Ghidra: MapLoader "Add To Program" not working + parse errors

Created on 6 Jul 2019 · 19 Comments · Source: NationalSecurityAgency/ghidra

I've read in the guide (Help->Contents) that Ghidra can import memory MAP files, like those generated by MSVC. But I was not able to import it.

Is the feature present/enabled? Maybe I have to follow some procedure I'm unaware of?
Thanks 😄

Bug

All 19 comments

I believe if you go to File->Add To Program... from your PE file's Code Browser window you can load the corresponding map file. Please let me know if that works or not.

Just retried, it doesn't work. I chose the Code Browser window after loading the exe, then File->Add to program. The extension .MAP doesn't show up in the type list. If I choose All Files I can select the map file, but then I can't choose the MAP format, only Raw Binary is present. And in fact it loads it as a binary.

Ok I'll investigate...thanks!

There are a couple of issues here:

  1. The MapLoader was not declaring that it supports loading into an existing program.
  2. The parsing of the .map file failed for the simple samples I produced.

I am going to change this to a bug. I believe I have it fixed...I just need to do more testing to verify.

Does the MAP importer also take the FIXUPS: section into account?
I mean, stuff like this:

FIXUPS: 16b87c 16 b 36 16 3f b 4f 19 35 16 b 75 b 30 f 96 44 68 3a 68 1ceb
FIXUPS: 16d994 d ffffff5f f 20 2e ffffd904 38 14 50 14 61 50 b 36 16 3f
FIXUPS: 16b463 4f 33 33 b 5f 2f 13 33 b 9d 1a 1a 3f 1a 20 16 10 b b5 15
FIXUPS: 16c240 39 1f 53 fffffd5e 64 68 80 1f 52 8 fffffd32 c4 13 8 fffffd5a
FIXUPS: 16bdb4 74 34 1f 5e 14 fffff17c 3a 34 11 bc 2a 2d 14 31 19 2562

No, it's just doing symbols. If you think that would add value feel free to make a new enhancement request.

This still happens to me on Ghidra v9.1.2...

Just retried, it doesn't work. I chose the Code Browser window after loading the exe, then File->Add to program. The extension .MAP doesn't show up in the type list. If I choose All Files I can select the map file, but then I can't choose the MAP format, only Raw Binary is present. And in fact it loads it as a binary.

You are not getting MapLoader as a choice?

Yes. I have the v9.1.2 release, which is currently the latest on the download page.

Can you post your map file?

I would rather not post it here; is it fine if I send it by email?

Sure, this will be good for 10 minutes: [email protected]

That time limit caught me off-guard, haha.
Hoping I made it in time...

Hmm I didn't get it...not sure if it will come through.

The MapLoader only cares about a couple of things to determine if it can load a file. First, the filename has to end in .map. Second, there has to be a line that reads Publics by Value. Following that line has to be lines with at least 3 tokens, the 3rd of which is an address.

Does your file meet those requirements?

Does not seem like it.

This is what it looks for:

/**
 * A {@link Loader} for processing Microsoft MAP files.
 * <p>
 * Sample .map file section we parse to extract symbol information:
 * <pre>
 *   ...
 *   ...
 *   ...
 *
 *   Address         Publics by Value              Rva+Base               Lib:Object
 *   
 *  0000:00000000       ___safe_se_handler_table   0000000000000000     &lt;absolute&gt;
 *  0000:00000000       ___safe_se_handler_count   0000000000000000     &lt;absolute&gt;
 *  0000:00000000       __ImageBase                0000000140000000     &lt;linker-defined&gt;
 *  0001:00000040       foo                        0000000140001040 f   foo.obj
 *  0001:000000c0       bar                        00000001400010c0 f   foo.obj
 *  
 *  ...
 *  ...
 *  ...
 *  </pre>
 */
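
A pre-flight check for the three conditions described in the comments above (file name ends in .map, a "Publics by Value" line exists, and the lines after it have at least 3 tokens with an address as the 3rd), added here as an example; it is not part of the original thread and not Ghidra's code. The function name `preflight`, the case-insensitive extension match, the 8-16 hex digit address pattern and the stop-at-first-non-matching-line rule are assumptions, and the sample inputs are constructed from the layouts shown in this thread.

```python
import re

# Constructed sample, modelled on the layout in the MapLoader Javadoc above.
SAMPLE_OK = """\
  Address         Publics by Value              Rva+Base               Lib:Object

 0000:00000000       __ImageBase                0000000140000000     <linker-defined>
 0001:00000040       foo                        0000000140001040 f   foo.obj
 0001:000000c0       bar                        00000001400010c0 f   foo.obj
"""
# Constructed sample in the FIXUPS-only style quoted earlier in the thread.
SAMPLE_FIXUPS = "FIXUPS: 16b87c 16 b 36 16 3f\nFIXUPS: 16d994 d ffffff5f f 20\n"

HEX_ADDR = re.compile(r"^[0-9A-Fa-f]{8,16}$")  # assumption: bare hex, 8-16 digits


def preflight(filename, text):
    """Return (symbols, problems); symbols maps name -> address (int)."""
    problems, symbols = [], {}
    # Assumption: the extension is compared case-insensitively.
    if not filename.lower().endswith(".map"):
        problems.append("filename does not end in .map")
    lines = text.splitlines()
    header = next((i for i, l in enumerate(lines) if "Publics by Value" in l), None)
    if header is None:
        problems.append("no 'Publics by Value' line")
        return symbols, problems
    for line in lines[header + 1:]:
        tokens = line.split()
        if not tokens:
            continue  # blank separator lines
        if len(tokens) < 3 or not HEX_ADDR.match(tokens[2]):
            break  # assumption: the table ends at the first non-matching line
        symbols[tokens[1]] = int(tokens[2], 16)
    if not symbols:
        problems.append("no symbol line with an address as its 3rd token")
    return symbols, problems


if __name__ == "__main__":
    cases = (("app.map", SAMPLE_OK), ("game.map", SAMPLE_FIXUPS), ("app.txt", SAMPLE_OK))
    for name, text in cases:
        symbols, problems = preflight(name, text)
        print(name, "->", problems or "meets the described requirements")
```

An empty `problems` list only means the file meets the requirements as described in this thread; whether a given Ghidra release then offers MapLoader is not something this script can confirm.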

Yeah, it doesn't match.
I haven't tried making Python plugins for Ghidra yet, but maybe I can make one to parse this special format.

There may be other parts of the map file that the MapLoader doesn't know how to make use of, so it doesn't even present as an option. For example, #767. Maybe that's your situation too. If so, you could create a new ticket asking for the new feature to be added.

The layout of the map file I have differs greatly from the one you showed, so it isn't a simple matter of new features.
Thanks for the help; I will see if I can make a plugin to parse it.
