
Ghidra: NSA Reverse Engineering Software
Ghidra is a software reverse engineering (SRE) framework developed by NSA's Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, MacOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra plug-in components and/or scripts using the exposed API. In addition there are numerous ways to extend Ghidra such as new processors, loaders/exporters, automated analyzers, and new visualizations.
In support of NSA's Cybersecurity mission, Ghidra was built to solve scaling and teaming problems on complex SRE efforts, and to provide a customizable and extensible SRE research platform. NSA has applied Ghidra SRE capabilities to a variety of problems that involve analyzing malicious code and generating deep insights for NSA analysts who seek a better understanding of potential vulnerabilities in networks and systems.
Ghidra 10.0.3 Change History (September 2021)
New Features
Debugger:Watches. Added ability to modify target memory and registers via the Watches window. (GP-1264, Issue #2866)
Improvements
Analysis. Improved SH4 constant reference analysis for PIC code, reference placement for jumps/calls, and non-return function analysis. General constant reference analysis has also been improved. (GP-1258)
Basic Infrastructure. Removed usage of the --illegal-access=permit JVM argument for improved JDK 17 runtime support. The Ghidra Server continues to require JDK 11 to successfully run at this time. (GP-1193, Issue #3355)
Debugger. Debugger Agent windows now display log messages. (GP-507)
Debugger. Changed Debugger's Launch action to propose the current program as the command line. (GP-1176)
Debugger. Providing broader defaults for recording GDB-supported architectures. (GP-1237)
Debugger:GDB. GDB connector's Use existing session prompts with more instructions. (GP-1076)
Debugger:GDB. Added use starti option to GDB launcher. (GP-1158)
Debugger:Mappings. Added Map Identically action to Modules window. (GP-1232)
GUI. Changed analysis options to always show current program options when accessed via Edit -> Options for <program>.... Also added warning if the user makes changes to the analysis options and then changes the combo box without saving the changes first. (GP-1188)
Importer. The ContinuesInterceptor, which allows the import process to proceed past uncaught exceptions that can be encountered while parsing corrupted headers, has been disabled by default. Its usage is now deprecated and will be removed in a future Ghidra release. It can be temporarily re-enabled in support/launch.properties. (GP-1248)
Importer:ELF. Added support for additional ELF AARCH64 relocations such as R_AARCH64_LDST64_ABS_LO12_NC. (GP-1278, Issue #3352)
Processors. Corrected semantics for x86/x64 FXSAVE and related instructions. (GP-1228)
Processors. Added semantics for several x86/x64 vector operations. (GP-1262)
Bugs
Byte Viewer. Fixed stack overflow issue in ByteViewer. (GP-1276)
C Parsing. Eliminated static variables that caused follow-on CParser tasks to error because they started in a bad state. (GP-1251, Issue #1421, #3350)
Debugger. Fixed NullPointerException in Objects window's Import/Export actions. (GP-1047)
Debugger. Fixed NullPointerException in DBTraceStack. (GP-1059)
Debugger. Fixed a rare deadlock involving DBTrace.addListener. (GP-1154)
Debugger. Track PC action now scrolls to cursor even if the cursor is already at PC. (GP-1175)
Debugger. Created better mapping of GDB ARM architecture names to Ghidra languages for the Debugger. (GP-1221, Issue #3333)
Debugger. Capture Memory button is more aggressive in finding the correct region to capture, reducing bad region errors. (GP-1227)
Debugger. Fixed delay slot disassembly in Debugger dynamic listing. (GP-1246, Issue #3358)
Debugger:Emulator. Fixed cache-reading issue in trace emulation. (GP-1187)
Debugger:Emulator. Fixed a critical typo in PairedPcodeArithmetic. (GP-1191)
Debugger:Trace. Dynamic listing now updates immediately when changing data type settings. (GP-1215)
Debugger:Trace. Removed Missing Instruction Prototype exception in favor of using InvalidPrototype. (GP-1226)
Debugger:Trace. Adding context fields to Register viewer no longer throws an exception. (GP-1256)
Decompiler. Fixed a bug that could cause an infinite loop in the Decompiler when using bonded register pairs. (GP-1270, Issue #3105)
Decompiler. Fixed a bug causing Exceeded maximum restarts with more pending warnings in the Decompiler. (GP-1277, Issue #3104)
Disassembly. Fixed an IllegalArgumentException in the Non-Returning Functions analyzer caused by processor specifications without a defined context, such as Sparc and SH4. (GP-1216)
DWARF. Corrected potential random errors in DWARF parsing caused by modifications to a shared global static DWARF decoder. (GP-1272)
Exporter. Exporters with empty default extension names will no longer append a dot to the output filename. (GP-1201, Issue #3325)
GUI. Fixed the missing mnemonic of the Graph menu. (GP-1244, Issue #3330)
Processors. Corrected carry flag semantics for the 6502 processor's SBC instruction. (GP-1109, Issue #3189, #3190)