Mirrors_Framework/ghidra
1
0
Fork 0
mirror of https://github.com/NationalSecurityAgency/ghidra.git synced 2026-06-02 09:44:32 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

GP-6072 Fixed thunk detection and thunk address for Position Independent Code thunks that call to load a link register that is turned into a jump.

Browse Source
This commit is contained in:
emteere
2025-11-06 18:47:35 +00:00
parent f255b37871
commit 2419b08085
4 changed files with 36 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Ghidra/Features/Base/src/main/java/ghidra/app/cmd/function/CreateThunkFunctionCmd.java
+2
View File
@@ -635,6 +635,8 @@ public class CreateThunkFunctionCmd extends BackgroundCommand<Program> {
// keep going if flow target is right below, allow only a simple branch. // keep going if flow target is right below, allow only a simple branch.
if (isLocalBranch(listing, instr, flowType)) { if (isLocalBranch(listing, instr, flowType)) {
Address[] flows = instr.getFlows();
instr = listing.getInstructionAt(flows[0]);
continue; continue;
} }
Ghidra/Features/Base/src/main/java/ghidra/app/plugin/core/function/EditThunkFunctionAction.java
+4 -2
View File
@@ -75,14 +75,16 @@ class EditThunkFunctionAction extends ProgramContextAction {
Address funcEntry = func.getEntryPoint(); Address funcEntry = func.getEntryPoint();
Function refFunc = func.getThunkedFunction(false); Function refFunc = func.getThunkedFunction(false);
Symbol refSymbol = null;
if (refFunc == null) { if (refFunc == null) {
// if not already thunked, fill in a possible value from functions instructions // if not already thunked, fill in a possible value from functions instructions
Address thunkAddr = CreateThunkFunctionCmd.getThunkedAddr(program, funcEntry, false); Address thunkAddr = CreateThunkFunctionCmd.getThunkedAddr(program, funcEntry, false);
if (thunkAddr != null) { if (thunkAddr != null) {
refFunc = functionMgr.getFunctionAt(thunkAddr); refSymbol = program.getSymbolTable().getPrimarySymbol(thunkAddr);
} }
} else {
refSymbol = refFunc.getSymbol();
} }
Symbol refSymbol = (refFunc == null ? null : refFunc.getSymbol());
// Prompt for function referenced by thunk // Prompt for function referenced by thunk
ThunkReferenceAddressDialog dialog = new ThunkReferenceAddressDialog(funcPlugin.getTool()); ThunkReferenceAddressDialog dialog = new ThunkReferenceAddressDialog(funcPlugin.getTool());
Ghidra/Processors/PowerPC/data/patterns/PPC_BE_patterns.xml
+14
View File
@@ -73,4 +73,18 @@
<funcstart after="defined" thunk="true"/> <!-- must be something define before this --> <funcstart after="defined" thunk="true"/> <!-- must be something define before this -->
</pattern> </pattern>
<pattern> <!-- .plt entry thunk -->
<data>
011111.. ...01000 0x02 0xa6 <!-- mfspr rxx, LR -->
0x42 1....... 0x00 0x05 <!-- bl +0x4 -->
011111.. ...01000 0x02 0xa6 <!-- mfspr rxx,LR -->
001111.. ........ 0x.. 0x.. <!-- addis rxx, rxx, 0xxx -->
001110.. ........ 0x.. 0x.. <!-- addi rxx, rxx, 0xxx -->
011111.. ...01000 0x03 0xa6 <!-- mtspr LR, rxx -->
011111.. ...01001 0x03 0xa6 <!-- mtspr CTR, rxx -->
0x4e 10000... 0x04 0x20 <!--bctr -->
</data>
<funcstart thunk="true"/>
</pattern>
</patternlist> </patternlist>
Ghidra/Processors/PowerPC/data/patterns/PPC_LE_patterns.xml
+14
View File
@@ -73,4 +73,18 @@
<funcstart after="defined" thunk="true"/> <!-- must be something define before this --> <funcstart after="defined" thunk="true"/> <!-- must be something define before this -->
</pattern> </pattern>
<pattern> <!-- .plt entry thunk -->
<data>
0xa6 0x02 ...01000 011111.. <!-- mfspr rxx, LR -->
0x05 0x00 1....... 0x42 <!-- bl +0x4 -->
0xa6 0x02 ...01000 011111.. <!-- mfspr rxx,LR -->
0x.. 0x.. ........ 001111.. <!-- addis rxx, rxx, 0xxx -->
0x.. 0x.. ........ 001110.. <!-- addi rxx, rxx, 0xxx -->
0xa6 0x03 ...01000 011111.. <!-- mtspr LR, rxx -->
0xa6 0x03 ...01001 011111.. <!-- mtspr CTR, rxx -->
0x20 0x04 10000... 0x4e <!--bctr -->
</data>
<funcstart thunk="true"/>
</pattern>
</patternlist> </patternlist>