dotscope 0.7.0

A high-performance, cross-platform framework for analyzing and reverse engineering .NET PE executables
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296

//! Trace filtering for method-level and depth-level tracing control.
//!
//! Complex emulation runs (e.g., PureLogs string decryption) can execute
//! millions of instructions across thousands of methods, producing trace
//! files in the tens of gigabytes. The [`TraceFilter`] allows restricting
//! trace output to only the methods and call depths of interest, making
//! traces manageable for debugging.
//!
//! # Filtering Dimensions
//!
//! Three independent filtering dimensions can be combined:
//!
//! - **Method tokens** — a whitelist of specific method tokens to trace.
//!   When non-empty, only methods in the list produce events.
//! - **Name patterns** — glob-style patterns matching namespace, type, and
//!   method name (e.g., `"System.IO*"` matches all `System.IO` types).
//!   Patterns are applied in order; the last matching pattern wins.
//! - **Call depth** — minimum and/or maximum call depth limits. Useful for
//!   focusing on top-level dispatch without drilling into BCL internals.
//!
//! # Usage
//!
//! ```rust,ignore
//! use dotscope::emulation::{TraceFilter, MethodPattern};
//!
//! // Only trace a specific decryptor method
//! let filter = TraceFilter {
//!     method_tokens: vec![Token::new(0x0600_0D12)],
//!     ..TraceFilter::default()
//! };
//!
//! // Trace all System.IO methods at depth 1-5
//! let filter = TraceFilter {
//!     method_patterns: vec![MethodPattern {
//!         namespace: Some("System.IO*".into()),
//!         type_name: None,
//!         method_name: None,
//!         include: true,
//!     }],
//!     min_depth: Some(1),
//!     max_depth: Some(5),
//!     ..TraceFilter::default()
//! };
//! ```
//!
//! # Integration
//!
//! The filter is stored in [`TracingConfig`](crate::emulation::TracingConfig)
//! and checked by the controller at each trace point. When the filter
//! rejects a method, no trace event is emitted — the overhead is a single
//! `should_trace()` call per event.

use crate::metadata::token::Token;

/// Controls which trace events are emitted based on method tokens,
/// name patterns, and call depth.
#[derive(Clone, Debug, Default)]
pub struct TraceFilter {
    /// Only trace these specific method tokens (empty = all methods).
    pub method_tokens: Vec<Token>,
    /// Glob patterns for method matching (namespace/type/method).
    pub method_patterns: Vec<MethodPattern>,
    /// Minimum call depth to trace (None = no minimum).
    pub min_depth: Option<u32>,
    /// Maximum call depth to trace (None = no maximum).
    pub max_depth: Option<u32>,
    /// Whether to capture argument values as strings in call events.
    pub capture_arguments: bool,
    /// Whether to capture return values as strings in return events.
    pub capture_returns: bool,
    /// Instruction trace verbosity level.
    pub instructions: InstructionTraceLevel,
}

/// Glob-style method name pattern for trace filtering.
#[derive(Clone, Debug)]
pub struct MethodPattern {
    /// Namespace pattern (e.g., "System.Collections.*"). None matches any.
    pub namespace: Option<String>,
    /// Type name pattern. None matches any.
    pub type_name: Option<String>,
    /// Method name pattern. None matches any.
    pub method_name: Option<String>,
    /// Whether this is an include (true) or exclude (false) pattern.
    pub include: bool,
}

/// Instruction-level trace verbosity.
#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
pub enum InstructionTraceLevel {
    /// No instruction tracing.
    Off,
    /// Only trace call/callvirt/ret instructions.
    CallsOnly,
    /// Trace calls and branch instructions.
    BranchesAndCalls,
    /// Trace all instructions.
    #[default]
    All,
}

impl TraceFilter {
    /// Returns a filter that allows everything (no filtering).
    #[must_use]
    pub fn allow_all() -> Self {
        Self::default()
    }

    /// Checks if a method at the given call depth should be traced.
    ///
    /// Evaluates the depth limits and token whitelist. Returns `true` if the
    /// method passes all active filters.
    ///
    /// # Arguments
    ///
    /// * `method_token` — Token of the method being called.
    /// * `call_depth` — Current call stack depth (0 = entry point).
    ///
    /// # Returns
    ///
    /// `true` if trace events should be emitted for this method, `false` to
    /// suppress them.
    #[must_use]
    pub fn should_trace(&self, method_token: Token, call_depth: u32) -> bool {
        // Check depth limits
        if let Some(min) = self.min_depth {
            if call_depth < min {
                return false;
            }
        }
        if let Some(max) = self.max_depth {
            if call_depth > max {
                return false;
            }
        }

        // Check token whitelist
        if !self.method_tokens.is_empty() && !self.method_tokens.contains(&method_token) {
            return false;
        }

        true
    }

    /// Checks if a method should be traced using name-based patterns.
    ///
    /// Unlike [`should_trace`](Self::should_trace), this method matches against
    /// the method's namespace, type name, and method name rather than its token.
    /// Patterns are evaluated in order; the last matching pattern determines
    /// inclusion (allowing exclude-then-include layering).
    ///
    /// # Arguments
    ///
    /// * `namespace` — Namespace of the method's declaring type (e.g., `"System.IO"`).
    /// * `type_name` — Name of the method's declaring type (e.g., `"Stream"`).
    /// * `method_name` — Name of the method (e.g., `"Read"`).
    /// * `call_depth` — Current call stack depth (0 = entry point).
    ///
    /// # Returns
    ///
    /// `true` if trace events should be emitted, `false` to suppress.
    /// Returns `true` when no patterns are configured (empty = trace everything).
    #[must_use]
    pub fn should_trace_by_name(
        &self,
        namespace: &str,
        type_name: &str,
        method_name: &str,
        call_depth: u32,
    ) -> bool {
        // Check depth limits
        if let Some(min) = self.min_depth {
            if call_depth < min {
                return false;
            }
        }
        if let Some(max) = self.max_depth {
            if call_depth > max {
                return false;
            }
        }

        // No patterns = trace everything
        if self.method_patterns.is_empty() {
            return true;
        }

        // Check patterns — start with default include, apply patterns in order
        let mut included = false;
        for pattern in &self.method_patterns {
            if pattern_matches(pattern, namespace, type_name, method_name) {
                included = pattern.include;
            }
        }

        included
    }
}

/// Simple glob matching (only supports trailing `*`).
fn glob_matches(pattern: &str, value: &str) -> bool {
    if pattern == "*" {
        return true;
    }
    if let Some(prefix) = pattern.strip_suffix('*') {
        value.starts_with(prefix)
    } else {
        pattern == value
    }
}

fn pattern_matches(
    pattern: &MethodPattern,
    namespace: &str,
    type_name: &str,
    method_name: &str,
) -> bool {
    if let Some(ref ns) = pattern.namespace {
        if !glob_matches(ns, namespace) {
            return false;
        }
    }
    if let Some(ref tn) = pattern.type_name {
        if !glob_matches(tn, type_name) {
            return false;
        }
    }
    if let Some(ref mn) = pattern.method_name {
        if !glob_matches(mn, method_name) {
            return false;
        }
    }
    true
}

#[cfg(test)]
mod tests {
    use crate::{
        emulation::tracer::filter::{InstructionTraceLevel, MethodPattern, TraceFilter},
        metadata::token::Token,
    };

    #[test]
    fn test_allow_all_traces_everything() {
        let filter = TraceFilter::allow_all();
        assert!(filter.should_trace(Token::new(0x0600_0001), 0));
        assert!(filter.should_trace(Token::new(0x0600_0001), 100));
    }

    #[test]
    fn test_depth_limits() {
        let filter = TraceFilter {
            min_depth: Some(2),
            max_depth: Some(5),
            ..TraceFilter::default()
        };
        assert!(!filter.should_trace(Token::new(0x0600_0001), 1));
        assert!(filter.should_trace(Token::new(0x0600_0001), 3));
        assert!(!filter.should_trace(Token::new(0x0600_0001), 6));
    }

    #[test]
    fn test_token_whitelist() {
        let target = Token::new(0x0600_0001);
        let other = Token::new(0x0600_0002);
        let filter = TraceFilter {
            method_tokens: vec![target],
            ..TraceFilter::default()
        };
        assert!(filter.should_trace(target, 0));
        assert!(!filter.should_trace(other, 0));
    }

    #[test]
    fn test_name_pattern_matching() {
        let filter = TraceFilter {
            method_patterns: vec![MethodPattern {
                namespace: Some("System.IO*".to_string()),
                type_name: None,
                method_name: None,
                include: true,
            }],
            ..TraceFilter::default()
        };

        assert!(filter.should_trace_by_name("System.IO", "Stream", "Read", 0));
        assert!(filter.should_trace_by_name("System.IO.Compression", "GZipStream", "Read", 0));
        assert!(!filter.should_trace_by_name("System.Text", "Encoding", "GetBytes", 0));
    }

    #[test]
    fn test_default_instruction_level() {
        let filter = TraceFilter::default();
        assert_eq!(filter.instructions, InstructionTraceLevel::All);
    }
}