use of com.google.security.zynamics.reil.algorithms.mono2.common.instructiongraph.interfaces.IInstructionGraphEdge in project binnavi by google.
the class MonoReilSolver method solve.
/**
 * Runs the worklist loop over the instruction graph and returns the collected edge states.
 *
 * <p>The caller-supplied initial states are applied through {@code setState}. Afterwards, for
 * every node taken from the worklist, the states of its relevant edges are combined with the
 * lattice, handed to the transformation provider, and the result is written back through
 * {@code setOutgoingState}.
 *
 * @param transformationProvider Computes the new states for a node from its combined input state.
 * @param initialStates Pairs of edge and lattice element used to seed the state map.
 * @param maximumIteration Iteration budget. It is decremented once per worklist pass.
 *
 * @return The solver result built from the graph, direction, lattice, state map and traversed
 *         edges.
 *
 * @throws IllegalStateException If the iteration budget reaches zero while work is still queued.
 */
@Override
public MonoReilSolverResult<LatticeElementType> solve(
    final ITransformationProvider<LatticeElementType> transformationProvider,
    final Iterable<Pair<IInstructionGraphEdge, LatticeElementType>> initialStates,
    int maximumIteration) {
  Preconditions.checkNotNull(transformationProvider, "Error: transformation provider argument can not be null");
  Preconditions.checkNotNull(initialStates, "Error: initialStates argument can not be null");

  // Seed the solver with the caller's initial edge states.
  // NOTE(review): the worklist is presumably filled as a side effect of setState /
  // setOutgoingState; neither is visible here - confirm.
  for (final Pair<IInstructionGraphEdge, LatticeElementType> seed : initialStates) {
    setState(seed.first(), seed.second());
  }

  while (m_workList.size() > 0) {
    // The budget is the only hard stop if the states never stabilise.
    // NOTE(review): the check is "== 0" after the decrement, so a budget of 1 throws before any
    // node is processed, and a budget <= 0 is never hit until the int wraps around, which
    // effectively disables the cap. Confirm that callers only pass large positive values.
    maximumIteration--;
    if (maximumIteration == 0) {
      throw new IllegalStateException("Solver could not generate a sane result");
    }

    final CComparableInstructionGraphNode currentNode = m_workList.removeFirst();

    // Gather the states already recorded for the edges that feed this node.
    final List<LatticeElementType> inputStates = new ArrayList<LatticeElementType>();
    for (final IInstructionGraphEdge relevantEdge : getRelevantEdges(currentNode)) {
      if (m_stateMap.containsKey(relevantEdge)) {
        inputStates.add(m_stateMap.get(relevantEdge));
      }
    }

    final LatticeElementType mergedInput = m_lattice.combine(inputStates);
    final Pair<LatticeElementType, LatticeElementType> transformedStates =
        transformationProvider.transform(currentNode.getNode(), mergedInput);
    setOutgoingState(currentNode.getNode(), transformedStates);
  }

  return new MonoReilSolverResult<LatticeElementType>(m_graph, m_direction, m_lattice, m_stateMap, m_traversedEdges);
}
use of com.google.security.zynamics.reil.algorithms.mono2.common.instructiongraph.interfaces.IInstructionGraphEdge in project binnavi by google.
the class MonoReilSolverResult method generateAddressToStateMapping.
/**
* Collect lattice results and generate a map which associates a lattice result with each address.
*
* @param startInstruction The instruction where collecting the results is started.
* @param trackIncoming Flag whether to start collecting immediately before or after the start
* instruction.
*
* @return The map which associates addresses with lattice results.
*/
@Override
public Map<IAddress, LatticeElementType> generateAddressToStateMapping(
    final IInstruction startInstruction, final boolean trackIncoming) {
  // TreeMap keeps the returned mapping ordered by address.
  final Map<IAddress, LatticeElementType> statesByAddress = new TreeMap<>();

  for (final Iterator<Pair<IInstructionGraphEdge, LatticeElementType>> results = resultIterator();
      results.hasNext();) {
    final Pair<IInstructionGraphEdge, LatticeElementType> entry = results.next();
    final IInstructionGraphEdge edge = entry.first();
    final LatticeElementType state = entry.second();

    // Only edges flagged as instruction exits contribute to the per-address view.
    if (!edge.isInstructionExit()) {
      continue;
    }

    if (hasResult(edge)) {
      // Attribute the state to the edge's source when analysing downwards, otherwise to its
      // destination.
      final IAddress address = direction == AnalysisDirection.DOWN
          ? graph.getSource(edge).getReilInstruction().getAddress()
          : graph.getDestination(edge).getReilInstruction().getAddress();

      if (!statesByAddress.containsKey(address)) {
        statesByAddress.put(address, state);
      } else {
        // Several exit edges can map to one address: merge the new state with the stored one
        // instead of overwriting it.
        final ArrayList<LatticeElementType> toMerge = new ArrayList<>();
        toMerge.add(state);
        toMerge.add(statesByAddress.get(address));
        statesByAddress.put(address, lattice.combine(toMerge));
      }
    } else if (ReilHelpers.toNativeAddress(graph.getSource(edge).getReilInstruction().getAddress()).equals(startInstruction.getAddress())
        && (direction == AnalysisDirection.DOWN)
        && !trackIncoming) {
      // Edge without a result that leaves the start instruction (downward, outgoing tracking).
      final IAddress address = graph.getSource(edge).getReilInstruction().getAddress();
      statesByAddress.put(address, state);
    } else if (ReilHelpers.toNativeAddress(graph.getDestination(edge).getReilInstruction().getAddress()).equals(startInstruction.getAddress())
        && (direction == AnalysisDirection.UP)
        && trackIncoming) {
      // Edge without a result that enters the start instruction (upward, incoming tracking).
      final IAddress address = graph.getDestination(edge).getReilInstruction().getAddress();
      statesByAddress.put(address, state);
    }
  }

  return statesByAddress;
}
use of com.google.security.zynamics.reil.algorithms.mono2.common.instructiongraph.interfaces.IInstructionGraphEdge in project binnavi by google.
the class CReilInstructionGraph method getIncomingEdgesForAddress.
/**
* Convenience method to obtain the edge in the ReilInstructionGraph that corresponds to ENTERING
* a particular native instruction
*
* @param nativeInstructionAddress The address of the native instruction
*
* @return The edge corresponding to entering the native instruction
*/
public Iterable<IInstructionGraphEdge> getIncomingEdgesForAddress(final IAddress nativeInstructionAddress) {
  final ArrayList<IInstructionGraphEdge> matchingEdges = new ArrayList<IInstructionGraphEdge>();

  for (final EdgeCursor cursor = m_internalGraph.edges(); cursor.ok(); cursor.next()) {
    final Edge candidate = (Edge) cursor.current();
    final long reilTarget =
        m_nodesMap.get(candidate.target()).getReilInstruction().getAddress().toLong();

    // Dropping the low 8 bits of the REIL address is compared against the native address.
    // NOTE(review): only the target is inspected, so an edge between two REIL instructions of
    // the same native instruction would match as well; getOutgoingEdgesForAddress additionally
    // requires (target & 0xFF) == 0. Confirm this asymmetry is intended.
    final boolean targetsNativeInstruction =
        (reilTarget >> 8) == nativeInstructionAddress.toLong();
    if (targetsNativeInstruction) {
      matchingEdges.add(m_edgesMap.get(candidate));
    }
  }

  return matchingEdges;
}
use of com.google.security.zynamics.reil.algorithms.mono2.common.instructiongraph.interfaces.IInstructionGraphEdge in project binnavi by google.
the class RegisterTracker method track.
/**
* Function to do register tracking.
*
* @param function The {@link ReilFunction} in which to do the register tracking.
* @param startInstruction The {@link IInstruction} which is the start instruction.
* @param trackedRegister The register to be tracked.
* @param options The {@link RegisterTrackingOptions}.
*
* @return The {@link MonoReilSolverResult} of the tracking.
*/
public static MonoReilSolverResult<RegisterSetLatticeElement> track(
    final ReilFunction function,
    final IInstruction startInstruction,
    final String trackedRegister,
    final RegisterTrackingOptions options) {
  Preconditions.checkNotNull(function, "Error: function argument can not be null");
  Preconditions.checkNotNull(startInstruction, "Error: startInstruction argument can not be null");
  Preconditions.checkNotNull(trackedRegister, "Error: trackedRegister argument can not be null");
  Preconditions.checkNotNull(options, "Error: options argument can not be null");

  final CReilInstructionGraph graph = new CReilInstructionGraph(function.getGraph());
  final RegisterSetLatticeElement seedElement = new RegisterSetLatticeElement(trackedRegister);
  final MonoReilSolver<RegisterSetLatticeElement> solver =
      new MonoReilSolver<RegisterSetLatticeElement>(
          graph, options.getAnalysisDirection(), new RegisterSetLattice());

  // Tracking starts either on the edges entering or on the edges leaving the start instruction.
  final Iterable<IInstructionGraphEdge> startEdges;
  if (options.trackIncoming()) {
    startEdges = graph.getIncomingEdgesForAddress(startInstruction.getAddress());
  } else {
    startEdges = graph.getOutgoingEdgesForAddress(startInstruction.getAddress());
  }

  // Every start edge is seeded with the same lattice element instance.
  final List<Pair<IInstructionGraphEdge, RegisterSetLatticeElement>> seeds =
      new ArrayList<Pair<IInstructionGraphEdge, RegisterSetLatticeElement>>();
  for (final IInstructionGraphEdge startEdge : startEdges) {
    seeds.add(new Pair<IInstructionGraphEdge, RegisterSetLatticeElement>(startEdge, seedElement));
  }

  final ITransformationProvider<RegisterSetLatticeElement> provider =
      new RegisterTrackingTransformationProvider(options);

  // Integer.MAX_VALUE leaves the solver's iteration budget practically unlimited, so termination
  // depends on the analysis converging.
  // NOTE(review): consider a finite budget when the analysed function comes from an untrusted
  // binary.
  return solver.solve(provider, seeds, Integer.MAX_VALUE);
}
use of com.google.security.zynamics.reil.algorithms.mono2.common.instructiongraph.interfaces.IInstructionGraphEdge in project binnavi by google.
the class CReilInstructionGraph method getOutgoingEdgesForAddress.
/**
* Convenience method to obtain the edge in the ReilInstructionGraph that corresponds to LEAVING a
* particular native instruction
*
* @param nativeInstructionAddress The address of the native instruction
*
* @return The edges corresponding to leaving the native instruction
*/
public Iterable<IInstructionGraphEdge> getOutgoingEdgesForAddress(final IAddress nativeInstructionAddress) {
  final ArrayList<IInstructionGraphEdge> leavingEdges = new ArrayList<IInstructionGraphEdge>();

  for (final EdgeCursor cursor = m_internalGraph.edges(); cursor.ok(); cursor.next()) {
    final Edge candidate = (Edge) cursor.current();
    final long reilSource =
        m_nodesMap.get(candidate.source()).getReilInstruction().getAddress().toLong();
    final long reilTarget =
        m_nodesMap.get(candidate.target()).getReilInstruction().getAddress().toLong();

    // An edge leaves the native instruction when its target has a zero low byte and its source,
    // with the low 8 bits dropped, equals the requested native address.
    // NOTE(review): a zero low byte presumably marks the first REIL instruction of a native
    // instruction - confirm against the REIL address layout.
    final boolean targetHasZeroOffset = (reilTarget & 0xFF) == 0;
    final boolean sourceInNativeInstruction =
        (reilSource >> 8) == nativeInstructionAddress.toLong();
    if (targetHasZeroOffset && sourceInNativeInstruction) {
      leavingEdges.add(m_edgesMap.get(candidate));
    }
  }

  return leavingEdges;
}