---

heuristic.cpp

Go to the documentation of this file.

/*
PeRdr - PE file disassembler
Copyright (C) 1999-2003 Frediano Ziglio
-----

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-----

INFORMATION
  www: https://freddy77.tripod.com/perdr/
  e-mail: freddy77@angelfire.com
*/
#include "global.h"
#ifdef HAVE_HDRSTOP
#pragma hdrstop
#endif

#include "heuristic.h"

using namespace std;

THeuristicMotor::THeuristicMotor(const CodeParser& codeInfo)
{
  // numero consecutivo di indirizzi a codice
//  unsigned numAddress = 0;
//  vector<vma_t> lastAddress;

  FOR_EACH_SECTION_CODE_BEGIN(codeInfo.module,p)
    vma_t address = (*p).begin;
    vma_t end     = (*p).end;
    for(; address<end; )
    {
      bool processed = false;
      // salta istruzioni gia' processate
      int len = 1,l;
      if ( (l=codeInfo.byteInfo.GetIstrLen(address)) != 0)
      {
        len = l;
        processed = true;
        // se non e' istruzione non processare
        // se sono data sono gia' stati processati
        if (codeInfo.byteInfo[address].GetType() != ByteInfo::typeInstruction)
        {
          address += len;
          continue;
        }
        //address += (len-1);
        //continue;
      }

        Instruction instruction;
        int res = GetInstruction(*codeInfo.module,address,instruction);

        // !!! size constant
        if (res > addr_bytes)
        {
          enum FlowTypes flow = instruction.GetFlowType();
          switch (flow)
          {
          case FLOW_CALL:
            _PRG_ASSERT(instruction.numArg == 1);
            // !!! constant
            // !!! questo primo test serve perche' non si prendano anche certi
            // prefissi che potrebbero appertenere ad altre istruzioni
            if (res==5 && instruction.Args[0].type == Param::t_literal)
            {
              if (codeInfo.module->GetSection(instruction.Args[0].literal)->IsCode())
                constCallCount[instruction.Args[0].literal].push_back(address+res);
            }
            if (codeInfo.IsApiReference(instruction.Args[0]))
            {
              callApi.insert(address+res);
            }
          case FLOW_JUMP:
//          if (IsApiReference(instruction.Args[0]))
//          {
//            callApi.insert();
//          }
            break;
          }
        }

        // processa argomenti memoria per vedere riferimenti costanti
        for (int n=0; n < instruction.numArg; ++n)
          if (instruction.Args[n].GetType() == Param::t_memory)
          {
            // se argomento [xxx] aggiungi alla lista
            Param &param = instruction.Args[n];
            if (param.mem_reg1 == null_reg && param.mem_reg2 == null_reg)
            {
              if (codeInfo.ContainValidAddress(param))
                globalVarCount[param.literal].push_back(address+res);
            }
          }
/*
      // !!! la scansione di tutti gli indirizzi non mi sembra molto "euristica"
      // processa puntatori nel codice e nei dati
      for(;;)
      {
        if (processed)
          break;

        // test non occupato
        vma_t addr;
        if (::byteInfo.IsOccupied(address,addr_bytes))
          break;

        // test relocation
        if (hasRelocation && relocationInfos.GetRelocationType(address) == Relocation::relNone)
          break;

        // test indirizzo valido
        addr = module->ReadDword(address);
        if (!hasRelocation && !module->IsValid(addr))
          break;

        // inserisci indirizzo in costanti
        addrConstants.insert(addr);
        break;
      }
*/
      address += len;
    }
  FOR_EACH_SECTION_CODE_END(module,p)
}

bool THeuristicMotor::Process(unsigned minimun,enum ByteInfo::TPriority priority,CodeParser& codeInfo)
{
  // !!! 1 e 3 problemi con AddTempFlow
  //1- chiamate call costante con costante che e' gia' stata chiamata.
  //   (rientra nel caso 2 se chiamata fissa)
  //*2- chiamate call costante con costante che si trova piu volte (>1).
  //*3- jmp/chiamata ad export api o api export (gia' in 1??)
  //   (se call istruzioni seguenti)
  //4- chiamate call costante con costante che si trova una volta (non sicuro).
  //5- Costanti generiche. Verificare che non siano stringhe (non sicuro).
  //6-? Costanti che puntano al codice (non sicuro).

  // processa chiamate a chiamate a api
  while(callApi.begin() != callApi.end())
  {
    // toglie primo elemento
    vma_t address = *callApi.begin();
    callApi.erase(callApi.begin());

    // scandisce a partire da dopo la chiamata

    codeInfo.CheckCodeRecursively(address,priority,false);
  }

  unsigned maxConstCount = 0;
  FOR_EACH_BEGIN(TConstCallCount,constCallCount,p)
    if ( (*p).second.size() > maxConstCount )
      maxConstCount = (*p).second.size();
  FOR_EACH_END(TConstCallCount,constCallCount,p)

  // dividere in due procedure (stesse variabili)
  FOR_EACH_BEGIN(TConstCallCount,globalVarCount,p)
    if ( (*p).second.size() > maxConstCount )
      maxConstCount = (*p).second.size();
  FOR_EACH_END(TConstCallCount,globalVarCount,p)

  // !!! more checks for 1 ??
  // for unsecure heuristic check for validity of code following all calls
  bool bResult = false;;
  if (maxConstCount >= minimun)
  {
    maxConstCount = f77_min(maxConstCount,4u); // 4 or more is secure
    // !!! usare remove_if ??
    bool bFinded;
    do
    {
      bFinded = false;
      FOR_EACH_BEGIN(TConstCallCount,constCallCount,p)
        if ( (*p).second.size() >= maxConstCount )
        {
          codeInfo.CheckCodeRecursively((*p).first,priority);
          FOR_EACH_BEGIN(TAddress,(*p).second,i)
            // scandisce a iniziare dopo la chiamata senza settare Label
            codeInfo.CheckCodeRecursively(*i,priority,false);
          FOR_EACH_END(TAddress,(*p).second,i)
          constCallCount.erase(p);
          bFinded = true;
          bResult = true;
          break;
        }
      FOR_EACH_END(TConstCallCount,(*constCallCount),p)
    } while (bFinded);

    // scan data references
    do
    {
      bFinded = false;
      FOR_EACH_BEGIN(TConstCallCount,globalVarCount,p)
        if ( (*p).second.size() >= maxConstCount )
        {
          // !!! non testare dall'indirizzo (dati presenti)
          FOR_EACH_BEGIN(TAddress,(*p).second,i)
            // scandisce a iniziare dopo la chiamata senza settare Label
            codeInfo.CheckCodeRecursively(*i,priority,false);
          FOR_EACH_END(TAddress,(*p).second,i)
          globalVarCount.erase(p);
          bFinded = true;
          bResult = true;
          break;
        }
      FOR_EACH_END(TConstCallCount,globalVarCount,p)
    } while (bFinded);
  }
  return bResult;
}

---