yetangitu/ghidra
1
0
Fork 0
mirror of https://github.com/NationalSecurityAgency/ghidra.git synced 2025-10-03 09:49:23 +02:00
Code Issues Releases Wiki Activity

Merge remote-tracking branch 'origin/Ghidra_11.4'

Browse source
This commit is contained in:
Ryan Kurtz 2025-06-20 06:03:45 -04:00
commit bba400ee2f
2 changed files with 243 additions and 91 deletions
Download patch file Download diff file Expand all files Collapse all files

183
Ghidra/Configurations/Public_Release/src/global/docs/ChangeHistory.md
View file

@ -1,3 +1,186 @@
# Ghidra 11.4 Change History (June 2025)
### New Features
* _Basic Infrastructure_. Implemented Dockerized Ghidra. See `docker/README.md` for information about how to build the docker image for Ghidra and how to run the Ghidra container. This feature includes `headless`, `ghidra-server`, `bsim-server`, `bsim`, `pyghidra`, and `gui` entrypoints. (GP-3579)
* _Debugger_. Added support for Meta's drgn debugger, undertaken as a test case to generate new Debugger documentation. (GP-326)
* _Debugger_. Added time overview to the Dynamic Listing. (GP-870)
* _Debugger_. Implemented remote options for dbgeng targets. (GP-4732)
* _Debugger_. Added event/exception handling for the dbgeng. (GP-4786)
* _Debugger_. Added support for `rr` via gdb. (GP-5452, Issue #3133)
* _Debugger:Agents_. Provided additional `catch` methods for gdb. (GP-5466)
* _Debugger:Listing_. Support for 32-bit pointers on WoW64 targets is now added. The pointer size is automatically determined by the PE header of the module containing the PC. (GP-616, Issue #4127)
* _Debugger:Time_. Added actions to __Debugger__ menu to set the display radix for snapshot keys and time schedules. (GP-5523)
* _Importer_. Provided new loader for the `Unix A.out` binary file format. (GP-3182, Issue #4943, #5004)
* _Search_. Added new Search-and-Replace feature. This feature make it easy to globally rename many different types of program elements and update related comments. (GP-5310)
### Improvements
* _Accessibility_. Provided accessible names for most dialog components. (GP-4555)
* _Analysis_. Added support for Golang closures and generic functions. Added support for applying function signatures to core Golang library functions that were captured and stored in API snapshot files. (GP-2432, Issue #6367)
* _Analysis_. Improved speed of constant reference analysis and stack analysis. (GP-4512)
* _Analysis_. Improved decompilation of Golang functions by eliminating compiler-generated boilerplate calls to internal garbage-collection functions. (GP-5373, Issue #7484)
* _Analysis_. Updated the IMAGE_RUNTIME_FUNCTION_ENTRY structure for x86 programs to change the EndAddress type from an ImageBaseOffset32 to a DWORD. This helps prevent references and code from being incorrectly created at the address after each listed function. (GP-5430)
* _Analysis_. Improved how Golang interface methods are modeled. (GP-5455, Issue #7529)
* _Analysis_. The __Rust String Analyzer__ no longer clears and converts strings defined in the header to character arrays. (GP-5643, Issue #8019)
* _API_. Updated some Decompiler locations to better navigate the Listing. (GP-5453, Issue #7518)
* _Basic Infrastructure_. Upgraded 3rd party jars for Bouncy Castle, Apache Commons Compress, Apache Commons Lang3, Apache Commons IO, and JUnit. (GP-5631)
* _BSim_. The BSim `support/make-postgres.sh` script now runs on linux_arm_64 and mac_arm_64 platforms. (GP-5282, Issue #7287)
* _BSim_. Made BSim installed by default. (GP-5435)
* _BSim_. Added checks to `AddProgramToH2BSimDatabaseScript` to prevent the generation of signatures when a program has unsaved changes or no functions. (GP-5562, Issue #7897)
* _BSim_. Function names in the BSim Overview Results table now update if they are changed in the program. (GP-5604, Issue #7903)
* _BSim_. Upgraded Postgres for BSim to version 15.13 and JDBC driver to 42.7.6. This resolves issues with building PostgreSQL server on newer releases of Linux and compiler toolchains which compile with `-std=c23` option by default. (GP-5680, Issue #8122)
* _Byte Viewer_. Byteviewer now centers the cursor on the screen when going to a new offscreen location instead of putting the cursor at the top or bottom. (GP-2148)
* _Calling Conventions_. Corrected specifications for parameter and return storage of homogeneous float aggregate types in AARCH64.cspec. Made a number of improvements and corrections to AARCH64_win.cspec. (GP-5192, Issue #8016)
* _Data Types_. Improved handling of datatype removal and the impact it can have within Structure and Union components. Previously, affected components were removed, causing unknown loss of information. With this change, components will be preserved with the use of a `BadDataType`, allowing their size and field names to be preserved. Each affected component comment will also be updated to indicate the name of the datatype that was removed. A similar situation for a Structure bit-field will revert its base datatype to an appropriate primitive integer type if it had been based upon a deleted Enum or Typedef. (GP-2949)
* _Data Types_. Fixed issue where a datatype node in the datatype tree had a stale tool tip if a datatype it contained was renamed. (GP-5434)
* _Data Types_. Improved Structure Editor `unpack` action to include typedef of arrays and structures. This change also corrects unpacking of structures which contain zero-length components. (GP-5527, Issue #7528)
* _Debugger_. Fixed issue where, when hovering over struct members, the left-hand side of assignment statements gave incorrect values. (GP-3450, Issue #5337)
* _Debugger_. Provided better launcher defaults. (GP-4611)
* _Debugger_. Added various Debugger launchers, especially Windows equivalents of existing Linux launchers. Fixed launch logic for targets and arguments with spaces in their paths. (GP-5360, Issue #4977)
* _Debugger:Agents_. Integrated timeline for `dbgeng-trace` connector. Navigating in the __Time__ window or using the __Go-To Time__ action now issues the corresponding `!tt` command, and vice versa. (GP-4209)
* _Debugger:Agents_. Replaced the experimental pyTTD implementation with direct use of the Microsoft DLLs; enables heap / memory visualization based on LINQ queries in the Memview Display. (GP-5407)
* _Debugger:Agents_. Added __Image__ option to __remote gdb__ and __remote lldb__ connectors. (GP-5538, Issue #7955)
* _Debugger:Agents_. The connectors will now prompt to automatically remedy some missing setup steps. (GP-5551)
* _Debugger:Breakpoints_. Added __Set Breakpoint__ drop-down action. (GP-4546)
* _Debugger:dbgeng.dll_. Added a few more options for dbgeng targets. (GP-5270)
* _Debugger:drgn_. Added type annotations to drgn. (GP-5511)
* _Debugger:Emulator_. Moved display of the current time (schedule) from Threads to the Listing's tabs. (GP-5265)
* _Debugger:Listing_. Fixed issue where Dynamic and Static Listings could get out of sync when another component directed navigation (i.e., not directly input-driven). (GP-5548)
* _Debugger:LLDB_. Added documentation to bootstrap pip into the Android NDK's lldb. (GP-5533)
* _Debugger:Memory_. The primary __Dynamic Listing__ and __Memory Bytes__ windows are now synchronized. (GP-3405)
* _Debugger:Stack_. Improved stack unwinder to handle the ARM `bx` instruction. (GP-3771, Issue #5658)
* _Debugger:Targets_. Added a __busy__ indicator to each connection and target. (GP-4080)
* _Debugger:Time_. Added __PC__, __Function__, and __Module__ columns to the __Time__ window. Changed default visibility and widths. (GP-5264)
* _Debugger:Time_. Added a __Time__ column to the __Time__ window. Hid the __Snap__ and __Snapshot__ columns by default. (GP-5499)
* _Debugger:Time_. Double-clicking or pressing `Enter` on a row in the __Time Selection__ dialog now confirms the dialog. (GP-5674)
* _Decompiler_. The Decompiler simplifies new situations where optimized code packs multiple variables into a single register. (GP-5240, Issue #7277)
* _Decompiler_. Updated Decompiler highlighting to ignore syntax tokens. (GP-5414, Issue #7527)
* _Decompiler_. Fixed a performance issue seen in the Decompiler when using a large number of custom global highlighters. (GP-5477, Issue #7520)
* _Decompiler_. Enabled optimizations for C++ source files when compiling native executables on Windows. (GP-5543, Issue #7953)
* _Decompiler_. Updated the Decompiler to now show a warning when executing DockingActions while the Decompiler is busy. (GP-5572, Issue #7893)
* _Documentation_. Updated BSim documentation to mention PostgreSQL support on arm64. (GP-5384, Issue #7387, #7388)
* _Documentation_. Renamed `InstallationGuide.md` to `GettingStarted.md`. (GP-5598)
* _DWARF_. DWARF analyzer now imports symbols found in external debug files. (GP-5570)
* _Emulator:JIT_. Fixed an issue with transition to THUMB on indirect branches. (GP-5301)
* _Exporter_. The C/C++ exporter now has an option to export declarations for referenced global variables (on by default). (GP-4123, Issue #2635)
* _Function Tags_. Added __Make Selection__ action to Function Tags Window. (GP-5354)
* _GhidraGo_. Improved GhidraGo CLI to print correct usage upon invalid/missing GhidraURL argument. (GP-5504)
* _Graphing_. Added __Truncate Function Name__ option to the Function Call Graph to control name truncation, which was previously always enabled. (GP-2307, Issue #1684)
* _GUI_. Added the ability to search for text in the Console. (GP-3858, Issue #2567, #7136)
* _GUI_. Added more data type filter options to the Data Types provider. (GP-3870, Issue #5734)
* _GUI_. Updated Listing Label hovers to show symbol type and source type. (GP-4393)
* _GUI_. Updated the Function Editor dialog to find the next editable table cell when initiating a table edit via `F2` on an uneditable cell. (GP-5316, Issue #7241)
* _GUI_. Added the __Copy Formatted__ action to most trees to allow a copy operation that maintains tree node indentation. (GP-5317, Issue #7417)
* _GUI_. Added an __Edit Structure Field__ action to allow changing the name, datatype, and comment for a structure (or union) at the same time. (GP-5326, Issue #7407)
* _GUI_. Improved function parameter/return custom storage editor to employ a filtered pull-down combo-box for register selection. (GP-5369)
* _GUI_. Symbol Tree - Improved event handling to maintain user view position; added an option for organization node group threshold; fixed missing nodes under classes; updated tree to maintain user selection. (GP-5474, Issue #7889, #7891)
* _GUI_. Updated the Decompiler's rename dialog to pick the correct parent namespace. (GP-5565, Issue #7507)
* _Importer_. The MapLoader now parses and applies the symbols found in the `Static symbols` section of a MAP file. (GP-5530, Issue #7945)
* _Importer:Mach-O_. The `dyld_shared_cache` filesystem no longer throws exceptions when trying to perform slide fixups on very large cache files. (GP-5357)
* _Importer:Mach-O_. The extracted dyld_shared_cache component loader now has options to automatically add common components that contribute to better analysis such as libobjc.dylib, constant data, and text stubs. (GP-5396, Issue #7289, #7469)
* _Importer:Mach-O_. The Mach-O loader now properly handles the `LC_REEXPORT_DYLIB` load command, transitively exporting the exported symbols from one library to another. (GP-5429, Issue #7537)
* _Importer:Mach-O_. Mach-O files contained within a Universal Binary container can now be directly imported without having to go through the File System Browser. Use the __Language__ field of the import dialog to select the architecture to import. (GP-5552)
* _Listing_. Changed Listing comment fields to now display offcut comments. Offcut comments are comments at addresses in the middle of an instruction or data item instead of at the start address. They are displayed in red to distinguish them from non-offcut comments. (GP-4037)
* _Navigation_. Added previously missing navigation history when using __Repeat Memory Search__ action. (GP-5440, Issue #7445)
* _PDB_. Added a post-analysis pop-up message for when PDB file could not be found. (GP-5697)
* _Performance_. Fixed performance issue with __Defined Strings__ table when other very large data types are present in the program. (GP-2941, Issue #3498, #5726, #8134)
* _Processors_. Added support for ARM Cortex stack limit register instructions (GP-4731, Issue #5255, #5256, #6667)
* _Processors_. Improved display of x87 floating-point operands. (GP-5030, Issue #6786)
* _Processors_. Updated appropriate x87 instructions to modify the FPU instruction pointer. (GP-5191, Issue #7205, #7508)
* _Processors_. Added support for ARM additional VFP system registers. (GP-5469, Issue #6573)
* _Processors_. Added implementation of additional x86 AVX512 instructions. (GP-5537)
* _Processors_. Improved pcode generated for certain x86 `PUSH FS` and `PUSH GS` variants. (GP-5638, Issue #6602)
* _ProgramDB_. Provided various locking-related speed improvements for multi-threaded access. (GP-5619)
* _Scripting_. Changed __In Tool__ option in the Script Manager table to automatically add actions to the global menu bar under a __Scripts__ menu if not already specified to be placed in another location specified by `@menupath`. (GP-5428)
* _Scripting_. Removed old prototype `GccAnalysisScript` since it is no longer maintained and has been long since replaced with the `RecoverClassesFromRTTIScript`. (GP-5451, Issue #7871)
* _Scripting_. PyGhidra can now open projects created with the Ghidra GUI by setting the `nested_project_location` optional parameter to `False`. (GP-5627, Issue #8040)
* _SourceMatching_. The actions to create SourceFile transforms now use file choosers. (GP-5255)
* _Version Tracking_. Made Version Tracking Wizard more efficient when choosing programs to be compared if either one is versioned or needs to be upgraded. (GP-4151)
* _Version Tracking_. Changed the minimum function length in the Auto Version Tracker for the duplicate instruction correlator to be larger to improve the correlator speed. Users can change this option in the Auto Version Tracking options folder. (GP-5762)
### Bugs
* _Analysis_. Fixed an issue with a missing magic value for Golang 1.20+ that could cause a failure in finding the root `moduledata` structure and subsequently all RTTI and function information in stripped PE binaries. (GP-5728, Issue #8213)
* _Basic Infrastructure_. Fixed a bug that prevented new installations of Ghidra from applying preferences found in older installed versions of Ghidra. (GP-5633, Issue #8107)
* _Calling Conventions_. Added compiler specification support for the ARM APCS calling convention. (GP-4923, Issue #7434)
* _Calling Conventions_. Corrected specifications of return storage locations of structures for the default prototypes in x86gcc.cspec and x86-64-win.cspec. Made a number of improvements to the `MSABI` prototype in x86-64-gcc.cspec. (GP-5183)
* _Debugger_. Fixed a bug that occurred when editing memory after closing and re-opening a trace in another tool. (GP-5314, Issue #7413)
* _Debugger_. Fixed an issue where object key re-use caused incorrect merging of objects. Often, this led to stale values being used or displayed in parts of the UI. In particular, this caused breakpoints to appear at incorrect addresses. (GP-5379, Issue #7497)
* _Debugger_. Provided a fix such that Debugger image defaults are not applied if there is a program. (GP-5607)
* _Debugger:Breakpoints_. Fixed a bug with removing and re-adding the `BreakpointMarkerPlugin`. (GP-5364)
* _Debugger:Breakpoints_. Fixed an issue with breakpoint state consistency when the containing program image is not mapped. (GP-5671)
* _Debugger:dbgeng.dll_. Fixed a bug in the exception handler for dbgeng that caused stopping despite the settings. (GP-5606, Issue #8029)
* _Debugger:dbgeng.dll_. For dbgeng-backed targets, if reading the PE-header to determine x86/x64 mode times out, the error is now in the Debug Console instead of a popup dialog. This automatic memory read is now also modulated by the main Listing's __Auto-Read Target Memory__ setting. (GP-5678, Issue #8155)
* _Debugger:GDB_. Provided fix for signed/unsigned address errors in gdb. (GP-5331, Issue #6787)
* _Debugger:GDB_. Fixed an issue where gdb connector couldn't list sections if any had zero length. (GP-5612)
* _Debugger:Listing_. Fixed an issue with __Select All__ and similar actions in the __Dynamic Listing__. (GP-5438)
* _Debugger:Listing_. Fixed `NullPointerException` in tab panel when exiting. (GP-5540, Issue #7956)
* _Debugger:Memory_. Fixed a performance issue for long-lived (many snapshots) targets. (GP-5494, Issue #4940)
* _Debugger:Objects_. Fixed an issue where __Refresh__ actions on Model view expansion were getting mixed up. (GP-5425)
* _Debugger:Registers_. Fixed hang at launch when the __Registers__ table had a filter. (GP-5673)
* _Debugger:Targets_. Fixed an issue that required user to click the __trace tab__ when launching without an Image; e.g., to attach manually. (GP-5668)
* _Decompiler_. Upgraded taint analysis to interface with CTADL v0.11.0. (GP-5573)
* _Decompiler_. Fixed issue preventing decompilation of certain functions containing a FLOAT_NAN pcode op. (GP-5676, Issue #8092)
* _Demangler_. Fixed GnuDemangler to support the mangled TLS init function. (GP-5642, Issue #8105)
* _Documentation_. Fixed some typos in the Debugger Course. (GP-5670)
* _DWARF_. Fixed DWARF analyzer to handle Apple Mach-O truncation of DWARF5 section names. Fixed DWARF analyzer to handle DW_TAG_atomic_type. (GP-5755)
* _Framework_. Fixed an issue where the installation directory was incorrectly reported in development mode. (GP-5698, Issue #8146)
* _GUI_. Fixed a bug that caused the Symbol Tree to be blank when shown with a filter applied. (GP-5258, Issue #7365)
* _GUI_. Fixed a table filter bug that caused some escaped glob characters to prevent items from passing the filter. (GP-5337, Issue #7444)
* _GUI_. Fixed sporadic Decompiler function color bug that caused bad function colors to oscillate. (GP-5346, Issue #7453)
* _GUI_. Fixed an issue with program tabs when the panel is size-restricted. (GP-5578, Issue #7915)
* _GUI_. Fixed an issue where toolbar buttons sometimes got spaced far apart. (GP-5584, Issue #7984)
* _GUI_. Fixed bug in __Search Memory__ that created a bad component title which ultimately prevented the tool from saving. (GP-5597, Issue #8015)
* _GUI_. Fixed a bug that prevented the correct clearing of the `Esc` keybinding after restarting Ghidra. (GP-5599)
* _GUI_. Fixed a bug in GoTo dialog where entering a backslash (`\`) caused a stack trace. (GP-5615, Issue #8038)
* _GUI_. Fixed a bug on the Mac that caused `Ctrl-Mouse-Click` to clear the table selection when showing the popup menu. (GP-5618, Issue #7902)
* _GUI_. Fixed a bug that introduced duplicate data when renaming functions with a filter. (GP-5620, Issue #8031)
* _GUI_. Fixed the Data Type Manager's __Find Structures by Size...__ action so that it can find zero-length structures. (GP-5634, Issue #8096)
* _Importer:ELF_. Added ELF SH4 partial in-place relocation processing for R_SH_DIR32 and R_SH_REL32 relocations. This was done in response to observed cases for VxWorks binaries. (GP-5605, Issue #8021)
* _Importer:Mach-O_. The `dyld_shared_cache` filesystem now exposes a complete set of files that encompass the cache's entire address space. Performing an __Add To Program__ on broken references should no longer result in the address not being found. (GP-5349)
* _Importer:Mach-O_. Fixed an issue in the Mach-O loader that prevented uninitialized segments from being mapped into memory. (GP-5532, Issue #7949)
* _Importer:Mach-O_. Fixed a bug that resulted in incorrect external addresses of Mach-O undefined symbols. (GP-5554, Issue #5941)
* _Languages_. Corrected x86-16 Protected Mode / System Management Mode language upgrade issues which could cause problems. This has been a long-standing problem which may have gone unnoticed but in some cases may have failed during the upgrade. (GP-5704, Issue #8140)
* _Multi-User:Merge_. Corrected various Multi-User Merge issues related to data types, including handling of missing/deleted datatypes, zero-length Structure components, and bit-field components. (GP-5421)
* _Multi-User:Merge_. Corrected various __Merge Tool__ Listing rendering issues related to external symbols. (GP-5480)
* _Multi-User:Merge_. Corrected possible exception during Bookmark merging. (GP-5626)
* _Processors_. Corrected patterns for x86 `INCSS`/`RDSSP` instructions. (GP-5267, Issue #6520)
* _Processors_. Corrected issue with AARCH64 `LDnR` instructions only writing to one register. (GP-5286, Issue #6470)
* _Processors_. Corrected `PUSHF` and `POPF` constructors in x86. (GP-5424, Issue #6601)
* _Processors_. Fixed instruction parsing for AARCH64 `dsb` instruction. (GP-5587, Issue #7996)
* _Processors_. Improved semantics for several AARCH64 Neon instructions. (GP-5622, Issue #5217)
* _Processors_. Fixed z80 `sub` instruction semantics. (GP-5659, Issue #8144)
* _Processors_. Corrected pcode for x86 `CVTTSD2SI` instruction. (GP-5665, Issue #8004, #8151)
* _Processors_. Corrected disassembly for several x86 AVX512 instructions missing immediate operands. (GP-5725)
* _Processors_. Corrected disassembly for RISC-V `max` and `minu` instructions. (GP-5729, Issue #8215)
* _Project_. Corrected project-folder-rename problem which was preventing subsequent use of decedent files. This change also corrected related project file refresh and corrects invalid file index data which could prevent file creation after a combination of folder-renaming and file-versioning control actions. (GP-5660)
* _SARIF_. Corrected various SARIF import/export failures. (GP-5749)
* _Scripting_. Fixed a bug in the VxWorksSymTab_Finder script when run in headless mode. (GP-5682, Issue #8156)
* _Scripting_. Fixed a bug that prevented PyGhidra from properly using the user's already-active virtual environment. (GP-5710, Issue #8180)
* _Testing_. Updated pcodetest scripts to Python3. (GP-4995)
### Notable API Changes
* _API_. (GP-5458) `GhidraProject.openProject.openProject()` now throws `NotFoundException, NotOwnerException, LockException`.
* _API_. (GP-5591) Removed unused and unsupported `DataType.getDocs()` method.
* _Debugger_. (GP-2040) Deleted `AbstractAsyncServer`, `AsyncClaimQueue`, `AsyncLock`, `AsyncLoop`, `AsyncPairingCache`, `AsyncRace`, `AsyncSequence*`, `BitmaskSet`, `DebugByteChannel`, `TypeSpec` and related, without replacements.
* _Debugger_. (GP-3450) Added `UnwoundFrame.evaluate(Program, Varnode, AddressSetView)`.
* _Debugger_. (GP-5379) Most accessor methods on `TraceUniqueObject` derivatives now require a `snap` argument. For getters, this is the snap for which the value is sought. For setters, this implies the effect is from that snap onward. In most cases, the GUI's current snap is suitable. (The deprecated legacy-mode objects ignore the argument.) This required argument has cascaded throughout many other parts of the API: `DebuggerStaticMappingService`, `AutoMapSpec`, `MapProposal.MapEntry`, `DebuggerStaticMappingService`, `ProgramModuleIndexer`, `DebuggerObjectActionContext`, `DebugerSectionActionContext`, `BreakpointActionSet`, and `*EmuBreakpointActionItem`. Additionally, `getLifespan` and similar, including setters and "split-and-set," have been removed from most `TraceObjectUnique` derivatives. For cases where you need to check if the object is valid at a particular time, use `isValid(long)`. For cases where you need to enumerate (e.g., to plot) the life, use the underlying `TraceObject`. To truncate the life of an object, use `remove(long)`. For `TraceThread` in particular, the destruction snap is now considered part of its life, which is consistent with how every other object has been treated. Connectors should (and already have been) using `remove`, which sets the "destruction snap" to the one preceding the current.
* _Debugger:Agents_. (GP-4209) On the Python side: The ghidratrace package is now type-checked using mypy. As a result, the annotations used for the method registry now use `typing.Annotated` when parameters need additional description. `Client.create_trace()` now also requires a named parameter `extra`. On the Java side: Added `TraceTimeManager.findScratchSnapshot`. The trace-rmi protocol has also changed.
* _Debugger:Agents_. (GP-5538) Powershell is now supported as a debug launcher language on Windows.
* _Debugger:Breakpoints_. (GP-4546) TraceRmi methods with `action="break_ext"` now appear in the new drop-down. TraceRmi methods can now also specify their menu icon, as well as the text for their confirmation button in parameter dialogs. These are the `icon` and `ok_text` attributes, respectively. The `icon` attribute should be the id of an icon given in a theme.properties file.
* _Debugger:dbgeng.dll_. (GP-5678) Added `DebuggerListingService.getAutoReadMemorySpec()`. Moved `AutoReadMemorySpec` into the Debugger-api module. Created `AutoReadMemorySpecFactory` and refactored accordingly.
* _Debugger:Listing_. (GP-616) Added `Trace.getBaseDataTypeManager()` method. Added `TracePlatform.getDataTypeManager()` method. Added `TraceBasedDataTypeManager.getPlatform()` method. `TraceDefinedDataView.create()` now takes optional `platform` argument. Added `TraceVariableSnapProgramView.setPlatform()` method. `DebuggerPlatformService.setCurrentMapperFor()` has an additional `focus` parameter. Most methods in `DebuggerPlatformMapper` now take both `object` and `snap` parameters. Added `AbstractDebuggerPlatformMapper.getDisassemblyPlatform()` method. `DbgengX64DisassemblyInject.Mode` and related methods moved to `DbgengDebuggerPlatformOpinion`.
* _Debugger:Listing_. (GP-5548) Added `DebuggerStaticSyncService` interface and its Plugin implementation. Moved `DebuggerOpenProgramActionContext` into API project. Added `DebuggerConsolePlugin.clear()` method.
* _Debugger:Memory_. (GP-3405) Added `TraceHighlightEvent`.
Added `TrackingChangedPluginEvent`.
Added `AbstractLocation/Selection/HighlightPluginEvent`.
* _Debugger:Objects_. (GP-5425) Several protected abstract methods in `AbstractTarget` are removed without replacement. `Target.collectActions` now requires an argument specifying how its object arguments are gathered.
* _Debugger:Stack_. (GP-3771) Added `UnwindInfo.maskOfReturn`.
* _Debugger:Time_. (GP-5523) Added `TimeRadix` class. Added `TraceTimeManager.set/getTimeRadix` methods. `TraceSchedule.toString` and `.parse` methods now accept radix argument. `Span.toString` can now accept custom endpoint formatter.
* _Decompiler_. (GP-5477) Added new methods to the DecompilerHighlightService to allow function-specific highlights.
* _Framework_. (GP-5436) Deleted the Debug/Framework-AsyncComm project/module. Most of its few remaining classes were moved to Framework/Generic.
* _GUI_. (GP-5375) `GTree.forceNewNodeIntoView()` has been replaced by `GTree.whenNodeIsReady()`.
* _ProgramDB_. (GP-5742) Deprecated the use of `int` to indicate a CommentType in favor of the newly created enum.
* _Version Tracking_. (GP-4151) The Dialog Wizard API has been completely rewritten.
# Ghidra 11.3.2 Change History (April 2025)
### Improvements

149
Ghidra/Configurations/Public_Release/src/global/docs/WhatsNew.md
View file

@ -15,17 +15,17 @@ applied Ghidra SRE capabilities to a variety of problems that involve analyzing
generating deep insights for NSA analysts who seek a better understanding of potential
vulnerabilities in networks and systems.
# What's New in Ghidra 11.3
# What's New in Ghidra 11.4
This release includes new features, enhancements, performance improvements, quite a few bug fixes,
and many pull-request contributions. Thanks to all those who have contributed their time, thoughts,
and code. The Ghidra user community thanks you too!
### The not-so-fine print: Please Read!
Ghidra 11.3 is fully backward compatible with project data from previous releases. However, programs
and data type archives which are created or modified in 11.3 will not be usable by an earlier Ghidra
Ghidra 11.4 is fully backward compatible with project data from previous releases. However, programs
and data type archives which are created or modified in 11.4 will not be usable by an earlier Ghidra
version.
**IMPORTANT:** Ghidra 11.3 requires at minimum JDK 21 to run.
**IMPORTANT:** Ghidra 11.4 requires at minimum JDK 21 to run.
**IMPORTANT:** To use the Debugger or do a full source distribution build, you will need Python3
(3.9 to 3.13 supported) installed on your system.
@ -59,110 +59,79 @@ process that will provide better results than prior Ghidra versions. You might
fresh import of any program you will continue to reverse engineer to see if the latest Ghidra
provides better results.
## PyGhidra
The PyGhidra Python library, originally developed by the Department of Defense Cyber Crime Center
(DC3) under the name *Pyhidra*, is a Python library that provides direct access to the Ghidra API
within a native CPython 3 interpreter using JPype. PyGhidra contains some conveniences for setting
up analysis on a given sample and running a Ghidra script locally. It also contains a Ghidra plugin
to allow the use of CPython 3 from the Ghidra GUI.
To launch Ghidra in PyGhidra mode, run `./support/pyghidra` (or `support\pyghidra.bat`). See the
*"PyGhidra Mode"* section of the *Getting Started* document and `Ghidra/Features/PyGhidra/README.html`
for more information.
## Search
## Visual Studio Code
Ghidra 11.2 introduced a `VSCodeProjectScript.java` GhidraScript to assist in setting up Visual Studio Code
project folders for Ghidra module development and debugging. This GhidraScript has been replaced in
Ghidra 11.3 by 2 new actions, accessible from a *CodeBrowser* tool:
+ *Tools -> Create VSCode Module Project...*
+ "*Edit Script with Visual Studio Code*" button in the Script Manager
A new "Search and Replace" feature allows searching for string patterns in a wide variety
of Ghidra elements and replacing that text with a different text sequence. Using this feature, many different
Ghidra elements can be renamed all at once including labels, functions, name-spaces, parameters, data-types,
field names, and enum values. This feature also supports regular expressions (including capture groups).
After initiating a search and replace, a results table is displayed with a list of items that match the
search. From this table, the replace actions can be applied in bulk or individually, one item at a time
as they are reviewed.
The "*Create VSCode Module Project...*" action provides the same capability as the old
`VSCodeProjectScript.java` GhidraScript, creating a Visual Studio Code project folder that contains a
skeleton module which can be used to build a variety of different Ghidra extension points
(Plugins, Analyzers, Loaders, etc). Launchers are also provided to run and debug the module in
Ghidra, as well as a Gradle task to export the module as a distributable Ghidra extension zip file.
## Taint Engine Support
The "*Edit Script with Visual Studio Code*" button in the Script Manager enables quick editing and
debugging of the selected script in a Visual Studio Code workspace that is automatically created
behind the scenes in Ghidra's user settings directory. This provides a much snappier and modern
alternative to Eclipse, while maintaining all of the core fuctionality you would expect from an IDE
(auto complete, hover, navigation, etc).
Extended support for using taint engines, particularly CTADL (https://github.com/sandialabs/ctadl)
and AngryGhidra (https://github.com/Nalen98/AngryGhidra), from the decompiler. Allows users to mark
pcode varnodes as sources and sinks, displaying paths from sources to sinks as both address selections
in the disassembly and token selections in the decompiler.
Ghidra will do its best to automatically locate your Visual Studio Code installation, but if cannot
find it, it can be set via the Front-End GUI at *Edit -> Tool Options -> Visual Studio Code
Integration*.
## Dockerized Ghidra
A new capability to build a docker image that demonstrates Ghidra's various entrypoint executions for `headless`,
`ghidra-server`, `bsim-server`, `bsim`, `pyghidra`, and `gui` within the docker container has been included. The Docker
image can be used as is, or can be tailored to your workflow needs. Configuration such as the base
image (linux distro), additional packages, and more is possible using Docker.
See the `docker/README.md` for information about building a docker image for Ghidra and running within the Ghidra container.
## Binary Formats
+ New loaders for the a.out and OMF-51 binary file formats.
+ Support for Mach-O "re-exports".
+ New ability to load Mach-O binaries directly from a Universal Binary without needing to open the File System Browser.
+ DWARF will now load external debug files during analysis as is done for PDB files.
## Debugger
The old "IN-VM" and "GADP" launchers and connectors have been removed, as their replacement
TraceRmi-based implementations have been satisfactorily completed. On that same note, the entire API
and supporting code base for IN-VM and GADP connectors have been removed.
We've begun to explore more kernel-level debugging. Our lldb connector can now debug the macOS
kernel, and our dbgeng connector can now debug a Windows kernel running in a VM via eXDI.
There have been numerous improvements, extensions for new targets, better launching and configuration, and bug fixes to the debugger.
## Emulator
We have introduced a new accelerated p-code emulator that uses Jit-in-Time translation (JIT).
This is *not* currently integrated in the UI but is available for scripting and plugin developers.
Its implementation is named `JitPcodeEmulator`, and it's a near drop-in replacement for `PcodeEmulator`.
See its javadoc for usage and implementation details. The JIT emulator is very new, so there may
still be many bugs.
## Analysis Speed
## Source File Information
Source file and line information can now be added to Ghidra using a Program's SourceFileManager.
The DWARF, PDB, and Go analyzers now record this information by default. Source information can also
be added programmatically; see the example scripts in the *SourceMapping* script category.
Source information can be viewed in the *"Source Map"* Listing Field or the `SourceFilesTablePlugin`,
which is accessible from the Code Browser via *Window -> Source Files and Transforms*.
Constant and Stack analysis time has been greatly decreased through algorithm improvements and better threading. There has been additional
work to loosen locking of the program database where possible. By locking only when necessary, multiple threads can better analyze the program
and interaction with the GUI during analysis should be more responsive.
The *"View Source..."* Listing action, enabled on addresses with source file information, opens a
source file at the correct line in either Eclipse or Visual Studio Code (there is a *"Source Files
and Transforms"* tool option to determine the viewer). The SourceFilesTablePlugin can be used to
modify the source file paths stored in the SourceFileManager before sending them to Eclipse or
Visual Studio Code.
## Golang
## Function Graph
The Function Graph has had a number of improvements:
+ Added new *"Flow Chart"* layouts
+ Position of the satellite view can be configured
+ Ctrl-Space toggles between the Listing and the Function Graph (starting fully zoomed in vs. fully
zoomed out is controlled by a Function Graph option)
Golang binary analysis analysis has been improved.
+ Analysis has been improved to model closures, interface methods, and generic functions more accurately.
+ Function signatures for core golang library functions are automatically applied.
+ Decompilation results are improved by filtering some verbose golang garbage collection function logic.
+ Addressed finding the Golang bootstrap information in stripped PE binaries.
## String Translation and Text Search
+ String translation has an additional translator available using the LibreTranslate service.
The LibreTranslate project (currently hosted at libretranslate.com) is an independent project
that provides an open source translation package that can be self-hosted, meaning you can translate
strings without sending them to a second party to translate, using an existing LibreTranslate server.
For more information search for LibreTranslate in the online Ghidra help pages.
**NOTE:** The LibreTranslate plugin is not enabled by default, and is added in the
*File -> Configure* menu.
## BSim
+ The ability to search the text of all decompiled functions has been added. Decompilation during
search occurs on the fly, so the latest decompilation results of all functions are used for the
search. The search can take some time depending on the number and size of functions in your binary.
The new action can be found at *Search -> Decompiled Text...*.
PostgreSQL for BSim has been updated to version 15.13 and the JDBC driver to 42.7.6. This resolves issues with building PostgreSQL
server on newer releases of Linux and compiler toolchains which compile with -std=c23 option by default. In addition,
building of PostgreSQL for linux_arm_64 and mac_arm_64 based platforms is supported.
+ BSim is now installed in the default Codebrowser tool.
+ Function names now update in BSim search results overview if the name is changed elsewhere in Ghidra.
## Processors
+ The x86 EVEX instruction write and read masking has been implemented for all AVX-512 instructions.
The handling of the mask is necessary as semantics are added for individual AVX-512 instructions.
+ TI_MSP430 decompilation has been improved through numerous changes to the processor's compiler
specifications file.
+ Corrected ARM VFPv2 instructions which were not disassembling correctly.
+ Enhanced support for the x86 AVX-512 processor extension with additional instruction support - including the BF16, FP16 and VNNI extensions.
+ Implemented many AARCH64 Neon instruction semantics to improve decompilation.
+ Upgraded pcodetest framework scripts to python3 and improved command-line options.
## Other Improvements
+ Much of Ghidra's standalone documentation has been modernized to the Markdown format. Generated
HTML versions are provided alongside the Markdown files for convenience. Converting all relevant
documents to Markdown remains an ongoing process. **NOTE:** There are no plans to convert the
internal Ghidra help system to Markdown, as the Java Help library does not support it.
+ Libraries can now be loaded into an already-imported program with the *File -> Load Libraries...*
action.
+ The CParser macro pre-processing will now halt on *"#error"* directives. This change had a ripple
effect and uncovered a myriad of bugs which have been addressed. In addition, the interim parsing
output has been improved to allow easier diagnosis when problems in parsing occur due to incorrect
define values or other header file issues.
+ Finally, a new `CreateUEFIGDTArchivesScript.java` parsing script has been added to parse UEFI header files
available from `github.com/tianocore/edk2`. Using a script vice released pre-parsed GDT files allows the
end user to parse the correct version with a configuration fitting their needs.
+ Many calling conventions for various processors/compilers have been improved using the more flexible decompiler rules
when the data types for parameters and return values are known.
+ Upgraded many 3rd party dependencies to address potential bugs and CVE's, including jars for Bouncy Castle,
Apache Commons Compress, Apache Commons Lang3, Apache Commons IO, protobuf, and JUnit.
## Additional Bug Fixes and Enhancements
Numerous other new features, improvements, and bug fixes are fully listed in the