Open Phylante opened 3 years ago
Looking at 0x5436a0, Ghidra does not detect the stack parameter. Looking at the facts file:
```
[eschwartz@pd4 heroes]$ cat heroes4h.exe.facts.new | fgrep 0x5436a0
returnsSelf(0x5436a0).
noCallsBefore(0x5436a0).
noCallsAfter(0x5436a0).
insnCallsDelete(0x5436b2, 0x5436a0, sv_12338242822627251453).
funcOffset(0x5436b2, 0x5436a0, 0x8dbd90, 0).
methodMemberAccess(0x5436a9, 0x5436a0, 0, 0x4).
possibleVFTableWrite(0x5436a9, 0x5436a0, 0, 0x97b338).
initialMemory(0x97b338, 0x5436a0).
callingConvention(0x5436a0, '__thiscall').
callingConvention(0x5436a0, '__fastcall').
callingConvention(0x5436a0, '__vectorcall').
funcParameter(0x5436a0, ecx, sv_12338242822627251453).
funcParameter(0x5436a0, 0x1, sv_10048289801303828325).
funcReturn(0x5436a0, eax, sv_12338242822627251453).
callParameter(0x5436b2, 0x5436a0, 0, sv_12338242822627251453).
callReturn(0x5436b2, 0x5436a0, eax, sv_11991620075944868195).
callTarget(0x5436b2, 0x5436a0, 0x8dbd90).
```
OOAnalyzer does detect the stack parameter, namely `funcParameter(0x5436a0, 0x1, sv_10048289801303828325)`.
Unfortunately, we don't export this information to either the results file, or the json file. So naturally the Ghidra plugin does not use it to correct the call parameters.
So this is more of a feature request than a bug. I do think it is a worthwhile feature, but I know I won't be able to get to it immediately.
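An added example, not part of the original comment or of the Pharos/OOAnalyzer code: a small Python script that pulls `funcParameter` facts out of a facts file and lists the functions that have stack parameters, which is the information the comment says is not exported. It assumes, from the two facts quoted above, that a numeric position (`0x1`) denotes a stack parameter and a register name (`ecx`) a register parameter; all function names in the script are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the fact lines quoted in the comment above.
SAMPLE_FACTS = """\
callingConvention(0x5436a0, '__thiscall').
funcParameter(0x5436a0, ecx, sv_12338242822627251453).
funcParameter(0x5436a0, 0x1, sv_10048289801303828325).
funcReturn(0x5436a0, eax, sv_12338242822627251453).
"""

FACT_RE = re.compile(r"^\s*(\w+)\((.*)\)\.\s*$")
NUMBER_RE = re.compile(r"^(0x[0-9a-fA-F]+|\d+)$")

def parse_fact(line):
    """Return (predicate, [args]) for one 'name(a, b, c).' line, else None.
    Splits on commas, so quoted atoms containing commas are not supported."""
    m = FACT_RE.match(line)
    if not m:
        return None
    args = [a.strip().strip("'") for a in m.group(2).split(",")]
    return m.group(1), args

def func_parameters(lines):
    """Map function address -> {'register': [...], 'stack': [...]}."""
    params = defaultdict(lambda: {"register": [], "stack": []})
    for line in lines:
        fact = parse_fact(line)
        if not fact or fact[0] != "funcParameter" or len(fact[1]) != 3:
            continue
        func, position, sv = fact[1]
        # Assumption: numeric position = stack parameter, anything else = register.
        if NUMBER_RE.match(position):
            index = int(position, 16) if position.lower().startswith("0x") else int(position)
            params[int(func, 16)]["stack"].append((index, sv))
        else:
            params[int(func, 16)]["register"].append((position, sv))
    return dict(params)

def stack_param_report(lines):
    """One line per function that has at least one stack parameter."""
    out = []
    for func, p in sorted(func_parameters(lines).items()):
        if p["stack"]:
            pos = sorted(i for i, _ in p["stack"])
            out.append(f"{func:#x}: {len(pos)} stack parameter(s) at positions {pos}")
    return out

if __name__ == "__main__":
    print("\n".join(stack_param_report(SAMPLE_FACTS.splitlines())))
```

On a real facts file, pass the open file object to `stack_param_report` instead of the sample lines; lines that are not facts are skipped.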
Issue was reported here at first: https://github.com/cmu-sei/pharos/issues/150#issuecomment-762829289
Many stack parameters are missing for recovered methods after loading into Ghidra. In almost 80% of the recovered methods, at least one parameter is missing and needs to be added manually to the function signature. There are lots of cases, not only with destructors, but here is an example:

![image](https://user-images.githubusercontent.com/6190873/105507028-fba55e00-5cca-11eb-9ad0-37a7c4e26608.png)

Here are some addresses where we can see this: