mirror of
https://github.com/NationalSecurityAgency/ghidra.git
synced 2024-11-23 12:49:45 +00:00
Merge remote-tracking branch 'origin/GP-0_WhatsNew11.2' into Ghidra_11.2
This commit is contained in:
commit
7e6daf45e1
@ -47,33 +47,37 @@
|
||||
</P>
|
||||
<hr>
|
||||
|
||||
<H1>What's New in Ghidra 11.1</H1>
|
||||
|
||||
<H2>The not-so-fine print: Please Read!</H2>
|
||||
|
||||
<H1>What's New in Ghidra 11.2</H1>
|
||||
|
||||
<P>This release includes new features, enhancements, performance improvements, quite a few bug fixes, and many pull-request
|
||||
contributions. Thanks to all those who have contributed their time, thoughts, and code. The Ghidra user community thanks you too!</P>
|
||||
|
||||
<H2>The not-so-fine print: Please Read!</H2>
|
||||
|
||||
<P>Ghidra 11.x is fully backward compatible with project data from previous releases.
|
||||
However, programs and data type archives which are created or modified in 11.x will not be usable by an earlier Ghidra version. </P>
|
||||
<P>Ghidra 11.2 is fully backward compatible with project data from previous releases.
|
||||
However, programs and data type archives which are created or modified in 11.2 will not be usable by an earlier Ghidra version.</P>
|
||||
|
||||
<P>This distribution requires at minimum JDK 17 to run, but can also run under JDK 21.</P>
|
||||
<P><span class="gtitle">IMPORTANT:</span> Ghidra 11.2 requires at minimum JDK 21 to run.</P>
|
||||
|
||||
<P>NOTE: Each build distribution will include native components (e.g., decompiler) for at least one platform (e.g., Windows x86-64).
|
||||
<P><span class="gtitle">IMPORTANT:</span> To use the Debugger or do a full source distribution build, you will need Python3 (3.9 to 3.12 supported) installed on your system.</P>
|
||||
|
||||
<P><span class="gtitle">NOTE:</span> There have been reports of certain features causing the XWindows server to crash. A fix for
|
||||
CVE-2024-31083 in X.org software in April 2024 introduced a regression, which has been fixed in xwayland 23.2.6 and xorg-server 21.1.13. If you experience
|
||||
any crashing of Ghidra, most likely causing a full logout, check if your xorg-server has been updated to at least the noted version.</P>
|
||||
|
||||
<P><span class="gtitle">NOTE:</span> Each build distribution will include native components (e.g., decompiler) for at least one platform (e.g., Windows x86-64).
|
||||
If you have another platform that is not included in the build distribution, you can build
|
||||
native components for your platform directly from the distribution.
|
||||
See the <a href="InstallationGuide.html">Ghidra Installation Guide</a> for additional information.
|
||||
Users running with older shared libraries and operating systems (e.g., CentOS 7.x) may also run into
|
||||
compatibility errors when launching native executables such as the Decompiler and GNU Demangler which
|
||||
may necessitate a rebuild of native components.</P>
|
||||
|
||||
<P>IMPORTANT: To use the Debugger, you will need Python3 (3.7 to 3.12 supported) installed on your system.</P>
|
||||
|
||||
<P>NOTE: Ghidra Server: The Ghidra 11.x server is compatible with Ghidra 9.2 and later Ghidra clients. Ghidra 11.x
|
||||
<P><span class="gtitle">NOTE:</span> Ghidra Server: The Ghidra 11.x server is compatible with Ghidra 9.2 and later Ghidra clients. Ghidra 11.x
|
||||
clients are compatible with all 10.x and 9.x servers. Although, due to potential Java version differences, it is recommended
|
||||
that Ghidra Server installations older than 10.2 be upgraded. Those using 10.2 and newer should not need a server upgrade.</P>
|
||||
|
||||
<P>NOTE: Any programs imported with a Ghidra beta version or code built directly from source code outside of a release tag may not be compatible,
|
||||
<P><span class="gtitle">NOTE:</span> Any programs imported with a Ghidra beta version or code built directly from source code outside of a release tag may not be compatible,
|
||||
and may have flaws that won't be corrected by using this new release. Any programs analyzed from a beta or other local master source build should be considered
|
||||
experimental and re-imported and analyzed with a release version.</P>
|
||||
|
||||
@ -82,148 +86,77 @@
|
||||
Ghidra versions. You might consider comparing a fresh import of any program you will continue to reverse engineer to see if the latest Ghidra
|
||||
provides better results.</P>
|
||||
|
||||
<H2>Debugger </H2>
|
||||
<H2>Memory Search</H2>
|
||||
|
||||
<P><span class="gtitle">ATTENTION:</span> Please delete and re-import the default Debugger tool!</P>
|
||||
<P>The <span class="gtitle">Search Memory</span> feature in Ghidra has been updated substantially to provide two new features:</P>
|
||||
<BLOCKQUOTE>
|
||||
<UL>
|
||||
<LI>The ability to perform set operations on successive searches</LI>
|
||||
<LI>The ability to (re)scan memory for changes in value</LI>
|
||||
</UL>
|
||||
</BLOCKQUOTE>
|
||||
|
||||
<P>Set operations, accessible from the pull-down menu under <span class="gtitle">Search</span>, allow you to augment
|
||||
results by performing boolean operations on an existing search. For example, you might search for the hex pattern "DE AD" using <span class="gtitle">Search</span>,
|
||||
add "BE EF" to the pattern field, and then select "A-B" to retrieve a list of byte sequences that begin with "DE AD" but do not include "DE AD BE EF".
|
||||
Scanning for changes is most useful in a dynamic environment, such as the Debugger. Given an existing search, you can look for values that have changed,
|
||||
increased, decreased, or remained the same. Simple examples might include looking for counters while a process is running, checking for areas of decompressed
|
||||
memory, or identifying active areas of the heap.</P>
|
||||
|
||||
<H2>PDB</H2>
|
||||
|
||||
<P>The PDB Symbol Server Search Config dialog has been changed, allowing the user to mark symbol servers as trusted or untrusted.
|
||||
This is an improvement over the previous mechanism that based trust on the symbol server's connection type.</P>
|
||||
|
||||
<H2>Debugger</H2>
|
||||
|
||||
<P><span class="gtitle">ATTENTION:</span> Please either delete and re-import the default Emulator tool, or
|
||||
manually remove the TraceRmiPlugin from your EmulatorTool!</P>
|
||||
|
||||
<P>There are new launchers/features for the traceRMI version of dbgeng, including extended launch options, kernel debugging, and
|
||||
remote process server connections.</P>
|
||||
|
||||
<H2>Decompiler</H2>
|
||||
|
||||
<P>The Decompiler can now automatically recover strings built on the stack and initial support for optimized heap strings has been added.
|
||||
Stack strings are typically found in optimized code and obfuscated malware.</P>
|
||||
|
||||
<P>A new Search All action has been added which displays a table containing the results found within the current function.</P>
|
||||
|
||||
<H2>Programming Languages</H2>
|
||||
|
||||
<P> We are introducing a new debugger connection system called Trace RMI. This is replacing the older system,
|
||||
which we are calling the Recorder system.</P>
|
||||
<P>Golang support for versions 1.15 and 1.16 have been added. This brings the supported Golang versions to 1.15 thru 1.22.</P>
|
||||
|
||||
<H2>Processors</H2>
|
||||
|
||||
<P>There have been quite a few improvements to the Sparc processor specification, including additional instructions, 64-bit relocation support, and better
|
||||
handling of call/return detection through tracking of the o7 link register. In addition, the calling convention for both sparc 32 and 64 bit binaries
|
||||
have had an overhaul to support hidden structure return and much improved parameter allocation of floating point and general data types.</P>
|
||||
|
||||
<P>The most noticeable difference will be a new menu for launching targets. It is very similar to the previous system, but with some key differences:</P>
|
||||
<BLOCKQUOTE>
|
||||
<UL>
|
||||
<LI>Connection and launching are no longer separated into two different configuration panels. There is one panel to launch your target.</LI>
|
||||
<LI>Ghidra will no longer attempt to launch blindly with defaults. The first time you launch a program, you must select a launcher and configure it.</LI>
|
||||
<LI>After the initial launch you can re-launch with a previous configuration, without requiring a prompt.</LI>
|
||||
</UL>
|
||||
</BLOCKQUOTE>
|
||||
<P>The Intel M16C/60/80 sleigh processor specifications have been added. In addition, there have been numerous fixes to the
|
||||
ARM, RX, M68000, PIC16, PPC, and x86 processor specifications.</P>
|
||||
|
||||
<P>The next most noticeable difference will be the replacement of the Interpreter window with the Terminal window. This is a proper VT-100
|
||||
terminal emulator, so the experience will be much like, if not identical to, how you'd debug in a plain terminal, except embedded into and integrated with Ghidra.
|
||||
Some notable improvements that brings:</P>
|
||||
<BLOCKQUOTE>
|
||||
<UL>
|
||||
<LI>Tab completion, history, etc., should all work as implemented by the connected debugger's command-line interface.</LI>
|
||||
<LI>When the target is running, it has proper I/O in that terminal.</LI>
|
||||
<LI>If connecting goes poorly for some reason, the debugger's command-line interface is likely still operational.</LI>
|
||||
</UL>
|
||||
</BLOCKQUOTE>
|
||||
|
||||
<P>You may also notice the replacement of the Debugger Targets window with the Connection Manager window, and the replacement
|
||||
of the Objects window with the Model window. These are operationally very similar to their previous counterparts.</P>
|
||||
<H2>Other Improvements</H2>
|
||||
|
||||
<P>Actions have been added to compare functions directly from the Listing, Decompiler, or Functions Table via popup menu items. If there
|
||||
is already a Function Comparison window showing, there are two actions: one to add the selected function(s) to the existing comparison, and
|
||||
one to create a new Function Comparison Window. This allows a workflow where users can build up a set of functions to compare as they browse
|
||||
around instead of having to select them all at once.</P>
|
||||
|
||||
<P>For Ghidra script and plugin developers who would prefer to use Visual Studio Code, a new script VSCodeProjectScript will create a new
|
||||
Visual Studio Code project that is setup to do Ghidra scripting and module development. The capabilities are similar to the Eclipse
|
||||
GhidraDev plugin.</P>
|
||||
|
||||
<P>There have been major speed improvements when creating or modifying large structures within the structure editor. In general large structure manipulation
|
||||
should perform fluidly no matter the size of the structure. If the structure contains a large number of defined data, there could still be some degradation in
|
||||
speed. Some fixed performance issues include: resizing a structure smaller or larger, clicking on an item to select a row, and defining a data type either with keyboard actions or dragging
|
||||
and dropping from the data type manager. In addition, the behavior of automatically growing the size of a structure has been made consistent. Defining data on the last element of a structure
|
||||
is allowed to automatically grow the structure to fit the data type. Defining data anywhere other than the last element isn't allowed if the data type does not fit because
|
||||
of defined data that would need to be cleared, or there are not enough undefined bytes.</P>
|
||||
|
||||
<P><span class="gtitle">For Power Users:</span> The launchers are just shell scripts on Linux and macOS, and batch files on Windows. We have provided plugins
|
||||
for integrating with GDB, LLDB, and the Windows Debugger. So long as your target works with one of these debuggers, orchestrating
|
||||
another kind of target is mostly a matter of creating a new shell script. This is usually accomplished by using the most similar
|
||||
one as a template and then trying it out in Ghidra. When errors occur, Ghidra will inform you of what progress it made before it
|
||||
failed, and the Terminal should display any error messages produced by your script.</P>
|
||||
|
||||
<P><span class="gtitle">For Developers:</span> Developers may notice that debugger integration is now all done using Python 3.
|
||||
We have specified a new protocol we call Trace RMI, which provides client access to Ghidra's trace databases over TCP.
|
||||
It uses protobuf and is substantially simpler than the previous GADP protocol. We have provided the client implementation in
|
||||
Python 3. Existing integrations can be fairly easily extended, if necessary. For example, see the support for Wine we included in our GDB plugin.</P>
|
||||
|
||||
<P>If you wish to integrate a completely new debugger, and it has a Python 3 API, then things are relatively straightforward, so long as
|
||||
the debugger provides the events and information that Ghidra expects. Use an existing plugin as a template or reference and have fun.
|
||||
If the new debugger does not have Python 3 bindings, the protobuf specification is available, so the client can be ported, if necessary.</P>
|
||||
|
||||
<P><span class="gtitle">IMPORTANT:</span> To use the new Trace RMI system, you will need Python3 (3.7 to 3.12 supported) installed on your system.
|
||||
Additional setup may be required for each type of debug connection. Press <span class="gtitle">F1</span> in the debug connector's launch dialog
|
||||
for more information.</P>
|
||||
|
||||
<P>Overall, we believe this a substantially more approachable system than our previous DebuggerObjectModel SPI used in the Recorder system.</P>
|
||||
|
||||
|
||||
<H2>GhidraGo </H2>
|
||||
|
||||
<P>GhidraGo is an experimental feature that adds integration support for Ghidra URL's and Ghidra Tools. GhidraGO can now process GhidraURL's that
|
||||
locate folders within a project instead of only programs. For example a remote GhidraURL locating a project folder will open a read only view of
|
||||
the repository in the front end tool and select the folder from the URL. If the GhidraURL refers to a folder in the currently open
|
||||
active project, then the folder is selected within the active project's view instead of a read only view.
|
||||
</P>
|
||||
|
||||
<H2>PDB </H2>
|
||||
<P>The PDB data type processing changes from release 11.0 have been further enhanced, simplifying the processing model and reducing the number of datatype
|
||||
conflicts. The algorithm for choosing the primary symbol at an address has been improved to provide the richest possible information. The PDB Universal
|
||||
Analyzer has been split into multiple analyzers so that PDB function processing can follow interim analyzers that specialize in finding code.
|
||||
Lastly, the Load PDB Task has been improved to schedule appropriate follow-on analyzers that are selected in the Analysis Options.</P>
|
||||
|
||||
<H2>Version Tracking </H2>
|
||||
|
||||
<P> Version Tracking Session files may now be added to a shared project repository. Once a version tracking file has been checked in to a project,
|
||||
it must be checked out for exclusive access. For more information, see help found in the Version Tracking's
|
||||
Session Wizard help for more information.</P>
|
||||
|
||||
<P>NOTE: Prior to adding a pre-existing VT Session to a shared project repository, it is highly recommended that it first be re-opened
|
||||
and saved. This will upgrade the VT Session internal version to prevent its use with older versions of Ghidra which will not respect
|
||||
the exclusive checkout requirement.</P>
|
||||
|
||||
<H2>Mach-O Improvements</H2>
|
||||
<P>Mach-O support continues to improve, adding support for new features as well as filling in some gaps that existed for several years.
|
||||
The latest dyld_shared_cache files use a new format for pointer fixups, which Ghidra now supports. A new GFileSystem has also been
|
||||
implemented to import and/or extract individual Mach-O binaries from Mach-O "file sets" (i.e., kernelcache). A second new GFileSystem
|
||||
has been added which can extract Apple LZFSE-compressed files. Other improvements have also been made to provide more complete markup of Mach-O load commands.</P>
|
||||
|
||||
<H2>Swift </H2>
|
||||
<P>Initial support for binaries written in the Swift Programming Language has been added. The new support relies on the native Swift demangler being
|
||||
present on the user's system. Swift is automatically bundled with XCode on macOS, and can be optionally installed on Windows and Linux.
|
||||
See the "Demangler Swift" analyzer options for more information. Type information gathered from the demangled Swift symbol names is used to
|
||||
create corresponding Ghidra data types. This currently works for Swift primitives and structures, but more work needs to be done to include
|
||||
classes and other advanced data types. Swift-specific calling conventions are also applied to demangled Swift functions.</P>
|
||||
|
||||
<H2>Usability </H2>
|
||||
|
||||
<P>There have been many improvements to keyboard only actions and navigation in Ghidra. These changes will be welcome for those who
|
||||
prefer to use the keyboard as much as possible and those needing better accessibility. Improvements include:</P>
|
||||
<BLOCKQUOTE>
|
||||
<UL>
|
||||
<LI>Standard keyboard navigation should now work in most component windows and dialogs. In general, <span class="gtitle">Tab</span> and <span class="gtitle"><CTRL> Tab</span> will
|
||||
move focus to the next focusable component and <span class="gtitle"><SHIFT> Tab</span> and <span class="gtitle"><CTRL><SHIFT> Tab</span> will move to the
|
||||
previous focusable component. <span class="gtitle">Tab</span> and <span class="gtitle"><SHIFT> Tab</span> do not always work as some components use those keys internally, but
|
||||
<span class="gtitle"><CTRL> Tab,</span> and <span class="gtitle"><SHIFT><CTRL> Tab</span> should work universally.</LI>
|
||||
<LI>Ghidra now provides some convenient keyboard shortcut actions for transferring focus:</LI>
|
||||
<UL>
|
||||
<LI><span class="gtitle"><CTRL> F3</span> - Transfers focus to the next window or dialog.</LI>
|
||||
<LI><span class="gtitle"><CTRL><SHIFT> F3</span> - Transfers focus to the previous window or dialog.</LI>
|
||||
<LI><span class="gtitle"><CTRL> J</span> - Transfers focus to the next titled dockable component (titled windows).</LI>
|
||||
<LI><span class="gtitle"><CTRL><SHIFT> J</span> - Transfers focus to the previous titled dockable component.</LI>
|
||||
</UL>
|
||||
<LI>All actions can now be accessed via a searchable dialog.</LI>
|
||||
<UL>
|
||||
<LI>Pressing <span class="gtitle"><CTRL> 3</span> will bring up the actions dialog with the local toolbar, popup and keyboard actions.</LI>
|
||||
<LI>Pressing <span class="gtitle"><CTRL> 3</span> a second time will add in all the global actions. </LI>
|
||||
<LI>Pressing <span class="gtitle"><CTRL> 3</span> a third time will add in the disabled actions as well.</LI>
|
||||
<LI>The actions dialog was specifically designed to be easy to use without a mouse. Typing will filter the actions list and the
|
||||
arrow keys allow you to select an action and enter will invoke the selected action </LI>
|
||||
</UL>
|
||||
</UL>
|
||||
</BLOCKQUOTE>
|
||||
|
||||
<H2>Other Improvements </H2>
|
||||
|
||||
<P>Support for the <span class="gtitle">SquashFS</span> filesystem has been added.</P>
|
||||
|
||||
<P>A new wildcard assembler API has been added that can generate all possible variants of an instruction with a variety of wildcards for operands.
|
||||
Two new scripts, <span class="gtitle">FindInstructionWithWildcard</span> and <span class="gtitle">WildSleighAssemblerInfo</span>, demonstrate how to use the API.
|
||||
For more information, see help and search for <span class="gtitle">Wildcard Assembler</span>.
|
||||
|
||||
<P>A new <span class="gtitle">Runtime Information</span> dialog has replaced the Show VM Memory dialog. The dialog contains more information
|
||||
which can aid in debugging, including version information, classpath, defined properties, environment variables, and more.</P>
|
||||
|
||||
<P>The GhidraDev Eclipse plugin has a new wizard for importing an existing Ghidra module source directory. This will work best with Ghidra module projects
|
||||
created against Ghidra 11.1 or later.</P>
|
||||
|
||||
<P>Finding references to fields within a structure has been greatly improved. Previously many references to the field would be missed if they occurred within
|
||||
functions calling external functions using the structure, or when the field was used only in local variables dynamically generated by
|
||||
the decompiler.</P>
|
||||
|
||||
<P>Golang versions 17 thru 22 are now supported.</P>
|
||||
|
||||
<P>DWARF5 debug format is now supported. In addition, DWARF line number information processing has been incorporated into the base DWARF analyzer and the
|
||||
separate DWARF line number analyzer has been removed.</P>
|
||||
|
||||
<H2>Additional Bug Fixes and Enhancements</H2>
|
||||
<P> Numerous other new features, improvements, and bug fixes are fully listed in the <a href="ChangeHistory.html">ChangeHistory</a> file.</P>
|
||||
|
||||
<P> Numerous other new features, improvements, and bug fixes are fully listed in the <a href="ChangeHistory.html">ChangeHistory</a> file.</P>
|
||||
|
||||
<div align="center">
|
||||
<B><a href="https://www.nsa.gov/ghidra"> https://www.nsa.gov/ghidra</a></B>
|
||||
@ -231,4 +164,4 @@
|
||||
</div>
|
||||
|
||||
</BODY>
|
||||
</HTML>
|
||||
</HTML>
|
||||
|
Loading…
Reference in New Issue
Block a user