public void HPSC_DiscardNodes() { Given_Image32( 0x0010000, "55 8B EC a1 32 12 1a 12 5D c3"); Given_x86_32(); Given_RewriterHost(); Given_NoImportedProcedures(); mr.ReplayAll(); When_DisassembleProcedure(); var hps = new HeuristicProcedureScanner(program, proc, host); hps.BlockConflictResolution(); var sExp = #region Expected @"l00010000: // pred: push ebp l00010001: // pred: l00010000 mov ebp,esp l00010003: // pred: l00010001 mov eax,[121A1232] l00010008: // pred: l00010003 pop ebp l00010009: // pred: l00010008 ret "; #endregion AssertBlocks(sExp, proc.Cfg); }
/// Plan of attack: /// In each unscanned "hole", look for signatures of procedure entries. /// These are procedure entry candidates. /// Scan each of the procedure entry candidates heuristically. /// /// Next scan all executable code segments for: /// - calls that reach those candidates /// - jmps to those candidates /// - pointers to those candidates. /// Each time we find a call, we increase the score of the candidate. /// At the end we have a list of scored candidates. public void ScanImageHeuristically() { var sw = new Stopwatch(); sw.Start(); var list = new List<HeuristicBlock>(); var ranges = FindUnscannedRanges(); var fnRanges = FindPossibleFunctions(ranges).ToList(); int n = 0; foreach (var range in fnRanges) { var hproc = DisassembleProcedure(range.Item1, range.Item2); var hps = new HeuristicProcedureScanner(program, hproc, host); hps.BlockConflictResolution(); DumpBlocks(hproc.Cfg.Nodes); hps.GapResolution(); // TODO: add all guessed code to image map -- clearly labelled. AddBlocks(hproc); list.AddRange(hproc.Cfg.Nodes); eventListener.ShowProgress("Estimating procedures", n, fnRanges.Count); ++n; } eventListener.Warn( new Reko.Core.Services.NullCodeLocation("Heuristics"), string.Format("Scanned image in {0} seconds, finding {1} blocks.", sw.Elapsed.TotalSeconds, list.Count)); list.ToString(); }
/// Plan of attack: /// In each unscanned "hole", look for signatures of procedure entries. /// These are procedure entry candidates. /// Scan each of the procedure entry candidates heuristically. /// /// Next scan all executable code segments for: /// - calls that reach those candidates /// - jmps to those candidates /// - pointers to those candidates. /// Each time we find a call, we increase the score of the candidate. /// At the end we have a list of scored candidates. public void ScanImageHeuristically() { var ranges = FindUnscannedRanges(); foreach (var range in FindPossibleFunctions(ranges)) { var hproc = DisassembleProcedure(range.Item1, range.Item2); var hps = new HeuristicProcedureScanner(program, hproc); hps.BlockConflictResolution(); hps.GapResolution(); // TODO: add all guessed code to image map -- clearly labelled. } }
public void HPSC_TrickyProc() { Given_Image32(0x0010000, TrickyProc); program.SegmentMap.AddSegment(new ImageSegment( "code", new MemoryArea(Address.Ptr32(0x11750000), new byte[100]), AccessMode.ReadExecute)); Given_x86_32(); Given_RewriterHost(); Given_NoImportedProcedures(); mr.ReplayAll(); When_DisassembleProcedure(); var hps = new HeuristicProcedureScanner(program, CreateScanResults(proc.Cfg), proc.IsValidAddress, host); hps.BlockConflictResolution(proc.BeginAddress); var sExp = #region Expected @"l00010000: // pred: push ebp l00010001: // pred: l00010000 mov ebp,esp l00010003: // pred: l00010001 call 11750008 l0001000A: // pred: cmp al,00 l0001000C: // pred: l0001000A jnz 00010014 l0001000E: // pred: l0001000C mov al,00 l00010010: // pred: l0001000E jmp 00010019 l00010014: // pred: l0001000C mov eax,[01740000] l00010019: // pred: l00010010 l00010014 mov esp,ebp l0001001B: // pred: l00010019 pop ebp l0001001C: // pred: l0001001B ret "; #endregion AssertBlocks(sExp, proc.Cfg); }
public void HPSC_TrickyProc() { Given_Image32(0x0010000, TrickyProc); Given_x86_32(); Given_RewriterHost(); Given_NoImportedProcedures(); mr.ReplayAll(); When_DisassembleProcedure(); var hps = new HeuristicProcedureScanner(program, proc, host); hps.BlockConflictResolution(); var sExp = #region Expected @"l00010000: // pred: push ebp l00010001: // pred: l00010000 mov ebp,esp l00010003: // pred: l00010001 call 11750008 l0001000A: // pred: cmp al,00 l0001000C: // pred: l0001000A jnz 00010014 l0001000E: // pred: l0001000C mov al,00 l00010010: // pred: l0001000E jmp 00010019 l00010014: // pred: l0001000C mov eax,[01740000] l00010019: // pred: l00010010 l00010014 mov esp,ebp l0001001B: // pred: l00010019 pop ebp l0001001C: // pred: l0001001B ret l0001001D: // pred: nop "; #endregion AssertBlocks(sExp, proc.Cfg); }
[Test] public void HPSC_TrickyProc() { Given_Image32(0x0010000, TrickyProc); Given_x86_32(); Given_RewriterHost(); Given_NoImportedProcedures(); mr.ReplayAll(); When_DisassembleProcedure(); var hps = new HeuristicProcedureScanner(prog, proc); hps.BlockConflictResolution(); var sExp = #region Expected @"l00010000: // pred: push ebp l00010001: // pred: l00010000 mov ebp,esp l00010003: // pred: l00010001 call 11750008 l0001000A: // pred: cmp al,00 l0001000C: // pred: l0001000A jnz 00010014 l0001000E: // pred: l0001000C mov al,00 l00010010: // pred: l0001000E jmp 00010019 l00010014: // pred: l0001000C mov eax,[01740000] l00010019: // pred: l00010010 l00010014 mov esp,ebp l0001001B: // pred: l00010019 pop ebp l0001001C: // pred: l0001001B ret "; #endregion AssertBlocks(sExp, proc.Cfg);
[Test] public void HPSC_DiscardNodes() { Given_Image32( 0x0010000, "55 8B EC a1 32 12 1a 12 5D c3"); Given_x86_32(); Given_RewriterHost(); Given_NoImportedProcedures(); mr.ReplayAll(); When_DisassembleProcedure(); var hps = new HeuristicProcedureScanner(prog, proc); hps.BlockConflictResolution(); var sExp = #region Expected @"l00010000: // pred: push ebp l00010001: // pred: l00010000 mov ebp,esp l00010003: // pred: l00010001 mov eax,[121A1232] l00010008: // pred: l00010003 pop ebp l00010009: // pred: l00010008 ret "; #endregion AssertBlocks(sExp, proc.Cfg);