GP-5526 bug fix for .plt.sec and pattern matching optimization

2025-10-03 01:39:21 +02:00 · 2025-09-24 18:03:10 +00:00 · 2025-09-24 18:03:10 +00:00 · 136a28d603
commit 136a28d603
parent 0b88d55bea
3 changed files with 19 additions and 8 deletions
--- a/Ghidra/Features/Base/src/main/java/ghidra/app/cmd/function/CreateThunkFunctionCmd.java
+++ b/Ghidra/Features/Base/src/main/java/ghidra/app/cmd/function/CreateThunkFunctionCmd.java
@ -566,6 +566,12 @@ public class CreateThunkFunctionCmd extends BackgroundCommand<Program> {
 		if (instr == null) {
 			return null;
 		}
+		// if there is no pcode, go to the next instruction
+		// assume fallthrough (ie. x86 instruction ENDBR64)
+		// TODO: at some point, might need to do a NOP detection
+		if (instr.getPcode().length == 0) {
+			instr = listing.getInstructionAfter(entry);
+		}

 		FlowType flowType;

--- a/Ghidra/Features/BytePatterns/src/main/java/ghidra/app/analyzers/FunctionStartAnalyzer.java
+++ b/Ghidra/Features/BytePatterns/src/main/java/ghidra/app/analyzers/FunctionStartAnalyzer.java
@ -17,6 +17,7 @@ package ghidra.app.analyzers;

 import java.math.BigInteger;
 import java.util.*;
+import java.util.regex.Matcher;

 import generic.jar.ResourceFile;
 import ghidra.app.cmd.function.CreateFunctionCmd;
@ -209,7 +210,7 @@ public class FunctionStartAnalyzer extends AbstractAnalyzer implements PatternFa
 		private String label = null;
 		private boolean isThunk = false;    // true if this function should be turned into a thunk
 		private boolean noreturn = false;   // true to set function non-returning
-		private String sectionName = null;  // required section name
+		private java.util.regex.Pattern sectionNamePattern = null;  // required section name as a regex pattern
 		boolean validFunction = false;      // must be defined at a function
 		private boolean contiguous = true;  // require validcode instructions be contiguous

@ -227,9 +228,13 @@ public class FunctionStartAnalyzer extends AbstractAnalyzer implements PatternFa

 		protected boolean checkPreRequisites(Program program, Address addr) {
 			// check required section name
-			if (sectionName != null) {
+			if (sectionNamePattern != null) {
 				MemoryBlock block = program.getMemory().getBlock(addr);
-				if (block == null || !block.getName().matches(sectionName)) {
+				if (block == null) {
+					return false;
+				}
+		        Matcher m = sectionNamePattern.matcher(block.getName());
+			    if (!m.matches()) {
 					return false;
 				}
 			}
@ -651,7 +656,7 @@ public class FunctionStartAnalyzer extends AbstractAnalyzer implements PatternFa
 						break;
 						
 					case "section":
-						sectionName = attrValue;
+						sectionNamePattern = java.util.regex.Pattern.compile(attrValue);
 						break;
 						
 					case "noreturn":
--- a/Ghidra/Processors/x86/data/patterns/x86gcc_prepatterns.xml
+++ b/Ghidra/Processors/x86/data/patterns/x86gcc_prepatterns.xml
@ -6,15 +6,15 @@
        0x68......00     <!-- push -->
        0xe9......ff     <!-- jmp -addr -->
     </data> <!-- .plt thunk -->
-     <funcstart thunk="true" section=".plt"/>
+     <funcstart thunk="true" section="(?i)(\.plt)"/>
  </pattern>
  
  <pattern>
     <data>
-        0xf3 0x0f 0x1e 0x1a        <!-- ENDBR64 -->
-        0xf2 0xff 0x25 .. .. .. .. <!-- jmp -->
+        0xf3 0x0f 0x1e 0xfa        <!-- ENDBR64 --> 
+        0xf2 0xff 0x25             <!-- jmp qword ptr [0xxxx] -->
     </data> <!-- .plt thunk -->
-     <funcstart thunk="true" section=".plt"/>
+     <funcstart thunk="true" section="(?i)(\.plt(\.sec)?)"/>
  </pattern>

 </patternlist>