Rust bindings for custom basic block analysis

Author: zznop

rust/src/architecture.rs

@@ -23,12 +23,11 @@ use crate::{
     calling_convention::CoreCallingConvention,
     data_buffer::DataBuffer,
     disassembly::InstructionTextToken,
-    function::Function,
+    function::{ArchAndAddr, Function, NativeBlock},
     platform::Platform,
     rc::*,
     relocation::CoreRelocationHandler,
-    string::IntoCStr,
-    string::*,
+    string::{IntoCStr, *},
     types::{NameAndType, Type},
     Endianness,
 };
@@ -42,8 +41,10 @@ use std::{
     mem::MaybeUninit,
 };
 
+use crate::basic_block::BasicBlock;
 use crate::function_recognizer::FunctionRecognizer;
 use crate::relocation::{CustomRelocationHandlerHandle, RelocationHandler};
+use crate::variable::IndirectBranchInfo;
 
 use crate::confidence::Conf;
 use crate::low_level_il::expression::ValueExpr;
@@ -54,6 +55,7 @@ use crate::low_level_il::{LowLevelILMutableExpression, LowLevelILMutableFunction
 pub use binaryninjacore_sys::BNFlagRole as FlagRole;
 pub use binaryninjacore_sys::BNImplicitRegisterExtend as ImplicitRegisterExtend;
 pub use binaryninjacore_sys::BNLowLevelILFlagCondition as FlagCondition;
+use std::collections::HashSet;
 
 macro_rules! newtype {
     ($name:ident, $inner_type:ty) => {
@@ -471,13 +473,13 @@ pub trait Architecture: 'static + Sized + AsRef<CoreArchitecture> {
         il: &LowLevelILMutableFunction,
     ) -> Option<(usize, bool)>;
 
-    unsafe fn analyze_basic_blocks(
+    fn analyze_basic_blocks(
         &self,
         function: &mut Function,
-        context: *mut BNBasicBlockAnalysisContext,
+        context: &mut BasicBlockAnalysisContext,
     ) {
         unsafe {
-            BNArchitectureDefaultAnalyzeBasicBlocks(function.handle, context);
+            BNArchitectureDefaultAnalyzeBasicBlocks(function.handle, context.handle);
         }
     }
 
@@ -1544,13 +1546,13 @@ impl Architecture for CoreArchitecture {
         }
     }
 
-    unsafe fn analyze_basic_blocks(
+    fn analyze_basic_blocks(
         &self,
         function: &mut Function,
-        context: *mut BNBasicBlockAnalysisContext,
+        context: &mut BasicBlockAnalysisContext,
     ) {
         unsafe {
-            BNArchitectureAnalyzeBasicBlocks(self.handle, function.handle, context);
+            BNArchitectureAnalyzeBasicBlocks(self.handle, function.handle, context.handle);
         }
     }
 
@@ -1925,6 +1927,222 @@ impl Architecture for CoreArchitecture {
     }
 }
 
+pub struct BasicBlockAnalysisContext {
+    pub(crate) handle: *mut BNBasicBlockAnalysisContext,
+    contextual_returns_dirty: bool,
+
+    // In
+    pub indirect_branches: Vec<IndirectBranchInfo>,
+    pub indirect_no_return_calls: HashSet<ArchAndAddr>,
+    pub analysis_skip_override: BNFunctionAnalysisSkipOverride,
+    pub translate_tail_calls: bool,
+    pub disallow_branch_to_string: bool,
+    pub max_function_size: u64,
+    pub halt_on_invalid_instruction: bool,
+    pub max_size_reached: bool,
+
+    // In/Out
+    contextual_returns: HashMap<ArchAndAddr, bool>,
+
+    // Out
+    direct_code_references: HashMap<u64, ArchAndAddr>,
+    direct_no_return_calls: HashSet<ArchAndAddr>,
+    halted_disassembly_addresses: HashSet<ArchAndAddr>,
+}
+
+impl BasicBlockAnalysisContext {
+    pub unsafe fn from_raw(handle: *mut BNBasicBlockAnalysisContext) -> Self {
+        debug_assert!(!handle.is_null());
+
+        let ctx_ref = &*handle;
+
+        let indirect_branches = (0..ctx_ref.indirectBranchesCount)
+            .map(|i| {
+                let raw: BNIndirectBranchInfo =
+                    unsafe { std::ptr::read(ctx_ref.indirectBranches.add(i)) };
+                IndirectBranchInfo::from(raw)
+            })
+            .collect::<Vec<_>>();
+
+        let indirect_no_return_calls = (0..ctx_ref.indirectNoReturnCallsCount)
+            .map(|i| {
+                let raw = unsafe { std::ptr::read(ctx_ref.indirectNoReturnCalls.add(i)) };
+                ArchAndAddr::from(raw)
+            })
+            .collect::<HashSet<_>>();
+
+        let contextual_returns = (0..ctx_ref.contextualFunctionReturnCount)
+            .map(|i| {
+                let loc = unsafe {
+                    let raw = std::ptr::read(ctx_ref.contextualFunctionReturnLocations.add(i));
+                    ArchAndAddr::from(raw)
+                };
+                let val = unsafe { *ctx_ref.contextualFunctionReturnValues.add(i) };
+                (loc, val)
+            })
+            .collect::<HashMap<_, _>>();
+
+        let direct_code_references = (0..ctx_ref.directRefCount)
+            .map(|i| {
+                let src = unsafe {
+                    let raw = std::ptr::read(ctx_ref.directRefSources.add(i));
+                    ArchAndAddr::from(raw)
+                };
+                let tgt = unsafe { *ctx_ref.directRefTargets.add(i) };
+                (tgt, src)
+            })
+            .collect::<HashMap<_, _>>();
+
+        let direct_no_return_calls = (0..ctx_ref.directNoReturnCallsCount)
+            .map(|i| {
+                let raw = unsafe { std::ptr::read(ctx_ref.directNoReturnCalls.add(i)) };
+                ArchAndAddr::from(raw)
+            })
+            .collect::<HashSet<_>>();
+
+        let halted_disassembly_addresses = (0..ctx_ref.haltedDisassemblyAddressesCount)
+            .map(|i| {
+                let raw = unsafe { std::ptr::read(ctx_ref.haltedDisassemblyAddresses.add(i)) };
+                ArchAndAddr::from(raw)
+            })
+            .collect::<HashSet<_>>();
+
+        BasicBlockAnalysisContext {
+            handle,
+            contextual_returns_dirty: false,
+            indirect_branches,
+            indirect_no_return_calls,
+            analysis_skip_override: ctx_ref.analysisSkipOverride,
+            translate_tail_calls: ctx_ref.translateTailCalls,
+            disallow_branch_to_string: ctx_ref.disallowBranchToString,
+            max_function_size: ctx_ref.maxFunctionSize,
+            halt_on_invalid_instruction: ctx_ref.haltOnInvalidInstructions,
+            max_size_reached: ctx_ref.maxSizeReached,
+            contextual_returns,
+            direct_code_references,
+            direct_no_return_calls,
+            halted_disassembly_addresses,
+        }
+    }
+
+    pub fn add_contextual_return(&mut self, loc: ArchAndAddr, value: bool) {
+        if !self.contextual_returns.contains_key(&loc) {
+            self.contextual_returns_dirty = true;
+        }
+
+        self.contextual_returns.insert(loc, value);
+    }
+
+    pub fn add_direct_code_reference(&mut self, target: u64, src: ArchAndAddr) {
+        self.direct_code_references.entry(target).or_insert(src);
+    }
+
+    pub fn add_direct_no_return_call(&mut self, loc: ArchAndAddr) {
+        self.direct_no_return_calls.insert(loc);
+    }
+
+    pub fn add_halted_disassembly_address(&mut self, loc: ArchAndAddr) {
+        self.halted_disassembly_addresses.insert(loc);
+    }
+
+    pub fn create_basic_block(
+        &self,
+        arch: CoreArchitecture,
+        start: u64,
+    ) -> Option<BasicBlock<NativeBlock>> {
+        let raw_block =
+            unsafe { BNAnalyzeBasicBlocksContextCreateBasicBlock(self.handle, arch.handle, start) };
+
+        if raw_block.is_null() {
+            return None;
+        }
+
+        unsafe { Some(BasicBlock::from_raw(raw_block, NativeBlock::new())) }
+    }
+
+    pub fn add_basic_block(&self, block: &BasicBlock<NativeBlock>) {
+        unsafe {
+            BNAnalyzeBasicBlocksContextAddBasicBlockToFunction(self.handle, block.handle);
+        }
+    }
+
+    pub fn add_temp_outgoing_reference(&self, target: &Function) {
+        unsafe {
+            BNAnalyzeBasicBlocksContextAddTempReference(self.handle, target.handle);
+        }
+    }
+
+    pub fn finalize(&mut self) {
+        if !self.direct_code_references.is_empty() {
+            let total = self.direct_code_references.len();
+            let mut sources: Vec<BNArchitectureAndAddress> = Vec::with_capacity(total);
+            let mut targets: Vec<u64> = Vec::with_capacity(total);
+            for (target, src) in &self.direct_code_references {
+                sources.push(src.into_raw());
+                targets.push(*target);
+            }
+            unsafe {
+                BNAnalyzeBasicBlocksContextSetDirectCodeReferences(
+                    self.handle,
+                    sources.as_mut_ptr(),
+                    targets.as_mut_ptr(),
+                    total,
+                );
+            }
+        }
+
+        if !self.direct_no_return_calls.is_empty() {
+            let total = self.direct_no_return_calls.len();
+            let mut locations: Vec<BNArchitectureAndAddress> = Vec::with_capacity(total);
+            for loc in &self.direct_no_return_calls {
+                locations.push(loc.into_raw());
+            }
+            unsafe {
+                BNAnalyzeBasicBlocksContextSetDirectNoReturnCalls(
+                    self.handle,
+                    locations.as_mut_ptr(),
+                    total,
+                );
+            }
+        }
+
+        if !self.halted_disassembly_addresses.is_empty() {
+            let total = self.halted_disassembly_addresses.len();
+            let mut locations: Vec<BNArchitectureAndAddress> = Vec::with_capacity(total);
+            for loc in &self.halted_disassembly_addresses {
+                locations.push(loc.into_raw());
+            }
+            unsafe {
+                BNAnalyzeBasicBlocksContextSetHaltedDisassemblyAddresses(
+                    self.handle,
+                    locations.as_mut_ptr(),
+                    total,
+                );
+            }
+        }
+
+        if self.contextual_returns_dirty {
+            let total = self.contextual_returns.len();
+            let mut locations: Vec<BNArchitectureAndAddress> = Vec::with_capacity(total);
+            let mut values: Vec<bool> = Vec::with_capacity(total);
+            for (loc, value) in &self.contextual_returns {
+                locations.push(loc.into_raw());
+                values.push(*value);
+            }
+            unsafe {
+                BNAnalyzeBasicBlocksContextSetContextualFunctionReturns(
+                    self.handle,
+                    locations.as_mut_ptr(),
+                    values.as_mut_ptr(),
+                    total,
+                );
+            }
+        }
+
+        unsafe { BNAnalyzeBasicBlocksContextFinalize(self.handle) };
+    }
+}
+
 impl Debug for CoreArchitecture {
     fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
         f.debug_struct("CoreArchitecture")
@@ -2267,9 +2485,9 @@ where
     {
         let custom_arch = unsafe { &*(ctxt as *mut A) };
         let mut function = unsafe { Function::from_raw(function) };
-        unsafe {
-            custom_arch.analyze_basic_blocks(&mut function, context);
-        }
+        let mut context: BasicBlockAnalysisContext =
+            unsafe { BasicBlockAnalysisContext::from_raw(context) };
+        custom_arch.analyze_basic_blocks(&mut function, &mut context);
     }
 
     extern "C" fn cb_reg_name<A>(ctxt: *mut c_void, reg: u32) -> *mut c_char

rust/src/basic_block.rs

@@ -160,6 +160,22 @@ impl<C: BlockContext> BasicBlock<C> {
         C::InstructionIndex::from(unsafe { BNGetBasicBlockEnd(self.handle) })
     }
 
+    pub fn set_end(&self, end: u64) {
+        unsafe {
+            BNSetBasicBlockEnd(self.handle, end);
+        }
+    }
+
+    pub fn add_instruction_data(&self, data: &[u8]) {
+        unsafe {
+            BNBasicBlockAddInstructionData(
+                self.handle,
+                data.as_ptr() as *const _,
+                data.len(),
+            );
+        }
+    }
+
     pub fn raw_length(&self) -> u64 {
         unsafe { BNGetBasicBlockLength(self.handle) }
     }
@@ -194,6 +210,18 @@ impl<C: BlockContext> BasicBlock<C> {
         }
     }
 
+    pub fn add_pending_outgoing_edge(
+        &self,
+        typ: BranchType,
+        addr: u64,
+        arch: CoreArchitecture,
+        fallthrough: bool,
+    ) {
+        unsafe {
+            BNBasicBlockAddPendingOutgoingEdge(self.handle, typ, addr, arch.handle, fallthrough);
+        }
+    }
+
     // is this valid for il blocks? (it looks like up to MLIL it is)
     pub fn has_undetermined_outgoing_edges(&self) -> bool {
         unsafe { BNBasicBlockHasUndeterminedOutgoingEdges(self.handle) }

rust/src/function.rs

@@ -2906,3 +2906,28 @@ unsafe impl CoreArrayProviderInner for Comment {
         }
     }
 }
+
+#[derive(Debug, Clone, Copy, Hash, PartialEq, Eq)]
+pub struct ArchAndAddr {
+    pub arch: CoreArchitecture,
+    pub addr: u64,
+}
+
+impl From<BNArchitectureAndAddress> for ArchAndAddr {
+    fn from(raw: BNArchitectureAndAddress) -> Self {
+        unsafe {
+            let arch = CoreArchitecture::from_raw(raw.arch);
+            let addr = raw.address;
+            ArchAndAddr { arch, addr }
+        }
+    }
+}
+
+impl ArchAndAddr {
+    pub fn into_raw(self) -> BNArchitectureAndAddress {
+        BNArchitectureAndAddress {
+            arch: self.arch.handle,
+            address: self.addr,
+        }
+    }
+}