GP-0 11.4 WhatsNew

emteere · ghidra1 · commit c87e45857cad · 2025-06-17T17:48:34.000-04:00
diff --git a/Ghidra/Configurations/Public_Release/src/global/docs/WhatsNew.md b/Ghidra/Configurations/Public_Release/src/global/docs/WhatsNew.md
@@ -15,17 +15,17 @@ applied Ghidra SRE capabilities to a variety of problems that involve analyzing
 generating deep insights for NSA analysts who seek a better understanding of potential
 vulnerabilities in networks and systems.
 
-# What's New in Ghidra 11.3
+# What's New in Ghidra 11.4
 This release includes new features, enhancements, performance improvements, quite a few bug fixes,
 and many pull-request contributions. Thanks to all those who have contributed their time, thoughts,
 and code. The Ghidra user community thanks you too!
 	
 ### The not-so-fine print: Please Read!
-Ghidra 11.3 is fully backward compatible with project data from previous releases. However, programs
-and data type archives which are created or modified in 11.3 will not be usable by an earlier Ghidra
+Ghidra 11.4 is fully backward compatible with project data from previous releases. However, programs
+and data type archives which are created or modified in 11.4 will not be usable by an earlier Ghidra
 version.
 
-**IMPORTANT:** Ghidra 11.3 requires at minimum JDK 21 to run.
+**IMPORTANT:** Ghidra 11.4 requires at minimum JDK 21 to run.
 
 **IMPORTANT:** To use the Debugger or do a full source distribution build, you will need Python3
 (3.9 to 3.13 supported) installed on your system.
@@ -59,110 +59,79 @@ process that will provide better results than prior Ghidra versions.  You might
 fresh import of any program you will continue to reverse engineer to see if the latest Ghidra 
 provides better results.
 
-## PyGhidra
-The PyGhidra Python library, originally developed by the Department of Defense Cyber Crime Center 
-(DC3) under the name *Pyhidra*, is a Python library that provides direct access to the Ghidra API 
-within a native CPython 3 interpreter using JPype. PyGhidra contains some conveniences for setting 
-up analysis on a given sample and running a Ghidra script locally. It also contains a Ghidra plugin 
-to allow the use of CPython 3 from the Ghidra GUI.
-
-To launch Ghidra in PyGhidra mode, run `./support/pyghidra` (or `support\pyghidra.bat`). See the
-*"PyGhidra Mode"* section of the *Getting Started* document and `Ghidra/Features/PyGhidra/README.html`
-for more information.
-
-## Visual Studio Code
-Ghidra 11.2 introduced a `VSCodeProjectScript.java` GhidraScript to assist in setting up Visual Studio Code
-project folders for Ghidra module development and debugging. This GhidraScript has been replaced in 
-Ghidra 11.3 by 2 new actions, accessible from a *CodeBrowser* tool:
-+ *Tools -> Create VSCode Module Project...*
-+ "*Edit Script with Visual Studio Code*" button in the Script Manager
-
-The "*Create VSCode Module Project...*" action provides the same capability as the old
-`VSCodeProjectScript.java` GhidraScript, creating a Visual Studio Code project folder that contains a
-skeleton module which can be used to build a variety of different Ghidra extension points
-(Plugins, Analyzers, Loaders, etc). Launchers are also provided to run and debug the module in
-Ghidra, as well as a Gradle task to export the module as a distributable Ghidra extension zip file.
-
-The "*Edit Script with Visual Studio Code*" button in the Script Manager enables quick editing and
-debugging of the selected script in a Visual Studio Code workspace that is automatically created
-behind the scenes in Ghidra's user settings directory. This provides a much snappier and modern
-alternative to Eclipse, while maintaining all of the core fuctionality you would expect from an IDE
-(auto complete, hover, navigation, etc).
-
-Ghidra will do its best to automatically locate your Visual Studio Code installation, but if cannot
-find it, it can be set via the Front-End GUI at *Edit -> Tool Options -> Visual Studio Code
-Integration*.
+
+## Search
+
+A new "Search and Replace" feature allows searching for string patterns in a wide variety
+of Ghidra elements and replacing that text with a different text sequence. Using this feature, many different
+Ghidra elements can be renamed all at once including labels, functions, name-spaces, parameters, data-types,
+field names, and enum values. This feature also supports regular expressions (including capture groups).
+After initiating a search and replace, a results table is displayed with a list of items that match the
+search. From this table, the replace actions can be applied in bulk or individually, one item at a time
+as they are reviewed.
+
+## Taint Engine Support
+
+Extended support for using taint engines, particularly CTADL (https://github.com/sandialabs/ctadl)
+and AngryGhidra (https://github.com/Nalen98/AngryGhidra), from the decompiler. Allows users to mark
+pcode varnodes as sources and sinks, displaying paths from sources to sinks as both address selections
+in the disassembly and token selections in the decompiler.
+
+## Dockerized Ghidra
+
+A new capability to build a docker image that demonstrates Ghidra's various entrypoint executions for `headless`,
+`ghidra-server`, `bsim-server`, `bsim`, `pyghidra`, and `gui` within the docker container has been included. The Docker
+image can be used as is, or can be tailored to your workflow needs.   Configuration such as the base
+image (linux distro), additional packages, and more is possible using Docker.
+
+See the `docker/README.md` for information about building a docker image for Ghidra and running within the Ghidra container. 
+
+
+## Binary Formats
+
++ New loaders for the a.out and OMF-51 binary file formats.
++ Support for Mach-O "re-exports".
++ New ability to load Mach-O binaries directly from a Universal Binary without needing to open the File System Browser.
++ DWARF will now load external debug files during analysis as is done for PDB files.
 
 ## Debugger
-The old "IN-VM" and "GADP" launchers and connectors have been removed, as their replacement
-TraceRmi-based implementations have been satisfactorily completed. On that same note, the entire API
-and supporting code base for IN-VM and GADP connectors have been removed.
-
-We've begun to explore more kernel-level debugging. Our lldb connector can now debug the macOS 
-kernel, and our dbgeng connector can now debug a Windows kernel running in a VM via eXDI.
-
-## Emulator
-We have introduced a new accelerated p-code emulator that uses Jit-in-Time translation (JIT). 
-This is *not* currently integrated in the UI but is available for scripting and plugin developers. 
-Its implementation is named `JitPcodeEmulator`, and it's a near drop-in replacement for `PcodeEmulator`. 
-See its javadoc for usage and implementation details. The JIT emulator is very new, so there may 
-still be many bugs.
-
-## Source File Information
-Source file and line information can now be added to Ghidra using a Program's SourceFileManager. 
-The DWARF, PDB, and Go analyzers now record this information by default. Source information can also
-be added programmatically; see the example scripts in the *SourceMapping* script category. 
-Source information can be viewed in the *"Source Map"* Listing Field or the `SourceFilesTablePlugin`, 
-which is accessible from the Code Browser via *Window -> Source Files and Transforms*.
-
-The *"View Source..."* Listing action, enabled on addresses with source file information, opens a 
-source file at the correct line in either Eclipse or Visual Studio Code (there is a *"Source Files 
-and Transforms"* tool option to determine the viewer). The SourceFilesTablePlugin can be used to 
-modify the source file paths stored in the SourceFileManager before sending them to Eclipse or 
-Visual Studio Code.
-
-## Function Graph
-The Function Graph has had a number of improvements:
-+ Added new *"Flow Chart"* layouts
-+ Position of the satellite view can be configured
-+ Ctrl-Space toggles between the Listing and the Function Graph (starting fully zoomed in vs. fully
-  zoomed out is controlled by a Function Graph option)
-
-## String Translation and Text Search
-+ String translation has an additional translator available using the LibreTranslate service.
-  The LibreTranslate project (currently hosted at libretranslate.com) is an independent project
-  that provides an open source translation package that can be self-hosted, meaning you can translate
-  strings without sending them to a second party to translate, using an existing LibreTranslate server.
-  For more information search for LibreTranslate in the online Ghidra help pages.
-  **NOTE:** The LibreTranslate plugin is not enabled by default, and is added in the 
-  *File -> Configure* menu.
-
-+ The ability to search the text of all decompiled functions has been added.  Decompilation during
-  search occurs on the fly, so the latest decompilation results of all functions are used for the
-  search.  The search can take some time depending on the number and size of functions in your binary.
-  The new action can be found at *Search -> Decompiled Text...*.
+
+There have been numerous improvements, extensions for new targets, better launching and configuration, and bug fixes to the debugger.
+
+## Analysis Speed
+
+Constant and Stack analysis time has been greatly decreased through algorithm improvements and better threading.  There has been additional
+work to loosen locking of the program database where possible.  By locking only when necessary, multiple threads can better analyze the program
+and interaction with the GUI during analysis should be more responsive.
+
+## Golang
+
+Golang binary analysis analysis has been improved.
++ Analysis has been improved to model closures, interface methods, and generic functions more accurately.
++ Function signatures for core golang library functions are automatically applied.
++ Decompilation results are improved by filtering some verbose golang garbage collection function logic.
++ Addressed finding the Golang bootstrap information in stripped PE binaries.
+
+## BSim
+
+PostgreSQL for BSim has been updated to version 15.13 and the JDBC driver to 42.7.6.  This resolves issues with building PostgreSQL
+server on newer releases of Linux and compiler toolchains which compile with -std=c23 option by default.  In addition,
+building of PostgreSQL for linux_arm_64 and mac_arm_64 based platforms is supported.
+
++ BSim is now installed in the default Codebrowser tool.
++ Function names now update in BSim search results overview if the name is changed elsewhere in Ghidra.
 
 ## Processors
-+ The x86 EVEX instruction write and read masking has been implemented for all AVX-512 instructions.
-  The handling of the mask is necessary as semantics are added for individual AVX-512 instructions.
-+ TI_MSP430 decompilation has been improved through numerous changes to the processor's compiler
-  specifications file.
-+ Corrected ARM VFPv2 instructions which were not disassembling correctly.
-
-## Other Improvements 
-+ Much of Ghidra's standalone documentation has been modernized to the Markdown format. Generated 
-  HTML versions are provided alongside the Markdown files for convenience. Converting all relevant
-  documents to Markdown remains an ongoing process.  **NOTE:** There are no plans to convert the
-  internal Ghidra help system to Markdown, as the Java Help library does not support it.
-+ Libraries can now be loaded into an already-imported program with the *File -> Load Libraries...*
-  action.
-+ The CParser macro pre-processing will now halt on *"#error"* directives.  This change had a ripple
-  effect and uncovered a myriad of bugs which have been addressed.  In addition, the interim parsing
-  output has been improved to allow easier diagnosis when problems in parsing occur due to incorrect
-  define values or other header file issues.
-+ Finally, a new `CreateUEFIGDTArchivesScript.java` parsing script has been added to parse UEFI header files
-  available from `github.com/tianocore/edk2`.  Using a script vice released pre-parsed GDT files allows the
-  end user to parse the correct version with a configuration fitting their needs.
+
++ Enhanced support for the x86 AVX-512 processor extension with additional instruction support - including the BF16, FP16 and VNNI extensions.
++ Implemented many AARCH64 Neon instruction semantics to improve decompilation.
++ Upgraded pcodetest framework scripts to python3 and improved command-line options.
+
+## Other Improvements
+ + Many calling conventions for various processors/compilers have been improved using the more flexible decompiler rules 
+ when the data types for parameters and return values are known.
+ + Upgraded many 3rd party dependencies to address potential bugs and CVE's, including jars for Bouncy Castle,
+ Apache Commons Compress, Apache Commons Lang3, Apache Commons IO, protobuf, and JUnit.
 
 ## Additional Bug Fixes and Enhancements
 Numerous other new features, improvements, and bug fixes are fully listed in the 
