
[Feature Request] Syscall support (or only arguments)

Open VelocityRa opened this issue 5 years ago • 2 comments

  • By "only arguments" I mean the feature of being able to at least have syscall calls in the decompiler show arguments. Ghidra doesn't let you re-define that syscall function (I assume it's a special kind of func defined somewhere), I'm not sure how to go about it from the GUI. But I assume that the extension is able to, somehow? It'd be useful to re-define it as syscall(void *arg1, void *arg2, void *arg3) etc. to at least aid with capturing arguments passed into it.

  • By "syscall support" I mean the more fully-fledged feature of having a hardcoded list of the syscalls in the extension (ID -> syscall proto), and on each syscall instruction the right one recognized from the value loaded in v1 and communicated with the decompiler to show it as the correct function (name + signature).

VelocityRa, Sep 19 '20 14:09

Note: I'm aware there's already pattern matching for the syscalls, but

  • That's only for the wrappers, it does not apply to stray syscalls that aren't in these specific wrappers
  • There are no syscall function signatures, just the names

VelocityRa, Sep 19 '20 15:09

I think this should be possible by making the syscall instruction a call and then utilizing call fixup. I know there is a script in the Ghidra repo to do this for Linux syscalls.

astrelsky, Oct 06 '20 22:10
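
The lookup the request describes (find each `syscall`, recover the constant loaded into v1, map it to a name and prototype) can be sketched outside Ghidra over raw little-endian MIPS bytes. This is an added example, not code from the extension or from the Ghidra repository; the syscall table and the sample bytes are constructed placeholders, and it does not implement call fixup.

```python
import struct

# Constructed placeholder table (ID -> name, prototype); NOT the real EE syscall list.
SYSCALLS = {
    0x10: ("sample_create", "int sample_create(void *param)"),
    -0x11: ("sample_isignal", "int sample_isignal(int id)"),
}
V1, WINDOW = 3, 8   # $v1 register number; instructions to look back from a syscall

def fields(w):
    return w >> 26, (w >> 21) & 0x1F, (w >> 16) & 0x1F, (w >> 11) & 0x1F, w & 0x3F

def load_imm_v1(w):
    """Constant placed in $v1 by `addiu/ori $v1,$zero,imm`, else None."""
    op, rs, rt, _, _ = fields(w)
    if rs != 0 or rt != V1 or op not in (0x09, 0x0D):
        return None
    imm = w & 0xFFFF
    return imm - 0x10000 if op == 0x09 and imm & 0x8000 else imm  # addiu sign-extends

def writes_v1(w):
    op, _, rt, rd, funct = fields(w)
    if op == 0:                                   # SPECIAL: R-type writes rd
        return rd == V1 and funct not in (0x08, 0x0C, 0x0D)
    # ALU-immediate and load forms write rt; coverage of other writers is partial
    return rt == V1 and (0x08 <= op <= 0x0F or 0x20 <= op <= 0x27)

def is_jump(w):
    op, _, _, _, funct = fields(w)
    return op == 0x02 or (op == 0 and funct == 0x08)   # j / jr

def resolve_syscalls(code, base):
    n = len(code) // 4
    words = struct.unpack("<%dI" % n, code[:n * 4])
    found = []   # (address, id or None, name or None, prototype or None)
    for i, w in enumerate(words):
        if fields(w)[0] != 0 or fields(w)[4] != 0x0C:   # not `syscall`
            continue
        num = None
        for j in range(i - 1, max(i - 1 - WINDOW, -1), -1):
            if j >= 1 and is_jump(words[j - 1]):        # delay slot of another block
                break
            num = load_imm_v1(words[j])
            if num is not None or writes_v1(words[j]):
                break
        name, proto = SYSCALLS.get(num, (None, None))
        found.append((base + 4 * i, num, name, proto))
    return found

# Constructed sample: two wrappers and a stray syscall whose $v1 is not a constant.
SAMPLE = struct.pack("<9I", 0x24030010, 0x0000000C, 0x03E00008, 0, 0x2403FFEF,
                     0x24840001, 0x0000000C, 0x00801821, 0x0000000C)
```

`resolve_syscalls(SAMPLE, 0x100000)` reports the third syscall with an ID of `None`, which is the stray case where a linear backward scan cannot recover the number and real data-flow analysis would be needed.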