From 0815f463f543e0f09e582de612e04b612460bc4d Mon Sep 17 00:00:00 2001
From: emteere <47253321+emteere@users.noreply.github.com>
Date: Wed, 24 Sep 2025 18:01:43 +0000
Subject: [PATCH] GP-5998 Added security_check_cookie function patterns and
 callfixup for VS2022 based binaries.

---
 .../Processors/x86/data/languages/x86-64-win.cspec  |  9 +++++++++
 Ghidra/Processors/x86/data/languages/x86win.cspec   |  9 +++++++++
 .../x86/data/patterns/x86-64win_patterns.xml        | 13 +++++++++++++
 .../x86/data/patterns/x86win_patterns.xml           |  9 +++++++++
 4 files changed, 40 insertions(+)

diff --git a/Ghidra/Processors/x86/data/languages/x86-64-win.cspec b/Ghidra/Processors/x86/data/languages/x86-64-win.cspec
index 846134c13f..5310d4e1af 100644
--- a/Ghidra/Processors/x86/data/languages/x86-64-win.cspec
+++ b/Ghidra/Processors/x86/data/languages/x86-64-win.cspec
@@ -233,4 +233,13 @@
       ]]></body>
     </pcode>
   </callfixup>
+  
+  <callfixup name="security_check_cookie">
+    <target name="__security_check_cookie"/>
+    <pcode>
+      <body><![CDATA[
+        tmpzero:4 = 0;
+      ]]></body>
+    </pcode>
+  </callfixup>
 </compiler_spec>
diff --git a/Ghidra/Processors/x86/data/languages/x86win.cspec b/Ghidra/Processors/x86/data/languages/x86win.cspec
index d759822606..19c6a28786 100644
--- a/Ghidra/Processors/x86/data/languages/x86win.cspec
+++ b/Ghidra/Processors/x86/data/languages/x86win.cspec
@@ -386,4 +386,13 @@
    ]]></body>
   </pcode>
 </callfixup>
+
+<callfixup name="security_check_cookie">
+    <target name="__security_check_cookie"/>
+    <pcode>
+      <body><![CDATA[
+        tmpzero:4 = 0;
+      ]]></body>
+    </pcode>
+</callfixup>
 </compiler_spec>
diff --git a/Ghidra/Processors/x86/data/patterns/x86-64win_patterns.xml b/Ghidra/Processors/x86/data/patterns/x86-64win_patterns.xml
index 50b144afae..0b3d282905 100644
--- a/Ghidra/Processors/x86/data/patterns/x86-64win_patterns.xml
+++ b/Ghidra/Processors/x86/data/patterns/x86-64win_patterns.xml
@@ -89,4 +89,17 @@
     <data>0xcccc * 0x4c8b 11...100 01001.01 0x89</data> <!-- CC filler : MOV -,RSP : MOV [- + #], -->
     <funcstart/>
   </pattern>
+  
+  <pattern> <!-- This can most likely be removed when VS2022 FID files are added __security_check_cookie -->
+    <data>  01001... 0x3b 0x0d ........ ........ ........ ........
+            0x75 0x10
+            01001... 0xc1 0xc1 0x10
+            0x66 0xf7 0xc1 0xff 0xff
+            0x75 0x01
+            0xc3
+            01001... 0xc1 0xc9 0x10
+            0xe9 </data>
+     <align mark="0" bits="3"/>
+     <funcstart label="__security_check_cookie" validcode="function"/>
+   </pattern>
 </patternlist>
diff --git a/Ghidra/Processors/x86/data/patterns/x86win_patterns.xml b/Ghidra/Processors/x86/data/patterns/x86win_patterns.xml
index 4c4b59e73c..c048c9f334 100644
--- a/Ghidra/Processors/x86/data/patterns/x86win_patterns.xml
+++ b/Ghidra/Processors/x86/data/patterns/x86win_patterns.xml
@@ -144,4 +144,13 @@
      <funcstart label="__break" validcode="function" noreturn="true"/>  <!-- must be defined at an existing function -->
   </pattern>
   
+  <pattern> <!-- This can most likely be removed when VS2022 FID files are added __security_check_cookie -->
+    <data>  0x3b 0x0d 0x.. 0x.. 0x.. 0x..
+            0x75 0x01 
+            0xc3 
+            0xe9 
+            </data>
+     <funcstart label="__security_check_cookie" validcode="function"/>
+   </pattern>
+  
 </patternlist>