Monday, August 10, 2015

New code analyzer

While the VDisAsm v1 code is published at https://github.com/vdisasm/vdisasm, I am currently making efforts to move my projects to C# to benefit from the great Visual Studio IDE and the language features.

The new project will probably differ a lot. The main thing to be done is the new code analyzer, which is supposed to be the heart of the new analysis tool. The first editions will probably be console only, though I hope to create at least a simple usable GUI later.

A simple scheme of the analyzer structure:

The input file parser loads the executable image and serves as the storage behind a Virtual Memory class, which can be used to read data at a given virtual address, so that the later stages work with virtual addresses rather than file offsets.

The job of the Analyzer block is to fetch bytes from Virtual Memory and hand them to the Translation block (which translates machine byte-code into instructions in an internal form).

The Translation block has knowledge of the CPU registers and of how to translate each instruction into a series of simple IR instructions.

The Analyzer then works on the obtained IR instructions. It has to trace block-by-block to discover the complete control flow graph (or at least all blocks that can be found statically).

As a result, a function with a built control flow graph is returned.
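To make the pipeline above concrete, here is an added example (my own sketch, not code from VDisAsm or from the planned C# project) written in Python for brevity. The Virtual Memory class, the Translation block and the Analyzer are the three stages described above; the instruction set is a constructed toy ISA (six fixed-format opcodes, four registers) chosen only so the lifting step is readable, and the sample program bytes are constructed for the example. The analyzer traces reachable code from the entry point, records every jump target and fall-through address as a block leader, and only then cuts the instruction stream into blocks, so a jump into the middle of already-decoded code correctly splits the existing block instead of duplicating instructions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


class VirtualMemory:
    """Storage filled by the input-file parser: sections mapped at virtual addresses."""

    def __init__(self) -> None:
        self._sections: List[Tuple[int, bytes]] = []

    def map(self, va: int, data: bytes) -> None:
        self._sections.append((va, data))

    def read(self, va: int, size: int) -> bytes:
        for base, data in self._sections:
            if base <= va and va + size <= base + len(data):
                return data[va - base:va - base + size]
        raise ValueError(f"unmapped read at {va:#x}")   # reading outside any section is an error


REGS = ("r0", "r1", "r2", "r3")   # register file known to the Translation block


@dataclass
class Instr:
    va: int
    size: int
    ir: List[tuple]        # the instruction lifted to simple IR statements
    succ: List[int]        # static successor addresses (empty for ret)
    ends_block: bool       # true for control-flow instructions


class Translator:
    """Translation block for the hypothetical toy ISA (opcodes are an assumption of this example)."""

    def decode(self, vm: VirtualMemory, va: int) -> Instr:
        op = vm.read(va, 1)[0]
        if op == 0x00:                       # NOP
            return Instr(va, 1, [("nop",)], [va + 1], False)
        if op == 0x10:                       # MOVI r, imm8
            r, imm = vm.read(va + 1, 2)
            return Instr(va, 3, [("assign", REGS[r], imm)], [va + 3], False)
        if op == 0x20:                       # ADD r, s
            r, s = vm.read(va + 1, 2)
            return Instr(va, 3, [("add", REGS[r], REGS[r], REGS[s])], [va + 3], False)
        if op == 0x30:                       # JMP rel8 (relative to next instruction)
            off = int.from_bytes(vm.read(va + 1, 1), "little", signed=True)
            return Instr(va, 2, [("jmp", va + 2 + off)], [va + 2 + off], True)
        if op == 0x40:                       # JZ r, rel8
            r = vm.read(va + 1, 1)[0]
            off = int.from_bytes(vm.read(va + 2, 1), "little", signed=True)
            target, fall = va + 3 + off, va + 3
            return Instr(va, 3, [("cjmp", REGS[r], target, fall)], [target, fall], True)
        if op == 0xFF:                       # RET
            return Instr(va, 1, [("ret",)], [], True)
        raise ValueError(f"unknown opcode {op:#x} at {va:#x}")


@dataclass
class Block:
    start: int
    instrs: List[Instr] = field(default_factory=list)
    succ: List[int] = field(default_factory=list)


@dataclass
class Function:
    entry: int
    blocks: Dict[int, Block]


class Analyzer:
    def __init__(self, vm: VirtualMemory, tr: Translator) -> None:
        self.vm, self.tr = vm, tr

    def analyze(self, entry: int) -> Function:
        # Phase 1: follow control flow from the entry, decoding each reachable instruction once.
        instrs: Dict[int, Instr] = {}
        leaders = {entry}
        work = [entry]
        while work:
            va = work.pop()
            while va not in instrs:
                ins = self.tr.decode(self.vm, va)
                instrs[va] = ins
                if ins.ends_block:
                    leaders.update(ins.succ)   # jump targets and fall-throughs start new blocks
                    work.extend(ins.succ)
                    break
                va += ins.size
            else:
                leaders.add(va)   # ran into already-decoded code: that address becomes a boundary
        # Phase 2: cut the stream at leaders; this splits blocks that are jumped into mid-way.
        blocks: Dict[int, Block] = {}
        for start in sorted(leaders):
            blk, va = Block(start), start
            while True:
                ins = instrs[va]
                blk.instrs.append(ins)
                nxt = va + ins.size
                if ins.ends_block:
                    blk.succ = list(ins.succ)
                    break
                if nxt in leaders:
                    blk.succ = [nxt]
                    break
                va = nxt
            blocks[start] = blk
        return Function(entry, blocks)


def build_sample() -> Function:
    """Constructed sample image: a loop with a conditional exit, mapped at 0x1000."""
    code = bytes([
        0x10, 0x00, 0x03,   # 0x1000: MOVI r0, 3
        0x10, 0x01, 0x00,   # 0x1003: MOVI r1, 0
        0x40, 0x00, 0x05,   # 0x1006: JZ r0, +5   -> 0x100E, else 0x1009
        0x20, 0x01, 0x00,   # 0x1009: ADD r1, r0
        0x30, 0xF8,         # 0x100C: JMP -8      -> 0x1006 (jumps into the first block, splitting it)
        0xFF,               # 0x100E: RET
    ])
    vm = VirtualMemory()
    vm.map(0x1000, code)
    return Analyzer(vm, Translator()).analyze(0x1000)


if __name__ == "__main__":
    fn = build_sample()
    for start, blk in sorted(fn.blocks.items()):
        print(f"block {start:#x}: {len(blk.instrs)} instrs -> {[hex(s) for s in blk.succ]}")
```

Running it prints four blocks: the entry block is cut at 0x1006 because the backward jump from 0x100C targets that address, which is exactly the "trace block-by-block" step. A real translator would sit behind a proper decoder (x86 length decoding is where most of the effort goes), but the split between a VA-addressed memory, a lifter that knows the register file, and a leader-based block builder carries over unchanged.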

The final function can then be transformed, optimized in some way, or obfuscated. Type propagation and tracing of type usage can also be applied to it, which leads to higher-level things like recompilation.

Building a good analyzer isn't a trivial task. I hope to post updates showing simple examples of the analyzer at work.
