Commit graph

14941 commits

Author SHA1 Message Date
Ryan Kurtz
cdc5af10e4 GP-5648: Certification header support for .bat and .ps1 files 2025-08-20 05:58:46 -04:00
Ryan Kurtz
154aa4460c Merge remote-tracking branch 'origin/GP-0-dragonmacher-test-fixes-8-19-25-2' into patch 2025-08-20 05:10:24 -04:00
ghidra1
d38f512437 GP-1 Added ability to skip building of all natives for gradle build 2025-08-19 18:08:30 -04:00
dragonmacher
3e240563ab Test debug 2025-08-19 16:49:40 -04:00
Ryan Kurtz
21b27795dd Merge remote-tracking branch 'origin/GP-5889_SwitchGuardDuplicate' into patch 2025-08-19 14:53:47 -04:00
Ryan Kurtz
105f9ef570 GP-5916: Checking for IMAGE_FUNCTION_RUNTIME_ENTRY.BeginAddress != 0
before creating function (#8414)
2025-08-19 07:19:10 -04:00
Ryan Kurtz
729642cbf6 Merge remote-tracking branch 'origin/GP-5912_emteere_SuperH_GBR' into
patch (Closes #4387)
2025-08-19 05:57:47 -04:00
Ryan Kurtz
f4ddff1a2c Merge remote-tracking branch 'origin/GP-5935_ryanmkurtz_pe' into patch
(Closes #8446)
2025-08-18 13:41:23 -04:00
Ryan Kurtz
328042f00f GP-5935: The IMAGE_RESOURCE_DIRECTORY_ENTRY data type is now correctly
defined as a structure instead of a union
2025-08-18 13:40:34 -04:00
Ryan Kurtz
465fba743b GP-5901: Fixing Gradle 9 archive file permissions 2025-08-18 07:15:49 -04:00
Ryan Kurtz
2ca382da7d Merge remote-tracking branch 'origin/GP-5928_ghizard_PDB_Fixed_issue_with_members_only_layout_losing_members' into patch 2025-08-13 06:02:33 -04:00
Ryan Kurtz
ed7c7019cd Merge remote-tracking branch
'origin/GP-5910_ryanmkurtz_IntelHexExporter--SQUASHED' into patch
(Closes #8409)
2025-08-13 06:00:28 -04:00
Ryan Kurtz
8c4bb84489 GP-5910: IntelHexExporter fixes 2025-08-13 05:56:40 -04:00
ghizard
dcd26f14d2 GP-5928 - PDB - Fix lost members of some composites 2025-08-12 16:46:46 -04:00
ghidra1
cf61a2ffaf Merge remote-tracking branch 'origin/GP-5918_ELF_MIPS64_RelocationFix' into patch 2025-08-11 17:51:36 -04:00
ghidra1
f7138da6f7 GP-5918 Corrected ELF Relocation regression for MIPS 64-bit introduced
with GP-5826 in Ghidra 11.4.1
2025-08-11 13:00:58 -04:00
caheckman
9c9938e066 GP-5889 Check for common source in duplicated switch guard detection 2025-08-08 21:59:45 +00:00
Ryan Kurtz
8055da80b8 Merge remote-tracking branch 'origin/GP-5915_ConditionalJoinFix' into
patch (Closes #8310)
2025-08-07 12:14:49 -04:00
caheckman
29b7cb6552 GP-5915 Fix bug in ConditionalJoin 2025-08-07 15:19:32 +00:00
emteere
28313c6574 GP-5912 Adding SH2 GBR register to the preserved by call list 2025-08-07 12:44:05 +00:00
Ryan Kurtz
3e550cf08f GP-5919: Backporting decompiler highSymbol NPE fix (Closes #8413) 2025-08-07 06:41:37 -04:00
Ryan Kurtz
a638bb9a66 GP-5916: Fixing PE ImageRuntimeFunctionEntries 11.4.1 regression
(Closes #8414)
2025-08-06 13:17:00 -04:00
Ryan Kurtz
22de131dd0 Merge branch 'GP-5901_ryanmkurtz_gradle9' into patch 2025-08-04 06:22:05 -04:00
Ryan Kurtz
2180fd2851 GP-5901: Support for Gradle 9.0.0 2025-08-04 06:21:21 -04:00
ghidra1
ada4b5c4ae GP-0 Update Ghidra patch version to 11.4.2 2025-07-31 13:52:18 -04:00
ghidra1
da059ed907 GP-0 Reverted version to 11.4.1 for patch release 2025-07-31 11:21:23 -04:00
ghidra1
2f439d6909 GP-0 Set release version to 11.4.2 2025-07-30 10:11:39 -04:00
ghidra1
cc932b12b2 GP-5888 Corrected regression error in stack editor 2025-07-30 10:09:35 -04:00
Ryan Kurtz
369804843c GP-0: Fixing docker README file location 2025-07-30 07:56:15 -04:00
ghidra1
fe7cbd8ee8 GP-0 Updated ChangeHistory for 11.4.1 release 2025-07-29 14:31:09 -04:00
ghidra1
a3137e33d7 GP-5881 Corrected regression error with Structure editor change 2025-07-29 14:00:21 -04:00
ghidorahrex
4abf6d55ad GP-5766: Fixed instruction AVX512 disassembly errors 2025-07-29 08:56:43 -04:00
Ryan Kurtz
9b8468b6b6 Merge remote-tracking branch
'origin/GP-5592_ghidorahrex_PR-7982_niooss-ledger_ebpf-ISA-v4' into
patch (Closes #7982)
2025-07-29 08:53:18 -04:00
Nicolas Iooss
24d19f6e8c Add eBPF ISA v4 instructions
In 2023, the eBPF instruction set was modified to add several
instructions related to signed operations (load with sign-extension,
signed division, etc.), a 32-bit jump instruction and some byte-swap
instructions. This became version 4 of eBPF ISA.

Here are some references about this change:

- https://pchaigno.github.io/bpf/2021/10/20/ebpf-instruction-sets.html
  (a blog post about eBPF instruction set extensions)
- https://lore.kernel.org/bpf/4bfe98be-5333-1c7e-2f6d-42486c8ec039@meta.com/
  (documentation sent to Linux Kernel mailing list)
- https://www.rfc-editor.org/rfc/rfc9669.html#name-sign-extension-load-operati
  (IETF's BPF Instruction Set Architecture standard defined the new
  instructions)
- https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/core.c?h=v6.14#n1859
  (implementation of signed division and remainder in Linux kernel.
  This shows that 32-bit signed DIV and signed MOD are zero-extending
  the result in DST)
- https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/core.c?h=v6.14#n2135
  (implementation of signed memory load in Linux kernel)
- https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1f9a1ea821ff25353a0e80d971e7958cd55b47a3
  (commit which added signed memory load instructions in Linux kernel)

This can be tested with a recent enough version of clang and LLVM (this
works with clang 19.1.4 on Alpine 3.21).
For example for signed memory load instructions:

    signed int sext_8bit(signed char x) {
        return x;
    }

produces:

    $ clang -O0 -target bpf -mcpu=v4 -c test.c -o test.ebpf
    $ llvm-objdump -rd test.ebpf
    ...
    0000000000000000 <sext_8bit>:
           0:  73 1a ff ff 00 00 00 00  *(u8 *)(r10 - 0x1) = r1
           1:  91 a1 ff ff 00 00 00 00  r1 = *(s8 *)(r10 - 0x1)
           2:  bc 10 00 00 00 00 00 00  w0 = w1
           3:  95 00 00 00 00 00 00 00  exit

(The second instruction is a signed memory load)

Instruction MOVS (Sign extend register MOV) uses offset to encode the
conversion (whether the source register is to be considered as signed
8-bit, 16-bit or 32-bit integer). The mnemonic for these instructions is
quite unclear:

- They are all named MOVS in the proposal
  https://lore.kernel.org/bpf/4bfe98be-5333-1c7e-2f6d-42486c8ec039@meta.com/
- LLVM and Linux disassemblers only display pseudo-code (`r0 = (s8)r1`)
- RFC 9669 (https://datatracker.ietf.org/doc/rfc9669/) uses MOVSX for
  all instructions.
- GCC uses MOVS for all instructions:
  https://github.com/gcc-mirror/gcc/blob/releases/gcc-14.1.0/gcc/config/bpf/bpf.md?plain=1#L326-L365

To make the disassembled code clearer, decode such instructions with a
size suffix: MOVSB, MOVSH, MOVSW.

The decoding of instructions 32-bit JA, BSWAP16, BSWAP32 and BSWAP64 is
straightforward.
2025-07-29 12:45:06 +00:00
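
An added example, not part of the commit above or of Ghidra's SLEIGH specification: a minimal Python decoder for the encodings that commit message describes, run over the four instruction words from its llvm-objdump listing plus one constructed MOVS word. The field layout, the MEMSX mode value 0x80 and the MOV offset values 8/16/32 follow RFC 9669; the function names and the `MOVSB r0, r1` operand syntax are assumptions made for illustration.

```python
import struct

SIZE_BITS = {0x00: 32, 0x08: 16, 0x10: 8, 0x18: 64}  # W, H, B, DW size field
MODE_MEM, MODE_MEMSX = 0x60, 0x80                     # MEMSX is new in ISA v4
MOVS_SUFFIX = {8: "B", 16: "H", 32: "W"}              # suffixes named in the commit


def decode(raw: bytes) -> str:
    """Decode one 8-byte little-endian eBPF instruction (small subset only)."""
    opcode, regs, off, imm = struct.unpack("<BBhi", raw)
    dst, src = regs & 0x0F, regs >> 4
    cls = opcode & 0x07

    if cls in (0x01, 0x03) and (opcode & 0xE0) in (MODE_MEM, MODE_MEMSX):
        bits = SIZE_BITS[opcode & 0x18]
        base = src if cls == 0x01 else dst
        addr = f"r{base} {'-' if off < 0 else '+'} {abs(off):#x}"
        if cls == 0x01:  # LDX: MEMSX sign-extends, MEM zero-extends
            sign = "s" if (opcode & 0xE0) == MODE_MEMSX else "u"
            return f"r{dst} = *({sign}{bits} *)({addr})"
        if (opcode & 0xE0) == MODE_MEM:  # STX has no sign-extending form
            return f"*(u{bits} *)({addr}) = r{src}"

    if cls in (0x04, 0x07) and (opcode & 0xF8) == 0xB8:  # MOV, register source
        reg = "r" if cls == 0x07 else "w"
        if off == 0:
            return f"{reg}{dst} = {reg}{src}"
        # Offset selects the source width; 32 is only valid for 64-bit MOV.
        if off in MOVS_SUFFIX and (cls == 0x07 or off != 32):
            return f"MOVS{MOVS_SUFFIX[off]} {reg}{dst}, {reg}{src}"

    if opcode == 0x95:
        return "exit"
    return f"unsupported opcode {opcode:#04x}"


def disassemble(code: bytes) -> list:
    return [decode(code[i:i + 8]) for i in range(0, len(code), 8)]


# Instruction bytes copied from the llvm-objdump listing in the commit message.
SAMPLE = bytes.fromhex(
    "731affff00000000" "91a1ffff00000000" "bc10000000000000" "9500000000000000"
)
# Constructed for this example: 64-bit MOV, register source, offset 8.
CONSTRUCTED_MOVS = bytes.fromhex("bf10080000000000")

if __name__ == "__main__":
    for line in disassemble(SAMPLE + CONSTRUCTED_MOVS):
        print(line)
```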
Ryan Kurtz
0d8a39a07a Merge remote-tracking branch
'origin/GP-5857_ghidorahrex_PR-7979_niooss-ledger_ebpf-fix-load-zext'
into patch (Closes #7979)
2025-07-29 08:24:03 -04:00
Ryan Kurtz
b4239911c9 Merge remote-tracking branch
'origin/GP-5858_ghidorahrex_PR-7929_niooss-ledger_fix-ebpf-call-operand'
into patch (Closes #7929)
2025-07-29 08:21:27 -04:00
Ryan Kurtz
179263a592 Merge remote-tracking branch
'origin/GP-5593_ghidorahrex_PR-7985_niooss-ledger_ebpf-fix-semantic-byte-swap-instructions'
into patch (Closes #7985)
2025-07-29 08:19:37 -04:00
Ryan Kurtz
28b46c5c93 Merge remote-tracking branch
'origin/GP-5336_ghidorahrex_PR-7065_philpem_6805_hcs08_xidx_fix' into
patch (Closes #7065, Closes #7064)
2025-07-29 08:16:11 -04:00
ghidra1
296778319e GP-5881 Minor Structure editor event handling improvement 2025-07-28 17:01:42 -04:00
Ryan Kurtz
1486a06165 Merge remote-tracking branch
'origin/GP-5877_Dan_fixReDisassembler--SQUASHED' into patch
(Closes #8382)
2025-07-28 17:25:05 +00:00
Ryan Kurtz
b729d9b217 Merge remote-tracking branch
'origin/GP-5876-dragonmacher-vt-column-exception-patch' into patch
(Closes #8094)
2025-07-28 17:23:02 +00:00
Dan
39c0a83c0c GP-5877: Fix Patch Instruction action in some Harvard architectures. 2025-07-28 15:48:40 +00:00
Ryan Kurtz
60ff7c9791 Merge remote-tracking branch 'origin/GP-5867_dev747368_dwarf_only_iterate_defined_dtc' into patch 2025-07-28 15:46:50 +00:00
Ryan Kurtz
6f339247ef Merge remote-tracking branch
'origin/GP-5788_Dan_addActionForciblyCloseTxes--SQUASHED' into patch
(Closes #8298)
2025-07-28 12:41:31 +00:00
Ryan Kurtz
790fe71c41 Merge remote-tracking branch 'origin/GP-5553_Dan_lessTimingOut' into patch 2025-07-28 12:39:41 +00:00
Ryan Kurtz
35202441cc Merge remote-tracking branch
'origin/GP-5764_ghidra007_rttiscript_vfunctions_dont_force_thiscalls--SQUASHED'
into patch (Closes #8163)
2025-07-28 12:32:06 +00:00
Dan
1ad0a0f719 GP-5788: Add an action to forcibly close all transactions for a target (in case of back-end misbehavior) 2025-07-28 12:31:48 +00:00
dragonmacher
0286fb59fa GP-5876 - Fixed table column exception seen when using Version Tracking 2025-07-25 19:29:07 -04:00
ghidra007
cee04048cb GP-5764 added option to RecoverClassesFromRTTIScript enabling users to not force vfunctions to be thiscalls. 2025-07-25 22:15:27 +00:00
Dan
9767073b32 GP-5553: Disable timing out when we have a ProgressService. 2025-07-25 19:36:55 +00:00