Candidate release of source code.

2025-10-04 10:19:23 +02:00 · 2019-03-26 13:45:32 -04:00 · 2019-03-26 13:45:32 -04:00 · 79d8f164f8
commit 79d8f164f8
parent db81e6b3b0
12449 changed files with 2800756 additions and 16 deletions
--- a/Ghidra/Features/Base/ghidra_scripts/FindX86RelativeCallsScript.java
+++ b/Ghidra/Features/Base/ghidra_scripts/FindX86RelativeCallsScript.java
@ -0,0 +1,87 @@
+/* ###
+ * IP: GHIDRA
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+// Search for the start of X86 relative call instructions, look at the potential target and
+// and if the function is valid, then disassemble and create a function at the target.
+//
+// Your mileage may vary!  This should only be run after existing code has been found.
+// The results should be checked for validity.
+// @category Analysis
+
+import ghidra.app.script.GhidraScript;
+import ghidra.app.util.PseudoDisassembler;
+import ghidra.app.util.PseudoInstruction;
+import ghidra.program.model.address.*;
+import ghidra.program.model.listing.CodeUnit;
+import ghidra.program.model.listing.Instruction;
+
+public class FindX86RelativeCallsScript extends GhidraScript {
+
+	@Override
+	public void run() throws Exception {
+
+		Address addr = currentProgram.getMemory().getMinAddress();
+		PseudoDisassembler pdis = new PseudoDisassembler(currentProgram);
+
+		AddressSetView execSet = currentProgram.getMemory().getExecuteSet();
+		AddressSet disSet = new AddressSet();
+
+		while (addr != null) {
+			addr = this.find(addr, (byte) 0xe8);
+			if (addr == null) {
+				break;
+			}
+
+			if (execSet.isEmpty() || execSet.contains(addr)) {
+				CodeUnit cu = currentProgram.getListing().getUndefinedDataAt(addr);
+				if (cu != null) {
+					PseudoInstruction instr = pdis.disassemble(addr);
+
+					Address target = instr.getAddress(0);
+
+					if (currentProgram.getMemory().contains(target) &&
+						(execSet.isEmpty() || execSet.contains(target))) {
+						// println ("e8 call " + addr + " -> "  + target);
+
+						// also disassemble from this call.
+						// This will only get a partial function, so maybe it would be better not to do this
+						if (currentProgram.getFunctionManager().getFunctionAt(target) != null) {
+							disassemble(addr);
+							disSet.add(addr);
+						}
+
+						//  There should be more checks done here on the validity.
+						//  maybe does the potential function at target start like other functions
+						//  that have already been defined.
+						Instruction realinstr =
+							currentProgram.getListing().getInstructionAt(target);
+						if (realinstr == null) {
+							boolean isvalid = pdis.isValidSubroutine(target, true);
+							if (isvalid) {
+								// println("    found");
+								disassemble(target);
+								disSet.add(target);
+								createFunction(target, null);
+							}
+						}
+					}
+				}
+			}
+			addr = addr.add(1);
+		}
+
+		show("X86 Relative Calls", disSet);
+	}
+}