hub / github.com/mandiant/flare-floss / emulate_decoding_routine

Function emulate_decoding_routine

floss/string_decoder.py:179–212

Emulate a function with a given context and extract the CPU and memory contexts at interesting points during emulation. These "interesting points" include calls to other functions and the final state. Emulation terminates if the CPU executes an unexpected region of memory, or the function returns.

(vw, function_index, function: int, context, max_instruction_count: int)


def emulate_decoding_routine(vw, function_index, function: int, context, max_instruction_count: int) -> List[Delta]:
    """
    Emulate a function with a given context and extract the CPU and
     memory contexts at interesting points during emulation.
    These "interesting points" include calls to other functions and
     the final state.
    Emulation terminates if the CPU executes an unexpected region of
     memory, or the function returns.
    Implementation note: currently limits emulation to 20,000 instructions.
    This prevents unexpected infinite loops.
    This number is taken from emulating the decoding of "Hello world" using RC4.


    :param vw: The vivisect workspace in which the function is defined.
    :type function_index: viv_utils.FunctionIndex
    :param function: The address of the function to emulate.
    :type context: function_argument_getter.FunctionContext
    :param context: The initial state of the CPU and memory
      prior to the function being called.
    :param max_instruction_count: The maximum number of instructions to emulate per function.
    :rtype: Sequence[decoding_manager.Delta]
    """
    # Build a fresh emulator for the workspace and restore the snapshot
    # captured at the call site, so emulation starts from the caller's state.
    emu = floss.utils.make_emulator(vw)
    emu.setEmuSnap(context.emu_snap)
    logger.trace(
        "Emulating function at 0x%08x called at 0x%08x, return address: 0x%08x",
        function,
        context.decoded_at_va,
        context.return_address,
    )
    # Run the function until it returns to context.return_address or the
    # instruction budget is exhausted, collecting the state deltas.
    deltas = floss.decoding_manager.emulate_function(
        emu, function_index, function, context.return_address, max_instruction_count
    )
    return deltas

Callers 1

decode_strings · Function · 0.85

Calls 1

trace · Method · 0.80

Tested by

no test coverage detected