dotscope 0.6.0

A high-performance, cross-platform framework for analyzing and reverse engineering .NET PE executables
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286

//! Data flow analysis framework trait and direction.
//!
//! This module defines the core abstraction for data flow analyses. Any
//! specific analysis (reaching definitions, liveness, constant propagation)
//! implements the [`DataFlowAnalysis`] trait to work with the solver.

use std::fmt::Debug;

use crate::{
    analysis::{
        dataflow::lattice::MeetSemiLattice, ControlFlowGraph, SsaBlock, SsaCfg, SsaFunction,
    },
    utils::graph::{NodeId, Predecessors, RootedGraph, Successors},
};

/// Trait for control flow graphs usable with the dataflow solver.
///
/// This trait abstracts over different CFG implementations, allowing the solver
/// to work with both [`ControlFlowGraph`] (CIL-level) and [`SsaCfg`] (SSA-level).
///
/// [`ControlFlowGraph`]: crate::analysis::ControlFlowGraph
/// [`SsaCfg`]: crate::analysis::SsaCfg
pub trait DataFlowCfg: Predecessors + Successors {
    /// Returns the entry node of the CFG.
    fn entry(&self) -> NodeId;

    /// Returns the exit nodes of the CFG.
    fn exits(&self) -> Vec<NodeId>;

    /// Returns nodes in postorder (for backward analysis).
    fn postorder(&self) -> Vec<NodeId>;

    /// Returns nodes in reverse postorder (for forward analysis).
    fn reverse_postorder(&self) -> Vec<NodeId>;
}

/// Direction of data flow analysis.
///
/// The direction determines how information propagates through the CFG
/// and which operation (meet or join) is used at control flow merge points.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Direction {
    /// Information flows forward, from entry to exit.
    ///
    /// At join points (blocks with multiple predecessors), values from
    /// all predecessors are combined using the meet operation.
    ///
    /// Examples: reaching definitions, available expressions, constant propagation.
    Forward,

    /// Information flows backward, from exit to entry.
    ///
    /// At split points (blocks with multiple successors), values from
    /// all successors are combined.
    ///
    /// Examples: live variables, very busy expressions.
    Backward,
}

/// A data flow analysis that can be run on SSA form.
///
/// This trait defines the interface for a data flow analysis. Implementations
/// provide the transfer function and boundary conditions; the solver handles
/// iteration to a fixpoint.
///
/// # Type Parameters
///
/// * `L` - The lattice type representing abstract values at each program point
///
/// # Direction
///
/// The `DIRECTION` constant specifies whether this is a forward or backward
/// analysis. The solver uses this to determine iteration order and how to
/// combine values at control flow merge points.
///
/// # Transfer Functions
///
/// The core of any data flow analysis is the transfer function, which
/// describes how flowing through a basic block transforms the abstract state.
///
/// For forward analyses: `out[B] = transfer(B, in[B])`
/// For backward analyses: `in[B] = transfer(B, out[B])`
///
/// # Example
///
/// ```rust,ignore
/// use dotscope::analysis::{DataFlowAnalysis, Direction, MeetSemiLattice};
///
/// struct MyAnalysis;
///
/// impl DataFlowAnalysis for MyAnalysis {
///     type Lattice = MyLattice;
///     const DIRECTION: Direction = Direction::Forward;
///
///     fn boundary(&self, _ssa: &SsaFunction) -> Self::Lattice {
///         MyLattice::initial_at_entry()
///     }
///
///     fn initial(&self, _ssa: &SsaFunction) -> Self::Lattice {
///         MyLattice::top()
///     }
///
///     fn transfer(
///         &self,
///         block_id: usize,
///         block: &SsaBlock,
///         input: &Self::Lattice,
///         ssa: &SsaFunction,
///     ) -> Self::Lattice {
///         // Compute the output state from the input state
///         // by applying the block's effects
///         todo!()
///     }
/// }
/// ```
pub trait DataFlowAnalysis {
    /// The lattice type for this analysis.
    ///
    /// This must implement `MeetSemiLattice` to support combining values
    /// at control flow merge points.
    type Lattice: MeetSemiLattice;

    /// The direction of this analysis.
    const DIRECTION: Direction;

    /// Returns the initial value at the boundary of the function.
    ///
    /// For forward analyses, this is the value at function entry.
    /// For backward analyses, this is the value at function exit(s).
    ///
    /// This often represents the "known" information at the boundary,
    /// such as "all parameters are defined" for reaching definitions.
    fn boundary(&self, ssa: &SsaFunction) -> Self::Lattice;

    /// Returns the initial value for interior blocks.
    ///
    /// This is the value used to initialize all non-boundary blocks
    /// before iteration begins. For most analyses, this is the top
    /// element of the lattice (no information).
    fn initial(&self, ssa: &SsaFunction) -> Self::Lattice;

    /// Computes the transfer function for a basic block.
    ///
    /// Given the input state to a block, computes the output state
    /// after flowing through the block.
    ///
    /// # Arguments
    ///
    /// * `block_id` - The index of the block being processed
    /// * `block` - The SSA block
    /// * `input` - The abstract state flowing into (forward) or out of (backward) the block
    /// * `ssa` - The complete SSA function for context
    ///
    /// # Returns
    ///
    /// The abstract state after flowing through the block.
    fn transfer(
        &self,
        block_id: usize,
        block: &SsaBlock,
        input: &Self::Lattice,
        ssa: &SsaFunction,
    ) -> Self::Lattice;

    /// Called when analysis is complete.
    ///
    /// This hook allows analyses to perform post-processing, such as
    /// computing per-instruction results from block-level results.
    ///
    /// The default implementation does nothing.
    fn finalize(
        &mut self,
        _in_states: &[Self::Lattice],
        _out_states: &[Self::Lattice],
        _ssa: &SsaFunction,
    ) {
        // Default: no post-processing
    }
}

/// Results of a data flow analysis.
///
/// This provides access to the computed abstract values at block boundaries.
#[derive(Debug, Clone)]
pub struct AnalysisResults<L> {
    /// Input state for each block (before transfer function).
    pub in_states: Vec<L>,
    /// Output state for each block (after transfer function).
    pub out_states: Vec<L>,
}

impl<L: Clone> AnalysisResults<L> {
    /// Creates new analysis results with the given states.
    ///
    /// # Arguments
    ///
    /// * `in_states` - The input states for each block
    /// * `out_states` - The output states for each block
    ///
    /// # Returns
    ///
    /// A new [`AnalysisResults`] instance.
    #[must_use]
    pub fn new(in_states: Vec<L>, out_states: Vec<L>) -> Self {
        Self {
            in_states,
            out_states,
        }
    }

    /// Returns the input state for a block.
    ///
    /// # Arguments
    ///
    /// * `block` - The block index to query
    ///
    /// # Returns
    ///
    /// The input state for the block, or `None` if the index is out of bounds.
    #[must_use]
    pub fn in_state(&self, block: usize) -> Option<&L> {
        self.in_states.get(block)
    }

    /// Returns the output state for a block.
    ///
    /// # Arguments
    ///
    /// * `block` - The block index to query
    ///
    /// # Returns
    ///
    /// The output state for the block, or `None` if the index is out of bounds.
    #[must_use]
    pub fn out_state(&self, block: usize) -> Option<&L> {
        self.out_states.get(block)
    }

    /// Returns the number of blocks.
    ///
    /// # Returns
    ///
    /// The total number of blocks in the analysis results.
    #[must_use]
    pub fn block_count(&self) -> usize {
        self.in_states.len()
    }
}

// Implement DataFlowCfg for ControlFlowGraph
impl DataFlowCfg for ControlFlowGraph<'_> {
    fn entry(&self) -> NodeId {
        RootedGraph::entry(self)
    }

    fn exits(&self) -> Vec<NodeId> {
        self.exits().to_vec()
    }

    fn postorder(&self) -> Vec<NodeId> {
        self.postorder()
    }

    fn reverse_postorder(&self) -> Vec<NodeId> {
        self.reverse_postorder()
    }
}

// Implement DataFlowCfg for SsaCfg
impl DataFlowCfg for SsaCfg<'_> {
    fn entry(&self) -> NodeId {
        RootedGraph::entry(self)
    }

    fn exits(&self) -> Vec<NodeId> {
        self.exits()
    }

    fn postorder(&self) -> Vec<NodeId> {
        self.postorder()
    }

    fn reverse_postorder(&self) -> Vec<NodeId> {
        self.reverse_postorder()
    }
}