Java Code Examples for ghidra.program.model.listing.Program#getImageBase()

Example 1
Source File: ProgramMemoryUtil.java    From ghidra with Apache License 2.0 6 votes vote down vote up
/**
 * Searches a program's memory for 32-bit image-base-relative offsets that refer to the
 * given address. Only locations that satisfy the requested alignment are reported.
 * <p>
 * The search pattern is the low four bytes of {@code toAddress - imageBase}, least
 * significant byte first.
 *
 * @param program the program whose memory is searched.
 * @param alignment alignment that a matching location must have.
 * @param toAddress the address whose references are wanted.
 * @param monitor task monitor for progress and cancellation; {@code null} selects
 * {@code TaskMonitorAdapter.DUMMY_MONITOR}.
 * @return the set (a {@code TreeSet}) of addresses filled in by the byte-pattern search.
 *
 * @throws CancelledException if the user cancels via the monitor.
 */
public static Set<Address> findImageBaseOffsets32(Program program, int alignment,
		Address toAddress, TaskMonitor monitor) throws CancelledException {

	// Substitute the dummy monitor so the search below never receives null.
	TaskMonitor searchMonitor =
		(monitor != null) ? monitor : TaskMonitorAdapter.DUMMY_MONITOR;

	Memory searchSpace = program.getMemory();
	Address base = program.getImageBase();

	// NOTE(review): only the low 32 bits of the difference survive the encoding below. A
	// target below the image base, or 4 GiB or more above it, is truncated rather than
	// rejected, so the pattern can then match bytes that are not references to toAddress.
	// Confirm that callers rule this out.
	// NOTE(review): the pattern is always least-significant-byte first, whatever the
	// program's endianness - confirm this is never used on big-endian programs.
	long delta = toAddress.subtract(base);
	final int width = 4; // bytes in a 32-bit offset
	byte[] pattern = new byte[width];
	for (int idx = 0; idx < width; idx++) {
		pattern[idx] = (byte) (delta >> (8 * idx));
	}

	// A null range is passed through unchanged to findBytePattern.
	Set<Address> hits = new TreeSet<>();
	findBytePattern(searchSpace, (AddressRange) null, pattern, alignment, hits,
		searchMonitor);
	return hits;
}
 
Example 2
Source File: IPCAnalyzer.java    From Ghidra-Switch-Loader with ISC License 5 votes vote down vote up
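/**
 * Returns the map of relocated entries in the global offset table to their new values.
 * The map is built on the first successful call and the cached instance is returned
 * afterwards.
 * <p>
 * Relocation records come from the binary under analysis, so the map is assembled in a
 * local variable and only stored in the cache once every record has been converted. If a
 * record cannot be converted (for example because {@code add()} rejects the displacement),
 * the exception propagates and no half-built map is left behind for later callers.
 * <p>
 * NOTE(review): the cache is not keyed on {@code program} or {@code elfProvider}; a later
 * call with different arguments gets the map built for the first ones - confirm one
 * analyzer instance only ever sees one program.
 *
 * @param program program supplying the image base the relocation offsets are added to
 * @param elfProvider source of the relocation records
 * @return map from relocated GOT entry address to the address it resolves to
 */
protected Map<Address, Address> getGotDataSyms(Program program, ElfCompatibilityProvider elfProvider)
{
    if (this.gotDataSyms != null)
        return this.gotDataSyms;
    
    Address baseAddr = program.getImageBase();
    HashMap<Address, Address> resolved = new HashMap<Address, Address>();
    
    for (NXRelocation reloc : elfProvider.getRelocations()) 
    {
        long off;
        
        // NOTE(review): this branch requires getValue() == 0 and then uses that same value,
        // so off is always 0 here and the entry maps to the image base itself. The
        // comparison may have been meant as != 0 - confirm against the loader's intent
        // before changing it.
        if (reloc.sym != null && reloc.sym.getSectionHeaderIndex() != ElfSectionHeaderConstants.SHN_UNDEF && reloc.sym.getValue() == 0)
        {
            off = reloc.sym.getValue();
        }
        else if (reloc.addend != 0)
        {
            off = reloc.addend;
        }
        else continue;
        
        // Target -> Value
        resolved.put(baseAddr.add(reloc.offset), baseAddr.add(off));
    }
    
    // Publish only the complete map.
    this.gotDataSyms = resolved;
    return resolved;
}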
 
Example 3
Source File: AddBlockModel.java    From ghidra with Apache License 2.0 5 votes vote down vote up
/**
 * Builds the model for the given tool and program. The start address defaults to the
 * program's image base, the block type to {@code MemoryBlockType.DEFAULT} and the initial
 * value to 0.
 *
 * @param tool the plugin tool stored in the model
 * @param program the program stored in the model and queried for its image base
 */
AddBlockModel(PluginTool tool, Program program) {
	this.tool = tool;
	this.program = program;
	this.nameIndexer = new StringKeyIndexer();

	// Called only after program and nameIndexer are assigned; presumably it fills the
	// indexer from the program's existing blocks - confirm in loadBlockNames().
	loadBlockNames();

	// Defaults.
	this.initialValue = 0;
	this.blockType = MemoryBlockType.DEFAULT;
	this.startAddr = program.getImageBase();
}
 
Example 4
Source File: DbgLoader.java    From ghidra with Apache License 2.0 5 votes vote down vote up
/**
 * Adds the contents of a separate DBG file to an existing PE program.
 * <p>
 * The PE file the program was created from is reopened through the path recorded in the
 * program, its section headers are mapped to addresses relative to the program's image
 * base, and the result is handed to {@code processDebug} together with the DBG parser.
 *
 * @param provider bytes of the DBG file
 * @param loadSpec not used by this method
 * @param options not used by this method
 * @param prog the program the debug data is added to; its executable format must equal
 * {@code PeLoader.PE_NAME}
 * @param monitor passed through to {@code processDebug}
 * @param log message log used to create the parsing factory
 * @throws IOException if the program is not a PE program; the declared exception also
 * covers failures while opening or parsing the files
 */
@Override
public void load(ByteProvider provider, LoadSpec loadSpec, List<Option> options, Program prog,
		TaskMonitor monitor, MessageLog log) throws IOException {

	GenericFactory factory = MessageLogContinuesFactory.create(log);

	boolean isPeProgram = prog.getExecutableFormat().equals(PeLoader.PE_NAME);
	if (!isPeProgram) {
		throw new IOException("Loading of DBG file may only be 'added' to existing " +
			PeLoader.PE_NAME + " Program");
	}

	SeparateDebugHeader debug = new SeparateDebugHeader(factory, provider);

	// NOTE(review): the parent PE is located purely through the path stored in the
	// program. Nothing visible here checks that the file now at that path is the binary
	// the program was imported from, so a moved or replaced file would be parsed and its
	// section table applied as-is - confirm whether a hash or size comparison happens
	// elsewhere.
	File parentFile = new File(prog.getExecutablePath());

	// If the constructor throws there is nothing to close; otherwise the provider is
	// closed on every path out of the try block.
	RandomAccessByteProvider parentBytes = new RandomAccessByteProvider(parentFile);
	try {
		PortableExecutable parentPE = PortableExecutable.createPortableExecutable(factory,
			parentBytes, SectionLayout.FILE);
		Address imageBase = prog.getImageBase();
		Map<SectionHeader, Address> sectionToAddress = new HashMap<>();
		FileHeader fileHeader = parentPE.getNTHeader().getFileHeader();

		// Section virtual addresses are read from the file and added to the image base
		// without a range check in this method.
		for (SectionHeader header : fileHeader.getSectionHeaders()) {
			Address sectionStart = imageBase.add(header.getVirtualAddress());
			sectionToAddress.put(header, sectionStart);
		}
		processDebug(debug.getParser(), fileHeader, sectionToAddress, prog, monitor);
	}
	finally {
		parentBytes.close();
	}
}
 
Example 5
Source File: ProgramMemoryUtil.java    From ghidra with Apache License 2.0 5 votes vote down vote up
/**
 * Encodes the offset of an address from the program's image base as four bytes, least
 * significant byte first.
 *
 * @param program the program supplying the image base.
 * @param alignment not used by this method.
 * @param toAddress the address to express relative to the image base.
 * @return the low 32 bits of {@code toAddress - imageBase} as a 4-byte array.
 */
public static byte[] getImageBaseOffsets32Bytes(Program program, int alignment,
		Address toAddress) {

	// NOTE(review): a difference that is negative or does not fit in 32 bits is truncated
	// silently, and the byte order is fixed regardless of the program's endianness -
	// confirm callers only pass addresses within 4 GiB above the image base.
	long delta = toAddress.subtract(program.getImageBase());

	return new byte[] {
		(byte) delta,
		(byte) (delta >> 8),
		(byte) (delta >> 16),
		(byte) (delta >> 24)
	};
}
 
Example 6
Source File: IPCAnalyzer.java    From Ghidra-Switch-Loader with ISC License 4 votes vote down vote up
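/**
 * Locates s_Table candidates by scanning the .text block for the "SFCI" constant
 * (a MOV/MOVK pair) and pairing each hit with the closest relocation target at or before it.
 * <p>
 * Both the relocation records and the scanned words come from the binary under analysis.
 * A program without a .text block, or a hit that no relocation target precedes, yields no
 * entry instead of a NullPointerException or a bogus entry at offset 0.
 *
 * @param program program supplying the image base, memory blocks and default address space
 * @param elfProvider source of the relocation records and of the reader used for scanning
 * @return bi-map from s_Table address to the address of its process function; empty if
 * .text is missing or nothing matched. If a read fails the error is logged and the entries
 * found up to that point are returned.
 */
protected HashBiMap<Address, Address> locateSTables(Program program, ElfCompatibilityProvider elfProvider)
{
    HashBiMap<Address, Address> out = HashBiMap.create();
    List<Pair<Long, Long>> candidates = new ArrayList<>();
    AddressSpace aSpace = program.getAddressFactory().getDefaultAddressSpace();
    Address baseAddr = program.getImageBase();
    Memory mem = program.getMemory();
    
    // first = relocation addend, second = relocation offset, both rebased onto the image base
    for (NXRelocation reloc : elfProvider.getRelocations()) 
    {
        if (reloc.addend > 0)
            candidates.add(new Pair<Long, Long>(baseAddr.getOffset() + reloc.addend, baseAddr.getOffset() + reloc.offset));
    }
    
    candidates.sort((a, b) -> a.first.compareTo(b.first));
    
    
    // 5.x: match on the "SFCI" constant used in the template of s_Table
    //   MOV  W?, #0x4653
    //   MOVK W?, #0x4943, LSL#16
    // These are the expected values of each instruction word after its low byte is dropped.
    long movMask  = 0x5288CAL;
    long movkMask = 0x72A928L;
    
    MemoryBlock text = mem.getBlock(".text"); // Text is one of the few blocks that isn't split
    
    // The input may simply not have a .text block; report it rather than dereference null.
    if (text == null)
    {
        Msg.error(this, "Failed to locate s_Tables: no .text block");
        return out;
    }
    
    long textEnd = text.getEnd().getOffset();
    
    try
    {
        // NOTE(review): off is an address-space offset but is passed to the reader as an
        // index, and the second read at off + 0x4 can reach past textEnd on the last
        // iteration - confirm the reader is indexed by loaded address and tolerates this.
        for (long off = text.getStart().getOffset(); off < textEnd; off += 0x4)
        {
            long val1 = (elfProvider.getReader().readUnsignedInt(off) & 0xFFFFFF00L) >> 8;
            long val2 = (elfProvider.getReader().readUnsignedInt(off + 0x4) & 0xFFFFFF00L) >> 8;
            
            // Match on a sequence of MOV, MOVK
            if (val1 != movMask || val2 != movkMask)
                continue;
            
            long processFuncOffset = 0;
            long sTableOffset = 0;
            boolean haveCandidate = false;
            
            // Find the candidate after our offset, then pick the one before that
            for (Pair<Long, Long> candidate : candidates)
            {
                if (candidate.first > off)
                    break;
                
                processFuncOffset = candidate.first;
                sTableOffset = candidate.second;
                haveCandidate = true;
            }
            
            // Without a preceding candidate there is no function to attribute the hit to;
            // scanning for RET from offset 0 would only produce a meaningless 0 -> 0 entry.
            if (!haveCandidate)
                continue;
            
            long pRetOff;
            
            // Make sure our SFCI offset is within the process function by matching on the
            // RET instruction
            for (pRetOff = processFuncOffset; pRetOff < textEnd; pRetOff += 0x4)
            {
                long rval = elfProvider.getReader().readUnsignedInt(pRetOff);
                
                // RET
                if (rval == 0xD65F03C0L)
                    break;
            }
            
            // Accepted when the first RET (or the end of .text, if none is found) lies
            // after the SFCI match.
            if (pRetOff > off)
            {
                Address stAddr = aSpace.getAddress(sTableOffset);
                Address pFuncAddr = aSpace.getAddress(processFuncOffset);
                out.put(stAddr, pFuncAddr);
            }
        }
    }
    catch (IOException e)
    {
        Msg.error(this, "Failed to locate s_Tables", e);
    }
    
    return out;
}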
 
Example 7
Source File: iOS_Analyzer.java    From ghidra with Apache License 2.0 4 votes vote down vote up
/**
 * Disassembles code, creates string data and creates functions at a fixed list of offsets
 * from the program's image base, then tells the user which script to run next.
 * <p>
 * NOTE(review): every offset below is a constant. Nothing in this method checks that the
 * program really is the image those offsets were taken from - presumably the analyzer is
 * only enabled for matching programs; confirm where that gate lives.
 *
 * @param program the program to mark up
 * @param set not used by this method
 * @param monitor checked for cancellation while functions are created
 * @param log receives disassembler messages and the closing hint
 * @return always {@code true}, including when the monitor was cancelled
 * @throws Exception declared by the signature; this method contains no catch blocks
 */
@Override
public boolean analyze(Program program, AddressSetView set, TaskMonitor monitor,
		final MessageLog log) throws Exception {

	// Forward every disassembler message to the analysis log.
	DisassemblerMessageListener listener = new DisassemblerMessageListener() {
		@Override
		public void disassembleMessageReported(String msg) {
			log.appendMsg(msg);
		}
	};

	Address imageBase = program.getImageBase();
	AutoAnalysisManager manager = AutoAnalysisManager.getAnalysisManager(program);
	Disassembler disassembler = Disassembler.getDisassembler(program, monitor, listener);

	// Offset 0 goes through both the disassembler and the analysis manager.
	disassembler.disassemble(imageBase.add(0x00L), null, false);
	manager.disassemble(imageBase.add(0x00L));

	// Seven consecutive words at 0x04 .. 0x1c.
	for (long wordOffset = 0x04L; wordOffset <= 0x1cL; wordOffset += 0x04L) {
		disassembler.disassemble(imageBase.add(wordOffset), null, false);
	}

	// 0x20 is disassembled with the restriction set limited to that single address.
	Address restrictedStart = imageBase.add(0x20L);
	disassembler.disassemble(restrictedStart, new AddressSet(restrictedStart), false);

	for (long codeOffset : new long[] { 0x40L, 0x74L }) {
		disassembler.disassemble(imageBase.add(codeOffset), null, false);
	}

	for (long stringOffset : new long[] { 0x200L, 0x240L, 0x280L }) {
		createData(program, imageBase.add(stringOffset), new StringDataType());
	}

	// Walk function by function from 0x32c; 0x5e8 is the last offset treated as ARM code.
	long offset = 0x32cL;
	while (!monitor.isCancelled() && offset <= 0x5e8L) {
		Address entry = imageBase.add(offset);
		disassembler.disassemble(entry, null);
		Function function = createFunction(program, entry);
		if (function == null) {
			break;
		}
		// Continue at the first byte after this function's body, as an image-base offset.
		long bodyEnd = function.getBody().getMaxAddress().getOffset();
		offset = bodyEnd + 1 - imageBase.getOffset();
	}

	log.appendMsg("You should now run the iOS_ThumbFunctionFinder script!");

	return true;
}