yetangitu/ghidra
1
0
Fork 0
mirror of https://github.com/NationalSecurityAgency/ghidra.git synced 2025-10-03 09:49:23 +02:00
Code Issues Releases Wiki Activity

GP-0 11.4 WhatsNew

Browse source
This commit is contained in:
emteere 2025-06-17 19:48:17 +00:00 committed by ghidra1
parent 560497c5ff
commit c87e45857c
1 changed files with 60 additions and 91 deletions
Download patch file Download diff file Expand all files Collapse all files

149
Ghidra/Configurations/Public_Release/src/global/docs/WhatsNew.md
View file

@ -15,17 +15,17 @@ applied Ghidra SRE capabilities to a variety of problems that involve analyzing
generating deep insights for NSA analysts who seek a better understanding of potential generating deep insights for NSA analysts who seek a better understanding of potential
vulnerabilities in networks and systems. vulnerabilities in networks and systems.
# What's New in Ghidra 11.3 # What's New in Ghidra 11.4
This release includes new features, enhancements, performance improvements, quite a few bug fixes, This release includes new features, enhancements, performance improvements, quite a few bug fixes,
and many pull-request contributions. Thanks to all those who have contributed their time, thoughts, and many pull-request contributions. Thanks to all those who have contributed their time, thoughts,
and code. The Ghidra user community thanks you too! and code. The Ghidra user community thanks you too!
### The not-so-fine print: Please Read! ### The not-so-fine print: Please Read!
Ghidra 11.3 is fully backward compatible with project data from previous releases. However, programs Ghidra 11.4 is fully backward compatible with project data from previous releases. However, programs
and data type archives which are created or modified in 11.3 will not be usable by an earlier Ghidra and data type archives which are created or modified in 11.4 will not be usable by an earlier Ghidra
version. version.
**IMPORTANT:** Ghidra 11.3 requires at minimum JDK 21 to run. **IMPORTANT:** Ghidra 11.4 requires at minimum JDK 21 to run.
**IMPORTANT:** To use the Debugger or do a full source distribution build, you will need Python3 **IMPORTANT:** To use the Debugger or do a full source distribution build, you will need Python3
(3.9 to 3.13 supported) installed on your system. (3.9 to 3.13 supported) installed on your system.
@ -59,110 +59,79 @@ process that will provide better results than prior Ghidra versions. You might
fresh import of any program you will continue to reverse engineer to see if the latest Ghidra fresh import of any program you will continue to reverse engineer to see if the latest Ghidra
provides better results. provides better results.
## PyGhidra
The PyGhidra Python library, originally developed by the Department of Defense Cyber Crime Center
(DC3) under the name *Pyhidra*, is a Python library that provides direct access to the Ghidra API
within a native CPython 3 interpreter using JPype. PyGhidra contains some conveniences for setting
up analysis on a given sample and running a Ghidra script locally. It also contains a Ghidra plugin
to allow the use of CPython 3 from the Ghidra GUI.
To launch Ghidra in PyGhidra mode, run `./support/pyghidra` (or `support\pyghidra.bat`). See the ## Search
*"PyGhidra Mode"* section of the *Getting Started* document and `Ghidra/Features/PyGhidra/README.html`
for more information.
## Visual Studio Code A new "Search and Replace" feature allows searching for string patterns in a wide variety
Ghidra 11.2 introduced a `VSCodeProjectScript.java` GhidraScript to assist in setting up Visual Studio Code of Ghidra elements and replacing that text with a different text sequence. Using this feature, many different
project folders for Ghidra module development and debugging. This GhidraScript has been replaced in Ghidra elements can be renamed all at once including labels, functions, name-spaces, parameters, data-types,
Ghidra 11.3 by 2 new actions, accessible from a *CodeBrowser* tool: field names, and enum values. This feature also supports regular expressions (including capture groups).
+ *Tools -> Create VSCode Module Project...* After initiating a search and replace, a results table is displayed with a list of items that match the
+ "*Edit Script with Visual Studio Code*" button in the Script Manager search. From this table, the replace actions can be applied in bulk or individually, one item at a time
as they are reviewed.
The "*Create VSCode Module Project...*" action provides the same capability as the old ## Taint Engine Support
`VSCodeProjectScript.java` GhidraScript, creating a Visual Studio Code project folder that contains a
skeleton module which can be used to build a variety of different Ghidra extension points
(Plugins, Analyzers, Loaders, etc). Launchers are also provided to run and debug the module in
Ghidra, as well as a Gradle task to export the module as a distributable Ghidra extension zip file.
The "*Edit Script with Visual Studio Code*" button in the Script Manager enables quick editing and Extended support for using taint engines, particularly CTADL (https://github.com/sandialabs/ctadl)
debugging of the selected script in a Visual Studio Code workspace that is automatically created and AngryGhidra (https://github.com/Nalen98/AngryGhidra), from the decompiler. Allows users to mark
behind the scenes in Ghidra's user settings directory. This provides a much snappier and modern pcode varnodes as sources and sinks, displaying paths from sources to sinks as both address selections
alternative to Eclipse, while maintaining all of the core fuctionality you would expect from an IDE in the disassembly and token selections in the decompiler.
(auto complete, hover, navigation, etc).
Ghidra will do its best to automatically locate your Visual Studio Code installation, but if cannot ## Dockerized Ghidra
find it, it can be set via the Front-End GUI at *Edit -> Tool Options -> Visual Studio Code
Integration*. A new capability to build a docker image that demonstrates Ghidra's various entrypoint executions for `headless`,
`ghidra-server`, `bsim-server`, `bsim`, `pyghidra`, and `gui` within the docker container has been included. The Docker
image can be used as is, or can be tailored to your workflow needs. Configuration such as the base
image (linux distro), additional packages, and more is possible using Docker.
See the `docker/README.md` for information about building a docker image for Ghidra and running within the Ghidra container.
## Binary Formats
+ New loaders for the a.out and OMF-51 binary file formats.
+ Support for Mach-O "re-exports".
+ New ability to load Mach-O binaries directly from a Universal Binary without needing to open the File System Browser.
+ DWARF will now load external debug files during analysis as is done for PDB files.
## Debugger ## Debugger
The old "IN-VM" and "GADP" launchers and connectors have been removed, as their replacement
TraceRmi-based implementations have been satisfactorily completed. On that same note, the entire API
and supporting code base for IN-VM and GADP connectors have been removed.
We've begun to explore more kernel-level debugging. Our lldb connector can now debug the macOS There have been numerous improvements, extensions for new targets, better launching and configuration, and bug fixes to the debugger.
kernel, and our dbgeng connector can now debug a Windows kernel running in a VM via eXDI.
## Emulator ## Analysis Speed
We have introduced a new accelerated p-code emulator that uses Jit-in-Time translation (JIT).
This is *not* currently integrated in the UI but is available for scripting and plugin developers.
Its implementation is named `JitPcodeEmulator`, and it's a near drop-in replacement for `PcodeEmulator`.
See its javadoc for usage and implementation details. The JIT emulator is very new, so there may
still be many bugs.
## Source File Information Constant and Stack analysis time has been greatly decreased through algorithm improvements and better threading. There has been additional
Source file and line information can now be added to Ghidra using a Program's SourceFileManager. work to loosen locking of the program database where possible. By locking only when necessary, multiple threads can better analyze the program
The DWARF, PDB, and Go analyzers now record this information by default. Source information can also and interaction with the GUI during analysis should be more responsive.
be added programmatically; see the example scripts in the *SourceMapping* script category.
Source information can be viewed in the *"Source Map"* Listing Field or the `SourceFilesTablePlugin`,
which is accessible from the Code Browser via *Window -> Source Files and Transforms*.
The *"View Source..."* Listing action, enabled on addresses with source file information, opens a ## Golang
source file at the correct line in either Eclipse or Visual Studio Code (there is a *"Source Files
and Transforms"* tool option to determine the viewer). The SourceFilesTablePlugin can be used to
modify the source file paths stored in the SourceFileManager before sending them to Eclipse or
Visual Studio Code.
## Function Graph Golang binary analysis analysis has been improved.
The Function Graph has had a number of improvements: + Analysis has been improved to model closures, interface methods, and generic functions more accurately.
+ Added new *"Flow Chart"* layouts + Function signatures for core golang library functions are automatically applied.
+ Position of the satellite view can be configured + Decompilation results are improved by filtering some verbose golang garbage collection function logic.
+ Ctrl-Space toggles between the Listing and the Function Graph (starting fully zoomed in vs. fully + Addressed finding the Golang bootstrap information in stripped PE binaries.
zoomed out is controlled by a Function Graph option)
## String Translation and Text Search ## BSim
+ String translation has an additional translator available using the LibreTranslate service.
The LibreTranslate project (currently hosted at libretranslate.com) is an independent project
that provides an open source translation package that can be self-hosted, meaning you can translate
strings without sending them to a second party to translate, using an existing LibreTranslate server.
For more information search for LibreTranslate in the online Ghidra help pages.
**NOTE:** The LibreTranslate plugin is not enabled by default, and is added in the
*File -> Configure* menu.
+ The ability to search the text of all decompiled functions has been added. Decompilation during PostgreSQL for BSim has been updated to version 15.13 and the JDBC driver to 42.7.6. This resolves issues with building PostgreSQL
search occurs on the fly, so the latest decompilation results of all functions are used for the server on newer releases of Linux and compiler toolchains which compile with -std=c23 option by default. In addition,
search. The search can take some time depending on the number and size of functions in your binary. building of PostgreSQL for linux_arm_64 and mac_arm_64 based platforms is supported.
The new action can be found at *Search -> Decompiled Text...*.
+ BSim is now installed in the default Codebrowser tool.
+ Function names now update in BSim search results overview if the name is changed elsewhere in Ghidra.
## Processors ## Processors
+ The x86 EVEX instruction write and read masking has been implemented for all AVX-512 instructions.
The handling of the mask is necessary as semantics are added for individual AVX-512 instructions. + Enhanced support for the x86 AVX-512 processor extension with additional instruction support - including the BF16, FP16 and VNNI extensions.
+ TI_MSP430 decompilation has been improved through numerous changes to the processor's compiler + Implemented many AARCH64 Neon instruction semantics to improve decompilation.
specifications file. + Upgraded pcodetest framework scripts to python3 and improved command-line options.
+ Corrected ARM VFPv2 instructions which were not disassembling correctly.
## Other Improvements ## Other Improvements
+ Much of Ghidra's standalone documentation has been modernized to the Markdown format. Generated + Many calling conventions for various processors/compilers have been improved using the more flexible decompiler rules
HTML versions are provided alongside the Markdown files for convenience. Converting all relevant when the data types for parameters and return values are known.
documents to Markdown remains an ongoing process. **NOTE:** There are no plans to convert the + Upgraded many 3rd party dependencies to address potential bugs and CVE's, including jars for Bouncy Castle,
internal Ghidra help system to Markdown, as the Java Help library does not support it. Apache Commons Compress, Apache Commons Lang3, Apache Commons IO, protobuf, and JUnit.
+ Libraries can now be loaded into an already-imported program with the *File -> Load Libraries...*
action.
+ The CParser macro pre-processing will now halt on *"#error"* directives. This change had a ripple
effect and uncovered a myriad of bugs which have been addressed. In addition, the interim parsing
output has been improved to allow easier diagnosis when problems in parsing occur due to incorrect
define values or other header file issues.
+ Finally, a new `CreateUEFIGDTArchivesScript.java` parsing script has been added to parse UEFI header files
available from `github.com/tianocore/edk2`. Using a script vice released pre-parsed GDT files allows the
end user to parse the correct version with a configuration fitting their needs.
## Additional Bug Fixes and Enhancements ## Additional Bug Fixes and Enhancements
Numerous other new features, improvements, and bug fixes are fully listed in the Numerous other new features, improvements, and bug fixes are fully listed in the