GP-5526 Added section tag to function start patterns. New thunk patterns

in x86 gcc .plt section.  Changed priority of pre analyzer and
disassembly.

Ghidra/Features/BytePatterns/src/main/java/ghidra/app/analyzers/FunctionStartAnalyzer.java

@@ -4,9 +4,9 @@
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- * 
+ *
  *      http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -207,9 +207,10 @@ public class FunctionStartAnalyzer extends AbstractAnalyzer implements PatternFa
 		private int validCodeMin = NO_VALID_INSTRUCTIONS_REQUIRED;
 		private int validCodeMax = VALID_INSTRUCTIONS_NO_MAX;
 		private String label = null;
-		private boolean isThunk = false;  // true if this function should be turned into a thunk
+		private boolean isThunk = false;    // true if this function should be turned into a thunk
-		private boolean noreturn = false; // true to set function non-returning
+		private boolean noreturn = false;   // true to set function non-returning
-		boolean validFunction = false;    // must be defined at a function
+		private String sectionName = null;  // required section name
+		boolean validFunction = false;      // must be defined at a function
 		private boolean contiguous = true;  // require validcode instructions be contiguous
 
 		@Override
@@ -225,6 +226,14 @@ public class FunctionStartAnalyzer extends AbstractAnalyzer implements PatternFa
 		}
 
 		protected boolean checkPreRequisites(Program program, Address addr) {
+			// check required section name
+			if (sectionName != null) {
+				MemoryBlock block = program.getMemory().getBlock(addr);
+				if (block == null || !block.getName().matches(sectionName)) {
+					return false;
+				}
+			}
+			
 			/**
 			 * If the match's mark point occurs in undefined data, schedule disassembly
 			 * and a function start at that address. If the match's mark point occurs at an instruction, but that
@@ -641,6 +650,10 @@ public class FunctionStartAnalyzer extends AbstractAnalyzer implements PatternFa
 						isThunk = true;
 						break;
 						
+					case "section":
+						sectionName = attrValue;
+						break;
+						
 					case "noreturn":
 						noreturn = true;
 						break;
@@ -816,7 +829,14 @@ public class FunctionStartAnalyzer extends AbstractAnalyzer implements PatternFa
 
 		AutoAnalysisManager analysisManager = AutoAnalysisManager.getAnalysisManager(program);
 		if (!disassemResult.isEmpty()) {
-			analysisManager.disassemble(disassemResult, AnalysisPriority.DISASSEMBLY);
+			// disassemble known function starts now
+			AddressSet doNowDisassembly = disassemResult.intersect(funcResult);
+			// this will disassemble at this analyzers priority
+			analysisManager.disassemble(doNowDisassembly);
+			
+			// delay disassemble of possible function starts
+			AddressSet delayedDisassembly = disassemResult.subtract(funcResult);
+			analysisManager.disassemble(delayedDisassembly, AnalysisPriority.DISASSEMBLY);
 		}
 		analysisManager.setProtectedLocations(codeLocations);
 

Ghidra/Features/BytePatterns/src/main/java/ghidra/app/analyzers/FunctionStartPreFuncAnalyzer.java

@@ -4,9 +4,9 @@
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- * 
+ *
  *      http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -44,7 +44,7 @@ public class FunctionStartPreFuncAnalyzer extends FunctionStartAnalyzer {
 	public FunctionStartPreFuncAnalyzer() {
 		super(FUNCTION_START_PRE_SEARCH, DESCRIPTION, AnalyzerType.BYTE_ANALYZER);
 		
-		setPriority(AnalysisPriority.BLOCK_ANALYSIS.after());
+		setPriority(AnalysisPriority.BLOCK_ANALYSIS.before());
 		setDefaultEnablement(true);
 		setSupportsOneTimeAnalysis();
 	}

Ghidra/Processors/x86/certification.manifest

@@ -92,5 +92,6 @@ data/patterns/x86-64gcc_patterns.xml||GHIDRA||||END|
 data/patterns/x86-64win_patterns.xml||GHIDRA||||END|
 data/patterns/x86delphi_patterns.xml||GHIDRA||||END|
 data/patterns/x86gcc_patterns.xml||GHIDRA||||END|
+data/patterns/x86gcc_prepatterns.xml||GHIDRA||||END|
 data/patterns/x86win_patterns.xml||GHIDRA||||END|
 data/patterns/x86win_prepatterns.xml||GHIDRA||||END|

Ghidra/Processors/x86/data/patterns/prepatternconstraints.xml

@@ -7,6 +7,15 @@
   	<compiler id="borlandcpp">
   	  <patternfile>x86win_prepatterns.xml</patternfile>
   	</compiler>
+  	<compiler id="gcc">
+  	  <patternfile>x86gcc_prepatterns.xml</patternfile>
+  	</compiler>
   </language>
-
+  
+  <language id="x86:LE:64:default">
+  	<compiler id="gcc">
+  	  <patternfile>x86gcc_prepatterns.xml</patternfile>
+  	</compiler>
+  </language>
+  
 </patternconstraints>

Ghidra/Processors/x86/data/patterns/x86gcc_prepatterns.xml

@@ -0,0 +1,20 @@
+<patternlist>
+  
+  <pattern>
+     <data>
+        0xff25........   <!-- jmp -->
+        0x68......00     <!-- push -->
+        0xe9......ff     <!-- jmp -addr -->
+     </data> <!-- .plt thunk -->
+     <funcstart thunk="true" section=".plt"/>
+  </pattern>
+  
+  <pattern>
+     <data>
+        0xf3 0x0f 0x1e 0x1a        <!-- ENDBR64 -->
+        0xf2 0xff 0x25 .. .. .. .. <!-- jmp -->
+     </data> <!-- .plt thunk -->
+     <funcstart thunk="true" section=".plt"/>
+  </pattern>
+
+</patternlist>