This release includes new features, enhancements, performance improvements, quite a few bug fixes, and many pull-request contributions. Thanks to all those who have contributed their time, thoughts, and code. The Ghidra user community thanks you too!
+ +Ghidra 11.2 is fully backward compatible with project data from previous releases. + However, programs and data type archives which are created or modified in 11.2 will not be usable by an earlier Ghidra version.
+ +IMPORTANT: Ghidra 11.2 requires at minimum JDK 21 to run.
-Ghidra 11.x is fully backward compatible with project data from previous releases. - However, programs and data type archives which are created or modified in 11.x will not be usable by an earlier Ghidra version.
+IMPORTANT: To use the Debugger or do a full source distribution build, you will need Python3 (3.9 to 3.12 supported) installed on your system.
-This distribution requires at minimum JDK 17 to run, but can also run under JDK 21.
+NOTE: There have been reports of certain features causing the XWindows server to crash. A fix for + CVE-2024-31083 in X.org software in April 2024 introduced a regression, which has been fixed in xwayland 23.2.6 and xorg-server 21.1.13. If you experience + any crashing of Ghidra, most likely causing a full logout, check if your xorg-server has been updated to at least the noted version.
-NOTE: Each build distribution will include native components (e.g., decompiler) for at least one platform (e.g., Windows x86-64). +
NOTE: Each build distribution will include native components (e.g., decompiler) for at least one platform (e.g., Windows x86-64). If you have another platform that is not included in the build distribution, you can build native components for your platform directly from the distribution. See the Ghidra Installation Guide for additional information. Users running with older shared libraries and operating systems (e.g., CentOS 7.x) may also run into compatibility errors when launching native executables such as the Decompiler and GNU Demangler which may necessitate a rebuild of native components.
- -IMPORTANT: To use the Debugger, you will need Python3 (3.7 to 3.12 supported) installed on your system.
-NOTE: Ghidra Server: The Ghidra 11.x server is compatible with Ghidra 9.2 and later Ghidra clients. Ghidra 11.x +
NOTE: Ghidra Server: The Ghidra 11.x server is compatible with Ghidra 9.2 and later Ghidra clients. Ghidra 11.x clients are compatible with all 10.x and 9.x servers. Although, due to potential Java version differences, it is recommended that Ghidra Server installations older than 10.2 be upgraded. Those using 10.2 and newer should not need a server upgrade.
-NOTE: Any programs imported with a Ghidra beta version or code built directly from source code outside of a release tag may not be compatible, +
NOTE: Any programs imported with a Ghidra beta version or code built directly from source code outside of a release tag may not be compatible, and may have flaws that won't be corrected by using this new release. Any programs analyzed from a beta or other local master source build should be considered experimental and re-imported and analyzed with a release version.
@@ -82,148 +86,77 @@ATTENTION: Please delete and re-import the default Debugger tool!
- -We are introducing a new debugger connection system called Trace RMI. This is replacing the older system, - which we are calling the Recorder system.
- -The most noticeable difference will be a new menu for launching targets. It is very similar to the previous system, but with some key differences:
--- --
-- Connection and launching are no longer separated into two different configuration panels. There is one panel to launch your target.
-- Ghidra will no longer attempt to launch blindly with defaults. The first time you launch a program, you must select a launcher and configure it.
-- After the initial launch you can re-launch with a previous configuration, without requiring a prompt.
-
The next most noticeable difference will be the replacement of the Interpreter window with the Terminal window. This is a proper VT-100 - terminal emulator, so the experience will be much like, if not identical to, how you'd debug in a plain terminal, except embedded into and integrated with Ghidra. - Some notable improvements that brings:
--- --
-- Tab completion, history, etc., should all work as implemented by the connected debugger's command-line interface.
-- When the target is running, it has proper I/O in that terminal.
-- If connecting goes poorly for some reason, the debugger's command-line interface is likely still operational.
-
You may also notice the replacement of the Debugger Targets window with the Connection Manager window, and the replacement - of the Objects window with the Model window. These are operationally very similar to their previous counterparts.
- -For Power Users: The launchers are just shell scripts on Linux and macOS, and batch files on Windows. We have provided plugins - for integrating with GDB, LLDB, and the Windows Debugger. So long as your target works with one of these debuggers, orchestrating - another kind of target is mostly a matter of creating a new shell script. This is usually accomplished by using the most similar - one as a template and then trying it out in Ghidra. When errors occur, Ghidra will inform you of what progress it made before it - failed, and the Terminal should display any error messages produced by your script.
- -For Developers: Developers may notice that debugger integration is now all done using Python 3. - We have specified a new protocol we call Trace RMI, which provides client access to Ghidra's trace databases over TCP. - It uses protobuf and is substantially simpler than the previous GADP protocol. We have provided the client implementation in - Python 3. Existing integrations can be fairly easily extended, if necessary. For example, see the support for Wine we included in our GDB plugin.
- -If you wish to integrate a completely new debugger, and it has a Python 3 API, then things are relatively straightforward, so long as - the debugger provides the events and information that Ghidra expects. Use an existing plugin as a template or reference and have fun. - If the new debugger does not have Python 3 bindings, the protobuf specification is available, so the client can be ported, if necessary.
- -IMPORTANT: To use the new Trace RMI system, you will need Python3 (3.7 to 3.12 supported) installed on your system. - Additional setup may be required for each type of debug connection. Press F1 in the debug connector's launch dialog - for more information.
- -Overall, we believe this a substantially more approachable system than our previous DebuggerObjectModel SPI used in the Recorder system.
+The Search Memory feature in Ghidra has been updated substantially to provide two new features:
+++ ++
+- The ability to perform set operations on successive searches
+- The ability to (re)scan memory for changes in value
+
Set operations, accessible from the pull-down menu under Search, allow you to augment + results by performing boolean operations on an existing search. For example, you might search for the hex pattern "DE AD" using Search, + add "BE EF" to the pattern field, and then select "A-B" to retrieve a list of byte sequences that begin with "DE AD" but do not include "DE AD BE EF". + Scanning for changes is most useful in a dynamic environment, such as the Debugger. Given an existing search, you can look for values that have changed, + increased, decreased, or remained the same. Simple examples might include looking for counters while a process is running, checking for areas of decompressed + memory, or identifying active areas of the heap.
+ +The PDB Symbol Server Search Config dialog has been changed, allowing the user to mark symbol servers as trusted or untrusted. + This is an improvement over the previous mechanism that based trust on the symbol server's connection type.
-GhidraGo is an experimental feature that adds integration support for Ghidra URL's and Ghidra Tools. GhidraGO can now process GhidraURL's that - locate folders within a project instead of only programs. For example a remote GhidraURL locating a project folder will open a read only view of - the repository in the front end tool and select the folder from the URL. If the GhidraURL refers to a folder in the currently open - active project, then the folder is selected within the active project's view instead of a read only view. -
+ATTENTION: Please either delete and re-import the default Emulator tool, or + manually remove the TraceRmiPlugin from your EmulatorTool!
+ +There are new launchers/features for the traceRMI version of dbgeng, including extended launch options, kernel debugging, and + remote process server connections.
-The PDB data type processing changes from release 11.0 have been further enhanced, simplifying the processing model and reducing the number of datatype - conflicts. The algorithm for choosing the primary symbol at an address has been improved to provide the richest possible information. The PDB Universal - Analyzer has been split into multiple analyzers so that PDB function processing can follow interim analyzers that specialize in finding code. - Lastly, the Load PDB Task has been improved to schedule appropriate follow-on analyzers that are selected in the Analysis Options.
+The Decompiler can now automatically recover strings built on the stack and initial support for optimized heap strings has been added. + Stack strings are typically found in optimized code and obfuscated malware.
-Version Tracking Session files may now be added to a shared project repository. Once a version tracking file has been checked in to a project, - it must be checked out for exclusive access. For more information, see help found in the Version Tracking's - Session Wizard help for more information.
+A new Search All action has been added which displays a table containing the results found within the current function.
-NOTE: Prior to adding a pre-existing VT Session to a shared project repository, it is highly recommended that it first be re-opened - and saved. This will upgrade the VT Session internal version to prevent its use with older versions of Ghidra which will not respect - the exclusive checkout requirement.
- -Mach-O support continues to improve, adding support for new features as well as filling in some gaps that existed for several years. - The latest dyld_shared_cache files use a new format for pointer fixups, which Ghidra now supports. A new GFileSystem has also been - implemented to import and/or extract individual Mach-O binaries from Mach-O "file sets" (i.e., kernelcache). A second new GFileSystem - has been added which can extract Apple LZFSE-compressed files. Other improvements have also been made to provide more complete markup of Mach-O load commands.
- -Initial support for binaries written in the Swift Programming Language has been added. The new support relies on the native Swift demangler being - present on the user's system. Swift is automatically bundled with XCode on macOS, and can be optionally installed on Windows and Linux. - See the "Demangler Swift" analyzer options for more information. Type information gathered from the demangled Swift symbol names is used to - create corresponding Ghidra data types. This currently works for Swift primitives and structures, but more work needs to be done to include - classes and other advanced data types. Swift-specific calling conventions are also applied to demangled Swift functions.
+Golang support for versions 1.15 and 1.16 have been added. This brings the supported Golang versions to 1.15 thru 1.22.
+ +There have been quite a few improvements to the Sparc processor specification, including additional instructions, 64-bit relocation support, and better + handling of call/return detection through tracking of the o7 link register. In addition, the calling convention for both sparc 32 and 64 bit binaries + have had an overhaul to support hidden structure return and much improved parameter allocation of floating point and general data types.
-There have been many improvements to keyboard only actions and navigation in Ghidra. These changes will be welcome for those who - prefer to use the keyboard as much as possible and those needing better accessibility. Improvements include:
--- --
-- Standard keyboard navigation should now work in most component windows and dialogs. In general, Tab and <CTRL> Tab will - move focus to the next focusable component and <SHIFT> Tab and <CTRL><SHIFT> Tab will move to the - previous focusable component. Tab and <SHIFT> Tab do not always work as some components use those keys internally, but - <CTRL> Tab, and <SHIFT><CTRL> Tab should work universally.
-- Ghidra now provides some convenient keyboard shortcut actions for transferring focus:
--
-- <CTRL> F3 - Transfers focus to the next window or dialog.
-- <CTRL><SHIFT> F3 - Transfers focus to the previous window or dialog.
-- <CTRL> J - Transfers focus to the next titled dockable component (titled windows).
-- <CTRL><SHIFT> J - Transfers focus to the previous titled dockable component.
-- All actions can now be accessed via a searchable dialog.
--
-- Pressing <CTRL> 3 will bring up the actions dialog with the local toolbar, popup and keyboard actions.
-- Pressing <CTRL> 3 a second time will add in all the global actions.
-- Pressing <CTRL> 3 a third time will add in the disabled actions as well.
-- The actions dialog was specifically designed to be easy to use without a mouse. Typing will filter the actions list and the - arrow keys allow you to select an action and enter will invoke the selected action
-
Support for the SquashFS filesystem has been added.
- -A new wildcard assembler API has been added that can generate all possible variants of an instruction with a variety of wildcards for operands. - Two new scripts, FindInstructionWithWildcard and WildSleighAssemblerInfo, demonstrate how to use the API. - For more information, see help and search for Wildcard Assembler. - -
A new Runtime Information dialog has replaced the Show VM Memory dialog. The dialog contains more information - which can aid in debugging, including version information, classpath, defined properties, environment variables, and more.
- -The GhidraDev Eclipse plugin has a new wizard for importing an existing Ghidra module source directory. This will work best with Ghidra module projects - created against Ghidra 11.1 or later.
+The Intel M16C/60/80 sleigh processor specifications have been added. In addition, there have been numerous fixes to the + ARM, RX, M68000, PIC16, PPC, and x86 processor specifications.
+ +Finding references to fields within a structure has been greatly improved. Previously many references to the field would be missed if they occurred within - functions calling external functions using the structure, or when the field was used only in local variables dynamically generated by - the decompiler.
+Actions have been added to compare functions directly from the Listing, Decompiler, or Functions Table via popup menu items. If there + is already a Function Comparison window showing, there are two actions: one to add the selected function(s) to the existing comparison, and + one to create a new Function Comparison Window. This allows a workflow where users can build up a set of functions to compare as they browse + around instead of having to select them all at once.
-Golang versions 17 thru 22 are now supported.
+For Ghidra script and plugin developers who would prefer to use Visual Studio Code, a new script VSCodeProjectScript will create a new + Visual Studio Code project that is setup to do Ghidra scripting and module development. The capabilities are similar to the Eclipse + GhidraDev plugin.
-DWARF5 debug format is now supported. In addition, DWARF line number information processing has been incorporated into the base DWARF analyzer and the - separate DWARF line number analyzer has been removed.
- +There have been major speed improvements when creating or modifying large structures within the structure editor. In general large structure manipulation + should perform fluidly no matter the size of the structure. If the structure contains a large number of defined data, there could still be some degradation in + speed. Some fixed performance issues include: resizing a structure smaller or larger, clicking on an item to select a row, and defining a data type either with keyboard actions or dragging + and dropping from the data type manager. In addition, the behavior of automatically growing the size of a structure has been made consistent. Defining data on the last element of a structure + is allowed to automatically grow the structure to fit the data type. Defining data anywhere other than the last element isn't allowed if the data type does not fit because + of defined data that would need to be cleared, or there are not enough undefined bytes.
+Numerous other new features, improvements, and bug fixes are fully listed in the ChangeHistory file.
+ +Numerous other new features, improvements, and bug fixes are fully listed in the ChangeHistory file.