ROSE_HTML_Reference/ModulesPe_8h_source.html

 #ifndef ROSE_BinaryAnalysis_Partitioner2_ModulesPe_H

 #define ROSE_BinaryAnalysis_Partitioner2_ModulesPe_H

 #include <featureTests.h>

 #ifdef ROSE_ENABLE_BINARY_ANALYSIS

 #include <Rose/BinaryAnalysis/Partitioner2/BasicTypes.h>


 #include <Rose/BinaryAnalysis/Partitioner2/Modules.h>

 #include <Sawyer/Map.h>


 namespace Rose {

 namespace BinaryAnalysis {

 namespace Partitioner2 {


 namespace ModulesPe {


 std::string systemFunctionName(const std::string&);


 typedef Sawyer::Container::Map<rose_addr_t, SgAsmPEImportItem*> ImportIndex;


 std::vector<FunctionPtr> findExportFunctions(const PartitionerConstPtr&, SgAsmPEFileHeader*);

 std::vector<FunctionPtr> findExportFunctions(const PartitionerConstPtr&, SgAsmInterpretation*);

 size_t findExportFunctions(const PartitionerConstPtr&, SgAsmInterpretation*, std::vector<FunctionPtr>&);

 std::vector<FunctionPtr> findImportFunctions(const PartitionerConstPtr&, SgAsmPEFileHeader*);

 std::vector<FunctionPtr> findImportFunctions(const PartitionerConstPtr&, SgAsmInterpretation*);

 size_t findImportFunctions(const PartitionerConstPtr&, SgAsmPEFileHeader*, const ImportIndex&, std::vector<FunctionPtr>&);

 ImportIndex getImportIndex(const PartitionerConstPtr&, SgAsmPEFileHeader*);

 ImportIndex getImportIndex(const PartitionerConstPtr&, SgAsmInterpretation*);

 size_t getImportIndex(const PartitionerConstPtr&, SgAsmPEFileHeader*, ImportIndex&);

 void rebaseImportAddressTables(const PartitionerPtr &partitioner, const ImportIndex &index);


 void nameImportThunks(const PartitionerConstPtr&, SgAsmInterpretation*);


 void buildMayReturnLists(const PartitionerPtr&);


 class PeDescrambler: public BasicBlockCallback {

 public:

     typedef Sawyer::SharedPointer<PeDescrambler> Ptr;


     struct DispatchEntry {                              // one entry of PEScrambler's dispatch table

         uint32_t returnVa;                              // return address for dispatcher call

         uint32_t calleeVa;                              // address if function that should have been called

         DispatchEntry(): returnVa(0), calleeVa(0) {}

         DispatchEntry(uint32_t returnVa, uint32_t calleeVa): returnVa(returnVa), calleeVa(calleeVa) {}

     };


     typedef std::vector<DispatchEntry> DispatchTable;


 private:

     rose_addr_t dispatcherVa_;                          // address of PEScrambler's indirection decoder and dispatcher

     rose_addr_t dispatchTableVa_;                       // address of PEScrambler's dispatch table

     bool reachedEndOfTable_;                            // true when we cannot read any more table entries

     bool checkedPreconditions_;                         // true after we did some first-call precondition checking

     static const size_t sizeofDispatcherFunction = 65;  // default size of PEscrambler dispatcher function in bytes

     static const size_t bitsPerWord = 32;               // this callback only works for 32-bit specimens

     DispatchTable dispatchTable_;                       // the entire dispatch table (and possibly more)


 protected:

     // Non-subclass users: please use the instance() method instead; these objects are reference counted.

     PeDescrambler(rose_addr_t dispatcherVa, rose_addr_t dispatchTableVa)

         : dispatcherVa_(dispatcherVa), dispatchTableVa_(dispatchTableVa), reachedEndOfTable_(false),

           checkedPreconditions_(false) {}


 public:

     static Ptr instance(rose_addr_t dispatcherVa, rose_addr_t dispatchTableVa) {

         return Ptr(new PeDescrambler(dispatcherVa, dispatchTableVa));

     }


     static Ptr instance(rose_addr_t dispatcherVa) {

         return Ptr(new PeDescrambler(dispatcherVa, dispatcherVa + sizeofDispatcherFunction));

     }


     void nameKeyAddresses(const PartitionerPtr&);


     rose_addr_t dispatcherVa() const { return dispatcherVa_; }


     rose_addr_t dispatchTableVa() const { return dispatchTableVa_; }


     const DispatchTable& dispatchTable() const { return dispatchTable_; }

     DispatchTable& dispatchTable() { return dispatchTable_; }

     // Callback invoked by the partitioner each time an instruction is appended to a basic block.

     virtual bool operator()(bool chain, const Args&) override;


 private:

     // True if the only CFG successor for the specified block is the PEScrambler dispatcher and the block ends with a CALL

     // instruction.

     bool basicBlockCallsDispatcher(const PartitionerConstPtr&, const BasicBlockPtr&);


     // Look up the return address in the PEScrambler dispatch table as if we were the dispatcher and return it if found.

     Sawyer::Optional<rose_addr_t> findCalleeAddress(const PartitionerConstPtr&, rose_addr_t returnVa);

 };


 } // namespace

 } // namespace

 } // namespace

 } // namespace


 #endif

 #endif

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::dispatcherVa
rose_addr_t dispatcherVa() const
Virtual address of PEScrambler dispatch function.
Definition: ModulesPe.h:142

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::nameKeyAddresses
void nameKeyAddresses(const PartitionerPtr &)
Name certain addresses in the specimen.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::dispatchTableVa
rose_addr_t dispatchTableVa() const
Virtual address of PEScrambler dispatch table.
Definition: ModulesPe.h:145

Rose::BinaryAnalysis::Partitioner2::BasicBlockCallback
Base class for adjusting basic blocks during discovery.
Definition: Modules.h:39

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::DispatchTable
std::vector< DispatchEntry > DispatchTable
The function dispatch table.
Definition: ModulesPe.h:100

Rose::BinaryAnalysis::Partitioner2::ModulesPe::systemFunctionName
std::string systemFunctionName(const std::string &)
Convert function name to system representation.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::instance
static Ptr instance(rose_addr_t dispatcherVa, rose_addr_t dispatchTableVa)
Construct a new PeDescrambler.
Definition: ModulesPe.h:124

Sawyer::Optional< rose_addr_t >

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler
Callback to restore PEScrambler function call edges.
Definition: ModulesPe.h:82

Rose
Main namespace for the ROSE library.
Definition: BinaryTutorial.dox:3

Sawyer::SharedPointer< const Partitioner >

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::Ptr
Sawyer::SharedPointer< PeDescrambler > Ptr
Shared-ownership pointer to a PeDescrambler.
Definition: ModulesPe.h:85

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::dispatchTable
const DispatchTable & dispatchTable() const
Dispatch table.
Definition: ModulesPe.h:155

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::operator()
virtual bool operator()(bool chain, const Args &) override
Callback method.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::dispatchTable
DispatchTable & dispatchTable()
Dispatch table.
Definition: ModulesPe.h:156

Rose::BinaryAnalysis::Partitioner2::ModulesPe::findExportFunctions
std::vector< FunctionPtr > findExportFunctions(const PartitionerConstPtr &, SgAsmPEFileHeader *)
Reads PE export sections to find functions.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::buildMayReturnLists
void buildMayReturnLists(const PartitionerPtr &)
Build may-return white and black lists.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::instance
static Ptr instance(rose_addr_t dispatcherVa)
Construct a new PeDescrambler.
Definition: ModulesPe.h:132

Rose::BinaryAnalysis::Partitioner2::ModulesPe::ImportIndex
Sawyer::Container::Map< rose_addr_t, SgAsmPEImportItem * > ImportIndex
Index for PE import addresses.
Definition: ModulesPe.h:31

SgAsmPEFileHeader
Windows PE file header.
Definition: binaryInstruction.C:3306

Rose::BinaryAnalysis::Partitioner2::ModulesPe::getImportIndex
ImportIndex getImportIndex(const PartitionerConstPtr &, SgAsmPEFileHeader *)
Scans PE import sections to build an index.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::findImportFunctions
std::vector< FunctionPtr > findImportFunctions(const PartitionerConstPtr &, SgAsmPEFileHeader *)
Reads PE import sections to find functions.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::rebaseImportAddressTables
void rebaseImportAddressTables(const PartitionerPtr &partitioner, const ImportIndex &index)
Update import address tables to reflect addresses of imported functions.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::DispatchEntry
One dispatch table entry in native format.
Definition: ModulesPe.h:88

SgAsmInterpretation
Represents an interpretation of a binary container.
Definition: binaryInstruction.C:11396

Rose::BinaryAnalysis::Partitioner2::ModulesPe::nameImportThunks
void nameImportThunks(const PartitionerConstPtr &, SgAsmInterpretation *)
Names functions that look like they're thunks for imports.

Sawyer::Container::Map
Container associating values with keys.
Definition: Sawyer/Map.h:66