Crate panopticon [] [src]

A library for disassembling and analysing binary code.

The panopticon crate implements structures to model the in-memory representation of a program including is control flow, call graph and memory maps. The most important types and their interaction are as follows:

Project
├── Region
│   └── Layer
└── Program
    └── Function
        └── BasicBlock
            └── Mnemonic
                └── Statement

The Program, Function, BasicBlock and Statement types model the behaviour of code. The Region and Layer types represent how the program is laid out in memory.

Code

Panopticon models code as a collection of programs. Each Program consists of functions. A Function a graph with nodes representing a sequence of instructions and edges representing jumps. These instruction sequences are BasicBlocks and contain a list of Mnemonics. The meaning of each Mnemonic is described in the [RREIL][1] language. Each mnemonic includes a sequence of Statements implementing it.

Panopticon allows multiple programs per project. For example, imagine a C# application that calls into a native DLL written in C. Such an application would have two program instances. One for the CIL code of the C# part of the application and one for the AMD64 object code inside the DLL.

The Disassembler and CodeGen are used to fill Function structures with Mnemonics.

Data

The in-memory layout of an executable is modeled using the Region, Layer and Cell types. All data is organized into Regions. Each Region is an array of Cells numbered from 0 to n. Each Cell is an is either undefined or has a value between 0 and 255 (both including). Regions are read only. Changing their contents is done by applying Layer instance to them. A Layer reads part of a Region or another Layer and returns a new Cell array. For example, Layer can decrypt parts of a Region or replace individual Cells with new ones.

In normal operation there is one Region for each memory address space, one on Von-Neumann machines two on Harvard architectures. Other uses for Regions are applying functions to Cell array where the result is not equal in size to the input (for example uncompressing parts of the executable image).

Reexports

pub use disassembler::State;
pub use disassembler::Architecture;
pub use disassembler::Disassembler;
pub use disassembler::Match;
pub use il::Rvalue;
pub use il::Lvalue;
pub use il::Guard;
pub use il::Statement;
pub use il::Operation;
pub use il::execute;
pub use il::lift;
pub use mnemonic::Mnemonic;
pub use mnemonic::MnemonicFormatToken;
pub use mnemonic::Bound;
pub use basic_block::BasicBlock;
pub use function::Function;
pub use function::ControlFlowTarget;
pub use function::ControlFlowRef;
pub use function::ControlFlowEdge;
pub use function::ControlFlowGraph;
pub use program::Program;
pub use program::CallTarget;
pub use program::CallGraph;
pub use program::CallGraphRef;
pub use project::Project;
pub use region::Region;
pub use region::World;
pub use layer::Layer;
pub use layer::OpaqueLayer;
pub use layer::LayerIter;
pub use result::Result;
pub use result::Error;
pub use dataflow::*;
pub use abstractinterp::Avalue;
pub use abstractinterp::Constraint;
pub use abstractinterp::ProgramPoint;
pub use abstractinterp::approximate;
pub use abstractinterp::results;
pub use abstractinterp::bounded_addr_track::BoundedAddrTrack;
pub use abstractinterp::kset::Kset;

Modules

abstractinterp

Abstract Interpretation Framework.

amd64

Intel x86 and AMD64 disassembler.

avr

8-bit AVR disassembler.

basic_block

A basic block is a sequence of Mnemonics that aren't interrupted by incoming or outgoing jumps/branches.

dataflow

Collection of data flow algorithms.

disassembler

A disassembler in Panopticon is responsible to translate a sequence of tokens into mnemonics.

function

Functions are a graph of BasicBlocks connected with conditional jumps.

il

Panopticon uses a language called RREIL to model mnemonic semantics.

layer

A layer spans parts of a region and transforms the content of cells inside.

loader

Loader for 32 and 64-bit ELF, PE, and Mach-o files.

mnemonic

A Mnemonic is a single CPU instruction.

mos

MOS 6502 disassembler.

program

A graph of functions and symbolic references.

project

The root of a Panopticon session.

region

A regions model continuous memory like RAM, flash memory or files.

result

Result type used throughout the library.

Macros

new_disassembler
opt
rreil
rreil_binop
rreil_extop
rreil_imm
rreil_lvalue
rreil_memop
rreil_rvalue
rreil_selop
rreil_unop