Crate panopticon
A library for disassembling and analysing binary code.
The panopticon crate implements structures to model the in-memory representation of a program including its control flow, call graph and memory maps. The most important types and their interaction are as follows:
Project
├── Region
│   └── Layer
└── Program
    └── Function
        └── BasicBlock
            └── Mnemonic
                └── Statement
Panopticon models code as a collection of programs. Each Program consists of functions. A Function is a graph with nodes representing a sequence of instructions and edges representing jumps. These instruction sequences are BasicBlocks and contain a list of Mnemonics. The meaning of each Mnemonic is described in the RREIL language. Each mnemonic includes a sequence of Statements implementing it.
Panopticon allows multiple programs per project. For example, imagine a C# application that calls into a native DLL written in C. Such an application would have two program instances: one for the CIL code of the C# part of the application and one for the AMD64 object code inside the DLL.
The in-memory layout of an executable is modeled using the Region, Layer and Cell types. All data is organized into Regions. Each Region is an array of Cells numbered from 0 to n. Each Cell is either undefined or has a value between 0 and 255 (both inclusive). Regions are read-only. Changing their contents is done by applying Layer instances to them. A Layer reads part of a Region or another Layer and returns a new Cell array. For example, a Layer can decrypt parts of a Region or replace individual Cells with new ones.
In normal operation there is one Region for each memory address space: one on Von Neumann machines, two on Harvard architectures. Other uses for Regions are applying functions to a Cell array where the result is not equal in size to the input (for example uncompressing parts of the executable image).
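The Region/Layer/Cell model described above, as an added sketch that is not Panopticon's own code or API: `Cell`, `Region`, `Layer` and `view` below are hypothetical stand-ins, XOR stands in for decryption, and the sample bytes are constructed.

```rust
// Added sketch; hypothetical types, NOT Panopticon's real API.
/// A cell is undefined (`None`) or holds a value between 0 and 255.
pub type Cell = Option<u8>;
/// Read-only array of cells numbered from 0 to n.
pub struct Region { cells: Vec<Cell> }

impl Region {
    pub fn new(cells: Vec<Cell>) -> Self { Region { cells } }
    pub fn cells(&self) -> &[Cell] { &self.cells }
}

/// A layer reads a cell array and returns a new one (same length in this sketch).
pub enum Layer {
    /// XOR defined cells in start..end with `key`; undefined cells stay undefined.
    Xor { start: usize, end: usize, key: u8 },
    /// Replace individual cells beginning at `offset`.
    Patch { offset: usize, data: Vec<Cell> },
}

impl Layer {
    pub fn apply(&self, input: &[Cell]) -> Vec<Cell> {
        let mut out = input.to_vec();
        match self {
            Layer::Xor { start, end, key } => {
                for c in out.iter_mut().take(*end).skip(*start) {
                    *c = (*c).map(|b| b ^ *key);
                }
            }
            Layer::Patch { offset, data } => {
                for (i, c) in data.iter().enumerate() {
                    if let Some(slot) = out.get_mut(*offset + i) { *slot = *c; }
                }
            }
        }
        out
    }
}

/// Stack layers bottom-up over a region; the region itself is never modified.
pub fn view(region: &Region, layers: &[Layer]) -> Vec<Cell> {
    layers.iter().fold(region.cells().to_vec(), |cells, l| l.apply(&cells))
}

fn main() {
    // Constructed sample: "AB", one undefined cell, "C", all XORed with 0x5A.
    let region = Region::new(vec![Some(0x1B), Some(0x18), None, Some(0x19)]);
    let layers = [Layer::Xor { start: 0, end: 4, key: 0x5A },
                  Layer::Patch { offset: 2, data: vec![Some(0x00)] }];
    println!("{:?}", view(&region, &layers));
}
```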
Abstract Interpretation Framework.
Intel x86 and AMD64 disassembler.
8-bit AVR disassembler.
A basic block is a sequence of Mnemonics that aren't interrupted by incoming or outgoing jumps/branches.
Collection of data flow algorithms.
A disassembler in Panopticon is responsible for translating a sequence of tokens into mnemonics.
Functions are a graph of
Panopticon uses a language called RREIL to model mnemonic semantics.
A layer spans parts of a region and transforms the content of cells inside.
Loader for 32 and 64-bit ELF and PE files.
A Mnemonic is a single CPU instruction.
MOS 6502 disassembler.
A graph of functions and symbolic references.
The root of a Panopticon session.
Regions model continuous memory like RAM, flash memory or files.
Result type used throughout the library.