Class AbstractAnalyzerExtension<InsnType extends IInstruction>
java.lang.Object
com.pnfsoftware.jeb.core.units.code.asm.analyzer.AbstractAnalyzerExtension<InsnType>
- Type Parameters:
InsnType
-
- All Implemented Interfaces:
INativeCodeAnalyzerExtension<InsnType>
@Ser
public abstract class AbstractAnalyzerExtension<InsnType extends IInstruction>
extends Object
implements INativeCodeAnalyzerExtension<InsnType>
Extension of the
INativeCodeAnalyzer
.-
Field Summary
FieldsModifier and TypeFieldDescriptionprotected INativeCodeAnalyzer<InsnType>
protected BinaryPatternVerifier
protected BinaryPatternVerifier
-
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionThe default result (ChainedOperationResult.getResult()
) is false.determinePotentialPointers
(long address, InsnType insn, List<Pointer> values) The default result (ChainedOperationResult.getResult()
) is false.determinePotentialPointersInProtoBlock
(IBasicBlockSkeleton<InsnType> blk, List<PointerLocation> values) The default result (ChainedOperationResult.getResult()
) is false.determineRoutineStackPointerDelta
(CFG<InsnType> routine) The default result (ChainedOperationResult.getResult()
) is null.determineSwitchInformation
(long branchInstructionAddress, IBasicBlockSkeleton<InsnType> branchInstructionBlock, List<IBasicBlockSkeleton<InsnType>> knownBlocks) The default result (ChainedOperationResult.getResult()
) is null.getPossiblePaddingSize
(long address, long addressMax) Default implementation checks the patterns stored inpaddingVerifier
.The default result (ChainedOperationResult.getResult()
) isNativeDecompilationStage.SIMULATION
.getPreferredBreakingFlow
(long address, InsnType insn) The default result (ChainedOperationResult.getResult()
) is null.getPrimitiveSizes
(SubsystemType subsystemType, CompilerType compilerType) The default implementation returns null.getProbableEntryPoints
(long address, long addressMax) Get the likely entry points in the given memory area.getPrologueLooking
(long address, long addressMax) Default implementation checks the patterns stored inprologueVerifier
.ChainedOperationResult<? extends Pointer>
getTrampolineTarget
(CFG<InsnType> routine) The default result (ChainedOperationResult.getResult()
) is null.getUnit()
Get the code unit managingINativeCodeAnalyzer
.void
initialize
(INativeCodeAnalyzer<InsnType> analyzer) Must be called by the GCA.protected void
initializePaddingPatterns
(BinaryPatternVerifier paddingVerifier) The default implementation does nothing.protected void
initializeProloguePatterns
(BinaryPatternVerifier prologueVerifier) The default implementation does nothing.isCandidateSwitchDispatcher
(long branchInstructionAddress, InsnType branchInstruction, IBasicBlockSkeleton<InsnType> branchInstructionBlock) The default result (ChainedOperationResult.getResult()
) is false.isNonReturningRoutine
(INativeMethodItem routine) Determine if the given routine is non-returning.postprocessImage
(int passIndex) This method is called after the standard analysis pass completes (i.e., before any optional advanced analysis takes place).preprocessImage
(int passIndex) This method is called before an analysis pass is performed.shouldForceRoutineEnd
(long address, InsnType insn) The default result (ChainedOperationResult.getResult()
) is false.sigMatchingPostProcess
(int passIndex) This method is called after signatures matching was performed.void
typeManagerInitialized
(ITypeManager typeman) The default implementation does nothing.verifyGapRoutineCandidate
(long address) The default implementation returns true, that is a candidate address for a routine creation in a gap will be authorized by default.
-
Field Details
-
gca
-
prologueVerifier
-
paddingVerifier
-
-
Constructor Details
-
AbstractAnalyzerExtension
public AbstractAnalyzerExtension()
-
-
Method Details
-
initialize
Must be called by the GCA. We cannot use @SerCustomInit here, as the GCA may not exist yet (eg, unprocessed unit).- Specified by:
initialize
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
-
getUnit
Description copied from interface:INativeCodeAnalyzerExtension
Get the code unit managingINativeCodeAnalyzer
. This method allows extensions to easily retrieve properties of the managing code unit.Important: no guarantee is given on the unit's state; this method should be used preferably to retrieve static features (eg, unit's properties).
- Specified by:
getUnit
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Returns:
- code unit
-
initializeProloguePatterns
The default implementation does nothing. -
getPrimitiveSizes
The default implementation returns null.- Specified by:
getPrimitiveSizes
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Parameters:
subsystemType
- optional hintcompilerType
- optional hint- Returns:
- if null is returned, the code unit will attempt to generate the most appropriate primitive type sizes
-
typeManagerInitialized
The default implementation does nothing.- Specified by:
typeManagerInitialized
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
-
preprocessImage
Description copied from interface:INativeCodeAnalyzerExtension
This method is called before an analysis pass is performed.- Specified by:
preprocessImage
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Parameters:
passIndex
- 0-based analysis pass index- Returns:
- true if some processing
-
postprocessImage
Description copied from interface:INativeCodeAnalyzerExtension
This method is called after the standard analysis pass completes (i.e., before any optional advanced analysis takes place).- Specified by:
postprocessImage
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Parameters:
passIndex
- 0-based analysis pass index- Returns:
- true if some processing
-
sigMatchingPostProcess
Description copied from interface:INativeCodeAnalyzerExtension
This method is called after signatures matching was performed.- Specified by:
sigMatchingPostProcess
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Parameters:
passIndex
- 0-based analysis pass index- Returns:
- true if some processing
-
getPrologueLooking
Default implementation checks the patterns stored inprologueVerifier
. Can be overridden, but sub-class should call super-method first. If nothing is found, result (ChainedOperationResult.getResult()
) is null.- Specified by:
getPrologueLooking
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Parameters:
address
- address to be examined (inclusive)addressMax
- end address to be examined (exclusive)- Returns:
- an
CodePointer
inChainedOperationResult.getResult()
if a prologue was found, possibly at a different address than address parameter, null if no prologue was found.
-
verifyGapRoutineCandidate
The default implementation returns true, that is a candidate address for a routine creation in a gap will be authorized by default. Extensions that need to perform additional checks can override this method.- Specified by:
verifyGapRoutineCandidate
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Parameters:
address
- routine start address- Returns:
- true or false (no nulls)
-
initializePaddingPatterns
The default implementation does nothing.- Parameters:
paddingVerifier
-
-
getPossiblePaddingSize
Default implementation checks the patterns stored inpaddingVerifier
. When alignment information are present, only unaligned data is considered padding. If nothing is found, result (ChainedOperationResult.getResult()
) is 0L.- Specified by:
getPossiblePaddingSize
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Parameters:
address
- address to be examined (inclusive)addressMax
- end address to be examined (exclusive)- Returns:
- a Long in
ChainedOperationResult.getResult()
; the size of the padding-like area from address, 0L if it does not look like padding
-
getProbableEntryPoints
public ChainedOperationResult<List<CodePointer>> getProbableEntryPoints(long address, long addressMax) Description copied from interface:INativeCodeAnalyzerExtension
Get the likely entry points in the given memory area. It might provide several entry points (with different modes) ordered by their likelihood.This method is not guaranteed to give the correct result, and should be considered an heuristic. It is intended to be used before the actual disassembly of code; it may provide a hint on the entry point to disassemble with.
- Specified by:
getProbableEntryPoints
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Returns:
- a list of Integer representing entry points in
ChainedOperationResult.getResult()
, ordered from the most probable to the least probable. The list will be empty if none could be determined
-
getTrampolineTarget
The default result (ChainedOperationResult.getResult()
) is null.- Specified by:
getTrampolineTarget
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Returns:
- a
Pointer
inChainedOperationResult.getResult()
for the target, null if none (i.e. routine is not a trampoline, or target could not be retrieved) (the return value is not the target itself, but a pointer to the target)
-
determineRoutineStackPointerDelta
The default result (ChainedOperationResult.getResult()
) is null.- Specified by:
determineRoutineStackPointerDelta
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Returns:
- an Integer in
ChainedOperationResult.getResult()
, null if the routine failed to determine the stack pointer delta
-
determinePotentialPointers
public ChainedOperationResult<Boolean> determinePotentialPointers(long address, InsnType insn, List<Pointer> values) The default result (ChainedOperationResult.getResult()
) is false.- Specified by:
determinePotentialPointers
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Parameters:
address
- address of the instructioninsn
- instruction to be examinedvalues
- output collection of pointers- Returns:
- a Boolean in
ChainedOperationResult.getResult()
; false to let the code analyzer proceed with its own (generic) pointer discovery algorithm; true to instruct it to skip it
-
determinePotentialPointersInProtoBlock
public ChainedOperationResult<Boolean> determinePotentialPointersInProtoBlock(IBasicBlockSkeleton<InsnType> blk, List<PointerLocation> values) The default result (ChainedOperationResult.getResult()
) is false.- Specified by:
determinePotentialPointersInProtoBlock
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Parameters:
blk
- preliminary basic block to be examinedvalues
- output collection of pointers- Returns:
- N/A
-
shouldForceRoutineEnd
The default result (ChainedOperationResult.getResult()
) is false.- Specified by:
shouldForceRoutineEnd
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
insn
- parsed instruction at the provided address- Returns:
- a Boolean in
ChainedOperationResult.getResult()
; true if the address should be considered a routine termination, false otherwise
-
isNonReturningRoutine
Description copied from interface:INativeCodeAnalyzerExtension
Determine if the given routine is non-returning.- Specified by:
isNonReturningRoutine
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Returns:
- a Boolean in
ChainedOperationResult.getResult()
; true if the routine does not return, false otherwise, null when no determination could be made
-
isCandidateSwitchDispatcher
public ChainedOperationResult<Boolean> isCandidateSwitchDispatcher(long branchInstructionAddress, InsnType branchInstruction, IBasicBlockSkeleton<InsnType> branchInstructionBlock) The default result (ChainedOperationResult.getResult()
) is false.- Specified by:
isCandidateSwitchDispatcher
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Returns:
- a boolean in
ChainedOperationResult.getResult()
; true if the instruction might correspond to a switch-like statement, false otherwise
-
determineSwitchInformation
public ChainedOperationResult<SwitchInformation> determineSwitchInformation(long branchInstructionAddress, IBasicBlockSkeleton<InsnType> branchInstructionBlock, List<IBasicBlockSkeleton<InsnType>> knownBlocks) The default result (ChainedOperationResult.getResult()
) is null.- Specified by:
determineSwitchInformation
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Returns:
SwitchInformation
inChainedOperationResult.getResult()
(might be empty), null if the routine failed
-
getPreferredBreakingFlow
public ChainedOperationResult<IFlowInformation> getPreferredBreakingFlow(long address, InsnType insn) The default result (ChainedOperationResult.getResult()
) is null.- Specified by:
getPreferredBreakingFlow
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Returns:
- a custom flow-information object or null
-
getPreferredAdvancedAnalysisStage
public ChainedOperationResult<NativeDecompilationStage> getPreferredAdvancedAnalysisStage(INativeMethodItem routine) The default result (ChainedOperationResult.getResult()
) isNativeDecompilationStage.SIMULATION
.- Specified by:
getPreferredAdvancedAnalysisStage
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Returns:
NativeDecompilationStage
inChainedOperationResult.getResult()
-
customizeInstructionItem
The default result (ChainedOperationResult.getResult()
) is false.- Specified by:
customizeInstructionItem
in interfaceINativeCodeAnalyzerExtension<InsnType extends IInstruction>
- Returns:
-