DBG (ANALYSIS): formatting
This commit is contained in:
parent
8399a77015
commit
3cb5805d5c
|
|
@ -111,7 +111,7 @@ bool AnalysisRunner::disasmChilds(const duint subTreeStartAddress, const duint p
|
|||
{
|
||||
// disassemble instruction
|
||||
const int instrLength = Disasm(&disasm);
|
||||
DISASM *disasm2 = new DISASM;
|
||||
DISASM* disasm2 = new DISASM;
|
||||
*disasm2 = disasm;
|
||||
// everything ok?
|
||||
if(instrLength != UNKNOWN_OPCODE)
|
||||
|
|
@ -304,7 +304,7 @@ void AnalysisRunner::emulateInstructions()
|
|||
Register->emulate(&(it->second.BeaStruct));
|
||||
|
||||
//for(std::vector<ClientInterface>::iterator itt = interfaces.begin();itt!=interfaces.end();itt++)
|
||||
a->see(it->second,Register,Stack);
|
||||
a->see(it->second, Register, Stack);
|
||||
b->see(it->second, Register, Stack);
|
||||
// next instruction
|
||||
it++;
|
||||
|
|
|
|||
|
|
@ -31,12 +31,13 @@ void ClientApiResolver::see(const Instruction_t Instr, const RegisterEmulator* r
|
|||
{
|
||||
if(n->outEdge->type == fa::CALL)
|
||||
{
|
||||
ttDebug("api: found call at "fhex" to "fhex" \n", (duint)Instr.BeaStruct.VirtualAddr,n->outEdge->end->vaddr);
|
||||
ttDebug("api: found call at "fhex" to "fhex" \n", (duint)Instr.BeaStruct.VirtualAddr, n->outEdge->end->vaddr);
|
||||
// test if the end has an edge, too
|
||||
ttDebug("api: opcode is %x \n",(((n->outEdge->end))->instruction.BeaStruct.Instruction.Opcode)&0xFF);
|
||||
ttDebug("api: opcode is %x \n",Analysis->graph()->node(n->outEdge->end->vaddr)->instruction.BeaStruct.Instruction.Opcode);
|
||||
ttDebug("api: opcode is %x \n", (((n->outEdge->end))->instruction.BeaStruct.Instruction.Opcode) & 0xFF);
|
||||
ttDebug("api: opcode is %x \n", Analysis->graph()->node(n->outEdge->end->vaddr)->instruction.BeaStruct.Instruction.Opcode);
|
||||
|
||||
if(((n->outEdge->end))->instruction.BeaStruct.Instruction.Opcode == 0xFF){
|
||||
if(((n->outEdge->end))->instruction.BeaStruct.Instruction.Opcode == 0xFF)
|
||||
{
|
||||
tDebug("api: --> is API CALL\n", (duint)n->outEdge->end->instruction.BeaStruct.VirtualAddr);
|
||||
// there is an api call
|
||||
//DbgSetAutoCommentAt((duint)Instr.BeaStruct.VirtualAddr, "hi");
|
||||
|
|
|
|||
|
|
@ -45,10 +45,11 @@ void ClientFunctionFinder::see(const Instruction_t Instr, const RegisterEmulator
|
|||
// there is a branching!
|
||||
if(n->outEdge->type == fa::RET)
|
||||
{
|
||||
if((duint) n->outEdge->end->instruction.BeaStruct.Instruction.AddrValue != Analysis->oep()){
|
||||
if((duint) n->outEdge->end->instruction.BeaStruct.Instruction.AddrValue != Analysis->oep())
|
||||
{
|
||||
// internal call
|
||||
DbgSetAutoFunctionAt((duint)n->outEdge->end->instruction.BeaStruct.Instruction.AddrValue, (duint)Instr.BeaStruct.VirtualAddr);
|
||||
tDebug("add function from "fhex" to "fhex"\n",(duint) n->outEdge->end->instruction.BeaStruct.Instruction.AddrValue, (duint)Instr.BeaStruct.VirtualAddr);
|
||||
tDebug("add function from "fhex" to "fhex"\n", (duint) n->outEdge->end->instruction.BeaStruct.Instruction.AddrValue, (duint)Instr.BeaStruct.VirtualAddr);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,40 +6,43 @@
|
|||
namespace fa
|
||||
{
|
||||
|
||||
FlowGraph::FlowGraph(AnalysisRunner * ana) : analysis(ana)
|
||||
{
|
||||
FlowGraph::FlowGraph(AnalysisRunner* ana) : analysis(ana)
|
||||
{
|
||||
|
||||
}
|
||||
FlowGraph::~FlowGraph(void)
|
||||
{
|
||||
}
|
||||
FlowGraph::~FlowGraph(void)
|
||||
{
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
bool FlowGraph::insertNode(Node_t* node)
|
||||
{
|
||||
// if (!contains(nodes,(duint)node->vaddr))
|
||||
// {
|
||||
// return (nodes.insert(std::make_pair<duint,Node_t*>(node->vaddr,node))).second;
|
||||
// }
|
||||
bool FlowGraph::insertNode(Node_t* node)
|
||||
{
|
||||
// if (!contains(nodes,(duint)node->vaddr))
|
||||
// {
|
||||
// return (nodes.insert(std::make_pair<duint,Node_t*>(node->vaddr,node))).second;
|
||||
// }
|
||||
return true;
|
||||
|
||||
}
|
||||
bool FlowGraph::insertEdge(Node_t* startNode, Node_t* endNode, EdgeType currentEdgeType)
|
||||
}
|
||||
bool FlowGraph::insertEdge(Node_t* startNode, Node_t* endNode, EdgeType currentEdgeType)
|
||||
{
|
||||
Node_t* workStart;
|
||||
Node_t* workEnd;
|
||||
if(!contains(nodes, startNode->vaddr))
|
||||
{
|
||||
Node_t *workStart;
|
||||
Node_t *workEnd;
|
||||
if(!contains(nodes,startNode->vaddr)){
|
||||
nodes.insert(std::pair<duint,Node_t*>(startNode->vaddr, startNode));
|
||||
nodes.insert(std::pair<duint, Node_t*>(startNode->vaddr, startNode));
|
||||
}
|
||||
if(!contains(nodes,endNode->vaddr)){
|
||||
nodes.insert(std::pair<duint,Node_t*>(endNode->vaddr, endNode));
|
||||
if(!contains(nodes, endNode->vaddr))
|
||||
{
|
||||
nodes.insert(std::pair<duint, Node_t*>(endNode->vaddr, endNode));
|
||||
}
|
||||
|
||||
workStart = &*(nodes.find(startNode->vaddr)->second);
|
||||
workEnd = &*(nodes.find(endNode->vaddr)->second);
|
||||
|
||||
|
||||
if (startNode->hasInstr && !((nodes.find(startNode->vaddr)->second))->hasInstr){
|
||||
if(startNode->hasInstr && !((nodes.find(startNode->vaddr)->second))->hasInstr)
|
||||
{
|
||||
ttDebug("updating old startnode");
|
||||
workStart->instruction = startNode->instruction;
|
||||
}
|
||||
|
|
@ -49,8 +52,8 @@ namespace fa
|
|||
|
||||
Edge_t* edge = new Edge_t(workStart, workEnd, currentEdgeType);
|
||||
|
||||
edges.insert(std::pair<duint,Edge_t*>(workStart->vaddr,edge));
|
||||
std::map<duint,Edge_t*>::iterator ansiter = edges.find(workStart->vaddr);
|
||||
edges.insert(std::pair<duint, Edge_t*>(workStart->vaddr, edge));
|
||||
std::map<duint, Edge_t*>::iterator ansiter = edges.find(workStart->vaddr);
|
||||
edge = &*(ansiter->second);
|
||||
edge->start = workStart;
|
||||
edge->end = workEnd;
|
||||
|
|
@ -60,11 +63,11 @@ namespace fa
|
|||
|
||||
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void FlowGraph::clean()
|
||||
{
|
||||
void FlowGraph::clean()
|
||||
{
|
||||
// first delete all edges whoses aks for it
|
||||
std::map<duint, Edge_t*>::iterator e = edges.begin();
|
||||
while(e != edges.end())
|
||||
|
|
@ -89,9 +92,9 @@ namespace fa
|
|||
nodes.erase(current);
|
||||
}
|
||||
}
|
||||
}
|
||||
bool FlowGraph::find(const duint va , Node_t* node)
|
||||
{
|
||||
}
|
||||
bool FlowGraph::find(const duint va , Node_t* node)
|
||||
{
|
||||
if(contains(nodes, va))
|
||||
{
|
||||
std::map<duint, Node_t*>::iterator iter = nodes.find(va);
|
||||
|
|
@ -104,9 +107,9 @@ namespace fa
|
|||
}
|
||||
return false;
|
||||
|
||||
}
|
||||
Node_t* FlowGraph::node(const duint va)
|
||||
{
|
||||
}
|
||||
Node_t* FlowGraph::node(const duint va)
|
||||
{
|
||||
if(contains(nodes, va))
|
||||
{
|
||||
std::map<duint, Node_t*>::iterator iter = nodes.find(va);
|
||||
|
|
@ -115,17 +118,18 @@ namespace fa
|
|||
}
|
||||
return NULL;
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
void FlowGraph::fillNodes()
|
||||
void FlowGraph::fillNodes()
|
||||
{
|
||||
for(std::map<duint, Node_t*>::iterator i = nodes.begin(); i != nodes.end(); i++)
|
||||
{
|
||||
for(std::map<duint, Node_t*>::iterator i=nodes.begin();i!=nodes.end();i++){
|
||||
i->second->hasInstr=true;
|
||||
i->second->hasInstr = true;
|
||||
i->second->instruction.BeaStruct = analysis->instruction_t(i->first).BeaStruct;
|
||||
if(i->second->instruction.BeaStruct.Instruction.Opcode == 0xFF)
|
||||
ttDebug("ext jump at %x",i->first);
|
||||
}
|
||||
ttDebug("ext jump at %x", i->first);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -18,9 +18,9 @@ class FlowGraph
|
|||
// all existing nodes
|
||||
std::map<duint, Node_t*> nodes;
|
||||
|
||||
AnalysisRunner *analysis;
|
||||
AnalysisRunner* analysis;
|
||||
public:
|
||||
FlowGraph(AnalysisRunner *ana);
|
||||
FlowGraph(AnalysisRunner* ana);
|
||||
~FlowGraph(void);
|
||||
void clean();
|
||||
// insert a new node an returns the existing node if there was already the node
|
||||
|
|
|
|||
|
|
@ -28,14 +28,14 @@
|
|||
namespace fa
|
||||
{
|
||||
|
||||
enum EdgeType{RET,CALL,EXTERNCALL,CONDJMP,UNCONDJMP,EXTERNJMP,INF,UNKOWN};
|
||||
enum EdgeType {RET, CALL, EXTERNCALL, CONDJMP, UNCONDJMP, EXTERNJMP, INF, UNKOWN};
|
||||
|
||||
|
||||
|
||||
// every edge in the application flow graph is an instruction that active modifies the EIP
|
||||
// every edge in the application flow graph is an instruction that active modifies the EIP
|
||||
|
||||
typedef struct Instruction_t
|
||||
{
|
||||
typedef struct Instruction_t
|
||||
{
|
||||
DISASM BeaStruct;
|
||||
unsigned int Length;
|
||||
|
||||
|
|
@ -50,10 +50,10 @@ namespace fa
|
|||
BeaStruct = DISASM();
|
||||
Length = UNKNOWN_OPCODE;
|
||||
}
|
||||
} Instruction_t;
|
||||
} Instruction_t;
|
||||
|
||||
struct ArgumentInfo_t
|
||||
{
|
||||
struct ArgumentInfo_t
|
||||
{
|
||||
std::string Type;
|
||||
std::string Name;
|
||||
|
||||
|
|
@ -64,10 +64,10 @@ namespace fa
|
|||
}
|
||||
|
||||
ArgumentInfo_t() {}
|
||||
};
|
||||
};
|
||||
|
||||
struct FunctionInfo_t
|
||||
{
|
||||
struct FunctionInfo_t
|
||||
{
|
||||
std::string DLLName;
|
||||
std::string ReturnType;
|
||||
std::string Name;
|
||||
|
|
@ -104,16 +104,16 @@ namespace fa
|
|||
}
|
||||
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
template<typename T, typename D>
|
||||
bool contains(std::map<T, D> s, T key)
|
||||
{
|
||||
template<typename T, typename D>
|
||||
bool contains(std::map<T, D> s, T key)
|
||||
{
|
||||
std::map<T, D>::iterator it = s.find(key);
|
||||
return (it != s.end());
|
||||
}
|
||||
}
|
||||
|
||||
typedef std::map<duint, Instruction_t>::const_iterator instrIter;
|
||||
typedef std::map<duint, Instruction_t>::const_iterator instrIter;
|
||||
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ Node_t::Node_t(Instruction_t t)
|
|||
outEdge = NULL;
|
||||
instruction = t;
|
||||
vaddr = (duint)t.BeaStruct.VirtualAddr;
|
||||
hasInstr=true;
|
||||
hasInstr = true;
|
||||
}
|
||||
|
||||
Node_t::Node_t(duint va)
|
||||
|
|
|
|||
Loading…
Reference in New Issue