Ghidra 10.1.4 Change History (May 2022)

Improvements

Debugger:Listing. Refresh button in Debugger's Dynamic Listing and Memory Bytes views now operates without a selection and is more thorough with respect to cache invalidation. (GP-1930)

Bugs

Analysis. Fixed an exception that occurred when loading programs created in previous versions where the analysis option's type had changed (String to Long). (GP-1738)

Analysis. Constant reference propagation now uses pcode injection for segment and all userops. This affects 16-bit code and the HCS12 processor. (GP-1987, Issue #4252)

C Parsing. Added C-Parser support for static_assert and _Static_assert keywords. (GP-1958, Issue #4038)

C Parsing. Corrected C-Parser to parse sizeof structure members, both sizeof(ptr->member) and sizeof(struct.member). (GP-1964, Issue #4173)

Decompiler. Fixed bug causing the Decompiler to not label pointer references to the first parameter on the stack. (GP-2018)

GUI. Fixed bug that caused some edited functions to appear twice in the Functions window. (GP-2025)

GUI. Fixed potentially slow computer name lookup in the Error Dialog. (GP-2034)

Importer:COFF. Fixed importing of non-Microsoft COFF files when any section crosses address 0x80. COFF sections marked as data that won't fit into the default data address space will be loaded in the code address space. (GP-2045)

Ghidra 10.1.3 Change History (April 2022)

Improvements

API. Added the getActiveGraphDisplay() API method to GraphDisplayProvider to get the active graph. (GP-1804, Issue #4060)

Debugger. Created better comment in Dynamic Listing Go To dialog so users don't default to *:4 EAX syntax. (GP-1820)

Debugger. Created new navigation methods for Objects representing addresses. (GP-1822)

Debugger. Switched to DomainFile name in Debugger dialogs to avoid confusion. (GP-1872)

Debugger:Trace. Improved performance of trace database. (GP-1727)

FID. Updated stale signatures in the FID database files. (GP-1853, Issue #2877)

Importer:ELF. Added support for additional ELF ARM-32 relocations not previously handled (R_ARM_THM_JUMP8, R_ARM_THM_JUMP11, R_ARM_THM_MOVW_ABS_NC, R_ARM_THM_MOVT_ABS, R_ARM_THM_MOVW_PREL_NC, R_ARM_THM_MOVT_PREL, R_ARM_THM_MOVW_BREL_NC, R_ARM_THM_MOVW_BREL, R_ARM_THM_MOVT_BREL). (GP-1742, Issue #2794)

Processors. Refactored the 6805/6809 processor to better allow variants of MC6800 processor line. (GP-1695, Issue #3673)

Processors. Added 16-byte return values for AARCH64 in X0, X1. (GP-1739)

Scripting. Improved RecoverClassesFromRTTIScript's method to validate GCC programs. (GP-1832)

Bugs

Analysis. Fixed FID Analyzer to run only once on programs with call-fixups or identified non-returning flow. (GP-1502)

Analysis. Corrected the creation of Objective-C structures when structures collided with existing generic pointers laid down by chained-pointer processing during import. (GP-1841)

Analysis. Corrected stack reference creation and the display of current instruction stack depth in the stack-depth browser field for MIPS 64-bit language processor with 32-bit addressing. (GP-1862)

Analysis. Fixed placement of constant references when a parent register's value is built up using the smaller sub-registers (hi/low). This is common on MIPS and other 8-bit processors such as AVR8. This would occasionally cause a reference to be placed incorrectly on a previous function call. (GP-1942)

Basic Infrastructure. Fixed a NoClassDefFoundError that occurred when launching Ghidra in single-jar mode. (GP-1741, Issue #3961)

C Parsing. CParser fixes for pragma(push), re-included header files, #if/defined() tests on define values, unicode BOM files, and full evaluation of macro expansion. Added more information to the CParserPlugin.out file prefixed with /// comments which should enable easier diagnosis of parsing issues. Reparsed current standard data archives with correct 64/32 data organizations. Fixed issue where many data types had incorrect pack() values in Windows archives, such as WNDCLASSEXW. To make use of the corrected data types, programs data types will need to be re-synchronized if they depend on the included Windows or clib data type archives. Windows VS2022 and Windows 11 SDK header files can now parse and will be included in the next feature release. (GP-1744, Issue #3756)

Data Types. Corrected UnsupportedOperationException error which could occur when dragging a datatype from one archive to another. (GP-1758)

Data Types. Fixed Data Types filter not being applied when using the various Find actions. (GP-1799)

Debugger. Fixed the defaults for log4j file locations; template patterns for empty values were crashing the process on Windows. (GP-1731, Issue #3965)

Debugger. Fixed NullPointerException caused by Debugger Console's preferred height. (GP-1766)

Debugger. Fixed race condition on right-click of non-selected tree node. (GP-1845, Issue #4093)

Debugger. Fixed missing eflags in Register View for dbgeng. (GP-1873)

Debugger. Fixed IllegalArgumentException in TraceObjectManager. (GP-1874)

Debugger:Breakpoints. Fixed issue with toggling breakpoints from within the Dynamic Listing. (GP-1706)

Debugger:Memory. Fixed timing issue where Debugger Memory view may have incorrect location label. (GP-1882)

Debugger:Trace. Fixed issue with StringDataType null terminators in stale trace ranges. (GP-1737)

Decompiler. Updated the Decompiler Find dialog's default text when showing the dialog with comment text selected. (GP-1721, Issue #3946)

Decompiler. Fixed the Decompiler Find dialog's sometimes incorrect result highlighting. (GP-1765, Issue #3928)

Decompiler. Fixed a bug in the Decompiler preventing prototype overrides from being applied to calls produced by Call-Fixup injection. (GP-1792, Issue #3319)

Decompiler. Updated the Decompiler hover for structure fields to show the parent name and the offset in the parent. (GP-1793, Issue #3920)

Decompiler. Eliminated infinite loop in the Decompiler encountered when applying convert/equate. (GP-1924, Issue #4121)

FID. Fixed bug causing Program ... has different compiler spec... exception when populating FID signatures. (GP-1839, Issue #4042)

FileSystems. Fixed problem opening files in paths that start with a UNC location (\\location\path). (GP-1696, Issue #3912)

Framework. Fixed bug that could cause a NullPointerException when removing custom Compiler Specification extensions from a Program. (GP-1715, Issue #3906)

GUI. Fixed default function Plate Comment formatting. (GP-1717)

GUI. Fixed the Search Memory Dialog buttons to re-enable after closing a long-running search results table. (GP-1753, Issue #4014)

GUI. Updated Symbol Edit dialog to not allow namespaces editing with a blank name. (GP-1754, Issue #4015)

GUI. Fixed table CSV export of boolean values. (GP-1764, Issue #3947, #4026)

Headless. Corrected potential NullPointerException for Headless Analyzer when a specified filename to process does not exist in a searched project folder. (GP-1916)

Help. Fixed Help Viewer Find feature, clearing search result highlights when the search dialog is closed. (GP-1718)

Importer:ELF. Corrected MIPS type 5/6 relocation calculation. Previously, the LO16 value, extracted as an addend from the instruction, was not sign-extended. (GP-1834)

Importer:PE. Fixed a bug that prevented certain types of PE files from being recognized by the PeLoader. (GP-1713, Issue #3830, #3902)

Importer:PE. Detect .NET managed code in mixed Native/MangedCode binaries and only disassemble the correct x86 or CLR routines based on the current processor. (GP-1938, Issue #4159)

Processors. ARM BL conditional call instruction, which calls to the next instruction, has been changed to a branch instead of a call. Calling the next instruction on ARM is generally only to get the LR register loaded for PIC code. (GP-1752)

Processors. Fix bug in MIPS rdhwr instruction to use correct hardware registers. (GP-1879)

Scripting. Fixed the Bytes table column rendering in the scripting TableChooserDialog. (GP-1714)

Scripting. Fixed two bugs in RecoverClassesFromRTTIScript.java encountered when creating class structures. (GP-1781)

Scripting. OSGI jar bundles now correctly load on Windows. (GP-1846, Issue #3995)

Sleigh. Fixed bug preventing prototype model extensions with p-code from being imported. (GP-1915)

Ghidra 10.1.2 Change History (January 2022)

Improvements

Basic Infrastructure. Upgraded Gson to 2.8.9. (GP-1632, Issue #3802)

Basic Infrastructure. Upgraded log4j to 2.17.1. (GP-1641)

Build. Increased minimum supported Gradle version from 6.4 to 6.8. (GP-1680)

Debugger:Emulator. Emulator's PcodeStepper now displays the decoded instruction. (GP-1474)

Debugger:Watches. Double-clicking a pointer value in the Watches window navigates to the pointer rather than its address. (GP-1469)

Listing. Updated the Listing Operands field to support word-wrapping for enum data types. (GP-1665, Issue #3812)

Scripting. Improved the RecoverClassesFromRTTIScript to create function definitions for multi-inheritance and single virtual inheritance classes in the correct ancestor class data type folders. (GP-1663)

Scripting. Updated RecoverClassesFromRTTI script for GCC programs to only create typeinfo structures in non-executable memory. (GP-1686)

Bugs

Analysis. Fixed another bug with recovering Objective-C method names. (GP-1642, Issue #3817)

Analysis. Certain switch cases using the AARCH64 CSEL instruction will now recover correctly. Previously internal CBRANCH instructions could cause switch flow recovery failure in the decompiler switch analyzer. (GP-1687)

Analysis. Fixed unused Microsoft Demangler options. (GP-1688, Issue #3892)

Analysis. Reverted change (GP-1575) introduced with Ghidra 10.1 which improperly factored image-base into analysis of ELF LSDA GCC exception records. (GP-1702)

Build. Fixed gradle buildGhidra issue where a second build doesn't include all the files. This issue appears to be a bug introduced in Gradle 7. (GP-1648, Issue #3827)

Data Types. Fixed display of multiple Enum values. (GP-1657, Issue #3810)

Debugger. Now invalidating caches for dbgeng/dbgmodel in the GADP variants so the memory is not left stale. (GP-846)

Debugger. Fixed exception when cancelling password entry for GDBOverSSH. (GP-1655, Issue #3578)

Debugger:Memory. Fixed Debugger Memory background colors during emulation. (GP-1590)

Debugger:Trace. Fixed issue where emulated state leaked into recorded state. (GP-1620)

Debugger:Trace. Fixed NullPointerException when disassembling stale memory. (GP-1646)

Decompiler. Fixed the Decompiler Retype Field action to not rename the field. (GP-1654, Issue #3783)

Decompiler. Decompiler now recovers jump tables that use PIC mechanisms or other forms relying on injected p-code. (GP-1659)

Demangler. Fixed demangling bug that produced incorrect types such as unsigned_short. (GP-1662)

GUI. Fixed incorrect tool option reference in the Create Table From Selection action. (GP-1676, Issue #3858)

GUI. Fixed the Decompiler Find Text dialog's auto-complete feature to not change the default text entry added to the dialog. (GP-1685, Issue #3890)

Importer:Mach-O. Fixed an IllegalArgumentException that occurred when loading some kernelcache images. (GP-1675, Issue #2487)

Importer:PE. Fixed an exception that occurred when re-parsing PE programs with a .pdata section from memory. (GP-1636, Issue #3347, #3800, #3805)

PDB. Fixed incorrect bounds on item type iteration; one effect of the fix is that the user might notice more unsupported PDB data type messages in the log. (GP-1677)

Processors. Fixed issue with Motorola 6809 immediate operands being set to zero. (GP-1611, Issue #2116, #3755)

Processors. Corrected PowerPC efscmp* and efstst* instructions condition register usage. (GP-1639, Issue #2528)

Processors. Fixed the target of JUMP and JSR for the 6809 to use [target] instead of jumping directly to target which incorrectly jumped to the address of the unique variable. Also fixed a compile issue in the half-finished 6309 EXG and TFR instructions. (GP-1690, Issue #3825)

Scripting. Fixed the ApplyClassFunctionDefinitionUpdatesScript and the ApplyClassFunctionSignatureUpdatesScript to work correctly with the recent RecoverClassesForRTTI changes to function definitions. (GP-1601)

Scripting. Fixed bug in a class recovery helper class that was causing an exception in some cases when trying to replace a component in a structure. (GP-1670)

Scripting. Removed a misplaced space character in the name passed to setLabel in RecoverClassesForRTTIScript. (GP-1671)

Sleigh. Fixed bug that could cause erroneous decompilation of functions in overlays. (GP-1661, Issue #3828)

Ghidra 10.1.1 Change History (December 2021)

Improvements

Analysis. Fixed headless analysis exception related to running UI code from the GNU Demangler analyzer. (GP-1613, Issue #3765)

Basic Infrastructure. Upgrade logging dependency to use log4j 2.17.0 (GP-1621)

Debugger:Memory. Added New Memory Bytes View to Window->Debugger menu. (GP-1465)

Debugger:Memory. Fixed issue with Debugger Memory view scrolling. (GP-1591)

GUI. Removed restriction that prevented renaming tree nodes while the tree is filtered. (GP-1507)

GUI. Fixed issue where renaming a symbol in the symbol tree could result in the symbol appearing more than once (under different organizational nodes) (GP-1587)

Help. Fixed NullPointerException when using the help system with animation disasbled. (GP-1612, Issue #3767)

Bugs

Basic Infrastructure. Fixed the "ERROR StatusLogger Reconfiguration failed" message that appeared in the log when Ghidra was launched with support/ghidraDebug script. (GP-1607)

Debugger. Fixed null pointer exception in Debugger when opening a program from a shared project. (GP-1490)

Debugger. Fixed issue with context menus on the trace selector tabs in Debugger Threads window. (GP-1494)

Debugger. Fix for font resizing (GP-1597, Issue #3752)

Debugger. Fixes null-pointer exceptions in lldb (GP-1600, Issue #3645)

Debugger:Listing. Fixed default configuration problem when cloning the Debugger Listing window. (GP-1479)

Importer. Fix issue importing NE binaries that have a segment number greater than 127. (GP-1576, Issue #3715)

Ghidra 10.1 Change History (December 2021)

New Features

Build. Ghidra now builds on 64-bit Linux ARM and macOS M1 platforms. (GP-1106, Issue #3197)

Build. Native binaries for the current platform can now be built/rebuilt from within a release using the support/buildNatives(.bat) script. Please see the "Building Ghidra Native Components" section of the Installation Guide for additional information. (GP-1209, Issue #3387)

Data Types. DataType API: Added encodeValue and encodeRepresentation methods which facilitate patching. (GP-1265)

Debugger. Added Memory view (raw bytes) to the Debugger. (GP-80)

Debugger. Added new agent for LLDB on macOS and Linux. (GP-1005, Issue #2591, #2967)

Debugger. Added Copy Into Current Program and Copy Into New Program actions to Debugger. (GP-1214)

Debugger. Added Compare action to Dynamic Listing to compare points in time. (GP-1222)

Debugger. Added Events/Exceptions to Objects View. (GP-1288, Issue #3049)

Debugger:Emulator. Added Emulate Program and Add Emulated Thread actions for loading a program into a purely emulated trace. (GP-660)

Decompiler. Added support for else if syntax in Decompiler output. (GP-1172, Issue #1609)

Importer. Added support for Android formats (ART, OAT, ODEX, DEX, CDEX, VDEX) and Dalvik VM Sleigh modules for each major Android release up to version 12.x (S). (GP-1247)

Scripting. Created RunYARAFromGhidra.py to map YARA rules to Ghidra comments. (GP-1199)

Improvements

Analysis. The called ___chkstk_ms() function is now properly recognized and handled with a call fixup for windows x86-64. (GP-1347, Issue #1888, #1889)

Analysis. Added support for Objective-C small methods. (GP-1397, Issue #2719, #2732)

Analysis. Fixed several memory usage issues with constant propagation for very large functions, resulting in an average 10-20 percent time savings for constant propagation and stack analysis. (GP-1418, Issue #3508)

API. Updated API methods of the DataTypeChooserDialog. (GP-1349, Issue #3140)

Basic Infrastructure. Symbol performance in Ghidra was significantly improved. Specifically, new database indexes were created to improve finding primary symbols as well as improving lookups by combinations of name, namespace, and address. (GP-1082)

Basic Infrastructure. Added optional columns in the Functions table for several boolean-valued function attributes. (GP-1393)

Basic Infrastructure. Upgraded log4j dependency from 2.12.1 to 2.15.0 to resolve a security vulnerability. (GP-1588)

Build. Extension builds can now declare jar dependencies from standard Gradle repositories such as Maven Central. (GP-1144, Issue #2219, #2226)

Build. Increased minimum supported Gradle version from 6.0 to 6.4. (GP-1521, Issue #3650)

Data Types. Added support for zero-element arrays and zero-length components within structures and unions. Eliminated flex-array API methods and added/improved other Structure methods to handle multiple components which share the same offset. (GP-943)

Data Types. Added the ability to set comments on enum values. (GP-1316, Issue #1680, #2421)

Data Types. Updated Windows and generic clib data type archives to take advantage of improved CParser including changes to handle sizeof() correctly. (GP-1551, Issue #615)

Debugger. Respond to CLI-driven memory changes in dbgeng. (GP-853)

Debugger. User can now override the Debugger's processor selection when manually activating the Record (R) action. (GP-1233)

Debugger. User can now double-click in Listing margin to toggle breakpoints. (GP-1395)

Debugger. Adjusted alignment of Description tag in Debugger's Connect dialog. (GP-1416)

Debugger:Emulator. Added more accessor methods to PcodeThread, Machine, Executor, and similar classes. (GP-1223)

Debugger:Emulator. Added more accessor methods to PairedCodeArithmetic, ExecutorState, ExecutorStatePiece, and similar classes. (GP-1224)

Debugger:Emulator. Emulator now responds better to memory and register edits. (GP-1486)

Debugger:Emulator. Registers window can now modify emulated register values. (GP-1530)

Debugger:GDB. GDB manager handles =cmd-param-changed events. (GP-1330)

Debugger:GDB. Ported GDB's SSH connector to JSch. (GP-1387)

Debugger:LLDB. Improved build scripts for LLDB Java language bindings. (GP-1477)

Debugger:Memory. Added Force Full View override toggle to Debugger's Regions window. (GP-1447)

Debugger:Stack. Fixed various NullPointerExceptions among the Debugger Stack and Threads windows. (GP-1475)

Debugger:Trace. Trace API now supports Overlay spaces. (GP-484)

Decompiler. Added the Rename Label Decompiler action to allow label name editing. (GP-1195, Issue #1751)

Decompiler. The Decompiler now recognizes typedef relationships between data-types when determining if casts are necessary. (GP-1297, Issue #2393, #3249)

Decompiler. Improved the Decompiler's analysis of pointer calculations affected by common subexpression elimination. (GP-1312)

Decompiler. Added methods to ClangTokenGroup to facilitate iteration and filtering over the Decompiler's output tokens. (GP-1317, Issue #2040)

DWARF. Relaxed DWARF symbol name mangling to allow colons and forward slashes; changed space mangling to use underscores. (GP-1122, Issue #2014, #2043)

DWARF. Improved DWARF analyzer to handle MIPSPro 64-bit file format oddity. (GP-1171, Issue #3223)

DWARF. Improved DWARF analyzer to import DWARF data from PE binaries. (GP-1192, Issue #1267)

DWARF. Add support for DWARF external debug files. (GP-1286, Issue #3513)

DWARF. Added support for DWARF noreturn function attribute. (GP-1390)

Eclipse Integration. Eclipse Python breakpoints now work when Eclipse installs PyDev in .p2 bundle pool directory. (GP-1338, Issue #3453, #3454)

Exporter. Updated the DataTypeWriter to emit enum comments. Furthermore, the enum data type has been updated to return names sorted by enum value, which is now the order in which enum values will be emitted by the DataTypeWriter. (GP-1374, Issue #1664)

Exporter. The PE Exporter no longer forces files to be saved with a .exe extension. (GP-1385, Issue #3391)

Extensions. Building extensions now fails gracefully if an unsupported Gradle version is used. (GP-1189, Issue #3313)

FileSystems. Temporary files created by GFilesystem implementations are now obfuscated when written to disk. (GP-253)

FileSystems. Added support for opening password-protected zip files. (GP-725, Issue #377)

FileSystems. Add support for opening HFS+ volume images. Improved support for ISO9660 images by using 7-Zip library. (GP-807)

Graphing. Created concept of graph types that define specific vertex and edge types so that color and shape attributes can be assigned indirectly to vertices and edges. Created tool options for setting/changing the display attributes for these types. (GP-773)

GUI. Added new layouts to the Function Graph. Each new layout is using one of the Jungrapht layouts. (GP-926)

GUI. Added option to change the background color of the Function Call Graph. (GP-1014)

GUI. Added menu support for the following navigation keys: Page Up, Page Down, Home, End, and number keys 1-9. (GP-1081, Issue #2811)

GUI. Added an option to group the XRef field in the Listing by function. (GP-1093, Issue #1305)

GUI. Symbol tree has been changed to improve its behavior in the presence of large scale changes such as analysis, loading PDB, etc. It now will auto-close the label or function category if the internal organization becomes too much out of balance. This will also improve the analysis performance when the root category nodes are closed. (GP-1198)

GUI. Improved composite interior selection of components with shared offset such as bit-fields. Previous behavior was forcing selection of multiple components. (GP-1261)

GUI. Fixed ClassCastException due to the Patch action incorrectly being added to the Function Graph context menu. (GP-1334, Issue #3288)

GUI. Updated the Search Memory dialog to allow the user to enter a single wildcard character to search for any byte value. Previously, two consecutive wildcard characters were required. (GP-1358, Issue #3351)

GUI. Updated auto-comments to show user-defined repeatable comments from the reference destination. (GP-1361, Issue #2475)

GUI. Changed the Context column to allow for filtering of special characters in the results table of the Find Uses of action. (GP-1370, Issue #3473)

GUI. Updated the CodeBlockIterator interface to extend Iterable. This allows the iterator to be used in Java's foreach loops. (GP-1381, Issue #3478)

GUI. Added Find Structures by Offset... and Find Structures by Size... actions to the Data Type Manager window. (GP-1382, Issue #759)

GUI. Added the ability to remove a non-default symbol by setting the Edit Label dialog text to the empty string; added an action to the Decompiler to remove non-default labels. (GP-1383, Issue #3285)

GUI. Fixed the Function Editor's Storage Address Editor dialog to ensure that the Cancel button will not allow data type changes to be passed through to the primary editor. (GP-1398, Issue #3490)

GUI. Updated the Comments Dialog to allow the Shift-Enter keystroke to insert a newline at the cursor position. (GP-1428, Issue #3548)

GUI. Updated the Symbol Table to allow users to enter optional namespaces when editing a symbol name. (GP-1430)

GUI. Fixed issue with shared actions across windows sometimes getting the wrong (non-focused) context. This was mostly related to windows with snapshot components. (GP-1440)

GUI. Updated the Data Types context menu to include all actions when showing the menu from the keyboard via Shift-F10. (GP-1566, Issue #3678)

Importer. Added support for new Mach-O load commands and file types. (GP-398, Issue #2487, #3572)

Importer. Added method to Memory to find addresses where a specific byte from a loaded FileBytes object is used in memory. (GP-1166)

Importer:Mach-O. The Mach-O loader now outputs a warning when it encounters encrypted sections. (GP-1406, Issue #1935)

Importer:Mach-O. Added support for the new iOS 15 and macOS Monterey dyld_shared_cache format. (GP-1524, Issue #3345, #3666)

Importer:PE. Added support for long section names (e.g., "/1234" indicates offset into string table where actual section name is found) in PE binaries. (GP-1177, Issue #1267)

Multi-User. Upgraded YAJSW to 13.01-beta. Ghidra Server can now run with JDK 17. (GP-1266, Issue #3406)

PDB. Improved processing time on huge PDBs, especially when many labels are seen at the same address, such as with Identical COMDAT Folding. This change also allows some additional valid labels to be applied at these addresses. (GP-1298)

Processors. Added pcodetests for ARM version 5, which does not support thumb mode. (GP-1078)

Processors. Added 65C02 opcodes to the 6502 processor. (GP-1112, Issue #1261, #3170)

Processors. Made numerous improvements to the SPARC language module. (GP-1135)

Processors. Improved and fixed several issues involving the SuperH4 language module. (GP-1212)

Processors. Updated manual index page numbers for AMD VMX instructions. (GP-1219, Issue #2923)

Processors. Updated x86 and AARCH64 processor manual index files. (GP-1234)

Processors. Added longMode bit to x64 language spec for mixed 32-/64-bit use cases; e.g., WoW64. (GP-1255)

Processors. Made minor improvements to the RISC-V language module. (GP-1409)

Processors. Corrected swap instruction semantics for PIC-24,30,33 processors. (GP-1565, Issue #3670)

Scripting. Improved RecoverClassesFromRTTIScript to better define virtual function data definitions to be more generically used by all related class structures. (GP-1311, Issue #3417)

Scripting. Added options to allow removal of replaced class structure data types when replaced with ones created by RecoverClassesFromRTTIScript. (GP-1315, Issue #3443)

Scripting. Changed class structures created by RecoverClassesfromRTTI so that the vftable pointers are separated from the class data structures inside a derived class. This allows the derived class vftables structures to be accessed correctly by the Decompiler. (GP-1408)

Sleigh. Modeled undocumented encoding of REP prefix for x86 instructions. (GP-1294, Issue #731)

Version Tracking. Updated Version Tracking to address multiple performance issues. (GP-1421, Issue #3221)

Version Tracking. Slightly relaxed score thresholds for the reference correlator portions of auto version tracking to enable discovery of more high scoring matches. (GP-1448)

Bugs

Analysis. Fixed a bug that would result in the COFF Header Annotation analyzer running on PIC binaries when it was not intended to. (GP-1366, Issue #3386)

Analysis. The Objective-C analyzer no longer crashes when encountering categories with an implementation in an external binary. (GP-1413, Issue #3510)

Analysis. Fixed a stack overflow in the Objective-C 2 Class analyzer. (GP-1420, Issue #2378)

Analysis. Fixed a bug with recovering Objective-C method names. (GP-1548, Issue #3611)

Analysis. Corrected a potential infinite loop in stack analysis and constant propagation due to recurring call-fixup injection to the same location. (GP-1554, Issue #3683)

Analysis. Fixed certain ELF exception records in ELF binaries marked as DW_EH_PE_absptr that are not relocated correctly when the binary is loaded in an alternate image base. (GP-1575)

API. Fixed issues related to moving memory blocks where the source and/or destination have pinned symbols. This could have resulted in addresses with symbols where no symbol is primary or having multiple symbols at an address that are primary. It could also have resulted in pinned symbols being moved from the destination to the source address range. (GP-1103)

API. Fixed an issue with the SymbolManager method getClassNamespaces() where it was only returning class namespaces in the global namespace. (GP-1346)

API. Critical Ghidra 10.1-BETA Issue: Corrected external function bug introduced in Ghidra 10.1-BETA which caused new functions to not be marked as primary. This is a critical bug which could impact most programs imported with 10.1-BETA. Such imports should be re-imported with this fix in place. (GP-1525)

C Parsing. Several issues parsing C header files have been fixed including ternary macro expression evaluation, #line preprocessor markup within functions and structures, far/near recognized as a keyword, and handling of __asm syntax. (GP-1335, Issue #1069, #1082, #2667, #464, #929)

Debugger. Fixed program actions (Save, Close, Undo, etc.) to work properly in the Debugger. (GP-508)

Debugger. Fixed issue getting registers on ARM targets with GDB where command exceeded 4096 characters. (GP-1356, Issue #3297, #3509)

Debugger. Fixed several issues with the GDB connector's use existing session option. (GP-1365)

Debugger. Fixed a NullPointerException from canceling a debug launch. (GP-1442)

Debugger. Fixed Select Addresses button for Debugger Modules pane. (GP-1450)

Debugger. Fixed issue with duplicate selection actions in the Debugger tool. (GP-1452)

Debugger. Fixed a bug in emulation where read/write ranges include the max address. (GP-1493)

Debugger. Fixed exception behavior for toggled Continue/Handled options. (GP-1558, Issue #3049)

Debugger:Emulator. Fixed Debugger integration and trace emulation for WoW64. (GP-1245)

Debugger:Emulator. Relaxed and corrected some logging of UNKNOWN/uninitialized values during emulation. (GP-1488)

Debugger:Emulator. Fixed several issues in Emulator with respect to Harvard architectures, memory-mapped registers, and word-addressable systems. (GP-1540)

Debugger:GDB. Fixed issue with GDB/GADP hang in development mode. (GP-1360)

Debugger:GDB. Fixed issue interrupting GDB targets launched without temporary breakpoint on main. (GP-1362)

Debugger:GDB. Fixed issues parsing and displaying various types of GDB breakpoints. (GP-1364)

Debugger:GDB. Fixed problem passing arguments to GDB in IN-VM and SSH modes. (GP-1368)

Debugger:GDB. Fixed a NullPointerException when terminating GDB. Changed PtySession API to prevent future occurrence. (GP-1399, Issue #3487)

Debugger:Listing. Fixed stack trace when switching to trace of a different processor language. (GP-1547)

Debugger:Trace. Fixed 'ram' not in this trace/language error. (GP-1411, Issue #3509)

Decompiler. Fixed a corner case in the manipulation of integer ranges by the Decompiler. (GP-1243, Issue #3064)

Decompiler. Fixed a bug in the Decompiler's renaming algorithm that could cause memory corruption in rare cases. (GP-1380, Issue #3429)

Demangler. Fixed GNU Demangling bug encountered when Address Table types have spaces in the parent namespace name. (GP-1051)

DWARF. Fixed check for invalid function addresses. (GP-1573)

Eclipse Integration. Fixed an exception in the GhidraDev Eclipse plugin that occurred when performing a Link Ghidra operation on projects that use a Gradle classpath container. (GP-1149, Issue #3087, #3088)

Exporter. IDA exporter no longer fails when function stack variables have comments. (GP-1190, Issue #2350, #3309, #748)

Exporter. Fixed an issue with the ElfExporter not correctly undoing relocations when they spanned partially file-backed memory blocks. (GP-1570, Issue #3696)

FileSystems. Fixed Ext4 handling of longer symlink paths and added support for inline data. (GP-1088)

FileSystems. Fixed Ext4 file system to handle volumes with blocksize 1024 and a first data block value of 1. Also added support for old style block maps. (GP-1094, Issue #1877)

Framework. Fixed error causing exception in the Specification Extensions panel when importing a new callotherfixup. (GP-1414, Issue #3502)

GUI. Fixed potential infinite loop in Function Graph edge painting. (GP-1019, Issue #2114)

GUI. Fixed minor memory leak encountered when using Search -> For Address Tables. (GP-1030, Issue #3013)

GUI. Fixed bug that prevented the Decompiler scalar hover tooltip from showing. (GP-1071, Issue #3142)

GUI. Fixed NullPointerException in File System Browser when closing the current project. (GP-1096, Issue #3179)

GUI. Fixed the script console to not lock the GUI when a large amount of text is being written. (GP-1148, Issue #3251)

GUI. Fixed long GUI hang when attempting to Set External Program on an import within in a large Ghidra project. (GP-1155, Issue #3245)

GUI. Fixed UI freeze when connecting to a large remote project. (GP-1200, Issue #3305)

GUI. Tweaked enablement of several search actions so that instead of being disabled when on a restricted view provider (e.g., Decompiler, FunctionGraph), they instead are enabled, but apply to the global listing provider. (GP-1259)

GUI. Fixed stack trace in the Function Call Graph when using the Show Incoming Level Edges action. (GP-1302, Issue #3327)

GUI. Fixed the Search Memory dialog issue that caused odd resize behavior when using the Advanced button. (GP-1333, Issue #3158)

GUI. Fixed tracking of Favorite data types when switching between multiple open programs. (GP-1391)

GUI. Fixed user list scrollbar in shared project dialog when there is a large number of users. (GP-1410)

GUI. Fixed bug that cause a structure field name to change when using the Retype Field action without picking a new data type. (GP-1429, Issue #3483)

GUI. Fixed issue when attempting to rename a datatype that has the same name as a category in the same parent cateogory. The rename would attempt to rename the category instead of the datatype. (GP-1445)

Importer. Fixed issue with Extract and Import action trying to create invalid filenames. (GP-1024, Issue #3114)

Importer. Fixed Extract and Import action when highlighting bytes in the debugger view. (GP-1449)

Importer:ELF. Corrected ELF importer error which could occur when processing memory section overlay blocks caused by AddressOutOfBoundsException exception. (GP-1052, Issue #3128)

Importer:ELF. Corrected various markup issues related to packed ELF Android relocations. Added missing ELF Arm 32-bit RELR relocation support. (GP-1352, Issue #3462)

PDB. Fixed short timeout values when downloading PDB files. (GP-1105, Issue #3184)

PDB. Fixed the Load PDB dialog to better handle missing or incomplete metadata. (GP-1180, Issue #3289)

PDB. Fixed NullPointerException encountered for a particular array of enums scenario where the enum definition processing had not completed. (GP-1456, Issue #3484)

Processors. Corrected return type for MIPS32 JIC instruction. (GP-938, Issue #3022)

Processors. Corrected pcode for ARM/ARM-Thumb adcs and sbcs carry and overflow flag updates. (GP-1043)

Processors. Corrected flag handling for some 6502 instructions. (GP-1054, Issue #3096)

Processors. Fixed issues with PPC register overwrites. (GP-1075, Issue #1672)

Processors. Fixed 6502 bit instruction semantics. (GP-1115, Issue #2558, #3095)

Processors. Fixed MIPS 32-bit little endian floating point register ordering. (GP-1129, Issue #3212)

Processors. Corrected PowerPC ISA instruction manual index page numbers. (GP-1218, Issue #2927)

Processors. Updated Tricore manual index file to match correct page numbers. (GP-1220, Issue #2926)

Processors. Fixed bug in SuperH moveml.l instruction which caused a load instead of store register. (GP-1263, Issue #3379)

Processors. Corrected semantics for MIPS INS instruction. (GP-1290, Issue #3405)

Processors. Corrected MIPS64 DINS instruction semantics. (GP-1291, Issue #2232)

Processors. Corrected semantics of PA-RISC shift conditions, which was incorrectly using the register size in bytes, as opposed to bits. (GP-1292)

Processors. Corrected ARM neon vmrs instruction disassembly. (GP-1322, Issue #3446)

Processors. Corrected SuperH bld and movemu instruction semantics. (GP-1331, Issue #3449)

Processors. Removed deprecated ARM condition code 15. (GP-1332)

Processors. Corrected issue with x86 call instructions when stack pointer is used as a reference. (GP-1357, Issue #3455)

Processors. Corrected MIPS pcodeop error in tlbr instruction. (GP-1363, Issue #3463)

Processors. Corrected ARM Thumb conditional instruction it to allow the al (always) conditional. (GP-1402, Issue #3499)

Processors. Removed extraneous sb from ARM ldrsb instruction. (GP-1412, Issue #3522)

Processors. Implemented M68000 CHK, CHK2, and CMP2 instructions. (GP-1478, Issue #2856, #3616)

Processors. Corrected SuperH trapa instruction to use a call p-code op instead of a goto. (GP-1504, Issue #3600)

Processors. Corrected x86 instruction parse and semantics for RDRAND and RDSEED. (GP-1564)

ProgramDB. Corrected language upgrade issue which could result in lost memory reference due to RefType change. (GP-1392)

Scripting. RecoverClassesFromRTTIScript now consistently applies its class structures in programs that have PDB information applied. Also, an option was added so users can decide whether to replace existing class data in thiscall functions regardless of whether they originated as PDB or not. (GP-1464)

Scripting. Fixed an issue where some GhidraScript print methods were not getting output to the script log file. (GP-1541, Issue #3657)

Sleigh. Corrected sleigh-language endian-mismatch error-message formatting. (GP-1132, Issue #3215)

Sleigh. Made numerous fixes to the PowerPC SLEIGH language module. Note: minor language version upgrade. (GP-1250)

Version Tracking. Fixed UnsupportedOperationException in Version Tracking when attempting to find references to register or stack addresses. (GP-1084, Issue #1152)

Version Tracking. Fixed Version Tracking Swap button to not trigger the reloading of programs. (GP-1183)

Ghidra 10.0.4 Change History (September 2021)

Improvements

Multi-User. Added class serialization filter to Ghidra Server as a security measure. (GP-1314)

Bugs

C Parsing. Changes to the CParser have been made to successfully parse a greater number of header files. The CParser will now correctly evaluate the truth of expanded macro substitutions in #if statements. Operator precedence has been corrected and support for additional operators added for constant simplification that is used to specify array sizes during parse. In addition, C17 structure initialization syntax and multiple type casts are now parsed. (GP-1295, Issue #1652, #2665, #2666, #3410)

Debugger. Changed Track Program Counter, etc., to re-track even when clicking them doesn't change the current setting. (GP-1282)

Debugger:GDB. Fixed issue with CRLF using GDB/SSH from Windows. (GP-1309, Issue #3426)

Decompiler. Fixed a NullPointerException encountered when hovering over the name of an Undefined Function in the Decompiler window. (GP-1260)

Decompiler. Fixed bug causing the Missing userop attribute in segmentop tag error message in the Decompiler for Z80 executables. (GP-1305, Issue #3329)

Decompiler. The Decompiler now handles small dynamically sized data types, like Alignment. (GP-1327, Issue #3399)

GUI. Fixed an AssertException in the Default Graph Display encountered when loading a saved graph layout. (GP-1313, Issue #3441)

Headless. Corrected NullPointerException for headless when no opinion results are found. (GP-1323)

Importer:PE. Fixed a regression with parsing COFF Aux symbols for PE/MZ loaders. (GP-1174, Issue #3442)

Multi-User. Corrected and improved specification of TLS version restrictions for client use via launch.properties and Ghidra Server use via server.conf. (GP-1287)

Processors. Corrected endianness mix-up in MIPS function start bit-patterns. (GP-1310, Issue #3421)

Ghidra 10.0.3 Change History (September 2021)

New Features

Debugger:Watches. Added ability to modify target memory and registers via the Watches window. (GP-1264, Issue #2866)

Improvements

Analysis. Improved SH4 constant reference analysis for PIC code, reference placement for jumps/calls, and non-return function analysis. General constant reference analysis has also been improved. (GP-1258)

Basic Infrastructure. Removed usage of the --illegal-access=permit JVM argument for improved JDK 17 runtime support. The Ghidra Server continues to require JDK 11 to successfully run at this time. (GP-1193, Issue #3355)

Debugger. Debugger Agent windows now display log messages. (GP-507)

Debugger. Changed Debugger's Launch action to propose the current program as the command line. (GP-1176)

Debugger. Providing broader defaults for recording GDB-supported architectures. (GP-1237)

Debugger:GDB. GDB connector's Use existing session prompts with more instructions. (GP-1076)

Debugger:GDB. Added use starti option to GDB launcher. (GP-1158)

Debugger:Mappings. Added Map Identically action to Modules window. (GP-1232)

GUI. Changed analysis options to always show current program options when accessed via Edit -> Options for <program>.... Also added warning if the user makes changes to the analysis options and then changes the combo box without saving the changes first. (GP-1188)

Importer. The ContinuesInterceptor, which allows the import process to proceed past uncaught exceptions that can be encountered while parsing corrupted headers, has been disabled by default. Its usage is now deprecated and will be removed in a future Ghidra release. It can be temporarily re-enabled in support/launch.properties. (GP-1248)

Importer:ELF. Added support for additional ELF AARCH64 relocations such as R_AARCH64_LDST64_ABS_LO12_NC. (GP-1278, Issue #3352)

Processors. Corrected semantics for x86/x64 FXSAVE and related instructions. (GP-1228)

Processors. Added semantics for several x86/x64 vector operations. (GP-1262)

Bugs

Byte Viewer. Fixed stack overflow issue in ByteViewer. (GP-1276)

C Parsing. Eliminated static variables that caused follow-on CParser tasks to error because they started in a bad state. (GP-1251, Issue #1421, #3350)

Debugger. Fixed NullPointerException in Objects window's Import/Export actions. (GP-1047)

Debugger. Fixed NullPointerException in DBTraceStack. (GP-1059)

Debugger. Fixed a rare deadlock involving DBTrace.addListener. (GP-1154)

Debugger. Track PC action now scrolls to cursor even if the cursor is already at PC. (GP-1175)

Debugger. Created better mapping of GDB ARM architecture names to Ghidra languages for the Debugger. (GP-1221, Issue #3333)

Debugger. Capture Memory button is more aggressive in finding the correct region to capture, reducing bad region errors. (GP-1227)

Debugger. Fixed delay slot disassembly in Debugger dynamic listing. (GP-1246, Issue #3358)

Debugger:Emulator. Fixed cache-reading issue in trace emulation. (GP-1187)

Debugger:Emulator. Fixed a critical typo in PairedPcodeArithmetic. (GP-1191)

Debugger:Trace. Dynamic listing now updates immediately when changing data type settings. (GP-1215)

Debugger:Trace. Removed Missing Instruction Prototype exception in favor of using InvalidPrototype. (GP-1226)

Debugger:Trace. Adding context fields to Register viewer no longer throws an exception. (GP-1256)

Decompiler. Fixed a bug that could cause an infinite loop in the Decompiler when using bonded register pairs. (GP-1270, Issue #3105)

Decompiler. Fixed a bug causing Exceeded maximum restarts with more pending warnings in the Decompiler. (GP-1277, Issue #3104)

Disassembly. Fixed an IllegalArgumentException in the Non-Returning Functions analyzer caused by processor specifications without a defined context, such as Sparc and SH4. (GP-1216)

DWARF. Corrected potential random errors in DWARF parsing caused by modifications to a shared global static DWARF decoder. (GP-1272)

Exporter. Exporters with empty default extension names will no longer append a dot to the output filename. (GP-1201, Issue #3325)

GUI. Fixed the missing mnemonic of the Graph menu. (GP-1244, Issue #3330)

Processors. Corrected carry flag semantics for the 6502 processor's SBC instruction. (GP-1109, Issue #3189, #3190)

Ghidra 10.0.2 Change History (August 2021)

New Features

Scripting. Created an example script which demonstrates how to use the FileBytes class to do a binary export of the current program. (GP-1157)

Improvements

Data Types. When creating a substructure from existing components, the new structure will adopt the pack setting of the parent structure from which it was created. Note that a packed structure may still move based upon component alignment rules. (GP-1111, Issue #3193)

Decompiler. Added E key binding to the Decompiler's Equate action. (GP-1146, Issue #3195)

GUI. Added Apply button to analysis options dialog. Also added a last chance save/cancel dialog that is shown when a user cancels an options dialog that has unsaved changes. (GP-1169, Issue #3274)

Scripting. For stripped GCC binaries, improved prototype RecoverClassesFromRTTIScript identification of vtables and simple class data, constructors, and destructors. (GP-1055, Issue #3266)

Bugs

Basic Infrastructure. Fixed regression that prevented Ghidra from launching on Windows when its path contained spaces. (GP-1113, Issue #3201, #3205)

Data Types. Fixed IllegalArgumentException error message when adding a duplicate enumerate name for EnumDataType. (GP-1173, Issue #3246)

Debugger. Changed diagnostics to write GDB.log to user directory, not installation. Clarified an error message. (GP-1133, Issue #3218)

Debugger. Improved error reporting when failing to start a Debugger GADP agent. (GP-1136, Issue #3175)

Debugger. Added system property to toggle alternative icons/colors for breakpoints. (GP-1139, Issue #3204)

Debugger. Applying a default everything memory map for GDB targets if info proc mappings fails or produces an empty list. (GP-1142, Issue #3071, #3074, #3161, #3169)

Debugger. Fixed issue with Debugger ignoring JAVA_HOME when launching child JVM. (GP-1143, Issue #3231)

Debugger. Fixed command-reply matching issue when using GDB via SSH. (GP-1153, Issue #3238)

Debugger:Emulator. Fixed bug in Trace Emulation causing ArrayIndexOutOfBoundsExceptions. (GP-1058)

Decompiler. Fixed issue causing Offset must be between... AddressOutOfBoundsException, when decompiling real-mode x86 programs. (GP-1163, Issue #239, #2948)

Decompiler. The decompiler now shows results when a HighGlobal has no associated symbol reference in the program. (GP-1184)

DWARF. Changed processing to ignore incomplete DWARF parameter lists in Rust binaries. (GP-1121, Issue #3060)

Exporter. The C/C++ Exporter now emits semicolons after function prototypes when using the Create Header File option. (GP-1145, Issue #1644)

Framework. Corrected address comparison for 64-bit signed address spaces (e.g., stack space, constant space) which could produce non-transitive comparison results. (GP-1178, Issue #3302)

Graphing. Corrected graph magnification behavior when using a high resolution mouse wheel. (GP-1181, Issue #3281, #3284)

GUI. Fixed NullPointerException when Hovering in Decompiler over a function that is not in memory. (GP-1131)

GUI. Fixed bug in Find References to search results that prevented '<' characters from being rendered. (GP-1137, Issue #3217)

GUI. Fixed issue where duplicate label names could cause the symbol tree to become unstable, evidenced by broken display and scrolling actions. Also, improved grouping algorithm. (GP-1159, Issue #3263)

GUI. Fixed Enter key in Set Equates dialog to choose the selected table row. Updated the Function Signature Editor dialog to allow the Cancel key to close the dialog when the focus is in the top text editor. (GP-1162, Issue #3235)

Headless. Fixed a regression in analyzeHeadless.bat that prevented the headless analyzer from running on Windows in some cases. (GP-1156, Issue #3261)

Importer. The MzLoader now populates the relocation table when relocations are performed. (GP-1160)

Importer:ELF. Corrected dynamic GOT/PLT markup problem for images which do not contain section headers. In cases where image does not define symbols within the PLT, analysis may be relied upon for its disassembly. ELF Importer's goal is to migrate symbols which may be defined within the PLT to the External symbol space. (GP-1110, Issue #3198)

Importer:Mach-O. The Mach-O importer now correctly interprets indirect symbols as references to symbols within another .dylib. (GP-1120)

Importer:PE. Improved ControlFlowGuard markup and creation of functions (GP-1179, Issue #1547, #1565)

Processors. Fixed bug in SuperH4 fmov.s pcode. (GP-1152)

Processors. The ARM instruction semantics for the mulitple-single-element forms of the vld1/vst1 vector instructions have been corrected. (GP-1167)

Sleigh. Fixed a string formatting error in the sleigh compiler. (GP-1124, Issue #3168)

Ghidra 10.0.1 Change History (July 2021)

New Features

Decompiler. The Decompiler now supports conversion (hex, dec, bin, oct, char) and equate actions directly on constant tokens in the Decompiler window. To the extent possible, these actions also affect matching scalar operands in the listing. (GP-1053, Issue #21)

Improvements

Basic Infrastructure. Ghidra now gracefully fails to launch when its path contains an exclamation point. (GP-1057, Issue #1817)

FileSystems. Can now handle multi-level Ext4 extent nodes when reading a file. (GP-1070)

Bugs

Build. No longer building and distributing the Debugger native test binaries. (GP-1080, Issue #3160, #3177)

Debugger. Corrected potential deadlock condition within Debugger which could occur under some circumstances during a breakpoint or while stepping. (GP-1072)

Decompiler. Fixed a bug in the Decompiler causing Overriding symbol with different type size exceptions. (GP-1041)

Exporter. PE and ELF exporters no longer error out when processing non-file-backed relocations. (GP-1091)

FileSystems. Corrected problem mounting Ext4 file systems when the container file is larger than the file system. (GP-1067)

Importer:ELF. Corrected ELF relocation error reporting, including error bookmarks, when relocation handler extension is missing. (GP-1097)

Jython. Added __file__ attribute support in Jython scripts. (GP-1099, Issue #3181)

PDB. Fixed bug that prevented constructor signatures from being created properly. (GP-1086)

PDB. Fixed bug in PDB CLI processing that could kill analysis for binaries imported with older versions of Ghidra. (GP-1104)

Processors. Added ELF Relocation handler for SuperH processors. Only a few common relocation types have been added. (GP-1090)

Scripting. Fixed a potential NullPointerException that could occur when trying to run a script that doesn't exist. (GP-1074, Issue #2742)

Scripting. Improved graphing of class hierarchy in RecoverClassesFromRTTIScript and the GraphClassesScript to handle duplicate class names, class namespace delimiters, and to make better vertex descriptions. (GP-1095)

Scripting. Fixed a flaw in the RecoverClassesFromRTTIScript that was not using PDB information to create data member names in class data structures. (GP-1101)

Ghidra 10.0 Change History (June 2021)

New Features

Debugger. Introduced the Debugger, along with GDB and dbgeng.dll connectors for debugging user-mode applications on Linux and Windows, respectively. The UI includes threads, timeline, modules, memory, registers, watches, etc., for examining and controlling debug targets. See Help -> Contents -> What's New for more details. (GP-986)

Exporter. For programs imported with the PE and ELF loaders, new exporters are available that write back to the original file layout. Any file-backed bytes that were modified by the user in the program database will be reflected in the written file (except on relocations). Writing back a modified Memory Map is not supported. (GP-786, Issue #1501, #1505, #19)

Graphing. Added Graph -> Data actions to the Code Browser, allowing visualization of specified pointer relationships in a graph. (GP-194)

Scripting. Added prototype RecoverClassesFromRTTIScript and that uses RTTI information to enhance Ghidra's knowledge of class hierarchy, class member function types (constructors, destructors, deleting destructors, clones) and class member data. The script will label and put member functions into correct class namespace and apply new class structures created either using PDB information, if available, or Decompiler pcode information. (GP-339)

Scripting. Added an example script, LocateMemoryAddressForFileOffset, to demonstrate mapping of a location in the original imported file to the program memory address. Useful for cases where the original file offset is known; for example, a YARA rule match. (GP-782)

Scripting. Created a script to allow users to search for image base offsets to the current cursor location in 32-bit and 64-bit programs. (GP-863)

Improvements

Analysis. Function signatures, including return types and argument data types, are now decoded from CLI Metadata for .NET binaries. (GP-327)

Analysis. Switched #Strings table processing from ASCII to UTF-8 for CIL binaries. (GP-330, Issue #423)

Analysis. Added Constant, Assembly, and AssemblyRef blob processing for CIL binaries. (GP-465)

Analysis. Added the Variadic Function Signature Override analyzer, which identifies functions that take a format string as a parameter and applies the correct signature override at each call site. (GP-516)

Analysis. Added ability to save and easily reuse analysis options in customer-defined configurations. (GP-544, Issue #2182, #312)

Analysis. Ghidra analysis is now aware of more PE/Windows non-returning functions. (GP-733, Issue #2111)

Analysis. ResolveX86orX64LinuxSyscallsScript now properly marks non-returning syscalls. (GP-868, Issue #2761)

API. Revised Structure and Union API, and associated editor, to eliminate the use of the terms Unaligned/Aligned in favor of a packing enablement designation. Also corrected various change notification issues which may improve archive synchronization and merge behavior. (GP-862, Issue #2681)

API. Renamed Datatype.isDynamicallySized() to DataType.hasLanguageDependantLength() to avoid confusion. This method is used internally to differentiate between fixed-length types and those whose length is determined by the compiler specification's data organization (e.g., pointers). (GP-932)

Basic Infrastructure. Improved error reporting when trying to launch Ghidra from the git repo without Eclipse having compiled it. (GP-815, Issue #2872)

Build. Command gradle -I gradle/support/fetchDependencies.gradle init now downloads the Function ID datasets from the ghidra-data GitHub repository so they will be automatically included in development mode and custom builds. (GP-678, Issue #1007)

Build. Performing a gradle clean no longer deletes downloaded dependencies. The top-level flatRepo directory has been replaced with the dependencies directory. (GP-811, Issue #1663)

Build. Ghidra now requires Gradle 6.0 or later to build. Gradle 7.x is now supported. (GP-849, Issue #2949)

Build. Made changes to gradle code to remove warnings. (GP-993, Issue #3039)

Data Types. Added support for hexadecimal byte offset display within composite bitfield view. (GP-910, Issue #2959)

Decompiler. Decompiler analysis now automatically identifies and displays loop variables using standard for-loop syntax. When a loop variable is discovered, a condition, iteration, and optional initializer statement are displayed at the top of the loop. (GP-565)

Decompiler. Added the Max Instructions per Function Decompiler tool option, specifying the maximum number of instructions the Decompiler will decode in a single function before throwing an exception. Previously, this had been a hard-coded limit. (GP-767, Issue #2557)

Decompiler. The Decompiler now propagates datatypes across signed comparison operations, so constant integer and enum values display correctly. (GP-802, Issue #2565)

Demangler. Updated the GNU Demangler Analyzer options to provide a list of available formats from which to choose. (GP-94, Issue #2214)

Demangler. Updated the GNU Demangler's Namespace-building to improve analysis performance. (GP-706, Issue #2509)

Demangler. Improved Demangler error checking and reporting to give underlying cause of failure. (GP-850)

Documentation. Added basic instructions on how to install, build, and develop Ghidra to README.md. (GP-847)

DWARF. Improved speed and memory usage when importing large DWARF binaries. (GP-419)

DWARF. Added M68000/SVR4 DWARF register mappings. (GP-556, Issue #1610)

DWARF. Improved handling of zero-length structure components during DWARF processing. (GP-851, Issue #2191)

Exporter. Made various improvements and bug fixes and to the IDA Pro exporter. (GP-831, Issue #1897, #2788, #2882, #2891)

FileSystems. Added support for recognizing unencrypted DMG files. (GP-845)

Framework. Added support for program-specific extensions to a compiler specification. Users can now define their own calling conventions and call-fixups to integrate into decompilation and other analysis (see help for Specification Extensions). (GP-653)

Graphing. Added capability to collapse and expand nodes in the default graph display. (GP-371)

Graphing. Upgraded jungrapht to version 1.1. (GP-377)

Graphing. Refactored graph exporters into a more extensible framework. (GP-440)

Graphing. Graph layout algorithms can now be chosen programmatically. (GP-551)

Graphing. Created additional modified versions of the MinCross layout algorithms, all named to start with Vertical Hierarchical Min-Cross, so that they accept a favoredEdge predicate. When an edge is favored, a pass though the graph layers attempts to align those edges vertically. (GP-625)

Graphing. Added an option to change the background color of the Function Graph window. (GP-760, Issue #1324)

Graphing. Updated Function Graph edge routing when applying the Use Condensed Layout option to reduce edges being clipped by vertices. (GP-768)

Graphing. Added option to disable the lightening of edges in the Function Graph. (GP-769, Issue #1106)

Graphing. Added a distinct visual edge highlight beyond just a different color for graph edge selection. (GP-793, Issue #2953)

Graphing. Added Display as Graph action to the Data Type Manager, allowing visualization of embedded and referenced types of the selected types. (GP-808)

Graphing. Fixed function graph bug that prevented the satellite view from showing the primary view lens. Fixed a layout bug that allowed some vertices to get clipped when condensing the graph. (GP-940)

Graphing. Added graph API method to set descriptions (tooltips) on vertices and edges. (GP-949)

Graphing. Added Vertex and Edge attributes to GraphML export format. (GP-957, Issue #2958)

GUI. Added new Copy Special actions: Python Byte String, Python List, and C Array. (GP-210, Issue #744)

GUI. Updated the Listing to allow structure members to display Plate Comments. (GP-421, Issue #2091)

GUI. Copy/Pasting and Dragging data types now uses a progress monitor. (GP-422, Issue #2379)

GUI. Added right-click menu Data -> Save Image action to allow user to export embedded graphic resource images. (GP-426)

GUI. Changed Symbol Comment Annotation to use the existing symbol when available. This allows for the direct navigation of that symbol's address instead of using the search feature of the Go To Service. (GP-675)

GUI. Added the Shift-F10 keybinding to allow users to show the popup context menu over the currently focused item. The Menu Key can also be used on supporting keyboards. (GP-732, Issue #2790)

GUI. Fixed/Improved the behavior of global menu items and toolbar items with respect to which windows they appear in. These actions can now easily be configured to be either 1) only in menu bar and tool bar of the main window, 2) in the menu bar and tool bar of all windows, or 3) only in the windows that have components that generate the type of context that the action consumes. Added methods to the ActionBuilder class to support these three options. Also, updated numerous actions to make sure they appear in the appropriate windows. (GP-759)

GUI. Improved overall UI responsiveness when performing analysis with the Symbol Table open. (GP-788)

GUI. Updated the Function Tags table column so that it may be used in most Ghidra tables. (GP-816, Issue #2873)

GUI. Updated the Defined Strings view to reload less frequently during auto-analysis. (GP-835, Issue #2889)

GUI. Updated function hovering in the Decompiler to find the correct function tooltip when multiple functions exist with the same name. (GP-959, Issue #2604)

Importer:ELF. Added markup to ELF import for .note.gnu.build-id and .gnu_debuglink sections. (GP-468)

Importer:ELF. Added ELF import support for SHN_MIPS_TEXT and SHN_MIPS_DATA symbol section index values and provided ability for other processor-specific ELF extensions to resolve ELF symbol memory addresses. (GP-664)

Importer:ELF. Changed various ELF relocations to detect and mark unsupported data relocations which refer to the EXTERNAL block. Applied EXTERNAL data relocations, which have a non-zero offset from the external symbol, will still be incorrect but will have an error bookmark to flag the condition. The relocation addend will not be applied in this case to avoid references to a completely irrelevant symbol in the EXTERNAL block. (GP-1029)

Importer:Mach-O. Improved support for Mach-O object files. (GP-700)

Importer:PE. CustomAttrib blobs in CLI/.NET metadata are now decoded. (GP-414)

Importer:PE. Created proper external references for PE Delay Load Imports. (GP-674, Issue #2554, #2623)

Importer:PE. PeLoader can now read and interpret the .pdata section of PE files that include exception handling data. (GP-729)

Importer:PE. Added .exports XML files for the mfc71.dll and mfc71u.dll libraries. Having them allows Ghidra to translate ordinal imports from applications compiled against MFC 7.1 (from Visual Studio .NET 2003) to class and function names with parameters. (GP-1010, Issue #3051)

Listing. Improved Listing view performance, especially noticeable on functions with excessively large stack frames. (GP-268, Issue #109, #2351)

Listing. Added a tool option to hide function auto-comments that appear, trailing a function call in the Listing. (GP-752)

PDB. Improved Ghidra's ability to find and pull PDB files from symbol servers and symbol storage locations. (GP-42)

Processors. Simplified PIC24 return instruction semantics. (GP-647)

Processors. Added support for register alias specification within processor spec (*.pspec). Added WREG register aliases for PIC24 processor variants. (GP-901, Issue #2956)

Processors. Fixed issue with the PPAGE register not being properly restored after CALL instructions in the HCS12 processor. (GP-920, Issue #1099)

Processors. Fixed HCS12 IDX1 addressing with negative immediate values. (GP-937, Issue #3008)

Processors. Fixed V850 multiply-by-immediate calculation that produced an incorrect value when the fifth bit was set. (GP-939, Issue #2970)

References. Improved performance of reference management for special cases when large a number of references from the same address exist (e.g., entry point designation). (GP-696)

Scripting. ExportImageScript now exports all images within a user-selected region to files within a user-selected folder. (GP-231)

Scripting. Improved TableChooserDialog, allowing multiple rows to be processed at once. (GP-676)

Scripting. Updated the TableChooserDialog to allow clients to set the default column sort. (GP-792)

Scripting. Added Python script comment block support. (GP-843, Issue #1484, #2846)

Scripting. Added ApplyClassFunctionSignatureUpdatesScript and ApplyClassFunctionDefinitionUpdatesScript fix-up scripts that can be applied if a user makes changes to a virtual function recovered by the RecoverClassesFromRTTIScript. Both scripts identify differences between Function Signatures in the Listing and Function Definitions in the Data Type Manager, but the first script fixes all changes to match the signature and the second to match the definition. (GP-973, Issue #3081)

Sleigh. Debug info for Sleigh constructors now includes source file names. (GP-233)

Sleigh. The Sleigh compiler now issues a warning if it generates a temporary varnode which might be large enough to overlap another temporary varnode. (GP-520)

Sleigh. While register names should remain case-sensitive within a Sleigh spec during compilation/parse, register names must not duplicate in a case-insensitive manner since the Program API provides a case-insensitive register lookup by name. The Sleigh Compiler now enforces this. (GP-927)

Bugs

Analysis. Fixed how managed code entry points in .NET binaries with CIL entry points are detected and labeled. (GP-319)

Analysis. Can now process implementation-specific data structures for Microsoft CIL compilers. (GP-461)

Analysis. Corrected processing for pointers, function pointers, custom modifiers, ValueTypes, static methods, MethodRefs, MethodDefs, and PInvokes found in .NET mixed binaries. (GP-656)

Analysis. Improved constant analysis speed when processing large binaries with a large amount of code not in defined functions, such as exception handlers. (GP-746, Issue #2509)

Analysis. When OverlayAddressSpace was refactored and Decompiler made aware of it for Ghidra 9.2, the VarnodeContext was not aware of the overlays. This was fixed and should eliminate the NullPointerException caused when the Symbolic Propagator calls the Varnode constructor. (GP-751, Issue #2785, #2787)

Assembler. Fixed assembler issue with delay-slotted instructions. (GP-587)

Assembler. Fixed assemble Patch Instruction action to work on listings other than the primary static listing. (GP-623)

Assembler. Modified assembler Patch Instruction action to ignore external symbols which produced bad offsets for instructions. (GP-645)

Basic Infrastructure. Fixed an issue with Ghidra and its supporting launch scripts not being able to run correctly on Windows when an ampersand was in the path. Also fixed an issue with svrAdmin.bat and buildGhidraJar.bat not working if the Ghidra path contained a space. (GP-693, Issue #1726, #1728)

Basic Infrastructure. Corrected "LaunchSupport expected 2 to 4 arguments but got 1" error when starting Ghidra on Windows. (GP-1050, Issue #2176, #3122)

Build. Building of pdb.exe on Windows now works if the path to the Ghidra repository contains a space. (GP-916, Issue #2998)

Build. Corrected GPL DMG module build to properly utilize the jar dependencies included within the repository and distribution. (GP-934)

Build. Corrected an issue with gradle prepDev when the Ghidra repository is on a different drive than the user's home directory on Windows OS. (GP-970, Issue #3047, #3062)

Build. Fixed a bug that prevented Ghidra from launching in Single Jar Mode when its path contained a space. (GP-1039)

C Parsing. The C-Parser bitfield parsing has been relaxed to allow declared bitfield sizes to exceed the base datatype size. The effective bitfield size may be clamped based upon the current data organization while preserving the declared size. (GP-558)

Data Types. Fixed a NullPointerException that occurred when trying to edit a function datatype in a datatype archive when there was no open program in the tool. (GP-356, Issue #2407)

Data Types. Corrected the retention of datatype archive search paths, which did not properly remember disabled paths. (GP-639)

Data Types. Fixed potential deadlock encountered when working with the DataTypes tree. (GP-774, Issue #2832)

Decompiler. Fixed endianess issue for joined, two-register returns of longlong values for MIPS 32-bit little endian variants. (GP-513)

Decompiler. The Decompiler no longer emits comments in the middle of conditional expressions. (GP-621, Issue #1670)

Decompiler. Fixed Redefinition of structure... exceptions in the Decompiler caused by a PNG Image and other opaque datatypes. (GP-820, Issue #2734)

Decompiler. Fixed infinite loop in the Decompiler when analyzing return values. (GP-821, Issue #2851)

Decompiler. Fixed bug in the Decompiler's handling of enumerated datatypes causing Shared type id exceptions. (GP-895, Issue #2909)

DWARF. Fixed and consolidated DEX and DWARF implementations of LEB128. (GP-444, Issue #2512)

DWARF. Fixed unnecessary ELF header parsing when DWARF analyzer checks if it needs to run. Improved DWARF analyzer's run-once logic. (GP-695)

DWARF. Fixed issue with DWARF data type importing that could omit the definition of a structure. (GP-929)

Eclipse Integration. Fixed a GhidraDev bug that prevented Ghidra projects from recognizing extensions installed in the user's ~/.ghidra/.ghidra_<version>/Extensions directory. (GP-873)

Extensions. Changed classpath configuration to not contain paths of removed extension libraries. (GP-522, Issue #2637)

FileSystems. Fixed several issues with extracting and importing DYLIB files contained within a DYLD file system. (GP-719, Issue #2934, #682)

FileSystems. Fixed SevenZipFileSystem to correctly fail when opening password-protected archives. (GP-730)

FileSystems. Fixed Ext4 file system to correctly handle sparse files. (GP-871)

Graphing. Fixed IllegalArgumentException when showing a graph popup window after the source component was hidden. (GP-756, Issue #1643)

Graphing. Fixed bug that caused all address in a function graph node to be colored when only the entry point address had a color applied. (GP-757, Issue #1080)

Graphing. Fixed bug in graph dominance algorithm that could cause the Select -> Scoped Flow actions to go into an infinite loop. (GP-776, Issue #2836)

GUI. Fixed UI lock-up issue related to the Function Tags table. (GP-266, Issue #2366)

GUI. Fixed missing spaces in Front End multi-line log messages. (GP-463, Issue #2534)

GUI. Fixed the following modal dialog issues: z-order changing when showing a modal dialog over a detached window; focusing the incorrect window after showing a modal dialog; script progress dialog not getting placed behind input dialog; script dialogs appearing over different windows. (GP-628, Issue #2398, #2480)

GUI. Fixed NullPointerException encountered when creating a new category in the Data Types tree while the tree is filtered. (GP-745, Issue #2799)

GUI. Fixed Right Alt key that did not work for Ghidra actions on some Windows systems. (GP-747, Issue #2008)

GUI. Fixed Function Graph bug that caused some vertex text to get clipped when using wide address format width. (GP-755, Issue #1008)

GUI. Fixed bug in the Listing scroll bar that caused some screen reader software to deadlock. (GP-772, Issue #2820)

GUI. Fixed bug that caused the UI to freeze when clicking in the Program Tree UI. The bug manifested depending upon the contents of the system clipboard. (GP-775)

GUI. Updated tooltip code to limit data types name length and updated formatting to place pertinent information at the top of the tooltip. (GP-836, Issue #2029)

GUI. Fixed exception triggered when the Bookmarks table failed to remove a deleted symbol. (GP-989, Issue #3066)

GUI. Fixed exception encountered when double-clicking a structure in an archive in the closed for edit state. (GP-998)

GUI. Fixed Function Graph stack trace encountered when changing the graph's background color option after showing and then closing the graph. (GP-1013, Issue #3058)

Importer:ELF. Added support for additional PIC30 ELF relocations (4, 5, 6) and improved register symbol resolution and markup. (GP-710, Issue #2792)

Importer:ELF. Changed processing of ELF absolute symbols (section ID 0xfff1) to treat them as constants by defining equates instead of memory symbols. (GP-902)

Importer:ELF. Corrected EXTERNAL symbol alignment for PIC24, PIC30, PIC33 during ELF import. The improperly aligned symbol addresses would cause incorrect external symbol references to appear on instructions (e.g., RCALL). (GP-906)

Importer:PE. Fixed error when importing a PE file with an uninitialized .textbss section. (GP-397, Issue #2496)

Importer:PE. Fixed a bug processing RUNTIME_INFO structures that caused a failure to load PE files under certain conditions when the list is empty. (GP-924, Issue #2995)

Importer:PE. Fixed an issue in the PeLoader that prevented PE files with 0 data directories from being imported. (GP-997, Issue #2858)

Installation. Renamed database db.Record class to db.DBRecord to avoid naming conflict with java.lang.Record class and potential import issues. (GP-193)

Jython. Fixed pasting multi-line strings into the Python interpreter panel. (GP-487, Issue #2456)

Listing. A default thunk function now reflects the namespace of the thunked function similar to the way it reflects its name. This change also allows thunk functions of a this_call to have the correct this pointer parameter. Symbol table queries based upon name and/or namespace will always exclude default thunk functions. (GP-17)

Listing. Fixed #US table processing to correctly interpret the string as UTF-16LE for CIL binaries. (GP-318)

Listing. Fixed a sporadic listing operand hover stacktrace bug. (GP-987)

PDB. Escaped more character strings in MSDIA pdb.exe XML output. (GP-578, Issue #1690)

Processors. Fixed various issues pertaining to x86 instruction prefixes. (GP-220, Issue #2286, #2297)

Processors. Refactored PPC interrupt returns to include return pcode statement. (GP-703)

Processors. Fixed issue with ARM VMRS instruction parsing in thumb. (GP-735, Issue #2750)

Processors. Corrected issue with M68000 floating point dynamic k-factor instruction semantics. (GP-736, Issue #2754)

Processors. Fixed instruction semantics for x86 MOVUPS instruction. (GP-744, Issue #2789)

Processors. Simplified SuperH div1 instruction. Corrected several SuperH instructions to set flags properly around the delay slot. (GP-753, Issue #2863, #2864)

Processors. Corrected issue with ARM co-processor registers and the MCR instruction. (GP-761, Issue #2451)

Processors. Fixed issued with x86 INSx.rep and OUTSx.rep pcode ordering. (GP-766, Issue #2829)

Processors. Corrected addresses for PIC24 TBLPAG and PSVPAG registers. (GP-798, Issue #2844, #2855)

Processors. Corrected decoding of some MODR/M opcode bytes in x86. (GP-800, Issue #2504)

Processors. Updated 8085 processor definition to disassemble XRA HL instruction. (GP-818, Issue #2447)

Processors. Corrected missing optional rex.w prefix for x86 conditional jump instructions. (GP-837, Issue #1163)

Processors. Added CALLW, ASRF, LSLF, and LSRF instructions to PIC16 language. (GP-841, Issue #1362)

Processors. Fixed ARM Thumb instructions which update the status flags to now correctly append an s to the instruction mnemonic. (GP-881)

Processors. Made corrections to wr instruction for SPARC which in some cases did not write to the appropriate ASR register. (GP-928)

Processors. Corrected issue with x86-64 CALL and RET instructions with 0x67 prefix pushing/popping the wrong address size from the stack. (GP-954, Issue #2976)

Processors. Fixed issue with delay slots modifying some instructions in SuperH processor. (GP-969, Issue #2863)

Processors. Corrected pcode for x86-64 RDMSR instruction. (GP-982, Issue #3046)

Processors. Corrected size of 20-bit signed immediate value in PPC VLE e_li instruction. (GP-1060)

Scripting. Fixed scripting bug where showing a TableChooserDialog while having AnalysisMode.DISABLED in use caused the dialog to be closed. (GP-1018, Issue #3103)

Sleigh. Fixed multiple errors in x64 vector operation semantics. (GP-799)

Ghidra 9.2.4 Change History (April 2021)

Improvements

Basic Infrastructure. Improved support running under JDK 16. Note that Ghidra still only officially supports JDK 11 LTS. (GP-824, Issue #2879, #2888)

Bugs

API. Corrected error condition which could occur if overlay memory block duplicates another memory space name or overlay block name in a case-insensitive manner. The names are intended to be case-sensitive. (GP-839, Issue #2898)

Demangler. Improved handling of mangled names on thunk functions which were previously left unmangled and could prevent name of underlying thunked function from appearing. (GP-809)

Ghidra 9.2.3 Change History (March 2021)

Improvements

Analysis. Added check for vftable entries in .NEP section and relaxed the requirement that the code must have a return. (GP-649)

Analysis. Corrected flaw in RTTI analyzer determination of size of vftables. (GP-688)

Basic Infrastructure. Updated TLS protocol preference to use the most preferred/recent version available to both sides of an SSL connection (e.g., TLSv1.3) instead of forcing use of TLSv1.2. (GP-622)

Build. Corrected build issues which had prevented users from building Ghidra on an Apple M1 (OS X, AARCH64 architecture). (GP-600, Issue #2653)

Demangler. Increased Gnu Demangler parsing performance by changing some regular expressions. (GP-705)

Eclipse Integration. Updated SleighEditor to support new endian tag on define token definitions. (GP-721)

GUI. Updated the Choose Data Type dialog to apply data types in the same manner as dragging types from the Data Types window. This provides users more control when choosing how to overwrite existing types. (GP-521)

Importer:ELF. Added support for ELF relocation R_X86_64_IRELATIVE. (GP-651, Issue #1189)

Importer:ELF. Sped up loading of ELF files with large symbol tables. (GP-697)

Bugs

Analysis. The RTTI analyzer now runs prior to Reference analysis so that references into vftables are not turned into code or data before the vftables are created. (GP-517)

API. Function.getCalledFunctions(TaskMonitor) and Function.getCallingFunctions(TaskMonitor) now support passing null for the task monitor parameter, which previously would have thrown an exception. (GP-589, Issue #2643)

Data Types. Corrected segmented 32-bit pointer datatype address generation for 16:16 x86 far pointers. (GP-534, Issue #2548)

Decompiler. Fixed Decompiler issue where, when a function name extends beyond the line limit, an end-of-line comment could wrap around to additional lines without including additional // comment indicators. (GP-473)

Decompiler. Corrected an exception that could occur when attempting to edit function signature from the Decompiler. (GP-597, Issue #2601)

Demangler. Changed return type applied to constructors by Demangler from void to Undefined, allowing the Decompiler to determine the type. (GP-790)

DWARF. Improved handling of empty DWARF compile units. (GP-743)

DWARF. Improved handling of DWARF function signatures when parameter info contains unsupported location opcodes or failed to resolve datatypes. (GP-794)

Eclipse Integration. When installing the SleighEditor into Eclipse, the plugin will now show up under the Ghidra category. Previously the Group Items by Category option had to be turned off before the SleighEditor would appear as a visible entry. (GP-564)

Eclipse Integration. Fixed an issue with Eclipse PyDev breakpoints not catching. (GP-668, Issue #2713)

Eclipse Integration. Fixed an Eclipse GhidraDev exception that occurred when creating a new Ghidra scripting project if a ~/ghidra_scripts directory did not exist. (GP-669)

Emulator. Replaced Java floating point emulation to fix multiple rounding issues. (GP-357, Issue #2414)

Graphing. Fixed issue with graph filters not updating satellite view when changing edge filters. (GP-557)

Graphing. Fixed Function Graph keybindings that did not work when docked in the main Code Browser window. (GP-586, Issue #2641)

GUI. Fixed NullPointerException due to using Go To action when there was no open program in the Listing. (GP-66)

GUI. Fixed bug in Reference Code Viewer options that caused an exception. (GP-620, Issue #2672)

Importer. Fixed exception caused when importing previously exported XML data where the bookmark override option was turned off. (GP-667)

Importer:ELF. Fixed a NullPointerException caused by importing an ELF with an uninitialized .got section. (GP-360, Issue #2416)

Importer:ELF. Added Support for ELF R_ARM_MOVW_ABS_NC and R_ARM_MOVT_ABS ELF Relocations for ARM. (GP-555, Issue #2510)

Importer:ELF. Corrected ELF processing of .init_array and .fini_array which was incorrectly overadjusting entries for an image base change. (GP-699)

Importer:Mach-O. Corrected Mach-O fat-binary library import issue and resolved error related to unnamed Mach-O segment. (GP-652, Issue #2702)

Importer:Mach-O. Fixed an issue with DYLD Load Command data structures being created in the wrong locations. (GP-689, Issue #2624)

Importer:Mach-O. Fixed an exception that occurred when importing Mach-O files that define zero LC_BUILD_VERSION tool entries. (GP-702, Issue #2192)

PDB. Fixed createPdbXmlFiles.bat to permit spaces in the path name of Ghidra installation folder and the batch argument name. (GP-575, Issue #2167)

PDB. Fixed PDB Universal analyzer to set the run-once flag when finished. (GP-724)

PDB. Changed return type applied to constructors by PDB Universal from void to Undefined, allowing the Decompiler to determine the type. (GP-791)

Processors. Added missing RFE instruction in MIPS up to version R3000. (GP-33, Issue #1766)

Processors. ARM instruction VMUL now decodes correctly. (GP-627, Issue #2677)

Processors. Added missing CFINV instruction to AARCH64 processor specification and added definitions for locals in neon instructions. (GP-655, Issue #2710)

Scripting. Fixed analyzeHeadless -scriptPath option that didn't work for Python and other non-Java scripts located in non-default directories. (GP-528, Issue #2561)

Scripting. Fixed concurrency issue with management of scripting bundle paths. (GP-576)

Scripting. Corrected handling for Ghidra Script files which are symlinks that were broken in Ghidra 9.2. (GP-650, Issue #2698)

Scripting. Fixed the analyzeHeadless -scriptPath option to correctly parse $GHIDRA_HOME and $USER_HOME. (GP-781)

Ghidra 9.2.2 Change History (December 2020)

Bugs

Graphing. Fixed issue with Graph filters not working and satellite view sometimes not matching graph. (GP-526)

Importer:Mach-O. Mach-O DYLD cache incorrect offset use has been fixed. (GP-550, Issue #2560)

Listing. Fixed issue where Edit Label action (L key) did not work on primary function symbols. (GP-537)

Multi-User. Corrected Ghidra Server build issue for version 9.2.1 which had an improperly generated classpath.frag file. Issue caused server to fail startup with a ClassNotFoundException. (GP-542)

Processors. The V850 JMP instruction has been corrected not to use the PC in the address calculation. (GP-548, Issue #2570)

Processors. Removed erroneous VST4 variant, most likely from a copy/paste error. This fixes the ARM Thumb BL instruction disassembly with a negative offset. (GP-549, Issue #2559)

Ghidra 9.2.1 Change History (December 2020)

Improvements

Analysis. Updated RTTI analyzer to find type_info vftable when it cannot be found with its mangled name. This will enable many more Windows programs to have their RTTI structures created that were unable to be parsed in previous Ghidra versions. (GP-141)

API. Relaxed memory block naming restrictions and restored ability to have spaces in memory block names. However, if a memory block is flagged as an overlay, the associated overlay space name may be modified to ensure validity and uniqueness. The DuplicateNameException has been removed from all memory block API methods since this was entirely an overlay space concern. Memory block GUI has also been changed eliminate the duplicate block name restriction. (GP-420, Issue #2465)

Build. Eliminated the need for installation of bison and flex when performing source-based gradle build of Ghidra or the Decompiler module. The generated files are now included with source files and maintained in source control. A separate gradle Decompiler:generateParsers task, which still requires bison and flex, must be used, explicitly, when changes are made to lex/yacc source files. (GP-467)

Graphing. Fixed issue with exporting graphs to DOT format due to invalid vertex IDs. (GP-280)

Graphing. Improved graphing where it did not navigate when clicking on external function nodes. Now it will navigate to the fake function location in the program, which is the location of the pointer to the external function. (GP-493)

Listing:Symbols. Removed restriction for naming labels that resemble default label names. (GT-3185, Issue #1057)

PDB. Crafted PDB type ID records 0x1608 and 0x1609 with presumed class and struct types and follow-on application of these types. Also fixed up some fall-back data type logic and improved some warning messages to reflect the cause of the conditions. (GP-474, Issue #2523)

Scripting. Removed unnecessary 1-second delay when launching a script. (GP-443)

Bugs

Analysis. Fixed the processing of CIL metadata that express arrays of non-primitive types. (GP-331)

API. WrappedMemBuffer methods getInt, getShort, getLong, and getBigInteger have been fixed when allocated at a non-zero offset, wrapping another MemBuffer such as DumbMemBufferImpl. (GP-486)

Decompiler. Fixed issue with the Auto Create/Fill Structure command that caused it to silently miss some pointer accesses. (GP-344)

Decompiler. Jump table recovery now takes into account encoded bits, like ARM/THUMB mode transition, that may be present in address tables. (GP-387, Issue #2420)

Decompiler. Fixed a bug in the Decompiler renaming action when applied to function references. (GP-477, Issue #2415)

Decompiler. Corrected 8-byte return value storage specification in compiler-spec affecting longlong and double return values. Endianess ordering of r0/r1 was incorrect. (GP-512, Issue #2547)

Graphing. Fixed the Function Graph's drag-to-select-nodes feature. (GP-430)

Graphing. Fixed issue where the graph in the satellite view is sometimes truncated. (GP-469)

Graphing. Fixed a stack trace issue caused by reusing a graph display window to show a graph that is larger than is allowed. (GP-492)

Graphing. Fixed issue where graph satellite view did not reflect main graph when graph vertices are hidden using hide actions or filters. (GP-514)

GUI. Fixed stack overflow in TableChooserDialogs. (GP-460, Issue #2536)

PDB. Corrected PDB parser selection bug affecting PDB load/download on Windows. (GP-390)

Processors. Fixed handling of certain ARM/THUMB switch calculation functions. (GP-389)

Ghidra 9.2 Change History (November 2020)

New Features

Graphing. A new graph service and implementation was created. The graph service provides basic graphing capabilities. It was also used to generate several different types of graphs including code block graphs, call graphs, and AST graphs. In addition, an export graph service was created that supports various formats. (GP-211)

PDB. Added a new, prototype, platform-independent PDB analyzer that processes and applies data types and symbols to a program from a raw (non-XML-converted) PDB file, allowing users to more easily take advantage of PDB information. (GT-3112)

Processors. Added M8C SLEIGH processor specification. (GT-3052)

Processors. Added support for the RISC-V processor. (GT-3389, Issue #932)

Processors. Added support for the Motorola 6809 processor. (GT-3390, Issue #1201)

Processors. Added CP1600-series processor support. (GT-3426, Issue #1383)

Processors. Added V850 processor module. (GT-3523, Issue #1430)

Improvements

Analysis. Increased the speed of the Embedded Media Analyzer, which was especially poor for large programs, by doing better checking and reducing the number of passes over the program. (GT-3258)

Analysis. Improved the performance of the RTTI analyzer. (GT-3341, Issue #10)

Analysis. The handling of Exception records found in GCC-compiled binaries has been sped up dramatically. In addition, incorrect code disassembly has been corrected. (GT-3374)

Analysis. Updated Auto-analysis to preserve work when encountering recoverable exceptions. (GT-3599)

Analysis. Improved efficiency when creating or checking for functions and namespaces which overlap. (GP-21)

Analysis. Added partial support of Clang for Windows. (GP-64)

Analysis. RTTI structure processing speed has been improved with a faster technique for finding the root RTTI type descriptor. (GP-168, Issue #2075)

API. The performance of adding large numbers of data types to the same category has been improved. (GT-3535)

API. Added the BigIntegerNumberInputDialog that allows users to enter integer values larger than Integer.MAX_VALUE (2147483647). (GT-3607)

API. Made JSON more available using GSON. (GP-89, Issue #1982)

Basic Infrastructure. Introduced an extension point priority annotation so users can control extension point ordering. (GT-3350, Issue #1260)

Basic Infrastructure. Changed file names in launch.bat to always run executables from System32. (GT-3614, Issue #1599)

Basic Infrastructure. Unknown platforms now default to 64-bit. (GT-3615, Issue #1499)

Basic Infrastructure. Updated sevenzipjbinding library to version 16.02-2.01. (GP-254)

Build. Ghidra's native Windows binaries can now be built using Visual Studio 2019. (GT-3277, Issue #999)

Build. Extension builds now exclude gradlew artifacts from zip file. (GT-3631, Issue #1763)

Build. Reduced the number of duplicated help files among the build jar files. (GP-57, Issue #2144)

Build. Git commit hash has been added to application.properties file for every build (not just releases). (GP-67)

Contrib. Extensions are now installed to the user's settings directory, not the Ghidra installation directory. (GT-3639, Issue #1960)

Data Types. Added mutability data settings (constant, volatile) for Enum datatype. (GT-3415)

Data Types. Improved Structure Editor's Edit Component action to work on array pointers. (GP-205, Issue #1633)

Decompiler. Added Secondary Highlights to the Decompiler. This feature allows the user to create a highlight for a token to show all occurrences of that token. Further, multiple secondary highlights are allowed at the same time, each using a unique color. See the Decompiler help for more information. (GT-3292, Issue #784)

Decompiler. Added heuristics to the Decompiler to better distinguish whether a constant pointer refers to something in the CODE or DATA address space, for Harvard architectures. (GT-3468)

Decompiler. Improved Decompiler analysis of local variables with small data types, eliminating unnecessary casts and mask operations. (GT-3525)

Decompiler. Documentation for the Decompiler, accessible from within the Code Browser, has been rewritten and extended. (GP-166)

Decompiler. The Decompiler can now display the namespace path (or part of it) of symbols it renders. With the default display configuration, the minimal number of path elements necessary are printed to fully resolve the symbol within the current scope. (GP-236)

Decompiler. The Decompiler now respects the Charset and Translate settings for string literals it displays. (GP-237)

Decompiler. The Decompiler's analysis of array accesses is much improved. It can detect more and varied access patterns produced by optimized code, even if the base offset is not contained in the array. Multi-dimensional arrays are detected as well. (GP-238, Issue #461, #1348)

Decompiler. Extended the Decompiler's support for analyzing class methods. The class data type is propagated through the this pointer even in cases where the full prototype of the method is not known. The methods isThisPointer() and isHiddenReturn() are now populated in HighSymbol objects and are accessible in Ghidra scripts. (GP-239, Issue #2151)

Decompiler. The Decompiler will now infer a string pointer from a constant that addresses the interior of a string, not just the beginning. (GP-240, Issue #1502)

Decompiler. The Decompiler now always prints the full precision of floating-point values, using the minimal number of characters in either fixed point or scientific notation. (GP-241, Issue #778)

Decompiler. The Decompiler's Auto Create Structure command now incorporates into new structures data-type information from function prototypes. The Auto Fill in Structure variant of the command will override undefined and other more general data-types with discovered data-types if they are more specific. (GP-242)

Demangler. Modified Microsoft Demangler (MDMang) to handle symbols represented by MD5 hash codes when their normal mangled length exceeds 4096. (GT-3409, Issue #1344)

Demangler. Upgraded the GNU Demangler to version 2.33.1. Added support for the now-deprecated GNU Demangler version 2.24 to be used as a fallback option for demangling. (GT-3481, Issue #1195, #1308, #1451, #1454)

Demangler. The Demangler now more carefully applies information if generic changes have been made. Previously if the function signature had changed in any way from default, the demangler would not attempt to apply any information including the function name. (GP-12)

Demangler. Changed MDMang so cast operator names are complete within the qualified function name, effecting what is available from internal API. (GP-13)

Demangler. Added additional MDMang Extended Types such as char8_t, char16_t, and char32_t. (GP-14)

Documentation. Removed Eclipse BuildShip instructions from the DevGuide. (GT-3634, Issue #1735)

FID. Regenerated FunctionID databases. Added support for Visual Studio versions 2017 and 2019. (GP-170)

Function Diff. Users may now add functions ad-hoc to existing function comparison panels. (GT-2229)

Function Graph. Added Navigation History Tool option for Function Graph to signal it to produce fewer navigation history entries. (GT-3233, Issue #1115)

GUI. Users can now view the Function Tag window to see all functions associated with a tag, without having to inspect the Listing. (GT-3054)

GUI. Updated the Copy Special action to work on the current address when there is no selection. (GT-3155, Issue #1000)

GUI. Significantly improved the performance of filtering trees in the Ghidra GUI. (GT-3225)

GUI. Added many optimizations to increase the speed of table sorting and filtering. (GT-3226, Issue #500)

GUI. Improved performance of bit view component recently introduced to Structure Editor. (GT-3244, Issue #1141)

GUI. Updated usage of timestamps in the UI to be consistent. (GT-3286)

GUI. Added tool actions for navigating to the next/previous functions in the navigation history. (GT-3291, Issue #475)

GUI. Filtering now works on all tables in the Function Tag window. (GT-3329)

GUI. Updated the Ghidra File Chooser so that users can type text into the list and table views in order to quickly jump to a desired file. (GT-3396)

GUI. Improved the performance of the Defined Strings table. (GT-3414, Issue #1259)

GUI. Updated Ghidra to allow users to set a key binding to perform an equivalent operation to double-clicking the XREF field in the Listing. See the Show Xrefs action in the Tool Options... Key Bindings section. (GT-3446)

GUI. Improved mouse wheel scrolling in Listing and Byte Viewers. (GT-3473)

GUI. Ghidra's action context mechanism was changed so that actions that modify the program are not accidentally invoked in the wrong context, thus possibly modifying the program in ways the user did not want or without the user knowing that it happened. This also fixed an issue where the navigation history drop-down menu did not represent the locations that would be used if the next/previous buttons were pressed. (GT-3485)

GUI. Updated Ghidra tables to defer updating while analysis is running. (GT-3604)

GUI. Updated Font Size options to allow the user to set any font size. (GT-3606, Issue #160, #1541)

GUI. Added ability to overlay text on an icon. (GP-41)

GUI. Updated Ghidra options to allow users to clear default key binding values. (GP-61, Issue #1681)

GUI. ToggleDirectionAction button now shows in snapshot windows. (GP-93)

GUI. Added a new action to the Symbol Tree to allow users to convert a Namespace to a Class. (GP-225, Issue #2301)

Importer. Updated the XML Loader to parse symbol names for namespaces. (GT-3293)

Importer:ELF. Added support for processing Android packed ELF Relocation Tables. (GT-3320, Issue #1192)

Importer:ELF. Added ELF import opinion for ARM BE8. (GT-3642, Issue #1187)

Importer:ELF. Added support for ELF RELR relocations, such as those produced for Android. (GP-348)

Importer:Mach-O. DYLD Loader can now load x86_64 DYLD from macOS. (GT-3611, Issue #1566)

Importer:PE. Improved parsing of Microsoft ordinal map files produced with DUMPBIN /EXPORTS (see Ghidra/Features/Base/data/symbols/README.txt). (GT-3235)

Jython. Upgraded Jython to version 2.7.2. (GP-109)

Listing. In the PCode field of the Listing, accesses of varnodes in the unique space are now always shown with the size of the access. Fixed bug which would cause the PCode emulator to reject valid pcode in rare instances. (GP-196)

Listing:Data. Improved handling and display of character sequences embedded in operands or integer values. (GT-3347, Issue #1241)

Multi-User:Ghidra Server. Added ability to specify initial Ghidra Server user password (-a0 mode only) for the svrAdmin add and reset commands. (GT-3640, Issue #321)

Processors. Updated AVR8 ATmega256 processor model to reflect correct memory layout specification. (GT-933)

Processors. Implemented semantics for vstmia/db vldmia/db, added missing instructions, and fixed shift value for several instructions for the ARM/Thumb NEON instruction set. (GT-2567)

Processors. Added the XMEGA variant of the AVR8 processor with general purpose registers moved to a non-memory-mapped register space. (GT-2909)

Processors. Added support for x86 SALC instruction. (GT-3367, Issue #1303)

Processors. Implemented pcode for 6502 BRK instruction. (GT-3375, Issue #1049)

Processors. Implemented x86 PTEST instruction. (GT-3380, Issue #1295)

Processors. Added missing instructions to ARM language module. (GT-3394)

Processors. Added support for RDRAND and RDSEED instructions to x86-32. (GT-3413)

Processors. Improved x86 breakpoint disassembly. (GT-3421, Issue #872)

Processors. Added manual index file for the M6809 processor. (GT-3449, Issue #1414)

Processors. Corrected issues related to retained instruction context during a language upgrade. In some rare cases this retained context could interfere with the instruction re-disassembly. This context-clearing mechanism is controlled by a new pspec property: resetContextOnUpgrade. (GT-3531)

Processors. Updated PIC24/PIC30 index file to match latest manual. Added support for dsPIC33C. (GT-3562)

Processors. Added missing call-fixup to handle call side-effects for 32 bit GCC programs for get_pc_thunk.ax/si. (GP-10)

Processors. Added ExitProcess to PEFunctionsThatDoNotReturn. (GP-35)

Processors. External Disassembly field in the Listing now shows Thumb disassembly when appropriate TMode context has been established on a memory location. (GP-49)

Processors. Changed RISC-V jump instructions to the more appropriate goto instead of call. (GP-54, Issue #2120)

Processors. Updated AARCH64 to v8.5, including new MTE instructions. (GP-124)

Processors. Added support for floating point params and return for SH4 processor calling conventions. (GP-183, Issue #2218)

Processors. Added semantic support for many AARCH64 neon instructions. Addresses for register lanes are now precalculated, reducing the amount of p-code generated. (GP-343)

Processors. Updated RISCV processor to include reorganization, new instructions, and fixes to several instructions. (GP-358, Issue #2333)

Program API. Improved multi-threaded ProgramDB access performance. (GT-3262)

Scripting. Improved ImportSymbolScript.py to import functions in addition to generic labels. (GT-3249, Issue #946)

Scripting. Python scripts can now call protected methods from the GhidraScript API. (GT-3334, Issue #1250)

Scripting. Updated scripting feature with better change detection, external jar dependencies, and modularity. (GP-4)

Scripting. Updated the GhidraDev plugin (v2.1.1) to support Python Debugging when PyDev is installed via the Eclipse dropins directory. (GP-186, Issue #1922)

Sleigh. Error messages produced by the SLEIGH compiler have been reformatted to be more consistent in layout as well as more descriptive and more consistent in providing line number information. (GT-3174)

Bugs

Analysis. Function start patterns found at 0x0, function signatures applied from the Data Type Manager at 0x0, and DWARF debug symbols applied at 0x0 will no longer cause stack traces. In addition, DWARF symbols with zero length address range no longer stack trace. (GT-2817, Issue #386, #1560)

Analysis. Constant propagation will treat an OR with zero (0) as a simple copy. (GT-3548, Issue #1531)

Analysis. Corrected Create Structure from Selection, which failed to use proper data organization during the construction process. This could result in improperly sized components such as pointers and primitive types. (GT-3587)

Analysis. Fixed an issue where stored context is initializing the set of registers constantly. (GP-25)

Analysis. Fixed an RTTI Analyzer regression when analyzing RTTI0 structures with no RTTI4 references to them. (GP-62, Issue #2153)

Analysis. Fixed an issue where the RTTI analyzer was not filling out RTTI3 structures in some cases. (GP-111)

API. Fixed NullPointerException when attempting to delete all bookmarks from a script. (GT-3405)

API. Updated the Class Searcher so that Extension Points found in the Ghidra/patch directory get loaded. (GT-3547, Issue #1515)

Build. Updated dependency fetch script to use HTTPS when downloading CDT. (GP-69, Issue #2173)

Build. Fixed resource leak in Ghidra jar builder. (GP-342)

Byte Viewer. Fixed Byte Viewer to correctly load the middle-mouse highlight color options change. (GT-3471, Issue #1464, #1465)

Data Types. Fixed decoding of static strings that have a character set with a smaller character size than the platform's character size. (GT-3333, Issue #1255)

Data Types. Correctly handle Java character sets that do not support the encoding operation. (GT-3407, Issue #1358)

Data Types. Fixed bug that caused Data Type Manager Editor key bindings to get deleted. (GT-3411, Issue #1355)

Data Types. Updated the DataTypeParser to handle data type names containing templates. (GT-3493, Issue #1417)

Data Types. Corrected pointer data type isEquivalent() method to properly check the equivalence of the base data type. The old implementation could cause a pointer to be replaced by a conflicting pointer with the same name whose base datatype is not equivalent. This change has a negative performance impact associated with it and can cause additional conflict datatypes due to the rigid datatype relationships. (GT-3557)

Data Types. Improved composite conflict resolution performance and corrected composite merge issues when composite bitfields and/or flexible arrays are present. (GT-3571)

Data Types. Fixed bug in SymbolPathParser naive parse method that caused a less-than-adequate fall-back parse when angle bracket immediately followed the namespace delimiter. (GT-3620)

Data Types. Corrected size of long for AARCH64 per LP64 standard. (GP-175)

Decompiler. Fixed bug causing the Decompiler to miss symbol references when they are stored to the heap. (GT-3267)

Decompiler. Fixed bug in the Decompiler that caused Deleting op with descendants exception. (GT-3506)

Decompiler. Decompiler now correctly compensates for integer promotion on shift, division, and remainder operations. (GT-3572)

Decompiler. Fixed handling of 64-bit implementations of alloca_probe in the Decompiler. (GT-3576)

Decompiler. Default Decompiler options now minimize the risk of losing code when renaming or retyping variables. (GT-3577)

Decompiler. The Decompiler no longer inherits a variable name from a subfunction if that variable incorporates additional data-flow unrelated to the subfunction. (GT-3580)

Decompiler. Fixed the Decompiler Override Signature action to be enabled on the entire C-code statement. (GT-3636, Issue #1589)

Decompiler. Fixed frequent ClassCast and IllegalArgument exceptions when performing Auto Create Structure or Auto Create Class actions in the Decompiler. (GP-119)

Decompiler. Fixed a bug in the Decompiler that caused different variables to be assigned the same name in rare instances. (GP-243, Issue #1995)

Decompiler. Fixed a bug in the Decompiler that caused PTRSUB off of non-pointer type exceptions. (GP-244, Issue #1826)

Decompiler. Fixed a bug in the Decompiler that caused load operations from volatile memory to be removed as dead code. (GP-245, Issue #393, #1832)

Decompiler. Fixed a bug causing the Decompiler to miss a stack alias if its offset was, itself, stored on the stack. (GP-246)

Decompiler. Fixed a bug causing the Decompiler to lose Equate references to constants passed to functions that were called indirectly. (GP-247)

Decompiler. Addressed various situations where the Decompiler unexpectedly removes active instructions as dead code after renaming or retyping a stack location. If the location was really an array element or structure field, renaming forced the Decompiler to treat the location as a distinct variable. Subsequently, the Decompiler thought that indirect references based before the location could not alias any following stack locations, which could then by considered dead. As of the 9.2 release, the Decompiler's renaming action no longer switches an annotation to forcing if it wasn't already. A retyping action, although it is forcing, won't trigger alias blocking for atomic data-types (this is configurable). (GP-248, Issue #524, #873)

Decompiler. Fixed decompiler memory issues reported by a community security researcher. (GP-267)

Decompiler. Fix for Decompiler error: Pcode: XML comms: Missing symref attribute in <high> tag. (GP-352, Issue #2360)

Decompiler. Fixed bug preventing the Decompiler from seeing Equates attached to compare instructions. (GP-369, Issue #2386)

Demangler. Fixed the GnuDemangler to parse the full namespace for operator symbols. (GT-3474, Issue #1441, #1448)

Demangler. Fixed numerous GNU Demangler parsing issues. Most notable is the added support for C++ Lambda functions. (GT-3545, Issue #1457, #1569)

Demangler. Updated the GNU Demangler to correctly parse and apply C++ strings using the unnamed type syntax. (GT-3645)

Demangler. Fixed duplicate namespace entry returned from getNamespaceString() on DemangledVariable. (GT-3646, Issue #1729)

Demangler. Fixed a GnuDemangler ClassCastException when parsing a typeinfo string containing operator text. (GP-160, Issue #1870, #2267)

Demangler. Added stdlib.h include to the GNU Demangler to fix a build issue on some systems. (GP-187, Issue #2294)

DWARF. Corrected DWARF relocation handling where the address image base adjustment was factored in twice. (GT-3330)

File Formats. Fixed a potential divide-by-zero exception in the EXT4 file system. (GT-3400, Issue #1342)

File Formats. Fixed date and time parsing of dates in cdrom iso9660 image files. (GT-3451, Issue #1403)

Graphing. Fixed a ClassCastException sometimes encountered when performing Select -> Scoped Flow -> Forward Scoped Flow. (GP-180)

GUI. Fixed inconsistent behavior with the interactive python interpreter's key bindings. (GT-3282)

GUI. Fixed Structure Editor bug that prevented the F2 Edit action from editing the correct table cell after using the arrow keys. (GT-3308, Issue #703)

GUI. Updated the Structure Editor so the Delete action is put into a background task to prevent the UI from locking. (GT-3352)

GUI. Fixed IndexOutOfBoundsException when invoking column filter on Key Bindings table. (GT-3445)

GUI. Fixed the analysis log dialog to not consume all available screen space. (GT-3610)

GUI. Fixed issue where Location column, when used in the column filters, resulted in extraneous dialogs popping up. (GT-3623)

GUI. Fixed Data Type Preview copy action so that newlines are preserved; updated table export to CSV to escape quotes and commas. (GT-3624)

GUI. Fixed tables in Ghidra to copy the text that is rendered. Some tables mistakenly copied the wrong value, such as the Functions Table's Function Signature Column. (GT-3629, Issue #1628)

GUI. Structure editor name now updates in title bar and tab when structure is renamed. (GP-19)

GUI. Fixed an issue where drag-and-drop import locks the Windows File Explorer source window until the import dialog is closed by the user. (GP-27)

GUI. Fixed an issue in GTreeModel where fireNodeChanged had no effect. This could result in stale node information and truncation of the text associated with a node in a GTree. (GP-30)

GUI. Fixed an issue where the file chooser directory list truncated filenames with ellipses on HiDPI Windows. (GP-31)

GUI. Fixed an uncaught exception when double-clicking on UndefinedFunction_ in Decompiler window. (GP-40)

GUI. Updated error handling to only show one dialog when a flurry of errors is encountered. (GP-65, Issue #2185)

GUI. Fixed an issue where Docking Windows are restored incorrectly if a snapshot is present. (GP-92)

GUI. Fixed a File Chooser bug causing a NullPointerException for some users. (GP-171, Issue #1706)

GUI. Fixed an issue that caused the script progress bar to appear intermittently. (GP-179, Issue #1819)

GUI. Fixed a bug that caused Call Tree nodes to go missing when showing more than one function with the same name. (GP-213, Issue #1682)

GUI:Project Window. Fixed Front End copy action to allow for the copy of program names so that users can paste those names into external applications. (GT-3403, Issue #1257)

Headless. Headless Ghidra now properly honors the -processor flag, even if the specified processor is not a valid opinion. (GT-3376, Issue #1311)

Importer. Corrected an NeLoader flags parsing error. (GT-3381, Issue #1312)

Importer. Fixed the File -> Add to Program... action to not show a memory conflict error when the user is creating an overlay. (GT-3491, Issue #1376)

Importer. Updated the XML Importer to apply repeatable comments. (GT-3492, Issue #1423)

Importer. Fixed issue in Batch Import where only one item of a selection was removed when attempting to remove a selection of items. (GP-138)

Importer. Corrected various issues with processing crushed PNG images. (GP-146, Issue #1854, #1874, #1875, #2252)

Importer. Fixed RuntimeException occurrence when trying to load NE programs with unknown resources. (GP-182, Issue #1596, #1713, #2012)

Importer. Fixed batch import to handle IllegalArgumentExceptions thrown by loaders. (GP-227, Issue #2328)

Importer:ELF. Corrected ELF relocation processing for ARM BE8 (mixed-endian). (GT-3527, Issue #1494)

Importer:ELF. Corrected ELF relocation processing for R_ARM_PC24 (Type: 1) that was causing improper flow in ARM disassembly. (GT-3654)

Importer:ELF. Corrected ELF import processing of DT_JMPREL relocations and markup of associated PLT entries. (GP-252, Issue #2334)

Importer:PE. Fixed an IndexOutOfBoundsException in the PeLoader that occurred when the size of a section extends past the end of the file. (GT-3433, Issue #1371)

Listing:Comments. Fixed bug in Comment field that prevented navigation when clicking on an address or symbol where tabs were present in the comment. (GT-3440)

Memory. Fixed bug where sometimes random bytes are inserted instead of 0x00 when expanding a memory block. (GT-3465)

Processors. Corrected the offset in SuperH instructions generated by sign-extending a 20-bit immediate value composed of two sub-fields. (GT-3251, Issue #1161)

Processors. Fixed AVR8 addition/subtraction flag macros. (GT-3276)

Processors. Corrected XGATE ROR instruction semantics. (GT-3278)

Processors. Corrected semantics for SuperH movi20 and movi20s instructions. (GT-3337, Issue #1264)

Processors. Corrected SuperH floating point instruction token definition. (GT-3340, Issue #1265)

Processors. Corrected SuperH movu.b and movu.w instruction semantics. (GT-3345, Issue #1271)

Processors. Corrected AVR8 lpm and elpm instruction semantics. (GT-3346, Issue #631)

Processors. Corrected pcode for the 6805 BSET instruction. (GT-3366, Issue #1307)

Processors. Corrected ARM constructors for instructions vnmla, vnmls, and vnmul. (GT-3368, Issue #1277)

Processors. Corrected bit-pattern for ARM vcvt instruction. (GT-3369, Issue #1278)

Processors. Corrected TriCore abs instructions. (GT-3379, Issue #1286)

Processors. Corrected x86 BT instruction semantics. (GT-3423, Issue #1370)

Processors. Fixed issue where CRC16C LOAD/STOR with abs20 were not mapped correctly. (GT-3529, Issue #1518)

Processors. Fixed M68000 MOVE USP,x and MOVE x,USP opcodes. (GT-3594, Issue #1593)

Processors. Fixed the ARM/Thumb TEQ instruction pcode to be an XOR. (GP-23, Issue #1802)

Processors. Emulation was broken by a regression in version 9.1.2. Emulation and Sleigh Pcodetests now work correctly. (GP-24, Issue #1579)

Processors. Fixed carry flag issue for 6502 CMP, CPX, and CPY instructions. (GP-34)

Processors. Corrected the SuperH high-order bit calculation for the rotr instruction. (GP-47)

Processors. Corrected ELF ARM relocation processing for type 3 (R_ARM_REL32) and added support for type 42 (R_ARM_PREL31). (GP-164, Issue #2261, #2276)

Scripting. Moved Jython cache directory out of tmp. (GP-36)

Scripting. Fixed a NoClassDefFoundError when compiling GhidraScript under JDK14. (GP-59, Issue #2152)

Scripting. Fixed issues with null result when searching for the script directory. (GP-103, Issue #2187)

Scripting. Fixed scripting issue where, if there were non-ASCII characters in the user path, Jython would not work. (GP-204, Issue #1890)

Sleigh. Corrected IndexOutOfBoundsException in SLEIGH when doing simple assignment in disassembly actions block. (GT-3382, Issue #745)

Symbol Tree. Fixed the Symbol Tree so that clicking an already-selected symbol node will still trigger a Listing navigation. (GT-3436, Issue #453)

Symbol Tree. Fixed the Symbol Tree to not continuously rebuild while performing Auto-analysis. (GT-3542)

Version Tracking. Fixed Version Tracking Create Manual Match action. (GT-3305, Issue #2215)

Version Tracking. Fixed a NullPointerException encountered when changing the Version Tracking options for the Listing Code Comparison when no data was loaded. (GT-3437, Issue #1143)

Version Tracking. Fixed Version Tracking exception triggered in the Exact Functions Instructions Match correlator encountered when the two functions being compared differed in their number of instructions. (GT-3438, Issue #1352)

Ghidra 9.1.2 Change History (February 2020)

Bugs

Data Types. Improved PDB composite reconstruction to attempt pack(1) alignment if default alignment fails. (GT-3401)

Data Types. Added missing support for multi-user merge of unions and structures containing bitfields or a trailing flexible array member. (GT-3479)

Data Types. Corrected structure editor save button enablement issue when editing bitfields within a non-packed structure. (GT-3519, Issue #1297)

Disassembly. Corrected potential infinite loop with disassembler caused by branch to self with invalid delay slot instruction. (GT-3511, Issue #1486)

GUI. Corrected processor manual display for Microsoft Windows users, which was not displaying processor manual and was, instead, rendering a blank page in web browser. (GT-3444)

GUI:Bitfield Editor. Added field comment support to composite bitfield editor. (GT-3410)

Importer:Mach-O. A Mach-O loader regression, in Ghidra 9.1.1, when laying down symbols at the correct location, has been fixed. (GT-3487, Issue #1446)

Multi-User:Ghidra Server. Corrected Ghidra Server remote interface errors that occur when running with Java 11.0.6 (and later) release, which would throw RemoteException Method is not Remote errors. (GT-3521, Issue #1440)

PDB. Corrected PDB XML generation for zero-length classes and structures and resolved various datatype dependency issues encountered during PDB Analysis. Changed line numbers from hex to decimal. (GT-3462, Issue #1410)

Processors. Corrected mnemonic for ARM thumb RSB.w instruction. (GT-3420, Issue #1365)

Processors. Corrected issue in M68000 with some move instructions not creating correct array assignments. (GT-3429, Issue #1394)

Processors. Updated x86 processor manual index file with latest Intel and AMD manuals. (GT-3489, Issue #1078)

Ghidra 9.1.1 Change History (December 2019)

Improvements

Importer:Mach-O. Improved import/load time of DYLD shared cache files. (GT-3261)

Program API. Cached the addresses that correspond to executable memory to improve analysis performance. (GT-3260)

Bugs

Analysis. Fixed a symbol name error that occurred in the Objective-C analyzer. (GT-3321, Issue #1200)

Analysis. Constant references are now computed correctly within functions in overlay spaces. (GT-3373)

Build. Corrected build of DMG.jar which was improperly built within Ghidra 9.1 release. (GT-3364)

Decompiler. Fixed bug causing Pcode: XML comms: Badly formed address errors when decompiling HCS12 XGATE code. (GT-3297)

Decompiler. Fixed Array DataType must be Fixed length exceptions related to function pointer data types. (GT-3309)

Decompiler. Fixed bug causing decompiler to drop statements, assigning string constants to global variables. (GT-3315)

Decompiler. Fixed issue with enum name strings causing Low-level Error: XML error: syntax error in the decompiler. (GT-3387, Issue #1329)

GUI. Fixed a potential ConcurrentModificationException in the interactive python interpreter. (GT-3280)

Importer:PE. Fixed an exception in the PeLoader that occurred when the size of the memory block for the headers is larger than the file size. (GT-3344, Issue #1266)

Listing. Fixed missing scroll bar in listing. (GT-3290)

Listing. Fixed issue that was causing a stack trace to be generated when contiguous addresses were cleared for a range greater than Integer.MAX. (GT-3357)

Listing:References. Corrected Create Default Reference action bug which did not handle composite/array data components properly. (GT-3371)

Processors. Corrected Sparc floating point instruction pcode implementation. (GT-3202)

Processors. Corrected the semantics of the PowerPC e_cmpi instruction. (GT-3228, Issue #1127)

Processors. Corrected bit generation for PowerPC instructions se_bclri, se_bgeni, se_bseti, and se_btsti. (GT-3232, Issue #967)

Processors. Corrected register definitions for x86 RDRAND instruction. (GT-3253, Issue #1169)

Processors. Corrected signed immediate calculation for some powerPC VLE offsets being incorrect. (GT-3254, Issue #1160)

Processors. Resolved issue with x86 escape opcodes preventing certain instruction patterns from decoding. (GT-3256)

Processors. Corrected bug in XGATE LDH instruction shifting out high bits. (GT-3268)

Processors. Corrected processing of R_MIPS_REL32, R_X86_64_RELATIVE, and R_X86_64_RELATIVE64 ELF relocations affecting relocatable binaries which have non-zero section/segment load addresses. (GT-3349)

Ghidra 9.1 Change History (October 2019)

New Features

Data Types. Added bit-field support to Structure and Union editor. An additional Bit-field Editor was also added for explicit bit-field placement within non-packed structures. (GT-559)

Eclipse Integration. Added new GhidraSleighEditor Eclipse plugin in the installation directory under Extensions/Eclipse. (GT-113)

GUI. Added method for turning off table sorting by control-clicking the only sorted table column. (GT-2763, Issue #87)

GUI. Hovering on an address will now show where the byte at that address came from in the imported file. (GT-3016, Issue #154)

Importer:Mach-O. Added new importer/loader for DYLD-shared cache files. (GT-2343)

Memory. Added new API to preserve imported program's original bytes and how they map to memory blocks. (GT-2845)

Processors. Implemented Intel MCS-96 processor module. (GT-2350)

Processors. Added SH1/2/2a sleigh processor specification. (GT-3029, Issue #715)

Processors. Added Tricore processor specification. (GT-3041, Issue #567)

Processors. Added HCS12X processor specification. (GT-3049)

Processors. Added HCS05 and HCS08 sleigh processor specifications. (GT-3050)

Processors. Added SH4 sleigh processor specification. (GT-3051, Issue #37)

Processors. Added MCS-48 processor specification. (GT-3058, Issue #638)

Program API. Added Bit-field support for structures and unions. Warning: Version upgrade will be forced on all modified programs and data type archives that are open for update. (GT-557)

Sleigh. Added two new extension modules (SleighDevTools and GnuDisassembler) in support of processor module development. Added support for pcode junit tests which utilize emulation of cross-compiled C test code to verify sleigh pcode (i.e., instruction semantics). The SleighDevTools extension provides the pcode test C source and associated build scripts, as well as external disassembler support for aiding in the validation of disassembled instruction syntax. (GT-3067)

Improvements

Analysis. Added example script, ResolveX86orX64LinuxSyscallsScript.java, for decompiling Linux system calls in x86 and x64. Added syscall-related exercises to Advanced class. (GT-3113)

Basic Infrastructure. Made bash scripts more portable, allowing Ghidra to be launched on additional platforms. (GT-2742, Issue #347)

Build. Created a new Gradle task that automates some installation procedures defined in DevGuide.md. (GT-2897)

Build. The build now allows newer versions of Gradle to be used. (GT-3017, Issue #737)

Data Types. All DataType archives have been regenerated to support the new bit-field functionality. (GT-2878)

Data Types. CategoryPath now accepts forward slashes in its components. (GT-2961)

Data Types. Fixed Structure Editor bug that caused the Data Type field of a row to be edited after a successful name field edit. (GT-3109, Issue #703)

Decompiler. Most forms of unnecessary or redundant copy statements are now removed from the decompiler output. (GT-2839)

Decompiler. Added ability to double-click a Decompiler brace syntax token to navigate to the matching brace. (GT-2846)

Decompiler. Updated the Decompiler to navigate to the label of a goto statement when that label is double-clicked. (GT-2847)

Decompiler. Updated the Decompiler's Copy action to copy the symbol under the cursor when there is no selection. (GT-2914, Issue #411)

Decompiler. Fixed broken External Navigation: Navigate to External Program option found in Edit -> Tool Options.... (GT-2932)

Decompiler. The decompiler's logic for handling optimized division has been updated to recognize forms typically found in executables generated with more recent 64-bit compilers. (GT-2968, Issue #668)

Decompiler. Implemented call-fixup for x64 __chkstk function. (GT-3006, Issue #670, #671)

Decompiler. The decompiler simplifies many new sign-bit extraction forms used in optimized division and comparison expressions. (GT-3036)

Decompiler. Ghidra now supports protected mode addressing when analyzing 16-bit x86 programs. This is the default variant when analyzing NE format executables, but it can also be used for MZ (and other) formats. (GT-3090, Issue #98)

Decompiler. Added the Show References to Address and Find References to Symbol actions to the Decompiler. Added Find Uses of Field action to the Structure Editor. (GT-3115, Issue #474, #542, #543)

Decompiler. Updated the Decompiler's Edit Data Type action to work on more fields. (GT-3116, Issue #275, #511)

Decompiler. Renaming a single parameter within the decompiler window no longer prevents the data types of parameters from floating. Retyping a single parameter locks the data type for that parameter but no longer prevents the data types of other parameters from floating. (GT-3162)

Documentation. Fixed typos and other errors in GitHub-related documentation. (GT-2748, Issue #345, #361, #370, #375, #398)

Documentation. Added documentation to the DevGuide.md on how to run unit/integration tests. (GT-3046, Issue #815, #832)

DWARF. Corrected DWARF analysis to handle binaries that are imported at non-default locations. (GT-2963, Issue #637)

Emulator. Added improved emulation support at the API level including a simplified API exposed via the EmulatorHelper class. Sample GhidraScripts, which utilize this API, have been provided. (GT-3066)

Function Graph. Updated the Function Graph to show the current program selection when zoomed out. (GT-2735)

Function Graph. Added an option to the Function Graph to allow more complex edge routing that will go around non-incident vertices. See the Tool Options for more information and to enable this feature. (GT-3019, Issue #811)

Function Graph. Fixed Function Graph edge layout bugs that caused some edges to get clipped by vertices. (GT-3161)

GUI. Added listener to Script Table Chooser Dialog that will get notified when the dialog closes. (GT-2216)

GUI. Fixed global Tool auto-save option so that it persists between Ghidra sessions. (GT-2818, Issue #231)

GUI. Added the apple.laf.useScreenmenuBar option to hoist the menu bar out of the window on macOS. The option is off by default but can be activated in support/launch.properties. (GT-2859, Issue #562)

GUI. Updated the Repeat Text Search/Repeat Memory Search menu items to show the search dialog for long searches. (GT-2872, Issue #585)

GUI. Updated Structure Editor to allow user key bindings to work. (GT-2894, Issue #504)

GUI. Python interpreter key bindings for sending reset and interrupt commands are now configurable. (GT-2901, Issue #588)

GUI. Tweaked default graphic settings in support/launch.properties to support a wider range of displays out-of-the-box. (GT-2913, Issue #341)

GUI. Added the ability to assign key bindings to activate individual component providers. (GT-2925, Issue #539)

GUI. Fixed rendering issue in the Search Results table's Preview column. (GT-2942, Issue #550)

GUI. Updated the Function Signature Editor's Data Type Chooser dialog to allow for keyboard navigation. (GT-3110, Issue #636)

GUI. Fixed NullPointerException in the DB Viewer component. (GT-3163, Issue #1023)

Importer. Updated x86 16-bit processor binding for IDA. (GT-3004, Issue #771)

Importer:ELF. Improved ELF loader ability to cope with malformed headers including negative file offsets and missing section names. (GT-2933, Issue #35)

Importer:PE. PeLoader better accounts for section alignment when laying out memory blocks, allowing additional bytes from the file to be loaded into memory. (GT-2827, Issue #327, #418)

Importer:PE. Removed out-of-place call to demangler and laying down of types from PeLoader. This fix enables demangling and other analyzers to be applied correctly and in the proper order. (GT-2849)

Importer:PE. PeLoader now adds TLS callback functions as entry points. (GT-2898, Issue #102)

Listing. Updated Listing to support horizontal scrolling by holding the Shift key when using the mouse wheel. (GT-3105, Issue #451)

Listing:References. Created new overriding reference types, which improve and extend the ability to override calls, jumps, and callothers. (GT-2885)

Multi-User. Added a script to allow repository admins the ability to terminate multiple file checkouts belonging to an individual user on a shared project. (GT-2893)

Multi-User:Ghidra Server. Added additional Ghidra Server authentication modes including: Active Directory via Kerberos and JAAS. The JAAS framework can facilitate use of LDAP, PAM, and other JAAS-supported extensions which utilize a login name and password. (GT-2658)

Multi-User:Ghidra Server. Changed Ghidra Server repositories storage to ignore file/folder names which start with a period. This will impose a restriction on naming of Ghidra projects where they can no longer start with a period. (GT-3218)

PDB. Now using HTTPS for Microsoft symbol server URL. (GT-2819, Issue #369)

PDB. PDB processing can now store data types that contain forward slashes under a CategoryPath. (GT-2974, Issue #94, #182)

PDB. PDB Analyzer no longer automatically includes the PDB path specified in the program's PE header when searching for the PDB. However, the filename in this path is considered during the search. The analyzer's Unsafe: Include PE PDB Path in PDB Search option allows the user to revert to the original PDB search algorithm. (GT-3076, Issue #277)

Processors. Added new Task Monitor service to better handle user experience when there are delays in building languages. (GT-2376)

Processors. Corrected ARM/Thumb instruction parsing for Thumb bl and add instructions. (GT-2744, Issue #362)

Processors. Added AVR8 manual index file. (GT-2828, Issue #346)

Processors. Improved support for ARM on Windows. (GT-2880)

Processors. M68000 LSL.W, ASL.B, LSL.B, and ASL.W instructions now correctly set the CF flag. (GT-2907, Issue #619)

Processors. Updated x86 manual index files. (GT-2943, Issue #366)

Processors. Improved macro label-related error reporting in slaspec files. (GT-2995, Issue #522)

Processors. Added MIPS special 0x1f patterns. (GT-3005, Issue #709)

Processors. Added proper updating of the X condition flag register for the M68000 processor lsl and lsr instructions. (GT-3137, Issue #983)

Processors. Implemented PowerPc VLE Interrupt Handler Efficiency Instructions. (GT-3143, Issue #935)

Processors. Ghidra now correctly models SPARC 64-bit stack bias. (GT-3201)

Processors. Updated AVR32 instruction manual index to latest version. (GT-712)

Program API. Added SHA256 hash to Program metadata and API. (GT-2753, Issue #331)

Scripting. Updated Script Table Chooser Dialog: to fix bug with tracking work items, to add new API methods for item removal and dialog closed notification, and to prevent the same item from being worked on more than once. (GT-2724, Issue #307)

Scripting. Fixed MultiInstructionMemReference Ghidra script to place the reference correctly on instructions with a delay slot. (GT-2906)

Sleigh. The sleigh compiler now reports line numbers for the -n NOP command line option. (GT-2905, Issue #561)

Sleigh. SLEIGH compiler now warns when building an operand in a constructor may unintentionally overwrite another operand. (GT-3085)

Testing:Junits. test.gradle getLogFileUrl() no longer searches user .dir for log4j properties file. (GT-2834, Issue #499)

Testing:Junits. Added new Gradle task to run integration tests and generate an HTML report. (GT-3060, Issue #870)

Tool. Fixed bug that caused an exported tool to exclude plugin configuration settings. (GT-3193, Issue #1065)

Bugs

Analysis. Fixed an exception in the EmbeddedMediaAnalyzer that occurred when media was discovered at the very end of the address space. (GT-2890)

Analysis. Recognition and disassembly of the FMA, F16C, and several missing AVX instructions have been added to the base x86 processor specification. The pcode for these instructions is pseudo-op and not a full pcode implementation. (GT-3168)

Basic Infrastructure. Updated the apache-commons-lang3 library to version 3.9 which supports Java 11. (GT-2879)

Basic Infrastructure. Prevented Ghidra from launching with 32-bit Java installations. (GT-3146, Issue #882)

Data Types. Corrected string data default label generation when defined within uninitialized memory, which will now render as STRING_address. (GT-2715, Issue #272)

Data Types. Improved ASCII string data handling for processors with a char size greater than one (1). (GT-2842)

Data Types. Changed BooleanDataType to extend AbstractIntegerDataType including support as a bit-field. (GT-3170)

DbViewer. Corrected concurrent modification issue within DbViewer resulting in NullPointerException. (GT-3192, Issue #1076)

Decompiler. Fixed aliasing issue where the decompiler would sometimes drop initialization or other code writing to the stack. (GT-2369)

Decompiler. Fixed bug causing the decompiler to incorrectly omit the display of infinite loops when they contained switch statements. (GT-2852, Issue #443)

Decompiler. Integer extension casts are no longer printed in the decompiler if the extension is implied. (GT-2857)

Decompiler. Improved handling of overlay spaces. In particular, the decompiler is now able to handle references into overlays defined on the OTHER space. Added SLEIGH version numbers. (GT-2873)

Decompiler. Updated the Decompiler to place the cursor on the function signature when a function is decompiled. (GT-2882)

Decompiler. Fixed a common source of Data type does not fit errors when using the Retype actions in the decompiler. (GT-2956)

Decompiler. Fixed equals() method in Varnode AST. (GT-2959, Issue #677)

Decompiler. Users can no longer rename undefined functions from the decompiler. (GT-3043, Issue #753)

Decompiler. Fixed a bug that did not allow the prototype for a specific CALL to an external function to be overridden in the decompiler. (GT-3145)

Decompiler. Restricted Auto Fill in Structure command to operate only on pointer variables. (GT-3182)

Decompiler. Fixed bug in the analysis of stack variables for SPARC, which caused extraneous local variables and missed stack parameters in the decompiler. (GT-3200)

Decompiler. Fixed one source of Type propagation algorithm not settling warnings in the decompiler. (GT-3213, Issue #839)

Decompiler:Java. Updated Decompiler's hovers to show preview for data types on variables and return types. (GT-2629)

Decompiler:Java. Fixed error involving decompilation of certain invokedynamic instructions in JVM class files. Made numerous minor improvements to decompilation of JVM bytecode. (GT-2757, Issue #287)

Demangler. Fixed a NullPointerException in DemangledFunctionPointer. (GT-2948, Issue #609)

DWARF. Empty DWARF compilation unit sections will now be ignored. (GT-2939, Issue #690)

Exporter. Negative memory references in idaxml.py no longer cause errors. (GT-2696, Issue #213, #885)

Exporter. Fixed Intel Hex Exporter to not ignore the Address Space option value. (GT-2749)

Exporter. Fixed cancellation behavior of the C/C++ exporter. (GT-2881, Issue #591)

File Formats. Fixed an out-of-memory error in the CPIO file system. (GT-2912)

File Formats. DmgClientFileSystem no longer falsely matches zlib compressed files. (GT-2926, Issue #583)

File System Browser. Fixed NullPointerException when clicking Get Info on a directory in a zip file in the file system browser when the element was a directory that did not have a corresponding entry in the zip file. Changed the Get Info action to show information about both the highlighted file and any file system mounted from that file. (GT-2758)

File System Browser. Fixed dialog stacking problem in File System Browser when double-clicking a container file to open the filesystem inside it. (GT-2764)

File System Browser. Reduced the disk usage of the DYLD-shared cache file system. (GT-2887)

Function Graph. Fixed exception encountered when a Function Graph's entry node was put into a group node. (GT-3074)

Function Graph. Fixed Function Graph edge routing bug that sometimes caused edge flowing upward to route unexpectedly. (GT-3153, Issue #994)

GUI. Fixed stack trace when deleting large memory block that is in its own address space. (GT-2699)

GUI. Changed Data Type Preview to allow adding string data types. (GT-2832)

GUI. Fixed display of operand scalar values in tooltip popup of Decompiler and Listing windows. (GT-2836, Issue #120)

GUI. Fixed bug in Data Type Preview that caused a rendering error in Structures as primitive types were deleted. (GT-2844)

GUI. Fixed Symbol Tree ClassCastException that happened when clicking a node while the tree was still loading. (GT-2870, Issue #96)

GUI. Fixed bug that prevented the XRef's Ref Type column from sorting correctly. (GT-2892)

GUI. Fixed Listing bug so that the cursor gets restored to the previous location on Ghidra startup. (GT-2927, Issue #505)

GUI. Updated Edit Function Signature dialog to have focus in the signature field when first opened. Also added undo/redo support. (GT-2947, Issue #635)

GUI. Fixed exception in the References Editor encountered when closing the editor with an active edit in the table. (GT-2951)

GUI. Fixed bug where the Ghidra menu mnemonic was not being set by the ampersand ('&') character in the last field of the menu path. (GT-2954)

GUI. Updated the Component Provider's Close button to allow for key bindings. (GT-2971, Issue #533)

GUI. Fixed tool navigation button enablement when using snapshot windows. (GT-2973)

GUI. Corrected Function Editor issue where parsed signature text resulted in incorrect type sizes which impacted custom storage selection. Also added support for parsing signatures which reference types from an open datatype archive. (GT-3059)

GUI. Updated resizing in Select Bytes dialog. (GT-3072)

GUI. Fixed bug where listing would jump to random location when opening or closing a large structure or array. (GT-3088)

GUI. Fixed bug that caused some tables (e.g., the Symbol Table) to sort twice during their initial loading of data. (GT-3142)

GUI. Drag-and-Drop bug causing incorrect drop highlighting has been fixed. (GT-3219, Issue #1093)

Help. Fixed NullPointerException when navigating the Help UI. (GT-2830, Issue #493)

Importer. Fixed issues in the MapLoader that prevented .map files from being added to an existing program. (GT-2972, Issue #762)

Importer. For batch import, fixed issue where last character of directory name was truncated on Windows workstations. (GT-3012, Issue #797)

Importer. Fixed a bug in how the NE importer creates External Function symbols for the procedures it imports, allowing the decompiler to properly access any available information. (GT-3140, Issue #770)

Importer. Fixed a bug that prevented some old-style Windows executables from getting loaded by the MzLoader. (GT-3180, Issue #1054)

Importer:ELF. Added ELF relocation handler for R_AARCH64_JUMP26. (GT-2999, Issue #775)

Importer:ELF. Improved ELF MIPS support for GP-relative relocations encountered in PIC compiled binaries. Also added support for R_MIPS_RPREL32 relocation. (GT-3026, Issue #764)

Importer:ELF. ELF x86-64 relocations R_X86_64_GOT32, R_X86_64_PLT32, R_X86_64_SIZE32, R_X86_64_SIZE64, and R_X86_64_GOTPC32 have been fixed to relocate correctly. Additional ELF x86-64 relocations, found mostly in unlinked .o files, have been added. (GT-3089, Issue #910)

Importer:PE. Fixed a problem in the PeLoader that would result in section names being incorrectly used as primary symbols. This could result in function names being wrong. (GT-3195, Issue #761, #1051)

Listing. Fixed potential infinite loop when editing long comments. (GT-2824, Issue #437)

Listing. Fixed potential ClassCastException in Listing comments. (GT-3023)

Listing. Cursor in the listing now stays in the proper column after editing a field. (GT-3045, Issue #702)

Listing. Fixed a problem with register highlighting that could occur on certain register/sub-register combinations. (GT-3071, Issue #810)

Multi-User. Corrected terminate checkout from viewed checkout list which was always terminating first row range based upon number of selected rows and not the actual selected rows. (GT-2903)

Multi-User. Corrected ability for user to cancel checkin/checkout to Ghidra Server. (GT-3208)

Multi-User:Ghidra Server. Added proper Ghidra Server interface binding with new -i option. Corrected -ip option to strictly convey remote access hostname to clients. The updated server will only accept connections from Ghidra 9.1 and later clients due to the registry port now employing TLS. (GT-2685, Issue #101, #645)

Multi-User:Ghidra Server. Fixed argument-passing bug in svrAdmin script. (GT-3082, Issue #907)

Multi-User:Merge. Corrected merge problem affecting modified Function Definition datatypes which could result in a NullPointerException. (GT-2922)

PDB. Added char16_t and char32_t to PDB BASIC_TYPE_STRINGS. (GT-2952, Issue #685)

PDB. Addressed memory leaks and string handling issues in pdb.exe. (GT-2975, Issue #674, #597, #598, #599, #600)

PDB. Can now recover stack variables from more recent Visual Studio version PDBs. (GT-3014)

PDB. Fixed PDB validation logic, which caused a more severe error message to be created, masking the real issue. (GT-3209, Issue #198, #1024)

Processors. Utilized FLOAT_NEG pcodeop to simplify PowerPC fneg instructions. (GT-2781, Issue #387)

Processors. Added 6502 I status bit save and restore. (GT-2826, Issue #469)

Processors. Corrected alternate register definitions in z80 processor. (GT-2876, Issue #520)

Processors. Reviewed all processor modules for GhidraSleighEditor syntax errors. (GT-2902)

Processors. Added support for RD, WR, FS, and GSBASE instructions in x86. (GT-2940, Issue #554, #555)

Processors. Added fixes for sign extension of ADD, AND, CMP, and SUB instructions on x86-64bit. (GT-2955, Issue #881)

Processors. Updated PIC-30 division pcode to correct decompilation issue. (GT-3008)

Processors. Fixed x86 AAM instruction. (GT-3015)

Processors. Corrected x86 decode of MOVBE instruction. (GT-3039, Issue #822)

Processors. Corrected M68000 mov3q instruction decode and semantics. (GT-3080, Issue #905)

Processors. The JVM instruction I2D now correctly pushes an 8-byte double on the stack. (GT-3081)

Processors. Fixed problem displaying processor manuals in Windows Firefox. (GT-3084)

Processors. Encoding of MOV into debug registers has been relaxed. (GT-3117)

Processors. Corrected behavior of PowerPC vectorPermute pcodeop for emulation. (GT-3148)

Processors. Corrected MIPS relocation computation for R_MIPS_26, R_MIPS16_26, and R_MICROMIPS_26_S1. (GT-3154, Issue #1001)

Processors. Corrected the bit patterns for PowerPC VLE rlwimi and rlwinm instructions. (GT-3159, Issue #752)

Processors. Corrected instruction semantics for AARCH64 BLR instruction. (GT-3191)

Processors. Corrected fall-through override semantics for cases where pcode simply drops into the next address. (GT-3196, Issue #1083)

Processors. Corrected the semantics of the PowerPC se_bmaski instruction. (GT-3230, Issue #1123)

Program API. Corrected parameter storage which failed to properly refresh after undo/redo. (GT-3130, Issue #960)

Program API. Corrected function parameter ordinal numbering when more than one auto-parameter is present. (GT-3214)

Project Manager. Fixed a problem with creating Ghidra projects in Windows root directories (e.g., Z:\). (GT-2585)

Project Manager. Fixed a path-traversal vulnerability that could occur when restoring a malicious project archive. (GT-3001, Issue #789)

Scripting. GhidraScript.askDomainFile() now correctly throws a CancelledException when the cancel button is clicked. (GT-2841)

Scripting. Removed deprecated scripting methods older than 5 releases. (GT-2949)

Security. Removed use of nonsecure XMLEncoder/XMLDecoder from Ghidra code base. (GT-3198, Issue #1090)

Sleigh. Corrected Sleigh compiler bug which performed improper bounds checking for named register offset specification when space wordsize is not one (1). (GT-3034, Issue #831)

Testing:CUnits. Fixed error logging in pcodetest for reporting an error when running a compile command. (GT-3199, Issue #1089)

Version Tracking. Fixed NullPointerException in Version Tracking hashing algorithm. (GT-2976)

Ghidra 9.0.4 Change History (May 2019)

Bugs

Multi-User:Ghidra Server. Corrected severe script error in svrAdmin.bat introduced with 9.0.3 build. (GT-2874)

GUI. Restored the default 'p' key binding for creating pointers within the listing display. (GT-2854)

Ghidra 9.0.3 Change History (April 2019)

New Features

GUI. Function tags are now viewable from Functions Window table using new column. (GT-2114)

Improvements

Decompiler. Improved modeling of CFG on Windows 10. (GT-2755, Issue #340)

Patcher. Renamed patch directory to /Ghidra/patch and added README.txt that explains how the patch directory is used. (GT-2734)

Search. Updated the Decompiler Data Type Finder to find references inside of nested array access in a line of Decompiler C output. (GT-2756, Issue #416)

Sleigh. Improved error reporting for SLEIGH compiler. (GT-2820, Issue #364)

Bugs

Analysis. Code that checks for thunks no longer throws an exception if the PC is not set for the processor. (GT-2730)

Analysis. Made a fix to enable Apply button when changing tool options. (GT-2801, Issue #40)

Data Types. Fixed concurrent modification exception when replacing one datatype for another that results in some other datatype being renamed. (GT-2736)

Decompiler. Fixed dynamic variables and equates in 16-bit x86 programs. (GT-2745, Issue #336)

Decompiler:Java. Fixed DEX decompilation regression issue. (GT-2743, Issue #350)

Eclipse Integration. Fixed exception in Eclipse GhidraDev plugin that occurred when performing certain actions on a Ghidra project that was imported from a previously exported Archive File. (GT-2721, Issues #283, #383)

GUI. Improved documentation on how to deal with HiDPI monitor issues in Linux. In the <ghidra_installation>/support/launch.properties file, change VMARGS=-Dsun.java2d.xrender from false to true.

Importer. Fixed an exception that occurred when batch importing APK files. (GT-2767, Issue #426)

Multi-User:Ghidra Server. Restored ability to execute svrAdmin script in development mode. (GT-2740)

Processors. The 6502 Zero page indexed addressing has been corrected to only access the Zero page. (GT-2759, Issue #201)

Processors. The M68000 BCD arithmetic instructions now have pcode semantics that allow disassembly to continue. (GT-2807, Issue #227)

Search. Fixed NullPointerException in Decompiler Data Type Reference Finder. (GT-2754, Issue #407)

Ghidra 9.0.2 Change History (April 2019)

Bugs

Analysis. Constant reference analysis boundary controls for speculative references has been fixed. Speculative references are references created from computed constants passed as parameters, stored to a location, or from indexed offsets from a register. (GT-2723, Issue #228)

Decompiler. Fixed Decompiler handling of Function Definition data types. (GT-2704, Issue #247)

Decompiler. Fixed rendering bug in the Decompiler when the "Find" dialog is closed. (GT-2716, Issue #282)

Decompiler. Fixed "Free Varnode" exception in RuleConditionalMove. (GT-2726, Issue #294)

Diff. Fixed exceptions that can occur in the Diff View for programs with overlays. (GT-2706)

Documentation. Corrected the spelling of "listener" throughout the source code. (GT-2702, Issue #235)

Exporter. Exporting a selection as Intel Hex will now allow a selection of any length. Previously this was restricted to multiples of 16 bytes. (GT-2703, Issue #260)

GUI. Fixed exception that occurs after disabling MyProgramChangesDisplayPlugin. (GT-2712)

GUI. Updated the "Open Program" dialog to disallow file drop operations. (GT-2705, Issue #252)

Multi-User:Ghidra Server. Corrected bug introduced into ghidraSvr.bat which could prevent Ghidra Server startup. (GT-2717, Issue #279)

Processors. The ARM Thumb CMP.W and LSL instructions have been changed to correctly decode. There are still issues to work out with Unpredictable execution when Rd is the PC. (GT-2722, Issue #280)

Scripting. MultiInstructionMemReference script has been corrected to consider input and output registers when placing a reference on an instruction. (GT-2723)

Security

Basic Infrastructure. Added a property to support/launch.properties to prevent log4j from using jansi.dll on Windows. (GT-2725, Issue #286)

Ghidra 9.0.1 Change History (March 2019)

New Features

Scripting. Created ShowEquatesInSelectionScript to show all equates within the current selection. (GT-2651, Issue #111)

Improvements

Basic Infrastructure. Updated commons-compress library to version 1.18. (GT-2657, Issue #171)

Eclipse Integration. Ghidra now connects to the Eclipse GhidraDev plugin on 127.0.0.1 rather than localhost. (GT-2691)

GUI. Turned on font anti-aliasing by default for Linux. (GT-2674, Issue #212)

GUI. Fixed Options Dialog slow scrolling speed. (GT-2679, Issue #27)

Importer:ELF. Corrected bug in ELF loader which can improperly process the GOT, PLT and relocations when multiple symbol tables exist within the ELF binary. (GT-2646, Issue #52)

Multi-User:Ghidra Server. Corrected the Ghidra Server service wrapper (YAJSW) configuration for Mac OS X to prevent a startup timeout condition which could occur. (GT-2637)

Processors. Added ARM/Thumb SRS instruction decodes for undefined modes. (GT-2676, Issue #216)

Bugs

API. Fixed equals method on Varnode class. (GT-2648, Issue #97)

API. Fixed a bug in MaskImpl.complementMask(). (GT-2694, Issue #187)

Basic Infrastructure. Fixed special character handling in idaxml.py. (GT-2669, Issue #75)

Basic Infrastructure. Ghidra now forces the locale to en_US by default. Only the en_US is currently supported. This fixes certain unexpected exceptions. (GT-2680, Issue #209)

Diff. Fixed exception occasionally encountered when starting a Diff session. (GT-2672, Issue #211)

Documentation. Fixed javadoc search box redirecting to broken links. (GT-2655, Issue #129)

Function Graph. Fixed Function Graph exception when generating tooltip. (GT-2650, Issue #65)

GUI. Updated window placement to keep windows on screen. (GT-1516, Issue #41)

GUI. Add/Edit References dialog now restricts users to creating refs in valid memory address spaces. (GT-2638)

GUI. Fixed exception when exiting Ghidra while a table is being edited. (GT-2642, Issue #51)

GUI. Fixed some touchpad scrolling issues. (GT-2647, Issue #2)

GUI. Fixed stack trace in the Data Type Manager's tooltip generation. (GT-2656, Issue #133)

GUI. User key binding settings for the Recently Used and Define Pointer actions no longer lost after re-launching tool. (GT-2659, Issue #152)

GUI. Toolbar buttons now respond to fast clicking. (GT-2689)

Importer:Mach-O. The Mach-O loader can now find import libraries found in Universal Binary files. (GT-2663, Issue #136)

Importer:PE. The PeLoader now correctly parses the GuardCFFunctionTable when table entries are more than 4 bytes each. (GT-2671, Issue #220)

Multi-User:Ghidra Server. Removed support for native OS authentication from Ghidra Server (removed modes -a2 and -a3) due to incompatibility with newer OS releases including Windows 10 and Windows Server 2016. Re-introduction of this will be considered for a future release. (GT-2653)

PDB. Corrected NullPointerException when processing PDB files. (GT-2673, Issues #138, #188)

Processors. Added missing PowerPC VLE conditional branch instructions: e_bdnz and e_bdz. (GT-2652, Issue #103)

Processors. Fixed instruction semantics for several instructions and added Control Flow Enforcement, NOP variants, CMP variants, UD1, and prefixed call instructions to X86 processor specification. (GT-2660, Issues #22, #53, #158, #157)

Processors. The M68000 MOVE instruction now correctly sets the CF and VF flags. (GT-2661, Issue #163)

Processors. Added four missing MOVEM instruction variants to the M68000 processor. (GT-2675, Issue #219)

Processors. An incorrect usage of X instead of Y in indexed mode for the 6502 has been corrected. (GT-2677, Issue #201)

Processors. PPC VLE now disassembles base PPC instructions that are valid in VLE mode. (GT-2681, Issue #127)

Processors. Added support for ARM Thumb half BL instruction on processor variants prior to v6. (GT-2684, Issue #39)

Scripting. Fixed a bug in ImportSymbolsScript.py that prevented it from running. (GT-2668, Issue #170)

Security

Basic Infrastructure. Running Ghidra in debug mode no longer opens remotely accessible ports by default. (GT-2641, Issue #6)

GUI. The Defined Strings plugin no longer renders HTML in its table. (GT-2686, Issue #45)

Project Manager. Fixed an XXE vulnerability affecting projects and many other saved components. (GT-2643, Issue #71)