---

THeuristicMotor Class Reference

#include <heuristic.h>

List of all members.

Public Methods
	THeuristicMotor (const CodeParser &codeInfo)
bool	ProcessSecure (CodeParser &codeInfo)
bool	ProcessUnsecure (CodeParser &codeInfo)
Protected Types
typedef std::list< vma_t >	TAddress
typedef std::map< vma_t, TAddress, std::less< vma_t > >	TConstCallCount
Protected Attributes
TConstCallCount	constCallCount
TConstCallCount	globalVarCount
TAddresses	callApi
Private Methods
bool	Process (unsigned minimun, enum ByteInfo::TPriority priority, CodeParser &codeInfo)

---

Member Typedef Documentation

typedef std::list<vma_t> THeuristicMotor::TAddress [protected]

Definition at line 40 of file heuristic.h. Referenced by Process().

typedef std::map< vma_t, TAddress, std::less<vma_t> > THeuristicMotor::TConstCallCount [protected]

Definition at line 41 of file heuristic.h. Referenced by Process().

---

Constructor & Destructor Documentation

THeuristicMotor::THeuristicMotor (  const CodeParser &    codeInfo )

Definition at line 34 of file heuristic.cpp. References _PRG_ASSERT, Instruction::Args, CodeInfo::byteInfo, callApi, constCallCount, CodeParser::ContainValidAddress(), FLOW_CALL, FLOW_JUMP, FlowTypes, FOR_EACH_SECTION_CODE_BEGIN, FOR_EACH_SECTION_CODE_END, Instruction::GetFlowType(), GetInstruction(), ByteInfos::GetIstrLen(), ObjectModule::GetSection(), Param::GetType(), globalVarCount, CodeParser::IsApiReference(), Param::literal, Param::mem_reg1, Param::mem_reg2, CodeInfo::module, null_reg, Instruction::numArg, Param::t_literal, Param::t_memory, Param::type, ByteInfo::typeInstruction, and vma_t. { // numero consecutivo di indirizzi a codice // unsigned numAddress = 0; // vector<vma_t> lastAddress; FOR_EACH_SECTION_CODE_BEGIN(codeInfo.module,p) vma_t address = (*p).begin; vma_t end = (*p).end; for(; address<end; ) { bool processed = false; // salta istruzioni gia' processate int len = 1,l; if ( (l=codeInfo.byteInfo.GetIstrLen(address)) != 0) { len = l; processed = true; // se non e' istruzione non processare // se sono data sono gia' stati processati if (codeInfo.byteInfo[address].GetType() != ByteInfo::typeInstruction) { address += len; continue; } //address += (len-1); //continue; } Instruction instruction; int res = GetInstruction(*codeInfo.module,address,instruction); // !!! size constant if (res > addr_bytes) { enum FlowTypes flow = instruction.GetFlowType(); switch (flow) { case FLOW_CALL: _PRG_ASSERT(instruction.numArg == 1); // !!! constant // !!! questo primo test serve perche' non si prendano anche certi // prefissi che potrebbero appertenere ad altre istruzioni if (res==5 && instruction.Args[0].type == Param::t_literal) { if (codeInfo.module->GetSection(instruction.Args[0].literal)->IsCode()) constCallCount[instruction.Args[0].literal].push_back(address+res); } if (codeInfo.IsApiReference(instruction.Args[0])) { callApi.insert(address+res); } case FLOW_JUMP: // if (IsApiReference(instruction.Args[0])) // { // callApi.insert(); // } break; } } // processa argomenti memoria per vedere riferimenti costanti for (int n=0; n < instruction.numArg; ++n) if (instruction.Args[n].GetType() == Param::t_memory) { // se argomento [xxx] aggiungi alla lista Param &param = instruction.Args[n]; if (param.mem_reg1 == null_reg && param.mem_reg2 == null_reg) { if (codeInfo.ContainValidAddress(param)) globalVarCount[param.literal].push_back(address+res); } } /* // !!! la scansione di tutti gli indirizzi non mi sembra molto "euristica" // processa puntatori nel codice e nei dati for(;;) { if (processed) break; // test non occupato vma_t addr; if (::byteInfo.IsOccupied(address,addr_bytes)) break; // test relocation if (hasRelocation && relocationInfos.GetRelocationType(address) == Relocation::relNone) break; // test indirizzo valido addr = module->ReadDword(address); if (!hasRelocation && !module->IsValid(addr)) break; // inserisci indirizzo in costanti addrConstants.insert(addr); break; } */ address += len; } FOR_EACH_SECTION_CODE_END(module,p) }

---

Member Function Documentation

bool THeuristicMotor::Process (  unsigned    minimun, enum ByteInfo::TPriority    priority, CodeParser &    codeInfo )  [private]

Definition at line 139 of file heuristic.cpp. References callApi, CodeParser::CheckCodeRecursively(), constCallCount, f77_min(), FOR_EACH_BEGIN, FOR_EACH_END, globalVarCount, TAddress, TConstCallCount, ByteInfo::TPriority, and vma_t. Referenced by ProcessSecure(), and ProcessUnsecure(). { // !!! 1 e 3 problemi con AddTempFlow //1- chiamate call costante con costante che e' gia' stata chiamata. // (rientra nel caso 2 se chiamata fissa) //*2- chiamate call costante con costante che si trova piu volte (>1). //*3- jmp/chiamata ad export api o api export (gia' in 1??) // (se call istruzioni seguenti) //4- chiamate call costante con costante che si trova una volta (non sicuro). //5- Costanti generiche. Verificare che non siano stringhe (non sicuro). //6-? Costanti che puntano al codice (non sicuro). // processa chiamate a chiamate a api while(callApi.begin() != callApi.end()) { // toglie primo elemento vma_t address = *callApi.begin(); callApi.erase(callApi.begin()); // scandisce a partire da dopo la chiamata codeInfo.CheckCodeRecursively(address,priority,false); } unsigned maxConstCount = 0; FOR_EACH_BEGIN(TConstCallCount,constCallCount,p) if ( (*p).second.size() > maxConstCount ) maxConstCount = (*p).second.size(); FOR_EACH_END(TConstCallCount,constCallCount,p) // dividere in due procedure (stesse variabili) FOR_EACH_BEGIN(TConstCallCount,globalVarCount,p) if ( (*p).second.size() > maxConstCount ) maxConstCount = (*p).second.size(); FOR_EACH_END(TConstCallCount,globalVarCount,p) // !!! more checks for 1 ?? // for unsecure heuristic check for validity of code following all calls bool bResult = false;; if (maxConstCount >= minimun) { maxConstCount = f77_min(maxConstCount,4u); // 4 or more is secure // !!! usare remove_if ?? bool bFinded; do { bFinded = false; FOR_EACH_BEGIN(TConstCallCount,constCallCount,p) if ( (*p).second.size() >= maxConstCount ) { codeInfo.CheckCodeRecursively((*p).first,priority); FOR_EACH_BEGIN(TAddress,(*p).second,i) // scandisce a iniziare dopo la chiamata senza settare Label codeInfo.CheckCodeRecursively(*i,priority,false); FOR_EACH_END(TAddress,(*p).second,i) constCallCount.erase(p); bFinded = true; bResult = true; break; } FOR_EACH_END(TConstCallCount,(*constCallCount),p) } while (bFinded); // scan data references do { bFinded = false; FOR_EACH_BEGIN(TConstCallCount,globalVarCount,p) if ( (*p).second.size() >= maxConstCount ) { // !!! non testare dall'indirizzo (dati presenti) FOR_EACH_BEGIN(TAddress,(*p).second,i) // scandisce a iniziare dopo la chiamata senza settare Label codeInfo.CheckCodeRecursively(*i,priority,false); FOR_EACH_END(TAddress,(*p).second,i) globalVarCount.erase(p); bFinded = true; bResult = true; break; } FOR_EACH_END(TConstCallCount,globalVarCount,p) } while (bFinded); } return bResult; }

bool THeuristicMotor::ProcessSecure (  CodeParser &    codeInfo )  [inline]

Definition at line 35 of file heuristic.h. References ByteInfo::priSafeHeuristics, and Process(). { return Process(2,ByteInfo::priSafeHeuristics,codeInfo); };

bool THeuristicMotor::ProcessUnsecure (  CodeParser &    codeInfo )  [inline]

Definition at line 37 of file heuristic.h. References ByteInfo::priHeuristics, and Process(). { return Process(1,ByteInfo::priHeuristics,codeInfo); };

---

Member Data Documentation

TAddresses THeuristicMotor::callApi [protected]

Definition at line 44 of file heuristic.h. Referenced by Process(), and THeuristicMotor().

TConstCallCount THeuristicMotor::constCallCount [protected]

Definition at line 42 of file heuristic.h. Referenced by Process(), and THeuristicMotor().

TConstCallCount THeuristicMotor::globalVarCount [protected]

Definition at line 43 of file heuristic.h. Referenced by Process(), and THeuristicMotor().

---

The documentation for this class was generated from the following files:

• heuristic.h
• heuristic.cpp

---