From 1bf79da6aaf21c473e72754a6153fa52efebee63 Mon Sep 17 00:00:00 2001
From: rdmmf
Date: Thu, 26 Feb 2026 09:39:20 +0100
Subject: [PATCH 1/2] new: [ghidra-function] Added object
---
 objects/ghidra-function/definition.json | 122 ++++++++++++++++++++++++
 1 file changed, 122 insertions(+)
 create mode 100644 objects/ghidra-function/definition.json
diff --git a/objects/ghidra-function/definition.json b/objects/ghidra-function/definition.json
new file mode 100644
index 00000000..ecdd4d51
--- /dev/null
+++ b/objects/ghidra-function/definition.json
@@ -0,0 +1,122 @@
+{
+ "attributes": {
+ "function-name":{
+ "description": "function name",
+ "misp-attribute": "text",
+ "ui-priority": 1,
+ "disable_correlation": true
+ },
+ "label": {
+ "description": "ghidra symbol label(s) associated with the function",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "multiple": true
+ },
+ "function-scope": {
+ "description": "ghidra function scope (export, import, internal)",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "export",
+ "import",
+ "internal"
+ ]
+ },
+ "is-thunk": {
+ "description": "identifies a thunk function",
+ "misp-attribute": "boolean",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "external-library": {
+ "description": "external library name if the function is an import",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "entrypoint-address": {
+ "description": "function entrypoint address (integer in a text for consistency with the entrypoint-address in ELF/PE/Mach-O Objects)",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "instruction-count": {
+ "description": "Instruction count",
+ "misp-attribute": "integer",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "bsim-vector": {
+ "description": "comma separated BSIM Feature Vector",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "bsim-signature": {
+ "description": "BSIM signature of the vector",
+ "misp-attribute": "hex",
+ "ui-priority": 0
+ },
+ "fid-fh-hash": {
+ "description": "Function ID FH Function hash",
+ "misp-attribute": "hex",
+ "ui-priority": 0
+ },
+ "fid-fx-hash": {
+ "description": "Function ID FX Extended hash",
+ "misp-attribute": "hex",
+ "ui-priority": 0
+ },
+ "flirt-hash": {
+ "description": "IDA pro FLIRT hash",
+ "misp-attribute": "hex",
+ "ui-priority": 0
+ },
+ "decompiled-function": {
+ "description": "Ghidra decompiled function",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "function-signature": {
+ "description": "Function signature",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "return-type": {
+ "description": "The data type returned by the function",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "calling-convention": {
+ "description": "The calling convention used by the function (e.g., cdecl, stdcall)",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "language-id": {
+ "description": "Language id of the program (architecture, compiler, etc.)",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "decompiler-id": {
+ "description": "ghidra's decompiler version used to generate the FID and BSIM hashes.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ }
+ },
+ "description": "ghidra function",
+ "meta-category": "ghidra",
+ "name": "ghidra-function",
+ "required": [
+ "function-name",
+ "decompiler-id"
+ ],
+ "uuid": "4679fa5b-a9b4-463a-aaec-1ca563abedde",
+ "version": 1
+}
\ No newline at end of file
From f65f9b80aee66fb17ea331ba63982b60d18db633 Mon Sep 17 00:00:00 2001
From: rdmmf
Date: Thu, 26 Feb 2026 10:59:25 +0100
Subject: [PATCH 2/2] fix: [ghidra-function] fixed metacategory
---
 objects/ghidra-function/definition.json | 132 ++++++++++++------------
 1 file changed, 66 insertions(+), 66 deletions(-)
diff --git a/objects/ghidra-function/definition.json b/objects/ghidra-function/definition.json
index ecdd4d51..0fabde98 100644
--- a/objects/ghidra-function/definition.json
+++ b/objects/ghidra-function/definition.json
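Review bot: `bsim-vector`, a long comma-separated feature vector stored as `text`, is the only free-text attribute in the template without `disable_correlation`, so MISP will attempt exact-match correlation on the whole vector string; that duplicates what `bsim-signature` already provides and risks noisy or costly correlations on a large text value, so consider adding `"disable_correlation": true` to it. The `required` list asks only for `function-name` and `decompiler-id`, which means an instance can be created with no address and no hash at all; if every object is meant to carry at least one identifying value, a `requiredOneOf` over `entrypoint-address`, `bsim-signature`, `fid-fh-hash`, `fid-fx-hash` and `flirt-hash` would express that. The `decompiler-id` description attributes both the FID and BSim hashes to the decompiler version, whereas, as far as I know, Function ID hashes are computed from normalized instruction bytes by the FID analyzer rather than by the decompiler — a wording such as `"Ghidra version (and decompiler) used to generate the FID hashes and BSim vector"` would be less misleading, to be confirmed against the producer script. The file is also committed without a trailing newline (`\ No newline at end of file`).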
@@ -1,61 +1,43 @@
 {
 "attributes": {
- "function-name":{
- "description": "function name",
- "misp-attribute": "text",
- "ui-priority": 1,
- "disable_correlation": true
+ "bsim-signature": {
+ "description": "BSIM signature of the vector",
+ "misp-attribute": "hex",
+ "ui-priority": 0
 },
- "label": {
- "description": "ghidra symbol label(s) associated with the function",
+ "bsim-vector": {
+ "description": "comma separated BSIM Feature Vector",
 "misp-attribute": "text",
- "ui-priority": 0,
- "disable_correlation": true,
- "multiple": true
+ "ui-priority": 0
 },
- "function-scope": {
- "description": "ghidra function scope (export, import, internal)",
- "misp-attribute": "text",
- "ui-priority": 0,
+ "calling-convention": {
+ "description": "The calling convention used by the function (e.g., cdecl, stdcall)",
 "disable_correlation": true,
- "sane_default": [
- "export",
- "import",
- "internal"
- ]
+ "misp-attribute": "text",
+ "ui-priority": 0
 },
- "is-thunk": {
- "description": "identifies a thunk function",
- "misp-attribute": "boolean",
- "ui-priority": 0,
- "disable_correlation": true
+ "decompiled-function": {
+ "description": "Ghidra decompiled function",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
 },
- "external-library": {
- "description": "external library name if the function is an import",
+ "decompiler-id": {
+ "description": "ghidra's decompiler version used to generate the FID and BSIM hashes.",
+ "disable_correlation": true,
 "misp-attribute": "text",
- "ui-priority": 0,
- "disable_correlation": true
+ "ui-priority": 0
 },
 "entrypoint-address": {
 "description": "function entrypoint address (integer in a text for consistency with the entrypoint-address in ELF/PE/Mach-O Objects)",
- "misp-attribute": "text",
- "ui-priority": 0,
- "disable_correlation": true
- },
- "instruction-count": {
- "description": "Instruction count",
- "misp-attribute": "integer",
- "ui-priority": 0,
- "disable_correlation": true
- },
- "bsim-vector": {
- "description": "comma separated BSIM Feature Vector",
+ "disable_correlation": true,
 "misp-attribute": "text",
 "ui-priority": 0
 },
- "bsim-signature": {
- "description": "BSIM signature of the vector",
- "misp-attribute": "hex",
+ "external-library": {
+ "description": "external library name if the function is an import",
+ "disable_correlation": true,
+ "misp-attribute": "text",
 "ui-priority": 0
 },
 "fid-fh-hash": {
@@ -73,45 +55,63 @@
 "misp-attribute": "hex",
 "ui-priority": 0
 },
- "decompiled-function": {
- "description": "Ghidra decompiled function",
+ "function-name": {
+ "description": "function name",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "function-scope": {
+ "description": "ghidra function scope (export, import, internal)",
+ "disable_correlation": true,
 "misp-attribute": "text",
- "ui-priority": 0,
- "disable_correlation": true
+ "sane_default": [
+ "export",
+ "import",
+ "internal"
+ ],
+ "ui-priority": 0
 },
 "function-signature": {
 "description": "Function signature",
+ "disable_correlation": true,
 "misp-attribute": "text",
- "ui-priority": 0,
- "disable_correlation": true
+ "ui-priority": 0
 },
- "return-type": {
- "description": "The data type returned by the function",
- "misp-attribute": "text",
- "ui-priority": 0,
- "disable_correlation": true
+ "instruction-count": {
+ "description": "Instruction count",
+ "disable_correlation": true,
+ "misp-attribute": "integer",
+ "ui-priority": 0
 },
- "calling-convention": {
- "description": "The calling convention used by the function (e.g., cdecl, stdcall)",
+ "is-thunk": {
+ "description": "identifies a thunk function",
+ "disable_correlation": true,
+ "misp-attribute": "boolean",
+ "ui-priority": 0
+ },
+ "label": {
+ "description": "ghidra symbol label(s) associated with the function",
+ "disable_correlation": true,
 "misp-attribute": "text",
- "ui-priority": 0,
- "disable_correlation": true
+ "multiple": true,
+ "ui-priority": 0
 },
- "language-id": {
+ "language-id": {
 "description": "Language id of the program (architecture, compiler, etc.)",
+ "disable_correlation": true,
 "misp-attribute": "text",
- "ui-priority": 0,
- "disable_correlation": true
+ "ui-priority": 0
 },
- "decompiler-id": {
- "description": "ghidra's decompiler version used to generate the FID and BSIM hashes.",
+ "return-type": {
+ "description": "The data type returned by the function",
+ "disable_correlation": true,
 "misp-attribute": "text",
- "ui-priority": 0,
- "disable_correlation": true
+ "ui-priority": 0
 }
 },
 "description": "ghidra function",
- "meta-category": "ghidra",
+ "meta-category": "misc",
 "name": "ghidra-function",
 "required": [
 "function-name",
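Review bot: The one substantive change in this hunk, `"meta-category": "misc",`, is buried under a whole-file re-sort of keys (the same re-sort makes up all of the first hunk at `@@ -1,61 +1,43 @@`), which makes the fix hard to review and to bisect; putting the formatter output in its own commit, or at least saying in the message that the file was run through a key-sorting formatter, would help. Key order carries no meaning in JSON, so the reordering itself is harmless, but the hunk ends after three context lines inside the `required` array, which suggests the closing lines of the file — and the missing trailing newline from the first patch — were left untouched; adding the newline while the file is being reformatted anyway would be cheap. The `required`, `uuid` and `version` tail of the object lies outside this hunk.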