INativeCodeAnalyzerExtension
| com.pnfsoftware.jeb.core.units.code.asm.analyzer.INativeCodeAnalyzerExtension<InsnType extends com.pnfsoftware.jeb.core.units.code.IInstruction> |
 Known Indirect Subclasses
AbstractAnalyzerExtension<InsnType extends IInstruction>,
INativeCodeAnalyzerExtensionsManager<InsnType extends IInstruction>
|
Class Overview
INativeCodeAnalyzer extensions. A collection of heuristics to improve the generic code
analyzer. Clients should inherit from AbstractAnalyzerExtension, which provides default
implementations, and implement only the needed methods.
Summary
| Public Methods | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| abstract ChainedOperationResult<Boolean> |
customizeInstructionItem(INativeInstructionItem item)
Customize an instruction item just after its creation by the code analyzer.
| ||||||||||
| abstract ChainedOperationResult<Boolean> |
determinePotentialPointers(long address, InsnType insn, List<PointerDescription> values)
Determine pointers (addresses to data or code) contained in the provided instruction, to let
the code analyzer enqueue them for additional analysis.
| ||||||||||
| abstract ChainedOperationResult<Boolean> |
determinePotentialPointersInProtoBlock(IBasicBlockSkeleton<InsnType> blk, List<PointerLocation> values)
Determine additional pointers to be analyzed (addresses to data or code) that may be inferred
from the analysis of the provided basic block skeleton (proto-basic block).
| ||||||||||
| abstract ChainedOperationResult<Integer> |
determineRoutineStackPointerDelta(CFG<InsnType> routine)
Determine (heuristically) the stack pointer delta generated by the execution of a routine.
| ||||||||||
| abstract ChainedOperationResult<SwitchInformation> |
determineSwitchInformation(long branchInstructionAddress, IBasicBlockSkeleton<InsnType> branchInstructionBlock, List<IBasicBlockSkeleton<InsnType>> knownBlocks)
Determine (heuristically) the information related to a switch-like statement, i.e.
| ||||||||||
| abstract ChainedOperationResult<Long> |
getPossiblePaddingSize(long address, long addressMax)
Determine if a given memory area looks like (could be) starting with padding, and
provides the size of the padding looking area, if any.
| ||||||||||
| abstract ChainedOperationResult<NativeDecompilationStage> |
getPreferredAdvancedAnalysisStage(INativeMethodItem routine)
Determine which
NativeDecompilationStage should be used by
INativeCodeAdvancedAnalyzer for the given routine. | ||||||||||
| abstract ChainedOperationResult<IFlowInformation> |
getPreferredBreakingFlow(long address, InsnType insn)
Provide alternate/custom breaking-flow information.
| ||||||||||
| abstract IPrimitiveSizes |
getPrimitiveSizes(SubsystemType subsystemType, CompilerType compilerType)
This method is called by the code unit to retrieve primitive type information.
| ||||||||||
| abstract ChainedOperationResult<List<EntryPointDescription>> |
getProbableEntryPoints(long address, long addressMax)
Get the likely entry points in the given memory area.
| ||||||||||
| abstract ChainedOperationResult<EntryPointDescription> |
getPrologueLooking(long address, long addressMax)
Determine if a given memory area looks like (could be) the beginning of a routine.
| ||||||||||
| abstract ChainedOperationResult<? extends PointerDescription> |
getTrampolineTarget(CFG<InsnType> routine)
Get the location targeted by a trampoline routine -- a routine that only branches to another
location --, if any.
| ||||||||||
| abstract INativeCodeUnit<InsnType> |
getUnit()
Get the code unit managing
INativeCodeAnalyzer. | ||||||||||
| abstract void |
initialize(INativeCodeAnalyzer<InsnType> analyzer)
Implementors will receive a reference to the main analyzer.
| ||||||||||
| abstract ChainedOperationResult<Boolean> |
isCandidateSwitchDispatcher(long branchInstructionAddress, InsnType branchInstruction, IBasicBlockSkeleton<InsnType> branchInstructionBlock)
Determine (heuristically) if the provided branching instruction (jump/call/...) could be the
dispatcher of a switch-like statement.
| ||||||||||
| abstract ChainedOperationResult<Boolean> |
isNonReturningRoutine(INativeMethodItem routine)
Determine if the given routine is non-returning.
| ||||||||||
| abstract ChainedOperationResult<Boolean> |
postprocessImage(int passIndex)
This method is called after the standard analysis pass completes (i.e., before any optional
advanced analysis takes place).
| ||||||||||
| abstract ChainedOperationResult<Boolean> |
preprocessImage(int passIndex)
This method is called before an analysis pass is performed.
| ||||||||||
| abstract ChainedOperationResult<Boolean> |
shouldForceRoutineEnd(long address, InsnType insn)
Determine if the address is the last instruction of a routine.
| ||||||||||
| abstract ChainedOperationResult<Boolean> |
sigMatchingPostProcess(int passIndex)
This method is called after signatures matching was performed.
| ||||||||||
| abstract void |
typeManagerInitialized(ITypeManager typeman)
This method is called by the code unit right after it created a type manager suitable for
processing.
| ||||||||||
| abstract ChainedOperationResult<Boolean> |
verifyGapRoutineCandidate(long address)
Determine whether a candidate routine in a gap should be considered as valid.
| ||||||||||
Public Methods
public abstract ChainedOperationResult<Boolean> customizeInstructionItem (INativeInstructionItem item)
Customize an instruction item just after its creation by the code analyzer.
public abstract ChainedOperationResult<Boolean> determinePotentialPointers (long address, InsnType insn, List<PointerDescription> values)
Determine pointers (addresses to data or code) contained in the provided instruction, to let
the code analyzer enqueue them for additional analysis. This method is called by the
INativeCodeAnalyzer on non breaking flow instructions before it tries to
determine such additions itself.
Parameters
| address | address of the instruction |
|---|---|
| insn | instruction to be examined |
| values | output collection of pointers |
Returns
- a Boolean in
getResult(); false to let the code analyzer proceed with its own (generic) pointer discovery algorithm; true to instruct it to skip it
public abstract ChainedOperationResult<Boolean> determinePotentialPointersInProtoBlock (IBasicBlockSkeleton<InsnType> blk, List<PointerLocation> values)
Determine additional pointers to be analyzed (addresses to data or code) that may be inferred
from the analysis of the provided basic block skeleton (proto-basic block). This method is
called by the INativeCodeAnalyzer after a basic block is preliminary terminated.
Parameters
| blk | preliminary basic block to be examined |
|---|---|
| values | output collection of pointers |
Returns
- N/A
public abstract ChainedOperationResult<Integer> determineRoutineStackPointerDelta (CFG<InsnType> routine)
Determine (heuristically) the stack pointer delta generated by the execution of a routine.
Returns
- an Integer in
getResult(), null if the routine failed to determine the stack pointer delta
public abstract ChainedOperationResult<SwitchInformation> determineSwitchInformation (long branchInstructionAddress, IBasicBlockSkeleton<InsnType> branchInstructionBlock, List<IBasicBlockSkeleton<InsnType>> knownBlocks)
Determine (heuristically) the information related to a switch-like statement, i.e. the list
of reachable EntryPointDescription (case handlers) and the jump table addresses (if
any).
This method works on not-yet-built routines, i.e. using IBasicBlockSkeleton.
Returns
SwitchInformationingetResult()(might be empty), null if the routine failed
public abstract ChainedOperationResult<Long> getPossiblePaddingSize (long address, long addressMax)
Determine if a given memory area looks like (could be) starting with padding, and provides the size of the padding looking area, if any.
Parameters
| address | address to be examined (inclusive) |
|---|---|
| addressMax | end address to be examined (exclusive) |
Returns
- a Long in
getResult(); the size of the padding-like area from address, 0L if it does not look like padding
public abstract ChainedOperationResult<NativeDecompilationStage> getPreferredAdvancedAnalysisStage (INativeMethodItem routine)
Determine which NativeDecompilationStage should be used by
INativeCodeAdvancedAnalyzer for the given routine.
The default implementation returns SIMULATION
Returns
public abstract ChainedOperationResult<IFlowInformation> getPreferredBreakingFlow (long address, InsnType insn)
Provide alternate/custom breaking-flow information. If no custom information is to be
provided, the implementation should return a null object. Upon a null return, it is the
responsibility of the caller to retrieve the standard breaking-flow information
(getBreakingFlow(long)).
Returns
- a custom flow-information object or null
public abstract IPrimitiveSizes getPrimitiveSizes (SubsystemType subsystemType, CompilerType compilerType)
This method is called by the code unit to retrieve primitive type information.
Parameters
| subsystemType | optional hint |
|---|---|
| compilerType | optional hint |
Returns
- if null is returned, the code unit will attempt to generate the most appropriate primitive type sizes
public abstract ChainedOperationResult<List<EntryPointDescription>> getProbableEntryPoints (long address, long addressMax)
Get the likely entry points in the given memory area. It might provide several entry points (with different modes) ordered by their likelihood.
This method is not guaranteed to give the correct result, and should be considered an heuristic. It is intended to be used before the actual disassembly of code; it may provide a hint on the entry point to disassemble with.
Returns
- a list of Integer representing entry points in
getResult(), ordered from the most probable to the least probable. The list will be empty if none could be determined
public abstract ChainedOperationResult<EntryPointDescription> getPrologueLooking (long address, long addressMax)
Determine if a given memory area looks like (could be) the beginning of a routine.
Parameters
| address | address to be examined (inclusive) |
|---|---|
| addressMax | end address to be examined (exclusive) |
Returns
- an
EntryPointDescriptioningetResult()if a prologue was found, possibly at a different address than address parameter, null if no prologue was found.
public abstract ChainedOperationResult<? extends PointerDescription> getTrampolineTarget (CFG<InsnType> routine)
Get the location targeted by a trampoline routine -- a routine that only branches to another location --, if any.
Note: the target might be indirectly retrieved (i.e. through a memory/register indirection).
Returns
- a
PointerDescriptioningetResult()for the target, null if none (i.e. routine is not a trampoline, or target could not be retrieved) (the return value is not the target itself, but a pointer to the target)
public abstract INativeCodeUnit<InsnType> getUnit ()
Get the code unit managing INativeCodeAnalyzer. This method allows extensions to
easily retrieve properties of the managing code unit.
Important: no guarantee is given on the unit's state; this method should be used preferably to retrieve static features (eg, unit's properties).
Returns
- code unit
public abstract void initialize (INativeCodeAnalyzer<InsnType> analyzer)
Implementors will receive a reference to the main analyzer. This method is not to be called by third-party code. It will be called by the GCA when the extension object (this object) is being initialized.
public abstract ChainedOperationResult<Boolean> isCandidateSwitchDispatcher (long branchInstructionAddress, InsnType branchInstruction, IBasicBlockSkeleton<InsnType> branchInstructionBlock)
Determine (heuristically) if the provided branching instruction (jump/call/...) could be the dispatcher of a switch-like statement.
This method is intended to be a fast check, and candidates will then be processed by
determineSwitchInformation(long, IBasicBlockSkeleton, List).
Returns
- a boolean in
getResult(); true if the instruction might correspond to a switch-like statement, false otherwise
public abstract ChainedOperationResult<Boolean> isNonReturningRoutine (INativeMethodItem routine)
Determine if the given routine is non-returning.
Returns
- a Boolean in
getResult(); true if the routine does not return, false otherwise, null when no determination could be made
public abstract ChainedOperationResult<Boolean> postprocessImage (int passIndex)
This method is called after the standard analysis pass completes (i.e., before any optional advanced analysis takes place).
Parameters
| passIndex | 0-based analysis pass index |
|---|
Returns
- true if some processing
public abstract ChainedOperationResult<Boolean> preprocessImage (int passIndex)
This method is called before an analysis pass is performed.
Parameters
| passIndex | 0-based analysis pass index |
|---|
Returns
- true if some processing
public abstract ChainedOperationResult<Boolean> shouldForceRoutineEnd (long address, InsnType insn)
Determine if the address is the last instruction of a routine. If true, the basic block containing the provided instruction will be closed, i.e. it will be as if the instruction breaks the flow to nothing.
When working with delay slots, this method will indicate routine end for the jump instruction that precedes the delay slot(s), not for the delay slot.
Parameters
| insn | parsed instruction at the provided address |
|---|
Returns
- a Boolean in
getResult(); true if the address should be considered a routine termination, false otherwise
public abstract ChainedOperationResult<Boolean> sigMatchingPostProcess (int passIndex)
This method is called after signatures matching was performed.
Parameters
| passIndex | 0-based analysis pass index |
|---|
Returns
- true if some processing
public abstract void typeManagerInitialized (ITypeManager typeman)
This method is called by the code unit right after it created a type manager suitable for processing. This happens before the code analysis starts. Implementors are free to customize the type manager, e.g. by adding types that will be required when further processing takes place.
public abstract ChainedOperationResult<Boolean> verifyGapRoutineCandidate (long address)
Determine whether a candidate routine in a gap should be considered as valid.
Parameters
| address | routine start address |
|---|
Returns
- true or false (no nulls)