This crate includes Rust bindings to the Ghidra SLEIGH library libsla for translating native code to p-code. This allows binary analysis programs to model p-code instead of needing to model each processor architecture separately.
§Examples
§Native Disassembly
This example disassembles the PUSH RBP x86-64 instruction (byte 0x55).
```rust
let sleigh = GhidraSleigh::builder()
    .processor_spec(sleigh_config::processor_x86::PSPEC_X86_64)?
    .build(sleigh_config::processor_x86::SLA_X86_64)?;
// The PUSH RBP instruction is the single byte 0x55.
let instructions = InstructionBytes::new(vec![0x55]);
// InstructionBytes is a simple byte loader that does not model multiple address spaces.
// However, an address space is required, so for simplicity use the default code space.
let address_space = sleigh.default_code_space();
// Start disassembly from the first byte (index 0).
let instruction_address = Address::new(address_space, 0);
// Confirm that this is indeed PUSH RBP.
let native_disassembly = sleigh.disassemble_native(&instructions, instruction_address)?;
assert_eq!(native_disassembly.instruction.mnemonic, "PUSH");
assert_eq!(native_disassembly.instruction.body, "RBP");
```
§Pcode Disassembly
This example disassembles the PUSH RBP x86-64 instruction (0x55) into pcode. The pcode for this instruction is:
```
COPY temp <- RBP
SUBTRACT RSP <- RSP 0x8
STORE [RSP] <- temp
```
```rust
let sleigh = GhidraSleigh::builder()
    .processor_spec(sleigh_config::processor_x86::PSPEC_X86_64)?
    .build(sleigh_config::processor_x86::SLA_X86_64)?;
// PUSH RBP
let instructions = InstructionBytes::new(vec![0x55]);
let instruction_address = Address::new(sleigh.default_code_space(), 0);
let pcode_disassembly = sleigh.disassemble_pcode(&instructions, instruction_address)?;
let pcode_instructions = pcode_disassembly.instructions;
assert_eq!(pcode_instructions.len(), 3, "There should be 3 pcode instructions");
// Copy RBP into a temporary
let copy_destination = pcode_instructions[0].output.as_ref().unwrap();
assert_eq!(pcode_instructions[0].op_code, OpCode::Copy);
assert_eq!(sleigh.register_name(&pcode_instructions[0].inputs[0]).unwrap(), "RBP");
// Subtract 8 bytes from RSP
assert_eq!(pcode_instructions[1].op_code, OpCode::Int(IntOp::Subtract));
assert_eq!(sleigh.register_name(&pcode_instructions[1].inputs[0]).unwrap(), "RSP");
assert_eq!(pcode_instructions[1].inputs[1].address.offset, 8);
// Store the temporary (RBP) into the memory address pointed to by RSP.
// STORE inputs are: [0] the target address space, [1] the pointer, [2] the value.
assert_eq!(pcode_instructions[2].op_code, OpCode::Store);
assert_eq!(sleigh.register_name(&pcode_instructions[2].inputs[1]).unwrap(), "RSP");
assert_eq!(&pcode_instructions[2].inputs[2], copy_destination);
```
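To make the semantics of those three p-code operations concrete, the following is an added example (not code from this crate) that executes the PUSH RBP sequence on a tiny stand-in machine model. The `Space`, `Varnode`, `Op` and `Machine` types and the register offsets are assumptions for this example only; they are not the crate's `VarnodeData`, `OpCode` or register layout.

```rust
use std::collections::HashMap;
// Stand-ins for the crate's address spaces and VarnodeData (assumed, not the crate's types).
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)] enum Space { Register, Unique, Const, Ram }
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)] struct Varnode { space: Space, offset: u64, size: u8 }

// The three p-code operations PUSH RBP lowers to (STORE's address-space input is fixed to Ram here).
#[derive(Clone, Copy, Debug)]
enum Op {
    Copy { out: Varnode, input: Varnode },
    IntSub { out: Varnode, a: Varnode, b: Varnode },
    Store { ptr: Varnode, value: Varnode },
}

// Machine state keyed by (space, offset); every cell holds an 8-byte value in this model.
#[derive(Default)] struct Machine { state: HashMap<(Space, u64), u64> }

impl Machine {
    fn read(&self, v: Varnode) -> u64 {
        // A constant varnode encodes its value in its offset field.
        if v.space == Space::Const { v.offset } else { *self.state.get(&(v.space, v.offset)).unwrap_or(&0) }
    }
    fn write(&mut self, v: Varnode, val: u64) { self.state.insert((v.space, v.offset), val); }
    fn step(&mut self, op: Op) {
        match op {
            Op::Copy { out, input } => { let x = self.read(input); self.write(out, x) }
            Op::IntSub { out, a, b } => { let r = self.read(a).wrapping_sub(self.read(b)); self.write(out, r) }
            Op::Store { ptr, value } => { // dereference the pointer, then write the value into RAM
                let (addr, x) = (self.read(ptr), self.read(value));
                self.write(Varnode { space: Space::Ram, offset: addr, size: 8 }, x)
            }
        }
    }
}

// Register offsets are constructed placeholders, not the real register-space layout.
const RBP: Varnode = Varnode { space: Space::Register, offset: 0x28, size: 8 };
const RSP: Varnode = Varnode { space: Space::Register, offset: 0x20, size: 8 };
const TEMP: Varnode = Varnode { space: Space::Unique, offset: 0x100, size: 8 };
const EIGHT: Varnode = Varnode { space: Space::Const, offset: 8, size: 8 };

// Executes the PUSH RBP sequence; returns (new RSP, value now stored at [new RSP]).
fn run_push_rbp(rsp: u64, rbp: u64) -> (u64, u64) {
    let pcode = [
        Op::Copy { out: TEMP, input: RBP },        // COPY temp <- RBP
        Op::IntSub { out: RSP, a: RSP, b: EIGHT }, // SUBTRACT RSP <- RSP 0x8
        Op::Store { ptr: RSP, value: TEMP },       // STORE [RSP] <- temp
    ];
    let mut m = Machine::default();
    m.write(RSP, rsp); m.write(RBP, rbp);
    pcode.iter().for_each(|&op| m.step(op));
    let new_rsp = m.read(RSP);
    (new_rsp, m.read(Varnode { space: Space::Ram, offset: new_rsp, size: 8 }))
}
```

Because INT_SUB wraps, the model also shows what a stack pointer near zero does on a PUSH, which is the kind of edge an emulator built on p-code has to account for.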
Structs§
- Address - An address is represented by an offset into an address space
- AddressSpace - Information about an address space
- AddressSpaceId - Address space identifier for an address space. While this value is unique, it is NOT guaranteed to be deterministically constructed. This means different instances of Sleigh may identify the same address space with different identifiers.
- AssemblyInstruction - A disassembled native assembly instruction
- GhidraSleigh - Sleigh instance that uses Ghidra libsla for its disassembly.
- GhidraSleighBuilder - Builder for GhidraSleigh. The parameter P tracks whether the processor specification has been provided.
- InstructionBytes - A sequence of instruction bytes which can be used by Sleigh for disassembly.
- NativeDisassembly - Disassembly of an instruction into its native assembly
- PcodeDisassembly - Disassembly of an instruction into pcode
- PcodeInstruction - A pcode instruction. Interpreting the pcode instruction can require additional context in some cases. For example, the OpCode::Load operation encodes the AddressSpace using the AddressSpaceId. This identifier in particular may differ across Sleigh instances.
- VarnodeData - A VarnodeData represents the address and size of data.
Enums§
- AddressSpaceType - Types for an AddressSpace.
- AnalysisOp - Operations which are only generated by analysis programs. These operations are not permitted for use in processor specifications and therefore will never be emitted when directly translating machine instructions.
- BoolOp - Operations for boolean, single-bit inputs.
- Error - Errors returned by this crate. Note that APIs that may pass through FFI boundaries return String since those errors are ultimately serialized anyway.
- FloatOp - Operations on floating-point numbers.
- HasSpec - The sleigh or processor specification has been provided
- IntOp - Operations on integers.
- IntSign - Indicates whether an integer operation is operating on signed or unsigned inputs. If the operation does not include IntSign as an argument, then distinguishing between signed and unsigned is not applicable for the operation.
- MissingSpec - The sleigh or processor specification has not yet been provided
- OpCode - A representation of opcodes for p-code instructions.
- PseudoOp - Operations which represent black-box placeholders for some sequence of changes to the machine state.
- SlaDataEncoding - The encoding of the compiled sleigh specification (.slaspec).
Traits§
- InstructionLoader - Interface for loading instruction bytes to be disassembled.
- Sleigh - Interface for the Sleigh API. See GhidraSleigh for the Ghidra implementation.
Type Aliases§
- Result - Result returned by Sleigh APIs