Description
Callback to restore PEScrambler function call edges.
This basic block callback is invoked each time the partitioner discovers a new instruction. It looks at the instruction's successors, and if the only successor is the PEScrambler dispatch function (as specified during callback construction) then the successor edge is replace with the edge to the original callee as if PEScrambler's dispatcher did the replacement.
Definition at line 82 of file ModulesPe.h.
#include <Rose/BinaryAnalysis/Partitioner2/ModulesPe.h>
Classes | |
| struct | DispatchEntry |
| One dispatch table entry in native format. More... | |
Public Types | |
| typedef Sawyer::SharedPointer< PeDescrambler > | Ptr |
| Shared-ownership pointer to a PeDescrambler. | |
| typedef std::vector< DispatchEntry > | DispatchTable |
| The function dispatch table. | |
 Public Types inherited from Rose::BinaryAnalysis::Partitioner2::BasicBlockCallback | |
| enum | Termination { CONTINUE_DISCOVERY , TERMINATE_NOW , TERMINATE_PRIOR } |
| Whether to terminate a basic block. More... | |
| using | Ptr = BasicBlockCallbackPtr |
| Shared-ownership pointer to a BasicBlockCallback. | |
Public Member Functions | |
| void | nameKeyAddresses (const PartitionerPtr &) |
| Name certain addresses in the specimen. | |
| Address | dispatcherVa () const |
| Virtual address of PEScrambler dispatch function. | |
| Address | dispatchTableVa () const |
| Virtual address of PEScrambler dispatch table. | |
| virtual bool | operator() (bool chain, const Args &) override |
| Callback method. | |
| const DispatchTable & | dispatchTable () const |
| Dispatch table. | |
| DispatchTable & | dispatchTable () |
| Dispatch table. | |
| Public Member Functions inherited from Sawyer::SharedObject | |
| SharedObject () | |
| Default constructor. | |
| SharedObject (const SharedObject &) | |
| Copy constructor. | |
| virtual | ~SharedObject () |
| Virtual destructor. | |
| SharedObject & | operator= (const SharedObject &) |
| Assignment. | |
Static Public Member Functions | |
| static Ptr | instance (Address dispatcherVa, Address dispatchTableVa) |
| Construct a new PeDescrambler. | |
| static Ptr | instance (Address dispatcherVa) |
| Construct a new PeDescrambler. | |
Protected Member Functions | |
| PeDescrambler (Address dispatcherVa, Address dispatchTableVa) | |
Member Typedef Documentation
◆ Ptr
| typedef Sawyer::SharedPointer<PeDescrambler> Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::Ptr |
Shared-ownership pointer to a PeDescrambler.
See Shared ownership.
Definition at line 85 of file ModulesPe.h.
◆ DispatchTable
| typedef std::vector<DispatchEntry> Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::DispatchTable |
The function dispatch table.
The first part of the table, up to and including the first zero-valued returnVa, has calleeVa values which are function addresses. The second part of the table's calleeVa values are addresses containing the address of a function (i.e., an extra level of indirection).
Definition at line 100 of file ModulesPe.h.
Constructor & Destructor Documentation
◆ PeDescrambler()
|
inlineprotected |
Definition at line 113 of file ModulesPe.h.
Member Function Documentation
◆ instance() [1/2]
|
inlinestatic |
Construct a new PeDescrambler.
The dispatcherVa is the virtual address of the PEScrambler dispatch function. One can easily find it by looking at the call graph since it will be the function that probably has many more callers than any other function. The dispatchTableVa is the address of the PEScrambler dispatch table, which normally starts at the first byte past the end of the dispatch function.
Definition at line 124 of file ModulesPe.h.
References dispatcherVa(), and dispatchTableVa().
◆ instance() [2/2]
|
inlinestatic |
Construct a new PeDescrambler.
This is the same as the two-argument constructor, but the dispatch table address is assumed to be at a fixed offset from the dispatch function.
Definition at line 132 of file ModulesPe.h.
References dispatcherVa().
◆ nameKeyAddresses()
| void Rose::BinaryAnalysis::Partitioner2::ModulesPe::PeDescrambler::nameKeyAddresses | ( | const PartitionerPtr & | ) |
Name certain addresses in the specimen.
Names the PEScrambler dispatch address and dispatch table address if they don't have names yet.
◆ dispatcherVa()
|
inline |
Virtual address of PEScrambler dispatch function.
Definition at line 142 of file ModulesPe.h.
Referenced by instance(), and instance().
◆ dispatchTableVa()
|
inline |
Virtual address of PEScrambler dispatch table.
Definition at line 145 of file ModulesPe.h.
Referenced by instance().
◆ dispatchTable() [1/2]
|
inline |
Dispatch table.
Returns a reference to the dispatch table as it currently exists in this callback. The callback extends the table only as needed in order to locate a return address, and the table is extended in arbitrary sized chunks (so it may contain data that isn't actually part of the table as far as the specimen is concerned). The caller is free to modify the table. See DispatchTable for more information.
Definition at line 155 of file ModulesPe.h.
◆ dispatchTable() [2/2]
|
inline |
Dispatch table.
Returns a reference to the dispatch table as it currently exists in this callback. The callback extends the table only as needed in order to locate a return address, and the table is extended in arbitrary sized chunks (so it may contain data that isn't actually part of the table as far as the specimen is concerned). The caller is free to modify the table. See DispatchTable for more information.
Definition at line 156 of file ModulesPe.h.
◆ operator()()
|
overridevirtual |
Callback method.
This is the method invoked for the callback. The chain argument is the return value from the previous callback in the list (true for the first callback). The successor callbacks use chain to indicate whether subsequent callbacks should do anything.
Implements Rose::BinaryAnalysis::Partitioner2::BasicBlockCallback.
The documentation for this class was generated from the following file:
