dotscope 0.6.0

A high-performance, cross-platform framework for analyzing and reverse engineering .NET PE executables
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333

//! Call site representation and call target types.
//!
//! This module defines the types used to represent individual call instructions
//! and their resolved targets within the call graph.

use crate::metadata::token::Token;

/// Type of call instruction.
///
/// Represents the different CIL opcodes that can invoke methods, ranging from
/// direct calls to virtual dispatch and indirect function pointer invocations.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum CallType {
    /// Direct call instruction (`call`).
    Call,
    /// Virtual call instruction (`callvirt`).
    CallVirt,
    /// Tail call (`tail.call` or `tail.callvirt`).
    TailCall,
    /// Object construction (`newobj`).
    NewObj,
    /// Indirect call through function pointer (`calli`).
    Calli,
    /// Load function pointer (`ldftn`).
    Ldftn,
    /// Load virtual function pointer (`ldvirtftn`).
    LdVirtFtn,
}

impl CallType {
    /// Returns `true` if this is a virtual call that requires runtime dispatch.
    ///
    /// Virtual calls use the actual runtime type of the receiver object to
    /// determine the method implementation to invoke.
    ///
    /// # Returns
    ///
    /// `true` for `CallVirt` and `LdVirtFtn` call types, `false` otherwise.
    #[must_use]
    pub const fn is_virtual(&self) -> bool {
        matches!(self, Self::CallVirt | Self::LdVirtFtn)
    }

    /// Returns `true` if this is an indirect call through a function pointer.
    ///
    /// Indirect calls invoke a method through a computed address rather than
    /// a statically resolved method token.
    ///
    /// # Returns
    ///
    /// `true` for `Calli` call type, `false` otherwise.
    #[must_use]
    pub const fn is_indirect(&self) -> bool {
        matches!(self, Self::Calli)
    }

    /// Returns `true` if this call creates a new object.
    ///
    /// Constructor calls allocate a new object and invoke its constructor.
    ///
    /// # Returns
    ///
    /// `true` for `NewObj` call type, `false` otherwise.
    #[must_use]
    pub const fn is_constructor(&self) -> bool {
        matches!(self, Self::NewObj)
    }
}

/// Resolved target of a call instruction.
///
/// Represents the outcome of call target resolution, which may be a single
/// resolved method, multiple possible targets (for virtual calls), or various
/// unresolved states.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum CallTarget {
    /// Resolved to a specific method in the current assembly.
    Resolved(Token),

    /// Virtual call with multiple possible targets from Class Hierarchy Analysis.
    Virtual {
        /// The declared method being called.
        declared: Token,
        /// All possible runtime targets (including overrides).
        possible_targets: Vec<Token>,
    },

    /// Call to an external method (different assembly).
    External {
        /// The assembly reference name.
        assembly: String,
        /// The full method signature string.
        method: String,
    },

    /// Delegate or function pointer invocation.
    Delegate {
        /// The delegate type token (if known).
        delegate_type: Option<Token>,
    },

    /// Indirect call through computed function pointer.
    Indirect,

    /// Target could not be resolved.
    Unresolved {
        /// The original token that couldn't be resolved.
        token: Token,
        /// Reason for resolution failure.
        reason: String,
    },
}

impl CallTarget {
    /// Returns `true` if this target was successfully resolved.
    ///
    /// A target is considered resolved if we know what method(s) could be
    /// invoked at runtime, even if there are multiple possibilities.
    ///
    /// # Returns
    ///
    /// `true` for `Resolved`, `Virtual`, and `External` variants, `false` otherwise.
    #[must_use]
    pub const fn is_resolved(&self) -> bool {
        matches!(
            self,
            Self::Resolved(_) | Self::Virtual { .. } | Self::External { .. }
        )
    }

    /// Returns the primary target token, if available.
    ///
    /// For resolved calls, returns the method token. For virtual calls, returns
    /// the declared method token. For unresolved calls, returns the original
    /// token that couldn't be resolved.
    ///
    /// # Returns
    ///
    /// - `Some(token)` for `Resolved`, `Virtual`, and `Unresolved` variants
    /// - `None` for `External`, `Delegate`, and `Indirect` variants
    #[must_use]
    pub fn primary_token(&self) -> Option<Token> {
        match self {
            Self::Resolved(token) | Self::Unresolved { token, .. } => Some(*token),
            Self::Virtual { declared, .. } => Some(*declared),
            _ => None,
        }
    }

    /// Returns all possible target tokens for this call.
    ///
    /// For resolved calls, returns a single-element vector. For virtual calls,
    /// returns all possible runtime targets determined by Class Hierarchy Analysis.
    ///
    /// # Returns
    ///
    /// A vector of method tokens. Empty for `External`, `Delegate`, and `Indirect` variants.
    /// For `Unresolved` variants, returns the original unresolved token to allow
    /// external method references (MemberRef/MethodSpec) to be included in the call graph.
    #[must_use]
    pub fn all_targets(&self) -> Vec<Token> {
        match self {
            Self::Resolved(token) | Self::Unresolved { token, .. } => vec![*token],
            Self::Virtual {
                possible_targets, ..
            } => possible_targets.clone(),
            _ => Vec::new(),
        }
    }
}

/// A specific call instruction within a method body.
///
/// Represents a single call site, including its location (IL offset), the type
/// of call instruction, and the resolved target.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct CallSite {
    /// IL offset of the call instruction within the method body.
    pub offset: u32,
    /// Type of call instruction.
    pub call_type: CallType,
    /// Resolved target of the call.
    pub target: CallTarget,
}

impl CallSite {
    /// Creates a new call site.
    ///
    /// # Arguments
    ///
    /// * `offset` - The IL offset of the call instruction within the method body
    /// * `call_type` - The type of call instruction (call, callvirt, etc.)
    /// * `target` - The resolved target of the call
    ///
    /// # Returns
    ///
    /// A new `CallSite` instance with the specified properties.
    #[must_use]
    pub const fn new(offset: u32, call_type: CallType, target: CallTarget) -> Self {
        Self {
            offset,
            call_type,
            target,
        }
    }

    /// Returns `true` if this call may have multiple runtime targets.
    ///
    /// A polymorphic call site is a virtual call where Class Hierarchy Analysis
    /// determined that multiple method implementations could be invoked at runtime.
    ///
    /// # Returns
    ///
    /// `true` if the call target has more than one possible implementation,
    /// `false` otherwise.
    #[must_use]
    pub fn is_polymorphic(&self) -> bool {
        matches!(
            &self.target,
            CallTarget::Virtual {
                possible_targets, ..
            } if possible_targets.len() > 1
        )
    }

    /// Returns `true` if the call target is fully resolved.
    ///
    /// # Returns
    ///
    /// `true` if we know what method(s) could be invoked, `false` for unresolved
    /// or indirect calls.
    #[must_use]
    pub const fn is_resolved(&self) -> bool {
        self.target.is_resolved()
    }
}

#[cfg(test)]
mod tests {
    use crate::analysis::callgraph::{CallSite, CallTarget, CallType};
    use crate::metadata::token::Token;

    #[test]
    fn test_call_type_properties() {
        assert!(!CallType::Call.is_virtual());
        assert!(CallType::CallVirt.is_virtual());
        assert!(CallType::LdVirtFtn.is_virtual());
        assert!(!CallType::Calli.is_virtual());

        assert!(!CallType::Call.is_indirect());
        assert!(CallType::Calli.is_indirect());

        assert!(!CallType::Call.is_constructor());
        assert!(CallType::NewObj.is_constructor());
    }

    #[test]
    fn test_call_target_resolved() {
        let token = Token::new(0x0600_0001);
        let resolved = CallTarget::Resolved(token);
        assert!(resolved.is_resolved());
        assert_eq!(resolved.primary_token(), Some(token));
        assert_eq!(resolved.all_targets(), vec![token]);
    }

    #[test]
    fn test_call_target_virtual() {
        let declared = Token::new(0x0600_0001);
        let target1 = Token::new(0x0600_0002);
        let target2 = Token::new(0x0600_0003);
        let virtual_target = CallTarget::Virtual {
            declared,
            possible_targets: vec![target1, target2],
        };

        assert!(virtual_target.is_resolved());
        assert_eq!(virtual_target.primary_token(), Some(declared));
        assert_eq!(virtual_target.all_targets(), vec![target1, target2]);
    }

    #[test]
    fn test_call_target_external() {
        let external = CallTarget::External {
            assembly: "mscorlib".to_string(),
            method: "System.Console::WriteLine".to_string(),
        };
        assert!(external.is_resolved());
        assert_eq!(external.primary_token(), None);
        assert!(external.all_targets().is_empty());
    }

    #[test]
    fn test_call_target_unresolved() {
        let token = Token::new(0x0A00_0001);
        let unresolved = CallTarget::Unresolved {
            token,
            reason: "External assembly not loaded".to_string(),
        };
        assert!(!unresolved.is_resolved());
        assert_eq!(unresolved.primary_token(), Some(token));
    }

    #[test]
    fn test_call_site_polymorphic() {
        let declared = Token::new(0x0600_0001);

        // Single target - not polymorphic
        let single = CallSite::new(
            0,
            CallType::CallVirt,
            CallTarget::Virtual {
                declared,
                possible_targets: vec![declared],
            },
        );
        assert!(!single.is_polymorphic());

        // Multiple targets - polymorphic
        let multiple = CallSite::new(
            0,
            CallType::CallVirt,
            CallTarget::Virtual {
                declared,
                possible_targets: vec![declared, Token::new(0x0600_0002)],
            },
        );
        assert!(multiple.is_polymorphic());

        // Direct call - not polymorphic
        let direct = CallSite::new(0, CallType::Call, CallTarget::Resolved(declared));
        assert!(!direct.is_polymorphic());
    }
}