feat: add data type creation, function signatures, and namespace support

.claude/skills/ghidra-cli/SKILL.md

@@ -100,11 +100,19 @@ ghidra function decompile TARGET [QUERY_OPTS]
 ghidra function disasm TARGET [QUERY_OPTS]
 ghidra function calls TARGET [QUERY_OPTS]   # outgoing calls
 ghidra function xrefs TARGET [QUERY_OPTS]   # incoming references
-ghidra function rename OLD NEW [--project P] [--program PROG]
-ghidra function create ADDRESS [NAME] [--project P] [--program PROG]
+ghidra function set-signature TARGET 'SIGNATURE'  # aliases: set-sig, signature
+ghidra function create ADDRESS [NAME]
 ghidra function delete TARGET [QUERY_OPTS]
 ```
 
+`set-signature` parses a C-style function prototype and applies it. Supports `__thiscall`,
+`__cdecl`, `__stdcall`, `__fastcall` calling conventions. The function is also renamed to match
+the signature. Does NOT handle namespaces — use `symbol rename` for that.
+
+```bash
+ghidra function set-signature 0x401000 'void __thiscall Update(float dt, int flags)'
+```
+
 ### Top-level Shortcuts
 
 ```bash
@@ -124,9 +132,20 @@ ghidra strings refs STRING [QUERY_OPTS]     # xrefs to string
 ```bash
 ghidra symbol list [QUERY_OPTS]             # aliases: sym, symbols
 ghidra symbol get NAME [QUERY_OPTS]
-ghidra symbol create ADDRESS NAME [--project P] [--program PROG]
+ghidra symbol create ADDRESS NAME
 ghidra symbol delete NAME [QUERY_OPTS]
-ghidra symbol rename OLD NEW [--project P] [--program PROG]
+ghidra symbol rename TARGET NEW_NAME [--namespace NS]
+```
+
+`symbol rename` accepts an address or name as TARGET. NEW_NAME supports `Namespace::Name`
+syntax to set the namespace. Use `--namespace NS` as an alternative, or `--namespace ''` to
+move to the global namespace.
+
+```bash
+ghidra symbol rename 0x401000 MyClass::MyMethod    # rename + set namespace
+ghidra symbol rename 0x401000 MyMethod --namespace MyClass  # same result
+ghidra symbol rename 0x401000 MyMethod --namespace ''  # move to global
+ghidra symbol rename 0x401000 NewName              # rename only, keep namespace
 ```
 
 ### Memory Operations
@@ -155,6 +174,25 @@ ghidra type list [QUERY_OPTS]               # alias: types
 ghidra type get NAME [QUERY_OPTS]
 ghidra type create DEFINITION [--project P] [--program PROG]
 ghidra type apply ADDRESS TYPE_NAME [--project P] [--program PROG]
+ghidra type import-c 'C_CODE' [--category PATH] [--project P] [--program PROG]  # aliases: import, parse-c
+```
+
+`import-c` parses C type definitions (structs, unions, enums, typedefs including function
+pointers) and imports them into the program's data type manager. Supports bitfields and struct
+inheritance (`: Parent`). Existing types with the same name are overwritten.
+
+Use `--category` to organize types into Ghidra data type categories instead of the root `/`.
+
+```bash
+# Import types to root
+ghidra type import-c 'struct Vec3 { float x; float y; float z; };'
+
+# Import into a category (ideal for vtables, class definitions)
+ghidra type import-c --category /CTimer \
+  'struct CTimer;
+   typedef void (*CTimer_dtor)(CTimer *this, short flags);
+   struct CTimer_vtable { void *rtti0; void *rtti1; CTimer_dtor dtor; };
+   struct CTimer { CTimer_vtable *vtable; int state; float timer; };'
 ```
 
 ### Comment Operations
@@ -382,7 +420,13 @@ ghidra graph callers suspicious_func --depth 3 --project analysis
 ghidra x-ref to 0x401000 --project analysis
 ghidra function disasm 0x401000 --project analysis
 
-# 5. Patch
+# 5. Type recovery
+ghidra type import-c --category /MyClass 'struct MyClass { void* vtable; int state; float timer; };'
+ghidra symbol rename 0x401000 MyClass::Update  # apply namespace
+ghidra function set-signature 0x401000 'void __thiscall Update(float dt, int flags)'
+ghidra decompile 0x401000  # verify improved output
+
+# 6. Patch
 ghidra patch nop 0x401234 --count 3 --project analysis
 ghidra patch export -o patched.exe --project analysis
 ```

README.md

@@ -8,6 +8,9 @@ A high-performance Rust CLI for automating Ghidra reverse engineering tasks, des
 - **Auto-start bridge** - Import/analyze commands automatically start the bridge
 - **Fast queries** - Sub-second response times with Ghidra kept in memory
 - **Comprehensive analysis** - Functions, symbols, types, strings, cross-references
+- **Type recovery** - Create data types with C syntax (structs, enums, typedefs)
+- **Function prototypes** - Adjust function signatures and calling conventions
+- **Symbol management** - Rename symbols and organize namespaces
 - **Binary patching** - Modify bytes, NOP instructions, export patches
 - **Call graphs** - Generate caller/callee graphs, export to DOT format
 - **Search capabilities** - Find strings, bytes, functions, crypto patterns
@@ -99,15 +102,20 @@ ghidra function list                   # List all functions
 ghidra function list --filter "size > 100"  # Filter by size
 ghidra decompile <name-or-addr>        # Decompile function
 ghidra disasm <address> --instructions 20  # Disassemble instructions
+ghidra function set-signature <addr> 'void __thiscall Update(float dt, int flags)'  # Set function prototype
 ```
 
 ### Symbols & Types
 ```bash
-ghidra symbol list                     # List symbols
-ghidra symbol create <addr> <name>     # Create symbol
-ghidra symbol rename <old> <new>       # Rename symbol
-ghidra type list                       # List data types
-ghidra type get <name>                 # Get type details
+ghidra symbol list                     # List symbols
+ghidra symbol create <addr> <name>     # Create symbol
+ghidra symbol rename <target> <new>    # Rename symbol (address or name)
+ghidra symbol rename <target> Ns::Name # Rename + set namespace
+ghidra symbol rename <target> Name --namespace ''  # Move to global namespace
+ghidra type list                       # List data types
+ghidra type get <name>                 # Get type details
+ghidra type import-c 'struct Vec3 { float x; float y; float z; };'
+ghidra type import-c --category /Player 'struct Player { Vec3 pos; int hp; };'
 ```
 
 ### Cross-References
@@ -251,8 +259,12 @@ Example workflow with an AI agent:
 2. `ghidra find interesting` - AI analyzes suspicious patterns
 3. `ghidra decompile <func>` - AI examines specific functions
 4. `ghidra x-ref to <addr>` - AI traces data flow
-5. `ghidra patch nop <addr>` - AI patches anti-debug code
-6. `ghidra patch export -o patched.bin` - Export patched binary
+5. `ghidra type import-c --category /MyClass 'struct MyClass { ... };'` - AI defines recovered types
+6. `ghidra symbol rename <addr> MyClass::Method` - AI assigns names and namespaces
+7. `ghidra function set-signature <addr> 'void __thiscall Method(int arg)'` - AI applies function prototypes
+8. `ghidra decompile <addr>` - AI iterates on decompilation output
+9. `ghidra patch nop <addr>` - AI patches anti-debug code
+10. `ghidra patch export -o patched.bin` - Export patched binary
 
 ## Troubleshooting
 

src/cli.rs

@@ -304,6 +304,9 @@ pub enum FunctionCommands {
     XRefs(FunctionGetArgs),
     /// Rename function
     Rename(RenameArgs),
+    /// Update function signature
+    #[command(alias = "set-sig", alias = "signature")]
+    SetSignature(SetSignatureArgs),
     /// Create function
     Create(CreateFunctionArgs),
     /// Delete function
@@ -333,8 +336,25 @@ impl FunctionGetArgs {
 
 #[derive(Args, Clone, Serialize, Deserialize, Debug)]
 pub struct RenameArgs {
-    pub old_name: String,
+    /// Symbol address or name
+    pub target: String,
+    /// New name ('Name' or 'Namespace::Name')
     pub new_name: String,
+    /// Explicit namespace (overrides '::' parsing; empty string = global)
+    #[arg(long)]
+    pub namespace: Option<String>,
+    #[arg(long)]
+    pub program: Option<String>,
+    #[arg(long)]
+    pub project: Option<String>,
+}
+
+#[derive(Args, Clone, Serialize, Deserialize, Debug)]
+pub struct SetSignatureArgs {
+    /// Function address or name
+    pub target: String,
+    /// C-style function signature (e.g. 'void foo(int a, float b)')
+    pub signature: String,
     #[arg(long)]
     pub program: Option<String>,
     #[arg(long)]
@@ -479,6 +499,9 @@ pub enum TypeCommands {
     Create(CreateTypeArgs),
     /// Apply type to address
     Apply(ApplyTypeArgs),
+    /// Import C type definitions
+    #[command(alias = "import", alias = "parse-c")]
+    ImportC(ImportCArgs),
 }
 
 #[derive(Args, Clone, Serialize, Deserialize, Debug)]
@@ -507,6 +530,19 @@ pub struct ApplyTypeArgs {
     pub project: Option<String>,
 }
 
+#[derive(Args, Clone, Serialize, Deserialize, Debug)]
+pub struct ImportCArgs {
+    /// C code containing type definitions
+    pub code: String,
+    /// Category path to store types in
+    #[arg(long)]
+    pub category: Option<String>,
+    #[arg(long)]
+    pub program: Option<String>,
+    #[arg(long)]
+    pub project: Option<String>,
+}
+
 #[derive(Subcommand, Clone, Serialize, Deserialize, Debug)]
 pub enum CommentCommands {
     /// List all comments