access_c Namespace Reference

Classes
class	MyCHandler
class	MyExprToAccessC

Functions
def	find_call (ircfg)
def	get_funcs_arg0 (ctx, ira, ircfg, lbl_head)

Variables
	loc_db = LocationDB()
	data = open(sys.argv[1], 'rb').read()
string	text
	base_types = CTypeAMD64_unk()
	types_ast = CAstTypes()
	types_mngr = CTypesManagerNotPacked(types_ast, base_types)
	cont = Container.fallback_container(data, None, addr=0)
	machine = Machine("x86_64")
	dis_engine
	ira
	mdis = dis_engine(cont.bin_stream, loc_db=loc_db)
int	addr_head = 0
	asmcfg = mdis.dis_multiblock(addr_head)
	lbl_head = loc_db.get_offset_location(addr_head)
	ir_arch_a = ira(loc_db)
	ircfg = ir_arch_a.new_ircfg_from_asmcfg(asmcfg)
	ptr_llhuman = types_mngr.get_objc(CTypePtr(CTypeStruct('ll_human')))
	arg0 = ExprId('ptr', 64)
dictionary	ctx = {ir_arch_a.arch.regs.RDI: arg0}
dictionary	expr_types
	mychandler = MyCHandler(types_mngr, expr_types)

Detailed Description

This example demonstrates the recovering of possible C types for an arbitrary
variable in an assembly code (the types are inferred from the function
argument types). It also displays the C code used to access this variable.

Input:
* definitions of the C types that can be used by the code
* layout of structures (packed/not packed)
* prototype of the analyzed function

Algorithm:
The DepGraph of the target variable is computed, which gives possible
expressions for this variable. For each DepGraph solution, if the expression
depends on typed arguments, the code infers the variable type and displays the C
code to access this variable.


Here be dragons:
For the moment, Miasm can infer C types (and generate C) for simple expressions.
To summarize, Miasm only supports accesses that do not involve arithmetic or
conditional expressions such as the following:
* var1.field
* var1[12][4]
* *(var1.field->tab[4])

Unsupported forms:
* var1 + var2
* var1[var2+4]
* var1?var2->field:6

In the following example, we have an explicit cast for "age", from uint16_t to
uint64_t, and for "height", from uint32_t to uint64_t. We are adding a naive
reduction rule to support such a cast.

First, in the type inference engine:
ExprCompose(int, 0) => int
Then, in the C generator:
ExprCompose(var1, 0) => var1

Function Documentation

find_call()

def access_c.find_call

(

ircfg

)

Returns (irb, index) which call

Here is the caller graph for this function:

get_funcs_arg0()

def access_c.get_funcs_arg0	(		ctx,
			ira,
			ircfg,
			lbl_head
	)

Compute DependencyGraph on the func @lbl_head

Here is the call graph for this function:

Variable Documentation

addr_head

int access_c.addr_head = 0

arg0

access_c.arg0 = ExprId('ptr', 64)

asmcfg

access_c.asmcfg = mdis.dis_multiblock(addr_head)

base_types

access_c.base_types = CTypeAMD64_unk()

cont

access_c.cont = Container.fallback_container(data, None, addr=0)

ctx

dictionary access_c.ctx = {ir_arch_a.arch.regs.RDI: arg0}

data

access_c.data = open(sys.argv[1], 'rb').read()

dis_engine

access_c.dis_engine

expr_types

dictionary access_c.expr_types

Initial value:

=  {arg0: (ptr_llhuman,),
              ExprInt(0x8A, 64): (ptr_llhuman,)}

ir_arch_a

access_c.ir_arch_a = ira(loc_db)

ira

access_c.ira

ircfg

access_c.ircfg = ir_arch_a.new_ircfg_from_asmcfg(asmcfg)

lbl_head

access_c.lbl_head = loc_db.get_offset_location(addr_head)

loc_db

access_c.loc_db = LocationDB()

machine

access_c.machine = Machine("x86_64")

mdis

access_c.mdis = dis_engine(cont.bin_stream, loc_db=loc_db)

mychandler

access_c.mychandler = MyCHandler(types_mngr, expr_types)

ptr_llhuman

access_c.ptr_llhuman = types_mngr.get_objc(CTypePtr(CTypeStruct('ll_human')))

text

string access_c.text

Initial value:

=  """
struct human {
        unsigned short age;
        unsigned int height;
        char name[50];
};
 
struct ll_human {
        struct ll_human* next;
        struct human human;
};
"""

types_ast

access_c.types_ast = CAstTypes()

types_mngr

access_c.types_mngr = CTypesManagerNotPacked(types_ast, base_types)