Open dingiso opened 1 year ago
The INDIRECT reference really was meant to handle a single case where the CALL instruction in x86 had both a read of a location and then a call to that location. It allowed the read reference to display in the call graph or block graph. I don't think it should have been added originally.
However there are many more cases where a prior instruction has loaded the call target which would not get an INDIRECT reference. Something like:

```
MOV EAX, [0x12345]
CALL [EAX]
```

This is indirect, but much more analysis would need to be done to call this INDIRECT.

```
CALL [0x12345]
```

would be the only case where the INDIRECT location would ever show up in the Call Graph.
Are you using the CallBlockModel or SimpleBlock model?
I would expect the SimpleBlock model to break the block at the call location even if the reference is unknown. If it isn't ending the block at the call, that is a bug.
For the call blocks, I could see a stand-in block or some sort of artificial CodeBlockReference where the destination CodeBlock is null. The flow should still be CALL, or whatever the normal reference would be for a COMPUTED_CALL where the destination is known. I wouldn't use INDIRECT, as that was really meant for flow through a data location. In my mind it really doesn't matter how the computed call was computed, as it could be done in many ways.
One issue is the block-models cache the information, so if the call is figured out the CodeBlockReference would be stale.
**Is your feature request related to a problem? Please describe.**
The analysis of the code block is incorrect because the CodeBlockReference does not include the indirect call.
**Describe the solution you'd like**
I would like to propose a solution by adding a boolean indicator, "indirect," to the FlowType in order to address this issue. When encountering an indirect call, the code blocks should be segmented. A code block reference should be added with the FlowType set as "Indirect & Call," and the destination block should currently be set to null, with more information added by additional analysis.
**Alternative Solution**
Regard a CodeBlockReference with no destination block and FlowType "isCall" set to true as an indication of an indirect call.
**Additional context**
I have initially implemented this solution. If it is acceptable as a new feature, I would be willing to submit a pull request (PR).
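As an added example (not code from this issue or from the Ghidra project), a GhidraScript that checks the behaviour discussed above: it walks the SimpleBlockModel, finds blocks whose last instruction is a computed call, and reports those that carry no call-flow CodeBlockReference at all, while treating a call reference with a null destination block as an unresolved indirect call (the "alternative solution"). It assumes it is run from the Script Manager, where `currentProgram` and `monitor` are supplied by GhidraScript; the class name is an assumption.

```java
import ghidra.app.script.GhidraScript;
import ghidra.program.model.block.CodeBlock;
import ghidra.program.model.block.CodeBlockIterator;
import ghidra.program.model.block.CodeBlockReference;
import ghidra.program.model.block.CodeBlockReferenceIterator;
import ghidra.program.model.block.SimpleBlockModel;
import ghidra.program.model.listing.Instruction;
import ghidra.program.model.symbol.FlowType;

// Hypothetical script name; reports SimpleBlockModel blocks that end in a
// computed call but have no call-flow CodeBlockReference recorded for them.
public class FindUnresolvedComputedCalls extends GhidraScript {

    @Override
    protected void run() throws Exception {
        SimpleBlockModel model = new SimpleBlockModel(currentProgram);
        CodeBlockIterator blocks = model.getCodeBlocks(monitor);
        int missing = 0;
        while (blocks.hasNext()) {
            CodeBlock block = blocks.next();
            Instruction last = getInstructionContaining(block.getMaxAddress());
            if (last == null) {
                continue;
            }
            FlowType flow = last.getFlowType();
            // Only blocks whose last instruction is a computed call matter here.
            if (!flow.isCall() || !flow.isComputed()) {
                continue;
            }
            if (!hasCallReference(block)) {
                missing++;
                println("computed call with no call reference at "
                    + last.getAddress() + ": " + last);
            }
        }
        println(missing + " block(s) end in a computed call without a call reference");
    }

    // True if the block model records any call-flow reference out of this block.
    // A call reference whose destination block is null is taken as an unresolved
    // (indirect) call, which is how the issue's alternative solution reads it.
    private boolean hasCallReference(CodeBlock block) throws Exception {
        CodeBlockReferenceIterator refs = block.getDestinations(monitor);
        while (refs.hasNext()) {
            CodeBlockReference ref = refs.next();
            if (ref.getFlowType().isCall()) {
                if (ref.getDestinationBlock() == null) {
                    println("  unresolved call reference from " + ref.getReferent());
                }
                return true;
            }
        }
        return false;
    }
}
```

Because the block models cache their results, re-run the script after analysis has resolved further call targets rather than relying on references collected earlier.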