Ghidra v11.0
This post was last edited by FleTime on 2023-12-23 15:30
https://github.com/NationalSecurityAgency/ghidra/releases/tag/Ghidra_11.0_build
Mirror on a domestic (China) cloud drive:
https://www.123pan.com/s/IleA-5OTQh.html
Access code: UUBU
What's new
New Features
Analysis. Added initial Rust support, including the handling of mangled names and calling conventions. (GP-2412)
BSim. Introduced BSim support (see docs/GhidraClass/BSim/). (GP-4009)
Calling Conventions. Added support for the Indirect result location register for ARM64 calling conventions. (GP-3938, Issue #951)
CodeBrowser. Added a right-click Copy action in the CodeBrowser's Listing that copies a Local or Shared GhidraURL to the program. The GhidraURL points to the specific address at which the cursor is located within the program. (GP-3626)
Data Types. Added Search -> For Encoded Strings... dialog that simplifies finding and creating strings with various charsets and alphabets. (GP-2628, Issue #1582, #2106)
Debugger:Breakpoints. Added breakpoint indicators to Function Graph when active in Debugger. (GP-2737, Issue #5532)
Debugger:dbgeng.dll. Implemented Trace RMI connector/plugin for the dbgeng.dll. (GP-3754)
Debugger:dbgeng.dll. Introduced Trace RMI launch script for dbgeng.dll. (GP-3823)
Debugger:GDB. Introduced launchers for Debugger targets using new Trace RMI framework. Introduced Trace RMI launch script for GDB. (GP-3818)
Debugger:Targets. API: Added Target interface to abstract TraceRecorder and TraceRmi. (GP-2740)
Debugger:Targets. Created Connections panel for Trace RMI. (GP-3836)
FileSystems. Added a GFileSystem supporting the CaRT file format. (GP-3748, Issue #5568)
GhidraGo. Implemented GhidraGo, an experimental feature that, when enabled, causes Ghidra to listen for GhidraURLs. The only supported GhidraURLs for GhidraGo currently link to a Ghidra DomainFile handled by the CodeBrowser. The readme for GhidraGo includes instructions on setting up a protocol handler for GhidraURLs. GhidraGo will open Ghidra if a Ghidra is not already running, but Ghidra must be configured to listen (i.e., it has the GhidraGo plugin enabled). (GP-2774)
GUI. Added Select -> Create Table From Ranges action to create a table based on the address ranges in a selection. (GP-2297)
GUI. Added a new GTree filter setting that allows users to filter on the node's path. (GP-2419)
Importer:Mach-O. dyld_shared_cache components extracted from Ghidra's DyldCacheFileSystem can now be added together on-demand with the Add To Program feature. Broken references can be automatically resolved by right-clicking on them and clicking References -> Add To Program. (GP-3753, Issue #5023)
Processors. Added support for the Loongson processor architecture. (GP-3211, Issue #5083)
Version Tracking. Added a new Version Tracking correlator based on BSim function similarity. (GP-4076)
Improvements
Analysis. Golang improvements: Added the Golang String Analyzer that finds and marks up Golang strings. Improved Golang type and interface method markup. Improved Golang function parameter recovery. Using Golang package information to organize Golang type and symbol elements into namespaces. Using Golang run time type information to override the types of objects that are created by calls to malloc-like built-in functions. (GP-2109)
Analysis. Made minor fixes to ARM aggressive instruction finder for stack trace and speed improvement. (GP-3855)
API. Added a program caching system for use by clients that want to open programs, do some work, and then close them without them appearing in the tool. Prior to this, all programs that were opened were kept open by the tool until the user manually closed them. (GP-3979)
API. Updated ApplyFunctionSignatureCmd and FunctionUtility.updateFunction to optionally allow all applied composites to be cleaned (i.e., force to not-yet-defined state) before being applied. In addition, a datatype conflict handler may now be specified which can control how conflicts of applied datatypes should be handled. (GP-4051)
Basic Infrastructure. Upgraded to FlatLaf 3.2.1. (GP-3645, Issue #5539)
Basic Infrastructure. Upgraded Guava to 32.1.3. (GP-4053)
Build. The Ghidra Software Bill of Materials (SBOM) now includes entries for Ghidra's module jars. Jar descriptions are also now provided when available. (GP-3824, Issue #5513)
CodeCompare. The Decompiler Diff View now supports searching via Ctrl-F. (GP-4000)
CodeCompare. Fixed Function Comparison Window to not initially show the same function in both windows. (GP-4005)
Debugger. Introduced a plugin/service that supports proper Terminal Emulation (in contrast to the current Interpreter Panel plugin). (GP-1977)
Debugger. Added process name to Objects display. (GP-3895, Issue #5817)
Debugger. Added console display for exceptions. (GP-3896, Issue #5817)
Debugger:Emulator. Fixed issue starting the Emulator when the PC is in an overlay space. (GP-3904)
Debugger:GDB. Changed Trace RMI plugin for GDB to better obtain module base addresses. (GP-3725)
Debugger:Registers. Go-To actions from Registers panel now honor Force Full View setting from Regions panel. (GP-3886, Issue #5817)
Decompiler. Tokens labeling switch case values in the Decompiler window now support navigation and hovering and can be used to rename or retype the switch variable. (GP-3680, Issue #5286)
Decompiler. Added toggle buttons to quickly change the Eliminate unreachable code and Respect readonly flags Decompiler settings. These settings are local to the Decompiler view and will not persist in the tool. (GP-3919)
Decompiler. Added formatting options for braces, { and }, in Decompiler output. (GP-3965, Issue #1240, #1937, #1938, #4914, #81)
Demangler. Updated the GNU Demangler binary used by Ghidra to version 2.41. (GP-3577)
Demangler. Revised signature source type applied by GNU demanglers to ANALYSIS instead of IMPORTED. (GP-4139)
Exporter. The C/C++ exporter now includes equate definitions if data types are being emitted. (GP-3010, Issue #4878)
Extensions. Added a classpath isolation option for Extensions (settable in launch.properties). (GP-3623)
FileSystems. The dyld_shared_cache filesystem can now extract files for stubs and standalone data. (GP-3860)
GUI. Updated the tool windows to remember when they are fully maximized. (GP-2840, Issue #293, #3788)
GUI. Updated data type tooltips and previews to show size in hex as well as decimal. (GP-3763, Issue #5682)
GUI. Added Collapse and Expand actions to trees. (GP-3812, Issue #5731)
GUI. Added askValues() method to GhidraScripts which allows the script to show a dialog for entering multiple values with a single dialog. (GP-3924)
GUI. Fixed issue with program graph issuing location events in response to receiving location events. (GP-4021)
Importer. Improved library-import log messages. (GP-3910)
Importer:ELF. Completed additional changes to ELF Header code to eliminate unsupported mutability. (GP-3620)
Importer:Mach-O. When loading System Libraries From Disk on macOS, the dyld_shared_cache will be searched for in more default locations. (GP-3909)
Importer:Mach-O. The MachoLoader now uses binding information (if present) to associate libraries with imported symbol name without the need for those libraries to be already present/loaded in the project. (GP-3912)
Importer:Mach-O. The MachoLoader can now load binaries with obfuscated segment and section names. (GP-3926, Issue #3876)
Languages. Removed use of PC as having a valid value in SuperH and M68000. (GP-4049, Issue #5891)
Listing. Added options for disabling various EOL Auto-Comments. (GP-3531)
Listing. Corrected operand markup of offcut instruction references which failed to respect the Display Namespace operand field option. (GP-3985, Issue #5886)
Memory. Updated overlay address space support to allow multiple memory blocks to reside within a single overlay space. (GP-3903)
PDB. Changed the PDB data types processing to use a resolve-as-you-go model, eliminating the dependency graph and the need for holding onto the PDB types within the processing model. The benefits of this change are being made available by other improvements. In addition, changes have been made to improve the accuracy of some data types. (GP-3715)
PDB. In order to reduce memory consumption, modified PdbReader to load certain components and data structures only when needed and provided some iterators to consumers such as PDB Universal Analyzer. (GP-3995)
Processors. Added language module for the Tensilica Xtensa processor. (GP-1062, Issue #1407, #5442)
SARIF. Added support for SARIF data export/import. (GP-3832)
Version Tracking. Updated AutoVersionTrackingScript to create implied matches if option is chosen by the user. (GP-3765)
Version Tracking. Improved and sped up the AutoVersionTracking algorithm to determine and apply good matches from the possible matches returned from the DuplicateFunctionMatchCorrelator. (GP-3854, Issue #5857)
Version Tracking. Added numerous options to Auto Version Tracking that can change which correlators are used and control their individual options. (GP-3934)
Version Tracking. Auto Version Tracking now applies implied matches if the minimum number of votes and maximum number of conflicts conditions are met, as determined by the chosen options. (GP-3953)
Version Tracking. Updated Auto Version Tracking to check related associations for already-accepted matches before accepting new matches. (GP-4008, Issue #4875)
Version Tracking. Improved default Version Tracking session name generated by new session wizard. (GP-4091)
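As an added example for the askValues() entry above (GP-3924), and not code from the Ghidra release notes or the Ghidra project: a GhidraScript that collects an address, a length, a label and a flag in one dialog instead of four separate askAddress()/askInt()/askString() prompts, then defines a byte array at that address. The class and method names (GhidraValuesMap and its define*/get* methods, GhidraScript.askValues) are the editor's reading of the Ghidra 11.0 API and should be confirmed against the installed javadoc; the field labels and default values are invented for illustration.

```java
// AskValuesDemoScript.java
// Added example, not part of Ghidra or its release notes. API names follow the
// editor's understanding of GhidraValuesMap / GhidraScript in Ghidra 11.0
// (check against the installed javadoc); field labels and defaults are made up.
//@category Examples

import ghidra.app.script.GhidraScript;
import ghidra.features.base.values.GhidraValuesMap;
import ghidra.program.model.address.Address;
import ghidra.program.model.data.ArrayDataType;
import ghidra.program.model.data.ByteDataType;
import ghidra.program.model.listing.Data;
import ghidra.program.model.mem.Memory;

public class AskValuesDemoScript extends GhidraScript {

    @Override
    protected void run() throws Exception {
        // Declare every input the script needs, each with a type and a default.
        // They become rows of a single form rather than a chain of dialogs.
        GhidraValuesMap values = new GhidraValuesMap();
        values.defineAddress("Start address", currentProgram, currentAddress);
        values.defineInt("Length (bytes)", 16);
        values.defineString("Label", "blob");
        values.defineBoolean("Clear existing code/data first", true);

        // Shows the dialog in the GUI; throws CancelledException on Cancel.
        values = askValues("Define byte array",
            "Parameters for the new data item", values);

        Address start = values.getAddress("Start address");
        int length = values.getInt("Length (bytes)");
        String label = values.getString("Label");
        boolean clearFirst = values.getBoolean("Clear existing code/data first");

        // The dialog only type-checks its fields; semantic checks (positive
        // length, range inside mapped memory) are the script's job.
        if (length <= 0) {
            printerr("Length must be positive");
            return;
        }
        Address end = start.add(length - 1L);
        Memory mem = currentProgram.getMemory();
        if (!mem.contains(start, end)) {
            printerr("Range " + start + " to " + end + " is not fully in memory");
            return;
        }

        if (clearFirst) {
            clearListing(start, end);
        }
        Data data = createData(start,
            new ArrayDataType(ByteDataType.dataType, length, 1));
        createLabel(start, label, true);
        println("Created " + data.getDataType().getName() + " at " + start
            + " labelled " + label);
    }
}
```

Drop the file into a script directory registered in the Script Manager and run it from the CodeBrowser with a program open; in headless mode the dialog is not shown, so defaults (or script arguments, as with the older ask*() methods) are used instead.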
Bugs
Analysis. Fixed StackOverflowError encountered when processing self-referencing Golang slices. (GP-3906, Issue #5847)
Analysis. Fixed function body computation for functions with instructions that branch into delay slots; for example, the Fujitsu FR processor. This affects both function creation and the computation of an Undefined Function for the Decompiler when no function is currently defined. (GP-3962, Issue #5866)
Analysis. Fixed evaluator check before using it in constant analysis. (GP-3970)
Build. Fixed nodepJar task dependencies for Gradle 8. (GP-3977, Issue #5902)
Data Types. Corrected self-referencing data type resolution issue for function definitions which could result in datatype errors. (GP-4078, Issue #5927)
Debugger. Fixed when Control Target can be selected. (GP-4099)
Debugger:Agents. Fixed GADP agent launch scripts to pass arguments through. (GP-4132, Issue #6016)
Debugger:dbgeng.dll. Fixed an error that resulted in quotes being stripped from command-line arguments for dbgeng/dbgmodel. (GP-3846, Issue #5789)
Debugger:dbgeng.dll. Created better updating strategy for dbgeng/model memory. (GP-3899, Issue #5817)
Debugger:Emulator. Fixed issue with resuming after performing p-code steps in the Emulator. (GP-3706)
Debugger:GDB. Made fixes in preparation for changes coming in gdb-14. (GP-3690)
Debugger:GDB. Fixed line ending for Cygwin GDB. (GP-3825, Issue #5755)
Debugger:Objects. Fixed Elements table in Model provider to display array contents. (GP-3932)
Debugger:Registers. Fixed copied values from Registers panel to conform to display settings. (GP-3874, Issue #5820)
Decompiler. Fixed bug in conditional constant propagation that could affect switch recovery. (GP-3840, Issue #5514)
Decompiler. Fixed improper rendering of expressions involving pointer-to-array data-types in Decompiler output. (GP-3842, Issue #5591)
Decompiler. Fixed bug causing "Could not finish collapsing block structure" exceptions. (GP-3911)
Decompiler. Fixed "<unionfacetsymbol> does not have a union type" exception caused by deleting a union data-type. (GP-3942, Issue #5636)
Decompiler. Fixed bug in the brace-highlighting action for the Decompiler window that could cause it not to be able to find matching braces. (GP-3945, Issue #5643)
Decompiler. Fixed bug in Decompiler that could cause crashes when analyzing NaN operations. (GP-3981)
Decompiler. Fixed a bug that causes the Decompiler to fail on some systems with a "Datatype must have a valid id" exception. (GP-4020)
Decompiler. Fixed an infinite loop in the Decompiler caused by small parameters getting passed to subfunctions via larger registers containing stale values in their upper bytes. (GP-4102, Issue #5934)
Decompiler. Fixed a bug that could cause the Decompiler to crash when printing pieces of a dynamic symbol. (GP-4119, Issue #6005)
Demangler. Fixed GNU Demangler analysis live-lock issue. (GP-4071, Issue #5987)
Documentation. Fixed field constraint example in the Sleigh documentation. (GP-4046, Issue #5933)
Eclipse Integration. Ghidra can now launch Eclipse Ubuntu snap installations from the Script Manager. (GP-3473)
Eclipse Integration. The GhidraDev Eclipse plugin now prevents unsupported versions of PyDev from being used. Supported versions are 6.3.1 - 9.3.0. PyDev 10.0 and later no longer support Python 2. (GP-4062, Issue #5980)
Eclipse Integration. The GhidraDev Eclipse plugin no longer throws an IOException when performing a Link Ghidra action on a Ghidra project whose original Ghidra installation moved. (GP-4063, Issue #5981)
Exporter. Proper C-syntax is now used on structs exported to a header file when they contain a pointer to an array field. (GP-3608, Issue #5248)
GUI. Fixed the Data Types Exact Match filter to not include the archive name. (GP-3764, Issue #5685)
GUI. Updated GTableHeaderRenderer to fix an incorrect cast to Component. (GP-3819, Issue #5539)
GUI. Fixed bug in the Find Dialog that caused incorrect text to be selected when pressing Enter for a previous match. (GP-3856)
GUI. Fixed JTextArea not responding to theme font changes. (GP-3908)
GUI. Fixed incorrect Version Tracking foreground color in the Markup Items Table. (GP-3933, Issue #5865)
GUI. Updated how the tool saves window size information to allow better toggling between full-screen modes. (GP-3958, Issue #5879, #5890)
GUI. Fixed the Listing's Auto Comment color for the CDE/Motif theme. (GP-3959, Issue #5903)
GUI. Fixed Structure Editor bugs. Also updated the search to use the default field name as part of the search-matching. (GP-3967, Issue #5715)
GUI. Fixed an issue in the Function Editor dialog that caused incorrect parameter values to be assigned when cancelling an edit. (GP-4041)
GUI. Updated the Note Bookmark dialog to allow users to press Enter to close the dialog when the Category field is focused. (GP-4048, Issue #5962)
GUI. Fixed an issue that caused importing a file via drag-and-drop to silently fail on some Linux distributions. (GP-4066)
GUI. Fixed an IndexOutOfBoundsException that sometimes occurred while adding new entries to the Bundle Manager table or while opening a CodeBrowser tool that included an open Bundle Manager window. (GP-4075, Issue #5956)
Headless. The Headless Analyzer can now recurse into supported GFileSystem container files when a recursion depth of one or more is specified on the command line. (GP-3273, Issue #5167)
Importer. Importing libraries that are referenced by absolute path (such as with Mach-O) now get saved to the project with their folder structure intact. This fixes a potential DuplicateKeyException that could occur when using a Recursive Library Load Depth greater than 1, and removes any ambiguity that could occur when linking a program to its libraries. (GP-3922)
Importer. Fixed an uncaught InvalidPathException that could occur when loading libraries during import. (GP-4050, Issue #5894)
Importer:ELF. Corrected ELF object module GOT allocation for x86-64 object modules during relocation processing. (GP-4118, Issue #5961)
Importer:Mach-O. The MachoLoader now creates thunks on stubs. (GP-3248, Issue #3146)
Importer:PE. Fixed an exception that could sometimes occur when parsing PE files containing debug line number information. (GP-3963, Issue #5899)
Languages. Corrected MIPS pcode for di and ei instructions. (GP-3875)
Languages. Corrected stack pointer update in alloca_probe x64 windows callfixup. (GP-3915, Issue #5844)
Languages. Updated x86 register addressing for ST and MM registers to achieve proper overlap. The upper 16-bits of the ST registers still remain unaffected by MMX instructions which write to the MM registers. (GP-3956)
Multi-User. Corrected potential NullPointerException in Ghidra Server command processor. (GP-4056, Issue #5974)
PDB. Fixed memory performance issue created in 10.4. (GP-3890)
Processors. Implemented x86 FINTRZ instruction. (GP-3387, Issue #5205)
Processors. Corrected x86 POP instructions with operands that use the stack pointer. (GP-3677, Issue #4282)
Processors. Fixed missing ARM cbz instruction in the manual index file. (GP-3724)
Processors. Added test-register support back into the x86 processor module. (GP-3784, Issue #5662)
Processors. Fixed issue with 6x09 processor module STU instruction storing the X register instead of the U register. (GP-3786, Issue #5671)
Processors. Added ELF relocation support to Loongarch processor module. (GP-3804)
Processors. Replaced or implemented count-leading-zeroes and count-leading-ones instructions with proper pcode operator in several languages. (GP-3879, Issue #5790)
Processors. Changed MIPS TEQ zero, zero into a trap, always-goto flow. (GP-3948)
Processors. Several fixes for some PowerPC VLE instructions. (GP-3999, Issue #2843)
Processors. Added the x86 MMX register MXCSR to the compiler global list so that manipulations persist in the decompiled output. (GP-4018)
Processors. Fixed RISC-V custom-0 instruction patterns. (GP-4047, Issue #5932)
Processors. Fixed PIC24 DOEND register offset. (GP-4054, Issue #5213)
Processors. Minor fix for the AVR8 DES instruction semantics. (GP-4055, Issue #5235)
Project. Corrected issue with ProjectLocator when using projects located in root directory. (GP-3914, Issue #5802)
Scripting. FixOldSTVariableStorageScript.java Ghidra script has been made available for users to run against x86 Programs created prior to Ghidra 10.0.3. This script will fixup ST0... ST7 variable storage addresses which were not properly migrated during an x86 language revision. (GP-3949, Issue #5640)
Search. Fixed incorrect template implementation of GenericByteSequencePattern. (GP-4024)
Sleigh. Fixed a bug in the Sleigh compiler preventing the declaration of bit-range symbols when their size was not a multiple of 8 bits. (GP-8, Issue #1144, #660)
Sleigh. Added pure 32-bit PowerPC e500mc processor variant. (GP-3068)
Sleigh. Fixed stacktrace when a pcode pseudoOp has more than eight parameters. (GP-3986)
Version Tracking. Fixed Version Tracking Undo issue where running a correlator and accepting matches then undoing the results and then rerunning the correlator resulted in incorrectly blocked matches. (GP-3827)
Version Tracking. Fixed bug in Version Tracking matches table that prevented saved filters from being applied. (GP-3901)
Ghidra's main uses include the following:
Reverse engineering: Ghidra provides a set of capabilities that let users analyze and reverse engineer binaries, such as disassembly, decompilation and debugging. It turns a binary into a source-like representation that is easier to understand and modify, helping researchers understand how a program works internally.
Vulnerability analysis: Ghidra can be used to find and analyze vulnerabilities in software. By reverse engineering a program, analysts can look for potential security flaws and understand how they could be exploited, which matters both for hardening the software and for building defenses.
Malware analysis: malware analysts can use Ghidra to study the functionality, behavior and weaknesses of malicious software. This helps uncover hidden functionality, network communication and attack methods, and supports development of corresponding protections.
Security auditing: Ghidra can be used to assess the security and trustworthiness of software. It helps security experts find potential security issues, vulnerabilities or unsafe practices and propose improvements.
Overall, Ghidra is a feature-rich reverse engineering tool suited to software analysis, vulnerability research, malware analysis, security auditing and similar work.
Is this the same NSA that hacked Northwestern Polytechnical University last time? This product doesn't have any backdoors, does it?
Good stuff, thanks for sharing.
Thanks, I'll try the OP's method in a moment.
What is this used for?
I hear it's pretty slick...
Here to learn.
When I first learned about this tool I found it was said to be developed by the US National Security Agency. I agree Ghidra is a very good choice for reverse engineering, but for psychological reasons I have never used it.
wsasecy posted on 2023-5-15 16:05
When I first learned about this tool I found it was said to be developed by the US National Security Agency. I agree Ghidra is a very good choice for reverse engineering, but for psychological ...
How do you know the US National Security Agency isn't behind IDA too?
Can this software be used for Chinese localization work?