| | |
- xml.sax.handler.ContentHandler
-
- cHandle
- Instruction
- PyREMLCommon
-
- Binary
- Function
class Binary(PyREMLCommon) |
| |
Class containing all the data to represent a disassemled binary.
The class attributes:
name The binary's name
entry_point Executable's entry point
don't have a getter method, so they have to be accessed directly.
|
| |
Methods defined here:
- __init__(self)
- add_function(self, function)
- Add function to list of functions contained in this binary."
'function' is an instance of the 'function' class.
- add_string(self, address, str)
- Add string to list of strings contained in this binary.
'address' refers to the address in memory where the string lies.
- get_function_by_address(self, function_address)
- Get the function containing a given address.
All functions with an instruction at 'function_address' will
be returned.
NOTE: More than one function can be returned. Such case can
appear in optimized code, where functions share certain blocks
of code.
None is returned otherwise.
- get_function_by_name(self, function_name)
- Returns a function from the binary's function list.
'function_name' contains a string with the function's name.
- get_functions(self)
- Return the list of function instances composing the binary.
- get_location_by_name(self, name)
- Get a location by name.
- get_name_by_location(self, loc)
- Get a name by its location.
- get_string_by_address(self, addr)
- Get a string contained in this binary by its address.
'address' refers to the address in memory where the string lies.
- get_strings(self)
- Get list of (address, string) contained in this binary.
- get_strings_addresses(self)
- Get list of addresses to strings contained in this binary.
- set_locations(self, name, location)
- Set the name of a location.
- wind_up(self)
Methods inherited from PyREMLCommon:
- get_value_from_dict(self, key, dictionary)
- Get a value from a dictionary.
|
class Function(PyREMLCommon) |
| |
Class containing all data necessary to represent a function.
The class attributes:
name The function's name
start Stating address
end End address (of the last fragment if function is fragmented)
don't have a getter method, so they have to be accessed directly.
|
| |
Methods defined here:
- __init__(self, parent)
- add_data_reference(self, ref)
- Add a data flow reference.
Any data reference within the function will have a
source and destination pair which will be set with
this method.
'ref' is a tuple, with the first element containing
the source of the reference, and the second element
its destination.
Examples of data references is a 'push' of an
offset, which will be the second element in the
given tuple.
- add_flow_reference(self, ref)
- Add a code flow reference.
Any branching within the function will have a source
and destination pair which will be set with this
method.
'ref' is a tuple, with the first element containing
the source of the branch, and the second element its
destination.
- add_instruction(self, ins)
- Add an instruction instance to the function.
- compile_basic_blocks(self)
- Calculate the basic blocks for the function.
- get_basic_blocks(self)
- Return the list of basic blocks.
The returned list of blocks is composed of tuples
containing the start and end address of the basic
blocks.
- get_block_by_addr(self, addr)
- Find block containing the given address.
- get_block_cfg(self)
- Return the list of basic blocks numbered.
A list of tuples is returned, with all the branching
between the basic blocks.
Each pair in the returned list contains the edges
of the CFG, which blocks numbered sequentially from
the function's start.
- get_call_count(self)
- Get the number of outgoing references to the starting address of other functions.
- get_called_functions(self)
- Get the functions called from this one.
- get_caller_count(self)
- Get the number of incoming references to the starting address of this function.
- get_caller_functions(self)
- Get the functions calling to this one.
- get_callers(self)
- Get the incoming references to the starting address of this function.
- get_calls(self)
- Get the outgoing references to the starting address of other functions.
- get_cfg(self)
- Return the list of basic blocks.
A list of tuples is returned, with all the branching
between the basic blocks.
Each pair in the returned list contains the edges
of the CFG.
- get_data_references(self)
- Get data reference pairs within the function.
Pairs have the form (from, to).
- get_data_references_destinations(self)
- Get data reference's destinations.
- get_data_references_sources(self)
- Get data reference's sources within the function.
- get_instruction_by_address(self, addr)
- Return the instruction at the given address.
- get_instruction_count(self)
- Get number of instructions composing the function.
- get_instructions(self)
- Get the list of instruction instances composing the function.
- get_instructions_in_range(self, start, end)
- Get the list of instruction instances within the given address range.
- get_next_address(self, addr)
- Get the next address to the one given.
The address, following the one given, containing an
instruction is returned.
None is returned is the given address does not exist
within the function or if the address points already
to the function's end.
The given address must point to the starting address
of an instruction, not within one.
- get_outgoing_references(self)
- Return the references which point outside this function.
- get_prev_address(self, addr)
- Get the previous address to the one given.
The address, previous to the one given, containing an
instruction is returned.
None is returned is the given address does not exist
within the function or if the address points already
to the function's start.
The given address must point to the starting address
of an instruction, not within one.
- get_referred_strings(self)
- Get all the reference pairs to strings.
A list of tuples is returned, being the first element
the address at which a refernce to the string occurs,
and the second the address of the string.
- get_referred_strings_destinations(self)
- Get all the addresses where the referenced strings lie.
- get_referred_strings_sources(self)
- Get all the addresses at which a reference to a string occurs.
- wind_up(self)
- Proceed with some final processing.
Methods inherited from PyREMLCommon:
- get_value_from_dict(self, key, dictionary)
- Get a value from a dictionary.
|
class Instruction |
| |
Class representing a single instruction.
The class attributes:
function The parent function's instance
address The address where the instruction lies
mnemonic The mnemonic for the instruction
data The data, opcode+operands as a hex string
operands List of operands (See format below)
is_flow IDA's isFlow flag
is_code IDA's isCode flag
size Size in bytes of the opcode+operands
comment Comment data if any
don't have a getter method, so they have to be accessed directly.
'operands' format is defined as follows:
[op1, op2, ..., opN]
opN = [op_ordinal, op_type, op_value]
|
| |
Methods defined here:
- __init__(self, function, address, data, mnemonic, flow, code)
- add_operand(self, op)
- Append an operand.
- get_operand(self, ord)
- Get the instruction's operand by ordinal.
|
class cHandle(xml.sax.handler.ContentHandler) |
| | |
Methods defined here:
- __init__(self)
- endElement(self, name)
- getBinary(self)
- startElement(self, name, attr)
Methods inherited from xml.sax.handler.ContentHandler:
- characters(self, content)
- Receive notification of character data.
The Parser will call this method to report each chunk of
character data. SAX parsers may return all contiguous
character data in a single chunk, or they may split it into
several chunks; however, all of the characters in any single
event must come from the same external entity so that the
Locator provides useful information.
- endDocument(self)
- Receive notification of the end of a document.
The SAX parser will invoke this method only once, and it will
be the last method invoked during the parse. The parser shall
not invoke this method until it has either abandoned parsing
(because of an unrecoverable error) or reached the end of
input.
- endElementNS(self, name, qname)
- Signals the end of an element in namespace mode.
The name parameter contains the name of the element type, just
as with the startElementNS event.
- endPrefixMapping(self, prefix)
- End the scope of a prefix-URI mapping.
See startPrefixMapping for details. This event will always
occur after the corresponding endElement event, but the order
of endPrefixMapping events is not otherwise guaranteed.
- ignorableWhitespace(self, whitespace)
- Receive notification of ignorable whitespace in element content.
Validating Parsers must use this method to report each chunk
of ignorable whitespace (see the W3C XML 1.0 recommendation,
section 2.10): non-validating parsers may also use this method
if they are capable of parsing and using content models.
SAX parsers may return all contiguous whitespace in a single
chunk, or they may split it into several chunks; however, all
of the characters in any single event must come from the same
external entity, so that the Locator provides useful
information.
- processingInstruction(self, target, data)
- Receive notification of a processing instruction.
The Parser will invoke this method once for each processing
instruction found: note that processing instructions may occur
before or after the main document element.
A SAX parser should never report an XML declaration (XML 1.0,
section 2.8) or a text declaration (XML 1.0, section 4.3.1)
using this method.
- setDocumentLocator(self, locator)
- Called by the parser to give the application a locator for
locating the origin of document events.
SAX parsers are strongly encouraged (though not absolutely
required) to supply a locator: if it does so, it must supply
the locator to the application by invoking this method before
invoking any of the other methods in the DocumentHandler
interface.
The locator allows the application to determine the end
position of any document-related event, even if the parser is
not reporting an error. Typically, the application will use
this information for reporting its own errors (such as
character content that does not match an application's
business rules). The information returned by the locator is
probably not sufficient for use with a search engine.
Note that the locator will return correct information only
during the invocation of the events in this interface. The
application should not attempt to use it at any other time.
- skippedEntity(self, name)
- Receive notification of a skipped entity.
The Parser will invoke this method once for each entity
skipped. Non-validating processors may skip entities if they
have not seen the declarations (because, for example, the
entity was declared in an external DTD subset). All processors
may skip external entities, depending on the values of the
http://xml.org/sax/features/external-general-entities and the
http://xml.org/sax/features/external-parameter-entities
properties.
- startDocument(self)
- Receive notification of the beginning of a document.
The SAX parser will invoke this method only once, before any
other methods in this interface or in DTDHandler (except for
setDocumentLocator).
- startElementNS(self, name, qname, attrs)
- Signals the start of an element in namespace mode.
The name parameter contains the name of the element type as a
(uri, localname) tuple, the qname parameter the raw XML 1.0
name used in the source document, and the attrs parameter
holds an instance of the Attributes class containing the
attributes of the element.
The uri part of the name tuple is None for elements which have
no namespace.
- startPrefixMapping(self, prefix, uri)
- Begin the scope of a prefix-URI Namespace mapping.
The information from this event is not necessary for normal
Namespace processing: the SAX XML reader will automatically
replace prefixes for element and attribute names when the
http://xml.org/sax/features/namespaces feature is true (the
default).
There are cases, however, when applications need to use
prefixes in character data or in attribute values, where they
cannot safely be expanded automatically; the
start/endPrefixMapping event supplies the information to the
application to expand prefixes in those contexts itself, if
necessary.
Note that start/endPrefixMapping events are not guaranteed to
be properly nested relative to each-other: all
startPrefixMapping events will occur before the corresponding
startElement event, and all endPrefixMapping events will occur
after the corresponding endElement event, but their order is
not guaranteed.
| |