API to know whether an opened elf is in (Thumb or Compressed) mode of ARM or Riscv

[F1o0T]

Hi,

ARM has an instruction encoding that is called thumb2, that encodes some instructions in 2 bytes among the 4 bytes instructions, and RISCV also has similar instruction encoding called compressesd.

Is there an API call/method that Ghidra provides to tell if the current opened program is in Thumb2 or Compressed mode? The way I currently do it, I check the length of the current instruction at the current address, but I don't know a way to judge the whole executable, I always depend on the length of the current instruction.

Thanks in advance for your help.

[pelrun]

You can't know for an entire ARM binary because it's a dynamic setting; unless your elf is for a specific processor that only supports Thumb instructions it's highly likely your binary will have a mix.

You can however tell for a specific function by looking at the branches to the code in question; the LSB of the destination address in a BLX is actually the Thumb instruction set bit. Which is why branches to thumb code are always odd. Ghidra will end up showing these as (Label+1) if you have a function or label defined.

[F1o0T]

My question was more about determining whether an ARM binary has only 32 bit instructions or mix of 32 and 16 bits instructions. Is there any API function for that?

On Fri 12. May 2023 at 07:22, James Churchill ***@***.***> wrote: You can't know for an *entire* ARM binary because it's a dynamic setting; unless your elf is for a specific processor that *only* supports Thumb instructions it's highly likely your binary will have a mix. You can however tell for a specific function by looking at the branches to the code in question; the LSB of the destination address in a BLX is actually the Thumb instruction set bit. Which is why branches to thumb code are always odd. Ghidra will end up showing these as (Label+1) if you have a function or label defined. — Reply to this email directly, view it on GitHub <#5103 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHYJNBAXNSPU2NDUFTIYWZTXFXCI7ANCNFSM6AAAAAAV4ZM27M> . You are receiving this because you authored the thread.Message ID: <NationalSecurityAgency/ghidra/repo-discussions/5103/comments/5880813@ github.com>

--

[pelrun]

No, I don't see how you could. You'd have to have the entire binary analyzed and all the code sections correctly identified and marked already, at which point you already know.

[hippietrail]

No, I don't see how you could. You'd have to have the entire binary analyzed and all the code sections correctly identified and marked already, at which point you already know.

Not necessarily. You could have a three-way result returning what the system the binary for supports. Some do not support Thumb. Some, I think, are specifically in Thumb. (I might be wrong on that but I think I've seen that stated somewhere). And some allow switching in and out of Thumb mode.

But I would think each Loader is going to know this about its platform. Again I could be wrong about that.

[pelrun]

The question is specifically "what mode is the binary in", not the platform the binary runs on - that's a different question that is answered in documentation, not in the ELF. And while you might have a loader for your specific platform that declares everything is Thumb-only by fiat, most of the time on ARM you're just using the generic elf or raw binary loader.

It's precisely because it's possible for a given binary to interwork between ARM and Thumb that there's no single flag to query at the top level - either you bring that information in yourself ("I know the platform it runs on is Thumb-only"), you quickly find examples of both ARM and Thumb code so you know it's both, or you audit the entire code base if you need to prove it's all in one mode (of course that's usually not a question you need to answer definitively.)