public abstract class

AbstractAnalyzerExtension

extends Object
implements INativeCodeAnalyzerExtension<InsnType extends IInstruction>
java.lang.Object
   ↳ com.pnfsoftware.jeb.core.units.code.asm.analyzer.AbstractAnalyzerExtension<InsnType extends com.pnfsoftware.jeb.core.units.code.IInstruction>

Class Overview

Extension of the INativeCodeAnalyzer.

Summary

Fields
protected INativeCodeAnalyzer<InsnType extends IInstruction> gca
protected BinaryPatternVerifier paddingVerifier
protected BinaryPatternVerifier prologueVerifier
Public Constructors
AbstractAnalyzerExtension()
Public Methods
ChainedOperationResult<Boolean> customizeInstructionItem(INativeInstructionItem item)
The default result (getResult()) is false.
ChainedOperationResult<Boolean> determinePotentialPointers(long address, InsnType insn, List<PointerDescription> values)
The default result (getResult()) is false.
ChainedOperationResult<Boolean> determinePotentialPointersInProtoBlock(IBasicBlockSkeleton<InsnType> blk, List<PointerLocation> values)
The default result (getResult()) is false.
ChainedOperationResult<Integer> determineRoutineStackPointerDelta(CFG<InsnType> routine)
The default result (getResult()) is null.
ChainedOperationResult<SwitchInformation> determineSwitchInformation(long branchInstructionAddress, IBasicBlockSkeleton<InsnType> branchInstructionBlock, List<IBasicBlockSkeleton<InsnType>> knownBlocks)
The default result (getResult()) is null.
ChainedOperationResult<Long> getPossiblePaddingSize(long address, long addressMax)
Default implementation checks the patterns stored in paddingVerifier.
ChainedOperationResult<NativeDecompilationStage> getPreferredAdvancedAnalysisStage(INativeMethodItem routine)
The default result (getResult()) is SIMULATION.
ChainedOperationResult<IFlowInformation> getPreferredBreakingFlow(long address, InsnType insn)
The default result (getResult()) is null.
IPrimitiveSizes getPrimitiveSizes(SubsystemType subsystemType, CompilerType compilerType)
The default implementation returns null.
ChainedOperationResult<List<EntryPointDescription>> getProbableEntryPoints(long address, long addressMax)
Get the likely entry points in the given memory area.
ChainedOperationResult<EntryPointDescription> getPrologueLooking(long address, long addressMax)
Default implementation checks the patterns stored in prologueVerifier.
ChainedOperationResult<? extends PointerDescription> getTrampolineTarget(CFG<InsnType> routine)
The default result (getResult()) is null.
INativeCodeUnit<InsnType> getUnit()
Get the code unit managing INativeCodeAnalyzer.
void initialize(INativeCodeAnalyzer<InsnType> analyzer)
Must be called by the GCA.
ChainedOperationResult<Boolean> isCandidateSwitchDispatcher(long branchInstructionAddress, InsnType branchInstruction, IBasicBlockSkeleton<InsnType> branchInstructionBlock)
The default result (getResult()) is false.
ChainedOperationResult<Boolean> isNonReturningRoutine(INativeMethodItem routine)
Determine if the given routine is non-returning.
ChainedOperationResult<Boolean> postprocessImage(int passIndex)
This method is called after the standard analysis pass completes (i.e., before any optional advanced analysis takes place).
ChainedOperationResult<Boolean> preprocessImage(int passIndex)
This method is called before an analysis pass is performed.
ChainedOperationResult<Boolean> shouldForceRoutineEnd(long address, InsnType insn)
The default result (getResult()) is false.
ChainedOperationResult<Boolean> sigMatchingPostProcess(int passIndex)
This method is called after signatures matching was performed.
void typeManagerInitialized(ITypeManager typeman)
The default implementation does nothing.
ChainedOperationResult<Boolean> verifyGapRoutineCandidate(long address)
The default implementation returns true, that is a candidate address for a routine creation in a gap will be authorized by default.
Protected Methods
void initializePaddingPatterns(BinaryPatternVerifier paddingVerifier)
The default implementation does nothing.
void initializeProloguePatterns(BinaryPatternVerifier prologueVerifier)
The default implementation does nothing.
[Expand]
Inherited Methods
From class java.lang.Object
From interface com.pnfsoftware.jeb.core.units.code.asm.analyzer.INativeCodeAnalyzerExtension

Fields

protected INativeCodeAnalyzer<InsnType extends IInstruction> gca

protected BinaryPatternVerifier paddingVerifier

protected BinaryPatternVerifier prologueVerifier

Public Constructors

public AbstractAnalyzerExtension ()

Public Methods

public ChainedOperationResult<Boolean> customizeInstructionItem (INativeInstructionItem item)

The default result (getResult()) is false.

public ChainedOperationResult<Boolean> determinePotentialPointers (long address, InsnType insn, List<PointerDescription> values)

The default result (getResult()) is false.

Parameters
address address of the instruction
insn instruction to be examined
values output collection of pointers
Returns
  • a Boolean in getResult(); false to let the code analyzer proceed with its own (generic) pointer discovery algorithm; true to instruct it to skip it

public ChainedOperationResult<Boolean> determinePotentialPointersInProtoBlock (IBasicBlockSkeleton<InsnType> blk, List<PointerLocation> values)

The default result (getResult()) is false.

Parameters
blk preliminary basic block to be examined
values output collection of pointers
Returns
  • N/A

public ChainedOperationResult<Integer> determineRoutineStackPointerDelta (CFG<InsnType> routine)

The default result (getResult()) is null.

Returns
  • an Integer in getResult(), null if the routine failed to determine the stack pointer delta

public ChainedOperationResult<SwitchInformation> determineSwitchInformation (long branchInstructionAddress, IBasicBlockSkeleton<InsnType> branchInstructionBlock, List<IBasicBlockSkeleton<InsnType>> knownBlocks)

The default result (getResult()) is null.

Returns

public ChainedOperationResult<Long> getPossiblePaddingSize (long address, long addressMax)

Default implementation checks the patterns stored in paddingVerifier. When alignment information are present, only unaligned data is considered padding. If nothing is found, result (getResult()) is 0L.

Parameters
address address to be examined (inclusive)
addressMax end address to be examined (exclusive)
Returns
  • a Long in getResult(); the size of the padding-like area from address, 0L if it does not look like padding

public ChainedOperationResult<NativeDecompilationStage> getPreferredAdvancedAnalysisStage (INativeMethodItem routine)

The default result (getResult()) is SIMULATION.

Returns

public ChainedOperationResult<IFlowInformation> getPreferredBreakingFlow (long address, InsnType insn)

The default result (getResult()) is null.

Returns
  • a custom flow-information object or null

public IPrimitiveSizes getPrimitiveSizes (SubsystemType subsystemType, CompilerType compilerType)

The default implementation returns null.

Parameters
subsystemType optional hint
compilerType optional hint
Returns
  • if null is returned, the code unit will attempt to generate the most appropriate primitive type sizes

public ChainedOperationResult<List<EntryPointDescription>> getProbableEntryPoints (long address, long addressMax)

Get the likely entry points in the given memory area. It might provide several entry points (with different modes) ordered by their likelihood.

This method is not guaranteed to give the correct result, and should be considered an heuristic. It is intended to be used before the actual disassembly of code; it may provide a hint on the entry point to disassemble with.

Returns
  • a list of Integer representing entry points in getResult(), ordered from the most probable to the least probable. The list will be empty if none could be determined

public ChainedOperationResult<EntryPointDescription> getPrologueLooking (long address, long addressMax)

Default implementation checks the patterns stored in prologueVerifier. Can be overridden, but sub-class should call super-method first. If nothing is found, result (getResult()) is null.

Parameters
address address to be examined (inclusive)
addressMax end address to be examined (exclusive)
Returns

public ChainedOperationResult<? extends PointerDescription> getTrampolineTarget (CFG<InsnType> routine)

The default result (getResult()) is null.

Returns
  • a PointerDescription in getResult() for the target, null if none (i.e. routine is not a trampoline, or target could not be retrieved) (the return value is not the target itself, but a pointer to the target)

public INativeCodeUnit<InsnType> getUnit ()

Get the code unit managing INativeCodeAnalyzer. This method allows extensions to easily retrieve properties of the managing code unit.

Important: no guarantee is given on the unit's state; this method should be used preferably to retrieve static features (eg, unit's properties).

Returns
  • code unit

public void initialize (INativeCodeAnalyzer<InsnType> analyzer)

Must be called by the GCA. We cannot use @SerCustomInit here, as the GCA may not exist yet (eg, unprocessed unit).

public ChainedOperationResult<Boolean> isCandidateSwitchDispatcher (long branchInstructionAddress, InsnType branchInstruction, IBasicBlockSkeleton<InsnType> branchInstructionBlock)

The default result (getResult()) is false.

Returns
  • a boolean in getResult(); true if the instruction might correspond to a switch-like statement, false otherwise

public ChainedOperationResult<Boolean> isNonReturningRoutine (INativeMethodItem routine)

Determine if the given routine is non-returning.

Returns
  • a Boolean in getResult(); true if the routine does not return, false otherwise, null when no determination could be made

public ChainedOperationResult<Boolean> postprocessImage (int passIndex)

This method is called after the standard analysis pass completes (i.e., before any optional advanced analysis takes place).

Parameters
passIndex 0-based analysis pass index
Returns
  • true if some processing

public ChainedOperationResult<Boolean> preprocessImage (int passIndex)

This method is called before an analysis pass is performed.

Parameters
passIndex 0-based analysis pass index
Returns
  • true if some processing

public ChainedOperationResult<Boolean> shouldForceRoutineEnd (long address, InsnType insn)

The default result (getResult()) is false.

Parameters
insn parsed instruction at the provided address
Returns
  • a Boolean in getResult(); true if the address should be considered a routine termination, false otherwise

public ChainedOperationResult<Boolean> sigMatchingPostProcess (int passIndex)

This method is called after signatures matching was performed.

Parameters
passIndex 0-based analysis pass index
Returns
  • true if some processing

public void typeManagerInitialized (ITypeManager typeman)

The default implementation does nothing.

public ChainedOperationResult<Boolean> verifyGapRoutineCandidate (long address)

The default implementation returns true, that is a candidate address for a routine creation in a gap will be authorized by default. Extensions that need to perform additional checks can override this method.

Parameters
address routine start address
Returns
  • true or false (no nulls)

Protected Methods

protected void initializePaddingPatterns (BinaryPatternVerifier paddingVerifier)

The default implementation does nothing.

protected void initializeProloguePatterns (BinaryPatternVerifier prologueVerifier)

The default implementation does nothing.