|
ROSE
0.11.131.0
|
Disassembly and partitioning utilities for PE files.
Classes | |
| class | PeDescrambler |
| Callback to restore PEScrambler function call edges. More... | |
Typedefs | |
| typedef Sawyer::Container::Map< rose_addr_t, SgAsmPEImportItem * > | ImportIndex |
| Index for PE import addresses. More... | |
Functions | |
| std::string | systemFunctionName (const std::string &) |
| Convert function name to system representation. More... | |
| void | rebaseImportAddressTables (const PartitionerPtr &partitioner, const ImportIndex &index) |
| Update import address tables to reflect addresses of imported functions. More... | |
| void | nameImportThunks (const PartitionerConstPtr &, SgAsmInterpretation *) |
| Names functions that look like they're thunks for imports. More... | |
| void | buildMayReturnLists (const PartitionerPtr &) |
| Build may-return white and black lists. More... | |
| std::vector< FunctionPtr > | findExportFunctions (const PartitionerConstPtr &, SgAsmPEFileHeader *) |
| Reads PE export sections to find functions. More... | |
| std::vector< FunctionPtr > | findExportFunctions (const PartitionerConstPtr &, SgAsmInterpretation *) |
| Reads PE export sections to find functions. More... | |
| size_t | findExportFunctions (const PartitionerConstPtr &, SgAsmInterpretation *, std::vector< FunctionPtr > &) |
| Reads PE export sections to find functions. More... | |
| std::vector< FunctionPtr > | findImportFunctions (const PartitionerConstPtr &, SgAsmPEFileHeader *) |
| Reads PE import sections to find functions. More... | |
| std::vector< FunctionPtr > | findImportFunctions (const PartitionerConstPtr &, SgAsmInterpretation *) |
| Reads PE import sections to find functions. More... | |
| size_t | findImportFunctions (const PartitionerConstPtr &, SgAsmPEFileHeader *, const ImportIndex &, std::vector< FunctionPtr > &) |
| Reads PE import sections to find functions. More... | |
| ImportIndex | getImportIndex (const PartitionerConstPtr &, SgAsmPEFileHeader *) |
| Scans PE import sections to build an index. | |
| ImportIndex | getImportIndex (const PartitionerConstPtr &, SgAsmInterpretation *) |
| Scans PE import sections to build an index. | |
| size_t | getImportIndex (const PartitionerConstPtr &, SgAsmPEFileHeader *, ImportIndex &) |
| Scans PE import sections to build an index. | |
| typedef Sawyer::Container::Map<rose_addr_t, SgAsmPEImportItem*> Rose::BinaryAnalysis::Partitioner2::ModulesPe::ImportIndex |
Index for PE import addresses.
This is a map from possible import addresses to the item in the Import Address Table (IAT) that describes the function that will be imported to that address. The map probably contains at least two addresses per function, the absolute address and a relative address, because we're not sure which is contained in the IAT – it depends on whether a linker has run.
Definition at line 31 of file ModulesPe.h.
| std::string Rose::BinaryAnalysis::Partitioner2::ModulesPe::systemFunctionName | ( | const std::string & | ) |
Convert function name to system representation.
ROSE always stores library function names as "function@library", and this function rewrites such names to be similar to the way thy're typically presented on a particular operating system. For instance, "EncodePointer@KERNEL32.dll" will be rewritten to "KERNEL32.dll:EncodePointer" since that's how it typically appears in Windows tools.
| std::vector<FunctionPtr> Rose::BinaryAnalysis::Partitioner2::ModulesPe::findExportFunctions | ( | const PartitionerConstPtr & | , |
| SgAsmPEFileHeader * | |||
| ) |
Reads PE export sections to find functions.
Scans all PE export sections under the specified PE file header to obtain names and addresses for functions. Returns a list of new, unique functions sorted by entry address.
| std::vector<FunctionPtr> Rose::BinaryAnalysis::Partitioner2::ModulesPe::findExportFunctions | ( | const PartitionerConstPtr & | , |
| SgAsmInterpretation * | |||
| ) |
Reads PE export sections to find functions.
Scans all PE export sections under the specified PE file header to obtain names and addresses for functions. Returns a list of new, unique functions sorted by entry address.
| size_t Rose::BinaryAnalysis::Partitioner2::ModulesPe::findExportFunctions | ( | const PartitionerConstPtr & | , |
| SgAsmInterpretation * | , | ||
| std::vector< FunctionPtr > & | |||
| ) |
Reads PE export sections to find functions.
Scans all PE export sections under the specified PE file header to obtain names and addresses for functions. Returns a list of new, unique functions sorted by entry address.
| std::vector<FunctionPtr> Rose::BinaryAnalysis::Partitioner2::ModulesPe::findImportFunctions | ( | const PartitionerConstPtr & | , |
| SgAsmPEFileHeader * | |||
| ) |
Reads PE import sections to find functions.
Scans all PE import sections in the specified interpretation to obtain addresses where imported functions will be mapped or have been mapped, depending on whether a dynamic linker has run. The return value is a list of new, unique functions sorted by entry address.
| std::vector<FunctionPtr> Rose::BinaryAnalysis::Partitioner2::ModulesPe::findImportFunctions | ( | const PartitionerConstPtr & | , |
| SgAsmInterpretation * | |||
| ) |
Reads PE import sections to find functions.
Scans all PE import sections in the specified interpretation to obtain addresses where imported functions will be mapped or have been mapped, depending on whether a dynamic linker has run. The return value is a list of new, unique functions sorted by entry address.
| size_t Rose::BinaryAnalysis::Partitioner2::ModulesPe::findImportFunctions | ( | const PartitionerConstPtr & | , |
| SgAsmPEFileHeader * | , | ||
| const ImportIndex & | , | ||
| std::vector< FunctionPtr > & | |||
| ) |
Reads PE import sections to find functions.
Scans all PE import sections in the specified interpretation to obtain addresses where imported functions will be mapped or have been mapped, depending on whether a dynamic linker has run. The return value is a list of new, unique functions sorted by entry address.
| void Rose::BinaryAnalysis::Partitioner2::ModulesPe::rebaseImportAddressTables | ( | const PartitionerPtr & | partitioner, |
| const ImportIndex & | index | ||
| ) |
Update import address tables to reflect addresses of imported functions.
| void Rose::BinaryAnalysis::Partitioner2::ModulesPe::nameImportThunks | ( | const PartitionerConstPtr & | , |
| SgAsmInterpretation * | |||
| ) |
Names functions that look like they're thunks for imports.
An import thunk is an indirect unconditional jump through a read-only import address table to a virtual address where an external function will be dynamically linked. The dynamic linking will have already taken place if a linker was used prior to disassembly.
| void Rose::BinaryAnalysis::Partitioner2::ModulesPe::buildMayReturnLists | ( | const PartitionerPtr & | ) |
Build may-return white and black lists.
1.8.10