From 69ed84a069255d06e500691dfd9229067bb8b209 Mon Sep 17 00:00:00 2001
From: emteere <47253321+emteere@users.noreply.github.com>
Date: Wed, 24 Sep 2025 18:03:10 +0000
Subject: [PATCH] GP-5526 bug fix for .plt.sec and pattern matching optimization
---
 .../app/cmd/function/CreateThunkFunctionCmd.java | 6 ++++++
 .../ghidra/app/analyzers/FunctionStartAnalyzer.java | 13 +++++++++----
 .../x86/data/patterns/x86gcc_prepatterns.xml | 8 ++++----
 3 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/Ghidra/Features/Base/src/main/java/ghidra/app/cmd/function/CreateThunkFunctionCmd.java b/Ghidra/Features/Base/src/main/java/ghidra/app/cmd/function/CreateThunkFunctionCmd.java
index 24eb186393..1743a23304 100644
--- a/Ghidra/Features/Base/src/main/java/ghidra/app/cmd/function/CreateThunkFunctionCmd.java
+++ b/Ghidra/Features/Base/src/main/java/ghidra/app/cmd/function/CreateThunkFunctionCmd.java
@@ -566,6 +566,12 @@ public class CreateThunkFunctionCmd extends BackgroundCommand {
 if (instr == null) {
 return null;
 }
+ // if there is no pcode, go to the next instruction
+ // assume fallthrough (ie. x86 instruction ENDBR64)
+ // TODO: at some point, might need to do a NOP detection
+ if (instr.getPcode().length == 0) {
+ instr = listing.getInstructionAfter(entry);
+ }
 FlowType flowType;
diff --git a/Ghidra/Features/BytePatterns/src/main/java/ghidra/app/analyzers/FunctionStartAnalyzer.java b/Ghidra/Features/BytePatterns/src/main/java/ghidra/app/analyzers/FunctionStartAnalyzer.java
index c02e18321e..a19668ff81 100644
--- a/Ghidra/Features/BytePatterns/src/main/java/ghidra/app/analyzers/FunctionStartAnalyzer.java
+++ b/Ghidra/Features/BytePatterns/src/main/java/ghidra/app/analyzers/FunctionStartAnalyzer.java
@@ -17,6 +17,7 @@ package ghidra.app.analyzers;
 import java.math.BigInteger;
 import java.util.*;
+import java.util.regex.Matcher;
 import generic.jar.ResourceFile;
 import ghidra.app.cmd.function.CreateFunctionCmd;
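Review bot: In the CreateThunkFunctionCmd hunk the new `instr = listing.getInstructionAfter(entry);` runs after the `instr == null` guard, so a null result (no instruction follows the entry) is never checked before the code below the hunk uses `instr`; I would add `if (instr == null) { return null; }` directly after the reassignment. `getInstructionAfter` also returns the next instruction in address order, which is the fallthrough only when the two are contiguous; if data or undefined bytes follow a pcode-less entry instruction, thunk detection would run on an unrelated instruction. Resolving the successor through `instr.getFallThrough()` and `listing.getInstructionAt(...)` would keep the "assume fallthrough" comment true, which matters because this command runs on arbitrary and possibly malformed binaries. The enclosing method starts and ends outside the hunk, so the later dereference of `instr` is inferred rather than visible.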
@@ -209,7 +210,7 @@ public class FunctionStartAnalyzer extends AbstractAnalyzer implements PatternFa
 private String label = null;
 private boolean isThunk = false; // true if this function should be turned into a thunk
 private boolean noreturn = false; // true to set function non-returning
- private String sectionName = null; // required section name
+ private java.util.regex.Pattern sectionNamePattern = null; // required section name as a regex pattern
 boolean validFunction = false; // must be defined at a function
 private boolean contiguous = true; // require validcode instructions be contiguous
@@ -227,9 +228,13 @@ public class FunctionStartAnalyzer extends AbstractAnalyzer implements PatternFa
 protected boolean checkPreRequisites(Program program, Address addr) {
 // check required section name
- if (sectionName != null) {
+ if (sectionNamePattern != null) {
 MemoryBlock block = program.getMemory().getBlock(addr);
- if (block == null || !block.getName().matches(sectionName)) {
+ if (block == null) {
+ return false;
+ }
+ Matcher m = sectionNamePattern.matcher(block.getName());
+ if (!m.matches()) {
 return false;
 }
 }
@@ -651,7 +656,7 @@ public class FunctionStartAnalyzer extends AbstractAnalyzer implements PatternFa
 break;
 case "section":
- sectionName = attrValue;
+ sectionNamePattern = java.util.regex.Pattern.compile(attrValue);
 break;
 case "noreturn":
diff --git a/Ghidra/Processors/x86/data/patterns/x86gcc_prepatterns.xml b/Ghidra/Processors/x86/data/patterns/x86gcc_prepatterns.xml
index 190acf223f..84b6d20dee 100644
--- a/Ghidra/Processors/x86/data/patterns/x86gcc_prepatterns.xml
+++ b/Ghidra/Processors/x86/data/patterns/x86gcc_prepatterns.xml
@@ -6,15 +6,15 @@ 0x68......00 0xe9......ff - + - 0xf3 0x0f 0x1e 0x1a - 0xf2 0xff 0x25 .. .. .. .. + 0xf3 0x0f 0x1e 0xfa + 0xf2 0xff 0x25 - +
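Review bot: The comments around the section check in `checkPreRequisites` (and on the `sectionNamePattern` field in the @@ -209 hunk) do not say that the regex must match the entire block name, which is what `Matcher.matches()` enforces. A pattern author who writes `\.plt` will not match a block named `.plt.sec`, and that distinction is the subject of this commit. I would change the in-method comment to `// section attribute is a regex that must match the whole block name (matches(), not find())` and the field comment to `// required section name: regex, full match against the block name`. The local `m` is used once, so `if (!sectionNamePattern.matcher(block.getName()).matches())` would read the same with one line less.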
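Review bot: `java.util.regex.Pattern.compile(attrValue)` in the `case "section":` branch throws an unchecked `PatternSyntaxException` for a malformed regex, and nothing in the hunk catches it, so a bad section attribute in a pattern file now fails while the file is being loaded instead of at the first match. Whether the surrounding attribute loop already handles runtime exceptions cannot be seen here, because the enclosing method starts and ends outside the hunk. If it does not, I would wrap the call as `try { sectionNamePattern = java.util.regex.Pattern.compile(attrValue); } catch (java.util.regex.PatternSyntaxException e) { /* report attrValue, then reject this pattern */ }` so the error names the offending value and one bad entry does not abort loading of the remaining patterns.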