Ghidra: backend may identify functions as labels

Open colton-gabertan opened this issue 1 year ago • 1 comments

Description

One Ghidra backend limitation found during testing is that it may identify what should be a function as a label during its analysis.

Steps to Reproduce

See mimikatz.exe_:0x40e5c2

Expected behavior:

Should be identified as a function (FUN_0040e5c2)

Actual behavior:

Ghidra identifies this address as a label instead (LAB_0040e5c2)

Versions

Ghidra 10.3.2
capa 6.0.0

colton-gabertan, Aug 22 '23 17:08

This issue may raise concern for the Ghidra developers, and on the capa side, we may need to tailor the unit testing to accommodate this difference. Specifically, this would affect the current FEATURE_COUNT_TESTS.

colton-gabertan, Aug 22 '23 17:08