Add support for PowerPC COFF Relocations
Windows NT 4.0 for PowerPC uses COFF for the bootloader. Vanilla Ghidra 10.4 doesn't want to open these executables without the PPC relocation handler, even though these executables don't even have any relocations.
This code is based on the x86_32 COFF relocation handler and the official Microsoft docs.
VENEER.EXE (PPC default 32-bit LE):
Hello. If possible, can you attach your test binary?
Sure, here are a couple of files that I used for testing. Both are PowerPC, default, 32-bit, Little-endian.
I am not reproducing the issue of Ghidra 10.4 not being able to import these files. I am getting the error that there is a missing relocation handler, but the import succeeds and I am able to open/analyze. Was that not your experience?
Oh, that's embarrassing. I was double-clicking on the blue part of the line, and it didn't open the file. Clicking just on the label works. Sorry for wasting your time on that. ☹️
Still, this red message looks ominous, so I guess my commit is not that useless after all. 😄
Yes, not useless...I just wish we had a binary to test the 2 relocations you implemented.
Additionally, testing these files has inspired me to make some quality of life improvements to the CoffLoader. I am going to mark up the COFF header, and at least detect that it's a PowerPC processor to greatly reduce the number of processors you have to filter out to find the right variant. I will take your relocation file, but I might remove those 2 implementations if I don't feel confident in them without testing them.
That's great! I'll look for a proper PowerPC COFF executable.
Ok, I'll wait to hear back from you before I decide on your relocation implementations.
@rndtrash Any luck finding samples?
I did not find a sample yet, but I have some suspicions: it looks like Visual C++ for Power PC might generate a COFF object.
Oh, did you find a sample? 😮
No, I just removed those 2 implementations until one can be found.
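
An added sketch, not part of this pull request or of Ghidra's CoffLoader: a way to check a candidate sample for what the thread is looking for, a PowerPC COFF file whose section headers report a nonzero relocation count. The machine values and header layouts are from the Microsoft PE/COFF specification; the function names are hypothetical, the sample bytes are constructed, and the file is assumed to be a raw COFF image with the file header at offset 0.

```python
import struct

# Machine values from the Microsoft PE/COFF specification.
PPC_MACHINES = {0x01F0: "IMAGE_FILE_MACHINE_POWERPC",
                0x01F1: "IMAGE_FILE_MACHINE_POWERPCFP"}
FILE_HDR = struct.Struct("<HHIIIHH")      # 20-byte COFF file header
SECT_HDR = struct.Struct("<8sIIIIIIHHI")  # 40-byte section header


def summarize_coff(data: bytes) -> dict:
    """Report the machine type and per-section relocation counts of a raw COFF image."""
    if len(data) < FILE_HDR.size:
        raise ValueError("too short for a COFF file header")
    machine, nsect, _ts, _symptr, _nsyms, opt_size, _flags = FILE_HDR.unpack_from(data, 0)
    off = FILE_HDR.size + opt_size  # the section table follows the optional header
    sections = []
    for i in range(nsect):
        if off + SECT_HDR.size > len(data):
            raise ValueError(f"section header {i} runs past end of file")
        fields = SECT_HDR.unpack_from(data, off)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[7]))  # fields[7] is NumberOfRelocations
        off += SECT_HDR.size
    return {"machine": PPC_MACHINES.get(machine),  # None if not PowerPC
            "machine_id": machine,
            "sections": sections,
            "total_relocations": sum(n for _, n in sections)}


def build_sample(machine: int, relocs_per_section: dict) -> bytes:
    """Constructed test input: header-only COFF image, no optional header."""
    out = FILE_HDR.pack(machine, len(relocs_per_section), 0, 0, 0, 0, 0)
    for name, nrelocs in relocs_per_section.items():
        out += SECT_HDR.pack(name.encode(), 0, 0, 0, 0, 0, 0, nrelocs, 0, 0)
    return out


if __name__ == "__main__":
    # Constructed samples: one without relocations, one with three in .data.
    for relocs in ({".text": 0, ".data": 0}, {".text": 0, ".data": 3}):
        info = summarize_coff(build_sample(0x01F0, relocs))
        verdict = "usable for testing" if info["total_relocations"] else "no relocations"
        print(info["machine"], info["sections"], verdict)
```
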