miasm
Reverse engineering framework
miasm.analysis.data_flow Namespace Reference

Classes

class  AssignBlockLivenessInfos
 
class  DeadRemoval
 
class  DelDummyPhi
 
class  DiGraphDefUse
 
class  DiGraphLiveness
 
class  DiGraphLivenessIRA
 
class  DiGraphLivenessSSA
 
class  ExprToGraph
 
class  IRBlockLivenessInfos
 
class  PropagateExpressions
 
class  ReachingDefinitions
 
class  SSADefUse
 
class  State
 
class  UnionFind
 

Functions

def merge_blocks (ircfg, heads)
 
def remove_empty_assignblks (ircfg)
 
def expr_has_mem (expr)
 
def stack_to_reg (expr)
 
def is_stack_access (ir_arch_a, expr)
 
def visitor_get_stack_accesses (ir_arch_a, expr, stack_vars)
 
def get_stack_accesses (ir_arch_a, expr)
 
def get_interval_length (interval_in)
 
def check_expr_below_stack (ir_arch_a, expr)
 
def retrieve_stack_accesses (ir_arch_a, ircfg)
 
def fix_stack_vars (expr, base_to_info)
 
def replace_mem_stack_vars (expr, base_to_info)
 
def replace_stack_vars (ir_arch_a, ircfg)
 
def memlookup_test (expr, bs, is_addr_ro_variable, result)
 
def memlookup_visit (expr, bs, is_addr_ro_variable)
 
def get_memlookup (expr, bs, is_addr_ro_variable)
 
def read_mem (bs, expr)
 
def load_from_int (ir_arch, bs, is_addr_ro_variable)
 
def discard_phi_sources (ircfg, deleted_vars)
 
def get_unreachable_nodes (ircfg, edges_to_del, heads)
 
def update_phi_with_deleted_edges (ircfg, edges_to_del)
 
def del_unused_edges (ircfg, heads)
 
def get_phi_sources (phi_src, phi_dsts, ids_to_src)
 
def replace_expr_from_bottom (expr_orig, dct)
 
def is_mem_sub_part (needle, mem)
 

Variables

dictionary ATTR_DEP
 
 AssignblkNode = namedtuple('AssignblkNode', ['label', 'index', 'var'])
 

Detailed Description

Data flow analysis based on miasm intermediate representation

Function Documentation

◆ check_expr_below_stack()

def miasm.analysis.data_flow.check_expr_below_stack (ir_arch_a, expr)
Return False if expr pointer is below original stack pointer
@ir_arch_a: ira instance
@expr: Expression instance

◆ del_unused_edges()

def miasm.analysis.data_flow.del_unused_edges (ircfg, heads)
Delete inaccessible edges in the @ircfg graph.
@ircfg: IRCFG instance in ssa form
@heads: location of the heads of the graph

◆ discard_phi_sources()

def miasm.analysis.data_flow.discard_phi_sources (ircfg, deleted_vars)
Remove phi sources in @ircfg belonging to @deleted_vars set
@ircfg: IRCFG instance in ssa form
@deleted_vars: unused phi sources

◆ expr_has_mem()

def miasm.analysis.data_flow.expr_has_mem (expr)
Return True if expr contains at least one memory access
@expr: Expr instance

◆ fix_stack_vars()

def miasm.analysis.data_flow.fix_stack_vars (expr, base_to_info)
Replace local stack accesses in expr using information in @base_to_info
@expr: Expression instance
@base_to_info: dictionary linking stack base address to its size/name

◆ get_interval_length()

def miasm.analysis.data_flow.get_interval_length (interval_in)

◆ get_memlookup()

def miasm.analysis.data_flow.get_memlookup (expr, bs, is_addr_ro_variable)

◆ get_phi_sources()

def miasm.analysis.data_flow.get_phi_sources (phi_src, phi_dsts, ids_to_src)
Return False if the @phi_src has more than one non-phi source
Else, return its source
@ids_to_src: Dictionary linking phi source to its definition

◆ get_stack_accesses()

def miasm.analysis.data_flow.get_stack_accesses (ir_arch_a, expr)

◆ get_unreachable_nodes()

def miasm.analysis.data_flow.get_unreachable_nodes (ircfg, edges_to_del, heads)
Return the unreachable nodes starting from heads and the associated edges to
be deleted.

@ircfg: IRCFG instance
@edges_to_del: edges already marked as deleted
@heads: locations of graph heads

◆ is_mem_sub_part()

def miasm.analysis.data_flow.is_mem_sub_part (needle, mem)
If @needle is a sub part of @mem, return the offset of @needle in @mem
Else, return False
@needle: ExprMem
@mem: ExprMem

◆ is_stack_access()

def miasm.analysis.data_flow.is_stack_access (ir_arch_a, expr)

◆ load_from_int()

def miasm.analysis.data_flow.load_from_int (ir_arch, bs, is_addr_ro_variable)
Replace memory read based on constant with static value
@ir_arch: ira instance
@bs: binstream instance
@is_addr_ro_variable: callback(addr, size) to test memory candidate

◆ memlookup_test()

def miasm.analysis.data_flow.memlookup_test (expr, bs, is_addr_ro_variable, result)

◆ memlookup_visit()

def miasm.analysis.data_flow.memlookup_visit (expr, bs, is_addr_ro_variable)

◆ merge_blocks()

def miasm.analysis.data_flow.merge_blocks (ircfg, heads)
This function modifies @ircfg to apply the following transformations:
- group an irblock with its son if the irblock has one and only one son and
  this son has one and only one parent (spaghetti code).
- if an irblock is only made of an assignment to IRDst with a given label,
  this irblock is dropped and its parent destination targets are
  updated. The irblock must have a parent (avoid deleting the function head)
- if an irblock is a head of the graph and is only made of an assignment to
  IRDst with a given label, this irblock is dropped and its son becomes the
  head. References are fixed

This function avoids creating predecessors on heads

Return True if at least one irblock has been modified

@ircfg: IRCFG instance
@heads: loc_key to keep

◆ read_mem()

def miasm.analysis.data_flow.read_mem (bs, expr)

◆ remove_empty_assignblks()

def miasm.analysis.data_flow.remove_empty_assignblks (ircfg)
Remove empty assignblks in irblocks of @ircfg
Return True if at least one irblock has been modified

@ircfg: IRCFG instance

◆ replace_expr_from_bottom()

def miasm.analysis.data_flow.replace_expr_from_bottom (expr_orig, dct)

◆ replace_mem_stack_vars()

def miasm.analysis.data_flow.replace_mem_stack_vars (expr, base_to_info)

◆ replace_stack_vars()

def miasm.analysis.data_flow.replace_stack_vars (ir_arch_a, ircfg)
Try to replace stack based memory accesses by variables.

Hypothesis: the input ircfg must have all its accesses to the stack explicitly
done through the stack register, i.e. every alias on those variables is
resolved.

WARNING: may fail

@ir_arch_a: ira instance
@ircfg: IRCFG instance

◆ retrieve_stack_accesses()

def miasm.analysis.data_flow.retrieve_stack_accesses (ir_arch_a, ircfg)
Walk the ssa graph and find stack based variables.
Return a dictionary linking stack base address to its size/name
@ir_arch_a: ira instance
@ircfg: IRCFG instance

◆ stack_to_reg()

def miasm.analysis.data_flow.stack_to_reg (expr)

◆ update_phi_with_deleted_edges()

def miasm.analysis.data_flow.update_phi_with_deleted_edges (ircfg, edges_to_del)
Update phi nodes which have a source present in @edges_to_del
@ircfg: IRCFG instance in ssa form
@edges_to_del: edges to delete

◆ visitor_get_stack_accesses()

def miasm.analysis.data_flow.visitor_get_stack_accesses (ir_arch_a, expr, stack_vars)

Variable Documentation

◆ AssignblkNode

miasm.analysis.data_flow.AssignblkNode = namedtuple('AssignblkNode', ['label', 'index', 'var'])

◆ ATTR_DEP

dictionary miasm.analysis.data_flow.ATTR_DEP
Initial value:
= {"color" : "black",
   "_type" : "data"}