NationalSecurityAgency / ghidra

Ghidra is a software reverse engineering (SRE) framework
https://www.nsa.gov/ghidra
Apache License 2.0

Apply Function Signatures to renamed Labels which match Windows API calls #5234

Closed irfan-eternal closed 1 year ago

irfan-eternal commented 1 year ago

Is your feature request related to a problem? Please describe. Another paid decompiler has this very useful feature, i.e. when a function name matches a Windows API it automatically applies its function signature. I searched the web for whether Ghidra has something like this, but I was not able to find it. If this feature is there, it will help in many ways, like identifying stack depth, stack variable reuse, better decompiled code etc.

Describe the solution you'd like If a function name matches a Windows API, Ghidra should automatically apply its function signature. [image] The above image is an example: here the label GetSecurityInfo is a Windows API. It will be great if we can apply the function signature for this.

Describe alternatives you've considered I checked whether this feature already exists using multiple search engines and also posted in Reddit's Ghidra community, but I was not able to find an answer, which led me here to post it as a feature request.

Additional context Another example: [image]

astrelsky commented 1 year ago

Set the type of GetSecurityInfo to GetSecurityInfo *
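The tip above, done for every matching label at once, as an added example that is not the Ghidra project's own code. It is a GhidraScript (the script name and the `//@category` tag are my choice) that indexes every FunctionDefinition in the program and in every archive currently open in the Data Type Manager (it assumes a Windows archive such as windows_vs12_32.gdt has been opened there), then applies the equivalent of "`<name> *`" to each plain label whose name exactly matches a definition. The calling convention, including `__stdcall` on 32-bit Windows definitions, comes from the archive's definition, so it is not set here.

```java
// ApplyWinApiSignaturesToLabels.java  (hypothetical script name, not shipped with Ghidra)
// For every plain label whose name matches a FunctionDefinition in an open data type
// archive, apply "<name> *" at the label's address: the manual step suggested in the thread.
//@category Examples

import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

import ghidra.app.script.GhidraScript;
import ghidra.app.services.DataTypeManagerService;
import ghidra.program.model.address.Address;
import ghidra.program.model.data.DataType;
import ghidra.program.model.data.DataTypeManager;
import ghidra.program.model.data.FunctionDefinition;
import ghidra.program.model.data.PointerDataType;
import ghidra.program.model.listing.Listing;
import ghidra.program.model.symbol.Symbol;
import ghidra.program.model.symbol.SymbolType;

public class ApplyWinApiSignaturesToLabels extends GhidraScript {

    @Override
    protected void run() throws Exception {
        Map<String, FunctionDefinition> defs = collectFunctionDefinitions();
        println("Function definitions available: " + defs.size());

        Listing listing = currentProgram.getListing();
        int applied = 0;
        int skipped = 0;

        for (Symbol sym : currentProgram.getSymbolTable().getAllSymbols(true)) {
            if (monitor.isCancelled()) {
                break;
            }
            // Only plain labels; functions already carry their own signature.
            if (sym.getSymbolType() != SymbolType.LABEL) {
                continue;
            }
            FunctionDefinition def = defs.get(sym.getName());
            if (def == null) {
                continue;
            }
            Address addr = sym.getAddress();
            // A label on an instruction or outside memory is not a pointer slot; leave it alone.
            if (!addr.isMemoryAddress() || listing.getInstructionAt(addr) != null) {
                skipped++;
                continue;
            }
            // Same as typing "GetSecurityInfo *" in the Data Type dialog.
            DataType ptr = PointerDataType.getPointer(def, currentProgram.getDataTypeManager());
            try {
                createData(addr, ptr);
                applied++;
            }
            catch (Exception e) {
                // Conflicting defined data already at the address: report, do not clobber.
                printerr(addr + " " + sym.getName() + ": " + e.getMessage());
                skipped++;
            }
        }
        println("Applied " + applied + " signature pointer(s), skipped " + skipped);
    }

    /** Index function definitions by name from the program and every open archive. */
    private Map<String, FunctionDefinition> collectFunctionDefinitions() {
        Map<String, FunctionDefinition> defs = new HashMap<>();
        // Headless runs have no tool; fall back to the program's own data type manager.
        DataTypeManagerService service = state.getTool() == null ? null
                : state.getTool().getService(DataTypeManagerService.class);
        DataTypeManager[] managers = service != null ? service.getDataTypeManagers()
                : new DataTypeManager[] { currentProgram.getDataTypeManager() };
        for (DataTypeManager dtm : managers) {
            Iterator<FunctionDefinition> it = dtm.getAllFunctionDefinitions();
            while (it.hasNext()) {
                FunctionDefinition def = it.next();
                defs.putIfAbsent(def.getName(), def); // first manager seen wins on duplicates
            }
        }
        return defs;
    }
}
```

Run it from the Script Manager with the Windows archive open. Matching is by exact name, so decorated labels such as `_GetSecurityInfo@32` are not touched, and the script reports rather than overwrites any address that already holds conflicting defined data.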

irfan-eternal commented 1 year ago

Thanks @astrelsky, that was a great tip. [image] Now the parameters of the Windows API functions are correctly identified and correctly typed.

I have one more concern, which is resolving the stack depth change for calls to Windows APIs, which leads to stack variable reuse not being identified. [image] In the above image you can see [ESP + 0xb4] is being identified as 2 separate stack variables due to the stack depth change.

I know that we can change the stack depth by going to Function > Set Stack Depth Change [image], but here there are a lot of Windows API calls using registers. Changing the stack depth at every Windows API call using registers is not a viable solution. Is there a way to resolve this?

irfan-eternal commented 1 year ago

@astrelsky Sorry, I know that my comment was too long. What I need now, in short, is that indirect calls to Windows APIs using registers in the disassembly should use the __stdcall calling convention, so that the stack depth is changed automatically.

astrelsky commented 1 year ago

> @astrelsky Sorry, I know that my comment was too long. What I need now, in short, is that indirect calls to Windows APIs using registers in the disassembly should use the __stdcall calling convention, so that the stack depth is changed automatically.

This should already occur automatically. Usually when I see this the issue is elsewhere.

irfan-eternal commented 1 year ago

Thanks @astrelsky. My decompiled code is much better now.