ROSE_HTML_Reference/ModulesPe_8h_source.html

#ifndef ROSE_BinaryAnalysis_Partitioner2_ModulesPe_H

#define ROSE_BinaryAnalysis_Partitioner2_ModulesPe_H

#include <featureTests.h>

#ifdef ROSE_ENABLE_BINARY_ANALYSIS

#include <Rose/BinaryAnalysis/Partitioner2/BasicTypes.h>


#include <Rose/BinaryAnalysis/Partitioner2/Modules.h>

#include <Sawyer/Map.h>


namespace Rose {

namespace BinaryAnalysis {

namespace Partitioner2 {


namespace ModulesPe {


std::string systemFunctionName(const std::string&);


typedef Sawyer::Container::Map<Address, SgAsmPEImportItem*> ImportIndex;


std::vector<FunctionPtr> findExportFunctions(const PartitionerConstPtr&, SgAsmPEFileHeader*);

std::vector<FunctionPtr> findExportFunctions(const PartitionerConstPtr&, SgAsmInterpretation*);

size_t findExportFunctions(const PartitionerConstPtr&, SgAsmInterpretation*, std::vector<FunctionPtr>&);

std::vector<FunctionPtr> findImportFunctions(const PartitionerConstPtr&, SgAsmPEFileHeader*);

std::vector<FunctionPtr> findImportFunctions(const PartitionerConstPtr&, SgAsmInterpretation*);

size_t findImportFunctions(const PartitionerConstPtr&, SgAsmPEFileHeader*, const ImportIndex&, std::vector<FunctionPtr>&);

ImportIndex getImportIndex(const PartitionerConstPtr&, SgAsmPEFileHeader*);

ImportIndex getImportIndex(const PartitionerConstPtr&, SgAsmInterpretation*);

size_t getImportIndex(const PartitionerConstPtr&, SgAsmPEFileHeader*, ImportIndex&);

void rebaseImportAddressTables(const PartitionerPtr &partitioner, const ImportIndex &index);


void nameImportThunks(const PartitionerConstPtr&, SgAsmInterpretation*);


void buildMayReturnLists(const PartitionerPtr&);


class PeDescrambler: public BasicBlockCallback {

public:

    typedef Sawyer::SharedPointer<PeDescrambler> Ptr;


    struct DispatchEntry {                              // one entry of PEScrambler's dispatch table

        uint32_t returnVa;                              // return address for dispatcher call

        uint32_t calleeVa;                              // address if function that should have been called

        DispatchEntry(): returnVa(0), calleeVa(0) {}

        DispatchEntry(uint32_t returnVa, uint32_t calleeVa): returnVa(returnVa), calleeVa(calleeVa) {}

    };


    typedef std::vector<DispatchEntry> DispatchTable;


private:

    Address dispatcherVa_;                              // address of PEScrambler's indirection decoder and dispatcher

    Address dispatchTableVa_;                           // address of PEScrambler's dispatch table

    bool reachedEndOfTable_;                            // true when we cannot read any more table entries

    bool checkedPreconditions_;                         // true after we did some first-call precondition checking

    static const size_t sizeofDispatcherFunction = 65;  // default size of PEscrambler dispatcher function in bytes

    static const size_t bitsPerWord = 32;               // this callback only works for 32-bit specimens

    DispatchTable dispatchTable_;                       // the entire dispatch table (and possibly more)


protected:

    // Non-subclass users: please use the instance() method instead; these objects are reference counted.

    PeDescrambler(Address dispatcherVa, Address dispatchTableVa)

        : dispatcherVa_(dispatcherVa), dispatchTableVa_(dispatchTableVa), reachedEndOfTable_(false),

          checkedPreconditions_(false) {}


public:


    static Ptr instance(Address dispatcherVa, Address dispatchTableVa) {

        return Ptr(new PeDescrambler(dispatcherVa, dispatchTableVa));

    }


    static Ptr instance(Address dispatcherVa) {

        return Ptr(new PeDescrambler(dispatcherVa, dispatcherVa + sizeofDispatcherFunction));

    }


    void nameKeyAddresses(const PartitionerPtr&);


    Address dispatcherVa() const { return dispatcherVa_; }


    Address dispatchTableVa() const { return dispatchTableVa_; }


    const DispatchTable& dispatchTable() const { return dispatchTable_; }

    DispatchTable& dispatchTable() { return dispatchTable_; }

    // Callback invoked by the partitioner each time an instruction is appended to a basic block.

    virtual bool operator()(bool chain, const Args&) override;


private:

    // True if the only CFG successor for the specified block is the PEScrambler dispatcher and the block ends with a CALL

    // instruction.

    bool basicBlockCallsDispatcher(const PartitionerConstPtr&, const BasicBlockPtr&);


    // Look up the return address in the PEScrambler dispatch table as if we were the dispatcher and return it if found.

    Sawyer::Optional<Address> findCalleeAddress(const PartitionerConstPtr&, Address returnVa);

};


} // namespace


} // namespace

} // namespace

} // namespace


#endif

#endif

Rose::BinaryAnalysis::Partitioner2::BasicBlockCallback
Base class for adjusting basic blocks during discovery.
Definition Modules.h:39

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler
Callback to restore PEScrambler function call edges.
Definition ModulesPe.h:82

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::nameKeyAddresses
void nameKeyAddresses(const PartitionerPtr &)
Name certain addresses in the specimen.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::Ptr
Sawyer::SharedPointer< PeDescrambler > Ptr
Shared-ownership pointer to a PeDescrambler.
Definition ModulesPe.h:85

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::operator()
virtual bool operator()(bool chain, const Args &) override
Callback method.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::DispatchTable
std::vector< DispatchEntry > DispatchTable
The function dispatch table.
Definition ModulesPe.h:100

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::instance
static Ptr instance(Address dispatcherVa)
Construct a new PeDescrambler.
Definition ModulesPe.h:132

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::dispatchTableVa
Address dispatchTableVa() const
Virtual address of PEScrambler dispatch table.
Definition ModulesPe.h:145

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::instance
static Ptr instance(Address dispatcherVa, Address dispatchTableVa)
Construct a new PeDescrambler.
Definition ModulesPe.h:124

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::dispatcherVa
Address dispatcherVa() const
Virtual address of PEScrambler dispatch function.
Definition ModulesPe.h:142

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::dispatchTable
const DispatchTable & dispatchTable() const
Dispatch table.
Definition ModulesPe.h:155

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::dispatchTable
DispatchTable & dispatchTable()
Dispatch table.
Definition ModulesPe.h:156

Sawyer::Container::Map
Container associating values with keys.
Definition Sawyer/Map.h:72

Sawyer::Optional
Holds a value or nothing.
Definition Optional.h:54

Sawyer::SharedPointer< const Partitioner >

SgAsmInterpretation
Represents an interpretation of a binary container.
Definition binaryInstruction.C:15186

SgAsmPEFileHeader
Windows PE file header.
Definition binaryInstruction.C:3737

Rose::BinaryAnalysis::Partitioner2::ModulesPe::nameImportThunks
void nameImportThunks(const PartitionerConstPtr &, SgAsmInterpretation *)
Names functions that look like they're thunks for imports.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::rebaseImportAddressTables
void rebaseImportAddressTables(const PartitionerPtr &partitioner, const ImportIndex &index)
Update import address tables to reflect addresses of imported functions.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::systemFunctionName
std::string systemFunctionName(const std::string &)
Convert function name to system representation.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::findImportFunctions
std::vector< FunctionPtr > findImportFunctions(const PartitionerConstPtr &, SgAsmPEFileHeader *)
Reads PE import sections to find functions.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::findExportFunctions
std::vector< FunctionPtr > findExportFunctions(const PartitionerConstPtr &, SgAsmPEFileHeader *)
Reads PE export sections to find functions.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::buildMayReturnLists
void buildMayReturnLists(const PartitionerPtr &)
Build may-return white and black lists.

Rose::BinaryAnalysis::Partitioner2::ModulesPe::ImportIndex
Sawyer::Container::Map< Address, SgAsmPEImportItem * > ImportIndex
Index for PE import addresses.
Definition ModulesPe.h:31

Rose::BinaryAnalysis::Partitioner2::ModulesPe::getImportIndex
ImportIndex getImportIndex(const PartitionerConstPtr &, SgAsmPEFileHeader *)
Scans PE import sections to build an index.

Rose::BinaryAnalysis::Address
std::uint64_t Address
Address.
Definition Address.h:11

Rose
The ROSE library.
Definition BinaryTutorial.dox:3

Rose::BinaryAnalysis::Partitioner2::BasicBlockCallback::Args
Arguments passed to the callback.
Definition Modules.h:58

Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::DispatchEntry
One dispatch table entry in native format.
Definition ModulesPe.h:88