Package vivisect :: Module vector

Module vector

A module full of utils for vectored input tracking and code flow analysis. (When a scalpel finds something, you need to be able to figure out how to get to it, right?)

Classes
  InputMonitor
Functions
 
getEmuAtVa(vw, va)
Build and run an emulator to the given virtual address from the function entry point.
 
trackImportInputs(vw, iname)
Works just like trackFunctionInputs but finds calls to imports by name instead...
 
trackFunctionInputs(vw, fva)
Find all the callers to the given function and return a list of (callva, [ (argval, magic), ...]) tuples.
 
trackArgOrigin(vw, fva, argidx)
Return an input tree (visgraph path tree) of the trackable inputs to the specified function.
 
getCodeFlow(vw, cbva)
Get a list of the code blocks which are known to flow into this one.
 
getCodePaths(vw, fromva, tova, trim=True)
Return a list of paths, where each path is a list of code blocks from fromva to tova.

Function Details

getEmuAtVa(vw, va)

Build and run an emulator to the given virtual address from the function entry point.

(most useful for state analysis. kinda heavy though...)

trackArgOrigin(vw, fva, argidx)

Return an input tree (visgraph path tree) of the trackable inputs to the specified function.

Each node in the list will be a leaf node for a path leading down toward a call to the target function. Each node will have the following path node properties:

    fva    - The function
    argidx - The index of the argument input with this call
    cva    - The address of the call (to our next) (None on root node)
    argv   - A list of (<val>,<magic>) tuples for the call args (None on root node)

getCodeFlow(vw, cbva)

Get a list of the code blocks which are known to flow into this one. This *will* cross function boundaries.

getCodePaths(vw, fromva, tova, trim=True)

Return a list of paths, where each path is a list
of code blocks from fromva to tova.

Usage: getCodePaths(vw, <fromva>, <tova>) -> [ [frblock, ..., toblock], ...]

NOTE: "trim" causes an optimization which may not reveal *all* the paths,
      but is much faster to run.  It will never return no paths when there
      are some, but may not return all of them... (based on path overlap)
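
The trade-off in the NOTE above, shown on a constructed block graph. This is an added example, not vivisect's source: code_paths, PREDS, show and the block addresses are hypothetical, and the trim heuristic (never expand a block that was already reached once) is an assumption chosen to match the documented behaviour.

```python
# Constructed control-flow graph: block address -> blocks that flow INTO it
# (the kind of answer getCodeFlow is documented to give). Not a real binary.
PREDS = {
    0x1010: [0x1000],
    0x1020: [0x1000],
    0x1030: [0x1010, 0x1020, 0x1050],   # 0x1050 -> 0x1030 is a loop back-edge
    0x1040: [0x1030],
    0x1050: [0x1030],
    0x1060: [0x1040, 0x1050],
}

def code_paths(preds, fromva, tova, trim=True):
    """Return [[fromblock, ..., toblock], ...], walking backward from tova.

    trim=True is an ASSUMED heuristic: a block already reached once is not
    expanded again, so paths that overlap an earlier one may be dropped.
    """
    if fromva == tova:
        return [[tova]]
    paths = []
    done = {tova}
    todo = [(tova,)]                    # partial paths, each ending at tova
    while todo:
        path = todo.pop()
        for pva in preds.get(path[0], ()):
            if pva in path:             # would loop back onto this path
                continue
            if pva == fromva:           # reached the start: complete path
                paths.append([pva, *path])
                continue
            if trim and pva in done:    # overlap with an earlier walk
                continue
            done.add(pva)
            todo.append((pva, *path))
    return paths

def show(paths):
    """Render each path as 'hex -> hex -> ...' for printing."""
    return [" -> ".join(hex(va) for va in p) for p in paths]

if __name__ == "__main__":
    for trim in (False, True):
        found = code_paths(PREDS, 0x1000, 0x1060, trim=trim)
        print("trim=%s: %d path(s)" % (trim, len(found)))
        for line in show(found):
            print("   ", line)
```

On this graph the untrimmed walk finds all four loop-free paths, while the trimmed walk finds only the two that pass through 0x1050, so a reachability question is still answered but a per-path review needs trim=False.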