Ghidra Software Reverse Engineering Framework

Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra extension components and/or scripts using Java or Python.

In support of NSA's Cybersecurity mission, Ghidra was built to solve scaling and teaming problems on complex SRE efforts, and to provide a customizable and extensible SRE research platform. NSA has applied Ghidra SRE capabilities to a variety of problems that involve analyzing malicious code and generating deep insights for SRE analysts who seek a better understanding of potential vulnerabilities in networks and systems.

If you are a U.S. citizen interested in projects like this, to develop Ghidra and other cybersecurity tools for NSA to help protect our nation and its allies, consider applying for a career with us.

Ghidra 10.1.2 Change History (January 2022)

Improvements

- Basic Infrastructure. Upgraded Gson to 2.8.9. (GP-1632, Issue #3802)
- Basic Infrastructure. Upgraded log4j to 2.17.1. (GP-1641)
- Build. Increased minimum supported Gradle version from 6.4 to 6.8. (GP-1680)
- Debugger:Emulator. Emulator's PcodeStepper now displays the decoded instruction. (GP-1474)
- Debugger:Watches. Double-clicking a pointer value in the Watches window navigates to the pointer rather than its address. (GP-1469)
- Listing. Updated the Listing Operands field to support word-wrapping for enum data types. (GP-1665, Issue #3812)
- Scripting. Improved the RecoverClassesFromRTTIScript to create function definitions for multi-inheritance and single virtual inheritance classes in the correct ancestor class data type folders. (GP-1663)
- Scripting. Updated RecoverClassesFromRTTI script for GCC programs to only create typeinfo structures in non-executable memory. (GP-1686)

Bugs

- Analysis. Fixed another bug with recovering Objective-C method names. (GP-1642, Issue #3817)
- Analysis. Certain switch cases using the AARCH64 CSEL instruction will now recover correctly. Previously internal CBRANCH instructions could cause switch flow recovery failure in the decompiler switch analyzer. (GP-1687)
- Analysis. Fixed unused Microsoft Demangler options. (GP-1688, Issue #3892)
- Analysis. (U) Reverted change (GP-1575) introduced with Ghidra 10.1 which improperly factored image-base into analysis of ELF LSDA Gcc exception records. (GP-1702)
- Build. Fixed gradle buildGhidra issue where a second build doesn't include all the files. This issue appears to be a bug introduced in Gradle 7. (GP-1648, Issue #3827)
- Data Types. Fixed display of multiple Enum values. (GP-1657, Issue #3810)
- Debugger. Now invalidating caches for dbgeng/dbgmodel in the GADP variants so the memory is not left stale. (GP-846)
- Debugger. Fixed exception when cancelling password entry for GDBOverSSH. (GP-1655, Issue #3578)
- Debugger:Memory. Fixed Debugger Memory background colors during emulation. (GP-1590)
- Debugger:Trace. Fixed issue where emulated state leaked into recorded state. (GP-1620)
- Debugger:Trace. Fixed NullPointerException when disassembling stale memory. (GP-1646)
- Decompiler. Fixed the Decompiler Retype Field action to not rename the field. (GP-1654, Issue #3783)
- Decompiler. Decompiler now recovers jump tables that use PIC mechanisms or other forms relying on injected p-code. (GP-1659)
- Demangler. Fixed demangling bug that produced incorrect types such as unsigned_short. (GP-1662)
- GUI. Fixed incorrect tool option reference in the Create Table From Selection action. (GP-1676, Issue #3858)
- GUI. Fixed the Decompiler Find Text dialog's auto-complete feature to not change the default text entry added to the dialog. (GP-1685, Issue #3890)
- Importer:Mach-O. Fixed an IllegalArgumentException that occurred when loading some kernelcache images. (GP-1675, Issue #2487)
- Importer:PE. Fixed an exception that occurred when re-parsing PE programs with a .pdata section from memory. (GP-1636, Issue #3347, #3800, #3805)
- PDB. Fixed incorrect bounds on item type iteration; one effect of the fix is that the user might notice more unsupported PDB data type messages in the log. (GP-1677)
- Processors. Fixed issue with Motorola 6809 immediate operands being set to zero. (GP-1611, Issue #2116, #3755)
- Processors. Corrected PowerPC efscmp* and efstst* instructions condition register usage. (GP-1639, Issue #2528)
- Processors. Fixed the target of JUMP and JSR for the 6809 to use [target] instead of jumping directly to target which incorrectly jumped to the address of the unique variable. Also fixed a compile issue in the half-finished 6309 EXG and TFR instructions. (GP-1690, Issue #3825)
- Scripting. Fixed the ApplyClassFunctionDefinitionUpdatesScript and the ApplyClassFunctionSignatureUpdatesScript to work correctly with the recent RecoverClassesForRTTI changes to function definitions. (GP-1601)
- Scripting. Fixed bug in a class recovery helper class that was causing an exception in some cases when trying to replace a component in a structure. (GP-1670)
- Scripting. Removed a misplaced space character in the name passed to setLabel in RecoverClassesForRTTIScript. (GP-1671)
- Sleigh. Fixed bug that could cause erroneous decompilation of functions in overlays. (GP-1661, Issue #3828)