Crate ud_analysis


Analysis passes over loaded binaries.

Function discovery layers signals from highest to lowest confidence:

  1. The full symbol table (.symtab) when present.
  2. The dynamic symbol table (.dynsym).
  3. Byte-pattern signatures (CRT helpers, libc primitives, …).
  4. .eh_frame (DWARF CFI) — names are addresses, but sizes are authoritative; survives stripping.

Each Function in the produced FunctionMap records every source that contributed to it. Names from higher-confidence sources win over names from lower-confidence sources; sizes are merged preserving any non-zero value.

After all sources are merged, a final pass fills in sizes for functions that no source supplied a size for (typically signature matches), using the distance to the next discovered function in the same address window.
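The merge rules and the final size-filling pass described above, as an added sketch that is not the crate's own code. `Source`, `Func`, `merge`, `fill_sizes` and `demo` are hypothetical names; the sketch assumes a single address window ending at `window_end` and keeps the first non-zero size it sees.

```rust
use std::collections::BTreeMap;

// Hypothetical stand-ins for the crate's FunctionSource / Function.
// Variants are listed in ascending confidence, so the derived Ord means "higher wins".
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
enum Source { EhFrame, Signature, DynSym, SymTab }

#[derive(Debug)]
struct Func { name: String, name_from: Source, size: u64, sources: Vec<Source> }

/// Merge one discovery record into the map, keyed by function address.
fn merge(map: &mut BTreeMap<u64, Func>, addr: u64, name: &str, size: u64, src: Source) {
    let f = map.entry(addr).or_insert_with(|| Func { name: name.into(), name_from: src, size, sources: vec![] });
    if !f.sources.contains(&src) { f.sources.push(src); } // record every contributor
    // Name: only a strictly higher-confidence source may replace it.
    if src > f.name_from { f.name = name.into(); f.name_from = src; }
    // Size: a non-zero value already recorded is preserved (assumption: first one wins).
    if f.size == 0 { f.size = size; }
}

/// Final pass: a function still lacking a size gets the distance to the next
/// discovered function, clamped to the end of the (assumed single) window.
fn fill_sizes(map: &mut BTreeMap<u64, Func>, window_end: u64) {
    let addrs: Vec<u64> = map.keys().copied().collect();
    for (i, addr) in addrs.iter().enumerate() {
        let next = addrs.get(i + 1).copied().unwrap_or(window_end).min(window_end);
        let f = map.get_mut(addr).unwrap();
        if f.size == 0 { f.size = next.saturating_sub(*addr); }
    }
}

/// Constructed sample records; addresses, names and sizes are made up.
fn demo() -> BTreeMap<u64, Func> {
    let mut map = BTreeMap::new();
    merge(&mut map, 0x1000, "main", 0, Source::SymTab);        // symbol with no size
    merge(&mut map, 0x1000, "fn_1000", 0x40, Source::EhFrame); // size only, name loses
    merge(&mut map, 0x1040, "memcpy", 0, Source::Signature);   // signature hit, no size
    merge(&mut map, 0x10a0, "strlen", 0, Source::Signature);   // last function in window
    fill_sizes(&mut map, 0x10c0);
    map
}

fn main() {
    for (addr, f) in demo() { println!("{addr:#x} {f:?}"); }
}
```

Because the name rule compares confidence rather than arrival order, the result is the same whichever source is merged first.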

Re-exports

pub use call_sites::discover_from_bpf_call_sites;
pub use call_sites::CallSiteError;

Modules

bpf_relocs
BPF / SBF call-site name resolution via .rel.dyn.
call_sites
Function discovery from call targets.

Structs

Function
A discovered function.
FunctionMap
A collection of discovered functions, indexed by address.

Enums

EhFrameError
Errors specific to .eh_frame parsing.
Error
Crate-level error type.
FunctionSource
Where a function record came from. Ordered by ascending confidence — higher-numbered sources override lower-numbered ones for fields where they disagree (currently: function name).
PltError
Errors specific to PLT thunk discovery.
SymbolError
Errors specific to symbol-table parsing.

Functions

discover_from_eh_frame
Walk every FDE in .eh_frame and return one Function per entry.
discover_from_signatures
Run signature matching against every executable section in elf.
discover_from_symbol_tables
Sweep every .symtab and .dynsym in elf, return one Function per qualifying entry. Names are resolved via the linked string table.
discover_functions
Run every available discovery source and merge into a single FunctionMap.
discover_plt_thunks
Discover every PLT thunk across .plt, .plt.got, and .plt.sec (IBT-aware variants), and return one Function per entry, named by its imported symbol.

Type Aliases

Result