 |
miasm
Reverse engineering framework
|
|
miasm
Reverse engineering framework
|
Public Member Functions | |
| def | __init__ (self, machine, loc_db) |
| def | prepare (self) |
| def | attach (self, emulator) |
| def | handle (self, cur_addr) |
| def | add_handler (self, addr, callback) |
| def | add_lib_handler (self, libimp, namespace) |
| def | add_instrumentation (self, addr, callback) |
| def | callback (self, _) |
| def | take_snapshot (self) |
| def | restore_snapshot (self, snapshot, memory=True) |
| def | update_state (self, assignblk) |
| def | update_state_from_concrete (self, cpu=True, mem=False) |
| def | eval_expr (self, expr) |
| def | symbolize_memory (self, memory_range) |
Static Public Member Functions | |
| def | memory_to_expr (addr) |
Public Attributes | |
| machine | |
| loc_db | |
| handler | |
| instrumentation | |
| addr_to_cacheblocks | |
| ir_arch | |
| ircfg | |
| jitter | |
| symb | |
| Prepare symbexec engines. More... | |
| symb_concrete | |
| mdis | |
Static Public Attributes | |
| SYMB_ENGINE = ESETrackModif | |
Dynamic Symbolic Execution Engine This class aims to be overridden for each specific purpose
| def miasm.analysis.dse.DSEEngine.__init__ | ( | self, | |
| machine, | |||
| loc_db | |||
| ) |
| def miasm.analysis.dse.DSEEngine.add_handler | ( | self, | |
| addr, | |||
| callback | |||
| ) |
Add a @callback for address @addr before any state update. The state IS NOT updated after returning from the callback @addr: int @callback: func(dse instance)
| def miasm.analysis.dse.DSEEngine.add_instrumentation | ( | self, | |
| addr, | |||
| callback | |||
| ) |
Add a @callback for address @addr before any state update. The state IS updated after returning from the callback @addr: int @callback: func(dse instance)
| def miasm.analysis.dse.DSEEngine.add_lib_handler | ( | self, | |
| libimp, | |||
| namespace | |||
| ) |
Add search for handler based on a @libimp libimp instance
Known functions will be looked by {name}_symb or {name}_{ord}_symb in the @namespace
| def miasm.analysis.dse.DSEEngine.attach | ( | self, | |
| emulator | |||
| ) |
Attach the DSE to @emulator
@emulator: jitload (or API equivalent) instance
To attach *DURING A BREAKPOINT*, one may consider using the following snippet:
def breakpoint(self, jitter):
...
dse.attach(jitter)
dse.update...
...
# Additional call to the exec callback is necessary, as breakpoints are
# honored AFTER exec callback
jitter.exec_cb(jitter)
return True
Without it, one may encounteer a DriftException error due to a
"desynchronization" between jitter and dse states. Indeed, on 'handle'
call, the jitter must be one instruction AFTER the dse.
| def miasm.analysis.dse.DSEEngine.callback | ( | self, | |
| _ | |||
| ) |
Called before each instruction
| def miasm.analysis.dse.DSEEngine.eval_expr | ( | self, | |
| expr | |||
| ) |
Return the evaluation of @expr: @expr: Expr instance
| def miasm.analysis.dse.DSEEngine.handle | ( | self, | |
| cur_addr | |||
| ) |
Handle destination @cur_addr: Expr of the next address in concrete execution /!\ cur_addr may be a loc_key In this method, self.symb is in the "just before branching" state
Reimplemented in miasm.analysis.dse.DSEPathConstraint.
|
static |
Translate an address to its corresponding symbolic ID (8bits) @addr: int
| def miasm.analysis.dse.DSEEngine.prepare | ( | self | ) |
Prepare the environment for attachment with a jitter
| def miasm.analysis.dse.DSEEngine.restore_snapshot | ( | self, | |
| snapshot, | |||
memory = True |
|||
| ) |
Restore a @snapshot taken with .take_snapshot @snapshot: .take_snapshot output @memory: (optional) if set, also restore the memory
| def miasm.analysis.dse.DSEEngine.symbolize_memory | ( | self, | |
| memory_range | |||
| ) |
Register a range of memory addresses to symbolize @memory_range: object with support of __in__ operation (intervals, list, ...)
| def miasm.analysis.dse.DSEEngine.take_snapshot | ( | self | ) |
Return a snapshot of the current state (including jitter state)
| def miasm.analysis.dse.DSEEngine.update_state | ( | self, | |
| assignblk | |||
| ) |
From this point, assume @assignblk in the symbolic execution
@assignblk: AssignBlock/{dst -> src}
| def miasm.analysis.dse.DSEEngine.update_state_from_concrete | ( | self, | |
cpu = True, |
|||
mem = False |
|||
| ) |
Update the symbolic state with concrete values from the concrete engine @cpu: (optional) if set, update registers' value @mem: (optional) if set, update memory value /!\ all current states will be loss. This function is usually called when states are no more synchronized (at the beginning, returning from an unstubbed syscall, ...)
| miasm.analysis.dse.DSEEngine.addr_to_cacheblocks |
| miasm.analysis.dse.DSEEngine.handler |
| miasm.analysis.dse.DSEEngine.instrumentation |
| miasm.analysis.dse.DSEEngine.ir_arch |
| miasm.analysis.dse.DSEEngine.ircfg |
| miasm.analysis.dse.DSEEngine.jitter |
| miasm.analysis.dse.DSEEngine.loc_db |
| miasm.analysis.dse.DSEEngine.machine |
| miasm.analysis.dse.DSEEngine.mdis |
| miasm.analysis.dse.DSEEngine.symb |
Prepare symbexec engines.
| miasm.analysis.dse.DSEEngine.symb_concrete |
|
static |
1.8.20