hub / github.com/mandiant/flare-floss / extract_decoding_contexts

Function extract_decoding_contexts

floss/function_argument_getter.py:50–69

Extract the CPU and memory contexts of all calls to the given function. Under the hood, we brute-force emulate all code paths to extract the state of the stack, registers, and global memory at each call to the given address.

(
    vw: vivisect.VivWorkspace, decoder_fva: int, index: viv_utils.InstructionFunctionIndex
)

Source from the content-addressed store, hash-verified

def extract_decoding_contexts(
    vw: vivisect.VivWorkspace, decoder_fva: int, index: viv_utils.InstructionFunctionIndex
) -> List[FunctionContext]:
    """
    Extract the CPU and memory contexts of all calls to the given function.
    Under the hood, we brute-force emulate all code paths to extract the
    state of the stack, registers, and global memory at each call to
    the given address.
    """
    logger.trace("Getting function context for function at 0x%08x...", decoder_fva)

    emu = floss.utils.make_emulator(vw)
    driver = viv_utils.emulator_drivers.FullCoverageEmulatorDriver(emu, repmax=1024)

    contexts = list()
    for caller_va in get_caller_vas(vw, decoder_fva):
        contexts.extend(get_contexts_via_monitor(driver, caller_va, decoder_fva, index))

    logger.trace("Got %d function contexts for function at 0x%08x.", len(contexts), decoder_fva)
    return contexts


def get_caller_vas(vw, fva) -> Set[int]:

Callers 1

decode_strings (Function · 0.90)

Calls 3

get_caller_vas (Function · 0.85)
get_contexts_via_monitor (Function · 0.85)
trace (Method · 0.80)

Tested by

no test coverage detected