C# Class Reko.Scanning.Scanner

Scans the binary, locating and creating procedures and basic blocks by following calls, jumps, and branches. Simple data type analysis is done as well: for instance, pointers to code are located, as are global data pointers.

Callers feed the scanner by calling EnqueueXXX methods before calling ProcessQueue(). ProcessQueue() then processes the queues.

Inheritance: IScanner, IRewriterHost

Show file Open project: uxmal/reko Class Usage Examples

Public Methods

Method	Description
AddBlock ( Address addr, Procedure proc, string blockName ) : Reko.Core.Block	Adds a new basic block to the procedure proc.
CreateBlockWorkItem ( Address addrStart, Procedure proc, ProcessorState stateOnEntry ) : BlockWorkitem	Creates a work item which will process code starting at the address addrStart. The resulting block will belong to the procedure proc.
CreateCallRetThunk ( Address addrFrom, Procedure procOld, Procedure procNew ) : Reko.Core.Block	Creates a small basic block, consisting solely of a 'call' followed by a 'return' instruction.
CreatePromoteWorkItem ( Address addrStart, Reko.Core.Block block, Procedure procNew ) : Reko.Scanning.PromoteBlockWorkItem
CreateReader ( Address addr ) : Reko.Core.ImageReader
EnqueueImageSymbol ( Reko.Core.ImageSymbol sym, bool isEntryPoint ) : void
EnqueueJumpTarget ( Address addrSrc, Address addrDest, Procedure proc, ProcessorState state ) : Reko.Core.Block
EnqueueProcedure ( Address addr ) : void
EnqueueUserGlobalData ( Address addr, DataType dt ) : void
EnqueueUserProcedure ( Address addr, FunctionType sig ) : void
EnqueueUserProcedure ( Procedure_v1 sp ) : void
EnsurePseudoProcedure ( string name, DataType returnType, int arity ) : PseudoProcedure
Error ( Address addr, string message ) : void
FindContainingBlock ( Address address ) : Reko.Core.Block
FindExactBlock ( Address address ) : Reko.Core.Block
GetCallSignatureAtAddress ( Address addrCallInstruction ) : FunctionType
GetImportedGlobal ( Address addrImportThunk, Address addrInstruction ) : Identifier
GetImportedProcedure ( Address addrImportThunk, Address addrInstruction ) : Reko.Core.ExternalProcedure	If addrImportThunk is the known address of an import thunk / trampoline, return the imported function as an ExternaProcedure. Otherwise, check to see if the call is an intercepted call.
GetInterceptedCall ( Address addrImportThunk ) : Reko.Core.ExternalProcedure	This method is used to detect if a trampoline (call [foo] where foo: jmp bar) is jumping into the body of a procedure that was loaded with GetProcAddress or the like.
GetTrace ( Address addrStart, ProcessorState state, Frame frame ) : IEnumerable
GetTrampoline ( Address addr ) : Reko.Core.ProcedureBase	Tries to determine if the instruction at addr is a trampoline instruction. If so, we return a call to the imported function directly. procedure. A trampoline is a procedure whose only contents is an indirect JUMP to a location that contains the address of an imported function. Because these trampolines may take on different appearances depending on the processor architecture, we have to call out to the architecture to assist in matching them.
InjectProcedureEntryInstructions ( Address addr, Procedure proc ) : void	Inject statements into the starting block that establish the frame, and if the procedure has been given a valid signature already, copy the input arguments into their local counterparts.
IsBlockLinearProcedureExit ( Reko.Core.Block block ) : bool
IsLinearReturning ( Reko.Core.Block block ) : bool	Determines whether a block is a linear sequence of assignments followed by a return statement.
PseudoProcedure ( string name, DataType returnType ) : Expression
PseudoProcedure ( string name, ProcedureCharacteristics c, DataType returnType ) : Expression
ScanImage ( ) : void	Performs the work of scanning the image and resolving any cross procedure jumps after the scan is done.
ScanImageHeuristically ( ) : void	Uses the HeuristicScanner to try to located code heuristically.
ScanImageSymbol ( Program program, ImageSymbol sym, bool isEntryPoint ) : void
ScanProcedure ( Address addr, string procedureName, ProcessorState state ) : ProcedureBase	Performs a scan of the blocks that constitute a procedure named procedureName
Scanner ( Program program, IImportResolver importResolver, IServiceProvider services ) : Reko.Analysis
SetAssumedRegisterValues ( Address addr, ProcessorState st ) : void
SetProcedureReturnAddressBytes ( Procedure proc, int returnAddressBytes, Address address ) : void
SplitBlock ( Block blockToSplit, Address addr ) : Block	Splits the given block at the specified address, yielding two blocks. The first block is the original block, now truncated, with a single out edge to the new block. The second block receives the out edges of the first block.
TerminateBlock ( Block block, Address addr ) : void	Terminates the block at
Warn ( Address addr, string message ) : void

Private Methods

Method	Description
CloneBlockIntoOtherProcedure ( Reko.Core.Block block, Procedure proc ) : Reko.Core.Block
Dump ( string title, IEnumerable blocks ) : void
EnsureProcedure ( Address addr, string procedureName ) : Procedure
EstablishInitialState ( Address addr, ProcessorState st, Procedure proc ) : void	Before processing the body of a procedure, perform housekeeping tasks.
IsNoDecompiledProcedure ( Address addr ) : bool
ProcessQueue ( ) : void
TerminateAnyBlockAt ( Address addr ) : void
TryGetNoDecompiledParsedProcedure ( Address addr, Procedure_v1 &parsedProc ) : bool
TryGetNoDecompiledProcedure ( Address addr, ExternalProcedure &ep ) : bool
TryGetNoDecompiledProcedure ( Address addr, Procedure_v1 &sProc ) : bool

Method Details

AddBlock() public method

Adds a new basic block to the procedure proc.

public AddBlock ( Address addr, Procedure proc, string blockName ) : Reko.Core.Block
addr	Address
proc	Procedure
blockName	string
return	Reko.Core.Block

CreateBlockWorkItem() public method

Creates a work item which will process code starting at the address addrStart. The resulting block will belong to the procedure proc.

public CreateBlockWorkItem ( Address addrStart, Procedure proc, ProcessorState stateOnEntry ) : BlockWorkitem
addrStart	Address
proc	Procedure
stateOnEntry	Reko.Core.ProcessorState
return	BlockWorkitem

CreateCallRetThunk() public method

Creates a small basic block, consisting solely of a 'call' followed by a 'return' instruction.

public CreateCallRetThunk ( Address addrFrom, Procedure procOld, Procedure procNew ) : Reko.Core.Block
addrFrom	Address
procOld	Procedure
procNew	Procedure
return	Reko.Core.Block

CreatePromoteWorkItem() public method

public CreatePromoteWorkItem ( Address addrStart, Reko.Core.Block block, Procedure procNew ) : Reko.Scanning.PromoteBlockWorkItem
addrStart	Address
block	Reko.Core.Block
procNew	Procedure
return	Reko.Scanning.PromoteBlockWorkItem

CreateReader() public method

public CreateReader ( Address addr ) : Reko.Core.ImageReader
addr	Address
return	Reko.Core.ImageReader

EnqueueImageSymbol() public method

public EnqueueImageSymbol ( Reko.Core.ImageSymbol sym, bool isEntryPoint ) : void
sym	Reko.Core.ImageSymbol
isEntryPoint	bool
return	void

EnqueueJumpTarget() public method

public EnqueueJumpTarget ( Address addrSrc, Address addrDest, Procedure proc, ProcessorState state ) : Reko.Core.Block
addrSrc	Address
addrDest	Address
proc	Procedure
state	Reko.Core.ProcessorState
return	Reko.Core.Block

EnqueueProcedure() public method

public EnqueueProcedure ( Address addr ) : void
addr	Address
return	void

EnqueueUserGlobalData() public method

public EnqueueUserGlobalData ( Address addr, DataType dt ) : void
addr	Address
dt	DataType
return	void

EnqueueUserProcedure() public method

public EnqueueUserProcedure ( Address addr, FunctionType sig ) : void
addr	Address
sig	FunctionType
return	void

EnqueueUserProcedure() public method

public EnqueueUserProcedure ( Procedure_v1 sp ) : void
sp	Reko.Core.Serialization.Procedure_v1
return	void

EnsurePseudoProcedure() public method

public EnsurePseudoProcedure ( string name, DataType returnType, int arity ) : PseudoProcedure
name	string
returnType	DataType
arity	int
return	Reko.Core.PseudoProcedure

Error() public method

public Error ( Address addr, string message ) : void
addr	Address
message	string
return	void

FindContainingBlock() public method

public FindContainingBlock ( Address address ) : Reko.Core.Block
address	Address
return	Reko.Core.Block

FindExactBlock() public method

public FindExactBlock ( Address address ) : Reko.Core.Block
address	Address
return	Reko.Core.Block

GetCallSignatureAtAddress() public method

public GetCallSignatureAtAddress ( Address addrCallInstruction ) : FunctionType
addrCallInstruction	Address
return	FunctionType

GetImportedGlobal() public method

public GetImportedGlobal ( Address addrImportThunk, Address addrInstruction ) : Identifier
addrImportThunk	Address
addrInstruction	Address
return	Identifier

GetImportedProcedure() public method

If addrImportThunk is the known address of an import thunk / trampoline, return the imported function as an ExternaProcedure. Otherwise, check to see if the call is an intercepted call.

public GetImportedProcedure ( Address addrImportThunk, Address addrInstruction ) : Reko.Core.ExternalProcedure
addrImportThunk	Address
addrInstruction	Address	Used to display diagnostics.
return	Reko.Core.ExternalProcedure

GetInterceptedCall() public method

This method is used to detect if a trampoline (call [foo] where foo: jmp bar) is jumping into the body of a procedure that was loaded with GetProcAddress or the like.

public GetInterceptedCall ( Address addrImportThunk ) : Reko.Core.ExternalProcedure
addrImportThunk	Address
return	Reko.Core.ExternalProcedure

GetTrace() public method

public GetTrace ( Address addrStart, ProcessorState state, Frame frame ) : IEnumerable
addrStart	Address
state	Reko.Core.ProcessorState
frame	Reko.Core.Frame
return	IEnumerable

GetTrampoline() public method

Tries to determine if the instruction at addr is a trampoline instruction. If so, we return a call to the imported function directly. procedure.

A trampoline is a procedure whose only contents is an indirect JUMP to a location that contains the address of an imported function. Because these trampolines may take on different appearances depending on the processor architecture, we have to call out to the architecture to assist in matching them.

public GetTrampoline ( Address addr ) : Reko.Core.ProcedureBase
addr	Address
return	Reko.Core.ProcedureBase

InjectProcedureEntryInstructions() public method

Inject statements into the starting block that establish the frame, and if the procedure has been given a valid signature already, copy the input arguments into their local counterparts.

public InjectProcedureEntryInstructions ( Address addr, Procedure proc ) : void
addr	Address
proc	Procedure
return	void

IsBlockLinearProcedureExit() public method

public IsBlockLinearProcedureExit ( Reko.Core.Block block ) : bool
block	Reko.Core.Block
return	bool

IsLinearReturning() public method

Determines whether a block is a linear sequence of assignments followed by a return statement.

public IsLinearReturning ( Reko.Core.Block block ) : bool
block	Reko.Core.Block
return	bool

PseudoProcedure() public method

public PseudoProcedure ( string name, DataType returnType ) : Expression
name	string
returnType	DataType
return	Expression

PseudoProcedure() public method

public PseudoProcedure ( string name, ProcedureCharacteristics c, DataType returnType ) : Expression
name	string
c	ProcedureCharacteristics
returnType	DataType
return	Expression

ScanImage() public method

Performs the work of scanning the image and resolving any cross procedure jumps after the scan is done.

public ScanImage ( ) : void
return	void

ScanImageHeuristically() public method

Uses the HeuristicScanner to try to located code heuristically.

public ScanImageHeuristically ( ) : void
return	void

ScanImageSymbol() public method

public ScanImageSymbol ( Program program, ImageSymbol sym, bool isEntryPoint ) : void
program	Program
sym	ImageSymbol
isEntryPoint	bool
return	void

ScanProcedure() public method

Performs a scan of the blocks that constitute a procedure named procedureName

public ScanProcedure ( Address addr, string procedureName, ProcessorState state ) : ProcedureBase
addr	Address	Address of the code from which we will start scanning.
procedureName	string
state	ProcessorState
return	ProcedureBase

Scanner() public method

public Scanner ( Program program, IImportResolver importResolver, IServiceProvider services ) : Reko.Analysis
program	Program
importResolver	IImportResolver
services	IServiceProvider
return	Reko.Analysis

SetAssumedRegisterValues() public method

public SetAssumedRegisterValues ( Address addr, ProcessorState st ) : void
addr	Address
st	ProcessorState
return	void

SetProcedureReturnAddressBytes() public method

public SetProcedureReturnAddressBytes ( Procedure proc, int returnAddressBytes, Address address ) : void
proc	Procedure
returnAddressBytes	int
address	Address
return	void

SplitBlock() public method

Splits the given block at the specified address, yielding two blocks. The first block is the original block, now truncated, with a single out edge to the new block. The second block receives the out edges of the first block.

public SplitBlock ( Block blockToSplit, Address addr ) : Block
blockToSplit	Block
addr	Address
return	Block

TerminateBlock() public method

Terminates the block at

public TerminateBlock ( Block block, Address addr ) : void
block	Block
addr	Address
return	void

Warn() public method

public Warn ( Address addr, string message ) : void
addr	Address
message	string
return	void