ghidra.xml.XmlException: got element group but expected start element [ pentry ]

Open T-RN-R opened this issue 1 year ago • 1 comments

When starting the Type Inference analysis I get the following error message:

(These messages are also written to the application log file)

got element group but expected start element [ pentry ]
ghidra.xml.XmlException: got element group but expected start element [ pentry ]
	at ghidra.xml.AbstractXmlPullParser.start(AbstractXmlPullParser.java:107)
	at internal.ParseCspecContent.parseInput(ParseCspecContent.java:333)
	at internal.ParseCspecContent.getCconvRegister(ParseCspecContent.java:305)
	at internal.ParseCspecContent.parsePrototype(ParseCspecContent.java:279)
	at internal.ParseCspecContent.parseCspecFile(ParseCspecContent.java:256)
	at internal.ParseCspecContent.parseSpecs(ParseCspecContent.java:81)
	at PcodeExtractor.createProject(PcodeExtractor.java:316)
	at PcodeExtractor.run(PcodeExtractor.java:71)
	at ghidra.app.script.GhidraScript.executeNormal(GhidraScript.java:403)
	at ghidra.app.script.GhidraScript.doExecute(GhidraScript.java:258)
	at ghidra.app.script.GhidraScript.execute(GhidraScript.java:236)
	at binary_type_inference.GetBinaryJson.generateJSONIR(GetBinaryJson.java:97)
	at binary_type_inference.BinaryTypeInference.produceArtifacts(BinaryTypeInference.java:283)
	at binary_type_inference.BinaryTypeInference.run(BinaryTypeInference.java:475)
	at binary_type_inference.TypeAnalyzer.added(TypeAnalyzer.java:213)
	at ghidra.app.plugin.core.analysis.OneShotAnalysisCommand.applyTo(OneShotAnalysisCommand.java:48)
	at ghidra.app.plugin.core.analysis.AutoAnalysisManager$AnalysisTaskWrapper.run(AutoAnalysisManager.java:686)
	at ghidra.app.plugin.core.analysis.AutoAnalysisManager.startAnalysis(AutoAnalysisManager.java:786)
	at ghidra.app.plugin.core.analysis.AutoAnalysisManager.startAnalysis(AutoAnalysisManager.java:665)
	at ghidra.app.plugin.core.analysis.AutoAnalysisManager.startAnalysis(AutoAnalysisManager.java:630)
	at ghidra.app.plugin.core.analysis.AnalysisBackgroundCommand.applyTo(AnalysisBackgroundCommand.java:58)
	at ghidra.framework.plugintool.mgr.BackgroundCommandTask.run(BackgroundCommandTask.java:103)
	at ghidra.framework.plugintool.mgr.ToolTaskManager.run(ToolTaskManager.java:334)
	at java.base/java.lang.Thread.run(Thread.java:1623)

I am analyzing a Windows DLL, rpcrt4.dll; however, I have also tested against other Windows binaries, including kernel drivers. You can download the binary I was using from the Microsoft Symbol Server:

https://msdl.microsoft.com/download/symbols/rpcrt4.dll/1CAF5F33115000/rpcrt4.dll

I'm running this on an M1 Mac, with Ghidra 11.0.1 and BTIGhidra version: 0.0.6.

T-RN-R avatar Jun 15 '24 13:06 T-RN-R

Their fork of cwe_checker stayed far behind and kept the brittle Cspec parser, which was no longer necessary by version 10 of Ghidra, as it has since had a proper API to retrieve caller convention data.

ElSaico avatar Feb 19 '25 14:02 ElSaico
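
The failure in the stack trace above, reproduced as an added example (not code from BTIGhidra, cwe_checker or Ghidra): a parser that assumes every child of <input> is a <pentry> stops on a <group> wrapper, while one that descends into the wrapper keeps working. The XML fragment is constructed, the function names are hypothetical, and the only assumption about the format is the one the exception message implies, that a <group> can appear where a <pentry> was expected.

```python
import xml.etree.ElementTree as ET

# Constructed compiler-spec fragment (not copied from a Ghidra release): the
# first parameter slot wraps its two <pentry> elements in a <group>.
CSPEC_SAMPLE = """
<prototype name="constructed_cc">
  <input>
    <group>
      <pentry minsize="4" maxsize="8" metatype="float"><register name="XMM0_Qa"/></pentry>
      <pentry minsize="1" maxsize="8"><register name="RCX"/></pentry>
    </group>
    <pentry minsize="1" maxsize="8"><register name="RDX"/></pentry>
    <pentry minsize="1" maxsize="500" align="8"><addr offset="8" space="stack"/></pentry>
  </input>
</prototype>
"""


class CspecFormatError(ValueError):
    """Raised when the input list contains an element the parser does not expect."""


def strict_input_registers(xml_text):
    """Brittle form: every direct child of <input> must be a <pentry>."""
    regs = []
    for child in ET.fromstring(xml_text).find("input"):
        if child.tag != "pentry":
            raise CspecFormatError(
                f"got element {child.tag} but expected start element [ pentry ]")
        regs += [r.get("name") for r in child.findall("register")]
    return regs


def tolerant_input_registers(xml_text):
    """Collect registers from <pentry> inside <group> too; report unknown tags."""
    regs, skipped = [], []

    def walk(node):
        for child in node:
            if child.tag == "pentry":
                regs.extend(r.get("name") for r in child.findall("register"))
            elif child.tag == "group":
                walk(child)  # descend into the wrapper instead of failing
            else:
                skipped.append(child.tag)  # surface it to the caller, do not crash

    walk(ET.fromstring(xml_text).find("input"))
    return regs, skipped
```

Returning the skipped tags lets the caller log a format change in the spec file without aborting the whole analysis run.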