|
ROSE
0.9.10.103
|
Disassembly and partitioning utilities for PE files.
Classes | |
| class | PeDescrambler |
| Callback to restore PEScrambler function call edges. More... | |
Typedefs | |
| typedef Sawyer::Container::Map< rose_addr_t, SgAsmPEImportItem * > | ImportIndex |
| Index for PE import addresses. More... | |
Functions | |
| std::string | systemFunctionName (const std::string &) |
| Convert function name to system representation. More... | |
| void | rebaseImportAddressTables (Partitioner &partitioner, const ImportIndex &index) |
| Update import address tables to reflect addresses of imported functions. More... | |
| void | nameImportThunks (const Partitioner &, SgAsmInterpretation *) |
| Names functions that look like they're thunks for imports. More... | |
| void | buildMayReturnLists (Partitioner &) |
| Build may-return white and black lists. More... | |
| std::vector< Function::Ptr > | findExportFunctions (const Partitioner &, SgAsmPEFileHeader *) |
| Reads PE export sections to find functions. More... | |
| std::vector< Function::Ptr > | findExportFunctions (const Partitioner &, SgAsmInterpretation *) |
| Reads PE export sections to find functions. More... | |
| size_t | findExportFunctions (const Partitioner &, SgAsmInterpretation *, std::vector< Function::Ptr > &) |
| Reads PE export sections to find functions. More... | |
| std::vector< Function::Ptr > | findImportFunctions (const Partitioner &, SgAsmPEFileHeader *) |
| Reads PE import sections to find functions. More... | |
| std::vector< Function::Ptr > | findImportFunctions (const Partitioner &, SgAsmInterpretation *) |
| Reads PE import sections to find functions. More... | |
| size_t | findImportFunctions (const Partitioner &, SgAsmPEFileHeader *, const ImportIndex &, std::vector< Function::Ptr > &) |
| Reads PE import sections to find functions. More... | |
| ImportIndex | getImportIndex (const Partitioner &, SgAsmPEFileHeader *) |
| Scans PE import sections to build an index. | |
| ImportIndex | getImportIndex (const Partitioner &, SgAsmInterpretation *) |
| Scans PE import sections to build an index. | |
| size_t | getImportIndex (const Partitioner &, SgAsmPEFileHeader *, ImportIndex &) |
| Scans PE import sections to build an index. | |
| typedef Sawyer::Container::Map<rose_addr_t, SgAsmPEImportItem*> Rose::BinaryAnalysis::Partitioner2::ModulesPe::ImportIndex |
Index for PE import addresses.
This is a map from possible import addresses to the item in the Import Address Table (IAT) that describes the function that will be imported to that address. The map probably contains at least two addresses per function, the absolute address and a relative address, because we're not sure which is contained in the IAT – it depends on whether a linker has run.
Definition at line 29 of file ModulesPe.h.
| std::string Rose::BinaryAnalysis::Partitioner2::ModulesPe::systemFunctionName | ( | const std::string & | ) |
Convert function name to system representation.
ROSE always stores library function names as "function@library", and this function rewrites such names to be similar to the way thy're typically presented on a particular operating system. For instance, "EncodePointer@KERNEL32.dll" will be rewritten to "KERNEL32.dll:EncodePointer" since that's how it typically appears in Windows tools.
| std::vector<Function::Ptr> Rose::BinaryAnalysis::Partitioner2::ModulesPe::findExportFunctions | ( | const Partitioner & | , |
| SgAsmPEFileHeader * | |||
| ) |
Reads PE export sections to find functions.
Scans all PE export sections under the specified PE file header to obtain names and addresses for functions. Returns a list of new, unique functions sorted by entry address.
| std::vector<Function::Ptr> Rose::BinaryAnalysis::Partitioner2::ModulesPe::findExportFunctions | ( | const Partitioner & | , |
| SgAsmInterpretation * | |||
| ) |
Reads PE export sections to find functions.
Scans all PE export sections under the specified PE file header to obtain names and addresses for functions. Returns a list of new, unique functions sorted by entry address.
| size_t Rose::BinaryAnalysis::Partitioner2::ModulesPe::findExportFunctions | ( | const Partitioner & | , |
| SgAsmInterpretation * | , | ||
| std::vector< Function::Ptr > & | |||
| ) |
Reads PE export sections to find functions.
Scans all PE export sections under the specified PE file header to obtain names and addresses for functions. Returns a list of new, unique functions sorted by entry address.
| std::vector<Function::Ptr> Rose::BinaryAnalysis::Partitioner2::ModulesPe::findImportFunctions | ( | const Partitioner & | , |
| SgAsmPEFileHeader * | |||
| ) |
Reads PE import sections to find functions.
Scans all PE import sections in the specified interpretation to obtain addresses where imported functions will be mapped or have been mapped, depending on whether a dynamic linker has run. The return value is a list of new, unique functions sorted by entry address.
| std::vector<Function::Ptr> Rose::BinaryAnalysis::Partitioner2::ModulesPe::findImportFunctions | ( | const Partitioner & | , |
| SgAsmInterpretation * | |||
| ) |
Reads PE import sections to find functions.
Scans all PE import sections in the specified interpretation to obtain addresses where imported functions will be mapped or have been mapped, depending on whether a dynamic linker has run. The return value is a list of new, unique functions sorted by entry address.
| size_t Rose::BinaryAnalysis::Partitioner2::ModulesPe::findImportFunctions | ( | const Partitioner & | , |
| SgAsmPEFileHeader * | , | ||
| const ImportIndex & | , | ||
| std::vector< Function::Ptr > & | |||
| ) |
Reads PE import sections to find functions.
Scans all PE import sections in the specified interpretation to obtain addresses where imported functions will be mapped or have been mapped, depending on whether a dynamic linker has run. The return value is a list of new, unique functions sorted by entry address.
| void Rose::BinaryAnalysis::Partitioner2::ModulesPe::rebaseImportAddressTables | ( | Partitioner & | partitioner, |
| const ImportIndex & | index | ||
| ) |
Update import address tables to reflect addresses of imported functions.
| void Rose::BinaryAnalysis::Partitioner2::ModulesPe::nameImportThunks | ( | const Partitioner & | , |
| SgAsmInterpretation * | |||
| ) |
Names functions that look like they're thunks for imports.
An import thunk is an indirect unconditional jump through a read-only import address table to a virtual address where an external function will be dynamically linked. The dynamic linking will have already taken place if a linker was used prior to disassembly.
| void Rose::BinaryAnalysis::Partitioner2::ModulesPe::buildMayReturnLists | ( | Partitioner & | ) |
Build may-return white and black lists.
1.8.10