GP-5526 Added section tag to function start patterns. New thunk patterns

in x86 gcc .plt section. Changed priority of pre analyzer and disassembly.
2025-10-03 01:39:21 +02:00 · 2025-09-10 22:55:14 +00:00 · 2025-09-10 22:55:14 +00:00 · 4b6d90366c
commit 4b6d90366c
parent 0613d364fc
5 changed files with 60 additions and 10 deletions
--- a/Ghidra/Features/BytePatterns/src/main/java/ghidra/app/analyzers/FunctionStartAnalyzer.java
+++ b/Ghidra/Features/BytePatterns/src/main/java/ghidra/app/analyzers/FunctionStartAnalyzer.java
@ -207,9 +207,10 @@ public class FunctionStartAnalyzer extends AbstractAnalyzer implements PatternFa
 		private int validCodeMin = NO_VALID_INSTRUCTIONS_REQUIRED;
 		private int validCodeMax = VALID_INSTRUCTIONS_NO_MAX;
 		private String label = null;
-		private boolean isThunk = false;  // true if this function should be turned into a thunk
-		private boolean noreturn = false; // true to set function non-returning
-		boolean validFunction = false;    // must be defined at a function
+		private boolean isThunk = false;    // true if this function should be turned into a thunk
+		private boolean noreturn = false;   // true to set function non-returning
+		private String sectionName = null;  // required section name
+		boolean validFunction = false;      // must be defined at a function
 		private boolean contiguous = true;  // require validcode instructions be contiguous

 		@Override
@ -225,6 +226,14 @@ public class FunctionStartAnalyzer extends AbstractAnalyzer implements PatternFa
 		}

 		protected boolean checkPreRequisites(Program program, Address addr) {
+			// check required section name
+			if (sectionName != null) {
+				MemoryBlock block = program.getMemory().getBlock(addr);
+				if (block == null || !block.getName().matches(sectionName)) {
+					return false;
+				}
+			}
+			
 			/**
 			 * If the match's mark point occurs in undefined data, schedule disassembly
 			 * and a function start at that address. If the match's mark point occurs at an instruction, but that
@ -641,6 +650,10 @@ public class FunctionStartAnalyzer extends AbstractAnalyzer implements PatternFa
 						isThunk = true;
 						break;
 						
+					case "section":
+						sectionName = attrValue;
+						break;
+						
 					case "noreturn":
 						noreturn = true;
 						break;
@ -816,7 +829,14 @@ public class FunctionStartAnalyzer extends AbstractAnalyzer implements PatternFa

 		AutoAnalysisManager analysisManager = AutoAnalysisManager.getAnalysisManager(program);
 		if (!disassemResult.isEmpty()) {
-			analysisManager.disassemble(disassemResult, AnalysisPriority.DISASSEMBLY);
+			// disassemble known function starts now
+			AddressSet doNowDisassembly = disassemResult.intersect(funcResult);
+			// this will disassemble at this analyzers priority
+			analysisManager.disassemble(doNowDisassembly);
+			
+			// delay disassemble of possible function starts
+			AddressSet delayedDisassembly = disassemResult.subtract(funcResult);
+			analysisManager.disassemble(delayedDisassembly, AnalysisPriority.DISASSEMBLY);
 		}
 		analysisManager.setProtectedLocations(codeLocations);

--- a/Ghidra/Features/BytePatterns/src/main/java/ghidra/app/analyzers/FunctionStartPreFuncAnalyzer.java
+++ b/Ghidra/Features/BytePatterns/src/main/java/ghidra/app/analyzers/FunctionStartPreFuncAnalyzer.java
@ -44,7 +44,7 @@ public class FunctionStartPreFuncAnalyzer extends FunctionStartAnalyzer {
 	public FunctionStartPreFuncAnalyzer() {
 		super(FUNCTION_START_PRE_SEARCH, DESCRIPTION, AnalyzerType.BYTE_ANALYZER);
 		
-		setPriority(AnalysisPriority.BLOCK_ANALYSIS.after());
+		setPriority(AnalysisPriority.BLOCK_ANALYSIS.before());
 		setDefaultEnablement(true);
 		setSupportsOneTimeAnalysis();
 	}
--- a/Ghidra/Processors/x86/certification.manifest
+++ b/Ghidra/Processors/x86/certification.manifest
@ -92,5 +92,6 @@ data/patterns/x86-64gcc_patterns.xml||GHIDRA||||END|
 data/patterns/x86-64win_patterns.xml||GHIDRA||||END|
 data/patterns/x86delphi_patterns.xml||GHIDRA||||END|
 data/patterns/x86gcc_patterns.xml||GHIDRA||||END|
+data/patterns/x86gcc_prepatterns.xml||GHIDRA||||END|
 data/patterns/x86win_patterns.xml||GHIDRA||||END|
 data/patterns/x86win_prepatterns.xml||GHIDRA||||END|
--- a/Ghidra/Processors/x86/data/patterns/prepatternconstraints.xml
+++ b/Ghidra/Processors/x86/data/patterns/prepatternconstraints.xml
@ -7,6 +7,15 @@
  	<compiler id="borlandcpp">
  	  <patternfile>x86win_prepatterns.xml</patternfile>
  	</compiler>
+  	<compiler id="gcc">
+  	  <patternfile>x86gcc_prepatterns.xml</patternfile>
+  	</compiler>
+  </language>
+  
+  <language id="x86:LE:64:default">
+  	<compiler id="gcc">
+  	  <patternfile>x86gcc_prepatterns.xml</patternfile>
+  	</compiler>
  </language>
  
 </patternconstraints>
--- a/Ghidra/Processors/x86/data/patterns/x86gcc_prepatterns.xml
+++ b/Ghidra/Processors/x86/data/patterns/x86gcc_prepatterns.xml
@ -0,0 +1,20 @@
+<patternlist>
+  
+  <pattern>
+     <data>
+        0xff25........   <!-- jmp -->
+        0x68......00     <!-- push -->
+        0xe9......ff     <!-- jmp -addr -->
+     </data> <!-- .plt thunk -->
+     <funcstart thunk="true" section=".plt"/>
+  </pattern>
+  
+  <pattern>
+     <data>
+        0xf3 0x0f 0x1e 0x1a        <!-- ENDBR64 -->
+        0xf2 0xff 0x25 .. .. .. .. <!-- jmp -->
+     </data> <!-- .plt thunk -->
+     <funcstart thunk="true" section=".plt"/>
+  </pattern>
+
+</patternlist>