Why Gemfury?
Push, build, and install
RubyGems
npm packages
Python packages
Maven artifacts
PHP packages
Go Modules
Debian packages
RPM packages
NuGet packages
Repository URL to install this package:
|
Version:
9.1~250226-1.fc41 ▾
|
// Patfind plugin options
// The base directory where the XML pattern files are stored.
// The directory structure maps the Ghidra directory structure, i.e.
// PATTERN_SEARCH_DIR/<processor>/data/patterns/<patternfile>.XML
// When empty in this config file, the default dir is IDADIR/cfg/ghidra_patterns
PATTERN_SEARCH_DIR = "";
// Auto-run mode for the plugin.
// 0: Auto-run is off
// 1: Binary-like only. The patfind plugin will only be called when the input file is a binary-like file (raw binary or hex file).
// 2: All. The patfind plugin will be called for any input file.
// Default is 1, binary-like only.
AUTO_RUN = 1
// The setting can be overridden using a command-line option.
// For example: -Opatfind:auto_run=2
// ---------------------------------------------------------------------------------------------------------------------------------
// Explanation of the XML pattern files.
//
// Enabling Patfind for not yet supported processors is fairly easy, by adding an XML pattern file
// in the corresponding directory (with the same name as the processor name in IDA) should be enough.
//
//
// The Patfind plugin supports the Ghidra pattern file format with some optional features, explained below.
//
//
// First addition concerns the endianness of the patterns. This allows to reuse the same pattern file for both LE and BE if desired.
// In order to do so, we need to specify the endianness in which the patterns are defined. A new attribute, "endianness",
// was introduced for the "patternlist" tag.
//
// ex.
// <patternlist endianness="le">
//
// It's impossible to assume a default, so if not defined, the patterns are used "as is".
//
// Some more information is needed to be able to reverse patterns. The attribute "itemsize" for patternpairs must also be defined.
//
// ex.
// <patternpairs itemsize="16">
//
// This means that the patterns inside the "data" tags will be reversed to another endianness for each 16 bits (2 bytes).
//
// ex.
// The byte sequence in data here,
//
// <patternpairs itemsize="16">
// <data>0x.. 0x68 ....0000 0xb5</data>
//
// will become "0x68 0x.. 0xb5 ....0000" after reversing
//
// If the processor has besides 2 byte intructions also 4 bytes instructions, it's advisable to define two different patternpairs,
// one with itemsize="16" and another with itemsize="32"
//
// But even then, it can happen that some instructions in the same pattern have a different size or a 4 byte instruction needs to be reversed per 2 bytes.
// Therefore, the "data" tag can have one or more "items"
// When an <item> tag is used, the entire pattern within that tag will be reversed.
//
// ex.
// <patternpairs itemsize="16">
// ...
// <data><item>0xbde8 ........ 1.......</item></data>
//
// After reversing, the byte sequence will be "1....... ........ e8 bd"
//
// another example:
//
// <patternpairs itemsize="32">
// <data><item>0x7847</item><item>0x00a0</item></data>
//
// After reversing the byte sequence will be "47 78 a0 00"
//
// When item tags are used within a data tag, the entire pattern must be defined using item tags,
// since there is no way of knowing anymore what the default itemsize is.
//
//
// Second addition to the Ghidra format is the "alignment" attribute on "patternpairs".
//
// ex.
// <patternpairs alignment="4">
//
// "alignment" specifies the alignment of function start addresses. For example, if the aligment is "4",
// functions can only start at an address that is a multiple of 4.
// If not defined, alignment="1' is assumed.
//
//
// Third addition is the tag "optional_post".
//
// ex.
//
// <optional_post>
// <data> 0x.. 0x0. 0x9f 0x.5 </data>
// </optional_post>
//
// It's defined under patternpairs just like prepatterns and postpatterns.
// "optional_post" are patterns that can occur before a postpattern and if so the function will start at the address of the matching optional_post pattern.
// Sometimes compilers insert instructions before the commonly observed postpatterns: a mov, another push, etc... Adding all possibilities to the postpatterns
// would make that list very long.
//