C# Class Reko.Scanning.Scanner

Scans the binary, locating and creating procedures and basic blocks by following calls, jumps, and branches. Simple data type analysis is done as well: for instance, pointers to code are located, as are global data pointers.
Callers feed the scanner by calling EnqueueXXX methods before calling ProcessQueue(). ProcessQueue() then processes the queues.
Inheritance: IScanner, IRewriterHost

Public Methods

Method Description
AddBlock ( Address addr, Procedure proc, string blockName ) : Reko.Core.Block

Adds a new basic block to the procedure proc.

CreateBlockWorkItem ( Address addrStart, Procedure proc, ProcessorState stateOnEntry ) : BlockWorkitem

Creates a work item which will process code starting at the address addrStart. The resulting block will belong to the procedure proc.

CreateCallRetThunk ( Address addrFrom, Procedure procOld, Procedure procNew ) : Reko.Core.Block

Creates a small basic block, consisting solely of a 'call' followed by a 'return' instruction.

CreatePromoteWorkItem ( Address addrStart, Reko.Core.Block block, Procedure procNew ) : Reko.Scanning.PromoteBlockWorkItem
CreateReader ( Address addr ) : Reko.Core.ImageReader
EnqueueImageSymbol ( Reko.Core.ImageSymbol sym, bool isEntryPoint ) : void
EnqueueJumpTarget ( Address addrSrc, Address addrDest, Procedure proc, ProcessorState state ) : Reko.Core.Block
EnqueueProcedure ( Address addr ) : void
EnqueueUserGlobalData ( Address addr, DataType dt ) : void
EnqueueUserProcedure ( Address addr, FunctionType sig ) : void
EnqueueUserProcedure ( Procedure_v1 sp ) : void
EnsurePseudoProcedure ( string name, DataType returnType, int arity ) : PseudoProcedure
Error ( Address addr, string message ) : void
FindContainingBlock ( Address address ) : Reko.Core.Block
FindExactBlock ( Address address ) : Reko.Core.Block
GetCallSignatureAtAddress ( Address addrCallInstruction ) : FunctionType
GetImportedGlobal ( Address addrImportThunk, Address addrInstruction ) : Identifier
GetImportedProcedure ( Address addrImportThunk, Address addrInstruction ) : Reko.Core.ExternalProcedure

If addrImportThunk is the known address of an import thunk / trampoline, return the imported function as an ExternalProcedure. Otherwise, check to see if the call is an intercepted call.

GetInterceptedCall ( Address addrImportThunk ) : Reko.Core.ExternalProcedure

This method is used to detect if a trampoline (call [foo] where foo: jmp bar) is jumping into the body of a procedure that was loaded with GetProcAddress or the like.

GetTrace ( Address addrStart, ProcessorState state, Frame frame ) : IEnumerable
GetTrampoline ( Address addr ) : Reko.Core.ProcedureBase

Tries to determine if the instruction at addr is a trampoline instruction. If so, we return a call to the imported function directly.

A trampoline is a procedure whose only contents is an indirect JUMP to a location that contains the address of an imported function. Because these trampolines may take on different appearances depending on the processor architecture, we have to call out to the architecture to assist in matching them.

InjectProcedureEntryInstructions ( Address addr, Procedure proc ) : void

Inject statements into the starting block that establish the frame, and if the procedure has been given a valid signature already, copy the input arguments into their local counterparts.

IsBlockLinearProcedureExit ( Reko.Core.Block block ) : bool
IsLinearReturning ( Reko.Core.Block block ) : bool

Determines whether a block is a linear sequence of assignments followed by a return statement.

PseudoProcedure ( string name, DataType returnType ) : Expression
PseudoProcedure ( string name, ProcedureCharacteristics c, DataType returnType ) : Expression
ScanImage ( ) : void

Performs the work of scanning the image and resolving any cross procedure jumps after the scan is done.

ScanImageHeuristically ( ) : void

Uses the HeuristicScanner to try to locate code heuristically.

ScanImageSymbol ( Program program, ImageSymbol sym, bool isEntryPoint ) : void
ScanProcedure ( Address addr, string procedureName, ProcessorState state ) : ProcedureBase

Performs a scan of the blocks that constitute a procedure named procedureName.

Scanner ( Program program, IImportResolver importResolver, IServiceProvider services ) : Reko.Analysis
SetAssumedRegisterValues ( Address addr, ProcessorState st ) : void
SetProcedureReturnAddressBytes ( Procedure proc, int returnAddressBytes, Address address ) : void
SplitBlock ( Block blockToSplit, Address addr ) : Block

Splits the given block at the specified address, yielding two blocks. The first block is the original block, now truncated, with a single out edge to the new block. The second block receives the out edges of the first block.

TerminateBlock ( Block block, Address addr ) : void

Terminates the block at

Warn ( Address addr, string message ) : void

Private Methods

Method Description
CloneBlockIntoOtherProcedure ( Reko.Core.Block block, Procedure proc ) : Reko.Core.Block
Dump ( string title, IEnumerable blocks ) : void
EnsureProcedure ( Address addr, string procedureName ) : Procedure
EstablishInitialState ( Address addr, ProcessorState st, Procedure proc ) : void

Before processing the body of a procedure, perform housekeeping tasks.

IsNoDecompiledProcedure ( Address addr ) : bool
ProcessQueue ( ) : void
TerminateAnyBlockAt ( Address addr ) : void
TryGetNoDecompiledParsedProcedure ( Address addr, Procedure_v1 &parsedProc ) : bool
TryGetNoDecompiledProcedure ( Address addr, ExternalProcedure &ep ) : bool
TryGetNoDecompiledProcedure ( Address addr, Procedure_v1 &sProc ) : bool

Method Details

AddBlock() public Method

Adds a new basic block to the procedure proc.
public AddBlock ( Address addr, Procedure proc, string blockName ) : Reko.Core.Block
addr Address
proc Procedure
blockName string
Returns Reko.Core.Block

CreateBlockWorkItem() public Method

Creates a work item which will process code starting at the address addrStart. The resulting block will belong to the procedure proc.
public CreateBlockWorkItem ( Address addrStart, Procedure proc, ProcessorState stateOnEntry ) : BlockWorkitem
addrStart Address
proc Procedure
stateOnEntry Reko.Core.ProcessorState
Returns BlockWorkitem

CreateCallRetThunk() public Method

Creates a small basic block, consisting solely of a 'call' followed by a 'return' instruction.
public CreateCallRetThunk ( Address addrFrom, Procedure procOld, Procedure procNew ) : Reko.Core.Block
addrFrom Address
procOld Procedure
procNew Procedure
Returns Reko.Core.Block

CreatePromoteWorkItem() public Method

public CreatePromoteWorkItem ( Address addrStart, Reko.Core.Block block, Procedure procNew ) : Reko.Scanning.PromoteBlockWorkItem
addrStart Address
block Reko.Core.Block
procNew Procedure
Returns Reko.Scanning.PromoteBlockWorkItem

CreateReader() public Method

public CreateReader ( Address addr ) : Reko.Core.ImageReader
addr Address
Returns Reko.Core.ImageReader

EnqueueImageSymbol() public Method

public EnqueueImageSymbol ( Reko.Core.ImageSymbol sym, bool isEntryPoint ) : void
sym Reko.Core.ImageSymbol
isEntryPoint bool
Returns void

EnqueueJumpTarget() public Method

public EnqueueJumpTarget ( Address addrSrc, Address addrDest, Procedure proc, ProcessorState state ) : Reko.Core.Block
addrSrc Address
addrDest Address
proc Procedure
state Reko.Core.ProcessorState
Returns Reko.Core.Block

EnqueueProcedure() public Method

public EnqueueProcedure ( Address addr ) : void
addr Address
Returns void

EnqueueUserGlobalData() public Method

public EnqueueUserGlobalData ( Address addr, DataType dt ) : void
addr Address
dt DataType
Returns void

EnqueueUserProcedure() public Method

public EnqueueUserProcedure ( Address addr, FunctionType sig ) : void
addr Address
sig FunctionType
Returns void

EnqueueUserProcedure() public Method

public EnqueueUserProcedure ( Procedure_v1 sp ) : void
sp Reko.Core.Serialization.Procedure_v1
Returns void

EnsurePseudoProcedure() public Method

public EnsurePseudoProcedure ( string name, DataType returnType, int arity ) : PseudoProcedure
name string
returnType DataType
arity int
Returns Reko.Core.PseudoProcedure

Error() public Method

public Error ( Address addr, string message ) : void
addr Address
message string
Returns void

FindContainingBlock() public Method

public FindContainingBlock ( Address address ) : Reko.Core.Block
address Address
Returns Reko.Core.Block

FindExactBlock() public Method

public FindExactBlock ( Address address ) : Reko.Core.Block
address Address
Returns Reko.Core.Block

GetCallSignatureAtAddress() public Method

public GetCallSignatureAtAddress ( Address addrCallInstruction ) : FunctionType
addrCallInstruction Address
Returns FunctionType

GetImportedGlobal() public Method

public GetImportedGlobal ( Address addrImportThunk, Address addrInstruction ) : Identifier
addrImportThunk Address
addrInstruction Address
Returns Identifier

GetImportedProcedure() public Method

If addrImportThunk is the known address of an import thunk / trampoline, return the imported function as an ExternalProcedure. Otherwise, check to see if the call is an intercepted call.
public GetImportedProcedure ( Address addrImportThunk, Address addrInstruction ) : Reko.Core.ExternalProcedure
addrImportThunk Address
addrInstruction Address Used to display diagnostics.
Returns Reko.Core.ExternalProcedure

GetInterceptedCall() public Method

This method is used to detect if a trampoline (call [foo] where foo: jmp bar) is jumping into the body of a procedure that was loaded with GetProcAddress or the like.
public GetInterceptedCall ( Address addrImportThunk ) : Reko.Core.ExternalProcedure
addrImportThunk Address
Returns Reko.Core.ExternalProcedure

GetTrace() public Method

public GetTrace ( Address addrStart, ProcessorState state, Frame frame ) : IEnumerable
addrStart Address
state Reko.Core.ProcessorState
frame Reko.Core.Frame
Returns IEnumerable

GetTrampoline() public Method

Tries to determine if the instruction at addr is a trampoline instruction. If so, we return a call to the imported function directly.
A trampoline is a procedure whose only contents is an indirect JUMP to a location that contains the address of an imported function. Because these trampolines may take on different appearances depending on the processor architecture, we have to call out to the architecture to assist in matching them.
public GetTrampoline ( Address addr ) : Reko.Core.ProcedureBase
addr Address
Returns Reko.Core.ProcedureBase

InjectProcedureEntryInstructions() public Method

Inject statements into the starting block that establish the frame, and if the procedure has been given a valid signature already, copy the input arguments into their local counterparts.
public InjectProcedureEntryInstructions ( Address addr, Procedure proc ) : void
addr Address
proc Procedure
Returns void

IsBlockLinearProcedureExit() public Method

public IsBlockLinearProcedureExit ( Reko.Core.Block block ) : bool
block Reko.Core.Block
Returns bool

IsLinearReturning() public Method

Determines whether a block is a linear sequence of assignments followed by a return statement.
public IsLinearReturning ( Reko.Core.Block block ) : bool
block Reko.Core.Block
Returns bool

PseudoProcedure() public Method

public PseudoProcedure ( string name, DataType returnType ) : Expression
name string
returnType DataType
Returns Expression

PseudoProcedure() public Method

public PseudoProcedure ( string name, ProcedureCharacteristics c, DataType returnType ) : Expression
name string
c ProcedureCharacteristics
returnType DataType
Returns Expression

ScanImage() public Method

Performs the work of scanning the image and resolving any cross procedure jumps after the scan is done.
public ScanImage ( ) : void
Returns void

ScanImageHeuristically() public Method

Uses the HeuristicScanner to try to locate code heuristically.
public ScanImageHeuristically ( ) : void
Returns void

ScanImageSymbol() public Method

public ScanImageSymbol ( Program program, ImageSymbol sym, bool isEntryPoint ) : void
program Program
sym ImageSymbol
isEntryPoint bool
Returns void

ScanProcedure() public Method

Performs a scan of the blocks that constitute a procedure named procedureName.
public ScanProcedure ( Address addr, string procedureName, ProcessorState state ) : ProcedureBase
addr Address Address of the code from which we will start scanning.
procedureName string
state ProcessorState
Returns ProcedureBase

Scanner() public Method

public Scanner ( Program program, IImportResolver importResolver, IServiceProvider services ) : Reko.Analysis
program Program
importResolver IImportResolver
services IServiceProvider
Returns Reko.Analysis

SetAssumedRegisterValues() public Method

public SetAssumedRegisterValues ( Address addr, ProcessorState st ) : void
addr Address
st ProcessorState
Returns void

SetProcedureReturnAddressBytes() public Method

public SetProcedureReturnAddressBytes ( Procedure proc, int returnAddressBytes, Address address ) : void
proc Procedure
returnAddressBytes int
address Address
Returns void

SplitBlock() public Method

Splits the given block at the specified address, yielding two blocks. The first block is the original block, now truncated, with a single out edge to the new block. The second block receives the out edges of the first block.
public SplitBlock ( Block blockToSplit, Address addr ) : Block
blockToSplit Block
addr Address
Returns Block
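
The split described above, modelled on a toy block type as an added example (this is not Reko's code and not from the original page). `ToyBlock`, `SplitDemo`, the block names and the sample instructions are constructed for illustration, and the model assumes blocks track predecessors as well as successors.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-in for a basic block; not Reko.Core.Block.
class ToyBlock
{
    public string Name;
    public List<(ulong Addr, string Text)> Instrs = new List<(ulong, string)>();
    public List<ToyBlock> Succ = new List<ToyBlock>(), Pred = new List<ToyBlock>();
    public ToyBlock(string name) { Name = name; }
}

static class SplitDemo
{
    // Split `block` so that a new block starts at `addr`; returns the block starting there.
    public static ToyBlock SplitBlock(ToyBlock block, ulong addr)
    {
        int i = block.Instrs.FindIndex(ins => ins.Addr == addr);
        if (i < 0) throw new ArgumentException("addr is not an instruction boundary in the block");
        if (i == 0) return block;   // addr is already the block start: nothing to split

        var tail = new ToyBlock($"l{addr:X8}");
        tail.Instrs.AddRange(block.Instrs.Skip(i));
        block.Instrs.RemoveRange(i, block.Instrs.Count - i);
        // The second block receives the out edges of the first; each successor must
        // now list the new block, not the old one, as its predecessor.
        foreach (var s in block.Succ)
        {
            tail.Succ.Add(s);
            s.Pred[s.Pred.IndexOf(block)] = tail;
        }
        // The truncated first block keeps a single out edge, to the new block.
        block.Succ = new List<ToyBlock> { tail };
        tail.Pred.Add(block);
        return tail;
    }

    static void Main()
    {
        // Constructed sample: one block ending in a conditional branch with two successors.
        var a = new ToyBlock("l00001000");
        a.Instrs.Add((0x1000, "mov eax,[ebp+8]"));
        a.Instrs.Add((0x1003, "test eax,eax"));
        a.Instrs.Add((0x1005, "jz 1020"));
        var t = new ToyBlock("l00001020"); var f = new ToyBlock("l00001007");
        foreach (var s in new[] { t, f }) { a.Succ.Add(s); s.Pred.Add(a); }
        var b = SplitBlock(a, 0x1003);   // e.g. a jump into the middle of the block was found
        Console.WriteLine($"{a.Name} -> {string.Join(",", a.Succ.Select(x => x.Name))}");
        Console.WriteLine($"{b.Name} -> {string.Join(",", b.Succ.Select(x => x.Name))}");
    }
}
```

A block that loops back to itself is handled by the same loop: the back edge ends up leaving the new second block and entering the truncated first block.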

TerminateBlock() public Method

Terminates the block at
public TerminateBlock ( Block block, Address addr ) : void
block Block
addr Address
Returns void

Warn() public Method

public Warn ( Address addr, string message ) : void
addr Address
message string
Returns void