Ghidra: How to edit bytes in .data?

Created on 15 Nov 2019 · 4 comments · Source: NationalSecurityAgency/ghidra

When I am disassembling a DLL written in C++, there are a number of variables / data that are going to be resolved at run time. An example looks like this in the decompiler:

foo((int) &DAT_10073ed8);

The DAT_10073ed8 is the variable being resolved at run time. It points to the .data section. The content at that address is a bunch of ??. I managed to figure out the bytes using a debugger, where the pointed-to address consists of some bytes of data.

My question is how do I add those bytes into Ghidra?

I assume I can create a structure with loads of Byte, set each one of them to the bytes I found and set the pointed address to be of that struct type, but that sounds awful and I am not sure about the actual data types yet.

What I have tried is setting the first byte to be of data type "Byte", going to the Bytes window, clicking the "Enable editing of bytes in Byte Viewer panels" on the top right corner, edit the first byte and an error says "Editing not allowed: Attempted to read from uninitialized block".

In this particular example, I am pretty sure the variable is a this pointer because of the use of ECX. However I am not sure about the types of attributes yet. I hope this helps.

Thanks.

All 4 comments

You need to convert the memory block to an initialized one. To do this you can open the Python interpreter and, while the cursor is at an address within the memory block, run the following:
currentProgram.getMemory().convertToInitialized(getMemoryBlock(currentAddress), 0)

Alternatively you could split the section accordingly in the Memory Map. (Make small snippets of initialized data entries and have the other parts still uninitialized)

Check the "Split a block" button in the top right corner of the Memory Map view.

Just tried them both. I think the currentProgram.getMemory().convertToInitialized(getMemoryBlock(currentAddress), 0) is a bit overkill. After all, I only need to initialise 24 bytes. The split of memory works better in my case. Anyway, thanks!

I just wrote a script in Python and I thought I should better share it. It initialises the block of memory from a start address to an end address with a data value. The code is here. The script does the job by splitting the memory block and initialising the whole block. It works fine on my project, so in case anyone is interested just grab and go. There isn't any error checking, so use with caution. To use, I think one can simply go to Script Manager, Create New Script, copy-and-paste the code, save and run. (Or put the script in a directory, which I'm not sure where.) The script will be under the CustomScript category after saving.

Once it is run, input the start and end address in the form 10074000. There is no need to type 0x. For bytes to insert after splitting, input them in the form deadbeef1234. There shouldn't be spaces in it. Also, make sure the length of the bytes will fit in the new block. It can be empty, in which case all bytes will be 0 in the block.

:) Happy RE
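The script linked in the comment above is not reproduced on this page, so the following is an added example, not the commenter's code, that does what the thread describes: it carves the requested address range out of the containing block (the Memory Map "Split a block" approach from the second comment), converts only that slice with Memory.convertToInitialized (the first comment's call), and writes the supplied bytes. The function and parameter names are my own; the Ghidra API calls used (askString, toAddr, Memory.getBlock, Memory.split, Memory.convertToInitialized, Memory.setBytes) are real Ghidra FlatProgramAPI / Memory methods. The helpers that parse and size-check the input are plain Python so they can be exercised outside Ghidra; the Ghidra part only runs when currentProgram is provided by the Script Manager's Jython environment.

```python
# Added example (not the script from the original post): isolate an inclusive
# address range [start, end] inside a Ghidra memory block, initialise just that
# slice and fill it with user-supplied bytes, zero-padding the remainder.

def parse_hex_bytes(text):
    """Turn 'deadbeef1234' (no spaces; a leading 0x is tolerated) into ints 0..255."""
    text = text.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    if len(text) % 2:
        raise ValueError("hex string must have an even number of digits")
    return [int(text[i:i + 2], 16) for i in range(0, len(text), 2)]


def build_fill(start, end, hex_text):
    """Bytes for the inclusive range [start, end] given as integer offsets:
    the parsed bytes followed by zero padding. Refuses data that overflows
    the range, since Memory.setBytes would otherwise spill past the new block."""
    if end < start:
        raise ValueError("end address precedes start address")
    size = end - start + 1
    data = parse_hex_bytes(hex_text)
    if len(data) > size:
        raise ValueError("%d bytes do not fit in a %d-byte block" % (len(data), size))
    return data + [0] * (size - len(data))


def to_signed(values):
    """Java byte[] is signed, so map 0..255 onto -128..127 for Memory.setBytes."""
    return [v - 256 if v > 127 else v for v in values]


def run_in_ghidra():
    # Everything below relies on names injected by Ghidra's script environment
    # (currentProgram, askString, toAddr) and on Jython's jarray module.
    import jarray
    start_text = askString("Start", "Start address (hex, e.g. 10074000)")
    end_text = askString("End", "End address (hex, inclusive)")
    hex_text = askString("Bytes", "Bytes to write (hex, e.g. deadbeef1234); may be empty")

    start = toAddr(start_text)          # parses hex address strings
    end = toAddr(end_text)
    fill = build_fill(start.getOffset(), end.getOffset(), hex_text)

    mem = currentProgram.getMemory()
    block = mem.getBlock(start)
    if block is None:
        raise ValueError("no memory block contains %s" % start)

    # Memory.split(block, addr) creates a new block beginning at addr, so two
    # splits (at start and at end+1) leave a block covering exactly [start, end].
    if not block.getStart().equals(start):
        mem.split(block, start)
        block = mem.getBlock(start)
    if not block.getEnd().equals(end):
        mem.split(block, end.add(1))
        block = mem.getBlock(start)

    # Only the carved-out slice is converted; the rest of .data stays uninitialized.
    if not block.isInitialized():
        mem.convertToInitialized(block, 0)
    mem.setBytes(start, jarray.array(to_signed(fill), 'b'))
    print("initialised %d bytes at %s" % (len(fill), start))


try:
    currentProgram          # only defined when running inside Ghidra
except NameError:
    pass
else:
    run_in_ghidra()
```

Run it from Script Manager like the original script: paste it into a new Python script, save, and run with the cursor anywhere in the program. Because the slice is split off before conversion, the 24-byte case from the thread ends up as its own initialized block while the surrounding .data remains ?? in the listing.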
