ROSE_HTML_Reference/ModulesPe_8h_source.html

 #ifndef ROSE_Partitioner2_ModulesPe_H

 #define ROSE_Partitioner2_ModulesPe_H


 #include <Partitioner2/Function.h>

 #include <Partitioner2/Modules.h>

 #include <Sawyer/Map.h>


 namespace Rose {

 namespace BinaryAnalysis {

 namespace Partitioner2 {


 namespace ModulesPe {


 std::string systemFunctionName(const std::string&);


 typedef Sawyer::Container::Map<rose_addr_t, SgAsmPEImportItem*> ImportIndex;


 std::vector<Function::Ptr> findExportFunctions(const Partitioner&, SgAsmPEFileHeader*);

 std::vector<Function::Ptr> findExportFunctions(const Partitioner&, SgAsmInterpretation*);

 size_t findExportFunctions(const Partitioner&, SgAsmInterpretation*, std::vector<Function::Ptr>&);

 std::vector<Function::Ptr> findImportFunctions(const Partitioner&, SgAsmPEFileHeader*);

 std::vector<Function::Ptr> findImportFunctions(const Partitioner&, SgAsmInterpretation*);

 size_t findImportFunctions(const Partitioner&, SgAsmPEFileHeader*, const ImportIndex&, std::vector<Function::Ptr>&);

 ImportIndex getImportIndex(const Partitioner&, SgAsmPEFileHeader*);

 ImportIndex getImportIndex(const Partitioner&, SgAsmInterpretation*);

 size_t getImportIndex(const Partitioner&, SgAsmPEFileHeader*, ImportIndex&);

 void rebaseImportAddressTables(Partitioner &partitioner, const ImportIndex &index);


 void nameImportThunks(const Partitioner&, SgAsmInterpretation*);


 void buildMayReturnLists(Partitioner&);


 class PeDescrambler: public BasicBlockCallback {

 public:

     typedef Sawyer::SharedPointer<PeDescrambler> Ptr;


     struct DispatchEntry {                              // one entry of PEScrambler's dispatch table

         uint32_t returnVa;                              // return address for dispatcher call

         uint32_t calleeVa;                              // address if function that should have been called

         DispatchEntry(): returnVa(0), calleeVa(0) {}

         DispatchEntry(uint32_t returnVa, uint32_t calleeVa): returnVa(returnVa), calleeVa(calleeVa) {}

     };


     typedef std::vector<DispatchEntry> DispatchTable;


 private:

     rose_addr_t dispatcherVa_;                          // address of PEScrambler's indirection decoder and dispatcher

     rose_addr_t dispatchTableVa_;                       // address of PEScrambler's dispatch table

     bool reachedEndOfTable_;                            // true when we cannot read any more table entries

     bool checkedPreconditions_;                         // true after we did some first-call precondition checking

     static const size_t sizeofDispatcherFunction = 65;  // default size of PEscrambler dispatcher function in bytes

     static const size_t bitsPerWord = 32;               // this callback only works for 32-bit specimens

     DispatchTable dispatchTable_;                       // the entire dispatch table (and possibly more)


 protected:

     // Non-subclass users: please use the instance() method instead; these objects are reference counted.

     PeDescrambler(rose_addr_t dispatcherVa, rose_addr_t dispatchTableVa)

         : dispatcherVa_(dispatcherVa), dispatchTableVa_(dispatchTableVa), reachedEndOfTable_(false),

           checkedPreconditions_(false) {}


 public:

     static Ptr instance(rose_addr_t dispatcherVa, rose_addr_t dispatchTableVa) {

         return Ptr(new PeDescrambler(dispatcherVa, dispatchTableVa));

     }


     static Ptr instance(rose_addr_t dispatcherVa) {

         return Ptr(new PeDescrambler(dispatcherVa, dispatcherVa + sizeofDispatcherFunction));

     }


     void nameKeyAddresses(Partitioner&);


     rose_addr_t dispatcherVa() const { return dispatcherVa_; }


     rose_addr_t dispatchTableVa() const { return dispatchTableVa_; }


     const DispatchTable& dispatchTable() const { return dispatchTable_; }

     DispatchTable& dispatchTable() { return dispatchTable_; }

     // Callback invoked by the partitioner each time an instruction is appended to a basic block.

     virtual bool operator()(bool chain, const Args&) ROSE_OVERRIDE;


 private:

     // True if the only CFG successor for the specified block is the PEScrambler dispatcher and the block ends with a CALL

     // instruction.

     bool basicBlockCallsDispatcher(const Partitioner&, const BasicBlock::Ptr&);


     // Look up the return address in the PEScrambler dispatch table as if we were the dispatcher and return it if found.

     Sawyer::Optional<rose_addr_t> findCalleeAddress(const Partitioner&, rose_addr_t returnVa);

 };


 } // namespace

 } // namespace

 } // namespace

 } // namespace


 #endif

Rose::BinaryAnalysis::Partitioner2::ModulesPe::nameImportThunks
void nameImportThunks(const Partitioner &, SgAsmInterpretation *)
Names functions that look like they're thunks for imports.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::dispatcherVa
rose_addr_t dispatcherVa() const
Virtual address of PEScrambler dispatch function.
Definition: ModulesPe.h:140

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::dispatchTableVa
rose_addr_t dispatchTableVa() const
Virtual address of PEScrambler dispatch table.
Definition: ModulesPe.h:143

Rose::BinaryAnalysis::Partitioner2::BasicBlockCallback
Base class for adjusting basic blocks during discovery.
Definition: Modules.h:38

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::DispatchTable
std::vector< DispatchEntry > DispatchTable
The function dispatch table.
Definition: ModulesPe.h:98

Rose::BinaryAnalysis::Partitioner2::ModulesPe::systemFunctionName
std::string systemFunctionName(const std::string &)
Convert function name to system representation.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::instance
static Ptr instance(rose_addr_t dispatcherVa, rose_addr_t dispatchTableVa)
Construct a new PeDescrambler.
Definition: ModulesPe.h:122

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler
Callback to restore PEScrambler function call edges.
Definition: ModulesPe.h:80

Rose
Main namespace for the ROSE library.
Definition: BinaryTutorial.dox:3

Rose::BinaryAnalysis::Partitioner2::ModulesPe::findImportFunctions
std::vector< Function::Ptr > findImportFunctions(const Partitioner &, SgAsmPEFileHeader *)
Reads PE import sections to find functions.

Sawyer::SharedPointer
Reference-counting smart pointer.
Definition: SharedPointer.h:34

Sawyer
Name space for the entire library.
Definition: Access.h:13

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::operator()
virtual bool operator()(bool chain, const Args &) ROSE_OVERRIDE
Callback method.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::nameKeyAddresses
void nameKeyAddresses(Partitioner &)
Name certain addresses in the specimen.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::Ptr
Sawyer::SharedPointer< PeDescrambler > Ptr
Shared-ownership pointer to a PeDescrambler.
Definition: ModulesPe.h:83

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::dispatchTable
const DispatchTable & dispatchTable() const
Dispatch table.
Definition: ModulesPe.h:153

Rose::BinaryAnalysis::Partitioner2::ModulesPe::buildMayReturnLists
void buildMayReturnLists(Partitioner &)
Build may-return white and black lists.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::dispatchTable
DispatchTable & dispatchTable()
Dispatch table.
Definition: ModulesPe.h:154

Rose::BinaryAnalysis::Partitioner2::ModulesPe::getImportIndex
ImportIndex getImportIndex(const Partitioner &, SgAsmPEFileHeader *)
Scans PE import sections to build an index.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::rebaseImportAddressTables
void rebaseImportAddressTables(Partitioner &partitioner, const ImportIndex &index)
Update import address tables to reflect addresses of imported functions.

BinaryAnalysis

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::instance
static Ptr instance(rose_addr_t dispatcherVa)
Construct a new PeDescrambler.
Definition: ModulesPe.h:130

Rose::BinaryAnalysis::Partitioner2::ModulesPe::ImportIndex
Sawyer::Container::Map< rose_addr_t, SgAsmPEImportItem * > ImportIndex
Index for PE import addresses.
Definition: ModulesPe.h:29

SgAsmPEFileHeader
Windows PE file header.
Definition: binaryInstruction.C:9471

Rose::BinaryAnalysis::Partitioner2::BasicBlock
Basic block information.
Definition: BasicBlock.h:42

Rose::BinaryAnalysis::Partitioner2::Partitioner
Partitions instructions into basic blocks and functions.
Definition: Partitioner.h:293

Rose::BinaryAnalysis::Partitioner2::ModulesPe::findExportFunctions
std::vector< Function::Ptr > findExportFunctions(const Partitioner &, SgAsmPEFileHeader *)
Reads PE export sections to find functions.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::DispatchEntry
One dispatch table entry in native format.
Definition: ModulesPe.h:86

SgAsmInterpretation
Represents an interpretation of a binary container.
Definition: binaryInstruction.C:4257

Sawyer::Container::Map
Container associating values with keys.
Definition: Sawyer/Map.h:66