Patternconstraints Files: Can I add them without editing CPU files and can I specify alignment constraints?

[fmagin]

I have a binary from some weird compiler (probably Go), where Ghidra completely fails to find functions. With manual inspection it's clear that a reliable pattern to identify function starts is "int3 (0xcc) instructions before a 32 byte aligned address implies function start". But the actual first byte of a function isn't reliable, so I don't see how I could encode this in a _patterns.xml file. Skimming the existing ones I could not find anything about alignment constraints in general, so my first question is: How would I specify a pattern like this?

The second question that derives from this scenario is: How can I add those patterns without having to edit the processor files in a Ghidra fork, i.e. how could I ship these in an extension? SpecExtension doesn't seem to include such patterns, and I think that these patterns are not a feature of the processor, but of a compiler and a processor, but I don't know what the implications would be to make that possible.

[dev747368]

I have no advice regarding patterns, if it does turn out to be a go binary and the go analyzer is failing, please start a issue for that.

[fmagin]

It's a fairly mangled binary, potentially just a memory dump, so I'm not surprised that the regular Go analyzer doesn't trigger, and I'm not sure if it would work either. I see it as a comparative limitation to e.g. Binary Ninja which does manage to find the functions, but I don't know how they do it.

[emteere]

Usually int3 (0xcc) are filler bytes if the function start isn't aligned. There is the ability to specify that the patterns must be aligned. Also that the pattern can start after the matched bytes, in this case a 0xCC. Having such a loose pattern is fairly dangerous and can find alot of bad code.

Does Ghidra find any code at all?
Are the memory blocks marked executable?

There currently isn't a local pattern file extension mechanism. We tend to try and use the pattern files only for very strong function end/start patterns.

[fmagin]

Are the memory blocks marked executable?
They aren't by default, but changing them to executable and re-triggering the auto analysis does not produce many functions either. Only the first function directly at the entry-point is found, but this function obfuscates its control flow, and relies on segments that aren't actually present (Binary Ninja also fails to find those segments, so it's most likely a general issue with the binary).

Overall, it's definitely a heuristic that's prone to false positives, but in the context where this came up false positives for code are acceptable and have a near zero-cost. That's why it IMO makes sense to have this as an extra pattern and not run by default, and definitely not part of upstream Ghidra.

I can make the pattern more stringent because many functions also start with a quite similar prologue, but at the end of the day, this will be part of an internal Ghidra fork, and I'm not considering this an issue with Ghidra (otherwise I would have opened this as an issue), this is explicitly a Q&A question for how I can specify the alignment as part of a pattern. Would you mind pointing me to an existing example?

[ReversingWithMe]

I think best answer to this may be just adapting FindUndefinedFunctionsScript.java?

It seems like for your use case trying to do it the formal way through CPU files is overkill? You could adapt this to take some of those same normal patterns, but it looks like you would have all the gadgets you need to just define your patterns there or through new data files you could keep an internal stash for that are more portable (Json/Gson or xml), and probably easy enough to switch to python for even more customizability.