ghidra icon indicating copy to clipboard operation
ghidra copied to clipboard

Published 20 hours ago verified publisher icon NationalSecurityAgency

[Analyzer] Add search for non-ASCII strings in the Auto-Analyzer

Open Risae opened this issue 5 years ago • 2 comments

Is your feature request related to a problem? Please describe. I am mostly working with non-ASCII/Unicode encoded files (Japanese SHIFT-JIS in my case). Using the Auto-Analyze function of Ghidra i can find all ASCII Encoded Strings using "ASCII Strings", but as far as i can see a function to search for non-ASCII string does not exist right now. I have to use a HEX Editor, which displays the strings correctly with the right encoding, and manually change the "broken" strings (which are not displayed correctly in Ghidra-ASCII) to the correct encoding so they are actually useable. As far as i can see, this has to be done manually one by one for every string.

Describe the solution you'd like Using the "ASCII Strings" Auto-Analyzer as an example, the Auto-Analyzer could need an additional function which the user can specify which encoding you are searching for.

Describe alternatives you've considered There are some other solutions/scripts available for Ghidra, for example: StringSearcher PascalStringSearcher and AbstractStringSearcher

But the Auto-Analyzer doesn't have a build-in string searcher, in which you can tell Ghidra what exacly to search for.

Additional context Auto-Analyzer "ASCII Strings" function which i mentioned above: https://i.imgur.com/BGwloHP.png "Search for Strings" tab, which only can search for Pascal encoded strings: https://i.imgur.com/XK7fkUI.png StringSearcher: https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Base/src/main/java/ghidra/program/util/string/StringSearcher.java PascalStringSearcher: https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Base/src/main/java/ghidra/program/util/string/PascalStringSearcher.java AbstractStringSearcher: https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Features/Base/src/main/java/ghidra/program/util/string/AbstractStringSearcher.java

Risae avatar Feb 29 '20 18:02 Risae

This would be really useful in Windows, where you'll often have UTF-16/UCS-2 strings

sundhaug92 avatar Jul 31 '20 13:07 sundhaug92

Wishful thinking.

ryu-highabusa avatar Oct 02 '22 13:10 ryu-highabusa

Would be nice to get this back on the radar; working on a blob at the moment that's very euc-jp string heavy and it's slow going - would be a definite time saver.

Wh1terat avatar Dec 21 '22 16:12 Wh1terat

This is in my work queue and I have been playing around with this already. (example binaries welcome)

dev747368 avatar Dec 22 '22 00:12 dev747368

That's excellent to hear, many thanks 😺 Do you have a method for me to send binaries privately?

Wh1terat avatar Dec 22 '22 23:12 Wh1terat

[email protected] works

dev747368 avatar Dec 23 '22 17:12 dev747368

Let me know if you need help debugging this feature!

Risae avatar Sep 10 '23 05:09 Risae

Thank You @ryanmkurtz and @dev747368 !

Risae avatar Dec 04 '23 14:12 Risae