Interface INativeCodeAnalyzerExtension<InsnType extends IInstruction>

- Type Parameters:
  - InsnType
- All Known Subinterfaces:
  - INativeCodeAnalyzerExtensionsManager<InsnType>
- All Known Implementing Classes:
  - AbstractAnalyzerExtension

Analyzer extensions: a collection of heuristics to improve the generic code analyzer. Clients should inherit from AbstractAnalyzerExtension, which provides default implementations, and implement only the needed methods.
Method Summary

- customizeInstructionItem(item): Customize an instruction item just after its creation by the code analyzer.
- ChainedOperationResult<Boolean> determinePotentialPointers(long address, InsnType insn, List<Pointer> values): Determine pointers (addresses to data or code) contained in the provided instruction, to let the code analyzer enqueue them for additional analysis.
- ChainedOperationResult<Boolean> determinePotentialPointersInProtoBlock(IBasicBlockSkeleton<InsnType> blk, List<PointerLocation> values): Determine additional pointers to be analyzed (addresses to data or code) that may be inferred from the analysis of the provided basic block skeleton (proto-basic block).
- determineRoutineStackPointerDelta(CFG<InsnType> routine): Determine (heuristically) the stack pointer delta generated by the execution of a routine.
- ChainedOperationResult<SwitchInformation> determineSwitchInformation(long branchInstructionAddress, IBasicBlockSkeleton<InsnType> branchInstructionBlock, List<IBasicBlockSkeleton<InsnType>> knownBlocks): Determine (heuristically) the information related to a switch-like statement, i.e. the list of reachable case handlers and the jump table addresses (if any).
- getPossiblePaddingSize(long address, long addressMax): Determine if a given memory area looks like (could be) starting with padding, and provide the size of the padding-looking area, if any.
- ChainedOperationResult<NativeDecompilationStage> getPreferredAdvancedAnalysisStage(INativeMethodItem routine): Determine which NativeDecompilationStage should be used by INativeCodeAdvancedAnalyzer for the given routine.
- getPreferredBreakingFlow(long address, InsnType insn): Provide alternate/custom breaking-flow information.
- getPrimitiveSizes(SubsystemType subsystemType, CompilerType compilerType): This method is called by the code unit to retrieve primitive type information.
- getProbableEntryPoints(long address, long addressMax): Get the likely entry points in the given memory area.
- getPrologueLooking(long address, long addressMax): Determine if a given memory area looks like (could be) the beginning of a routine.
- ChainedOperationResult<? extends Pointer> getTrampolineTarget(CFG<InsnType> routine): Get the location targeted by a trampoline routine (a routine that only branches to another location), if any.
- INativeCodeUnit<InsnType> getUnit(): Get the code unit managing INativeCodeAnalyzer.
- void initialize(INativeCodeAnalyzer<InsnType> analyzer): Implementors will receive a reference to the main analyzer.
- ChainedOperationResult<Boolean> isCandidateSwitchDispatcher(long branchInstructionAddress, InsnType branchInstruction, IBasicBlockSkeleton<InsnType> branchInstructionBlock): Determine (heuristically) if the provided branching instruction (jump/call/...) could be the dispatcher of a switch-like statement.
- isNonReturningRoutine(INativeMethodItem routine): Determine if the given routine is non-returning.
- postprocessImage(int passIndex): This method is called after the standard analysis pass completes (i.e., before any optional advanced analysis takes place).
- preprocessImage(int passIndex): This method is called before an analysis pass is performed.
- shouldForceRoutineEnd(long address, InsnType insn): Determine if the address is the last instruction of a routine.
- sigMatchingPostProcess(int passIndex): This method is called after signature matching was performed.
- void typeManagerInitialized(ITypeManager typeman): This method is called by the code unit right after it created a type manager suitable for processing.
- verifyGapRoutineCandidate(long address): Determine whether a candidate routine in a gap should be considered valid.
Method Details

getUnit
INativeCodeUnit<InsnType> getUnit()
Get the code unit managing INativeCodeAnalyzer. This method allows extensions to easily retrieve properties of the managing code unit.
Important: no guarantee is given on the unit's state; this method should preferably be used to retrieve static features (e.g., the unit's properties).
- Returns:
  - code unit

getPrimitiveSizes
getPrimitiveSizes(SubsystemType subsystemType, CompilerType compilerType)
This method is called by the code unit to retrieve primitive type information.
- Parameters:
  - subsystemType - optional hint
  - compilerType - optional hint
- Returns:
  - if null is returned, the code unit will attempt to generate the most appropriate primitive type sizes

typeManagerInitialized
void typeManagerInitialized(ITypeManager typeman)
This method is called by the code unit right after it created a type manager suitable for processing. This happens before the code analysis starts. Implementors are free to customize the type manager, e.g. by adding types that will be required when further processing takes place.
- Parameters:
  - typeman

initialize
void initialize(INativeCodeAnalyzer<InsnType> analyzer)
Implementors will receive a reference to the main analyzer. This method is not to be called by third-party code. It will be called by the GCA (generic code analyzer) when the extension object (this object) is being initialized.
- Parameters:
  - analyzer

preprocessImage
preprocessImage(int passIndex)
This method is called before an analysis pass is performed.
- Parameters:
  - passIndex - 0-based analysis pass index
- Returns:
  - true if some processing

postprocessImage
postprocessImage(int passIndex)
This method is called after the standard analysis pass completes (i.e., before any optional advanced analysis takes place).
- Parameters:
  - passIndex - 0-based analysis pass index
- Returns:
  - true if some processing

sigMatchingPostProcess
sigMatchingPostProcess(int passIndex)
This method is called after signature matching was performed.
- Parameters:
  - passIndex - 0-based analysis pass index
- Returns:
  - true if some processing
getTrampolineTarget
ChainedOperationResult<? extends Pointer> getTrampolineTarget(CFG<InsnType> routine)
Get the location targeted by a trampoline routine (a routine that only branches to another location), if any.
Note: the target might be retrieved indirectly (i.e., through a memory/register indirection).
- Parameters:
  - routine
- Returns:
  - a Pointer in ChainedOperationResult.getResult() for the target; null if none (i.e., the routine is not a trampoline, or the target could not be retrieved). The return value is not the target itself, but a pointer to the target.

getPrologueLooking
getPrologueLooking(long address, long addressMax)
Determine if a given memory area looks like (could be) the beginning of a routine.
- Parameters:
  - address - address to be examined (inclusive)
  - addressMax - end address to be examined (exclusive)
- Returns:
  - a CodePointer in ChainedOperationResult.getResult() if a prologue was found, possibly at a different address than the address parameter; null if no prologue was found

verifyGapRoutineCandidate
verifyGapRoutineCandidate(long address)
Determine whether a candidate routine in a gap should be considered valid.
- Parameters:
  - address - routine start address
- Returns:
  - true or false (no nulls)

getPossiblePaddingSize
getPossiblePaddingSize(long address, long addressMax)
Determine if a given memory area looks like (could be) starting with padding, and provide the size of the padding-looking area, if any.
- Parameters:
  - address - address to be examined (inclusive)
  - addressMax - end address to be examined (exclusive)
- Returns:
  - a Long in ChainedOperationResult.getResult(): the size of the padding-like area starting at address, 0L if it does not look like padding

getProbableEntryPoints
getProbableEntryPoints(long address, long addressMax)
Get the likely entry points in the given memory area. It may provide several entry points (with different modes) ordered by their likelihood.
This method is not guaranteed to give the correct result and should be considered a heuristic. It is intended to be used before the actual disassembly of code; it may provide a hint on the entry point to start disassembling from.
- Parameters:
  - address
  - addressMax
- Returns:
  - a list of Integer representing entry points in ChainedOperationResult.getResult(), ordered from the most probable to the least probable. The list will be empty if none could be determined.

determineRoutineStackPointerDelta
determineRoutineStackPointerDelta(CFG<InsnType> routine)
Determine (heuristically) the stack pointer delta generated by the execution of a routine.
- Parameters:
  - routine
- Returns:
  - an Integer in ChainedOperationResult.getResult(); null if the stack pointer delta of the routine could not be determined
determinePotentialPointers
ChainedOperationResult<Boolean> determinePotentialPointers(long address, InsnType insn, List<Pointer> values)
Determine pointers (addresses to data or code) contained in the provided instruction, to let the code analyzer enqueue them for additional analysis. This method is called by the INativeCodeAnalyzer on non-breaking-flow instructions, before it tries to determine such pointers itself.
- Parameters:
  - address - address of the instruction
  - insn - instruction to be examined
  - values - output collection of pointers
- Returns:
  - a Boolean in ChainedOperationResult.getResult(): false to let the code analyzer proceed with its own (generic) pointer discovery algorithm; true to instruct it to skip it

determinePotentialPointersInProtoBlock
ChainedOperationResult<Boolean> determinePotentialPointersInProtoBlock(IBasicBlockSkeleton<InsnType> blk, List<PointerLocation> values)
Determine additional pointers to be analyzed (addresses to data or code) that may be inferred from the analysis of the provided basic block skeleton (proto-basic block). This method is called by the INativeCodeAnalyzer after a basic block has been preliminarily terminated.
- Parameters:
  - blk - preliminary basic block to be examined
  - values - output collection of pointers
- Returns:
  - N/A

shouldForceRoutineEnd
shouldForceRoutineEnd(long address, InsnType insn)
Determine if the address is the last instruction of a routine. If true, the basic block containing the provided instruction will be closed, i.e., it will be as if the instruction breaks the flow to nothing.
When working with delay slots, this method will indicate routine end for the jump instruction that precedes the delay slot(s), not for the delay slot.
- Parameters:
  - address
  - insn - parsed instruction at the provided address
- Returns:
  - a Boolean in ChainedOperationResult.getResult(): true if the address should be considered a routine termination, false otherwise

isNonReturningRoutine
isNonReturningRoutine(INativeMethodItem routine)
Determine if the given routine is non-returning.
- Parameters:
  - routine
- Returns:
  - a Boolean in ChainedOperationResult.getResult(): true if the routine does not return, false otherwise, null when no determination could be made

getPreferredAdvancedAnalysisStage
ChainedOperationResult<NativeDecompilationStage> getPreferredAdvancedAnalysisStage(INativeMethodItem routine)
Determine which NativeDecompilationStage should be used by INativeCodeAdvancedAnalyzer for the given routine.
The default implementation returns NativeDecompilationStage.SIMULATION.
- Parameters:
  - routine
- Returns:
  - a NativeDecompilationStage in ChainedOperationResult.getResult()
isCandidateSwitchDispatcher
ChainedOperationResult<Boolean> isCandidateSwitchDispatcher(long branchInstructionAddress, InsnType branchInstruction, IBasicBlockSkeleton<InsnType> branchInstructionBlock)
Determine (heuristically) if the provided branching instruction (jump/call/...) could be the dispatcher of a switch-like statement.
This method is intended to be a fast check; candidates will then be processed by determineSwitchInformation(long, IBasicBlockSkeleton, List).
- Parameters:
  - branchInstructionAddress
  - branchInstruction
  - branchInstructionBlock
- Returns:
  - a Boolean in ChainedOperationResult.getResult(): true if the instruction might correspond to a switch-like statement, false otherwise

determineSwitchInformation
ChainedOperationResult<SwitchInformation> determineSwitchInformation(long branchInstructionAddress, IBasicBlockSkeleton<InsnType> branchInstructionBlock, List<IBasicBlockSkeleton<InsnType>> knownBlocks)
Determine (heuristically) the information related to a switch-like statement, i.e. the list of reachable CodePointer (case handlers) and the jump table addresses (if any).
This method works on not-yet-built routines, i.e. using IBasicBlockSkeleton.
- Parameters:
  - branchInstructionAddress
  - branchInstructionBlock
  - knownBlocks
- Returns:
  - a SwitchInformation in ChainedOperationResult.getResult() (might be empty); null if the determination failed

getPreferredBreakingFlow
getPreferredBreakingFlow(long address, InsnType insn)
Provide alternate/custom breaking-flow information. If no custom information is to be provided, the implementation should return null. Upon a null return, it is the responsibility of the caller to retrieve the standard breaking-flow information (IInstruction.getBreakingFlow(long)).
- Parameters:
  - address
  - insn
- Returns:
  - a custom flow-information object, or null

customizeInstructionItem
customizeInstructionItem(item)
Customize an instruction item just after its creation by the code analyzer.
- Parameters:
  - item
- Returns:
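As an added example (not code from this API documentation or from PNF Software), the following extension inherits from AbstractAnalyzerExtension as the interface description recommends and overrides only isNonReturningRoutine and shouldForceRoutineEnd, returning the tri-state Boolean (true/false/null) and the Boolean described above through ChainedOperationResult. It assumes that ChainedOperationResult can be built with a (result, success) constructor, that AbstractAnalyzerExtension takes the instruction type as its generic parameter, that INativeMethodItem.getName() and IInstruction.getMnemonic() exist, and the import paths shown; the routine names and mnemonics are constructed sample values for an x86-like target.

```java
// Added example, not part of the JEB API documentation.
// Import paths are assumed from memory; check them against your JEB version.
import com.pnfsoftware.jeb.core.units.code.IInstruction;
import com.pnfsoftware.jeb.core.units.code.asm.analyzer.AbstractAnalyzerExtension;
import com.pnfsoftware.jeb.core.units.code.asm.analyzer.ChainedOperationResult;
import com.pnfsoftware.jeb.core.units.code.asm.items.INativeMethodItem;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Minimal analyzer extension: marks well-known never-returning routines and
 * closes basic blocks on trap-style instructions. Every other heuristic keeps
 * the default implementation inherited from AbstractAnalyzerExtension.
 */
public class NoReturnAndTrapExtension extends AbstractAnalyzerExtension<IInstruction> {

    // Constructed sample: routine names that never return on this target.
    private static final Set<String> NORETURN_NAMES = new HashSet<>(Arrays.asList(
            "exit", "_exit", "abort", "__stack_chk_fail", "panic"));

    // Constructed sample: mnemonics after which execution cannot continue.
    private static final Set<String> TERMINATORS = new HashSet<>(Arrays.asList(
            "hlt", "ud2"));

    /**
     * Pure decision helper, kept separate from the JEB types so the logic can
     * be reviewed on its own. Returns null when no determination is possible,
     * which is the documented way to let the analyzer (or another extension)
     * decide.
     */
    static Boolean classifyNonReturning(String name) {
        if (name == null || name.isEmpty()) {
            return null;
        }
        return NORETURN_NAMES.contains(name.toLowerCase(Locale.ROOT));
    }

    /** Pure helper: does this mnemonic end a routine unconditionally? */
    static boolean isTerminatorMnemonic(String mnemonic) {
        return mnemonic != null && TERMINATORS.contains(mnemonic.toLowerCase(Locale.ROOT));
    }

    @Override
    public ChainedOperationResult<Boolean> isNonReturningRoutine(INativeMethodItem routine) {
        // getName() assumed to return the routine's current (possibly renamed) name
        Boolean verdict = classifyNonReturning(routine.getName());
        // (result, success) constructor assumed: success is false when we
        // could not decide, so the chain can fall through to other extensions
        return new ChainedOperationResult<>(verdict, verdict != null);
    }

    @Override
    public ChainedOperationResult<Boolean> shouldForceRoutineEnd(long address, IInstruction insn) {
        // Per the documentation, true closes the block containing insn as if
        // it broke the flow to nothing. With delay slots this is queried for
        // the jump, not the slot, so no special handling is needed here.
        boolean end = isTerminatorMnemonic(insn.getMnemonic());
        return new ChainedOperationResult<>(end, true);
    }
}
```

Registering the extension is done through the analyzer's extension manager (INativeCodeAnalyzerExtensionsManager, listed above as a subinterface); the exact registration call depends on the plugin type and is not shown here. Keeping the decision logic in the two static helpers means a unit test can exercise the heuristics without instantiating any JEB objects.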