Ejemplo n.º 1
0
        public void Find_Matching_Frames_Complex()
        {
            var frameAccess = new FrameAccess();
            var builder     = new ContextFactoryBuilder();

            builder.WithFrame(new FrameEntity
            {
                PosHi    = 0,
                PosLo    = 0,
                ThreadId = 1,
                Rax      = ((ulong)1).ToHexString()
            }).WithFrame(new FrameEntity
            {
                PosHi    = 0,
                PosLo    = 0,
                ThreadId = 2,
                Rax      = ((ulong)2).ToHexString()
            }).WithFrame(new FrameEntity
            {
                PosHi    = 1,
                PosLo    = 0,
                ThreadId = 2,
                Rax      = ((ulong)2).ToHexString()
            }).WithFrame(new FrameEntity
            {
                PosHi    = 1,
                PosLo    = 1,
                ThreadId = 2,
                Rax      = ((ulong)1).ToHexString(),
                Rbx      = ((ulong)2).ToHexString()
            });
            frameAccess.ContextFactory = builder.Build();

            var rax           = new RegisterEqualsCriterion(Register.Rax, ((ulong)1).ToHexString());
            var rbx           = new RegisterEqualsCriterion(Register.Rbx, ((ulong)2).ToHexString());
            var and           = new AndCriterion(new[] { rax, rbx });
            var or            = new OrCriterion(new[] { rax, rbx });
            var not           = new NotCriterion(rax);
            var all           = new OrCriterion(new ICriterion[] { not, rax });
            var none          = new AndCriterion(new ICriterion[] { not, rax });
            var andAll        = new AndCriterion(new ICriterion[] { and, all });
            var andResults    = frameAccess.Search("", and);
            var orResults     = frameAccess.Search("", or);
            var notResults    = frameAccess.Search("", not);
            var allResults    = frameAccess.Search("", all);
            var noneResults   = frameAccess.Search("", none);
            var andAllResults = frameAccess.Search("", andAll);

            andResults.Single().RegisterSet.Rax.Should().Be(1);
            andResults.Single().RegisterSet.Rbx.Should().Be(2);

            orResults.Should().HaveCount(2);
            notResults.Should().HaveCount(2);
            allResults.Should().HaveCount(4);
            noneResults.Should().HaveCount(0);
            andAllResults.Should().HaveCount(1);
        }
Ejemplo n.º 2
0
        public void Create_The_Correct_Expression_Tree_For_And()
        {
            var visitor   = new FrameCriterionVisitor();
            var criteria1 = new RegisterEqualsCriterion(Register.Rax, ((ulong)0).ToHexString());
            var criteria2 = new RegisterEqualsCriterion(Register.Rbx, ((ulong)1).ToHexString());
            var and       = new AndCriterion(new[] { criteria1, criteria2 });
            var f         = visitor.Visit(and);

            var frame = new FrameEntity
            {
                Rax = ((ulong)0).ToHexString(),
                Rbx = ((ulong)1).ToHexString()
            };
            var frame2 = new FrameEntity
            {
                Rax = ((ulong)1).ToHexString(),
                Rbx = ((ulong)1).ToHexString()
            };

            var method = ((FramePredicateExpression)f).Compile();

            new[] { frame, frame2 }.Single(x => method(x)).Should().Be(frame);
        }
Ejemplo n.º 3
0
        public void Create_The_Correct_Expression_Tree_For_Or()
        {
            var visitor   = new FrameCriterionVisitor();
            var criteria1 = new RegisterEqualsCriterion(Register.Rax, ((ulong)0).ToHexString());
            var criteria2 = new RegisterEqualsCriterion(Register.Rbx, ((ulong)1).ToHexString());
            var and       = new OrCriterion(new[] { criteria1, criteria2 });
            var f         = visitor.Visit(and);
            var builder   = new ContextFactoryBuilder();
            var frame     = new FrameEntity
            {
                Rax = ((ulong)0).ToHexString(),
                Rbx = ((ulong)1).ToHexString()
            };
            var frame2 = new FrameEntity
            {
                Rax = ((ulong)1).ToHexString(),
                Rbx = ((ulong)1).ToHexString()
            };

            builder.WithFrame(frame).WithFrame(frame2);
            var method = ((FramePredicateExpression)f).Compile();

            new[] { frame, frame2 }.Where(x => method(x)).SequenceEqual(new[] { frame, frame2 }).Should().BeTrue();
        }
Ejemplo n.º 4
0
        /// <summary>
        ///     Visits the specified register equals criterion.
        /// </summary>
        /// <param name="registerEqualsCriterion">The register equals criterion.</param>
        /// <returns>FramePredicateExpression.</returns>
        /// <exception cref="IndexOutOfRangeException">Unknown register</exception>
        public object Visit(RegisterEqualsCriterion registerEqualsCriterion)
        {
            var bytes = registerEqualsCriterion.HexString;

            if (registerEqualsCriterion.Register == Register.Rax)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Rax == null && bytes == null || entity.Rax != null && entity.Rax == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Rcx)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Rcx == null && bytes == null || entity.Rcx != null && entity.Rcx == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Rdx)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Rdx == null && bytes == null || entity.Rdx != null && entity.Rdx == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Rbx)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Rbx == null && bytes == null || entity.Rbx != null && entity.Rbx == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Rsp)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Rsp == null && bytes == null || entity.Rsp != null && entity.Rsp == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Rbp)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Rbp == null && bytes == null || entity.Rbp != null && entity.Rbp == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Rsi)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Rsi == null && bytes == null || entity.Rsi != null && entity.Rsi == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Rdi)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Rdi == null && bytes == null || entity.Rdi != null && entity.Rdi == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.R8)
            {
                FramePredicateExpression exp = entity =>
                                               entity.R8 == null && bytes == null || entity.R8 != null && entity.R8 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.R9)
            {
                FramePredicateExpression exp = entity =>
                                               entity.R9 == null && bytes == null || entity.R9 != null && entity.R9 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.R10)
            {
                FramePredicateExpression exp = entity =>
                                               entity.R10 == null && bytes == null || entity.R10 != null && entity.R10 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.R11)
            {
                FramePredicateExpression exp = entity =>
                                               entity.R11 == null && bytes == null || entity.R11 != null && entity.R11 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.R12)
            {
                FramePredicateExpression exp = entity =>
                                               entity.R12 == null && bytes == null || entity.R12 != null && entity.R12 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.R13)
            {
                FramePredicateExpression exp = entity =>
                                               entity.R13 == null && bytes == null || entity.R13 != null && entity.R13 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.R14)
            {
                FramePredicateExpression exp = entity =>
                                               entity.R14 == null && bytes == null || entity.R14 != null && entity.R14 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.R15)
            {
                FramePredicateExpression exp = entity =>
                                               entity.R15 == null && bytes == null || entity.R15 != null && entity.R15 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Rip)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Rip == null && bytes == null || entity.Rip != null && entity.Rip == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Efl)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Efl == null && bytes == null || entity.Efl != null && entity.Efl == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Cs)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Cs == null && bytes == null || entity.Cs != null && entity.Cs == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Ds)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Ds == null && bytes == null || entity.Ds != null && entity.Ds == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Es)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Es == null && bytes == null || entity.Es != null && entity.Es == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Fs)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Fs == null && bytes == null || entity.Fs != null && entity.Fs == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Gs)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Gs == null && bytes == null || entity.Gs != null && entity.Gs == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Ss)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Ss == null && bytes == null || entity.Ss != null && entity.Ss == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Dr0)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Dr0 == null && bytes == null || entity.Dr0 != null && entity.Dr0 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Dr1)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Dr1 == null && bytes == null || entity.Dr1 != null && entity.Dr1 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Dr2)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Dr2 == null && bytes == null || entity.Dr2 != null && entity.Dr2 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Dr3)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Dr3 == null && bytes == null || entity.Dr3 != null && entity.Dr3 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Dr6)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Dr6 == null && bytes == null || entity.Dr6 != null && entity.Dr6 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Dr7)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Dr7 == null && bytes == null || entity.Dr7 != null && entity.Dr7 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Fpcw)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Fpcw == null && bytes == null || entity.Fpcw != null && entity.Fpcw == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Fpsw)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Fpsw == null && bytes == null || entity.Fpsw != null && entity.Fpsw == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Fptw)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Fptw == null && bytes == null || entity.Fptw != null && entity.Fptw == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.St0)
            {
                FramePredicateExpression exp = entity =>
                                               entity.St0 == null && bytes == null || entity.St0 != null && entity.St0 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.St1)
            {
                FramePredicateExpression exp = entity =>
                                               entity.St1 == null && bytes == null || entity.St1 != null && entity.St1 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.St2)
            {
                FramePredicateExpression exp = entity =>
                                               entity.St2 == null && bytes == null || entity.St2 != null && entity.St2 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.St3)
            {
                FramePredicateExpression exp = entity =>
                                               entity.St3 == null && bytes == null || entity.St3 != null && entity.St3 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.St4)
            {
                FramePredicateExpression exp = entity =>
                                               entity.St4 == null && bytes == null || entity.St4 != null && entity.St4 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.St5)
            {
                FramePredicateExpression exp = entity =>
                                               entity.St5 == null && bytes == null || entity.St5 != null && entity.St5 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.St6)
            {
                FramePredicateExpression exp = entity =>
                                               entity.St6 == null && bytes == null || entity.St6 != null && entity.St6 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.St7)
            {
                FramePredicateExpression exp = entity =>
                                               entity.St7 == null && bytes == null || entity.St7 != null && entity.St7 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Mm0)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Mm0 == null && bytes == null || entity.Mm0 != null && entity.Mm0 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Mm1)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Mm1 == null && bytes == null || entity.Mm1 != null && entity.Mm1 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Mm2)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Mm2 == null && bytes == null || entity.Mm2 != null && entity.Mm2 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Mm3)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Mm3 == null && bytes == null || entity.Mm3 != null && entity.Mm3 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Mm4)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Mm4 == null && bytes == null || entity.Mm4 != null && entity.Mm4 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Mm5)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Mm5 == null && bytes == null || entity.Mm5 != null && entity.Mm5 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Mm6)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Mm6 == null && bytes == null || entity.Mm6 != null && entity.Mm6 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Mm7)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Mm7 == null && bytes == null || entity.Mm7 != null && entity.Mm7 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Mxcsr)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Mxcsr == null && bytes == null || entity.Mxcsr != null && entity.Mxcsr == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Ymm0)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Ymm0 == null && bytes == null || entity.Ymm0 != null && entity.Ymm0 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Ymm1)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Ymm1 == null && bytes == null || entity.Ymm1 != null && entity.Ymm1 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Ymm2)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Ymm2 == null && bytes == null || entity.Ymm2 != null && entity.Ymm2 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Ymm3)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Ymm3 == null && bytes == null || entity.Ymm3 != null && entity.Ymm3 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Ymm4)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Ymm4 == null && bytes == null || entity.Ymm4 != null && entity.Ymm4 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Ymm5)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Ymm5 == null && bytes == null || entity.Ymm5 != null && entity.Ymm5 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Ymm6)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Ymm6 == null && bytes == null || entity.Ymm6 != null && entity.Ymm6 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Ymm7)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Ymm7 == null && bytes == null || entity.Ymm7 != null && entity.Ymm7 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Ymm8)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Ymm8 == null && bytes == null || entity.Ymm8 != null && entity.Ymm8 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Ymm9)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Ymm9 == null && bytes == null || entity.Ymm9 != null && entity.Ymm9 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Ymm10)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Ymm10 == null && bytes == null || entity.Ymm10 != null && entity.Ymm10 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Ymm11)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Ymm11 == null && bytes == null || entity.Ymm11 != null && entity.Ymm11 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Ymm12)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Ymm12 == null && bytes == null || entity.Ymm12 != null && entity.Ymm12 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Ymm13)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Ymm13 == null && bytes == null || entity.Ymm13 != null && entity.Ymm13 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Ymm14)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Ymm14 == null && bytes == null || entity.Ymm14 != null && entity.Ymm14 == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Ymm15)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Ymm15 == null && bytes == null || entity.Ymm15 != null && entity.Ymm15 == bytes;
                return(exp);
            }

            if (registerEqualsCriterion.Register == Register.Exfrom)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Exfrom == null && bytes == null || entity.Exfrom != null && entity.Exfrom == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Exto)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Exto == null && bytes == null || entity.Exto != null && entity.Exto == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Brfrom)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Brfrom == null && bytes == null || entity.Brfrom != null && entity.Brfrom == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Brto)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Brto == null && bytes == null || entity.Brto != null && entity.Brto == bytes;
                return(exp);
            }

            if (registerEqualsCriterion.Register == Register.Fopcode)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Fopcode == null && bytes == null || entity.Fopcode != null && entity.Fopcode == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Fpip)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Fpip == null && bytes == null || entity.Fpip != null && entity.Fpip == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Fpipsel)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Fpipsel == null && bytes == null || entity.Fpipsel != null && entity.Fpipsel == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Fpdp)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Fpdp == null && bytes == null || entity.Fpdp != null && entity.Fpdp == bytes;
                return(exp);
            }
            if (registerEqualsCriterion.Register == Register.Fpdpsel)
            {
                FramePredicateExpression exp = entity =>
                                               entity.Fpdpsel == null && bytes == null || entity.Fpdpsel != null && entity.Fpdpsel == bytes;
                return(exp);
            }
            throw new ArgumentOutOfRangeException(nameof(registerEqualsCriterion), $"Register provided was ${registerEqualsCriterion.Register.Name}, but that is not allowed");
        }