
|
||||
can be run on programs, only with <i>exclusive checkout</i> in Multi-User, where the datatype sizes for <b>long</b> has changed. This general script can be used
|
||||
whenever a program's base datatypes have changed in the compiler specification, which should be rare occurence.</P>
|
||||
|
||||
|
||||
<H2>Open Source Based Graphing</H2>
|
||||
<P>Ghidra has been integrated with an open source graph visualization package, called JUNGGRAPHT, to display interactive
|
||||
block graphs, call graphs, AST control flow graphs, as well as a general API to create graphs within plugins and scripts.
|
||||
Prior to public release graphing had been provided by a legacy graphing package which was un-releasable publicly due to
|
||||
Prior to initial public release, graphing had been provided by a legacy graphing package which was un-releasable publicly due to
|
||||
licensing issues.</P>
|
||||
|
||||
<P>Graphs are displayed in a new tabbed graph window. Current location and selection of vertices are kept in sync with other
|
||||
@ -84,11 +90,23 @@
|
||||
layout algorithms to examine the program structure. In addition, Graphs can be exported in several standard graph formats, such as
|
||||
CSV, GRAPHML, GML, JSON, and VISIO. The exported file can then be imported into external tools.</P>
|
||||
|
||||
<P>The graphing capability is implemented by a general service mechanism allowing other graph providers to be implemented to support
|
||||
a favorite graphing tool, however, users will most likely be satisfied with the new default implementation.
|
||||
There will be a follow up capabilities such as graph specific popup actions on the the nodes and edges that can be added by
|
||||
<P>The graphing capability is implemented by a general service mechanism allowing other graph providers to be implemented
|
||||
to support a favorite graphing tool, however, users will most likely be satisfied with the new default implementation.
|
||||
There will be follow up capabilities such as graph specific popup actions on the the nodes and edges that can be added by
|
||||
the creator of the graph before display. As in everything, the Ghidra team is interested in any feedback you might provide
|
||||
on this new capability.</P>
|
||||
|
||||
<H2>JAVA based Univeral PDB Reader/Analzyer/Loader</H2>
|
||||
<P>Added a new platform-independent PDB Reader/Analyzer/Loader that has the ability to process
|
||||
raw PDB files and apply extracted information to a program. Written in Java, PDBs can be utilized on any supported
|
||||
platform, not just on Windows as in prior Ghidra versions. PDBs can be applied during analysis
|
||||
or by loading and applying the PDB before analysis. Information from PDBs can be force-loaded into a program
|
||||
with a mismatched PDB signature, which is very useful for extracting data types to be used with the
|
||||
program from a PDB related to that program. Loading the PDB utilizes a new underlying Universal
|
||||
Reader API.</P>
|
||||
<P>The PDB Reader and Analyzer capabilities are an evolutionary development and are expected to be
|
||||
expanded in future releases. We expect to improve this feature over time, adding to its capabilities
|
||||
and fixing bugs. If the new PDB Analyzer causes issues, you can turn it off and use the original PDB Analyzer.</P>
|
||||
|
||||
<H2>Dynamic Modules: OSGI model for scripting</H2>
|
||||
<P>A change to scripting brings a powerful form of dynamic extensibilty to Ghidra scripting, where Java source code is (re)compiled, loaded, and
|
||||
@ -96,25 +114,65 @@
|
||||
up code into modules. To support modularity while preserving the dynamic nature of scripts, Ghidra uses OSGi. The new feature
|
||||
provides better script change detection, external jar dependencies, script lifecycle management, and modularity.</P>
|
||||
<P>To find out more, bring up Help contents in Ghidra, and search for OSGi or Bundles.</P>
|
||||
|
||||
<H2>JAVA based Univeral PDB</H2>
|
||||
<P>Automatically applies. Extract data types. Mismatched PDB's. More to come.</P>
|
||||
<P>Reader API</P>
|
||||
|
||||
|
||||
<H2>Decompiler</H2>
|
||||
<P>There have been numerous changes to the decompiler addressing quality, readability, and usability. Decompilation has been improved by:
|
||||
<ul style="padding-left:80px">
|
||||
<li>Fewer Casts - The decompiler can better recognize lower precision operations performed with bigger registers, allowing it to eliminate
|
||||
extraneous casts and concatenations.</li>
|
||||
<li>Better Strings - All the alternate string formats and encodings recognized by Ghidra are now displayed properly by the decompiler,
|
||||
and string references contained inside larger strings are better recognized</li>
|
||||
<li>Controllable Namespace Info - Namespace information, as configured by the user, can now be displayed as part of rendering symbols in decompiler output.
|
||||
The default minimal display configuration will print only the minimal number of path
|
||||
elements necessary to uniquely resolve the symbol within the current scope.</li>
|
||||
<li>Arrays - Analysis of array expressions in the decompiler has improved, simplifying many new optimized array access forms.</li>
|
||||
</P>
|
||||
</ul>
|
||||
<P>The decompiler GUI as also been enhanced with the addition of multiple highlights of varying color, called secondary highlights. In addition,
|
||||
the Decompiler's Auto Create/Fill Structure commands incorporate data-type information from function prototypes
|
||||
and will override undefined or more general data-types with discovered data-types that are more specific.</P>
|
||||
<P>There is re-writen more comprehensive Decompiler documentation too!</P>
|
||||
|
||||
<H2>Performance Improvements</H2>
|
||||
<P>There have been major performance improvements in both analysis and the display or filtering of information within GUI components.
|
||||
These changes are most notable on large binaries, with reports of improvements from 24 plus hours to under an hour for analysis. Some operations
|
||||
were done very inefficiently such that the end user might give up on analysis. Please report if you notice any severe performance issues
|
||||
or binaries that take a large amount of time to process, if you can find an example binary that is easily obtainable that reproduces
|
||||
the issue we can identify the root cause and hopefully improve it. There are some continued sore performance areas we are still working
|
||||
or binaries that take a large amount of time to process. If you can find an example binary that is easily obtainable that reproduces
|
||||
the issue, the root cause can be identified and hopefully improved. There are some continued sore performance areas we are still working
|
||||
such as the non-returning function analyzer. We hope you will find the binary analysis speed and interactivity much improved.</P>
|
||||
<P>Some specific areas of improvement are binaries with rich data type information, RTTI information, Exception records, large number
|
||||
<P>Some specific areas of improvement are binaries with rich data type information, RTTI information, exception records, large number
|
||||
of bytes, large number of defined symbols, and many symbols at a single address.</P>
|
||||
|
||||
<H2>Function Identification Improvements</H2>
|
||||
|
||||
<P>Function Identification databases have been re-created from scratch, including new information for Visual Studio 2017 and 2019 libraries.
|
||||
The databases have been cleaned and should overall result in more matches with fewer mis-matched or multiple matches for identified functions.
|
||||
In addition the FID libraries had to be rebuilt from scratch due to errors or differences in instruction set decode (especially in the 64-bit X86)
|
||||
with prior versions of Ghidra. The FID is sensitive to the actual instruction bytes, the mnemonic, register, and number of operands.</P>
|
||||
|
||||
<P>There are several new improvements that have been identified that will be added in a future release. Until then to get an even better increased
|
||||
positive match rate, turn on the <i>Shared Return Calls Analyzer</i> option <i>Assume Contiguous Functions Only</i>, and possibly <i>Allow Conditional Jumps</i>.
|
||||
For normal clean non-heavily optimized, non-malware or obfuscated binaries, these options should cause few issues.</P>
|
||||
|
||||
<H2>Symbol Demangling</H2>
|
||||
<P>Both GNU and Microsoft symbol de-mangling has been greatly improved resulting in fewer unmangled symbols with better function signature recovery.</P>
|
||||
|
||||
<H2>Processor Models</H2>
|
||||
<P>Several new processor specifications have been added, from very old processors to more recent: CP1600, M6809, M8C, RISC-V, V850.</P>
|
||||
<P>Note: the Elan EM78xxx just missed the 9.2 cutoff, but should appear shortly.</P>
|
||||
|
||||
<P>Many improvements and bug fixes have been made to existing processor
|
||||
specifications: ARM, AARCH64, AVR8, CRC16C, PIC24/30, SH2, SH4, TriCore, X86, XGATE,
|
||||
6502, 68K, 6805, M6809, 8051, and others. Of note, the AARCH64 has been updated to support all v8.6 spec instructions.
|
||||
Many improvements have been contributed by the Ghidra
|
||||
community, while others were discovered and fixed using a currently internal tool which automates fuzzing
|
||||
of individual instructions against an external emulator or debugger. We hope to put the tool
|
||||
out in a near term future release.</P>
|
||||
|
||||
<H2>Processor Specification</H2>
|
||||
|
||||
<P>Minor changes have been made to the Build process of the Sleigh Editor. For those trying to build it from scratch the
|
||||
instructions are a little clearer and should work correctly. In addition the new popcount operator is supported.
|
||||
<P>Minor changes have been made to the build process of the Sleigh Editor. For those trying to build it from scratch the
|
||||
instructions are a little clearer and should work correctly. In addition the new POPCOUNT operator is supported.
|
||||
For those modifying or studying sleigh processor specifications, who were unaware of the Sleigh Editor, we encourage
|
||||
you to give it a try. We suggest you install/run the Sleigh Editor in a separate Eclipse installation, possibly the Eclipse
|
||||
you use with the Ghidra runtime, from the one you are using with the entire Ghidra source code base imported.
|
||||
@ -124,47 +182,20 @@
|
||||
the Xtra SleighDevTools project. The plugin integrates with an external disassembler such as binutils, and provides a code browser
|
||||
field that displays the disassembly from an external disassembler, such as bintutils, at each instruction or undefined byte in the listing.
|
||||
The only external disassembler integration provided is binutils, however it is possible to add support for additional external disassemblers.
|
||||
Previously the External Disassembler had trouble with instruction sets which have alternate mode set of instruction
|
||||
Previously the External Disassembler had trouble with instruction sets which have an alternate mode set of instruction
|
||||
such as Thumb or MicroMips. The working aide field has new configuration files to feed different options to the external disassembler
|
||||
to choose the correct alternate encoding set. This also works well with several scripts that also aide in processor development such as
|
||||
the <i>CompareSleighExternal</i> script.</P>
|
||||
|
||||
<P>A new pcode operation POPCOUNT is supported in sleigh processor specifications, this was mainly added to deal with instructions
|
||||
<P>A new pCode operation POPCOUNT is supported in sleigh processor specifications. POPCOUNT was mainly added to deal with instructions
|
||||
that needed to compute the parity of an operation.
|
||||
In addition, the Sleigh compiler error messages have been reworked to be more comprehensible, consistent in format layout, and to provide
|
||||
correct line numbers as close to the error as possible. In addition, several cases have been caught during compilation that previously would
|
||||
pass compilation but cause issues during use of the processor.</P>
|
||||
|
||||
<H2>Function Identification Improvements</H2>
|
||||
|
||||
<P>Function Identification databases have been recreated from scratch, including new information for Visual Studio 2017 and 2019 libraries.
|
||||
The databases have been cleaned and should overall result in more matches with fewer mis-matched or multiple matches for identified functions.
|
||||
In addition the FID libraries had to be rebuilt from scratch due to errors or differences in instruction set decode (especially in the 64-bit X86)
|
||||
with prior versions of Ghidra. The FID is sensitive to the actual instruction bytes, the mnemonic, register, and number of operands.</P>
|
||||
|
||||
<P>There are several new improvements that have been identified that will be added in a future release. Until then to get an even better increased
|
||||
positive match rate to turn on the Shared Return Calls Analyzer option Assume Contiguous Functions Only, and possibly Allow Conditional Jumps.
|
||||
For normal cleanly non-heavily optimized, non-malware or obfuscated binaries, these options should cause few issues.</P>
|
||||
|
||||
<H2>Symbol Demangling</H2>
|
||||
<P>Both GNU and Microsoft symbol de-mangling has been greatly improved resulting in fewer unmangled symbols and better function signature recovery.</P>
|
||||
|
||||
<H2>Decompiler</H2>
|
||||
|
||||
<H2>Languages</H2>
|
||||
<P>Several new processor specifications added, from very old processors to more recent: CP1600, M6809, M8C, RISC-V, V850.</P>
|
||||
|
||||
<P>Many improvements and bug fixes have been made to existing processor
|
||||
specifications: ARM, AARCH64, AVR8, CRC16C, PIC24/30, SH2, SH4, TriCore, X86, XGATE,
|
||||
6502, 68K, 6805, M6809, 8051, and others. Of note, the AARCH64 has been updated to support all v8.6 spec instructions.
|
||||
Many of the processor improvements have been contributed by the Ghidra
|
||||
community. Others were discovered and fixed with a currently internal tool which automates fuzzing
|
||||
of individual instructions against an external emulator or debugger. We hope to put the tool
|
||||
out in a near term future release.</P>
|
||||
|
||||
|
||||
<H2>Dynamic Analysis Framework - Debugger</H2>
|
||||
<P>The debugger is very much still in progress. You may have seen some commits, in the Ghidra github master branch, to get in sync with the debugger.
|
||||
Stay tuned for more to come soon after the 9.2 release.</P>
|
||||
<P>The debugger is very much still in progress. You may have seen some commits, in the Ghidra GitHub master branch, to get in sync with the debugger.
|
||||
Stay tuned for more on the Dynamic Analysis Framework soon after the 9.2 release.</P>
|
||||
|
||||
<H2>Bug Fixes and Enhancements</H2>
|
||||
<P> Numerous other bug fixes and improvements are fully listed in the <a href="ChangeHistory.html">ChangeHistory</a> file.</P>
|
||||
@ -290,8 +321,8 @@
|
||||
<H2>Ghidra Released to the Public!</H2>
|
||||
|
||||
<P>In case you missed it, in March 2019, a public version of Ghidra was released for the first time. Soon after,
|
||||
the full buildable source was made available as an open source project on the NSA github page. The response from the Ghidra
|
||||
Open Source community has been overwhelmingly positive. We welcome contributions from github including bug fixes,
|
||||
the full buildable source was made available as an open source project on the NSA GitHub page. The response from the Ghidra
|
||||
Open Source community has been overwhelmingly positive. We welcome contributions from GitHub including bug fixes,
|
||||
requests, scripts, processor modules, and plugins. </P>
|
||||
|
||||
<H2> Bug Fixes and Enhancements</H2>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user