Ghidra Changelog

What's new in Ghidra 11.0.3

Apr 11, 2024

Improvements:
Decompiler. Fixed v850 Decompiler treatment of global GP and TP registers as separate registers.
Languages. Added thunk patterns for use of BTI C/CJ instruction at start of AARCH64 thunk functions.
Processors. Added p0/p8 registers as prefer split to Tricore.cspec
Bugs:
Build. Corrected build problem that causes module src.zip files to be omitted from distribution when a externalGhidraExtension is present. This did not impact the current Public release since it does not include any such modules.
Decompiler. Fixed bug causing switch analysis to lay down jump tables with extra entries.
Processors. Fixed regression in Tricore calling convention for parameters and returns that are a smaller datatype than the full register size.
Scripting. Fixed NullPointerException in the RecoverClassFromRTTIScript that happened for Windows programs when a class had a hierarchy at least four levels deep, with a single inheritance chain, and with the root being a virtual class.
Version Tracking. Corrected potential Exception within address correlators that check function parameters.

New in Ghidra 11.0.2 (Mar 27, 2024)

Improvements:
Accessibility. Eliminated redundant screen-reading of text with cursor-up and cursor-down movements in the Decompiler view. (GP-4297, Issue #6177)
Debugger:GDB. Fixed an issue connecting to GDB on some builds of Windows. (GP-4392, Issue #6107)
Decompiler. The Decompiler now treats software breakpoints as indirect calls that do not take parameters and do not return. (GP-4332)
Decompiler. Improved detection of switch variables when their path crosses a call. (GP-4369)
Headless. Updated analyzer options to not create Java Swing components in headless mode. (GP-4309)
Importer:ELF. Revised ELF PowerPC relocation processing for R_PPC_ADDR16_LO and R_PPC_ADDR16_HA to address FreeBSD conventions. (GP-4397)
Multi-User. Updated Ghidra Server server.conf to facilitate specification of enabled TLS cipher suites. Enabled cipher suites have been constrained by default, consistent with RFC 9151. (GP-4330)
Multi-User. Made minor improvement to shared project performance when populating folders containing a large number of files. This was done by caching the FileID associated with each remote project file. (GP-4455)
Processors. Added support for ARM v8-M Custom Datapath Extension. (GP-1791)
Scripting. Added check to RecoverClassesFromRTTIScript to not run if there are unhandled relocations in GCC programs for the necessary RTTI symbols. (GP-4371)
Bugs:
Analysis. Fixed analysis lockup if the fall-through of an instruction is overridden to itself. (GP-4312, Issue #6179)
Analysis. Loosened MIPS jump target function-start pattern. (GP-4442, Issue #3677, #4193)
BSim. Corrected BSim command listexes --limit option processing. (GP-4362, Issue #6246)
Build. Removed unused log4j-jcl 2.16.0 jar dependency. Updated postgresql JDBC driver jar to 42.6.2. (GP-4449)
Debugger. Removed leading slash in executable path for Windows launch options. (GP-4331)
Debugger:GDB. Fixed issue parsing breakpoints with command lists, especially with Use existing session (new-ui). (GP-4368, Issue #6257)
Debugger:Listing. Auto-disassembly now ignores UNKNOWN memory (fixed regression) and re-disassembles if PC lands offcut in an existing instruction. (GP-4278)
Debugger:Recorder. Changed register-recording errors to go to log only, not popup. (GP-4305)
Decompiler. The Decompiler will now convert an indirect branch into a return operation if the branch target can be traced to the formal return address storage location. (GP-4226)
Decompiler. Fixed bug causing "Could not find op at target address" exception when applying SwitchOverride script. (GP-4314)
Decompiler. Fixed bug that could cause the Decompiler display to drop characters with a multi-byte UTF8 encoding. (GP-4360)
Function Compare. Corrected handling of thunked functions in the Compare Matching Callees action. (GP-4354, Issue #6159)
GUI. Fixed an IllegalArgumentException that occurred when trying to expand data over a selection in the Listing that spanned addresses from multiple address spaces. (GP-701)
GUI. Fixed screen reader support of tooltips by using the lower-case html tag; some readers could not process an upper-case tag. (GP-4296, Issue #6176)
GUI. Fixed Data Types tree broken Cut operation when the tree is filtered. (GP-4373, Issue #6137)
GUI. Fixed Structure Editor exception when searching with some columns removed. (GP-4426)
Headless. Fixed exception looking for extensions when running Headless Ghidra using the single Ghidra Jar mode. (GP-4294, Issue #6178)
Importer. Fixed an uncaught InvalidPathException that could occur when loading libraries during import. (GP-4326, Issue #5894)
Importer:COFF. Fixed an EOFException in the CoffLoader that could occur when parsing symbols. (GP-4344, Issue #6236)
Importer:Mach-O. The dyld_shared_cache loader no longer throws an exception when importing newer versions that use dyld_cache_slide_info5. (GP-4457)
Memory. Fixed an issue with the GUI sometimes showing incorrect file byte offsets for memory blocks that have been joined. (GP-4357)
Processors. Fixed AARCH64 instructions which could overwrite source registers during reads (ldaxp, ldnp, ldp, ldpsw, ldxp). (GP-3851, Issue #5791)
Processors. Fixed 6809 clr instruction not clearing the carry flag. (GP-3889, Issue #5838)
Processors. Fixed several ARM instructions which could potentially overwrite a source register before reading. (GP-3892, Issue #5822)
Processors. Fixed Z80 8-bit INC instructions' setting of the carry flag. (GP-4273, Issue #2247, #2277)
Processors. Improved Tricore calling conventions. (GP-4319, Issue #5757)
Processors. Corrected semantics for Tricore dextr instruction. (GP-4418, Issue #5756, #6303)
Processors. Fixed semantics of PowerPC lwax instruction. (GP-4419)
Version Tracking. Fixed broken Version Tracking tag filter. (GP-4336)
Version Tracking. Fixed MemoryAccessException in Version Tracking Data Correlator when data is partially contained in uninitialized memory. (GP-4339, Issue #6238)

New in Ghidra 11.0.1 (Jan 31, 2024)

Improvements:
BSim. The make-postgresql.sh script now uses the uname command instead of the arch command to increase system compatibility. (GP-4174, Issue #6051)
Decompiler. The Decompiler has been improved to recognize a broader class of boolean expressions when identifying and collapsing duplicate predicates. An emphasis was given to ARM executables for this change. (GP-3941, Issue #5611)
Bugs:
Analysis. Fixed IndexOutOfBoundsException when decompiling AARCH64 functions with empty structure parameters. (GP-4169, Issue #6047, #6068, #6120)
BSim. Modified bsim and bsim_ctl command line option specification to use the form --option value or --option=value instead of option=value. Also corrected some bugs associated with command processing. (GP-4173, Issue #6054)
Data. Corrected default reference creation for pointers added to byte-mapped memory blocks when a valid address can be produced. (GP-4203, Issue #6081)
Debugger:Agents. Trace RMI clients are now included in the distribution. (GP-4198)
Debugger:Listing. Fixed NullPointerException in TraceDisassembleCommand. (GP-4257)
Decompiler. Fixed rare bug that could cause the Decompiler to crash during construction of Static Single Assignment (SSA) form. (GP-4201, Issue #6034)
Function. Corrected issues related to Function custom storage transition when auto-void-return-storage is used. This situation can occur when the Rust calling convention spec-extension is used. (GP-4234)
Function Compare. Fixed bug causing an IndexOutOfBoundsException in the Decompiler Diff View panel when comparing functions. (GP-4253)
Importer:ELF. Corrected x86-64 ELF GOT allocation for object module import for R_X86_64_GOTPCRELX and R_X86_64_REX_GOTPCRELX relocations. (GP-4228)
Importer:ELF. Corrected ELF x86-64 import error affecting *.o files with the reported error "GLOBAL_OFFSET_TABLE already allocated". (GP-4265)
Importer:PE. The PE loader can now loader PE files with an OptionalHeader.Magic value of 0. (GP-4215, Issue #6093)
Processors. Fixed issues with HC05/HC08 processors including invalid registers and addressing modes. (GP-3181, Issue #4444)
Processors. Fixed issue with PowerPC VLE branch instructions not displaying the cr register used. (GP-3787, Issue #5246)
Processors. Fixed issue with PowerPC VLE load/store instructions showing incorrect index. (GP-3788, Issue #5245)
Processors. Moved several PowerPC 4xx instructions to 4xx-only processor module. (GP-3789, Issue #5243)
Processors. Corrected address calculation for HCS12 call instructions referencing the PPAGE register. (GP-4104)
Processors. Added support for the x86 MOVDIR64B instruction. (GP-4105, Issue #5997)
Processors. Corrected Loongarch CSR register list and added csr77. (GP-4163, Issue #6033)
Processors. Fixed addresses for Tricore TC176x CAN_MO registers. (GP-4204, Issue #5712)
Processors. Renamed pcodeops for x86 fbstp and fbld instructions. (GP-4249, Issue #2426)
Version Tracking. Fixed NullPointerException in Auto Version Tracking implied-match creation. (GP-4268)

New in Ghidra 11.0 (Dec 23, 2023)

Ghidra 11.0 is fully backward compatible with project data from previous releases. However, programs and data type archives which are created or modified in 11.0 will not be useable by an earlier Ghidra version.
This distribution requires JDK 17 to run, and provides Linux x86-64, Windows x86-64, and macOS x86-64 native components. If you have another platform or wish to use a newer JDK, please see the Ghidra Installation Guide for additional information.
BSim:
A major new feature called BSim has been added. BSim can find structurally similar functions in (potentially large) collections of binaries or object files. BSim is based on Ghidra's decompiler and can find matches across compilers used, architectures, and/or small changes to source code.
As you've reverse engineered software, you've likely asked the following questions:
Which libraries were statically linked into this executable, and possibly what version of the library?
Does this executable share some code with another executable that I've analyzed?
What are the differences between version 1 and version 2 of a given executable?
Does this executable share code with another executable in a large collection of binaries?
Was this function pulled from an open-source library?
BSim is intended to help with these questions (and others) by providing a way to search collections of binaries for similar, but not necessarily identical, functions.
BSim can compare functions within a binary, within a collection of binaries or object files in a project on a local system, or within a large collection of binaries utilizing a PostgreSQL or an Elasticsearch server. Using BSim locally does not require setting up a PostgreSQL or Elastic server or having administrator access.
There is a BSim tutorial that walks through use of BSim locally. Using BSim locally and the tutorial is the best way to try out BSim before deciding if you need to set up a server.
GhidraGo:
GhidraGo is an experimental feature that adds integration support for Ghidra URL's and Ghidra Tools. The main use of GhidraGo is embedding hyperlinks within web pages to pre-ingested programs within a Ghidra multi-user repository. Clicking on the hyperlink causes Ghidra to display the previously ingested program. No data other than the Ghidra URL is transferred to Ghidra, and no socket is open within Ghidra listening for commands. GhidraGo must be enabled by installing a plugin in the Ghidra project manager, and must also be configured as a protocol handler in your web browser. GhidraGo is not setup or enabled by default. For details on setting up GhidraGo, please see the included GhidraGoREADME.html or search for GhidraGo within help.
Version Tracking:
Auto Version Tracking has been sped up, made customizable, and improved to find more matches. The mechanism to identify good matches from duplicate match sets has been improved and sped up. Implied matches are now created and will be applied if the vote minimum and conflict maximum limits are met. In addition, the ability to choose which correlators are run as well as setting the options of most correlators has been added. The Auto Version Tracking script has been updated to prompt for all options in a single dialog. The script now works in headless mode and an example prescript to allow setting of options in headless mode is included.
Version Tracking can also use the new BSim function matching capability in a new correlator called the BSim Correlator. Auto Version Tracking does not use the new BSim Correlator yet.
Function Comparison Window:
The function comparison window, used by Version Tracking and BSim, has been overhauled a bit:
A help topic for Function Comparison has been added.
Token matching, scrolling to matches, and difference highlighting is much improved using an algorithm based on BSim function matching. The colors used for the token matching highlights are configurable.
From the comparison window, users can click on called functions that have corresponding matches to bring up a new function comparison window showing those functions. The action is currently not available within version tracking.
The functions can be displayed side by side vertically or horizontally.
The function signature from a function in the function comparison window can be applied to include name only, a skeleton signature, or the entire signature including all referenced data types. Applying only the skeleton function signature can be useful if there is any question of differences in the data structure composition used by the function signature between the two programs.
Scripting:
A new multi-option script dialog has been added to the scripting API that can present and get all user inputs a script needs in one dialog. The askValues() scripting method replaces the cumbersome process of prompting the user for each input separately.
Rust:
Initial support for Rust compiled binaries, mainly demangling of Rust method names and Rust in DWARF information, has been added. In addition, Rust strings are marked up so that the decompiler will display Rust strings correctly. There is more work to do, especially with mapping Rust parameter passing. Custom storage may be required in some instances.
Golang:
Golang reverse engineering within Ghidra is much improved by:
A new Golang String Analyzer which finds and marks up Golang strings so they display correctly in the decompiler
Type and interface method markup improvements
Better function parameter recovery
Using package information to organize type and symbol elements into namespaces
Using run time type information to override the types of objects that are created by calls to malloc-like built-in functions
Search for Encoded Strings:
A new action in the Search menu, Search -> For Encoded Strings..., can help find and create strings encoded in alternate character sets and alphabets. Valid strings are based on runs of bytes that would be valid in a particular character set and alphabet. There are currently no additional models for defining valid words within other languages.
Import / Export:
The CaRT file format is now supported. The CaRT format is used to store and transfer malware along with metadata about the malware in a neutered form such that it cannot be executed. It is encrypted so anti-virus software will not flag the file under analysis.
Headless importing of binaries from container files, such as .zip files, with multiple embedded files is now possible. This includes loading referenced .dll and .so files also found within the container file.
The Headless Analyzer can now recurse into supported GFileSystem container files when a recursion depth of one or more is specified on the command line.
Mach-O Improvements:
Support for the Mach-O binary file format has continued to receive updates. Improvements have been made to library linking and loading, as well as thunk creation. Additionally, dyld_shared_cache components extracted from Ghidra's DyldCacheFileSystem can now be added together on-demand with the Add To Program feature. Broken references can be automatically resolved by right-clicking on them and clicking References -> Add To Program.
PDB:
The PDB data types processing has been changed to use a resolve-as-you-go model. The change eliminates the dependency graph and reduces the memory footprint required to load all PDB types. The change allows larger PDB's to load successfully and improves the accuracy of some data types.
Overlays with Multiple Memory Blocks:
Overlay spaces now support multiple memory blocks in the same overlay. After creating the initial memory block as an overlay, the new overlay memory space will become available when adding new memory blocks. All overlay memory blocks can be manipulated in the same way as normal memory blocks. The new feature is useful when analyzing binaries meant to run on multiple processors with tasks running on each processor in their own overlapped virtual memory space such as an RTOS.
Processors:
Support for the Loongson processor architecture has been added. All known instructions should disassemble. However semantics for a large number of instructions use pseudoOp calls currently.
New Features:
Analysis. Added initial Rust support, including the handling of mangled names and calling conventions. (GP-2412)
BSim. Introduced BSim support (see docs/GhidraClass/BSim/). (GP-4009)
Calling Conventions. Added support for the Indirect result location register for ARM64 calling conventions. (GP-3938, Issue #951)
CodeBrowser. Added a right-click Copy action in the CodeBrowser's Listing that copies a Local or Shared GhidraURL to the program. The GhidraURL points to the specific address at which the cursor is located within the program. (GP-3626)
Data Types. Added Search -> For Encoded Strings... dialog that simplifies finding and creating strings with various charsets and alphabets. (GP-2628, Issue #1582, #2106)
Debugger:Breakpoints. Added breakpoint indicators to Function Graph when active in Debugger. (GP-2737, Issue #5532)
Debugger:dbgeng.dll. Implemented Trace RMI connector/plugin for the dbgeng.dll. (GP-3754)
Debugger:dbgeng.dll. Introduced Trace RMI launch script for dbgeng.dll. (GP-3823)
Debugger:GDB. Introduced launchers for Debugger targets using new Trace RMI framework. Introduced Trace RMI launch script for GDB. (GP-3818)
Debugger:Targets. API: Added Target interface to abstract TraceRecorder and TraceRmi. (GP-2740)
Debugger:Targets. Created Connections panel for Trace RMI. (GP-3836)
FileSystems. Added a GFileSystem supporting the CaRT file format. (GP-3748, Issue #5568)
GhidraGo. Implemented GhidraGo, an experimental feature that, when enabled, causes Ghidra to listen for GhidraURLs. The only supported GhidraURLs for GhidraGo currently link to a Ghidra DomainFile handled by the CodeBrowser. The readme for GhidraGo includes instructions on setting up a protocol handler for GhidraURLs. GhidraGo will open Ghidra if a Ghidra is not already running, but Ghidra must be configured to listen (i.e., it has the GhidraGo plugin enabled). (GP-2774)
GUI. Added Select -> Create Table From Ranges action to create a table based on the address ranges in a selection. (GP-2297)
GUI. Added a new GTree filter setting that allows users to filter on the node's path. (GP-2419)
Importer:Mach-O. dyld_shared_cache components extracted from Ghidra's DyldCacheFileSystem can now be added together on-demand with the Add To Program feature. Broken references can be automatically resolved by right-clicking on them and clicking References -> Add To Program. (GP-3753, Issue #5023)
Processors. Added support for the Loongson processor architecture. (GP-3211, Issue #5083)
Version Tracking. Added a new Version Tracking correlator based on BSim function similarity. (GP-4076)
Improvements:
Analysis. Golang improvements: Added the Golang String Analyzer that finds and marks up Golang strings. Improved Golang type and interface method markup. Improved Golang function parameter recovery. Using Golang package information to organize Golang type and symbol elements into namespaces. Using Golang run time type information to override the types of objects that are created by calls to malloc-like built-in functions. (GP-2109)
Analysis. Made minor fixes to ARM aggressive instruction finder for stack trace and speed improvement. (GP-3855)
API. Added a program caching system for use by clients that want to open programs, do some work, and then close them without them appearing in the tool. Prior to this, all programs that were opened were kept open by the tool until the user manually closed them. (GP-3979)
API. Updated ApplyFunctionSignatureCmd and FunctionUtility.updateFunction to optionally allow all applied composites to be cleaned (i.e., force to not-yet-defined state) before being applied. In addition, a datatype conflict handler may now be specified which can control how conflicts of applied datatypes should be handled. (GP-4051)
Basic Infrastructure. Upgraded to FlatLaf 3.2.1. (GP-3645, Issue #5539)
Basic Infrastructure. Upgraded Guava to 32.1.3. (GP-4053)
Build. The Ghidra Software Bill of Materials (SBOM) now includes entries for Ghidra's module jars. Jar descriptions are also now provided when available. (GP-3824, Issue #5513)
CodeCompare. The Decompiler Diff View now supports searching via Ctrl-F. (GP-4000)
CodeCompare. Fixed Function Comparison Window to not initially show the same function in both windows. (GP-4005)
Debugger. Introduced a plugin/service that supports proper Terminal Emulation (in contrast to the current Interpreter Panel plugin). (GP-1977)
Debugger. Added process name to Objects display. (GP-3895, Issue #5817)
Debugger. Added console display for exceptions. (GP-3896, Issue #5817)
Debugger:Emulator. Fixed issue starting the Emulator when the PC is in an overlay space. (GP-3904)
Debugger:GDB. Changed Trace RMI plugin for GDB to better obtain module base addresses. (GP-3725)
Debugger:Registers. Go-To actions from Registers panel now honor Force Full View setting from Regions panel. (GP-3886, Issue #5817)
Decompiler. Tokens labeling switch case values in the Decompiler window now support navigation and hovering and can be used to rename or retype the switch variable. (GP-3680, Issue #5286)
Decompiler. Added toggle buttons to quickly change the Eliminate unreachable code and Respect readonly flags Decompiler settings. These settings are local to the Decompiler view and will not persist in the tool. (GP-3919)
Decompiler. Added formatting options for braces, { and }, in Decompiler output. (GP-3965, Issue #1240, #1937, #1938, #4914, #81)
Demangler. Updated the GNU Demangler binary used by Ghidra to version 2.41. (GP-3577)
Demangler. Revised signature source type applied by GNU demanglers to ANALYSIS instead of IMPORTED. (GP-4139)
Exporter. The C/C++ exporter now includes equate definitions if data types are being emitted. (GP-3010, Issue #4878)
Extensions. Added a classpath isolation option for Extensions (settable in launch.properties). (GP-3623)
FileSystems. The dyld_shared_cache filesystem can now extract files for stubs and standalone data. (GP-3860)
GUI. Updated the tool windows to remember when they are fully maximized. (GP-2840, Issue #293, #3788)
GUI. Updated data type tooltips and previews to show size in hex as well as decimal. (GP-3763, Issue #5682)
GUI. Added Collapse and Expand actions to trees. (GP-3812, Issue #5731)
GUI. Added askValues() method to GhidraScripts which allows the script to show a dialog for entering multiple values with a single dialog. (GP-3924)
GUI. Fixed issue with program graph issuing location events in response to receiving location events. (GP-4021)
Importer. Improved library-import log messages. (GP-3910)
Importer:ELF. Completed additional changes to ELF Header code to eliminate unsupported mutability. (GP-3620)
Importer:Mach-O. When loading System Libraries From Disk on macOS, the dyld_shared_cache will be searched for in more default locations. (GP-3909)
Importer:Mach-O. The MachoLoader now uses binding information (if present) to associate libraries with imported symbol name without the need for those libraries to be already present/loaded in the project. (GP-3912)
Importer:Mach-O. The MachoLoader can now load binaries with obfuscated segment and section names. (GP-3926, Issue #3876)
Languages. Removed use of PC as having a valid value in SuperH and M68000. (GP-4049, Issue #5891)
Listing. Added options for disabling various EOL Auto-Comments. (GP-3531)
Listing. Corrected operand markup of offcut instruction references which failed to respect the Display Namespace operand field option. (GP-3985, Issue #5886)
Memory. Updated overlay address space support to allow multiple memory blocks to reside within a single overlay space. (GP-3903)
PDB. Changed the PDB data types processing to use a resolve-as-you-go model, eliminating the dependency graph and the need for holding onto the PDB types within the processing model. The benefits of this change are being made available by other improvements. In addition, changes have been made to improve the accuracy of some data types. (GP-3715)
PDB. In order to reduce memory consumption, modified PdbReader to load certain components and data structures only when needed and provided some iterators to consumers such as PDB Universal Analyzer. (GP-3995)
Processors. Added language module for the Tensilica Xtensa processor. (GP-1062, Issue #1407, #5442)
SARIF. Added support for SARIF data export/import. (GP-3832)
Version Tracking. Updated AutoVersionTrackingScript to create implied matches if option is chosen by the user. (GP-3765)
Version Tracking. Improved and sped up the AutoVersionTracking algorithm to determine and apply good matches from the possible matches returned from the DuplicateFunctionMatchCorrelator. (GP-3854, Issue #5857)
Version Tracking. Added numerous options to Auto Version Tracking that can change which correlators are used and control their individual options. (GP-3934)
Version Tracking. Auto Version Tracking now applies implied matches if the minimum number of votes and maximum number of conflicts conditions are met, as determined by the chosen options. (GP-3953)
Version Tracking. Updated Auto Version Tracking to check related associations for already-accepted matches before accepting new matches. (GP-4008, Issue #4875)
Version Tracking. Improved default Version Tracking session name generated by new session wizard. (GP-4091)
Bugs:
Analysis. Fixed StackOverflowError encountered when processing self-referencing Golang slices. (GP-3906, Issue #5847)
Analysis. Fixed function body computation for functions with instructions that branch into delay slots; for example, the Fujitsu FR processor. This affects both function creation and the computation of an Undefined Function for the Decompiler when no function is currently defined. (GP-3962, Issue #5866)
Analysis. Fixed evaluator check before using it in constant analysis. (GP-3970)
Build. Fixed nodepJar task dependencies for Gradle 8. (GP-3977, Issue #5902)
Data Types. Corrected self-referencing data type resolution issue for function definitions which could result in datatype errors. (GP-4078, Issue #5927)
Debugger. Fixed when Control Target can be selected. (GP-4099)
Debugger:Agents. Fixed GADP agent launch scripts to pass arguments through. (GP-4132, Issue #6016)
Debugger:dbgeng.dll. Fixed an error that resulted in quotes being stripped from command-line arguments for dbgeng/dbgmodel. (GP-3846, Issue #5789)
Debugger:dbgeng.dll. Created better updating strategy for dbgeng/model memory. (GP-3899, Issue #5817)
Debugger:Emulator. Fixed issue with resuming after performing p-code steps in the Emulator. (GP-3706)
Debugger:GDB. Made fixes in preparation for changes coming in gdb-14. (GP-3690)
Debugger:GDB. Fixed line ending for Cygwin GDB. (GP-3825, Issue #5755)
Debugger:Objects. Fixed Elements table in Model provider to display array contents. (GP-3932)
Debugger:Registers. Fixed copied values from Registers panel to conform to display settings. (GP-3874, Issue #5820)
Decompiler. Fixed bug in conditional constant propagation that could affect switch recovery. (GP-3840, Issue #5514)
Decompiler. Fixed improper rendering of expressions involving pointer-to-array data-types in Decompiler output. (GP-3842, Issue #5591)
Decompiler. Fixed bug causing "Could not finish collapsing block structure" exceptions. (GP-3911)
Decompiler. Fixed "<unionfacetsymbol> does not have a union type" exception caused by deleting a union data-type. (GP-3942, Issue #5636)
Decompiler. Fixed bug in the brace-highlighting action for the Decompiler window that could cause it not to be able to find matching braces. (GP-3945, Issue #5643)
Decompiler. Fixed bug in Decompiler that could cause crashes when analyzing NaN operations. (GP-3981)
Decompiler. Fixed a bug that causes the Decompiler to fail on some systems with a "Datatype must have a valid id" exception. (GP-4020)
Decompiler. Fixed an infinite loop in the Decompiler caused by small parameters getting passed to subfunctions via larger registers containing stale values in their upper bytes. (GP-4102, Issue #5934)
Decompiler. Fixed a bug that could cause the Decompiler to crash when printing pieces of a dynamic symbol. (GP-4119, Issue #6005)
Demangler. Fixed GNU Demangler analysis live-lock issue. (GP-4071, Issue #5987)
Documentation. Fixed field constraint example in the Sleigh documentation. (GP-4046, Issue #5933)
Eclipse Integration. Ghidra can now launch Eclipse Ubuntu snap installations from the Script Manager. (GP-3473)
Eclipse Integration. The GhidraDev Eclipse plugin now prevents unsupported versions of PyDev from being used. Supported versions are 6.3.1 - 9.3.0. PyDev 10.0 and later no longer support Python 2. (GP-4062, Issue #5980)
Eclipse Integration. The GhidraDev Eclipse plugin no longer throws an IOException when performing a Link Ghidra action on a Ghidra project whose original Ghidra installation moved. (GP-4063, Issue #5981)
Exporter. Proper C-syntax is now used on structs exported to a header file when they contain a pointer to an array field. (GP-3608, Issue #5248)
GUI. Fixed the Data Types Exact Match filter to not include the archive name. (GP-3764, Issue #5685)
GUI. Updated GTableHeaderRenderer to fix an incorrect cast to Component. (GP-3819, Issue #5539)
GUI. Fixed bug in the Find Dialog that caused incorrect text to be selected when pressing Enter for a previous match. (GP-3856)
GUI. Fixed JTextArea not responding to theme font changes. (GP-3908)
GUI. Fixed incorrect Version Tracking foreground color in the Markup Items Table. (GP-3933, Issue #5865)
GUI. Updated how the tool saves window size information to allow better toggling between full-screen modes. (GP-3958, Issue #5879, #5890)
GUI. Fixed the Listing's Auto Comment color for the CDE/Motif theme. (GP-3959, Issue #5903)
GUI. Fixed Structure Editor bugs. Also updated the search to use the default field name as part of the search-matching. (GP-3967, Issue #5715)
GUI. Fixed an issue in the Function Editor dialog that caused incorrect parameter values to be assigned when cancelling an edit. (GP-4041)
GUI. Updated the Note Bookmark dialog to allow users to press Enter to close the dialog when the Category field is focused. (GP-4048, Issue #5962)
GUI. Fixed an issue that caused importing a file via drag-and-drop to silently fail on some Linux distributions. (GP-4066)
GUI. Fixed an IndexOutOfBoundsException that sometimes occurred while adding new entries to the Bundle Manager table or while opening a CodeBrowser tool that included an open Bundle Manager window. (GP-4075, Issue #5956)
Headless. The Headless Analyzer can now recurse into supported GFileSystem container files when a recursion depth of one or more is specified on the command line. (GP-3273, Issue #5167)
Importer. Importing libraries that are referenced by absolute path (such as with Mach-O) now get saved to the project with their folder structure intact. This fixes a potential DuplicateKeyException that could occur when using a Recursive Library Load Depth greater than 1, and removes any ambiguity that could occur when linking a program to its libraries. (GP-3922)
Importer. Fixed an uncaught InvalidPathException that could occur when loading libraries during import. (GP-4050, Issue #5894)
Importer:ELF. Corrected ELF object module GOT allocation for x86-64 object modules during relocation processing. (GP-4118, Issue #5961)
Importer:Mach-O. The MachoLoader now creates thunks on stubs. (GP-3248, Issue #3146)
Importer:PE. Fixed an exception that could sometimes occur when parsing PE files containing debug line number information. (GP-3963, Issue #5899)
Languages. Corrected MIPS pcode for di and ei instructions. (GP-3875)
Languages. Corrected stack pointer update in alloca_probe x64 windows callfixup. (GP-3915, Issue #5844)
Languages. Updated x86 register addressing for ST and MM registers to achieve proper overlap. The upper 16-bits of the ST registers still remain unaffected by MMX instructions which write to the MM registers. (GP-3956)
Multi-User. Corrected potential NullPointerException in Ghidra Server command proceesor. (GP-4056, Issue #5974)
PDB. Fixed memory performance issue created in 10.4. (GP-3890)
Processors. Implemented x86 FINTRZ instruction. (GP-3387, Issue #5205)
Processors. Corrected x86 POP instructions with operands that use the stack pointer. (GP-3677, Issue #4282)
Processors. Fixed missing ARM cbz instruction in the manual index file. (GP-3724)
Processors. Added test-register support back into the x86 processor module. (GP-3784, Issue #5662)
Processors. Fixed issue with 6x09 processor module STU instruction storing the X register instead of the U register. (GP-3786, Issue #5671)
Processors. Added ELF relocation support to Loongarch processor module (GP-3804)
Processors. Replaced or implemented count-leading-zeroes and count-leading-ones instructions with proper pcode operator in several languages. (GP-3879, Issue #5790)
Processors. Changed MIPS TEQ zero, zero into a trap, always-goto flow. (GP-3948)
Processors. Several fixes for some PowerPC VLE instructions (GP-3999, Issue #2843)
Processors. Added the x86 MMX register MXCSR to the compiler global list so that manipulations persist in the decompiled output. (GP-4018)
Processors. Fixed RISC-V custom-0 instruction patterns. (GP-4047, Issue #5932)
Processors. Fixed PIC24 DOEND register offset (GP-4054, Issue #5213)
Processors. Minor fix for the AVR8 DES instruction semantics. (GP-4055, Issue #5235)
Project. Corrected issue with ProjectLocator when using projects located in root directory. (GP-3914, Issue #5802)
Scripting. FixOldSTVariableStorageScript.java Ghidra script has been made available for users to run against x86 Programs created prior to Ghidra 10.0.3. This script will fixup ST0... ST7 variable storage addresses which were not properly migrated during an x86 language revision. (GP-3949, Issue #5640)
Search. Fixed incorrect template implementation of GenericByteSequencePattern. (GP-4024)
Sleigh. Fixed a bug in the Sleigh compiler preventing the declaration of bit-range symbols when their size was not a multiple of 8 bits. (GP-8, Issue #1144, #660)
Sleigh. Added pure 32-bit PowerPC e500mc processor variant (GP-3068)
Sleigh. Fixed stacktrace when a pcode pseudoOp has more than eight parameters. (GP-3986)
Version Tracking. Fixed Version Tracking Undo issue where running a correlator and accepting matches then undoing the results and then rerunning the correlator resulted in incorrectly blocked matches. (GP-3827)
Version Tracking. Fixed bug in Version Tracking matches table that prevented saved filters from being applied. (GP-3901)

New in Ghidra 10.4 (Sep 29, 2023)

New Features:
Analysis. Swift Type Metadata is now marked up. (GP-2085)
FileSystems. Added cramfs support. (GP-3328)
FileSystems. The File System Browser now supports the Add To Program action. (GP-3730)
Importer. Created parsers and analyzers for Device Tree Blob (DTB) and Flattened Device Tree (FDT) binaries. (GP-1436)
Listing. Added ability to reduce an instructions length to facilitate overlapping instructions. This can now be accomplished by specifying an instruction length override on the first instruction and disassembling the bytes which follow it. The need for this has been observed with x86 where there may be a flow around a LOCK prefix byte. (GP-3256)
Improvements:
Analysis. Added support for Golang 1.17 binaries. (GP-3288)
Analysis. Added call fixups for GCC's spectre-mitigating thunks in x86 and x64. (GP-3320, Issue #299)
Analysis. Added support for Golang 1.19 and 1.20. (GP-3504)
Analysis. Developed additional ARM function start/end patterns. (GP-3805)
Analysis. Fixed PPC Analyzer to create the correct size undefined data type for a read/write reference. (GP-3845, Issue #5425)
API. Undo/Redo now show lists of transactions that can be undone or redone. (GP-3521)
Build. Fixed the buildHelp gradle task to correctly check for up-to-date inputs. (GP-3430)
Data Types. Added ability to establish source archive association when non-sourced data type dependencies get copied into an archive during a commit operation. (GP-3796, Issue #5675)
Debugger. Fixed Copy Into New Program action to use Dynamic Listing for its default context. This means the Dynamic Listing does not have to have focus for those actions to be enabled. (GP-1528)
Debugger:Modules. Changed mapper to use proper local ghidra:// URLs. No more "!" in them. (GP-3695)
Debugger:Trace. Removed the TraceFunction part of the Trace API. (GP-3351)
Decompiler. Removed the limitation preventing the Decompiler from analyzing functions where the this parameter refers to a placeholder class structure. (GP-3590, Issue #5403, #5475)
Decompiler. Added Decompiler support for return value storage at an explicit stack offset relative to the callee's stack pointer. (GP-3613, Issue #1962)
Decompiler. Added a callfixup for __RTC_CheckEsp in x86win.cspec and updated GraphASTScript.java. (GP-3752, Issue #5657)
FileSystems. Libraries extracted from the dyld_shared_cache filesystem now have chained fixups applied. (GP-1574)
FileSystems. Libraries extracted from the dyld_shared_cache filesystem now contain an optimized __LINKEDIT segment, resulting in a significantly smaller binary. (GP-3587, Issue #4175)
FileSystems. Libraries extracted from the dyld_shared_cache filesystem now contain local symbol information, which reduces the occurrence of <redacted> primary symbols. (GP-3728)
GUI. Added accessibility support to the FieldPanel component, which is the base component for the Listing, Byte Viewer, and Decompiler. (GP-2129)
GUI. Simplified the Listing's Plate Field word wrapping. (GP-3425, Issue #5299)
GUI. Added the Address w/ Offset Copy Special action. (GP-3515, Issue #5364)
GUI. Added a filter for the Memory Map provider table. (GP-3755)
Importer:ELF. Added support for ELF R_AARCH64_MOVW_UABS_Gn relocations. (GP-3435, Issue #3545, #3546, #5292)
Importer:Mach-O. Libraries can now be loaded from both local directories and GFileSystems. This enables loading, for example, Mach-O libraries directly from within the dyld_shared_cache file(s). (GP-2277, Issue #4162)
Importer:Mach-O. Improved markup for Mach-O load command data. (GP-3565)
Importer:Mach-O. Added more options to the DyldCacheLoader so its performance can be better controlled by the user. (GP-3566)
Importer:Mach-O. The MachoLoader now supports threaded binding (BIND_OPCODE_THREADED). (GP-3701, Issue #5558)
Languages. Updating the PowerPC index to reference the latest manuals. (GP-3296)
PDB. Improved disassembly and function creation in presence of non-returning functions. (GP-3604)
Processors. Added instruction manual indices for ColdFire instructions. (GP-3327)
Processors. Addressed unnecessary x86 LOAD ops preventing certain decompiler transformations. (GP-3822, Issue #5433)
Scripting. Updated RecoverClassesFromRTTIScript to improve class structure creation for GCC programs. (GP-3464, Issue #5642)
Scripting. Updated RecoverClassesFromRTTIScript to make sure all class thiscall functions are using the class structure created by the script. (GP-3777)
Sleigh. Replaced implementations of _fxsave and _fxsave64 with defined p-code ops in ia.sinc. (GP-3733, Issue #5208)
Version Tracking. Changed Auto Version Tracking duplicate function match to not process overly large duplicate match sets that can be extremely time-consuming. (GP-3527)
Bugs:
Analysis. Changed function body creation when functions overlap to favor contiguous functions. Previously, overlapping functions bodies were arbitrary based on order of creation. (GP-2823)
Analysis. Allow values that have the low bit set to be pointers if they are at the top of a function on ARM and MIPS. (GP-3766)
API. Added Function body restrictions to ensure it is contained within a single address space. (GP-567, Issue #2577, #5051)
API. Fixed issue where front end plugins were not having their dispose methods called when exiting Ghidra (GP-3343)
Data Types. Fixed alignment of 8-byte datatypes for 32-bit Windows data organization. (GP-3449)
Data Types. Eliminated use of data type aligned-length when adding components to a non-packed structure. This should allow arbitrary component placement when packing is disabled. (GP-3726, Issue #5602)
Data Types. Corrected problem with the decode of subnormal floating point values. (GP-3775, Issue #5647)
Decompiler. The Decompiler no longer automatically simplifies away code performing NaN tests. (GP-3019, Issue #4588)
Decompiler. Fixed a bug in the Decompiler where assignments to local variables on the stack could be incorrectly reordered before calls. (GP-3429, Issue #5237)
Decompiler. Fixed variable merging bug in the Decompiler that could cause "Unable to merge address forced indirect" exceptions. (GP-3682, Issue #5588)
Decompiler. Fixed bug causing segmentation faults in the Decompiler triggered by Golang binaries. (GP-3783)
Demangler. Fixed minor GNU Demangler parsing bug that caused && to get added to function pointers. (GP-3650)
Eclipse Integration. Exporting a Ghidra Module Extension with the GhidraDev Eclipse plugin produces an intermediate build directory within the project. This build directory now gets automatically cleaned up to avoid Ghidra runtime/debugging issues. (GP-3523, Issue #5327)
Eclipse Integration. The Ghidra Front-End GUI now prevents installation of extension source (unbuilt) directories. (GP-3852)
Framework. Fixed issue preventing Enum Editor actions from appearing in the Key Bindings options. (GP-3708, Issue #5638, #5639)
Graphing. Changed graph DOT exporter to rename our Name attribute to a label attribute, which is what DOT graphs use for display. Also, cleaned up vertex label display when in compact mode and added the vertex id in the tooltip. (GP-3779, Issue #5678)
GUI. The Comments dialog now uses the selected comment text when adding a new annotation. (GP-3560, Issue #5439)
Importer. User can now correctly Add To Program with Microsoft Module-definition (.def) files. Several parsing bugs with this file format were also fixed. (GP-3826, Issue #5676)
Importer:ELF. Made significant improvements to ELF RISCV relocation support. (GP-3707, Issue #3816)
Importer:ELF. Corrected ELF R_RISCV_RVC_BRANCH relocation processing. (GP-3792, Issue #5701)
Importer:ELF. Updated ELF Loader to convert non-displayable ASCII symbol name characters to ASCII Control Characters (e.g., ^A) instead of discarding symbol with an error. Import log will report use of modified name when this occurs. (GP-3793, Issue #5619)
Importer:Mach-O. Improved support for loading Apple watchOS binaries. (GP-3630)
Misc. Fixed bug in table sorting where data could be corrupted if the sort was cancelled before it completed. (GP-3685)
Processors. Fixed issue with M68000 reading from memory multiple times per instruction. (GP-3219, Issue #2492)
Processors. Fixed mnemonic for PowerPC VLE e_sthu instruction. (GP-3434, Issue #5247)
ProgramDB. Data may now be created in a Byte-Mapped Memory Block using a Dynamic datatype. This was previously disallowed due to an ambiguous initialized-memory check. (GP-3208)
Project. Changed project data store close/dispose behavior to resolve issues with open programs getting disconnected by closing of associated project store. Changed GhidraScript.askProgram to always require proper use of Program.release(Object consumer) by scripts which use it. Script's failure to release a program will prevent proper resource disposal. (GP-3697)
Scripting. Fixed ShowConstUse script back-tracking through MultiEqual pcode operations to handle multiple inputs to the same location. (GP-3503, Issue #5242)
Search. Fixed findBytes() to honor the search limit when used regular expressions. (GP-3797, Issue #5672)

New in Ghidra 10.3.3 (Aug 30, 2023)

The not-so-fine print: Please Read!
Ghidra 10.3 is fully backward compatible with project data from previous releases. However, programs and data type archives which are created or modified in 10.3 will not be useable by an earlier Ghidra version.
This release includes many new features and capabilities, performance improvements, quite a few bug fixes, and many pull-request contributions. Thanks to all those who have contributed their time, thoughts, and code. The Ghidra user community thanks you too!
IMPORTANT: Ghidra requires Java 17 JDK to run. A newer version of Java may be acceptable but has not been fully tested. Please see the Ghidra Installation Guide for additional information.
NOTE: Please note that any programs imported with a Ghidra beta versions or code built directly from source outside of a release tag may not be compatible and may have flaws that won't be corrected by using this new release. Any programs analyzed from a beta or other local master source build should be considered experimental and re-imported and analyzed with a release version. As an example, Ghidra 10.1 beta had an import flaw affecting symbol demangling that was not correctable. Programs imported with previous release versions should upgrade correctly through various automatic upgrade mechanisms. Any program you will continue to reverse engineer should be imported fresh with a release version or a build you trust with the latest code fixes.
NOTE: Ghidra Server: The Ghidra 10.3 server is compatible with Ghidra 9.2 and later Ghidra clients. Ghidra 10.3 clients are compatible with all 10.x and 9.x servers. Although, due to potential Java version differences, it is recommended that Ghidra Server installations older than 10.2 be upgraded. Those using 10.2 and newer should not need a server upgrade.
NOTE: Platform-specific native executables can be built directly from a release distribution. The distribution currently provides Linux 64-bit, Windows 64-bit, and MacOS x86 binaries. If you have another platform, for example a MacOS M1 based system or a Linux variant, the support/buildNatives script can build the Decompiler, demangler, and legacy PDB executables for your plaform. Please see "Building Ghidra Native Components" section in the the Ghidra Installation Guide for additional information.
Dark Mode / Theming:
Ghidra now supports UI theming, which allows for full customization of colors, fonts, and icons used consistently throughout the application. Ghidra themes are built on top of the various Java Look and Feel classes. Included are standard themes for all the supported Look and Feels. The most notable is the Flat Dark theme, which is built using the FlatLaf, a modern open-source flat Look and Feel library. Additionally, Ghidra includes various tools for editing and creating custom themes.
Also, all the main display windows (Listing, Decompiler, and Bytes Viewer) support quickly changing the font size via <Ctrl>+ or <Ctrl>-.
See the Ghidra Help pages for full details on the theming feature.
Debugger:
Perhaps the most exciting debugger change is the addition of new training course materials for the Debugger. The materials are written in Markdown so they display right on GitHub, but they can also be rendered to nice HTML pages by Pandoc for offline viewing. They are suitable both for self-paced learning and classroom environments. Even if you have used our Debugger before, we highly recommend reading these materials. They are in the docs/GhidraClass directory with the other course materials.
There are several changes to improve the user experience with the Emulator:
There is a dedicated Emulator tool. Previously, it was not apparent an Emulator GUI even existed in the Debugger tool. Most only accessed it via scripting. The Emulator tool is the same as the Debugger tool, but without the back-end debugger management plugins. This both showcases the Emulator and makes it safer to access, e.g., when examining malware. The launch buttons are removed, nearly eliminating the risk of accidental detonation.
The control actions (step, suspend, resume, etc.) have been moved to the main toolbar. When toggled to control the emulator, it is now possible to emulate to the next breakpoint. Before, it was only possible to step. If you were savvy, you could use the Go To Time action to run many steps, but you had to predict precisely how many steps. These controls present the Emulator as a more traditional trap-and-trace debugger and retain support for time travel.
Breakpoints are now applied to the Emulator. They also support injecting custom Sleigh semantics into the Emulator. This makes it possible, e.g., to stub out external function calls. Breakpoints are now displayed in the Decompiler margin, too.
Regarding uninitialized/undefined memory, the Emulator will still treat undefined bytes as zeros. When decoding an instruction; however, it will now interrupt if when encounters undefined bytes. Previously, it would just decode them as if zeros, which was never useful.
Nascent support for stack unwinding has been added. Up to now, we have relied on the back-end debugger to unwind the stack, which ruled out displaying accurate stack frames during emulation. There is still more work for full UI integration, but you can unwind a stack (whether on target or emulated) using the Debugger -> Analysis menu and view the results by navigating the Dynamic Listing to stack space. Please understand it may not work in most situations, yet.
Several miscellaneous actions have been added: To invalidate the Emulator cache, use the Debugger -> Configure Emulator menu. Use this whenever the Emulator seems to be ignoring configuration changes, especially when modifying custom Sleigh breakpoints. To display all bytes (not just changed ones) in the Dynamic Listing, choose Load Bytes from Emulator in the Auto-Read drop-down. To manually add or remove memory regions, e.g., to create and initialize a heap for emulation, use the new actions in the Regions window
There are several Debugger UI improvements:
The control actions are duplicated in the main toolbar. Previously, these were only in the Objects window. (They remain there for back-end connector/model development, troubleshooting, and diagnostics.) The actions in the main toolbar can be toggled to control a live target or the Emulator. The Emulator stepping actions have been removed from the Threads panel. (They never really made sense there.) Toggling these actions to the Emulator effectively forks an emulator from the target's live state, i.e., for extrapolation, just as the old emulator stepping actions did.
The current program counter is now displayed in the top right corner of the Dynamic Listing (or whatever the listing is configured to track). It will display in red if the address cannot be shown in the listing, e.g., because it is not mapped in memory. This provides better feedback when the listings seem to be out of sync.
GDB's advance command has been added to the Listing context menus as well as the equivalent actions for other debuggers. (More generally, any command provided by a back-end connector that takes a single address parameter is presented in context menus where an address is available.)
The Go To dialog in the Dynamic Listing can now take simple addresses in hexadecimal. Previously, it only took Sleigh expressions, which are powerful, but made the common case too complicated. It still accepts Sleigh expressions, and those expressions can now refer to labels (symbols) from any mapped program database (static image).
A new kind of hover has been added for displayed variables. If there is a debugger target (live or emulated) mapped to the current program, the hover will display the variable's current value. This applies to Listings and the Decompiler window.
You can now select a different thread, frame, or snapshot without activating it. Single-click to select. Double-click to activate.
There are a few small improvements to back-end debugger integration:
You can now set the working directory when launching a Windows target.
GADP agents now accept a single connection and automatically terminate when Ghidra disconnects.
Launch scripts have been added for starting a GADP agent from the command line.
There is now a script to build the Java bindings needed for the LLDB connector.
Decompiler:
Support has been added for expanding assignment statements on structures or arrays, where multiple fields or elements are moved as a group by a single instruction. This is especially helpful for analyzing structure initialization code and stack strings.
Support continues to improve for structures that are either stored across multiple registers or in a single register that is accessed in pieces. Data types associated with the component fields are propagated more fully throughout the function, and assignments to fields are displayed simply.
Data Types:
Data Type Archives may now optionally target a specific architecture as specified by a processor and associated compiler specification such as data organization. This has the advantage of better conveying datatype details for a desired architecture and preserving aspects which may change when resolved into a program. In the future, this will also allow function definitions to retain architecture-specific details.
Function definition data types have been improved to preserve calling convention names which may differ from the predefined generic calling convention names to include those which may have originated from an extended compiler specification. In addition, function definitions now support the noreturn attribute.
Enum handling has been improved in the data type manager when creating new enums from an existing set of enum values, for example define_ enums parsed from header files. Enum values will be automatically sized to fit all the values contained in the enum. Setting the size of an Enum will check if the values will fit within the new size. In addition, define_ values created as enums with a single value are sized to the minimum size to fit the value. Parsed enums from header files are sized based on the declared size of an int from the data organization used to parse. A future version will have a setting to size all parsed enums to the smallest size that will fit all the values.
C Header File Parsing:
The C-Parser GUI has been refactored to remove include paths from the Options section done as -D define lines, to a new Include section. This should make it easier to configure paths to the include files and has the added benefit of coloring the include file entries red if they are not found within any include path. You may find creating and using a Ghidra Script instead of the GUI an easier repeatable process. There are several included examples scripts, including ones to parse AVR8 header files, and Visual Studio version 22 files.
All supplied data type archive GDT files, except macOS, have been re-parsed to include the new processor architecture.
Mach-O Binary Import:
Mach-O binary analysis continues to improve. Support has been added for new file formats introduced in iOS 16 and macOS 13. Improvements have also been made to function identification, symbol detection, and Objective-C support.
Analysis:
New ApplyDataArchives analyzer settings enable use of locally created GDT data type archive files or project archives in the analysis pipeline. Used in conjunction with analysis options settings saved to a named analysis configuration you can easily switch to using a new GDT file and associated analysis options for a given type of binary. For example, if you are working with AVR8 binaries and have an associated AVR8.gdt file, create an AVR8 configuration and it will be used as the default analysis options configuration until you change to a new configuration.
Constant Propagation now deals with constants passed as stack parameters. In addition, there are several new settings which can better control when a constant is considered to be an address. For example, processors with small memory spaces, the setting Require pointer param data type, will only create a reference if the parameter is declared with a data type that would be a pointer. This can be useful for Harvard architectures with multiple address spaces used in conjunction with the PointerTypedef to specify the address space of the pointer. Currently, once you change the parameter of a called function to be a pointer, you will need to re-run analysis to get the constants passed to the function to be turned into a reference. This will be automated in the near future.
By default, pointer-to-pointer analysis is turned off for ARM binaries in the Operand and Data Reference analyzers. This can result in fewer references created and can be turned back on if your ARM binaries use pointers data stored in memory instead of offset values from the current PC to calculate all references.
Added support for PE MinGW pseudo-relocation processing.
Shared Projects:
Folder and file links to contents of another shared project repository may now be added to a Ghidra Project. This could allow a team to include a program or subfolder that resides in another project rather than copying the program into your project for easy access. The linked files are opened for read-only viewing.
Processors:
Improvements and bug fixes have been made to many processors since 10.2 to include: AARCH64, ARM, Coldfire, HCS12 MIPS X86, PowerPC, RISCV SPARC, SuperH, TriCore, V850, Z80, 6x09, 68K, and 8051.
Two new user-submitted processors, eBPF and BPF, add support for two variants of Berkeley Packet Filter binaries.
A user-submitted refactoring of X86 LOCK/UNLOCK decoding and semantics has been committed. There are currently some issues with the Decompiler re-arranging code outside of the LOCK/UNLOCK which will be addressed with an upcoming patch. If your analysis depends on the LOCK/UNLOCK semantics, please be aware of the issue.
A new leading zeroes count operator, called lzcount, has been added to p-code, and it can now be used by SLEIGH developers to model processor instructions. The Decompiler can simplify common code idioms using these instructions, and emulation is supported.
User Interface Improvements:
Diff can now be performed between two open programs which may include remote files previously opened via a Ghidra-URL.
GoLang 1.18 Support:
An importer, Analyzer, and Internal changes have been made to support GoLang. Currently, only version 1.18 is supported; however slightly older or newer versions may work. There are still some Decompiler issues with multiple return parameters to be worked out, however the implementation was thought complete enough for initial real use. Please consider the feature an evolving initial implementation.
Ghidra Startup:
Ghidra now remembers the last location of a program when it is closed. When that program is later re-opened, Ghidra will position the program to that location. Also, there are options for where Ghidra should start for new programs and optionally when Ghidra completes the initial analysis.
Template Simplification:
Ghidra now has options for simplifying the display of symbol names, in both the Listing and Decompiler, with complex template information embedded in them. The simplification should result in a much less busy display when dealing with templates.
Additional Bug Fixes and Enhancements:
Numerous other bug fixes and improvements are fully listed in the ChangeHistory file.

New in Ghidra 10.3.2 (Jul 12, 2023)

Improvements:
Debugger:Emulator. Fixed bug when starting the Emulator for processors having small memory spaces. (GP-3437, Issue #5331)
Extensions. Updated Extension installation to allow users to bypass the version compatibility check. (GP-3466, Issue #1193)
Importer:Mach-O. The MachoLoader now supports the __chain_starts section. (GP-3568)
PDB. Updated PDB maximum page size to 8 KB. (GP-3603)
Scripting. Added askPassword method to GhidraScript API. (GP-3295)
Bugs:
Analysis. Corrected an issue which could result in a duplicated imported symbol within the EXTERNAL memory block for what should be a default thunk function. (GP-3302)
Analysis. Fixed problem with Branch/Return analysis infinite loop waffling on some ARM binaries. (GP-3582)
Analysis. Fixed creation of incorrect function bodies which included addresses with data from flow into non-disassembled code. Also fixed PowerPC disassembly from computed flow in certain circumstances. (GP-3599, Issue #5441)
Analysis. Very large functions that run out of address space IDs used for tracking constants will now only log one error message. (GP-3605)
API. Corrected CreateFunctionCmd issue which could fail with the "Function body must contain the entrypoint" error. (GP-3591, Issue #5412)
CParser. Allow pragma keyword in more places, allow parentheses in #pragma, and fixed silent parse failures. (GP-2808, Issue #4692, #5454)
CParser. Fixed CParser to handle multi-line #pragma directives. (GP-3611, Issue #5524)
CParser. When using the CParser to parse header files directly into a program, the program's processor architecture is now used. (GP-3612, Issue #5502)
Debugger. Cleaned up old Troubleshooting entries in Help. (GP-3468)
Debugger:Listing. Fixed regression in dynamic disassembly of WoW64 targets. (GP-3583)
Debugger:Stack. Fixed various stability and error reporting issues with stack unwinding and runtime value hovers. (GP-3407, Issue #5332)
Debugger:Stack. Fixed several issues in Debugger/Emulator GUIs when using/emulating an architecture with a memory-mapped PC register. (GP-3572, Issue #5410)
Debugger:Stack. Fixed NullPointerException when varnode has no high variable during stack unwinding. (GP-3576, Issue #5487)
Debugger:Watches. Fixed restoration of Watch DataType when it comes from the restored Trace. (GP-3588)
Decompiler. Fixed a bug in the Decompiler where combined constant assignments to an array or structure were incorrectly split out on big endian architectures. (GP-3609, Issue #5424)
Emulator. Fixed issue in Emulator's instruction decoder regarding context. (GP-3571)
GUI. Fixed exception when performing the Convert to Class action in the Symbol Tree while the tree had a filter applied. (GP-3589, Issue #5480)
Importer:ELF. Fixed incorrect error message during import regarding ELF build-ID length. (GP-3546)
Importer:ELF. Corrected exception and ELF GOT allocation issue which could prevent import of X86-64 object modules which contain GOT-based relocations (e.g., R_X86_64_GOTPCREL). (GP-3610, Issue #5519)
Importer:Mach-O. Fixed a regression in the Mach-O Loader that was causing incorrect DYLD_CHAINED_PTR_64_KERNEL_CACHE fixups. (GP-3598)
Importer:PE. Fixed a timestamp encoding bug that caused PE symbol .exports files to not get matched and applied in some circumstances. (GP-3552, Issue #5351)
Importer:PE. Failing to parse PE ExceptionDataDirectory no longer prevents the import from finishing. (GP-3584, Issue #5483, #5496)
Processors. Fixed ARM Neon Thumb vdup instruction, which was using the wrong bits for register value. (GP-3524, Issue #5420)
Processors. Fixed 6x09 leax and leay instructions to update zero flag. (GP-3525, Issue #5414)
Processors. Corrected 6809 macros compare flags and two-byte push/pops in big endian architecture variant. (GP-3606, Issue #5508)
Processors. Fixed flags for the 6809 processor left-shift instructions. (GP-3621, Issue #5523)

New in Ghidra 10.3.1 (Jun 16, 2023)

Improvements:
Debugger:LLDB. Upgraded SWIG-generated Java (plus docs) to LLVM/lldb 16.x. (GP-3442, Issue #5359)
Decompiler. Added an option to the Decompiler, controlling the maximum size of jumptable that can be recovered. (GP-3266)
Decompiler. Improved Decompiler function call-override to consider calling convention when differentiating function signatures. (GP-3268, Issue #5335)
Decompiler. The Decompiler now respects tool options for shortening template strings within symbol names. (GP-3369)
Importer:ELF. Added Max Zero-Segment Discard Size import option to ELF Loader. Value was previously hard-coded to 255 bytes. (GP-3428, Issue #5273)
Importer:Mach-O. Restored Mach-O indirect symbol creation when binding information is not present, such as when importing a DYLIB extracted from a dyld_shared_cache. (GP-3526)
Languages. Added windows__stdcall calling convention as an alias to the default calling convention for aarch64 and x86-64. (GP-3472)
Scripting. Improved the RecoverClassesFromRTTIScript recognition of special vtables when they are in memory blocks not tied to imported file bytes. (GP-3463)
Scripting. Mitigated a RecoverClassesFromRTTIScript issue where mangled typeinfo names were not always getting extracted from memory when more than one bad data type was created over the memory containing the mangled string. (GP-3467)
Bugs:
Analysis. Fixed regression when functions are set as inline that can cause lockups: during analysis, with use of stack depth field, and for Set Stack Depth Change action. (GP-3499, Issue #5378, #5400, #5401)
CParser. Fixed C header file parsing of pragma lines when a comma is found outside of parentheses. (GP-3541, Issue #5427)
Data Types. Corrected issues related to data organization retention and upgrade for data types. (GP-3506)
Debugger:GDB. Reduced frenetic queries for module info at launch time. Fixed 00000000 values in module ranges. (GP-3448, Issue #4456, #5357)
Decompiler. Fixed bug that could cause errors in constant calculations involving 128-bit or larger registers. (GP-3426, Issue #3492)
Decompiler. Fixed a bug that could prevent recovery of a switch if the variable is written indirectly through a pointer alias. (GP-3441, Issue #5307)
Decompiler. Corrected 10.3 regression when Edit Function Signature is invoked from Decompiler, which may ignore the calling convention used with current function decompilation. (GP-3454, Issue #5367)
Decompiler. Fixed hashing bug causing inconsistent results with Force Field action in the Decompiler. (GP-3508, Issue #5372)
Documentation. Fixed missing return in termmines.c exercise file. (GP-3444, Issue #5343)
Exporter. Fixed a regression in the Original File exporter that prevented it from working when unapplied relocations were present in the relocation table. (GP-3446, Issue #5346)
GUI. Fixed bug where Ghidra did not prompt to save GUI Theme changes when exiting via a menu versus the window X (Close Window) button. (GP-3477, Issue #5377)
GUI. Updated the Python Interpreter prompt to use less space. (GP-3509, Issue #5379)
GUI. Fixed issue with menu bar colors on Mac system when using Mac Aqua Look and Feel while in dark mode. (GP-3528, Issue #4454)
Importer. Fixed an exception that occurred when the MzLoader tried to split the HEADER overlay block. (GP-3447, Issue #5320)
Importer:ELF. Corrected potential exception when processing invalid ELF PT_NOTE program header. (GP-3493, Issue #5384)
Importer:ELF. Corrected bugs in ELF Android packed relocation processing and rendering of sleb128 data type. (GP-3543)
Importer:Mach-O. Fixed a regression in the Mach-O Loader that was causing incorrect DYLD_CHAINED_PTR_X86_64_KERNEL_CACHE fixups. (GP-3474)
Importer:Mach-O. Fixed an AddressOutOfBoundsException that could sometimes occur when importing the exports section of dyld_shared_cache files. (GP-3505, Issue #5392)
Importer:PE. Fixed an IllegalStateException that could occur if both Load Local Libraries From Disk and Load System Libraries From Disk options are used during import and the same library is found in both local and system directories. (GP-3445)
Importer:PE. Fixed a bug that caused PE symbol .exports files to always get deleted after import. (GP-3519, Issue #5348)
Languages. Adjusted handling of PowerPC e500 small data area pointer. (GP-3480)
Processors. Fixed operand count mismatch in some M68000 instructions. (GP-2779, Issue #4807, #4808)
Processors. Corrected issue with M68000 pea instruction with address based on SP. (GP-2955, Issue #4795)
Processors. Fixed flag issue in 6502 TSX instruction. (GP-2963, Issue #4838)
Processors. Addressed multiple issues with 8048, including fixing the movp, movp3, and jmpp instructions and correcting the implementation of the memory bank selection. (GP-3009, Issue #2423, #4825)
Processors. Fixed decoding of x86-64 popf and pushf instructions. (GP-3102, Issue #4980)
Processors. Corrected pcode for PowerPC e_stmvsprw instruction. (GP-3325, Issue #4886)
Processors. Fixed PowerPC instruction eieio decode for all valid variants. (GP-3432, Issue #4887)
Processors. Fixed issue with AARCH64 mla instruction using erroneous registers. (GP-3478)
Processors. Restored original M68000 calling convention to only use stack, and added an additional .cspec file for the optional Register ABI calling convention for ColdFire. Also added bonus function start patterns identified during testing. (GP-3532, Issue #5390)
Sleigh. Fixed SleighEditor to allow 2 to n arguments in CPOOL Sleigh operator. (GP-3534, Issue #2148)

New in Ghidra 10.3 (May 11, 2023)

New Features:
Analysis. Initial Golang binary analysis for Go 1.18. (GP-2114, Issue #2327)
Debugger. Added breakpoint indicators to the Decompiler's margin, when used in the Debugger. (GP-1280)
Debugger. Added Debugger control actions to global toolbar. (GP-1595, Issue #3742)
Debugger. Created new independent launchers for Debugger agents. (GP-1999)
Debugger. Added ability to set node timeout. (GP-2502)
Debugger. Added class materials for the Debugger. (GP-2641)
Debugger. Added hover tooltips for variable values in the Static Listing, Decompiler, and Dynamic Listing. Added Unwind Stack action. (GP-2834, Issue #4732)
Debugger. Added ability to set initial directory and other parameters. (GP-2839, Issue #4732)
Debugger. Added a dedicated Emulator tool. (GP-3074, Issue #4931)
Debugger. Added ability to export/serve symbols and types as Volatility ISF JSON. (GP-3222)
Debugger:Emulator. Added Invalidate Emulator Cache action. (GP-2970)
Debugger:Emulator. Added Add Region and Delete Regions actions to the Regions window. (GP-3357)
Debugger:Objects. Added commands Advance to GDB, Step/Trace to Address to dbgeng/model, and Run to Address to LLDB in address context menus. (GP-1808, Issue #4056)
DWARF. Added support for some Apple-specific DWARF tags. (GP-3175)
GUI. Added theming support to Ghidra, including a dark theme. (GP-1981, Issue #4145)
GUI. By default, programs will now open to their location when last closed. (GP-2939, Issue #1196)
Pcode. Support for a new p-code operator lzcount has been introduced into SLEIGH, the Decompiler, emulation, etc. It returns the count of leading zero bits in its operand. (GP-3155, Issue #2810)
Processors. Added eBPF and BPF processors. (GP-2257, Issue #4258, #4378)
Project. Added Restore Previous Project option to the Front End Tool that controls whether or not the previously opened project is automatically restored on startup. (GP-2695, Issue #4650)
Scripting. Created AssociateExternalPELibrariesScript that associates imported library files for PE programs in order to fix up external references from the program to the libraries. This is useful for users who forgot to load the libraries on program import and want to fix up the references after the fact. (GP-3098)
Version Tracking. Updated the Version Tracking API to make extension of correlators easier. (GP-3199, Issue #4950)
Improvements:
Analysis. Added support for pointer Typedef values passed as parameters to functions. (GP-2160)
Analysis. Added identification and side-effect fixes for windows AARCH64 __security_push_cookie to fix poor Decompiler and stack reference results. (GP-3124, Issue #5018)
Analysis. Added support for processing PE MinGW pseudo-relocations during auto-analysis immediately after import. (GP-3236, Issue #5155)
API. Added ability to associate a specific program architecture with a datatype archive. This allows associated types to preserve proper type sizing and alignment characteristics based upon a designated architecture. Delivered archives will reflect the architecture they were created with instead of utilizing the default data organization. (GP-1633, Issue #4898)
API. Changed FunctionDefinition and FunctionSignature to use calling convention names as strings instead of being limited to GenericCallingConvention. Also added noreturn support to these interfaces. (GP-2308, Issue #3267, #4537)
API. Added methods to TaskMonitor to address spelling inconsistencies. (GP-2982, Issue #4870)
API. Revised program Relocation table to include status and a more accurate length of affected bytes when applied. (GP-3013)
API. Added by-name index method SymbolTable.scanSymbolsByName(String startName). This has been utilized by the assembler UI to resolve a hang on large programs. (GP-3015, Issue #2630)
Basic Infrastructure. Upgraded dependencies to guava 31.1-jre (from 19.0), baksmali 2.5.2 (from 1.4.0), and dex2jar 2.1 (from 2.0). (GP-3154)
Basic Infrastructure. Improved error handling of module directories not being readable during launch. (GP-3347, Issue #5244)
Build. Added support for building with Gradle 8. (GP-2476, Issue #3527, #5003)
Build. The build now enforces a maximum-supported Gradle version. The current supported versions are Gradle 7.3 or later. (GP-3111)
Build. Ghidra can now run from development/repository mode using Gradle's compiled jars, instead of just relying on Eclipse's compilation output. (GP-3140)
C Parsing. Provided GDT archives have been updated to include new ProgramArchitecture settings for processor, data organization, and endianess. (GP-1377)
CParser. Removed unnecessary -D defines related to wchar_t from CParser prf files and GDT parsing scripts. (GP-3294, Issue #5196)
Data Types. Function definitions can now be applied from selected Category instead of only from an entire Archive. (GP-199)
Data Types. Changed Structure/Union editor to show numbers in hex format by default. Also added Shift-H keybinding action for toggling hex/decimal view. (GP-2943)
Data Types. Improved DataTypeParser to handle type names which include the :: namespace delimiter. (GP-3003, Issue #4841)
Data Types. Changed Apply Data Archives analyzer to allow user to choose a data type archive to apply to their binary during analysis. (GP-3344, Issue #5184)
Debugger. Added option to memorize a program-module association when confirming mapped modules. (GP-1527, Issue #3641, #3675)
Debugger. Improved the Go To... dialog. It now accepts simple addresses or Sleigh expressions. (GP-1539)
Debugger. Removed Guava from Debugger's dependencies. (GP-1542)
Debugger. Replaced Guava's Cache. (GP-1545)
Debugger. Improvements to allow dbgmodel kernel debugging. (GP-1768)
Debugger. Upgraded protobuf to 3.21.8. (GP-2302, Issue #4415, #4540)
Debugger. Improved default connector selection, based on current program and last successful connection. (GP-2623)
Debugger. Added remote connectivity for LLDB. (GP-2709)
Debugger. Made modifications in support of iPhone work. (GP-2870)
Debugger. Better instructions for LLDB/Swig. (GP-3055, Issue #4774)
Debugger. Made LLDB-related improvements in support of iPhone work. (GP-3063)
Debugger. Changed refresh option from boolean to RefreshBehavior enum to allow opportunistic use of caches. (GP-3142)
Debugger. Providing convenience script for LLDB builds. (GP-3247, Issue #5061)
Debugger. Changed Go To Time action to use the Time selection dialog. (GP-3317)
Debugger:Agents. Limited debug agents to accept a single GADP connection and to terminate automatically when disconnected. (GP-1976)
Debugger:Agents. API: Removed TargetObject.add/removeListener() in favor of DebuggerObjectModel.add/removeModelListener(). (GP-2752)
Debugger:Agents. Enable opportunistic uses of caching. (GP-3162)
Debugger:Breakpoints. Breakpoints window can now interact with the integrated emulator. It also supports custom Sleigh injections or conditions. (GP-2676)
Debugger:Emulator. Dynamic views can now show (lazily) loaded bytes for pure emulation. (GP-2989)
Debugger:Emulator. Moved new Emulator into its own module. (GP-3071)
Debugger:Listing. Added visual indicator when PC (or other tracked location) is not located in the listing. (GP-2750)
Debugger:Registers. Changed Registers and Watches to use pointer typedefs. This allows a user to specify the target space of a pointer, especially in Harvard architectures. (GP-2653)
Debugger:Registers. Added consideration for aliases when matching target registers to Ghidra registers. (GP-2966)
Debugger:Threads. Changed Threads, Stack, and Time panes to require double-click to activate the selection in the rest of the UI. (GP-3018)
Debugger:Trace. Replaced Range<T> with Lifespan, ULongSpan, KeySpan, FieldSpan, etc. (GP-1543)
Decompiler. Compiler specification (cspec) files allow more flexibility when describing overlapping parameter-passing storage locations. (GP-2544, Issue #4568)
Decompiler. Decompiler analysis of functions with multiple switch statements is substantially faster in many cases. (GP-2560, Issue #4558)
Decompiler. The Decompiler can now split a copy operation that simultaneously moves multiple fields in a structure or multiple elements of an array. (GP-2563, Issue #3884)
Decompiler. The Decompiler propagates constants, in more situations, into blocks that are executed conditionally. (GP-2603, Issue #4527)
Decompiler. Added DecompilerStackProblemsFinderScript, which searches the decompiled code for certain local variables that can be indicators of stack analysis issues. (GP-2697)
Decompiler. Added Decompiler actions to convert constants to Double and Float. (GP-3001, Issue #3689)
Decompiler. The Decompiler's Rename actions now allow the user to reclaim an automatically generated name on another symbol. (GP-3224, Issue #4863)
Diff. Added ability to initiate a Program Diff with another program selected from a list of compatible open programs already open in the tool. (GP-2897)
DWARF. Added support for ELF-compressed sections. (GP-2363, Issue #3659, #4460)
Eclipse Integration. Eclipse now recognizes test source folders. (GP-3130)
ELF. Added support for tagging ELF informational sections. Added support for Golang metadata in ELF binaries. (GP-2111)
Exporter. The PE and ELF exporters have been replaced by a new Original File Exporter that will work on all programs that store original file bytes. The Original File Exporter has an option to export both user-modified bytes as well as original bytes. (GP-2770)
Graphing. Upgraded jungrapht-visualization and jungrapht-layout to version 1.4. (GP-3249, Issue #5156)
GUI. Improved support for Ghidra URLs and their use in comment annotations. (GP-2509)
GUI. Updated the Navigation History Plugin's maximum history limit. (GP-2843)
GUI. Improved table-sorting performance. (GP-2908, Issue #4782)
GUI. Updated the Structure Editor to maintain the table selection during external updates. (GP-2945, Issue #4820)
GUI. Added new feature where programs can automatically go to a newly discovered start symbol (e.g., "main") after analysis completes. If the user has navigated to another program location before analysis completes, a popup dialog will appear asking if the user would like to go to the new symbol. Both of these behaviors can be turned off via the Navigation tool options. (GP-3064)
GUI. Added ability for default tool launch (e.g., project file double-click) to reuse existing tool instead of always launching a new tool. This behavior controlled via Project Window Default Tool Launch Mode option. (GP-3080)
GUI. Updated the Memory Map table to use a fixed-width font for the Start, End, and Length columns. (GP-3103)
GUI. Updated Create Enums From Selection action to handle duplicate-named enum entries when merging selected enums together into a new enum. (GP-3204, Issue #5036)
GUI. Added a Front End tool option to disable application-wide tooltip popups. (GP-3254, Issue #5095)
GUI. Fixed several issues with enums and the GUI for editing them. The API supported both unsigned and signed enums, but the GUI only supported unsigned enums. Also added extra checking so that enums can't support negative values and large unsigned values at the same time. (GP-3255, Issue #3806)
GUI. Clicking a sound icon in the Listing will now stop any currently playing sound. (GP-3393, Issue #5278)
Importer. Headless Ghidra and the AutoImporter API now support loading more than one program, such as when importing a program results in additional libraries getting loaded. (GP-2877, Issue #4929)
Importer. The OMF Loader now handles LPUBDEF symbols. (GP-2976, Issue #4854)
Importer. The OMF Loader now handles unsupported/unknown record types more gracefully. (GP-2997, Issue #4856, #4857)
Importer. Improved GZF/GDT import and export to allow unforced upgrade of older files. This is particularly important when a user has a version-sensitive issue and needs to have the project file triaged. (GP-3034)
Importer. The OMF Loader now handles CEXTDEF symbols. Known functions are now also created by the OMF loader to improve analysis. (GP-3117, Issue #4912)
Importer. Made improvements to the OMF Loader's relocation handler. (GP-3141, Issue #4909)
Importer. Improved support for loading old-style DOS MZ binaries. (GP-3353, Issue #5229)
Importer:ELF. Eliminated the public mutability and writing of ELF Headers whose implementation is not well suited for this in the absence of any ELF Linker support or related processor extension API. (GP-3152)
Importer:Mach-O. Mach-O external libraries are now linked during analysis. (GP-2602)
Importer:PE. The PE Loader has been updated to correctly recognize and mark the program compiler ID for MinGW programs. GNU Demangler has been updated to recognize and run on programs with GCC compiler option. (GP-1851, Issue #2208, #4513, #4514, #4520, #4906, #5155)
Importer:PE. The PE Loader can now load sections that extend beyond the end of the imported file without error. (GP-2826, Issue #4705)
Importer:PE. The PE Loader no longer rebases images to 0x10000 when the preferred image base is very large. (GP-2827, Issue #2361, #4710)
Importer:PE. Improved PE header parsing so binaries with corrupt symbol/string tables do not prevent Ghidra from recognizing them as PE. (GP-2973)
Jython. Improved Python interpreter code-completion behavior. (GP-2759, Issue #4678, #4699)
Languages. Reverted disassembly of x86 two-byte xchg ax,ax back to nop. (GP-3372)
Listing. Added Simplify Template Names option (on by default) to simplify symbol and datatype names with complex template info as part of their name. This only affects the Listing display and doesn't affect the actual symbol or datatype name. (GP-388)
Listing. Added options for the starting location of a program when it is opened, which will move the location to a specific function or label. See Preferred Symbol Name under the Navigation tool options. (GP-2141, Issue #4267)
Listing. Changed overlapping markers to blend rather than occlude. (GP-2723)
Multi-User. The Ghidra Server's temp directory can now be controlled by setting the WRAPPER_TMPDIR variable in ghidraSvr(.bat). (GP-3053, Issue #4925)
Multi-User. Upgraded YAJSW to 13.09. (GP-3119)
Processors. Corrected treatment of x86 LOCK prefix. (GP-2487, Issue #4336)
Processors. Added support for ARM v4T and v5T bl lr and blx lr pseudo-instructions. (GP-2872, Issue #4320)
Project. Added support for Ghidra-URL-linked project files and folders. Copy/Paste-Link actions are added to project file tree when copying from viewed repository or another project. (GP-2644)
Prototypes. PrototypeModel.getReturnAddress() now returns the default return address of the compiler spec when a prototype does not define its own. (GP-2612, Issue #4611)
Scripting. The RecoverClassesFromRTTIScript has been updated to recognize and process Windows PE programs compiled with GCC (i.e., MinGW, Cygwin programs). (GP-1856)
Scripting. The RecoverClassesFromRTTIScript has a few improvements for GCC-compiled programs. (GP-2679, Issue #4414)
Scripting. Added the RTTI Found RTTI Analyzer option to the program information, which is used to determine whether to rerun the analyzer and also to decide whether to run the RTTI script. (GP-3293)
Sleigh. Improved Sleigh compiler warning and error messages. (GP-2913, Issue #4595)
Bugs:
Analysis. Removed check for instruction falling into a location being considered for a shared return function. (GP-3044)
Analysis. Added support for stack parameter tracking, PointerTypedef parameters, restrictions of parameter values to known pointer parameters, and a prototype-setting for propagation of pointer parameter types to memory. (GP-3077)
Analysis. Fixed deadlock in Arm Analyzer waffling between overriding the return instruction as a return and branch. (GP-3150)
Analysis. Removed duplicate references placed on different operands of instructions. (GP-3214)
Analysis. Fixed issues related to analysis flag and how it affects asking the user to analyze a new program. (GP-3282)
Analysis. By default, pointer-to-pointer analysis is turned off for ARM binaries in the Operand and Data Reference analyzers. This can result in fewer references created, and can be turned back on if your binaries use pointer data in memory instead of offset values from the current PC. (GP-3335)
API. Fixed bug on pinned symbols when changing image base. (GP-3178, Issue #4290)
API. Revised ApplyFunctionSignatureCmd to allow use where function should not get renamed when signature applied. (GP-3350)
Byte Viewer. Fixed bug in Byte Viewer where the last byte in a block could not be selected if the field group size was larger than 1. (GP-1593)
CParser. Fixed parsing of Windows wdm.h header file with multi-line strings passed as arguments to a macro. (GP-2809, Issue #4690)
CParser. CParser.parse(String) method no longer throws an exception, and, when parsing a structure as a string, the return type will be the structure—not the last member of the structure. (GP-3183, Issue #4903)
CParser. Removed wchar_t as a keyword when parsing header files. wchar_t will always use the built-in wchar_t datatype even if defined with a typedef within a header file. (GP-3215, Issue #5108)
CParser. Fixed issue with CParser creating #define enum values if unsigned long is specified with parentheses around the value; for example, #define X (4ul). (GP-3216, Issue #5069)
CParser. Pressing Cancel during parsing of header files is now more responsive. (GP-3284, Issue #5181)
CParser. Enum constants are now created by the CParser when #define expressions ending in ULL, LLU, LL, and LU are found in parentheses. (GP-3285, Issue #5161)
CParser. Fixed expansion of #define statements embedded in #include files and parsing of constants with UL/LL size specifications. (GP-3310, Issue #5207)
CParser. Fixed CParser issues with forward-declared Enums and typedefs used within the body of functions. (GP-3371, Issue #3526, #5271)
CParser. Enum sizes are now set to the size of an int for the processor (formerly 4), and enums from #defines are set to the the smallest enum size that will fit the number (formerly 8). Future change will add packed enum sizes. (GP-3385)
Data. Corrected handling of zero-length components in the form of Listing DataComponent CodeUnits. These were incorrectly reporting a length of 0 instead 1; all Listing Data, including DataComponents, must report a positive non-zero length. (GP-3314)
Data Types. Automatically created class structures now respect the Preferred Root Namespace Category property. (GP-1123, Issue #3196)
Data Types. Added support for floating-point data types to parse decimal string representation. A significant refactor of FloatFormat and BigFloat was completed. BigFloat is now used as the value class for all float data types. Introduced DataType.getAlignedLength() method which was needed to differentiate between the raw encoding size and the aligned (i.e., padded) size used by a compiler when allocating storage (i.e., sizeof). Example: for x86-32 gcc, 80-bit float has an aligned-length of 12-bytes which reflects compiler's sizeof(long double). (GP-1379)
Data Types. Corrected 80-bit floating point support to include decode, encode, and computation via the FloatFormat and BigFloat support classes. (GP-3022, Issue #4853)
Debugger. Fixed issue with default renaming of traces when auto-saving with conflicting names. (GP-1484)
Debugger. Fixed bug in refresh logic. (GP-1884)
Debugger. Fixed various errors in breakpoint logic for dbgeng/model. (GP-2177)
Debugger. Fixed occasional stack trace in auto-saving traces when closing Debugger. (GP-2732)
Debugger. Miscellaneous fixes for LLDB agent. (GP-2781)
Debugger. Provided greater flexibility with library load error messages. (GP-3012)
Debugger. Emulate Program and Map Identically actions now exclude EXTERNAL block. (GP-3087)
Debugger. Removed Tool Options: Colors sections from Debugger help. (GP-3218)
Debugger:Agents. Fixed some issues with GADP agent no-dep jars. (GP-1007, Issue #3076)
Debugger:Agents. Fixed a NullPointerException in GadpValueUtils. (GP-2915, Issue #4791)
Debugger:Agents. Fixed GADP connectors to use the same JRE/JDK as Ghidra. (GP-2979)
Debugger:dbgeng.dll. A register modification now updates the Stack and other windows. (GP-2636)
Debugger:Emulator. The emulator will now halt when trying to decode an instruction from uninitialized memory. (GP-1529)
Debugger:Emulator. Fixed Emulator for processors that use crossbuild. (GP-1904)
Debugger:Emulator. Removed 4 unnecessary classes in emulator: RequireHasKnownTraceCachedWriteBytesPcodeExecutorState, RequireHasKnownTraceCachedWriteBytesPcodeExecutorStatePiece, RequireIsKnownTraceCachedWriteBytesPcodeExecutorState, and RequireIsKnownTraceCachedWriteBytesPcodeExecutorStatePiece. (GP-3280)
Debugger:GDB. Fixed missing stack frames when single-stepping. (GP-1470)
Debugger:GDB. Fixed unnecessary error popup when user rejects HostKey while connecting to GDB via SSH. (GP-1710)
Debugger:GDB. Fixed Erase In Line ANSI escape decoding issue for GDB on Windows. (GP-3135, Issue #3562, #5026)
Debugger:GDB. Fixed issue launching binaries in GDB with spaces in the path. (GP-3311, Issue #5203)
Debugger:Listing. Fixed a bug where closing a cloned Dynamic Listing resulted in an extraneous stale PC marker in the Static Listing. (GP-2991)
Debugger:Mappings. Map Identically and Map Manually actions will now refuse to overwrite existing mappings. (GP-3086)
Debugger:Trace. Fixed a bug that allowed the user to undo a trace's initial transaction. This would lead to a subsequent NullPointerException. (GP-3213)
Debugger:Trace. Fixed issue with Undo not being effective immediately. (GP-3358)
Decompiler. Fixed a Decompiler decoding error that occurred when a pre-comment contained a null character. (GP-3002, Issue #4836)
Decompiler. Line breaks in Decompiler output can no longer disable a comment annotation. (GP-3029)
Demangler. Fixed missing use of wchar_t, wchar16, and wchar32 primitives in Demanglers. (GP-3184, Issue #5080)
Documentation. Made minor fixes and improvements to the Advanced Ghidra training class documentation. (GP-2944)
ELF. Corrected ELF MIPS Relocation processing for R_MIPS_32. Added support for R_MIPS_PC21_S2 and R_MIPS_PC26_S2. (GP-3260, Issue #5160)
Exporter. Corrected operand formatting issues with ProgramTextWriter, which affected HTML/ASCII exports. (GP-1868, Issue #793)
Framework. Fixed an IllegalStateException that occurred while refreshing the Bundle Manager after the Code Browser tool had been closed. (GP-2711, Issue #4656)
Graphing. Changed default Call Graph action to always use the isolated entry block model, which will give the best results most of the time. (GP-3250, Issue #5157)
Graphing. Fixed stack trace when reusing graphs. (GP-3399)
GUI. Updated tables to correctly take focus when pressing F2 to start an edit. (GP-366)
GUI. Fixed issue where add/edit label dialog would grow ridiculously large. (GP-543)
GUI. Improved function-signature-parsing within Function Editor dialog to handled sized pointers. (GP-1100, Issue #3178)
GUI. Fixed bug where symbol tree category nodes could not be closed when there was a filter in place. (GP-2187)
GUI. Updated the Data Type Manager tree to maintain the tree selection when opening an archive for editing. (GP-2423)
GUI. Fixed the Enum Editor to allow sorting on the Comments column. (GP-2776, Issue #4693)
GUI. Updated the Equates Table to allow multiple selection. (GP-2887, Issue #4771)
GUI. Added rapid Ghidra Server timeout during initial connection to avoid lengthy connection delay when the server system is offline. (GP-2935)
GUI. Added support for HTML rendering in TableChooserDialog. (GP-2996, Issue #4880)
GUI. Fixed bug that prevented editing of function variable data types in the Edit Function dialog. (GP-3115, Issue #4970)
GUI. Updated the Function Signature dialog to allow editing the parameter table using only the keyboard. (GP-3173, Issue #3561)
GUI. Fixed bug where scroll bar didn't appear when the view size was just slightly smaller than the actual text to be displayed. This affected the Listing, Bytes, and Decompiler views. (GP-3202, Issue #3938)
GUI. Added the ability to copy details from the Missing Processor Manual dialog. (GP-3205, Issue #4218)
GUI. Fixed issue where opening multiple file datatype archives with the same name would not appear in the Datatypes tree. (GP-3281)
GUI. Changed function custom storage editor to permit larger storage to be specified. Undefined datatype size will expand to match storage size up to 8 bytes. (GP-3286, Issue #4983)
GUI. Fixed bug in Plate Comment that caused truncation during word wrapping. (GP-3403, Issue #5297, #5298)
Headless. Fixed a bug that caused a program to have an invalid Executable Location property when the program was imported headlessly from a relative path. (GP-3054)
Importer. The OMF Loader now parses COMMENT_CLASS_LIB correctly. (GP-3118, Issue #5016)
Importer. Fixed an issue that could cause the Importer to not respect the Load System Libraries From Disk and Load Local Libraries From Disk options if the Perform Library Ordinal Lookup option was used. (GP-3272, Issue #4849)
Importer:ELF. Corrected ELF Loader issue which could improperly set memory blocks as read-only. (GP-2730)
Importer:ELF. Added support for ELF X86-64 GOTPCREL relocation processing. Revised ELF relocation processing context API to utilize a single instance per import instead of one per relocation table. (GP-2984, Issue #4859)
Importer:ELF. Corrected ELF Loader issue with INIT/FINI array processing when entries have relocations applied. (GP-3176, Issue #5039)
Importer:ELF. Changed ELF relocation processing to avoid creating offset-pointers in memory blocks whch have execute permission or for section based relocations. (GP-3339, Issue #5238)
Importer:Mach-O. Fixed Mach-O external symbol namespace issues that prevented demangling. (GP-2511)
Importer:Mach-O. Fixed an exception that could occur while parsing DYLD chained fixups in some Mach-O binaries. (GP-3151)
Importer:Mach-O. Fixed a bug that prevented the Mach-O loader from finding and loading libraries that reside in a Universal Binary file. (GP-3167)
Importer:Mach-O. The Mach-O Loader now correctly handles DYLD_CHAINED_PTR_64_OFFSET fixups. (GP-3194, Issue #4986)
Importer:Mach-O. Fixed an exception that occurred when importing Mach-O PowerPC binaries with relocations. (GP-3259)
Importer:PE. Added a PE Loader Show Debug Line Number Comments option to show/hide debug line number comments. (GP-714, Issue #1184)
Importer:PE. Fixed some issues with parsing Windows Dialog resources. (GP-2821, Issue #3807, #3808)
Languages. Added the HALT instruction to the Coldfire processor. (GP-3326, Issue #5194)
Multi-User. Corrected issue where shared project creation would retain canonical server name instead of the original, specified hostname. (GP-3050, Issue #4924, #4928)
Multi-User. Corrected issue which disallowed Ghidra Server user IDs starting with a 0–9 digit. (GP-3121)
PDB. Overriding overzealous thunk detection on function creation when PDB knows better. (GP-3127)
PDB. Stubbed in some structures to represent class Member Pointers. Details need to be determined with future research. (GP-3171, Issue #5055)
PDB. A function is now created for a global label only if there are function indicators; otherwise, only a label is applied. Reverts the forced-function creation part of GP-2505. (GP-3200)
PDB. Fixed PDB handling of same-named __unnamed anonymous data types with different definitions used within a common structure. These could be emitted by VS 2005. (GP-3279)
Processors. Fixed issues with M68000 shift and rotate instruction behavior. (GP-2013, Issue #4217)
Processors. Added missing x87 FDESI, FENI, FNDESI, and FNENI instructions. (GP-2093, Issue #4262)
Processors. Added support for SuperH fsrra, fsca, and movua.l instructions. (GP-2374, Issue #4210)
Processors. Added extended floating point instructions to V850 processor. (GP-2565, Issue #4453, #4481)
Processors. Corrected 6809 and H6309 processors Jump address calculations and fixed issue with Extended Address bit-pattern disassembly. (GP-2650, Issue #4630)
Processors. Corrected addresses for ARM Cortex interrupt vectors. (GP-2706, Issue #4638)
Processors. Added support for MIPS DSP instructions. (GP-2775, Issue #4526)
Processors. Fixed operand ordering for M68000 abcd and sbcd instructions. (GP-2880, Issue #4183, #4189)
Processors. Fixed regression in x86 with disassembling the pause instruction. (GP-2892)
Processors. Corrected semantics for TriCore nor.t instruction. (GP-2895, Issue #4775)
Processors. Corrected issues in the SPARC language involving delay slots and ordering. (GP-2932, Issue #4805)
Processors. Corrected implementation of PowerPC fsel instruction. (GP-2937, Issue #4664)
Processors. Fixed semantics of 65C02 TRB and TSB instructions. (GP-3039, Issue #4921)
Processors. Fixed operand parsing of ARM Neon vld and vst instructions. (GP-3043, Issue #4814)
Processors. Corrected x86 MOV REX, MOFFS64 disassembly with address size prefix. (GP-3078, Issue #4942)
Processors. Corrected x86 FBLD instruction semantics. (GP-3079, Issue #2427)
Processors. Fixed ARM neon VMOV.U16 instruction decode. (GP-3096)
Processors. Fixed issue with ARM Thumb push {register_list} not disassembling when the last two registers in the list are r2 and r3. (GP-3132, Issue #5024)
Processors. Supplied additional register field support to AARCH64 MSR instruction. (GP-3156)
Processors. Fixed issue with ARM Thumb Neon vqdmull instruction not disassembling. (GP-3157, Issue #5053)
Processors. Fixed issue with HCS12 TSTA instruction not clearing carry flag. (GP-3169, Issue #5067)
Processors. Fixed issue with M68000 processor having a varnode of zero size. (GP-3187, Issue #5093, #5094)
Processors. Corrected RISC-V jal/jalr instructions to be a call instead of goto, when link register is T0. (GP-3217, Issue #5092)
Processors. Fixed PowerPC branch-conditional-and-link semantics for assigning LR register. (GP-3341, Issue #5218)
Processors. Fixed stack alignment in x86 far call instructions (GP-3398, Issue #1715, #1723)
Scripting. Fixed an issue that prevented the default script log file from getting used in the user's .ghidra directory. (GP-2936)
Scripting. Fixed a bug in FlatProgramAPI.getLastInstruction(). (GP-3198, Issue #5090)
Scripting. Improved how the interactive Python interpreter handles transactions. This fixed an uncaught exception that occurred when GhidraScript.openProgram() was called. (GP-3321, Issue #5215)
Search. Increased performance related to Search Results table markers. (GP-2828)
Search. Fixed exceptions in ReferenceUtils when searching for structure members with no size. (GP-3283)
Search. Fixed bug that caused search highlights to sometimes disappear from the Listing when the user moves the cursor. (GP-3329)
Sleigh. Addressed a bug in the SLEIGH compiler that allowed inconsistent exporting of sizeless varnodes. (GP-3186)

New in Ghidra 10.2.3 (Feb 9, 2023)

Improvements:
Basic Infrastructure. Addressed CVE-2023-22671 by removing eval usage from launch.sh. (GP-2987, Issue #4869, #4872)
Build. Ghidra's Windows native binaries can now be built using Microsoft C++ Build Tools. (GP-2786, Issue #1733, #4647)
Build. Providing better error reporting when a supported version of Visual Studio (2017+) cannot be found. (GP-2928)
Decompiler. Added fail-fast logic to improve efficiency of switch analysis for software breakpoints. (GP-2866)
Decompiler. Updated the limit of the Auto Fill in Structure action to take the larger of 0x1000 and the size of the structure. (GP-3020, Issue #4879)
GUI. Updated the Front End Project Table to allow users to change selected rows by clicking any already-selected row. (GP-3051)
Processors. Added ColdFire EMAC instruction variants. (GP-2197)
Processors. Added volatile and size attributes to individual default_symbols/symbol elements in pspec files. Symbols with these volatile and size attributes are treated as volatile by the Decompiler. (GP-2606)
Bugs:
Analysis. Corrected RISC-V function start patterns. The values of totalbits and postbits were set such that no patterns would ever match. Call instructions split into call/jump based on return addressing saving in RA. (GP-2878)
Analysis. Corrected potentially bad constant propagation where the subtraction two unknown values can result in the placement of an erroneous memory reference. (GP-3066)
Assembler. Fixed parsing of 64-bit unsigned immediates. (GP-2789, Issue #4688)
Assembler. Fixed display and assembly of THUMB tbb [pc, rm] instruction. (GP-2946, Issue #4824)
Debugger:Watches. Fixed endless read loop in Watches pane when read results in error. (GP-2815)
Decompiler. Fixed Decompiler bug that can cause Symbols... assigned to the same variable exceptions. (GP-2859)
Decompiler. Fixed regression in handling of spacebase register values that cause a stack trace in the Decompiler for RISC-V. Removed unnecessary spacebase settings in TriCore, MIPS, RISC-V. (GP-2905)
Decompiler. Fixed bug preventing some format conversions of negative constants in the Decompiler window. (GP-2927, Issue #3747)
Decompiler. Fixed error in dynamic hash algorithm which could cause the rename/retype actions in the Decompiler to fail. (GP-3014, Issue #193)
Decompiler. Fixed Decompiler marshaling parsing error for function prototypes with an unknown stack purge. (GP-3065)
Decompiler. Fixed bug causing switch analysis on x86 16-bit executables to fail. (GP-3075)
Decompiler. Fixed bug causing Expecting unsigned integer attribute exceptions when decompiling for architectures with a word size greater than 1 byte. (GP-3088)
DWARF. Fixed issue with DWARF not marking object-oriented methods as a __thiscall. (GP-2904)
Exporter:XML. Corrected XML export bug that improperly output custom property values, such as Analysis Times, which was causing failure at time of subsequent import. (GP-1453)
GUI. Updated the Structure Editor's Create Structure from Selection action to work around a focus issue experienced by some users. (GP-3069, Issue #4066)
Importer. Improved support for loading old-style DOS MZ binaries. (GP-2210, Issue #1876, #1892, #254, #4318)
Importer:PE. Fixed an issue that prevented PE ordinal symbols from getting their true names resolved during headless mode import. (GP-2947, Issue #4821)
Importer:PE. Fixed an issue with label addresses in the PeLoader that occurred when sections had an uninitialized padding block appended to their initialized block. (GP-2948, Issue #4815)
Multi-User. Fixed svrAdmin to handle projects that contain a space character in the name. (GP-2852, Issue #4750)
PDB. Corrected a PDB Universal analysis regression error in Ghidra 10.2.2 that caused an internal anonymous function definition name to be set on a function instead of the function symbol name. (GP-2864, Issue #4842)
Processors. Fixed pcode for the PowerPC mtmsr instruction. (GP-2245)
Processors. Corrected flag updates for the z80 adc instruction. (GP-2882, Issue #4553)
Processors. Set 8051 bit-mapped SFR register range to volatile. (GP-2910, Issue #3061)
Processors. Fixed issue with x86 VEX prefix colliding with the LDS instruction. (GP-2959, Issue #4832)
Processors. Corrected implementations of x86 SHUFPS and PSHUFD instructions in ia.sinc. (GP-3023, Issue #4868)
Processors. Fixed ARM Thumb issues with ldr instructions disassembling as incorrect variants. (GP-3083, Issue #4959)
Version Tracking. Fixed ArrayIndexOutOfBoundsException encountered when using HashedFunctionAddressCorrelation for version tracking. (GP-2758, Issue #4683)

New in Ghidra 10.2.2 (Nov 15, 2022)

New in Ghidra 10.2.1 (Nov 13, 2022)

New in Ghidra 10.2 (Nov 3, 2022)

New Features:
Basic Infrastructure. Ghidra now requires JDK 17 to run. (GP-2132, Issue #4316)
Build. A CycloneDX Software Bill of Materials (SBOM) is now included with a Ghidra distribution. (GP-1782)
Data Types. Added getSelectedDatatypes() method to DataTypeManagerService to get a list of selected data types in the data type tree. (GP-1631)
Debugger. Added a basic Frida debugger connector. (GP-1681, Issue #3134)
Debugger. Added cursor header to Plot columns in Debugger's experimental Model window. (GP-2067)
Debugger. Added Choose Platform actions to Debugger. (GP-2163)
Debugger. Enabled debugging using Frida on USB/remote devices. (GP-2312)
Debugger. Added Map Manually action to Modules window. (GP-2474)
Debugger:Emulator. Userops can be defined using Sleigh or Structured Sleigh. (GP-1205)
Debugger:Emulator. Added Linux x86 (64- and 32-bit) read, write, open, close, exit, and exit_group syscalls to the emulation API. (GP-1208)
Debugger:Emulator. Added Taint Analyzer (development prototype). (GP-1230)
Debugger:Emulator. Added a skip instruction button to the emulator (Threads pane). (GP-2062)
Debugger:Emulator. Added prototype EmuDeskCheckScript to emulate and produce a table of expression values for each step. (GP-2289)
Debugger:Listing. Added toggle to automatically synchronize static and dynamic program selections; added actions to manually transfer selections between static and dynamic listings. (GP-1451)
Debugger:Listing. Can now have the Dynamic Listing and Memory windows follow the address of a watch. (GP-2581)
Debugger:Trace. Added Objects Manager to Trace API. (GP-1386)
Debugger:Trace. Added API for user-defined property maps on traces. (GP-2191)
Debugger:Watches. Added data type settings to Registers and Watches windows. (GP-1984)
Decompiler. A new Decompiler highlight service has been added, allowing clients to create highlights in the form of background colors for the syntax tokens in the Decompiler UI. Highlights apply to a full token and not strings of text. To highlight a token, you create a CTokenHighlightMatcher and pass it to the createHighlighter() method of the highlighter service. There is no limit to the number of highlighters that may be installed, and if multiple highlights overlap, their colors will blend. (GP-1435, Issue #2313)
Decompiler. The Decompiler now fully supports union data-types. (GP-1518)
Decompiler. A new Create Relative Pointer action is available from the main Decompiler pop-up menu. It creates pointers that have an offset relative to another data-type—typically a structure. Applying the action, the Decompiler can then follow and label accesses into the structure. (GP-1645)
Decompiler. The Format setting on a Typedef of an integer data-type now affects the display of constants in Decompiler output. A non-default setting forces the format for displaying constants of that data-type. (GP-1652, Issue #3004)
Decompiler. Decompiler line number margin now has fixed horizontal position. (GP-2446)
Extensions. A MachineLearning extension has been added. This contains a plugin for finding code and functions in a binary by training on functions which have already been found. (GP-2204)
Importer. Updated support for Android version 12.x (S): OAT v199, Vendor Boot Image v4, and FPBK v2. (GP-1461)
Importer. Created new Dump File Loader for Windows dump file formats. (GP-1864)
Importer. Added support for APPORT-style crash dumps (Ubuntu) to Dump File Loader. (GP-2049)
Importer. Added support for Android formats (ART, OAT, ODEX, DEX, CDEX, VDEX) and Dalvik VM Sleigh modules for each major Android release up to version 13.x (T). (GP-2060)
Listing. Added right-click menu Patch Data action for modifying bytes in the listing according to the unit's data type. (GP-1684)
Scripting. Added FlatDebuggerAPI interface for GhidraScripts to more easily access the Debugger's API. (GP-2189)
Improvements:
Analysis. Added detection of pop to the PC as a return in ARM binaries. (GP-634)
Analysis. PointerTypedefs are now used for Relative Pointers in the Objective_C2 small method data structures. Previously, the value was a DWORD and did not resolve to an address. (GP-1427)
Analysis. The Variadic Function Signature Override Analyzer now handles offcut references to format strings. (GP-2048, Issue #4256)
Analysis. Added to the list of known non-returning windows functions. (GP-2069, Issue #4181)
Analysis. Improved branch-through-a-register return pattern for ARM processor thunk creation. (GP-2391)
Analysis. Enabled Assume Contiguous Functions Only option in Shared Return Calls analyzer. Disabled by default for ARM processors because of use of BL for long jumps in Thumb mode. (GP-2534, Issue #4573, #678)
API. Added the ability to search for enum member usage. (GP-1514, Issue #1967)
API. Added recursive form of Function.getFunctionThunkAddresses() method. (GP-1692)
API. Improved namespace-based data type searching. Also added ability to specify a preferred root category for such searches on the Program API, which can be manipulated via the Program Information options panel. (GP-1994)
API. Eliminated methods from AddressMap interface which are intended for internal use only. (GP-2002)
API. Removed deprecated methods from ProgramPlugin. (GP-2663)
Basic Infrastructure. Updated Gson to 2.9.0. (GP-1909, Issue #3992)
Basic Infrastructure. Updated commons-compress to 1.21. (GP-1910)
Basic Infrastructure. Updated commons-io to 2.11.0. (GP-1911)
Basic Infrastructure. Upgraded commons-text to 1.10.0 and commons-lang3 to 3.12.0. (GP-2753)
C Parsing. Any open archives in the data type manager will be searched for any missing data types during parsing. In addition when parsing header files with open archives there are new options to Use, Don't Use, or Cancel parsing. (GP-1336, Issue #2119, #2885, #716)
Data Types. Updated the Data Types view Paste action to work when pasting on a data type node. (GP-1627, Issue #3568)
Data Types. Added a Home action to the Structure Editor to allow users to show the structure data type in the Data Types tree. Added the Show In Data Type Manager action to the data type nodes in the Data Types tree to allow users to associate types with an archive. (GP-1913)
Data Types. Modified DataType.clone(DatatypeManager) method implementations for StructureDB, UnionDB, FunctionDefinitionDB, and EnumDB to adhere to method documentation which states that a datatype will return the instance itself if its DataTypeManager is the same as the parameter specified. (GP-2236)
DB. Added persistent Name column to Breakpoints table. (GP-1559, Issue #3679)
Debugger. Added GDB connector support for Windows (tested with GDB 11.1 on msys64). (GP-869, Issue #2908)
Debugger. Debugger and Python Interpreter windows now support ANSI colors and styles. (GP-887, Issue #4176)
Debugger. Revised Debugger icons for visual contrast and action clarity. (GP-1538)
Debugger. Added Watch action to Listing, Memory, and Registers context menus. (GP-1560, Issue #3680)
Debugger. Dynamic Listing, Bytes, Registers, and Watches windows all now support editing the machine state. Edits can be directed to the Target, the Trace, or the Emulator. (GP-1584)
Debugger. Upgraded SWIG to match lldb v14. (GP-1760)
Debugger. Added Symbol column to Watches window. (GP-1773)
Debugger. Reworked the breakpoint state system and icons. (GP-1821)
Debugger. Improved breakpoint initialization. (GP-1824)
Debugger. Updated program user data to preserve command-line arguments. (GP-1886)
Debugger. Minimized the number of registers read for dbgeng; eliminated error messages. (GP-1898)
Debugger. Fixed issues with Debugger when dbgeng/dbgmodel connectors load/debug crash dumps. (GP-2023)
Debugger. Improved launcher logic for detecting and remedying trace recording and module mapping failures. (GP-2036)
Debugger. Added remote options to IN-VM dbgeng and dbgmodel connectors, like those for the GADP variants. (GP-2135)
Debugger. Added Track Program Counter (by Stack) and Track Program Counter (by Register) options to Dynamic Listing and Dynamic Memory. (GP-2462)
Debugger:Breakpoints. Improved error feedback for some failures in toggling/enabling (unmappable) breakpoints. (GP-2243)
Debugger:Emulator. Userop library callbacks can now receive more context via annotated parameters. (GP-1203)
Debugger:Emulator. Changed the display of the PcodeStepper window to look like the PCode field in the Listing windows. (GP-1535)
Debugger:GDB. Updated the GDB connector to support version 12.1. Now parses flags for memory map. (GP-2089, Issue #4297)
Debugger:GDB. Added GDB scripts for getting memory map of remote Wine win32 targets. (GP-2495, Issue #4546)
Debugger:GDB. Ported GDB connector to use JNA. (GP-2619)
Debugger:Listing. Added marker margin and overview to the Dynamic Listing window. (GP-1433)
Debugger:Listing. Changed priority so that PC highlights are over breakpoint highlights. (GP-2294)
Debugger:Mappings. Added Map Regions actions to Debugger. (GP-1231)
Debugger:Objects. Creating fewer unsolicited error popups in Debugger by logging these errors to the console. (GP-1329, Issue #3452)
Debugger:Trace. Made address encoding in traces more compact. (GP-2437)
Debugger:Trace. Handling Trace version exceptions more gracefully. Presents a clearer error dialog. (GP-2452)
Debugger:Trace. Simplified Trace database API: Register spaces are no longer a special interface. (GP-2479)
Debugger:Trace. Optimized trace memory access for Dynamic Listing and Memory windows. (GP-2593)
Debugger:Trace. Fixed a possible deadlock in the Trace database. (GP-2595)
Debugger:Watches. Repr column is now modifiable in Registers and Watches windows for supported data types. (GP-1881)
Decompiler. A prototype model, as defined by the tag in a compiler specification, can now be assigned multiple names. The names can be used interchangeably when assigning a calling convention to a function. (GP-1653)
Decompiler. The Decompiler now uses proper syntax when extracting small fields from packed structures. (GP-1683)
Decompiler. Added Decompiler support for the address space attribute on pointer typedefs. (GP-1932)
Decompiler. Updated windows calling convention on x64 to properly handle functions with both floating-point and integer/pointer arguments. Users should re-import and analyze programs with such functions. (GP-1954, Issue #1480, #2952)
Decompiler. The Decompiler better simplifies multi-part boolean expressions that are built using a status register. (GP-2281, Issue #620)
Decompiler. The Decompiler now supports simplification of more forms of optimized modulo/remainder calculations. (GP-2292, Issue #4322)
Decompiler. The Decompiler now uses a new, more efficient protocol to communicate with the rest of Ghidra. (GP-2358)
Decompiler. Auto-generated stack variable names in the Decompiler now show offsets in hexadecimal format. (GP-2486, Issue #4442)
Decompiler. Changed the Decompiler Rename Function action so that if applied to a thunk, the underlying thunked function is renamed instead of the thunk itself. In most cases the rename should be applied to the thunked-function instead of the thunk itself. (GP-2520, Issue #4566)
Decompiler. The Decompiler now displays reads from or writes to volatile variables using simple assignment syntax instead of functional syntax. (GP-2578)
Decompiler. Improved handling of _guard_dispatch_icall and other functions that inject an indirect call into the Decompiler. (GP-2601, Issue #1719, #4591)
Demangler. Added second-pass processing for non-standard Microsoft Demangler forms found in LLVM mangling scheme. (GP-1725, Issue #1162)
Demangler. Improved post-analysis pop-up error messaging. (GP-2429)
Demangler. Changed symbol demanglers to place anonymous function definitions into the /Demangler/!_anon_funcs_ category using a revised naming convention consistent with PDB with a _func_ name prefix. Changed DWARF to use this same anonymous function definition name prefix. (GP-2557)
Demangler. Improved demangling after File -> Load PDB File... task by kicking off standard demangler analyzer instead of the DemanglerCmd. This should improve consistency in Demangler output across a program. (GP-2648)
DWARF. Relaxed DWARF analyzer's requirement of a register-mapping file in order to allow attempted import of function definitions when missing. (GP-1833)
DWARF. Added support for compressed DWARF sections. (GP-2106)
DWARF. Improve DWARFs handling of explicitly sized data types (e.g., int32_t). Added Try To Pack Structs option to DWARF analyzer to enable packing of structure/union data types created by the analyzer. (GP-2526)
Eclipse Integration. The GhidraDev Eclipse plugin now requires Java 17 and Eclipse 2021-12 4.22 or later. (GP-2398, Issue #4496)
Exporter. Updated IDA Pro plugins compatibility for python 3. The plugins remain compatible with python 2. (GP-2567, Issue #1327, #1618, #2642)
Graphing. Created Graph Data Flow action in Decompiler window menu and renamed existing graph action from Graph AST to Graph Control Flow. (GP-1704)
GUI. Fixed dialog text and icon clipping seen on some Linux distributions. (GP-1534, Issue #1506)
GUI. Updated Enum Editor to scroll while using the arrow keys when in edit mode. (GP-1553, Issue #3669)
GUI. Fixed ordering of automatic comments in the Listing. (GP-1568, Issue #3648)
GUI. Updated the UI to allow for setting equate values when an enum has more than one name mapped to a particular value. (GP-1572, Issue #3618)
GUI. Add Shift-key modifier to Previous/Next toolbar buttons that invert the action to jump the cursor to functions, labels, data items, etc. (GP-1578)
GUI. Updated the GTree to allow new nodes to be created while a filter is applied. (GP-1615)
GUI. Added new Mark and Select action that allows users to create selections in a two-step process. The first time the action is invoked, the current location is marked. The next time the action is invoked, a selection is created from the marked location to the current location. (GP-1616)
GUI. The Go To... dialog now supports navigating to file offsets with a file(n) search string, and a new File Offset field has been added to the Listing (disabled by default). (GP-1756)
GUI. Created the new Script Quick Launcher Dialog. (GP-1826)
GUI. Selecting nodes in the ProjectDataTreePanel was made more efficient. This is only noticeable when there is a very large number of programs in a project. (GP-1931)
GUI. Added the Offset table column to the Structure Editor. This column is hidden by default, but can be added by right-clicking on the table's column header. (GP-1943, Issue #3850)
GUI. To reduce memory consumption, revised Symbol Table GUI to avoid hanging onto symbol objects. In some cases this may reduce the speed with which the symbol table updates. (GP-2030)
GUI. Changed Structure Editor Duplicate Component and Duplicate Multiple of Component... actions to select the last component; this allows for repeated uses of the action via key-binding. (GP-2095, Issue #4229)
GUI. Updated the Data Type Manager's right-click menu Replace... action on a selected data type to have a clearer purpose by prompting the user to confirm the replace action. (GP-2405, Issue #4463)
GUI. Updated popup menu key event processing to not apply to combo boxes. (GP-2491, Issue #4545)
GUI. Added the new Does Not Match Regex table column filter to allow clients to show table rows that do not match the given regular expression. (GP-2582, Issue #4608)
GUI. Added the TableChooserExecutor.executeInBulk() method to allow script writers to process multiple selected table rows themselves instead of one at a time. (GP-2583, Issue #4609)
GUI. Updated the XRefs Dialog to allow users to show xrefs to thunk functions. (GP-2594, Issue #3851)
GUI. Updated the Search Memory Dialog to allow users to paste hex values that begin with 0x. (GP-2622, Issue #4623)
GUI. Updated the Instruction Info window to allow users to select and copy cells from the table. (GP-2631, Issue #4626)
GUI. Updated the Component Providers' drop-down button to allow users to add a keybinding to show the popup menu. (GP-2637, Issue #4625)
Importer. Added support for Android Multi-DEX. Created new Android APK loader to load all DEX files at one time and link the method_lookup sections using external references. The APK loader uses the manifest file to determine the Android version. (GP-275, Issue #4276)
Importer. Permanently removed the ContinuesInterceptor, which had allowed the import process to proceed past uncaught exceptions that could be encountered while parsing corrupted headers. (GP-1907)
Importer. The NeLoader now creates memory blocks using the FileBytes API which enables the file offset Listing field and lookup in the Goto dialog. (GP-2521, Issue #4565, #4570)
Importer. Redesigned the Importer's load library option set. The user now has finer-grained control over where libraries are loaded from, as well as how many libraries are loaded. (GP-2541)
Importer. Redesigned the Importer's load library option set. The user now has finer-grained control over where already-imported libraries are searched for in the project, as well as where newly imported libraries are saved to in the project. (GP-2604)
Importer:ELF. Added ELF import-processing of symbols defined in the .gnu_debugdata section. (GP-1592, Issue #1659)
Importer:ELF. Improved ELF import-processing and logging of missing/truncated headers. (GP-1605, Issue #3507)
Importer:ELF. Improved ELF Importer to handle extended program and section header counts (e_phnum, e_shnum) which may be encountered for large core/memory dump files in ELF format. (GP-1936, Issue #4149)
Importer:Mach-O. We now discover more Mach-O functions via the LC_FUNCTION_STARTS load command. (GP-1460, Issue #3586, #3668)
Importer:Mach-O. Improved symbols and exports in Mach-O and DYLD shared cache files. (GP-2008, Issue #2932)
Importer:Mach-O. Improved the Program Tree for Mach-O, DYLD shared cache, and PRELINK files. (GP-2019)
Importer:Mach-O. The Objective-C Class Analyzer now works with dyld_shared_cache files. (GP-2113)
Importer:Mach-O. Improved processing to support changes in iOS 16 and macOS 13 dyld_shared_cache format. (GP-2176, Issue #4346, #4406)
Importer:PE. The Thread Environment Block (TEB) is now automatically populated by an analyzer for PE format programs on x86. (GP-527)
Importer:PE. Added label for _tls_index. (GP-2166, Issue #4285)
Jython. Upgraded Jython to 2.7.3. (GP-2324, Issue #107)
Listing. Added trailing comma on global arrays display. (GP-2165, Issue #4261, #4287)
Multi-User. Improved svrAdmin command for controlling repository access. Eliminated -admin option while adding -grant and -revoke options. (GP-394, Issue #1703, #2467)
Multi-User. Eliminated use of ganymed-ssh2 library in favor of Bouncy Castle library suite. Improved Ghidra Server SSH authentication error reporting. (GP-1769)
Multi-User. The svrAdmin(.bat) script will now run under a JRE in addition to a JDK. (GP-2301, Issue #4394)
Multi-User. Improved Edit Shared Project Information capability which now handles case where user may have checked-out files and is unable to checkin or terminate them when unable to connect to old server (e.g., server name or IP address has changed). (GP-2496)
Multi-User. Upgraded Ghidra Server service wrapper (YAJSW) to 13.05. (GP-2754)
PDB. Crafted additional mechanisms for determining segment addresses. (GP-1777, Issue #3993)
PDB. When PDB has no type information, changed processing order so that mangled symbols become primary symbols, encouraging recovery of their limited type information. (GP-2385, Issue #4489)
PDB. Improved PDB Universal function creation, to include unknown calling convention when a custom calling convention is indicated and noreturn when indicated for a function. Also added initial support for some MIPS and IA64 processors called out in PDB. (GP-2505)
Processors. Implemented semantics for x86/64 POPCNT instruction. (GP-1780)
Processors. Updated ARM Processor specification to V9.3. (GP-1790, Issue #4655)
Processors. Added conditional assignment macro to x86 processor module. (GP-1819)
Processors. Implemented Coldfire bitrev, byterev, and ff1 instructions. (GP-2195, Issue #4270)
Processors. Generalized the 6502 processor spec file. (GP-2332, Issue #1533, #3434)
Processors. Added SLEIGH support for inst_next2, which can be used to implement conditional skip-next-instruction cases in the language spec. (GP-2480)
Processors. Added mips-eabi compiler specification. (GP-2734, Issue #3633, #3634)
References. Added support for use of Pointer-Typedef with Offset setting to signal creation of an OffsetReference. Modified ELF relocation handler to create such pointers for certain relocation types known to be associated which offset-data pointers. Improved Listing operand markup for rendering of OffsetReferences. Took special measures for such data references into the EXTERNAL memory block to remedy XRef and navigation issues. (GP-1036)
References. Reference-finding actions in the Decompiler now work properly when applied to global variables. (GP-1880)
References. CALLOTHER_OVERRIDE_CALL references now cause the inputs of the original CALLOTHER op to be discarded. (GP-2206, Issue #3665, #3936)
Scripting. Upgraded Apache Felix to 7.0.3. (GP-1326, Issue #3450)
Scripting. Improved class recovery discovery mechanisms for determining deleting destructors and clones. (GP-1581)
Scripting. ApplyClassFunctionDefinitionUpdatesScript has been improved to allow users to choose function definition(s) from the Data Type Manager to apply updates from. Previously, users had to put a cursor somewhere in the related class and possibly get possibly unwanted updates from unchanged definitions in selected class(es). (GP-1660)
Scripting. Added a search filter to RunYARAFromGhidra.py to include .yara files. (GP-1794)
Scripting. RecoverClassesFromRTTIScript has been updated to make use of the new shifted pointer data types where applicable. (GP-1947)
Scripting. Updated RecoverClassesFromRTTIScript to prevent it from running more than once on the same program. (GP-1962)
Scripting. Added FixElfExternalOffsetDataRelocationScript to be used in updating EXTERNAL offset data relocations flagged by an ELF Relocation ERROR bookmark. These locations now support the use of an offset pointer-typedef and a resulting offset-reference. (GP-1963)
Scripting. The RecoverClassesFromRTTIScript has been updated to make use of the new program setting allowing use of a preferred data type category for class structure assignment. Due to this change, there is no longer any need to remove existing class structures in order to use those created by this script, so all code related to replacing, other class structures, has been removed. (GP-2010)
Scripting. Added CallotherCensusScript, which determines the most frequent instructions with (partially) unimplemented semantics in a single program or across an entire repository. (GP-2072)
Scripting. Improved RecoverClassesFromRTTIScript to distinguish between and name deleting destructors as either scalar or vector ones or both in Windows programs. (GP-2075)
Scripting. Updated the Script Manager to not close dialogs when the manager is closed. (GP-2216, Issue #4363)
Scripting. Added createNamespace and createClass methods to FlatProgramAPI for Ghidra script use. (GP-2482, Issue #4446)
Search. Added the ability to search for structure fields by offset. (GP-1556)
Search. Added Navigate to Matching Byte Values action to the main toolbar to find the next matching byte value of the item under the cursor. (GP-1679)
Testing. Upgraded hamcrest to 2.2. (GP-1993)
Testing. Upgraded pcodetest build scripts to python 3. (GP-2138, Issue #4307)
Testing. Upgraded Jacoco to 0.8.8. (GP-2208)
Bugs:
Analysis. Fixed Windows x86 PE RTTI Analyzer to not duplicate labels on type_info vftables when PDB is present. (GP-854)
Analysis. Fixed long-standing issue with incorrectly named RTTI Type Descriptor symbols; also added correct class namespace. (GP-1703)
Analysis. Fixed issue where, when opening an non-analyzed program with one tool and that tool is connected to another tool, multiple ask-to-analyze dialogs would appear. (GP-1860)
Analysis. The Java Analyzer now parses MethodParameters attributes and gracefully handles unknown or unsupported attributes instead of throwing a RuntimeException. (GP-2012, Issue #4089)
Analysis. The Variadic Function Signature Override analyzer now handles wide-character format strings which are not defined data. (GP-2016, Issue #4165)
Analysis. Improved heuristics used to find strings in the Variadic Function Signature Override analyzer. (GP-2070, Issue #4154, #4281)
Analysis. Improved forced thunk creation from function start patterns files and fixed NullPointerException when thunk analysis got ahead of disassembly. (GP-2378, Issue #4369)
Analysis. Fixed bug in Variadic Function Signature Override analyzer involving examining too many function arguments. (GP-2384, Issue #4478)
Analysis. Changed Analysis to not mark class methods as noreturn unless they are included in the non returning function list as a mangled name. (GP-2471, Issue #2130, #4531)
Analysis. Added switching function identification for ARM RealView compiler. (GP-2504)
Analysis. Fixed an IllegalStateException in the FunctionStartAnalyzer that could occur for ARM thumb binaries. (GP-2543)
Analysis. Corrected Decompiler Switch Analysis issue which could prevent proper function body fixup to include switch code. (GP-2554)
Analysis. Fixed code to use the functions calling convention when computing the stack purge. X86 16-bit binaries now correctly display the correct value in the stack depth listing field. (GP-2683, Issue #4294)
API. Fixed issue where storing a register context across the entire address space had issues if the image base was a non-zero value. There were also numerous other issues that were uncovered, related to this context/image-base issue change, that were also fixed. (GP-1778)
API. Corrected improper instruction context read which could cause issues with delay-slot instructions that rely on context. (GP-2094, Issue #4259)
Assembler. Fixed issue with assembler referring to external functions via the IAT or PLT. (GP-615, Issue #2670)
Assembler. Refactored Assembler. Fixed issue assembling for x64 in 32-bit compatibility mode. (GP-1426)
Assembler. Made Assembler fields obey Listing Display font settings. (GP-1664)
Basic Infrastructure. Fixed an IllegalArgumentException that occurred when initializing 1-byte uninitialized memory blocks. (GP-2523)
C Parsing. Fixed numerous errors in C-Parser, including updated C specification syntax, macros with varargs, anonymous arrays of function pointers, and array definitions. Also providing better error handling. In addition data types in open archives can be used during parsing. (GP-1979, Issue #1455, #1784, #1940, #3908, #3996, #4184, #4377, #4491, #4517)
CParser. C-Parser handles arrays of function pointers and anonymous function signatures correctly. (GP-2258, Issue #3908, #4351)
CParser. C-Parser now accepts static_assert keyword in more places, such as within structure definitions. (GP-2273, Issue #4401)
CParser. C-Parser grammar fixed to parse #pragma keyword in more places such as within enum declarations. (GP-2646, Issue #4628)
CParser. C-Parser now defines a placeholder structure name early in parsing. (GP-2692, Issue #3505)
CParser. Fixed expansion of macros with missing arguments, concatenated string constants, const after type specification, and #pragma found in function calls. (GP-2746, Issue #2896, #4660, #4676, #4677)
Data Types. Added support for pointer typedefs with various settings. (GP-1403)
Data Types. Corrected issues within structure/union editor when specifying a component whose datatype is a pointer to the edited structure (i.e., pointer-to-self). (GP-2134, Issue #3721)
Data Types. Added validation to EnumDataType.setLength(). (GP-2689, Issue #4654)
DB. Corrected JVM shutdown issue which could cause database recovery files to be discarded. (GP-1787, Issue #3994)
Debugger. Fixed occasional, spurious goto-PC when navigating in Debugger listing. (GP-385)
Debugger. Eliminated redundant calls to startRecording. (GP-1443, Issue #3559)
Debugger. Fixed compatibility issue with GDB 11 regarding module and section list. (GP-1666)
Debugger. Corrected Debugger address space mismatch and NullPointerException errors. (GP-1757, Issue #4022, #4023, #4024, #4025)
Debugger. Fixed for numerous failures in dbgeng. (GP-1812, Issue #4059)
Debugger. Fixed problem with memory refresh in dbgeng/dbgmodel targets. (GP-1852, Issue #4059)
Debugger. Fixed a DomainObject deadlock. (GP-1859)
Debugger. Fixed consistency issues when saving/loading target-launch command-line options. (GP-1866, Issue #4106)
Debugger. Fixed bug when refreshing target memory in dbgeng/dbgmodel connectors. (GP-1893, Issue #4112)
Debugger. Fixed register-update failures. (GP-1971)
Debugger. Fixed several bugs in the debug launch target monitor dialog. (GP-2102)
Debugger. Made miscellaneous fixes for errors in the JDI debugger. (GP-2253)
Debugger. Fixed a NullPointerException that occurred when closing the Debugger tool. (GP-2387)
Debugger. Fixed issue with Debugger module list when connected to GDB 10.1 on Debian Bullseye. (GP-2533, Issue #4583)
Debugger. Fixed issue in module list with gdb-11 and later. (GP-2727)
Debugger:Breakpoints. Fixed a bug that caused unexpected behavior when toggling a breakpoint while the cursor is in the Bytes field of the Listing. (GP-2725)
Debugger:Breakpoints. Fix address of watchpoints in GDB. (GP-2726)
Debugger:Emulator. Fixed spurious Emulate read from uninitialized state warnings when P-Code Stepper window is active. (GP-1650)
Debugger:Emulator. Fixed display of internal p-code labels in Pcode Stepper window. (GP-1883)
Debugger:Emulator. Fixed NullPointerException that occurred when adjusting the register-tracking setting on the Dynamic Listing window. (GP-1905)
Debugger:Emulator. Fix bug in Taint analyzer with INT_ZEXT and INT_SEXT. (GP-2489)
Debugger:Emulator. Fixed issue with emulator writing values at space's max address. (GP-2490)
Debugger:GDB. Fixed GDB connector, making it properly parse escaped strings. (GP-1953, Issue #4169)
Debugger:GDB. Fixed AddressOutOfRange issues when GDB's info proc mappings fails on 32-bit and smaller targets. (GP-2241, Issue #4345)
Debugger:GDB. Fixed GDB model so that patching PC updates the listing highlight. (GP-2635)
Debugger:Mappings. Fixed address/range arithmetic in Static Mapping service. (GP-2011)
Debugger:Memory. Fixed font coloring in Dynamic Memory window to indicate changes in the same manner as other Debugger windows. (GP-1890)
Debugger:Memory. Fixed auto-read-memory to work with the Force Full View toggle. (GP-2033)
Debugger:Objects. Fixed NullPointerException in ObjectTree. (GP-2004, Issue #4221)
Debugger:Trace. Fixed Trace API to handle NO_ADDRESS. (GP-2430)
Decompiler. Fixed stack trace sporadically encountered when clicking Decompiler brace tokens. (GP-1602)
Decompiler. Fixed issue with re-data-typing a variable via the Decompiler window in a big-endian binary. (GP-1673, Issue #2809, #3776)
Decompiler. Refactored handling of overlays in the Decompiler to address issues causing it to lose references and enumerations. (GP-1818, Issue #2680, #3900)
Decompiler. Decompiler now appends a size suffix to integer tokens when necessary. (GP-1922, Issue #3592)
Decompiler. The Decompiler now prevents over-propagation of register values that could misleadingly cause global variable assignments to be reordered. (GP-1997)
Decompiler. Fixed a bug in the Decompiler variable hashing system that caused Rename and Retype actions in the Decompiler window to fail. (GP-2006)
Decompiler. Fixed bug causing Bad storage node error when using the Split Out As New Variable action on register pairs. (GP-2027, Issue #4186)
Decompiler. Added key bindings to allow users to navigate to enclosing braces in the Decompiler. See the Decompiler tool options for details. (GP-2090, Issue #4264)
Decompiler. Improved switch analysis, specifically for when constants are stored on the stack. (GP-2359)
Decompiler. Patched comparison error that could cause the Decompiler to crash during variable merging. (GP-2466, Issue #4450)
Decompiler. Fixed bug preventing the Decompiler from seeing certain pointer aliases on to the stack in segmented architectures. (GP-2515, Issue #4529)
Demangler. Fixed issue where changes to the Microsoft Demangler Apply Function Calling Conventions option were not being honored. (GP-2542, Issue #4590)
Diff. Corrected Program Diff to properly ignore ordering differences of non-primary labels at a given address. (GP-2558)
Disassembly. Fixed issue with disassembling an instruction that contains a delay slot that is at the end of an address space. (GP-1668, Issue #3840)
Documentation. Renamed ReloadSleighLangauge.java script to ReloadSleighLanguage.java. (GP-1772)
DWARF. Improved naming of DWARF anonymous structures and unions to fix .conflict-matching issues. (GP-1500)
DWARF. Fixed bad ordering of function parameters when importing DWARF info. (GP-1682, Issue #3874)
DWARF. Fixed DWARF analyzer to support Mach-O .o binaries. (GP-2698, Issue #4659)
Eclipse Integration. Fixed an issue in the GhidraDev Eclipse plugin that could cause old extensions to incorrectly remain on the Ghidra project classpath after performing a Link Ghidra operation. (GP-1733)
FileSystems. Enhanced Ghidra's zip file system to fall back to Java's built-in zip file support when 7-Zip's native libraries fail to load. (GP-1697, Issue #3904)
FileSystems. Fixed issue with 7-Zip native library extraction during initialization that caused core dumps in other Ghidra processes running on the same host. (GP-1770)
FileSystems. Fixed issue handling zip files that contain a file with a blank name. (GP-1944, Issue #4128)
FileSystems. Fixed a hash has changed IOException that would sometimes occur when extracting .dylib files from a dyld_shared_cache file system. (GP-1986, Issue #4208)
FileSystems. By disabling free space checking, fixed problem that occurred when trying to query the available free disk space when in a Linux/Unix chroot environment. (GP-2078, Issue #4291)
Graphing. Updated the Function Call Graph to only save graph view information when visible. (GP-2514, Issue #4564)
Graphing. Corrected potential HTML injection vulnerability for the Graph Service vertex labeling. (GP-2716)
GUI. Fixed GUI lag issues on Windows in the file chooser that occurred when resizing the dialog in a directory with a large number of files. (GP-1634)
GUI. Fixed Ghidra's file chooser to allow refreshing the root locations in My Computer. (GP-1635)
GUI. Fixed bug that triggered a tool Save Tool - Possible Conflict dialog when using multiple tools. (GP-1637)
GUI. Updated the Choose Program dialog to focus the filter field by default so users can start filtering when the dialog opens. (GP-1745)
GUI. Updated the field at the bottom of the tool that displays the current instruction. Now, when the cursor is on a data item, the field shows the current datatype and size instead of being blank. (GP-1803)
GUI. Fixed issue where newly opened programs didn't have their datatypes tree apply any existing filter. (GP-1897)
GUI. Added Ctrl-C/V/X key bindings to the Motif Look and Feel text widgets. (GP-1972)
GUI. Corrected bad action description in the Log Viewer window. (GP-1975, Issue #4198)
GUI. Fixed NullPointerException that occurred when making a selection in the Table Chooser Dialog. (GP-1982, Issue #4204)
GUI. Fixed bug in IntegerTextField when pasting text that doesn't pass internal validation. This could result in an internal corrupted state. (GP-2000)
GUI. Improved the file chooser to not hang the GUI if there are slow file system root locations (drive letters) present. (GP-2059)
GUI. Updated tree and table filters to support undo/redo via Ctrl-Z and Ctrl-Y. (GP-2186)
GUI. Fixed rare exception seen while closing the tool just after a long reference search. (GP-2265)
GUI. Fixed an issue that prevented the One Shot analyzers from being enabled when the Listing did not have focus. (GP-2318, Issue #4589)
GUI. Fixed an IndexOutOfBoundsException in the Listing when the XREF Group by Function option is toggled on and Maximum Number of XREFs to Display is set to 1. (GP-2328, Issue #4445)
GUI. Fixed a NullPointerException that occurred when using the Go To dialog. (GP-2388)
GUI. Corrected Function Editor's Custom Storage editor dialog issues that prevented proper editing behavior. (GP-2483, Issue #4492)
GUI. Fixed a NullPointerException in the Patch action's auto-complete text field. (GP-2616, Issue #4604)
Headless. Fixed analyzeHeadless.bat reporting that Maximum setlocal recursion level reached when a large number of command line arguments were specified. (GP-1735)
Headless. Fixed wildcard '*' path expansion not working properly when calling headless from Linux/macOS. (GP-2209, Issue #3409, #4500)
Help. Fixed issue of help window not opening when help was missing. (GP-2409)
Importer. Fixed NullPointerException in GzfLoader encountered when importing a GZF embedded in a ZIP file. (GP-1667)
Importer. Fixed infinite loop in import dialog that occurred when verifying filename with leading tilde (~) character. (GP-1849, Issue #4034)
Importer. When importing a file, the internal program name has been changed to reflect the name of the imported file and not the user-selected file name where Ghidra stores the program in the project. Ghidra programs have two names; the internal name and the file storage name. The file storage name must be unique within a project. The internal name can be retrieved using program.getName() and the storage name can be retrieved using program.getDomainFile().getName(). (GP-1876)
Importer. External library links produced by the NeLoader are now working correctly. Libraries can now be discovered when loaders specify that library filename extensions are optional. (GP-2497, Issue #2063, #2233)
Importer. Case-insensitive library lookup now works for already-imported libraries. (GP-2498, Issue #906)
Importer. Libraries are now properly recursively imported. (GP-2510, Issue #110)
Importer. Fixed OMF comment record parsing. (GP-2528, Issue #3780, #4560)
Importer:ELF. Added -applyArmElfRelocPCBias import option for relative relocation processing to account for differences in how tool-chains factor in the bias value. (GP-2041)
Importer:ELF. Corrected processing of ELF REL type relocations for R_ARM_JUMP24, R_ARM_CALL and R_ARM_PLT32. (GP-2350, Issue #4455)
Importer:ELF. Fixed problem reading Elf32 binaries that were missing certain sections. (GP-2577, Issue #4605)
Importer:ELF. Corrected MIPS ELF .plt.got markup error which could prevent import. (GP-2592, Issue #4602)
Importer:ELF. Corrected ELF MIPS-64 bit data relocation processing issue for R_MIPS_REL32 and R_MIPS_32. (GP-2678, Issue #4633)
Importer:ELF. Corrected ELF relocation table processing to handle statically linked binaries. (GP-2703)
Importer:ELF. Corrected ELF Import processing of symbol table when associated string table is missing. Previously caused exception. (GP-2744, Issue #4680)
Importer:ELF. Added support for ELF DT_GNU_XHASH symbol hash table. (GP-2749, Issue #4649)
Importer:PE. Fixed several bugs in the PE menu resource parser. (GP-1806, Issue #4017, #4018, #4020, #4021)
Importer:PE. Fixed incorrect PE driver COFF symbol offsets. (GP-1933, Issue #3564, #4139, #4168)
Importer:PE. Changed PE loader to label values found in PE header as PE Property[propertyname] instead of just bare propertyname when inserting the information into the program info list. (GP-2343, Issue #4452)
Importer:PE. Fixed an issue in the PeLoader that sometimes prevented symbols imported by ordinal from getting correctly labeled with their name. (GP-2422, Issue #4474)
Importer:PE. Fixed PE Header PdbInfo structure creation to have correct PDB pathname length. (GP-2428, Issue #4501)
Importer:PE. PE DebugDirectory entries with type IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS are now supported. (GP-2453, Issue #4502)
Importer:PE. Removed setting of TMode in PELoader for ARM PE files. Relying on the default setting of TMode from language variant selection at time of import. (GP-2525)
Listing. Fixed bug that showed incorrect references when double-clicking the XREF text in the Listing. (GP-1891)
Listing. Updated the Go To dialog to respect the tool option that restricts searches to the current program. (GP-2296)
Multi-User. Corrected ConcurrentModificationException condition on Ghidra Server when cleaning-up stale connection registrations. (GP-2441)
PDB. Fixed PDB Universal static local variable processing. (GP-1023)
PDB. Fixed calculation of number of files contributing to a module. (GP-1775)
PDB. Fixed a NullPointerException that would occur when a PDB did not have DebugInfo. (GP-1827)
Processors. Added support for ELF PowerPC R_PPC_EMB_SDA21 relocation and implemented lq instruction pcode. (GP-713, Issue #890)
Processors. Corrected issue with avr32 abs instruction using the floating-point abs pcode operator. (GP-1165)
Processors. Corrected semantics for ARM vcvt instruction. (GP-1503, Issue #3418)
Processors. Fixed TriCore jl instruction semantics. (GP-1638, Issue #3552)
Processors. Corrected carry flag semantics for the M68000 addx instruction. (GP-1644, Issue #3818)
Processors. Reduced complexity of several PA-RISC floating-point instructions. (GP-1656)
Processors. Corrected semantics for x86 FST instruction. (GP-1694, Issue #3894, #3895)
Processors. Corrected missing register definition in V850 processor. (GP-1701, Issue #3865)
Processors. Corrected register operand list for ARM vsub instruction. (GP-1712, Issue #3943, #3944)
Processors. Added undocumented x86 ffreep instruction. (GP-1722, Issue #3883)
Processors. Corrected ARM Neon vraddhn disassembly. (GP-1736, Issue #3978)
Processors. Simplified the TriCore st.t instruction semantics. (GP-1746, Issue #2326)
Processors. Fixed minor issue with TriCore sleigh file missing closing endif statement. (GP-1762, Issue #4029)
Processors. Corrected semantics of ARM bfi instruction. (GP-1763, Issue #4011)
Processors. Fixed some bugs involving JVM switch instructions and JVM switch analysis. (GP-1774, Issue #3980, #3981)
Processors. Included VPFv4 instructions in the ARM language. (GP-1817, Issue #2498, #3222)
Processors. Fixed punctuation consistency issue for ARM instructions with register lists. (GP-1837)
Processors. Fixed disassembly of M68000 fmod caused by manual typo. (GP-1946, Issue #4131)
Processors. Implemented previously unimplemented M68000 pack and unpk instructions. (GP-2014, Issue #4223)
Processors. Fixed an issue with the RISC-V pattern constraints filename. (GP-2046, Issue #4002, #4003)
Processors. Fixed incrementing of the stack pointer in 6502 PLP instruction. (GP-2092, Issue #4249)
Processors. Fixed Coldfire tpf instruction to not consume trailing bytes, which may be valid instructions. (GP-2104)
Processors. Fixed the TI MSP430 RPT instruction to use correct operand types. (GP-2112)
Processors. Fixed RISCV 64-bit long datatype size and alignment. (GP-2161, Issue #2590)
Processors. Fixed register zero reads in microMIPS and MIPS16. (GP-2162)
Processors. Fixed x86 SLEIGH issues that caused disassembly errors in various instructions. (GP-2196, Issue #4344)
Processors. Corrected semantics for SuperH trapa instruction to properly dereference the vector address. (GP-2344, Issue #4396, #4477)
Processors. Renamed avr8 W register to R25R24. (GP-2499, Issue #4516)
Processors. Corrected issue with ARM ldrht, ldrsbt, ldrsht, and strht not disassembling. (GP-2536, Issue #4582)
Processors. Corrected port addresses in ATmega256 for MAFCR0 and MAFPA2L. (GP-2538, Issue #4592)
Processors. Corrected error in 6809 extended-address bit pattern. (GP-2562, Issue #4600)
Processors. Corrected missing S bit in ARM thumb BIC instruction. (GP-2696)
Processors. Added missing parentheses in 6502 indirect JMP instruction. (GP-2701, Issue #783)
Processors. Corrected several instances of ARM instruction parse conflicts. (GP-2718)
References. References in Byte-Mapped memory blocks will now be created correctly. (GP-2420)
Scripting. Added the script setReusePreviousChoices(boolean) method to allow script writers to not reuse the last-entered values in the various ask dialogs. (GP-1743, Issue #3937)
Scripting. Improved script error handling during load and initialization. (GP-2618)
Sleigh. Fixed a bug causing incorrect p-code to be generated when implementing the behavior of a SLEIGH bitrange operator applied to a dynamic symbol. (GP-1583, Issue #3716)
Testing. Fixed issue with pcodetest generation when test directory does not exist. (GP-2091, Issue #4239)
Version Tracking. Fixed a bug in Version Tracking where calling conventions were no longer being applied when applying function signature markup from the source to the destination program. (GP-1045)

New in Ghidra 10.1.5 (Jul 27, 2022)

Improvements:
Analysis. Changed disassembly of interrupt vectors with pointers to be consistent with interrupt vectors with code, specifically for ARM-cortex-embedded binary disassembly. (GP-2080, Issue #4263)
Processors. Added HC-12 processor support with a Flat 16-bit memory model by splitting HCS12X into HC-12, HCS-12, and HCS-12X processors. (GP-1716, Issue #1570, #4016)
Processors. Added ability to specify byte-mapped and overlay memory blocks from processor specification (*.pspec). (GP-2133, Issue #2703)
Processors. Added PowerPC e500 processor variant. (GP-2272)
Processors. Added support for AARCH64 ilp32 variant. (GP-2355)
Bugs:
Analysis. Fixed function purge setting for x86 16-bit functions using RETF to return. (GP-2103, Issue #4293)
Analysis. Protected use of tmodeReg value in ArmAggressiveInstructionFinderAnalyzer when processor does not have a TMode register. (GP-2122)
Analysis. Fixed constant reference analysis bug introduced from refactoring that would not use the Speculative reference min analyzer setting. (GP-2365, Issue #4257)
CParser. Added support for the C11 _Noreturn keyword. (GP-2275, Issue #4273)
Debugger:Trace. Fixed event type numbering issue in Traces, which was causing enormous resource waste. (GP-2153)
Decompiler. Fixed bug that could cause the Decompiler to mislabel a switch case as default. (GP-2082, Issue #4268)
Decompiler. Fixed exception in Decompiler when making a selection on a wrapped line. (GP-2097, Issue #4309)
Decompiler. Fixed a memory error in the decompiler associated with data-types defined as a typedef of a structure. (GP-2178, Issue #4328)
Decompiler. The Decompiler now further simplifies expressions involving return values, parameters, or other variables that are explicitly marked as boolean. (GP-2212, Issue #4338)
Decompiler. Fixed a bug that could cause the Decompiler to crash in the hash method used to map Equate information and other dynamic annotations onto variables. (GP-2288, Issue #4410)
GUI. Fixed GTree rendering bug exhibited on some Linux platforms. (GP-2047, Issue #4260)
GUI. Fixed incorrect error message when pasting bytes. (GP-2164)
GUI. Fixed exception in table column filters. (GP-2317)
Importer:ELF. Corrected ELF import issue which could fail to create an uninitialized block for a SHT_NOBITS section with invalid file offsets. (GP-2098, Issue #4095)
Importer:ELF. Corrected ELF issues related to treatment of absolute symbols (SHN_ABS). (GP-2330)
Importer:PE. Fixed an issue with PE symbol table offset validation that prevented some binaries from being recognized as PE files. (GP-2322)
Multi-User:Merge. Corrected long-standing regression bug affecting datatype merge, which was introduced in Ghidra 9.2. This severe error could surface during a datatype conflict merge with a shared project and could prevent a check-in to a Ghidra Server repository. (GP-2066)
Processors. Refactored AVR8 to handle 24-bit memory and to correctly index the code address space as a byte or word. (GP-2213, Issue #4333)
Processors. ELF PLT import processing changed to avoid static disassembly for ARM/MIPS due to possibility of alternative instruction set. Now relies on disassembly during analysis for such cases. (GP-2256)
Scripting. Creating a new script via the Script Manager now properly handles the situation where the $HOME/ghidra_scripts directory does not exist. (GP-2282)
Sleigh. Fixed a Sleigh Parser threading issue that could cause incorrect p-code generation for languages that use delay slots. (GP-2235, Issue #4332)

New in Ghidra 10.1.3 (Apr 21, 2022)

Improvements:
API. Added the getActiveGraphDisplay() API method to GraphDisplayProvider to get the active graph. (GP-1804, Issue #4060)
Debugger. Created better comment in Dynamic Listing Go To dialog so users don't default to *:4 EAX syntax. (GP-1820)
Debugger. Created new navigation methods for Objects representing addresses. (GP-1822)
Debugger. Switched to DomainFile name in Debugger dialogs to avoid confusion. (GP-1872)
Debugger:Trace. Improved performance of trace database. (GP-1727)
FID. Updated stale signatures in the FID database files. (GP-1853, Issue #2877)
Importer:ELF. Added support for additional ELF ARM-32 relocations not previously handled (R_ARM_THM_JUMP8, R_ARM_THM_JUMP11, R_ARM_THM_MOVW_ABS_NC, R_ARM_THM_MOVT_ABS, R_ARM_THM_MOVW_PREL_NC, R_ARM_THM_MOVT_PREL, R_ARM_THM_MOVW_BREL_NC, R_ARM_THM_MOVW_BREL, R_ARM_THM_MOVT_BREL). (GP-1742, Issue #2794)
Processors. Refactored the 6805/6809 processor to better allow variants of MC6800 processor line. (GP-1695, Issue #3673)
Processors. Added 16-byte return values for AARCH64 in X0, X1. (GP-1739)
Scripting. Improved RecoverClassesFromRTTIScript's method to validate GCC programs. (GP-1832)
Bugs:
Analysis. Fixed FID Analyzer to run only once on programs with call-fixups or identified non-returning flow. (GP-1502)
Analysis. Corrected the creation of Objective-C structures when structures collided with existing generic pointers laid down by chained-pointer processing during import. (GP-1841)
Analysis. Corrected stack reference creation and the display of current instruction stack depth in the stack-depth browser field for MIPS 64-bit language processor with 32-bit addressing. (GP-1862)
Analysis. Fixed placement of constant references when a parent register's value is built up using the smaller sub-registers (hi/low). This is common on MIPS and other 8-bit processors such as AVR8. This would occasionally cause a reference to be placed incorrectly on a previous function call. (GP-1942)
Basic Infrastructure. Fixed a NoClassDefFoundError that occurred when launching Ghidra in single-jar mode. (GP-1741, Issue #3961)
C Parsing. CParser fixes for pragma(push), re-included header files, #if/defined() tests on define values, unicode BOM files, and full evaluation of macro expansion. Added more information to the CParserPlugin.out file prefixed with /// comments which should enable easier diagnosis of parsing issues. Reparsed current standard data archives with correct 64/32 data organizations. Fixed issue where many data types had incorrect pack() values in Windows archives, such as WNDCLASSEXW. To make use of the corrected data types, programs data types will need to be re-synchronized if they depend on the included Windows or clib data type archives. Windows VS2022 and Windows 11 SDK header files can now parse and will be included in the next feature release. (GP-1744, Issue #3756)
Data Types. Corrected UnsupportedOperationException error which could occur when dragging a datatype from one archive to another. (GP-1758)
Data Types. Fixed Data Types filter not being applied when using the various Find actions. (GP-1799)
Debugger. Fixed the defaults for log4j file locations; template patterns for empty values were crashing the process on Windows. (GP-1731, Issue #3965)
Debugger. Fixed NullPointerException caused by Debugger Console's preferred height. (GP-1766)
Debugger. Fixed race condition on right-click of non-selected tree node. (GP-1845, Issue #4093)
Debugger. Fixed missing eflags in Register View for dbgeng. (GP-1873)
Debugger. Fixed IllegalArgumentException in TraceObjectManager. (GP-1874)
Debugger:Breakpoints. Fixed issue with toggling breakpoints from within the Dynamic Listing. (GP-1706)
Debugger:Memory. Fixed timing issue where Debugger Memory view may have incorrect location label. (GP-1882)
Debugger:Trace. Fixed issue with StringDataType null terminators in stale trace ranges. (GP-1737)
Decompiler. Updated the Decompiler Find dialog's default text when showing the dialog with comment text selected. (GP-1721, Issue #3946)
Decompiler. Fixed the Decompiler Find dialog's sometimes incorrect result highlighting. (GP-1765, Issue #3928)
Decompiler. Fixed a bug in the Decompiler preventing prototype overrides from being applied to calls produced by Call-Fixup injection. (GP-1792, Issue #3319)
Decompiler. Updated the Decompiler hover for structure fields to show the parent name and the offset in the parent. (GP-1793, Issue #3920)
Decompiler. Eliminated infinite loop in the Decompiler encountered when applying convert/equate. (GP-1924, Issue #4121)
FID. Fixed bug causing Program ... has different compiler spec... exception when populating FID signatures. (GP-1839, Issue #4042)
FileSystems. Fixed problem opening files in paths that start with a UNC location (\locationpath). (GP-1696, Issue #3912)
Framework. Fixed bug that could cause a NullPointerException when removing custom Compiler Specification extensions from a Program. (GP-1715, Issue #3906)
GUI. Fixed default function Plate Comment formatting. (GP-1717)
GUI. Fixed the Search Memory Dialog buttons to re-enable after closing a long-running search results table. (GP-1753, Issue #4014)
GUI. Updated Symbol Edit dialog to not allow namespaces editing with a blank name. (GP-1754, Issue #4015)
GUI. Fixed table CSV export of boolean values. (GP-1764, Issue #3947, #4026)
Headless. Corrected potential NullPointerException for Headless Analyzer when a specified filename to process does not exist in a searched project folder. (GP-1916)
Help. Fixed Help Viewer Find feature, clearing search result highlights when the search dialog is closed. (GP-1718)
Importer:ELF. Corrected MIPS type 5/6 relocation calculation. Previously, the LO16 value, extracted as an addend from the instruction, was not sign-extended. (GP-1834)
Importer:PE. Fixed a bug that prevented certain types of PE files from being recognized by the PeLoader. (GP-1713, Issue #3830, #3902)
Importer:PE. Detect .NET managed code in mixed Native/MangedCode binaries and only disassemble the correct x86 or CLR routines based on the current processor. (GP-1938, Issue #4159)
Processors. ARM BL conditional call instruction, which calls to the next instruction, has been changed to a branch instead of a call. Calling the next instruction on ARM is generally only to get the LR register loaded for PIC code. (GP-1752)
Processors. Fix bug in MIPS rdhwr instruction to use correct hardware registers. (GP-1879)
Scripting. Fixed the Bytes table column rendering in the scripting TableChooserDialog. (GP-1714)
Scripting. Fixed two bugs in RecoverClassesFromRTTIScript.java encountered when creating class structures. (GP-1781)
Scripting. OSGI jar bundles now correctly load on Windows. (GP-1846, Issue #3995)
Sleigh. Fixed bug preventing prototype model extensions with p-code from being imported. (GP-1915)

New in Ghidra 10.1.2 (Jan 26, 2022)

Improvements:
Basic Infrastructure. Upgraded Gson to 2.8.9. (GP-1632, Issue #3802)
Basic Infrastructure. Upgraded log4j to 2.17.1. (GP-1641)
Build. Increased minimum supported Gradle version from 6.4 to 6.8. (GP-1680)
Debugger:Emulator. Emulator's PcodeStepper now displays the decoded instruction. (GP-1474)
Debugger:Watches. Double-clicking a pointer value in the Watches window navigates to the pointer rather than its address. (GP-1469)
Listing. Updated the Listing Operands field to support word-wrapping for enum data types. (GP-1665, Issue #3812)
Scripting. Improved the RecoverClassesFromRTTIScript to create function definitions for multi-inheritance and single virtual inheritance classes in the correct ancestor class data type folders. (GP-1663)
Scripting. Updated RecoverClassesFromRTTI script for GCC programs to only create typeinfo structures in non-executable memory. (GP-1686)
Bugs:
Analysis. Fixed another bug with recovering Objective-C method names. (GP-1642, Issue #3817)
Analysis. Certain switch cases using the AARCH64 CSEL instruction will now recover correctly. Previously internal CBRANCH instructions could cause switch flow recovery failure in the decompiler switch analyzer. (GP-1687)
Analysis. Fixed unused Microsoft Demangler options. (GP-1688, Issue #3892)
Analysis. (U) Reverted change (GP-1575) introduced with Ghidra 10.1 which improperly factored image-base into analysis of ELF LSDA Gcc exception records. (GP-1702)
Build. Fixed gradle buildGhidra issue where a second build doesn't include all the files. This issue appears to be a bug introduced in Gradle 7. (GP-1648, Issue #3827)
Data Types. Fixed display of multiple Enum values. (GP-1657, Issue #3810)
Debugger. Now invalidating caches for dbgeng/dbgmodel in the GADP variants so the memory is not left stale. (GP-846)
Debugger. Fixed exception when cancelling password entry for GDBOverSSH. (GP-1655, Issue #3578)
Debugger:Memory. Fixed Debugger Memory background colors during emulation. (GP-1590)
Debugger:Trace. Fixed issue where emulated state leaked into recorded state. (GP-1620)
Debugger:Trace. Fixed NullPointerException when disassembling stale memory. (GP-1646)
Decompiler. Fixed the Decompiler Retype Field action to not rename the field. (GP-1654, Issue #3783)
Decompiler. Decompiler now recovers jump tables that use PIC mechanisms or other forms relying on injected p-code. (GP-1659)
Demangler. Fixed demangling bug that produced incorrect types such as unsigned_short. (GP-1662)
GUI. Fixed incorrect tool option reference in the Create Table From Selection action. (GP-1676, Issue #3858)
GUI. Fixed the Decompiler Find Text dialog's auto-complete feature to not change the default text entry added to the dialog. (GP-1685, Issue #3890)
Importer:Mach-O. Fixed an IllegalArgumentException that occurred when loading some kernelcache images. (GP-1675, Issue #2487)
Importer:PE. Fixed an exception that occurred when re-parsing PE programs with a .pdata section from memory. (GP-1636, Issue #3347, #3800, #3805)
PDB. Fixed incorrect bounds on item type iteration; one effect of the fix is that the user might notice more unsupported PDB data type messages in the log. (GP-1677)
Processors. Fixed issue with Motorola 6809 immediate operands being set to zero. (GP-1611, Issue #2116, #3755)
Processors. Corrected PowerPC efscmp* and efstst* instructions condition register usage. (GP-1639, Issue #2528)
Processors. Fixed the target of JUMP and JSR for the 6809 to use [target] instead of jumping directly to target which incorrectly jumped to the address of the unique variable. Also fixed a compile issue in the half-finished 6309 EXG and TFR instructions. (GP-1690, Issue #3825)
Scripting. Fixed the ApplyClassFunctionDefinitionUpdatesScript and the ApplyClassFunctionSignatureUpdatesScript to work correctly with the recent RecoverClassesForRTTI changes to function definitions. (GP-1601)
Scripting. Fixed bug in a class recovery helper class that was causing an exception in some cases when trying to replace a component in a structure. (GP-1670)
Scripting. Removed a misplaced space character in the name passed to setLabel in RecoverClassesForRTTIScript. (GP-1671)
Sleigh. Fixed bug that could cause erroneous decompilation of functions in overlays. (GP-1661, Issue #3828)

New in Ghidra 10.1.1 (Dec 21, 2021)

New in Ghidra 10.1 (Dec 11, 2021)

New Features:
Build. Ghidra now builds on 64-bit Linux ARM and macOS M1 platforms. (GP-1106, Issue #3197)
Build. Native binaries for the current platform can now be built/rebuilt from within a release using the support/buildNatives(.bat) script. Please see the "Building Ghidra Native Components" section of the Installation Guide for additional information. (GP-1209, Issue #3387)
Data Types. DataType API: Added encodeValue and encodeRepresentation methods which facilitate patching. (GP-1265)
Debugger. Added Memory view (raw bytes) to the Debugger. (GP-80)
Debugger. Added new agent for LLDB on macOS and Linux. (GP-1005, Issue #2591, #2967)
Debugger. Added Copy Into Current Program and Copy Into New Program actions to Debugger. (GP-1214)
Debugger. Added Compare action to Dynamic Listing to compare points in time. (GP-1222)
Debugger. Added Events/Exceptions to Objects View. (GP-1288, Issue #3049)
Debugger:Emulator. Added Emulate Program and Add Emulated Thread actions for loading a program into a purely emulated trace. (GP-660)
Decompiler. Added support for else if syntax in Decompiler output. (GP-1172, Issue #1609)
Importer. Added support for Android formats (ART, OAT, ODEX, DEX, CDEX, VDEX) and Dalvik VM Sleigh modules for each major Android release up to version 12.x (S). (GP-1247)
Scripting. Created RunYARAFromGhidra.py to map YARA rules to Ghidra comments. (GP-1199)
Improvements:
Analysis. The called ___chkstk_ms() function is now properly recognized and handled with a call fixup for windows x86-64. (GP-1347, Issue #1888, #1889)
Analysis. Added support for Objective-C small methods. (GP-1397, Issue #2719, #2732)
Analysis. Fixed several memory usage issues with constant propagation for very large functions, resulting in an average 10-20 percent time savings for constant propagation and stack analysis. (GP-1418, Issue #3508)
API. Updated API methods of the DataTypeChooserDialog. (GP-1349, Issue #3140)
Basic Infrastructure. Symbol performance in Ghidra was significantly improved. Specifically, new database indexes were created to improve finding primary symbols as well as improving lookups by combinations of name, namespace, and address. (GP-1082)
Basic Infrastructure. Added optional columns in the Functions table for several boolean-valued function attributes. (GP-1393)
Basic Infrastructure. Upgraded log4j dependency from 2.12.1 to 2.15.0 to resolve a security vulnerability. (GP-1588)
Build. Extension builds can now declare jar dependencies from standard Gradle repositories such as Maven Central. (GP-1144, Issue #2219, #2226)
Build. Increased minimum supported Gradle version from 6.0 to 6.4. (GP-1521, Issue #3650)
Data Types. Added support for zero-element arrays and zero-length components within structures and unions. Eliminated flex-array API methods and added/improved other Structure methods to handle multiple components which share the same offset. (GP-943)
Data Types. Added the ability to set comments on enum values. (GP-1316, Issue #1680, #2421)
Data Types. Updated Windows and generic clib data type archives to take advantage of improved CParser including changes to handle sizeof() correctly. (GP-1551, Issue #615)
Debugger. Respond to CLI-driven memory changes in dbgeng. (GP-853)
Debugger. User can now override the Debugger's processor selection when manually activating the Record (R) action. (GP-1233)
Debugger. User can now double-click in Listing margin to toggle breakpoints. (GP-1395)
Debugger. Adjusted alignment of Description tag in Debugger's Connect dialog. (GP-1416)
Debugger:Emulator. Added more accessor methods to PcodeThread, Machine, Executor, and similar classes. (GP-1223)
Debugger:Emulator. Added more accessor methods to PairedCodeArithmetic, ExecutorState, ExecutorStatePiece, and similar classes. (GP-1224)
Debugger:Emulator. Emulator now responds better to memory and register edits. (GP-1486)
Debugger:Emulator. Registers window can now modify emulated register values. (GP-1530)
Debugger:GDB. GDB manager handles =cmd-param-changed events. (GP-1330)
Debugger:GDB. Ported GDB's SSH connector to JSch. (GP-1387)
Debugger:LLDB. Improved build scripts for LLDB Java language bindings. (GP-1477)
Debugger:Memory. Added Force Full View override toggle to Debugger's Regions window. (GP-1447)
Debugger:Stack. Fixed various NullPointerExceptions among the Debugger Stack and Threads windows. (GP-1475)
Debugger:Trace. Trace API now supports Overlay spaces. (GP-484)
Decompiler. Added the Rename Label Decompiler action to allow label name editing. (GP-1195, Issue #1751)
Decompiler. The Decompiler now recognizes typedef relationships between data-types when determining if casts are necessary. (GP-1297, Issue #2393, #3249)
Decompiler. Improved the Decompiler's analysis of pointer calculations affected by common subexpression elimination. (GP-1312)
Decompiler. Added methods to ClangTokenGroup to facilitate iteration and filtering over the Decompiler's output tokens. (GP-1317, Issue #2040)
DWARF. Relaxed DWARF symbol name mangling to allow colons and forward slashes; changed space mangling to use underscores. (GP-1122, Issue #2014, #2043)
DWARF. Improved DWARF analyzer to handle MIPSPro 64-bit file format oddity. (GP-1171, Issue #3223)
DWARF. Improved DWARF analyzer to import DWARF data from PE binaries. (GP-1192, Issue #1267)
DWARF. Add support for DWARF external debug files. (GP-1286, Issue #3513)
DWARF. Added support for DWARF noreturn function attribute. (GP-1390)
Eclipse Integration. Eclipse Python breakpoints now work when Eclipse installs PyDev in .p2 bundle pool directory. (GP-1338, Issue #3453, #3454)
Exporter. Updated the DataTypeWriter to emit enum comments. Furthermore, the enum data type has been updated to return names sorted by enum value, which is now the order in which enum values will be emitted by the DataTypeWriter. (GP-1374, Issue #1664)
Exporter. The PE Exporter no longer forces files to be saved with a .exe extension. (GP-1385, Issue #3391)
Extensions. Building extensions now fails gracefully if an unsupported Gradle version is used. (GP-1189, Issue #3313)
FileSystems. Temporary files created by GFilesystem implementations are now obfuscated when written to disk. (GP-253)
FileSystems. Added support for opening password-protected zip files. (GP-725, Issue #377)
FileSystems. Add support for opening HFS+ volume images. Improved support for ISO9660 images by using 7-Zip library. (GP-807)
Graphing. Created concept of graph types that define specific vertex and edge types so that color and shape attributes can be assigned indirectly to vertices and edges. Created tool options for setting/changing the display attributes for these types. (GP-773)
GUI. Added new layouts to the Function Graph. Each new layout is using one of the Jungrapht layouts. (GP-926)
GUI. Added option to change the background color of the Function Call Graph. (GP-1014)
GUI. Added menu support for the following navigation keys: Page Up, Page Down, Home, End, and number keys 1-9. (GP-1081, Issue #2811)
GUI. Added an option to group the XRef field in the Listing by function. (GP-1093, Issue #1305)
GUI. Symbol tree has been changed to improve its behavior in the presence of large scale changes such as analysis, loading PDB, etc. It now will auto-close the label or function category if the internal organization becomes too much out of balance. This will also improve the analysis performance when the root category nodes are closed. (GP-1198)
GUI. Improved composite interior selection of components with shared offset such as bit-fields. Previous behavior was forcing selection of multiple components. (GP-1261)
GUI. Fixed ClassCastException due to the Patch action incorrectly being added to the Function Graph context menu. (GP-1334, Issue #3288)
GUI. Updated the Search Memory dialog to allow the user to enter a single wildcard character to search for any byte value. Previously, two consecutive wildcard characters were required. (GP-1358, Issue #3351)
GUI. Updated auto-comments to show user-defined repeatable comments from the reference destination. (GP-1361, Issue #2475)
GUI. Changed the Context column to allow for filtering of special characters in the results table of the Find Uses of action. (GP-1370, Issue #3473)
GUI. Updated the CodeBlockIterator interface to extend Iterable. This allows the iterator to be used in Java's foreach loops. (GP-1381, Issue #3478)
GUI. Added Find Structures by Offset... and Find Structures by Size... actions to the Data Type Manager window. (GP-1382, Issue #759)
GUI. Added the ability to remove a non-default symbol by setting the Edit Label dialog text to the empty string; added an action to the Decompiler to remove non-default labels. (GP-1383, Issue #3285)
GUI. Fixed the Function Editor's Storage Address Editor dialog to ensure that the Cancel button will not allow data type changes to be passed through to the primary editor. (GP-1398, Issue #3490)
GUI. Updated the Comments Dialog to allow the Shift-Enter keystroke to insert a newline at the cursor position. (GP-1428, Issue #3548)
GUI. Updated the Symbol Table to allow users to enter optional namespaces when editing a symbol name. (GP-1430)
GUI. Fixed issue with shared actions across windows sometimes getting the wrong (non-focused) context. This was mostly related to windows with snapshot components. (GP-1440)
GUI. Updated the Data Types context menu to include all actions when showing the menu from the keyboard via Shift-F10. (GP-1566, Issue #3678)
Importer. Added support for new Mach-O load commands and file types. (GP-398, Issue #2487, #3572)
Importer. Added method to Memory to find addresses where a specific byte from a loaded FileBytes object is used in memory. (GP-1166)
Importer:Mach-O. The Mach-O loader now outputs a warning when it encounters encrypted sections. (GP-1406, Issue #1935)
Importer:Mach-O. Added support for the new iOS 15 and macOS Monterey dyld_shared_cache format. (GP-1524, Issue #3345, #3666)
Importer:PE. Added support for long section names (e.g., "/1234" indicates offset into string table where actual section name is found) in PE binaries. (GP-1177, Issue #1267)
Multi-User. Upgraded YAJSW to 13.01-beta. Ghidra Server can now run with JDK 17. (GP-1266, Issue #3406)
PDB. Improved processing time on huge PDBs, especially when many labels are seen at the same address, such as with Identical COMDAT Folding. This change also allows some additional valid labels to be applied at these addresses. (GP-1298)
Processors. Added pcodetests for ARM version 5, which does not support thumb mode. (GP-1078)
Processors. Added 65C02 opcodes to the 6502 processor. (GP-1112, Issue #1261, #3170)
Processors. Made numerous improvements to the SPARC language module. (GP-1135)
Processors. Improved and fixed several issues involving the SuperH4 language module. (GP-1212)
Processors. Updated manual index page numbers for AMD VMX instructions. (GP-1219, Issue #2923)
Processors. Updated x86 and AARCH64 processor manual index files. (GP-1234)
Processors. Added longMode bit to x64 language spec for mixed 32-/64-bit use cases; e.g., WoW64. (GP-1255)
Processors. Made minor improvements to the RISC-V language module. (GP-1409)
Processors. Corrected swap instruction semantics for PIC-24,30,33 processors. (GP-1565, Issue #3670)
Scripting. Improved RecoverClassesFromRTTIScript to better define virtual function data definitions to be more generically used by all related class structures. (GP-1311, Issue #3417)
Scripting. Added options to allow removal of replaced class structure data types when replaced with ones created by RecoverClassesFromRTTIScript. (GP-1315, Issue #3443)
Scripting. Changed class structures created by RecoverClassesfromRTTI so that the vftable pointers are separated from the class data structures inside a derived class. This allows the derived class vftables structures to be accessed correctly by the Decompiler. (GP-1408)
Sleigh. Modeled undocumented encoding of REP prefix for x86 instructions. (GP-1294, Issue #731)
Version Tracking. Updated Version Tracking to address multiple performance issues. (GP-1421, Issue #3221)
Version Tracking. Slightly relaxed score thresholds for the reference correlator portions of auto version tracking to enable discovery of more high scoring matches. (GP-1448)
Bugs:
Analysis. Fixed a bug that would result in the COFF Header Annotation analyzer running on PIC binaries when it was not intended to. (GP-1366, Issue #3386)
Analysis. The Objective-C analyzer no longer crashes when encountering categories with an implementation in an external binary. (GP-1413, Issue #3510)
Analysis. Fixed a stack overflow in the Objective-C 2 Class analyzer. (GP-1420, Issue #2378)
Analysis. Fixed a bug with recovering Objective-C method names. (GP-1548, Issue #3611)
Analysis. Corrected a potential infinite loop in stack analysis and constant propagation due to recurring call-fixup injection to the same location. (GP-1554, Issue #3683)
Analysis. Fixed certain ELF exception records in ELF binaries marked as DW_EH_PE_absptr that are not relocated correctly when the binary is loaded in an alternate image base. (GP-1575)
API. Fixed issues related to moving memory blocks where the source and/or destination have pinned symbols. This could have resulted in addresses with symbols where no symbol is primary or having multiple symbols at an address that are primary. It could also have resulted in pinned symbols being moved from the destination to the source address range. (GP-1103)
API. Fixed an issue with the SymbolManager method getClassNamespaces() where it was only returning class namespaces in the global namespace. (GP-1346)
API. Critical Ghidra 10.1-BETA Issue: Corrected external function bug introduced in Ghidra 10.1-BETA which caused new functions to not be marked as primary. This is a critical bug which could impact most programs imported with 10.1-BETA. Such imports should be re-imported with this fix in place. (GP-1525)
C Parsing. Several issues parsing C header files have been fixed including ternary macro expression evaluation, #line preprocessor markup within functions and structures, far/near recognized as a keyword, and handling of __asm syntax. (GP-1335, Issue #1069, #1082, #2667, #464, #929)
Debugger. Fixed program actions (Save, Close, Undo, etc.) to work properly in the Debugger. (GP-508)
Debugger. Fixed issue getting registers on ARM targets with GDB where command exceeded 4096 characters. (GP-1356, Issue #3297, #3509)
Debugger. Fixed several issues with the GDB connector's use existing session option. (GP-1365)
Debugger. Fixed a NullPointerException from canceling a debug launch. (GP-1442)
Debugger. Fixed Select Addresses button for Debugger Modules pane. (GP-1450)
Debugger. Fixed issue with duplicate selection actions in the Debugger tool. (GP-1452)
Debugger. Fixed a bug in emulation where read/write ranges include the max address. (GP-1493)
Debugger. Fixed exception behavior for toggled Continue/Handled options. (GP-1558, Issue #3049)
Debugger:Emulator. Fixed Debugger integration and trace emulation for WoW64. (GP-1245)
Debugger:Emulator. Relaxed and corrected some logging of UNKNOWN/uninitialized values during emulation. (GP-1488)
Debugger:Emulator. Fixed several issues in Emulator with respect to Harvard architectures, memory-mapped registers, and word-addressable systems. (GP-1540)
Debugger:GDB. Fixed issue with GDB/GADP hang in development mode. (GP-1360)
Debugger:GDB. Fixed issue interrupting GDB targets launched without temporary breakpoint on main. (GP-1362)
Debugger:GDB. Fixed issues parsing and displaying various types of GDB breakpoints. (GP-1364)
Debugger:GDB. Fixed problem passing arguments to GDB in IN-VM and SSH modes. (GP-1368)
Debugger:GDB. Fixed a NullPointerException when terminating GDB. Changed PtySession API to prevent future occurrence. (GP-1399, Issue #3487)
Debugger:Listing. Fixed stack trace when switching to trace of a different processor language. (GP-1547)
Debugger:Trace. Fixed 'ram' not in this trace/language error. (GP-1411, Issue #3509)
Decompiler. Fixed a corner case in the manipulation of integer ranges by the Decompiler. (GP-1243, Issue #3064)
Decompiler. Fixed a bug in the Decompiler's renaming algorithm that could cause memory corruption in rare cases. (GP-1380, Issue #3429)
Demangler. Fixed GNU Demangling bug encountered when Address Table types have spaces in the parent namespace name. (GP-1051)
DWARF. Fixed check for invalid function addresses. (GP-1573)
Eclipse Integration. Fixed an exception in the GhidraDev Eclipse plugin that occurred when performing a Link Ghidra operation on projects that use a Gradle classpath container. (GP-1149, Issue #3087, #3088)
Exporter. IDA exporter no longer fails when function stack variables have comments. (GP-1190, Issue #2350, #3309, #748)
Exporter. Fixed an issue with the ElfExporter not correctly undoing relocations when they spanned partially file-backed memory blocks. (GP-1570, Issue #3696)
FileSystems. Fixed Ext4 handling of longer symlink paths and added support for inline data. (GP-1088)
FileSystems. Fixed Ext4 file system to handle volumes with blocksize 1024 and a first data block value of 1. Also added support for old style block maps. (GP-1094, Issue #1877)
Framework. Fixed error causing exception in the Specification Extensions panel when importing a new callotherfixup. (GP-1414, Issue #3502)
GUI. Fixed potential infinite loop in Function Graph edge painting. (GP-1019, Issue #2114)
GUI. Fixed minor memory leak encountered when using Search -> For Address Tables. (GP-1030, Issue #3013)
GUI. Fixed bug that prevented the Decompiler scalar hover tooltip from showing. (GP-1071, Issue #3142)
GUI. Fixed NullPointerException in File System Browser when closing the current project. (GP-1096, Issue #3179)
GUI. Fixed the script console to not lock the GUI when a large amount of text is being written. (GP-1148, Issue #3251)
GUI. Fixed long GUI hang when attempting to Set External Program on an import within in a large Ghidra project. (GP-1155, Issue #3245)
GUI. Fixed UI freeze when connecting to a large remote project. (GP-1200, Issue #3305)
GUI. Tweaked enablement of several search actions so that instead of being disabled when on a restricted view provider (e.g., Decompiler, FunctionGraph), they instead are enabled, but apply to the global listing provider. (GP-1259)
GUI. Fixed stack trace in the Function Call Graph when using the Show Incoming Level Edges action. (GP-1302, Issue #3327)
GUI. Fixed the Search Memory dialog issue that caused odd resize behavior when using the Advanced button. (GP-1333, Issue #3158)
GUI. Fixed tracking of Favorite data types when switching between multiple open programs. (GP-1391)
GUI. Fixed user list scrollbar in shared project dialog when there is a large number of users. (GP-1410)
GUI. Fixed bug that cause a structure field name to change when using the Retype Field action without picking a new data type. (GP-1429, Issue #3483)
GUI. Fixed issue when attempting to rename a datatype that has the same name as a category in the same parent cateogory. The rename would attempt to rename the category instead of the datatype. (GP-1445)
Importer. Fixed issue with Extract and Import action trying to create invalid filenames. (GP-1024, Issue #3114)
Importer. Fixed Extract and Import action when highlighting bytes in the debugger view. (GP-1449)
Importer:ELF. Corrected ELF importer error which could occur when processing memory section overlay blocks caused by AddressOutOfBoundsException exception. (GP-1052, Issue #3128)
Importer:ELF. Corrected various markup issues related to packed ELF Android relocations. Added missing ELF Arm 32-bit RELR relocation support. (GP-1352, Issue #3462)
PDB. Fixed short timeout values when downloading PDB files. (GP-1105, Issue #3184)
PDB. Fixed the Load PDB dialog to better handle missing or incomplete metadata. (GP-1180, Issue #3289)
PDB. Fixed NullPointerException encountered for a particular array of enums scenario where the enum definition processing had not completed. (GP-1456, Issue #3484)
Processors. Corrected return type for MIPS32 JIC instruction. (GP-938, Issue #3022)
Processors. Corrected pcode for ARM/ARM-Thumb adcs and sbcs carry and overflow flag updates. (GP-1043)
Processors. Corrected flag handling for some 6502 instructions. (GP-1054, Issue #3096)
Processors. Fixed issues with PPC register overwrites. (GP-1075, Issue #1672)
Processors. Fixed 6502 bit instruction semantics. (GP-1115, Issue #2558, #3095)
Processors. Fixed MIPS 32-bit little endian floating point register ordering. (GP-1129, Issue #3212)
Processors. Corrected PowerPC ISA instruction manual index page numbers. (GP-1218, Issue #2927)
Processors. Updated Tricore manual index file to match correct page numbers. (GP-1220, Issue #2926)
Processors. Fixed bug in SuperH moveml.l instruction which caused a load instead of store register. (GP-1263, Issue #3379)
Processors. Corrected semantics for MIPS INS instruction. (GP-1290, Issue #3405)
Processors. Corrected MIPS64 DINS instruction semantics. (GP-1291, Issue #2232)
Processors. Corrected semantics of PA-RISC shift conditions, which was incorrectly using the register size in bytes, as opposed to bits. (GP-1292)
Processors. Corrected ARM neon vmrs instruction disassembly. (GP-1322, Issue #3446)
Processors. Corrected SuperH bld and movemu instruction semantics. (GP-1331, Issue #3449)
Processors. Removed deprecated ARM condition code 15. (GP-1332)
Processors. Corrected issue with x86 call instructions when stack pointer is used as a reference. (GP-1357, Issue #3455)
Processors. Corrected MIPS pcodeop error in tlbr instruction. (GP-1363, Issue #3463)
Processors. Corrected ARM Thumb conditional instruction it to allow the al (always) conditional. (GP-1402, Issue #3499)
Processors. Removed extraneous sb from ARM ldrsb instruction. (GP-1412, Issue #3522)
Processors. Implemented M68000 CHK, CHK2, and CMP2 instructions. (GP-1478, Issue #2856, #3616)
Processors. Corrected SuperH trapa instruction to use a call p-code op instead of a goto. (GP-1504, Issue #3600)
Processors. Corrected x86 instruction parse and semantics for RDRAND and RDSEED. (GP-1564)
ProgramDB. Corrected language upgrade issue which could result in lost memory reference due to RefType change. (GP-1392)
Scripting. RecoverClassesFromRTTIScript now consistently applies its class structures in programs that have PDB information applied. Also, an option was added so users can decide whether to replace existing class data in thiscall functions regardless of whether they originated as PDB or not. (GP-1464)
Scripting. Fixed an issue where some GhidraScript print methods were not getting output to the script log file. (GP-1541, Issue #3657)
Sleigh. Corrected sleigh-language endian-mismatch error-message formatting. (GP-1132, Issue #3215)
Sleigh. Made numerous fixes to the PowerPC SLEIGH language module. Note: minor language version upgrade. (GP-1250)
Version Tracking. Fixed UnsupportedOperationException in Version Tracking when attempting to find references to register or stack addresses. (GP-1084, Issue #1152)
Version Tracking. Fixed Version Tracking Swap button to not trigger the reloading of programs. (GP-1183)

New in Ghidra 10.1 Beta (Nov 17, 2021)

New Features:
BuildGhidra now builds on 64-bit Linux ARM and macOS M1 platforms(GP-1106, Issue #3197)
BuildNative binaries for the current platform can now be built/rebuilt from within a release using the support/buildNatives(.bat) scriptPlease see the "Building Ghidra Native Components" section of the Installation Guide for additional information(GP-1209, Issue #3387)
Data TypesAdded encoding methods to DataType(GP-1265)
DebuggerAdded Memory view (raw bytes) to the Debugger(GP-80)
DebuggerAdded new agent for lldb on macOS and Linux(GP-1005, Issue #2591, #2967)
DebuggerAdded Events/Exceptions to Objects View(GP-1288, Issue #3049)
Debugger:EmulatorAdded Emulate Program and Add Emulated Thread actions for loading a program into a purely emulated trace(GP-660)
DecompilerAdded support for else if syntax in Decompiler output(GP-1172, Issue #1609)
ImporterAdded support for Android formats (ART, OAT, ODEX, DEX, CDEX, VDEX) and Dalvik VM Sleigh modules for each major Android release up to version 12.x (S)(GP-1247)
ScriptingCreated RunYARAFromGhidra.py to map YARA rules to Ghidra comments(GP-1199)
Improvements:
AnalysisThe ___chkstk_ms() function is now properly recognized and handled(GP-1347, Issue #1888, #1889)
AnalysisAdded support for Objective-C small methods(GP-1397, Issue #2719, #2732)
AnalysisSeveral memory usage issues with constant propagation for very large functions have been fixedThese fixes have also resulted in an average 10-20 percent time savings for constant propagation and stack analysis(GP-1418, Issue #3508)
APIUpdated API methods of the DataTypeChooserDialog(GP-1349, Issue #3140)
Basic InfrastructureSymbol performance in Ghidra was significantly improvedSpecifically, new database indexes were created to improve finding primary symbols as well as improving lookups by combinations of name, namespace, and address(GP-1082)
Basic InfrastructureAdded optional columns in the Functions table for several boolean-valued function attributes(GP-1393)
BuildExtension builds can now declare jar dependencies from standard Gradle repositories such as Maven Central(GP-1144, Issue #2219, #2226)
Data TypesAdded support for zero-element arrays and zero-length components within structures and unionsEliminated flex-array API methods and added/improved other Structure methods to handle multiple components which share the same offset(GP-943)
Data TypesAdded the ability to set comments on enum values(GP-1316, Issue #1680, #2421)
DebuggerRespond to CLI-driven memory changes in dbgeng(GP-853)
DebuggerUser can now override the Debugger's processor selection when manually activating the Record (R) action(GP-1233)
DebuggerUser can now double-click in Listing margin to toggle breakpoints(GP-1395)
DebuggerAdjusted alignment of Description tag in Debugger's Connect dialog(GP-1416)
Debugger:EmulatorAdded more accessor methods to PcodeThread, Machine, Executor, and similar classes(GP-1223)
Debugger:EmulatorAdded more accessor methods to PairedCodeArithmetic, ExecutorState, ExecutorStatePiece, and similar classes(GP-1224)
Debugger:GDBGDB manager handles =cmd-param-changed events(GP-1330)
Debugger:GDBPorted GDB's SSH connector to JSch(GP-1387)
Debugger:StackFixed various NullPointerExceptions among the Debugger Stack and Threads windows(GP-1475)
Debugger:TraceTrace API now supports Overlay spaces(GP-484)
DecompilerAdded the Rename Label Decompiler action to allow label name editing(GP-1195, Issue #1751)
DecompilerThe Decompiler now recognizes typedef relationships between data-types when determining if casts are necessary(GP-1297, Issue #2393, #3249)
DecompilerImproved the Decompiler's analysis of pointer calculations affected by common subexpression elimination(GP-1312)
DecompilerAdded methods to ClangTokenGroup to facilitate iteration and filtering over the Decompiler's output tokens(GP-1317, Issue #2040)
DWARFRelaxed DWARF symbol name mangling to allow colons and forward slashes; changed space mangling to use underscores(GP-1122, Issue #2014, #2043)
DWARFImproved DWARF analyzer to handle MIPSPro 64-bit file format oddity(GP-1171, Issue #3223)
DWARFImproved DWARF analyzer to import DWARF data from PE binaries(GP-1192, Issue #1267)
DWARFAdd support for DWARF external debug files(GP-1286, Issue #3513)
DWARFAdded support for DWARF noreturn function attribute(GP-1390)
Eclipse IntegrationEclipse Python breakpoints now work when Eclipse installs PyDev in .p2 bundle pool directory(GP-1338, Issue #3453, #3454)
ExporterUpdated the DataTypeWriter to emit enum commentsFurthermore, the enum data type has been updated to return names sorted by enum value, which is now the order in which enum values will be emitted by the DataTypeWriter(GP-1374, Issue #1664)
ExporterThe PE Exporter no longer forces files to be saved with a .exe extension(GP-1385, Issue #3391)
ExtensionsBuilding extensions now fails gracefully if an unsupported Gradle version is used(GP-1189, Issue #3313)
FileSystemsTemporary files created by GFilesystem implementations are now obfuscated when written to disk(GP-253)
FileSystemsAdded support for opening password-protected zip files(GP-725, Issue #377)
FileSystemsAdd support for opening HFS+ volume imagesImproved support for ISO9660 images by using 7-Zip library(GP-807)
GraphingCreated concept of graph types that define specific vertex and edge types so that color and shape attributes can be assigned indirectly to vertices and edgesCreated tool options for setting/changing the display attributes for these types(GP-773)
GUIAdded new layouts to the Function GraphEach new layout is using one of the Jungrapht layouts(GP-926)
GUIAdded option to change the background color of the Function Call Graph(GP-1014)
GUIAdded menu support for the following navigation keys: Page Up, Page Down, Home, End, and number keys 1-9(GP-1081, Issue #2811)
GUIAdded an option to group the XRef field in the Listing by function(GP-1093, Issue #1305)
GUISymbol tree has been changed to improve its behavior in the presence of large scale changes such as analysis, loading PDB, etcIt now will auto-close the label or function category if the internal organization becomes too much out of balanceThis will also improve the analysis performance when the root category nodes are closed(GP-1198)
GUIImproved composite interior selection of components with shared offset such as bit-fieldsPrevious behavior was forcing selection of multiple components(GP-1261)
GUIFixed exception due to the Patch action incorrectly being added to the Function Graph context menu(GP-1334, Issue #3288)
GUIUpdated the Search Memory dialog to allow the user to enter a single wildcard character to search for any byte valuePreviously, two consecutive wildcard characters were required(GP-1358, Issue #3351)
GUIUpdated auto-comments to show user-defined repeatable comments from the reference destination(GP-1361, Issue #2475)
GUIChanged the Context column to allow for filtering of special characters in the results table of the Find Uses of action(GP-1370, Issue #3473)
GUIUpdated the CodeBlockIterator interface to extend IterableThis allows the iterator to be used in Java's foreach loops(GP-1381, Issue #3478)
GUIAdded Find Structures by Offset..and Find Structures by Size..actions to the Data Type Manager window(GP-1382, Issue #759)
GUIAdded the ability to remove a non-default symbol by setting the Edit Label dialog text to the empty string; added an action to the Decompiler to remove non-default labels(GP-1383, Issue #3285)
GUIFixed the Function Editor's Storage Address Editor dialog to ensure that the Cancel button will not allow data type changes to be passed through to the primary editor(GP-1398, Issue #3490)
GUIUpdated the Comments Dialog to allow the Shift-Enter keystroke to insert a newline at the cursor position(GP-1428, Issue #3548)
GUIUpdated the Symbol Table to allow users to enter optional namespaces when editing a symbol name(GP-1430)
GUIFixed issue with shared actions across windows sometimes getting the wrong (non-focused) contextThis was mostly related to windows with snapshot components(GP-1440)
GUIFixed issue when attempting to rename a datatype that has the same name as a category in the same parent cateogoryThe rename would attempt to rename the category instead of the datatype(GP-1445)
ImporterAdded support for new Mach-O load commands and file types(GP-398, Issue #2487, #3572)
ImporterAdded method to Memory to find addresses where a specific byte from a loaded FileBytes object is used in memory(GP-1166)
Importer:Mach-OThe Mach-O loader now outputs a warning when it encounters encrypted sections(GP-1406, Issue #1935)
Importer:PEAdded support for long section names (e.g., "/1234" as offset in the string table) in PE binaries(GP-1177, Issue #1267)
Multi-UserUpgraded YAJSW to 13.01Ghidra Server can now run with JDK 17(GP-1266, Issue #3406)
PDBImproved processing time on huge PDBs, especially when many labels are seen at the same address, such as with Identical COMDAT FoldingThis change also allows some additional valid labels to be applied at these addresses(GP-1298)
ProcessorsAdded pcodetests for ARM version 5, which does not support thumb mode(GP-1078)
ProcessorsAdded 65C02 opcodes to the 6502 processor(GP-1112, Issue #1261, #3170)
ProcessorsMade numerous improvements to the SPARC language module(GP-1135)
ProcessorsImproved and fixed several issues involving the SuperH4 language module(GP-1212)
ProcessorsUpdated manual index page numbers for AMD VMX instructions(GP-1219, Issue #2923)
ProcessorsUpdated x86 and AARCH64 processor manual index files(GP-1234)
ProcessorsAdded longMode bit to x64 language spec for mixed 32-/64-bit use cases; e.g., WoW64(GP-1255)
ProcessorsMade minor improvements to the RISC-V language module(GP-1409)
ScriptingImproved RecoverClassesFromRTTIScript to better define virtual function data definitions to be more generically used by all related class structures(GP-1311, Issue #3417)
ScriptingAdded options to allow removal of replaced class structure data types when replaced with ones created by RecoverClassesFromRTTIScript(GP-1315, Issue #3443)
ScriptingChanged class structures created by RecoverClassesfromRTTI so that the vftable pointers are separated from the class data structures inside a derived classThis allows the derived class vftables structures to be accessed correctly by the Decompiler(GP-1408)
SleighModeled undocumented encoding of REP prefix for x86 instructions(GP-1294, Issue #731)
Version TrackingSlightly relaxed score thresholds for the reference correlator portions of auto version tracking to enable discovery of more high scoring matches(GP-1448)
Bugs:
AnalysisFixed a bug that would result in the COFF Header Annotation analyzer from running on PIC binaries when it was not intended to(GP-1366, Issue #3386)
AnalysisThe Objective-C analyzer no longer crashes when encountering categories with an implementation in an external binary(GP-1413, Issue #3510)
AnalysisFixed a stack overflow in the Objective-C 2 Class analyzer(GP-1420, Issue #2378)
APIFixed issues related to moving memory blocks where the source and/or destination have pinned symbolsThis could have resulted in addresses with symbols where no symbol is primary or having multiple symbols at an address that are primaryIt could also have resulted in pinned symbols being moved from the destination to the source address range(GP-1103)
APIFixed an issue with the SymbolManager method getClassNamespaces() where it was only returning class namespaces in the global namespace(GP-1346)
C ParsingSeveral issues parsing C header files have been fixed including ternary macro expression evaluation, #line preprocessor markup within functions and structures, far/near recognized as a keyword, and handling of __asm syntax(GP-1335, Issue #1069, #1082, #2667, #464, #929)
DebuggerFixed program actions (Save, Close, Undo, etc.) to work properly in the Debugger(GP-508)
DebuggerFixed issue getting registers on ARM targets with GDB where command exceeded 4096 characters(GP-1356, Issue #3297, #3509)
DebuggerFixed several issues with the GDB connector's use existing session option(GP-1365)
DebuggerFixed a NullPointerException from canceling a debug launch(GP-1442)
DebuggerFixed Select Addresses button for Debugger Modules pane(GP-1450)
DebuggerFixed issue with duplicate selection actions in the debugger tool(GP-1452)
Debugger:EmulatorFixed Debugger integration and trace emulation for WoW64(GP-1245)
Debugger:GDBFixed issue with GDB/GADP hang in development mode(GP-1360)
Debugger:GDBFixed issue interrupting GDB targets launched without temporary breakpoint on main(GP-1362)
Debugger:GDBFixed issues parsing and displaying various types of GDB breakpoints(GP-1364)
Debugger:GDBFixed problem passing arguments to GDB in IN-VM and SSH modes(GP-1368)
Debugger:GDBFixed a NullPointerException when terminating GDBChanged PtySession API to prevent future occurrence(GP-1399, Issue #3487)
Debugger:TraceFixed ram not in this trace/language error(GP-1411, Issue #3509)
DecompilerFixed a corner case in the manipulation of integer ranges by the Decompiler(GP-1243, Issue #3064)
DecompilerFixed a bug in the Decompiler's renaming algorithm that could cause memory corruption in rare cases(GP-1380, Issue #3429)
DemanglerFixed GNU Demangling bug encountered when Address Table types have spaces in the parent namespace name(GP-1051)
Eclipse IntegrationFixed an exception in the GhidraDev Eclipse plugin that occurred when performing a Link Ghidra operation on projects that use a Gradle classpath container(GP-1149, Issue #3087, #3088)
ExporterIDA exporter no longer fails when function stack variables have comments(GP-1190, Issue #2350, #3309, #748)
FileSystemsFixed Ext4 handling of longer symlink paths and added support for inline data(GP-1088)
FileSystemsFixed Ext4 file system to handle volumes with blocksize 1024 and a first data block value of 1Also added support for old style block maps(GP-1094, Issue #1877)
FrameworkFixed error causing exception in the Specification Extensions panel, when importing a new callotherfixup(GP-1414, Issue #3502)
GUIFixed potential infinite loop in Function Graph edge painting(GP-1019, Issue #2114)
GUIFixed minor memory leak encountered when using Search -> For Address Tables(GP-1030, Issue #3013)
GUIFixed bug that prevented the Decompiler scalar hover tooltip from showing(GP-1071, Issue #3142)
GUIFixed NullPointerException in File System Browser when closing the current project(GP-1096, Issue #3179)
GUIFixed the script console to not lock the GUI when a large amount of text is being written(GP-1148, Issue #3251)
GUIFixed long GUI hang when attempting to Set External Program on an import within in a large Ghidra project(GP-1155, Issue #3245)
GUIFixed UI freeze when connecting to a large remote project(GP-1200, Issue #3305)
GUITweaked enablement of several search actions so that instead of being disabled when on a restricted view provider (e.g., Decompiler, FunctionGraph), they instead are enabled, but apply to the global listing provider(GP-1259)
GUIFixed stack trace in the Function Call Graph when using the Show Incoming Level Edges action(GP-1302, Issue #3327)
GUIFixed the Search Memory dialog issue that caused odd resize behavior when using the Advanced button(GP-1333, Issue #3158)
GUIFixed tracking of Favorite data types when switching between multiple open programs(GP-1391)
GUIFix user list scrollbar in shared project dialog when there is a large number of users(GP-1410)
GUIFixed bug that cause a structure field name to change when using the Retype Field action without picking a new data type(GP-1429, Issue #3483)
ImporterFixed issue with Extract and Import action trying to create invalid filenames(GP-1024, Issue #3114)
ImporterFixed Extract and Import action when highlighting bytes in the debugger view(GP-1449)
Importer:ELFCorrected ELF importer error which could occur when processing memory section overlay blocks caused by AddressOutOfBoundsException exception(GP-1052, Issue #3128)
Importer:ELFCorrected various markup issues related to packed ELF Android relocationsAdded missing ELF Arm 32-bit RELR relocation support(GP-1352, Issue #3462)
PDBFixed short timeout values when downloading PDB files(GP-1105, Issue #3184)
PDBFixed the Load PDB dialog to better handle missing or incomplete metadata(GP-1180, Issue #3289)
PDBFixed NullPointerException encountered for a particular array of enums scenario where the enum definition processing had not completed(GP-1456, Issue #3484)
ProcessorsCorrected return type for MIPS32 JIC instruction(GP-938, Issue #3022)
ProcessorsCorrected pcode for ARM/ARM-Thumb adcs and sbcs carry and overflow flag updates(GP-1043)
ProcessorsCorrected flag handling for some 6502 instructions(GP-1054, Issue #3096)
ProcessorsFixed issues with PPC register overwrites(GP-1075, Issue #1672)
ProcessorsFixed MIPS 32-bit little endian floating point register ordering(GP-1129, Issue #3212)
ProcessorsCorrected PowerPC ISA instruction manual index page numbers(GP-1218, Issue #2927)
ProcessorsUpdated Tricore manual index file to match correct page numbers(GP-1220, Issue #2926)
ProcessorsFixed bug in SuperH moveml.l instruction which caused a load instead of store register(GP-1263, Issue #3379)
ProcessorsCorrected semantics for MIPS INS instruction(GP-1290, Issue #3405)
ProcessorsCorrected MIPS64 DINS instruction semantics(GP-1291, Issue #2232)
ProcessorsCorrected semantics of PA-RISC shift conditions, which was incorrectly using the register size in bytes, as opposed to bits(GP-1292)
ProcessorsCorrected ARM neon vmrs instruction disassembly(GP-1322, Issue #3446)
ProcessorsCorrected SuperH bld and movemu instruction semantics(GP-1331, Issue #3449)
ProcessorsRemoved deprecated ARM condition code 15(GP-1332)
ProcessorsCorrected issue with x86 call instructions when stack pointer is used as a reference(GP-1357, Issue #3455)
ProcessorsCorrected MIPS pcodeop error in tlbr instruction(GP-1363, Issue #3463)
ProcessorsCorrected ARM Thumb conditional instruction it to allow the al (always) conditional(GP-1402, Issue #3499)
ProcessorsRemoved extraneous sb from ARM ldrsb instruction(GP-1412, Issue #3522)
ProgramDBCorrected language upgrade issue which could result in lost memory reference due to RefType change(GP-1392)
ScriptingRecoverClassesFromRTTIScript now consistently applies its class structures in programs that have PDB information appliedAlso, an option was added so users can decide whether to replace existing class data in thiscall functions regardless of whether they originated as PDB or not(GP-1464)
SleighCorrected sleigh-language endian-mismatch error-message formatting(GP-1132, Issue #3215)
Version TrackingFixed UnsupportedOperationException in Version Tracking when attempting to find references to register or stack addresses(GP-1084, Issue #1152)
Version TrackingFixed Version Tracking Swap button to not trigger the reloading of programs(GP-1183)

New in Ghidra 10.0.4 (Oct 1, 2021)

New in Ghidra 10.0.2 (Aug 6, 2021)

New Features:
Scripting. Created an example script which demonstrates how to use the FileBytes class to do a binary export of the current program. (GP-1157)
Improvements:
Data Types. When creating a substructure from existing components, the new structure will adopt the pack setting of the parent structure from which it was created. Note that a packed structure may still move based upon component alignment rules. (GP-1111, Issue #3193)
Decompiler. Added E key binding to the Decompiler's Equate action. (GP-1146, Issue #3195)
GUI. Added Apply button to analysis options dialog. Also added a last chance save/cancel dialog that is shown when a user cancels an options dialog that has unsaved changes. (GP-1169, Issue #3274)
Scripting. For stripped gcc binaries, improved prototype RecoverClassesFromRTTIScript identification of vtables and simple class data, constructors, and destructors. (GP-1055, Issue #3266)
Bugs:
Basic Infrastructure. Fixed regression that prevented Ghidra from launching on Windows when its path contained spaces. (GP-1113, Issue #3201, #3205)
Data Types. Fixed IllegalArgumentException error message when adding a duplicate enumerate name for EnumDataType. (GP-1173, Issue #3246)
Debugger. Changed diagnostics to write GDB.log to user directory, not installation. Clarified an error message. (GP-1133, Issue #3218)
Debugger. Improved error reporting when failing to start a Debugger GADP agent. (GP-1136, Issue #3175)
Debugger. Added system property to toggle alternative icons/colors for breakpoints. (GP-1139, Issue #3204)
Debugger. Applying a default everything memory map for GDB targets if info proc mappings fails or produces an empty list. (GP-1142, Issue #3071, #3074, #3161, #3169)
Debugger. Fixed issue with Debugger ignoring JAVA_HOME when launching child JVM. (GP-1143, Issue #3231)
Debugger. Fixed command-reply matching issue when using GDB via SSH. (GP-1153, Issue #3238)
Debugger:Emulator. Fixed bug in Trace Emulation causing ArrayIndexOutOfBoundsExceptions. (GP-1058)
Decompiler. Fixed issue causing Offset must be between... AddressOutOfBoundsException, when decompiling real-mode x86 programs. (GP-1163, Issue #239, #2948)
Decompiler. The decompiler now shows results when a HighGlobal has no associated symbol reference in the program. (GP-1184)
DWARF. Changed processing to ignore incomplete DWARF parameter lists in Rust binaries. (GP-1121, Issue #3060)
Exporter. The C/C++ Exporter now emits semicolons after function prototypes when using the Create Header File option. (GP-1145, Issue #1644)
Framework. Corrected address comparison for 64-bit signed address spaces (e.g., stack space, constant space) which could produce non-transitive comparison results. (GP-1178, Issue #3302)
Graphing. Corrected graph magnification behavior when using a high resolution mouse wheel. (GP-1181, Issue #3281, #3284)
GUI. Fixed NullPointerException when Hovering in Decompiler over a function that is not in memory. (GP-1131)
GUI. Fixed bug in Find References to search results that prevented '<' characters from being rendered. (GP-1137, Issue #3217)
GUI. Fixed issue where duplicate label names could cause the symbol tree to become unstable, evidenced by broken display and scrolling actions. Also, improved grouping algorithm. (GP-1159, Issue #3263)
GUI. Fixed Enter key in Set Equates dialog to choose the selected table row. Updated the Function Signature Editor dialog to allow the Cancel key to close the dialog when the focus is in the top text editor. (GP-1162, Issue #3235)
Headless. Fixed a regression in analyzeHeadless.bat that prevented the headless analyzer from running on Windows in some cases. (GP-1156, Issue #3261)
Importer. The MzLoader now populates the relocation table when relocations are performed. (GP-1160)
Importer:ELF. Corrected dynamic GOT/PLT markup problem for images which do not contain section headers. In cases where image does not define symbols within the PLT, analysis may be relied upon for its disassembly. ELF Importer's goal is to migrate symbols which may be defined within the PLT to the External symbol space. (GP-1110, Issue #3198)
Importer:Mach-O. The Mach-O importer now correctly interprets indirect symbols as references to symbols within another .dylib. (GP-1120)
Importer:PE. Improved ControlFlowGuard markup and creation of functions (GP-1179, Issue #1547, #1565)
Processors. Fixed bug in SuperH4 fmov.s pcode. (GP-1152)
Processors. The ARM instruction semantics for the mulitple-single-element forms of the vld1/vst1 vector instructions have been corrected. (GP-1167)
Sleigh. Fixed a string formatting error in the sleigh compiler. (GP-1124, Issue #3168)

New in Ghidra 10.0.1 (Jul 16, 2021)

New Features:
Decompiler. The Decompiler now supports conversion (hex, dec, bin, oct, char) and equate actions directly on constant tokens in the Decompiler window. To the extent possible, these actions also affect matching scalar operands in the listing. (GP-1053, Issue #21)
Improvements:
Basic Infrastructure. Ghidra now gracefully fails to launch when its path contains an exclamation point. (GP-1057, Issue #1817)
FileSystems. Can now handle multi-level Ext4 extent nodes when reading a file. (GP-1070)
Bugs:
Build. No longer building and distributing the Debugger native test binaries. (GP-1080, Issue #3160, #3177)
Debugger. Corrected potential deadlock condition within Debugger which could occur under some circumstances during a breakpoint or while stepping. (GP-1072)
Decompiler. Fixed a bug in the Decompiler causing Overriding symbol with different type size exceptions. (GP-1041)
Exporter. PE and ELF exporters no longer error out when processing non-file-backed relocations. (GP-1091)
FileSystems. Corrected problem mounting Ext4 file systems when the container file is larger than the file system. (GP-1067)
Importer:ELF. Corrected ELF relocation error reporting, including error bookmarks, when relocation handler extension is missing. (GP-1097)
Jython. Added __file__ attribute support in Jython scripts. (GP-1099, Issue #3181)
PDB. Fixed bug that prevented constructor signatures from being created properly. (GP-1086)
PDB. Fixed bug in PDB CLI processing that could kill analysis for binaries imported with older versions of Ghidra. (GP-1104)
Processors. Added ELF Relocation handler for SuperH processors. Only a few common relocation types have been added. (GP-1090)
Scripting. Fixed a potential NullPointerException that could occur when trying to run a script that doesn't exist. (GP-1074, Issue #2742)
Scripting. Improved graphing of class hierarchy in RecoverClassesFromRTTIScript and the GraphClassesScript to handle duplicate class names, class namespace delimiters, and to make better vertex descriptions. (GP-1095)
Scripting. Fixed a flaw in the RecoverClassesFromRTTIScript that was not using PDB information to create data member names in class data structures. (GP-1101)

New in Ghidra 10.0 (Jul 16, 2021)

New Features:
Debugger. Introduced the Debugger, along with GDB and dbgeng.dll connectors for debugging user-mode applications on Linux and Windows, respectively. The UI includes threads, timeline, modules, memory, registers, watches, etc., for examining and controlling debug targets. See Help -> Contents -> What's New for more details. (GP-986)
Exporter. For programs imported with the PE and ELF loaders, new exporters are available that write back to the original file layout. Any file-backed bytes that were modified by the user in the program database will be reflected in the written file (except on relocations). Writing back a modified Memory Map is not supported. (GP-786, Issue #1501, #1505, #19)
Graphing. Added Graph -> Data actions to the Code Browser, allowing visualization of specified pointer relationships in a graph. (GP-194)
Scripting. Added prototype RecoverClassesFromRTTIScript and that uses RTTI information to enhance Ghidra's knowledge of class hierarchy, class member function types (constructors, destructors, deleting destructors, clones) and class member data. The script will label and put member functions into correct class namespace and apply new class structures created either using PDB information, if available, or Decompiler pcode information. (GP-339)
Scripting. Added an example script, LocateMemoryAddressForFileOffset, to demonstrate mapping of a location in the original imported file to the program memory address. Useful for cases where the original file offset is known; for example, a YARA rule match. (GP-782)
Scripting. Created a script to allow users to search for image base offsets to the current cursor location in 32-bit and 64-bit programs. (GP-863)
Improvements:
Analysis. Function signatures, including return types and argument data types, are now decoded from CLI Metadata for .NET binaries. (GP-327)
Analysis. Switched #Strings table processing from ASCII to UTF-8 for CIL binaries. (GP-330, Issue #423)
Analysis. Added Constant, Assembly, and AssemblyRef blob processing for CIL binaries. (GP-465)
Analysis. Added the Variadic Function Signature Override analyzer, which identifies functions that take a format string as a parameter and applies the correct signature override at each call site. (GP-516)
Analysis. Added ability to save and easily reuse analysis options in customer-defined configurations. (GP-544, Issue #2182, #312)
Analysis. Ghidra analysis is now aware of more PE/Windows non-returning functions. (GP-733, Issue #2111)
Analysis. ResolveX86orX64LinuxSyscallsScript now properly marks non-returning syscalls. (GP-868, Issue #2761)
API. Revised Structure and Union API, and associated editor, to eliminate the use of the terms Unaligned/Aligned in favor of a packing enablement designation. Also corrected various change notification issues which may improve archive synchronization and merge behavior. (GP-862, Issue #2681)
API. Renamed Datatype.isDynamicallySized() to DataType.hasLanguageDependantLength() to avoid confusion. This method is used internally to differentiate between fixed-length types and those whose length is determined by the compiler specification's data organization (e.g., pointers). (GP-932)
Basic Infrastructure. Improved error reporting when trying to launch Ghidra from the git repo without Eclipse having compiled it. (GP-815, Issue #2872)
Build. Command gradle -I gradle/support/fetchDependencies.gradle init now downloads the Function ID datasets from the ghidra-data GitHub repository so they will be automatically included in development mode and custom builds. (GP-678, Issue #1007)
Build. Performing a gradle clean no longer deletes downloaded dependencies. The top-level flatRepo directory has been replaced with the dependencies directory. (GP-811, Issue #1663)
Build. Ghidra now requires Gradle 6.0 or later to build. Gradle 7.x is now supported. (GP-849, Issue #2949)
Build. Made changes to gradle code to remove warnings. (GP-993, Issue #3039)
Data Types. Added support for hexadecimal byte offset display within composite bitfield view. (GP-910, Issue #2959)
Decompiler. Decompiler analysis now automatically identifies and displays loop variables using standard for-loop syntax. When a loop variable is discovered, a condition, iteration, and optional initializer statement are displayed at the top of the loop. (GP-565)
Decompiler. Added the Max Instructions per Function Decompiler tool option, specifying the maximum number of instructions the Decompiler will decode in a single function before throwing an exception. Previously, this had been a hard-coded limit. (GP-767, Issue #2557)
Decompiler. The Decompiler now propagates datatypes across signed comparison operations, so constant integer and enum values display correctly. (GP-802, Issue #2565)
Demangler. Updated the GNU Demangler Analyzer options to provide a list of available formats from which to choose. (GP-94, Issue #2214)
Demangler. Updated the GNU Demangler's Namespace-building to improve analysis performance. (GP-706, Issue #2509)
Demangler. Improved Demangler error checking and reporting to give underlying cause of failure. (GP-850)
Documentation. Added basic instructions on how to install, build, and develop Ghidra to README.md. (GP-847)
DWARF. Improved speed and memory usage when importing large DWARF binaries. (GP-419)
DWARF. Added M68000/SVR4 DWARF register mappings. (GP-556, Issue #1610)
DWARF. Improved handling of zero-length structure components during DWARF processing. (GP-851, Issue #2191)
Exporter. Made various improvements and bug fixes and to the IDA Pro exporter. (GP-831, Issue #1897, #2788, #2882, #2891)
FileSystems. Added support for recognizing unencrypted DMG files. (GP-845)
Framework. Added support for program-specific extensions to a compiler specification. Users can now define their own calling conventions and call-fixups to integrate into decompilation and other analysis (see help for Specification Extensions). (GP-653)
Graphing. Added capability to collapse and expand nodes in the default graph display. (GP-371)
Graphing. Upgraded jungrapht to version 1.1. (GP-377)
Graphing. Refactored graph exporters into a more extensible framework. (GP-440)
Graphing. Graph layout algorithms can now be chosen programmatically. (GP-551)
Graphing. Created additional modified versions of the MinCross layout algorithms, all named to start with Vertical Hierarchical Min-Cross, so that they accept a favoredEdge predicate. When an edge is favored, a pass though the graph layers attempts to align those edges vertically. (GP-625)
Graphing. Added an option to change the background color of the Function Graph window. (GP-760, Issue #1324)
Graphing. Updated Function Graph edge routing when applying the Use Condensed Layout option to reduce edges being clipped by vertices. (GP-768)
Graphing. Added option to disable the lightening of edges in the Function Graph. (GP-769, Issue #1106)
Graphing. Added a distinct visual edge highlight beyond just a different color for graph edge selection. (GP-793, Issue #2953)
Graphing. Added Display as Graph action to the Data Type Manager, allowing visualization of embedded and referenced types of the selected types. (GP-808)
Graphing. Fixed function graph bug that prevented the satellite view from showing the primary view lens. Fixed a layout bug that allowed some vertices to get clipped when condensing the graph. (GP-940)
Graphing. Added graph API method to set descriptions (tooltips) on vertices and edges. (GP-949)
Graphing. Added Vertex and Edge attributes to GraphML export format. (GP-957, Issue #2958)
GUI. Added new Copy Special actions: Python Byte String, Python List, and C Array. (GP-210, Issue #744)
GUI. Updated the Listing to allow structure members to display Plate Comments. (GP-421, Issue #2091)
GUI. Copy/Pasting and Dragging data types now uses a progress monitor. (GP-422, Issue #2379)
GUI. Added right-click menu Data -> Save Image action to allow user to export embedded graphic resource images. (GP-426)
GUI. Changed Symbol Comment Annotation to use the existing symbol when available. This allows for the direct navigation of that symbol's address instead of using the search feature of the Go To Service. (GP-675)
GUI. Added the Shift-F10 keybinding to allow users to show the popup context menu over the currently focused item. The Menu Key can also be used on supporting keyboards. (GP-732, Issue #2790)
GUI. Fixed/Improved the behavior of global menu items and toolbar items with respect to which windows they appear in. These actions can now easily be configured to be either 1) only in menu bar and tool bar of the main window, 2) in the menu bar and tool bar of all windows, or 3) only in the windows that have components that generate the type of context that the action consumes. Added methods to the ActionBuilder class to support these three options. Also, updated numerous actions to make sure they appear in the appropriate windows. (GP-759)
GUI. Improved overall UI responsiveness when performing analysis with the Symbol Table open. (GP-788)
GUI. Updated the Function Tags table column so that it may be used in most Ghidra tables. (GP-816, Issue #2873)
GUI. Updated the Defined Strings view to reload less frequently during auto-analysis. (GP-835, Issue #2889)
GUI. Updated function hovering in the Decompiler to find the correct function tooltip when multiple functions exist with the same name. (GP-959, Issue #2604)
Importer:ELF. Added markup to ELF import for .note.gnu.build-id and .gnu_debuglink sections. (GP-468)
Importer:ELF. Added ELF import support for SHN_MIPS_TEXT and SHN_MIPS_DATA symbol section index values and provided ability for other processor-specific ELF extensions to resolve ELF symbol memory addresses. (GP-664)
Importer:ELF. Changed various ELF relocations to detect and mark unsupported data relocations which refer to the EXTERNAL block. Applied EXTERNAL data relocations, which have a non-zero offset from the external symbol, will still be incorrect but will have an error bookmark to flag the condition. The relocation addend will not be applied in this case to avoid references to a completely irrelevant symbol in the EXTERNAL block. (GP-1029)
Importer:Mach-O. Improved support for Mach-O object files. (GP-700)
Importer:PE. CustomAttrib blobs in CLI/.NET metadata are now decoded. (GP-414)
Importer:PE. Created proper external references for PE Delay Load Imports. (GP-674, Issue #2554, #2623)
Importer:PE. PeLoader can now read and interpret the .pdata section of PE files that include exception handling data. (GP-729)
Importer:PE. Added .exports XML files for the mfc71.dll and mfc71u.dll libraries. Having them allows Ghidra to translate ordinal imports from applications compiled against MFC 7.1 (from Visual Studio .NET 2003) to class and function names with parameters. (GP-1010, Issue #3051)
Listing. Improved Listing view performance, especially noticeable on functions with excessively large stack frames. (GP-268, Issue #109, #2351)
Listing. Added a tool option to hide function auto-comments that appear, trailing a function call in the Listing. (GP-752)
PDB. Improved Ghidra's ability to find and pull PDB files from symbol servers and symbol storage locations. (GP-42)
Processors. Simplified PIC24 return instruction semantics. (GP-647)
Processors. Added support for register alias specification within processor spec (*.pspec). Added WREG register aliases for PIC24 processor variants. (GP-901, Issue #2956)
Processors. Fixed issue with the PPAGE register not being properly restored after CALL instructions in the HCS12 processor. (GP-920, Issue #1099)
Processors. Fixed HCS12 IDX1 addressing with negative immediate values. (GP-937, Issue #3008)
Processors. Fixed V850 multiply-by-immediate calculation that produced an incorrect value when the fifth bit was set. (GP-939, Issue #2970)
References. Improved performance of reference management for special cases when large a number of references from the same address exist (e.g., entry point designation). (GP-696)
Scripting. ExportImageScript now exports all images within a user-selected region to files within a user-selected folder. (GP-231)
Scripting. Improved TableChooserDialog, allowing multiple rows to be processed at once. (GP-676)
Scripting. Updated the TableChooserDialog to allow clients to set the default column sort. (GP-792)
Scripting. Added Python script comment block support. (GP-843, Issue #1484, #2846)
Scripting. Added ApplyClassFunctionSignatureUpdatesScript and ApplyClassFunctionDefinitionUpdatesScript fix-up scripts that can be applied if a user makes changes to a virtual function recovered by the RecoverClassesFromRTTIScript. Both scripts identify differences between Function Signatures in the Listing and Function Definitions in the Data Type Manager, but the first script fixes all changes to match the signature and the second to match the definition. (GP-973, Issue #3081)
Sleigh. Debug info for Sleigh constructors now includes source file names. (GP-233)
Sleigh. The Sleigh compiler now issues a warning if it generates a temporary varnode which might be large enough to overlap another temporary varnode. (GP-520)
Sleigh. While register names should remain case-sensitive within a Sleigh spec during compilation/parse, register names must not duplicate in a case-insensitive manner since the Program API provides a case-insensitive register lookup by name. The Sleigh Compiler now enforces this. (GP-927)
Bugs:
Analysis. Fixed how managed code entry points in .NET binaries with CIL entry points are detected and labeled. (GP-319)
Analysis. Can now process implementation-specific data structures for Microsoft CIL compilers. (GP-461)
Analysis. Corrected processing for pointers, function pointers, custom modifiers, ValueTypes, static methods, MethodRefs, MethodDefs, and PInvokes found in .NET mixed binaries. (GP-656)
Analysis. Improved constant analysis speed when processing large binaries with a large amount of code not in defined functions, such as exception handlers. (GP-746, Issue #2509)
Analysis. When OverlayAddressSpace was refactored and Decompiler made aware of it for Ghidra 9.2, the VarnodeContext was not aware of the overlays. This was fixed and should eliminate the NullPointerException caused when the Symbolic Propagator calls the Varnode constructor. (GP-751, Issue #2785, #2787)
Assembler. Fixed assembler issue with delay-slotted instructions. (GP-587)
Assembler. Fixed assemble Patch Instruction action to work on listings other than the primary static listing. (GP-623)
Assembler. Modified assembler Patch Instruction action to ignore external symbols which produced bad offsets for instructions. (GP-645)
Basic Infrastructure. Fixed an issue with Ghidra and its supporting launch scripts not being able to run correctly on Windows when an ampersand was in the path. Also fixed an issue with svrAdmin.bat and buildGhidraJar.bat not working if the Ghidra path contained a space. (GP-693, Issue #1726, #1728)
Basic Infrastructure. Corrected "LaunchSupport expected 2 to 4 arguments but got 1" error when starting Ghidra on Windows. (GP-1050, Issue #2176, #3122)
Build. Building of pdb.exe on Windows now works if the path to the Ghidra repository contains a space. (GP-916, Issue #2998)
Build. Corrected GPL DMG module build to properly utilize the jar dependencies included within the repository and distribution. (GP-934)
Build. Corrected an issue with gradle prepDev when the Ghidra repository is on a different drive than the user's home directory on Windows OS. (GP-970, Issue #3047, #3062)
Build. Fixed a bug that prevented Ghidra from launching in Single Jar Mode when its path contained a space. (GP-1039)
C Parsing. The C-Parser bitfield parsing has been relaxed to allow declared bitfield sizes to exceed the base datatype size. The effective bitfield size may be clamped based upon the current data organization while preserving the declared size. (GP-558)
Data Types. Fixed a NullPointerException that occurred when trying to edit a function datatype in a datatype archive when there was no open program in the tool. (GP-356, Issue #2407)
Data Types. Corrected the retention of datatype archive search paths, which did not properly remember disabled paths. (GP-639)
Data Types. Fixed potential deadlock encountered when working with the DataTypes tree. (GP-774, Issue #2832)
Decompiler. Fixed endianess issue for joined, two-register returns of longlong values for MIPS 32-bit little endian variants. (GP-513)
Decompiler. The Decompiler no longer emits comments in the middle of conditional expressions. (GP-621, Issue #1670)
Decompiler. Fixed Redefinition of structure... exceptions in the Decompiler caused by a PNG Image and other opaque datatypes. (GP-820, Issue #2734)
Decompiler. Fixed infinite loop in the Decompiler when analyzing return values. (GP-821, Issue #2851)
Decompiler. Fixed bug in the Decompiler's handling of enumerated datatypes causing Shared type id exceptions. (GP-895, Issue #2909)
DWARF. Fixed and consolidated DEX and DWARF implementations of LEB128. (GP-444, Issue #2512)
DWARF. Fixed unnecessary ELF header parsing when DWARF analyzer checks if it needs to run. Improved DWARF analyzer's run-once logic. (GP-695)
DWARF. Fixed issue with DWARF data type importing that could omit the definition of a structure. (GP-929)
Eclipse Integration. Fixed a GhidraDev bug that prevented Ghidra projects from recognizing extensions installed in the user's ~/.ghidra/.ghidra_<version>/Extensions directory. (GP-873)
Extensions. Changed classpath configuration to not contain paths of removed extension libraries. (GP-522, Issue #2637)
FileSystems. Fixed several issues with extracting and importing DYLIB files contained within a DYLD file system. (GP-719, Issue #2934, #682)
FileSystems. Fixed SevenZipFileSystem to correctly fail when opening password-protected archives. (GP-730)
FileSystems. Fixed Ext4 file system to correctly handle sparse files. (GP-871)
Graphing. Fixed IllegalArgumentException when showing a graph popup window after the source component was hidden. (GP-756, Issue #1643)
Graphing. Fixed bug that caused all address in a function graph node to be colored when only the entry point address had a color applied. (GP-757, Issue #1080)
Graphing. Fixed bug in graph dominance algorithm that could cause the Select -> Scoped Flow actions to go into an infinite loop. (GP-776, Issue #2836)
GUI. Fixed UI lock-up issue related to the Function Tags table. (GP-266, Issue #2366)
GUI. Fixed missing spaces in Front End multi-line log messages. (GP-463, Issue #2534)
GUI. Fixed the following modal dialog issues: z-order changing when showing a modal dialog over a detached window; focusing the incorrect window after showing a modal dialog; script progress dialog not getting placed behind input dialog; script dialogs appearing over different windows. (GP-628, Issue #2398, #2480)
GUI. Fixed NullPointerException encountered when creating a new category in the Data Types tree while the tree is filtered. (GP-745, Issue #2799)
GUI. Fixed Right Alt key that did not work for Ghidra actions on some Windows systems. (GP-747, Issue #2008)
GUI. Fixed Function Graph bug that caused some vertex text to get clipped when using wide address format width. (GP-755, Issue #1008)
GUI. Fixed bug in the Listing scroll bar that caused some screen reader software to deadlock. (GP-772, Issue #2820)
GUI. Fixed bug that caused the UI to freeze when clicking in the Program Tree UI. The bug manifested depending upon the contents of the system clipboard. (GP-775)
GUI. Updated tooltip code to limit data types name length and updated formatting to place pertinent information at the top of the tooltip. (GP-836, Issue #2029)
GUI. Fixed exception triggered when the Bookmarks table failed to remove a deleted symbol. (GP-989, Issue #3066)
GUI. Fixed exception encountered when double-clicking a structure in an archive in the closed for edit state. (GP-998)
GUI. Fixed Function Graph stack trace encountered when changing the graph's background color option after showing and then closing the graph. (GP-1013, Issue #3058)
Importer:ELF. Added support for additional PIC30 ELF relocations (4, 5, 6) and improved register symbol resolution and markup. (GP-710, Issue #2792)
Importer:ELF. Changed processing of ELF absolute symbols (section ID 0xfff1) to treat them as constants by defining equates instead of memory symbols. (GP-902)
Importer:ELF. Corrected EXTERNAL symbol alignment for PIC24, PIC30, PIC33 during ELF import. The improperly aligned symbol addresses would cause incorrect external symbol references to appear on instructions (e.g., RCALL). (GP-906)
Importer:PE. Fixed error when importing a PE file with an uninitialized .textbss section. (GP-397, Issue #2496)
Importer:PE. Fixed a bug processing RUNTIME_INFO structures that caused a failure to load PE files under certain conditions when the list is empty. (GP-924, Issue #2995)
Importer:PE. Fixed an issue in the PeLoader that prevented PE files with 0 data directories from being imported. (GP-997, Issue #2858)
Installation. Renamed database db.Record class to db.DBRecord to avoid naming conflict with java.lang.Record class and potential import issues. (GP-193)
Jython. Fixed pasting multi-line strings into the Python interpreter panel. (GP-487, Issue #2456)
Listing. A default thunk function now reflects the namespace of the thunked function similar to the way it reflects its name. This change also allows thunk functions of a this_call to have the correct this pointer parameter. Symbol table queries based upon name and/or namespace will always exclude default thunk functions. (GP-17)
Listing. Fixed #US table processing to correctly interpret the string as UTF-16LE for CIL binaries. (GP-318)
Listing. Fixed a sporadic listing operand hover stacktrace bug. (GP-987)
PDB. Escaped more character strings in MSDIA pdb.exe XML output. (GP-578, Issue #1690)
Processors. Fixed various issues pertaining to x86 instruction prefixes. (GP-220, Issue #2286, #2297)
Processors. Refactored PPC interrupt returns to include return pcode statement. (GP-703)
Processors. Fixed issue with ARM VMRS instruction parsing in thumb. (GP-735, Issue #2750)
Processors. Corrected issue with M68000 floating point dynamic k-factor instruction semantics. (GP-736, Issue #2754)
Processors. Fixed instruction semantics for x86 MOVUPS instruction. (GP-744, Issue #2789)
Processors. Simplified SuperH div1 instruction. Corrected several SuperH instructions to set flags properly around the delay slot. (GP-753, Issue #2863, #2864)
Processors. Corrected issue with ARM co-processor registers and the MCR instruction. (GP-761, Issue #2451)
Processors. Fixed issued with x86 INSx.rep and OUTSx.rep pcode ordering. (GP-766, Issue #2829)
Processors. Corrected addresses for PIC24 TBLPAG and PSVPAG registers. (GP-798, Issue #2844, #2855)
Processors. Corrected decoding of some MODR/M opcode bytes in x86. (GP-800, Issue #2504)
Processors. Updated 8085 processor definition to disassemble XRA HL instruction. (GP-818, Issue #2447)
Processors. Corrected missing optional rex.w prefix for x86 conditional jump instructions. (GP-837, Issue #1163)
Processors. Added CALLW, ASRF, LSLF, and LSRF instructions to PIC16 language. (GP-841, Issue #1362)
Processors. Fixed ARM Thumb instructions which update the status flags to now correctly append an s to the instruction mnemonic. (GP-881)
Processors. Made corrections to wr instruction for SPARC which in some cases did not write to the appropriate ASR register. (GP-928)
Processors. Corrected issue with x86-64 CALL and RET instructions with 0x67 prefix pushing/popping the wrong address size from the stack. (GP-954, Issue #2976)
Processors. Fixed issue with delay slots modifying some instructions in SuperH processor. (GP-969, Issue #2863)
Processors. Corrected pcode for x86-64 RDMSR instruction. (GP-982, Issue #3046)
Processors. Corrected size of 20-bit signed immediate value in PPC VLE e_li instruction. (GP-1060)
Scripting. Fixed scripting bug where showing a TableChooserDialog while having AnalysisMode.DISABLED in use caused the dialog to be closed. (GP-1018, Issue #3103)
Sleigh. Fixed multiple errors in x64 vector operation semantics. (GP-799)