private IEnumerable <Address> FindPossibleProcedureEntries(Address addrBegin, Address addrEnd)
{
var pattern = new byte[] { 0x55, 0x8B, 0xEC }; //$TODO: platform-dependent.
var search = new AhoCorasickSearch <byte>(new[] { pattern }, true, true);
return(search.GetMatchPositions(prog.Image.Bytes)
.Select(i => prog.Image.BaseAddress + i));
}
/// <summary>
/// Looks for byte patterns that look like procedure entries.
/// </summary>
/// <param name="addrBegin"></param>
/// <param name="addrEnd"></param>
/// <returns></returns>
public IEnumerable <Address> FindPossibleProcedureEntries(MemoryArea mem, Address addrBegin, Address addrEnd)
{
var h = program.Platform.Heuristics;
if (h.ProcedurePrologs == null || h.ProcedurePrologs.Length == 0)
{
return(new Address[0]);
}
byte[] pattern = h.ProcedurePrologs[0].Bytes;
var search = new AhoCorasickSearch <byte>(new[] { pattern }, true, true);
return(search.GetMatchPositions(mem.Bytes)
.Select(i => mem.BaseAddress + i));
}