<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE> Ghidra What's New</TITLE>
<STYLE type="text/css" name="text/css">
li { font-family:times new roman; font-size:14pt; margin-bottom: 8px; }
h1 { color:#000080; font-family:times new roman; font-size:28pt; font-style:italic; font-weight:bold; text-align:center; }
h2 { padding-top:10px; color:#984c4c; font-family:times new roman; font-size:18pt; font-weight:bold; }
h3 { margin-left:40px; padding-top:10px; font-family:times new roman; font-size:14pt; font-weight:bold; }
h4 { margin-left:40px; padding-top:10px; font-family:times new roman; font-size:14pt; font-weight:bold; }
p { margin-left:40px; font-family:times new roman; font-size:14pt; }
table, th, td { border: 1px solid black; border-collapse: collapse; font-size:10pt; }
td { font-family:times new roman; font-size:14pt; padding-left:10px; padding-right:10px; text-align:left; vertical-align:top; }
th { font-family:times new roman; font-size:14pt; font-weight:bold; padding-left:10px; padding-right:10px; text-align:left; }
code { color:black; font-family:courier new; font-size: 12pt; }
span.code { font-family:courier new; font-size: 14pt; color:#000000; }
.gcode { font-family: courier new; font-weight: bold; font-size: 85%; }
.gtitle { font-style: italic; font-weight: bold; font-size: 95%; }
</STYLE>
</HEAD>
<BODY>
<H1>Ghidra: NSA Reverse Engineering Software</H1>
<P>
Ghidra is a software reverse engineering (SRE) framework developed by NSA's Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable
users to analyze compiled code on a variety of platforms including Windows, MacOS, and Linux.
Capabilities include disassembly, assembly, decompilation, debugging, emulation, graphing, and scripting, along with
hundreds of other features. Ghidra supports a wide variety of processor instruction sets and
executable formats and can be run in both user-interactive and automated modes. Users may also
develop their own Ghidra plug-in components and/or scripts using the exposed API. In addition there are
numerous ways to extend Ghidra such as new processors, loaders/exporters, automated analyzers,
and new visualizations.
</P>
<P>
In support of NSA's Cybersecurity mission, Ghidra was built to solve scaling and teaming problems
on complex SRE efforts and to provide a customizable and extensible SRE research platform. NSA
has applied Ghidra SRE capabilities to a variety of problems that involve analyzing malicious
code and generating deep insights for NSA analysts who seek a better understanding of potential
vulnerabilities in networks and systems.
</P>
<hr>
<H1>What's New in Ghidra 11.0</H1>
<H2>The not-so-fine print: Please Read!</H2>
<P>This release includes new features, enhancements, performance improvements, quite a few bug fixes, and many pull-request
contributions. Thanks to all those who have contributed their time, thoughts, and code. The Ghidra user community thanks you too!</P>
<P>Ghidra 11.0 is fully backward compatible with project data from previous releases.
However, programs and data type archives which are created or modified in 11.0 will not be usable by an earlier Ghidra version.</P>
<P>This distribution requires JDK 17 to run, and provides Linux x86-64, Windows x86-64, and macOS x86-64 native components.
If you have another platform or wish to use a newer JDK, please see the
<a href="InstallationGuide.html">Ghidra Installation Guide</a> for additional information.</P>
<P>NOTE: Ghidra Server: The Ghidra 11.0 server is compatible with Ghidra 9.2 and later Ghidra clients. Ghidra 11.0
clients are compatible with all 10.x and 9.x servers. However, due to potential Java version differences, it is recommended
that Ghidra Server installations older than 10.2 be upgraded. Those using 10.2 and newer should not need a server upgrade.</P>
<P>NOTE: Any programs imported with a Ghidra beta version, or with code built directly from source outside of a release tag, may not be compatible
and may have flaws that will not be corrected by using this new release. Any program analyzed with a beta or other local master source build should be considered
experimental and should be re-imported and analyzed with a release version. Programs imported with previous release versions should upgrade correctly through the various
automatic upgrade mechanisms. Any program you will continue to reverse engineer should be imported fresh with a release version or a build you trust to contain the
latest code fixes.</P>
<H2>BSim </H2>
<P>A major new feature called BSim has been added. BSim can find structurally similar functions in (potentially large) collections of binaries or object files.
BSim is based on Ghidra's decompiler and can find matches across different compilers, different architectures, and small changes to the source code.</P>
<P>As you've reverse engineered software, you've likely asked the following questions:</P>
<UL style="padding-left:100px">
<LI>Which libraries were statically linked into this executable, and possibly what version of the library?</LI>
<LI>Does this executable share some code with another executable that I've analyzed?</LI>
<LI>What are the differences between version 1 and version 2 of a given executable?</LI>
<LI>Does this executable share code with another executable in a large collection of binaries?</LI>
<LI>Was this function pulled from an open-source library?</LI>
</UL>
<P>BSim is intended to help with these questions (and others) by providing a way to search collections of binaries for similar, but not necessarily identical, functions.</P>
<P>BSim can compare functions within a binary, within a collection of binaries or object files in a project on a local system, or within a large collection of binaries
using a PostgreSQL or an Elasticsearch server. Using BSim locally does not require setting up a PostgreSQL or Elasticsearch server or having administrator access.</P>
<P>There is a BSim tutorial that walks through use of BSim locally. Using BSim locally and the tutorial is the best way to try out BSim before deciding if you need to set up a server.</P>
<H2>GhidraGo </H2>
<P>GhidraGo is an experimental feature that adds integration support for Ghidra URLs and Ghidra Tools. The main use of GhidraGo is embedding hyperlinks within web pages
to pre-ingested programs within a Ghidra multi-user repository. Clicking on the hyperlink causes Ghidra to display the previously ingested program.
No data other than the Ghidra URL is transferred to Ghidra, and Ghidra opens no listening socket to receive commands. GhidraGo must be enabled by
installing a plugin in the Ghidra project manager, and must also be configured as a protocol handler in your web browser. GhidraGo is not set up or enabled by default.
For details on setting up GhidraGo, please see the included <span class="gtitle">GhidraGoREADME.html</span> or search for GhidraGo within help.
</P>
<H2>Version Tracking </H2>
<P>Auto Version Tracking has been sped up, made customizable, and improved to find more matches. The mechanism to identify good matches from duplicate match
sets has been improved and sped up. Implied matches are now created and will be applied if the vote minimum and conflict maximum limits are met. In addition,
the ability to choose which correlators are run as well as setting the options of most correlators has been added. The Auto Version Tracking script has been
updated to prompt for all options in a single dialog. The script now works in headless mode and an example prescript to allow
setting of options in headless mode is included.</P>
<P>Version Tracking can also use the new BSim function matching capability in a new correlator called the BSim Correlator. Auto Version Tracking does not use the new BSim Correlator yet.</P>
<H2>Function Comparison Window</H2>
<P>The function comparison window, used by Version Tracking and BSim, has been overhauled:</P>
<UL style="padding-left:100px">
<LI>A help topic for Function Comparison has been added.</LI>
<LI>Token matching, scrolling to matches, and difference highlighting are much improved, using
an algorithm based on BSim function matching. The colors used for the token matching highlights are configurable.</LI>
<LI>From the comparison window, users can click on called functions that have corresponding matches to bring up a new function comparison window showing those functions.
The action is currently not available within version tracking.</LI>
<LI>The functions can be displayed side by side vertically or horizontally.</LI>
<LI>The function signature from a function in the function comparison window can be applied as the name only, as a skeleton signature, or as the entire signature
including all referenced data types. Applying only the skeleton function signature is useful when there is any question of differences in the
composition of the data structures used by the function signature between the two programs.</LI>
</UL>
<H2>Scripting</H2>
<P>A new multi-option script dialog has been added to the scripting API that can present and get all user inputs a script needs in one dialog.
The <span class="gcode">askValues()</span> scripting method replaces the cumbersome process of prompting the user for each input separately.</P>
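<P>The following script is an added example of the new dialog, written for this page and not part of the Ghidra distribution. It declares every input a script needs in one
<span class="gcode">GhidraValuesMap</span>, shows them in a single <span class="gcode">askValues()</span> dialog, validates one of them before the dialog closes, and then
filters the current program's functions by the collected values. The input labels ("Name filter", "Min body size", and so on) are arbitrary names chosen here; the
<span class="gcode">setValidator</span> hook is assumed to take a (values, status listener) pair as shown, and the rest relies on the Ghidra 11.0 scripting API as documented in its Javadoc.</P>

```java
// Added example script (not part of Ghidra): one askValues() dialog for all inputs.
// Assumes the Ghidra 11.0 GhidraScript API. Input labels are arbitrary names chosen here.
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;

import ghidra.app.script.GhidraScript;
import ghidra.features.base.values.GhidraValuesMap;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionIterator;

public class AskValuesExampleScript extends GhidraScript {

	@Override
	protected void run() throws Exception {
		// Declare every input up front, each with a label and a default value.
		GhidraValuesMap values = new GhidraValuesMap();
		values.defineString("Name filter", "");
		values.defineInt("Min body size", 64);
		values.defineBoolean("Include thunks", false);
		values.defineChoice("Sort by", "Address", "Address", "Size");
		values.defineAddress("Start after", currentProgram.getMinAddress(), currentProgram);

		// Assumed validator signature: reject a negative size while the dialog is still open.
		values.setValidator((map, status) -> {
			if (map.getInt("Min body size") < 0) {
				status.setStatusText("Min body size must be >= 0");
				return false;
			}
			return true;
		});

		// One dialog for everything; throws CancelledException if the user cancels.
		askValues("Function filter", "Choose which functions to list", values);

		String filter = values.getString("Name filter").toLowerCase();
		int minSize = values.getInt("Min body size");
		boolean includeThunks = values.getBoolean("Include thunks");
		String sortBy = values.getChoice("Sort by");
		Address start = values.getAddress("Start after");

		// Walk functions forward from the chosen address and apply the filters.
		List<Function> matches = new ArrayList<>();
		FunctionIterator it = currentProgram.getFunctionManager().getFunctions(start, true);
		while (it.hasNext() && !monitor.isCancelled()) {
			Function f = it.next();
			if (f.isThunk() && !includeThunks) {
				continue;
			}
			if (f.getBody().getNumAddresses() < minSize) {
				continue;
			}
			if (!f.getName().toLowerCase().contains(filter)) {
				continue;
			}
			matches.add(f);
		}
		if (sortBy.equals("Size")) {
			// Largest bodies first.
			matches.sort(Comparator.comparingLong(f -> -f.getBody().getNumAddresses()));
		}

		println(matches.size() + " function(s) matched");
		for (Function f : matches) {
			printf("%s  %s  %d bytes%n", f.getEntryPoint(), f.getName(),
				f.getBody().getNumAddresses());
		}
	}
}
```

<P>Place the file in a script directory registered with the Script Manager and run it against an open program. Because the values are read back from the same map that
was passed to <span class="gcode">askValues()</span>, adding a new input is a matter of one <span class="gcode">define*</span> line and one <span class="gcode">get*</span> line, rather
than a new prompt and a new dialog.</P>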
<H2>Rust</H2>
<P>Initial support for Rust compiled binaries has been added, mainly demangling of Rust method names and handling of Rust-specific DWARF information. In addition, Rust strings are marked up so that the
decompiler displays them correctly. There is more work to do, especially with mapping Rust parameter passing; custom storage may be required in some instances.</P>
<H2>Golang</H2>
<P>Golang reverse engineering within Ghidra is much improved by:</P>
<UL style="padding-left:100px">
<LI>A new <span class="gtitle">Golang String Analyzer</span> which finds and marks up Golang strings so they display correctly in the decompiler</LI>
<LI>Type and interface method markup improvements</LI>
<LI>Better function parameter recovery</LI>
<LI>Using package information to organize type and symbol elements into namespaces</LI>
<LI>Using run time type information to override the types of objects that are created by calls to malloc-like built-in functions</LI>
</UL>
<H2>Search for Encoded Strings</H2>
<P>A new action in the Search menu, <span class="gtitle">Search -> For Encoded Strings...</span>, can help find and create strings encoded in alternate character sets and alphabets.
Valid strings are based on runs of bytes that would be valid in a particular character set and alphabet. There are currently no additional models for defining valid words within other languages.</P>
<H2>Import / Export</H2>
<P>The <span class="gtitle">CaRT</span> file format is now supported. The <span class="gtitle">CaRT</span> format is used to store and transfer malware samples, along with metadata about
them, in a neutered form that cannot be executed. The container is encrypted so that anti-virus software does not flag the file under analysis.</P>
<P>Headless importing of binaries from container files with multiple embedded files, such as .zip files, is now possible. This includes loading referenced .dll and .so files that are also
found within the container file.</P>
<P>The Headless Analyzer can now recurse into supported GFileSystem container files when a recursion depth of one or more is specified on the command line.</P>
<H2>Mach-O Improvements</H2>
<P>Support for the Mach-O binary file format has continued to receive updates. Improvements have been made to library linking and loading, as well as thunk creation. Additionally, dyld_shared_cache
components extracted from Ghidra's DyldCacheFileSystem can now be added together on-demand with the Add To Program feature. Broken references can be automatically resolved by right-clicking on them
and clicking <span class="gtitle">References -> Add To Program</span>.</P>
<H2>PDB</H2>
<P>PDB data type processing has been changed to use a resolve-as-you-go model. The change eliminates the dependency graph and reduces the memory footprint required to load all
PDB types. It allows larger PDBs to load successfully and improves the accuracy of some data types.</P>
<H2>Overlays with Multiple Memory Blocks</H2>
<P> Overlay spaces now support multiple memory blocks in the same overlay. After creating the initial memory
block as an overlay, the new overlay memory space will become available when adding new memory blocks. All overlay memory blocks can
be manipulated in the same way as normal memory blocks. The new feature is useful when analyzing binaries
meant to run on multiple processors with tasks running on each processor in their own overlapped virtual memory space such as an RTOS.</P>
<H2>Processors</H2>
<P>Support for the Loongson processor architecture has been added. All known instructions should disassemble. However, the semantics for a large number of instructions are currently implemented as pseudo-op calls rather than full p-code.</P>
<H2>Additional Bug Fixes and Enhancements</H2>
<P> Numerous other new features, improvements, and bug fixes are fully listed in the <a href="ChangeHistory.html">ChangeHistory</a> file.</P>
<BR>
<P align="center">
<B><a href="https://www.nsa.gov/ghidra"> https://www.nsa.gov/ghidra</a></B>
</P>
</BODY>
</HTML>