ModulesPe.h

#ifndef ROSE_BinaryAnalysis_Partitioner2_ModulesPe_H
#define ROSE_BinaryAnalysis_Partitioner2_ModulesPe_H
#include <featureTests.h>
#ifdef ROSE_ENABLE_BINARY_ANALYSIS
#include <Rose/BinaryAnalysis/Partitioner2/BasicTypes.h>
 
#include <Rose/BinaryAnalysis/Partitioner2/Modules.h>
#include <Sawyer/Map.h>
 
namespace Rose {
namespace BinaryAnalysis {
namespace Partitioner2 {
 
namespace ModulesPe {
 
std::string systemFunctionName(const std::string&);
 
typedef Sawyer::Container::Map<rose_addr_t, SgAsmPEImportItem*> ImportIndex;
 
std::vector<FunctionPtr> findExportFunctions(const PartitionerConstPtr&, SgAsmPEFileHeader*);
std::vector<FunctionPtr> findExportFunctions(const PartitionerConstPtr&, SgAsmInterpretation*);
size_t findExportFunctions(const PartitionerConstPtr&, SgAsmInterpretation*, std::vector<FunctionPtr>&);
std::vector<FunctionPtr> findImportFunctions(const PartitionerConstPtr&, SgAsmPEFileHeader*);
std::vector<FunctionPtr> findImportFunctions(const PartitionerConstPtr&, SgAsmInterpretation*);
size_t findImportFunctions(const PartitionerConstPtr&, SgAsmPEFileHeader*, const ImportIndex&, std::vector<FunctionPtr>&);
ImportIndex getImportIndex(const PartitionerConstPtr&, SgAsmPEFileHeader*);
ImportIndex getImportIndex(const PartitionerConstPtr&, SgAsmInterpretation*);
size_t getImportIndex(const PartitionerConstPtr&, SgAsmPEFileHeader*, ImportIndex&);
void rebaseImportAddressTables(const PartitionerPtr &partitioner, const ImportIndex &index);
 
void nameImportThunks(const PartitionerConstPtr&, SgAsmInterpretation*);
 
void buildMayReturnLists(const PartitionerPtr&);
 
class PeDescrambler: public BasicBlockCallback {
public:
    typedef Sawyer::SharedPointer<PeDescrambler> Ptr;
 
    struct DispatchEntry {                              // one entry of PEScrambler's dispatch table
        uint32_t returnVa;                              // return address for dispatcher call
        uint32_t calleeVa;                              // address if function that should have been called
        DispatchEntry(): returnVa(0), calleeVa(0) {}
        DispatchEntry(uint32_t returnVa, uint32_t calleeVa): returnVa(returnVa), calleeVa(calleeVa) {}
    };
 
    typedef std::vector<DispatchEntry> DispatchTable;
 
private:
    rose_addr_t dispatcherVa_;                          // address of PEScrambler's indirection decoder and dispatcher
    rose_addr_t dispatchTableVa_;                       // address of PEScrambler's dispatch table
    bool reachedEndOfTable_;                            // true when we cannot read any more table entries
    bool checkedPreconditions_;                         // true after we did some first-call precondition checking
    static const size_t sizeofDispatcherFunction = 65;  // default size of PEscrambler dispatcher function in bytes
    static const size_t bitsPerWord = 32;               // this callback only works for 32-bit specimens
    DispatchTable dispatchTable_;                       // the entire dispatch table (and possibly more)
 
protected:
    // Non-subclass users: please use the instance() method instead; these objects are reference counted.
    PeDescrambler(rose_addr_t dispatcherVa, rose_addr_t dispatchTableVa)
        : dispatcherVa_(dispatcherVa), dispatchTableVa_(dispatchTableVa), reachedEndOfTable_(false),
          checkedPreconditions_(false) {}
 
public:
    static Ptr instance(rose_addr_t dispatcherVa, rose_addr_t dispatchTableVa) {
        return Ptr(new PeDescrambler(dispatcherVa, dispatchTableVa));
    }
 
    static Ptr instance(rose_addr_t dispatcherVa) {
        return Ptr(new PeDescrambler(dispatcherVa, dispatcherVa + sizeofDispatcherFunction));
    }
 
    void nameKeyAddresses(const PartitionerPtr&);
 
    rose_addr_t dispatcherVa() const { return dispatcherVa_; }
 
    rose_addr_t dispatchTableVa() const { return dispatchTableVa_; }
 
    const DispatchTable& dispatchTable() const { return dispatchTable_; }
    DispatchTable& dispatchTable() { return dispatchTable_; }
    // Callback invoked by the partitioner each time an instruction is appended to a basic block.
    virtual bool operator()(bool chain, const Args&) override;
 
private:
    // True if the only CFG successor for the specified block is the PEScrambler dispatcher and the block ends with a CALL
    // instruction.
    bool basicBlockCallsDispatcher(const PartitionerConstPtr&, const BasicBlockPtr&);
 
    // Look up the return address in the PEScrambler dispatch table as if we were the dispatcher and return it if found.
    Sawyer::Optional<rose_addr_t> findCalleeAddress(const PartitionerConstPtr&, rose_addr_t returnVa);
};
 
} // namespace
} // namespace
} // namespace
} // namespace
 
#endif
#endif