C# Class Reko.Scanning.Scanner

Scans the binary, locating and creating procedures and basic blocks by following calls, jumps, and branches. Simple data type analysis is done as well: for instance, pointers to code are located, as are global data pointers.
Callers feed the scanner by calling EnqueueXXX methods before calling ProcessQueue(). ProcessQueue() then processes the queues.
Inheritance: IScanner, IRewriterHost

Public Methods

Method Description
AddBlock ( Address addr, Procedure proc, string blockName ) : Reko.Core.Block

Adds a new basic block to the procedure proc.

CreateBlockWorkItem ( Address addrStart, Procedure proc, ProcessorState stateOnEntry ) : BlockWorkitem

Creates a work item which will process code starting at the address addrStart. The resulting block will belong to the procedure proc.

CreateCallRetThunk ( Address addrFrom, Procedure procOld, Procedure procNew ) : Reko.Core.Block

Creates a small basic block, consisting solely of a 'call' followed by a 'return' instruction.

CreatePromoteWorkItem ( Address addrStart, Reko.Core.Block block, Procedure procNew ) : Reko.Scanning.PromoteBlockWorkItem
CreateReader ( Address addr ) : Reko.Core.ImageReader
EnqueueImageSymbol ( Reko.Core.ImageSymbol sym, bool isEntryPoint ) : void
EnqueueJumpTarget ( Address addrSrc, Address addrDest, Procedure proc, ProcessorState state ) : Reko.Core.Block
EnqueueProcedure ( Address addr ) : void
EnqueueUserGlobalData ( Address addr, DataType dt ) : void
EnqueueUserProcedure ( Address addr, FunctionType sig ) : void
EnqueueUserProcedure ( Procedure_v1 sp ) : void
EnsurePseudoProcedure ( string name, DataType returnType, int arity ) : PseudoProcedure
Error ( Address addr, string message ) : void
FindContainingBlock ( Address address ) : Reko.Core.Block
FindExactBlock ( Address address ) : Reko.Core.Block
GetCallSignatureAtAddress ( Address addrCallInstruction ) : FunctionType
GetImportedGlobal ( Address addrImportThunk, Address addrInstruction ) : Identifier
GetImportedProcedure ( Address addrImportThunk, Address addrInstruction ) : Reko.Core.ExternalProcedure

If addrImportThunk is the known address of an import thunk / trampoline, return the imported function as an ExternalProcedure. Otherwise, check to see if the call is an intercepted call.

GetInterceptedCall ( Address addrImportThunk ) : Reko.Core.ExternalProcedure

This method is used to detect if a trampoline (call [foo] where foo: jmp bar) is jumping into the body of a procedure that was loaded with GetProcAddress or the like.

GetTrace ( Address addrStart, ProcessorState state, Frame frame ) : IEnumerable
GetTrampoline ( Address addr ) : Reko.Core.ProcedureBase

Tries to determine if the instruction at addr is a trampoline instruction. If so, we return a call to the imported function directly.

A trampoline is a procedure whose only content is an indirect JUMP to a location that contains the address of an imported function. Because these trampolines may take on different appearances depending on the processor architecture, we have to call out to the architecture to assist in matching them.

InjectProcedureEntryInstructions ( Address addr, Procedure proc ) : void

Inject statements into the starting block that establish the frame, and if the procedure has been given a valid signature already, copy the input arguments into their local counterparts.

IsBlockLinearProcedureExit ( Reko.Core.Block block ) : bool
IsLinearReturning ( Reko.Core.Block block ) : bool

Determines whether a block is a linear sequence of assignments followed by a return statement.

PseudoProcedure ( string name, DataType returnType ) : Expression
PseudoProcedure ( string name, ProcedureCharacteristics c, DataType returnType ) : Expression
ScanImage ( ) : void

Performs the work of scanning the image and resolving any cross procedure jumps after the scan is done.

ScanImageHeuristically ( ) : void

Uses the HeuristicScanner to try to locate code heuristically.

ScanImageSymbol ( Program program, ImageSymbol sym, bool isEntryPoint ) : void
ScanProcedure ( Address addr, string procedureName, ProcessorState state ) : ProcedureBase

Performs a scan of the blocks that constitute a procedure named procedureName.

Scanner ( Program program, IImportResolver importResolver, IServiceProvider services ) : Reko.Analysis
SetAssumedRegisterValues ( Address addr, ProcessorState st ) : void
SetProcedureReturnAddressBytes ( Procedure proc, int returnAddressBytes, Address address ) : void
SplitBlock ( Block blockToSplit, Address addr ) : Block

Splits the given block at the specified address, yielding two blocks. The first block is the original block, now truncated, with a single out edge to the new block. The second block receives the out edges of the first block.

TerminateBlock ( Block block, Address addr ) : void

Terminates the block at

Warn ( Address addr, string message ) : void

Private Methods

Method Description
CloneBlockIntoOtherProcedure ( Reko.Core.Block block, Procedure proc ) : Reko.Core.Block
Dump ( string title, IEnumerable blocks ) : void
EnsureProcedure ( Address addr, string procedureName ) : Procedure
EstablishInitialState ( Address addr, ProcessorState st, Procedure proc ) : void

Before processing the body of a procedure, perform housekeeping tasks.

IsNoDecompiledProcedure ( Address addr ) : bool
ProcessQueue ( ) : void
TerminateAnyBlockAt ( Address addr ) : void
TryGetNoDecompiledParsedProcedure ( Address addr, Procedure_v1 &parsedProc ) : bool
TryGetNoDecompiledProcedure ( Address addr, ExternalProcedure &ep ) : bool
TryGetNoDecompiledProcedure ( Address addr, Procedure_v1 &sProc ) : bool

Method Details

AddBlock() public method

Adds a new basic block to the procedure proc.
public AddBlock ( Address addr, Procedure proc, string blockName ) : Reko.Core.Block
addr Address
proc Procedure
blockName string
Returns Reko.Core.Block

CreateBlockWorkItem() public method

Creates a work item which will process code starting at the address addrStart. The resulting block will belong to the procedure proc.
public CreateBlockWorkItem ( Address addrStart, Procedure proc, ProcessorState stateOnEntry ) : BlockWorkitem
addrStart Address
proc Procedure
stateOnEntry Reko.Core.ProcessorState
Returns BlockWorkitem

CreateCallRetThunk() public method

Creates a small basic block, consisting solely of a 'call' followed by a 'return' instruction.
public CreateCallRetThunk ( Address addrFrom, Procedure procOld, Procedure procNew ) : Reko.Core.Block
addrFrom Address
procOld Procedure
procNew Procedure
Returns Reko.Core.Block

CreatePromoteWorkItem() public method

public CreatePromoteWorkItem ( Address addrStart, Reko.Core.Block block, Procedure procNew ) : Reko.Scanning.PromoteBlockWorkItem
addrStart Address
block Reko.Core.Block
procNew Procedure
Returns Reko.Scanning.PromoteBlockWorkItem

CreateReader() public method

public CreateReader ( Address addr ) : Reko.Core.ImageReader
addr Address
Returns Reko.Core.ImageReader

EnqueueImageSymbol() public method

public EnqueueImageSymbol ( Reko.Core.ImageSymbol sym, bool isEntryPoint ) : void
sym Reko.Core.ImageSymbol
isEntryPoint bool
Returns void

EnqueueJumpTarget() public method

public EnqueueJumpTarget ( Address addrSrc, Address addrDest, Procedure proc, ProcessorState state ) : Reko.Core.Block
addrSrc Address
addrDest Address
proc Procedure
state Reko.Core.ProcessorState
Returns Reko.Core.Block

EnqueueProcedure() public method

public EnqueueProcedure ( Address addr ) : void
addr Address
Returns void

EnqueueUserGlobalData() public method

public EnqueueUserGlobalData ( Address addr, DataType dt ) : void
addr Address
dt DataType
Returns void

EnqueueUserProcedure() public method

public EnqueueUserProcedure ( Address addr, FunctionType sig ) : void
addr Address
sig FunctionType
Returns void

EnqueueUserProcedure() public method

public EnqueueUserProcedure ( Procedure_v1 sp ) : void
sp Reko.Core.Serialization.Procedure_v1
Returns void

EnsurePseudoProcedure() public method

public EnsurePseudoProcedure ( string name, DataType returnType, int arity ) : PseudoProcedure
name string
returnType DataType
arity int
Returns Reko.Core.PseudoProcedure

Error() public method

public Error ( Address addr, string message ) : void
addr Address
message string
Returns void

FindContainingBlock() public method

public FindContainingBlock ( Address address ) : Reko.Core.Block
address Address
Returns Reko.Core.Block

FindExactBlock() public method

public FindExactBlock ( Address address ) : Reko.Core.Block
address Address
Returns Reko.Core.Block

GetCallSignatureAtAddress() public method

public GetCallSignatureAtAddress ( Address addrCallInstruction ) : FunctionType
addrCallInstruction Address
Returns FunctionType

GetImportedGlobal() public method

public GetImportedGlobal ( Address addrImportThunk, Address addrInstruction ) : Identifier
addrImportThunk Address
addrInstruction Address
Returns Identifier

GetImportedProcedure() public method

If addrImportThunk is the known address of an import thunk / trampoline, return the imported function as an ExternalProcedure. Otherwise, check to see if the call is an intercepted call.
public GetImportedProcedure ( Address addrImportThunk, Address addrInstruction ) : Reko.Core.ExternalProcedure
addrImportThunk Address
addrInstruction Address Used to display diagnostics.
Returns Reko.Core.ExternalProcedure

GetInterceptedCall() public method

This method is used to detect if a trampoline (call [foo] where foo: jmp bar) is jumping into the body of a procedure that was loaded with GetProcAddress or the like.
public GetInterceptedCall ( Address addrImportThunk ) : Reko.Core.ExternalProcedure
addrImportThunk Address
Returns Reko.Core.ExternalProcedure

GetTrace() public method

public GetTrace ( Address addrStart, ProcessorState state, Frame frame ) : IEnumerable
addrStart Address
state Reko.Core.ProcessorState
frame Reko.Core.Frame
Returns IEnumerable

GetTrampoline() public method

Tries to determine if the instruction at addr is a trampoline instruction. If so, we return a call to the imported function directly.
A trampoline is a procedure whose only content is an indirect JUMP to a location that contains the address of an imported function. Because these trampolines may take on different appearances depending on the processor architecture, we have to call out to the architecture to assist in matching them.
public GetTrampoline ( Address addr ) : Reko.Core.ProcedureBase
addr Address
Returns Reko.Core.ProcedureBase

InjectProcedureEntryInstructions() public method

Inject statements into the starting block that establish the frame, and if the procedure has been given a valid signature already, copy the input arguments into their local counterparts.
public InjectProcedureEntryInstructions ( Address addr, Procedure proc ) : void
addr Address
proc Procedure
Returns void

IsBlockLinearProcedureExit() public method

public IsBlockLinearProcedureExit ( Reko.Core.Block block ) : bool
block Reko.Core.Block
Returns bool

IsLinearReturning() public method

Determines whether a block is a linear sequence of assignments followed by a return statement.
public IsLinearReturning ( Reko.Core.Block block ) : bool
block Reko.Core.Block
Returns bool

PseudoProcedure() public method

public PseudoProcedure ( string name, DataType returnType ) : Expression
name string
returnType DataType
Returns Expression

PseudoProcedure() public method

public PseudoProcedure ( string name, ProcedureCharacteristics c, DataType returnType ) : Expression
name string
c ProcedureCharacteristics
returnType DataType
Returns Expression

ScanImage() public method

Performs the work of scanning the image and resolving any cross procedure jumps after the scan is done.
public ScanImage ( ) : void
Returns void

ScanImageHeuristically() public method

Uses the HeuristicScanner to try to locate code heuristically.
public ScanImageHeuristically ( ) : void
Returns void

ScanImageSymbol() public method

public ScanImageSymbol ( Program program, ImageSymbol sym, bool isEntryPoint ) : void
program Program
sym ImageSymbol
isEntryPoint bool
Returns void

ScanProcedure() public method

Performs a scan of the blocks that constitute a procedure named procedureName.
public ScanProcedure ( Address addr, string procedureName, ProcessorState state ) : ProcedureBase
addr Address Address of the code from which we will start scanning.
procedureName string
state ProcessorState
Returns ProcedureBase

Scanner() public method

public Scanner ( Program program, IImportResolver importResolver, IServiceProvider services ) : Reko.Analysis
program Program
importResolver IImportResolver
services IServiceProvider
Returns Reko.Analysis

SetAssumedRegisterValues() public method

public SetAssumedRegisterValues ( Address addr, ProcessorState st ) : void
addr Address
st ProcessorState
Returns void

SetProcedureReturnAddressBytes() public method

public SetProcedureReturnAddressBytes ( Procedure proc, int returnAddressBytes, Address address ) : void
proc Procedure
returnAddressBytes int
address Address
Returns void

SplitBlock() public method

Splits the given block at the specified address, yielding two blocks. The first block is the original block, now truncated, with a single out edge to the new block. The second block receives the out edges of the first block.
public SplitBlock ( Block blockToSplit, Address addr ) : Block
blockToSplit Block
addr Address
Returns Block

TerminateBlock() public method

Terminates the block at
public TerminateBlock ( Block block, Address addr ) : void
block Block
addr Address
Returns void

Warn() public method

public Warn ( Address addr, string message ) : void
addr Address
message string
Returns void