Pattern matching against decompiler output (weggli) #194
arizvisa started this conversation in Show and tell
Taking inspiration from weggli over at https://github.com/weggli-rs/weggli, I wrote the patch (attached at the end of the post) against weggli-rs/weggli@01499e2. It essentially adds support to weggli's python module for returning the spans or bounds from the query results.
After you apply the patch, build weggli, and drop its python module somewhere in your python path, you should be able to use the preliminary decompiler modules over at https://gist.github.com/arizvisa/6a6237205e7cc63e9307dd158078d9fc with minsc. To use those modules, copy base-hexrays.py to base/hexrays.py and procs-hexrays.py to procs/hexrays.py. That'll allow you to access the hexrays module and use its functionality in your scripting.
There's a couple of other things in the hexrays module, that might be useful. The hexrays.repr function is pretty handy in that it recognizes a number of decompiler types and can be used to get a quick representation describing things about that type. Apologies for the scarcity of its documentation.
Anyways, the hexrays.tree namespace contains all the ctree things. In this namespace you can find hexrays.tree.match (aliased as hexrays.match) to query a function using weggli's syntax. For example, to query all calls to WPP_SF_q, you can do something like the following.
The hexrays.tree.parent function (that's being used) takes a citem_t and a function address/body to traverse upwards from whatever was matched.
Output of the previous python looks like:
I'm still experimenting with this, and may consider integrating weggli support into the plugin if the interface feels right. However, there's also a chance that I drop weggli entirely in favor of something custom wrapped around the tree-sitter library. Hence, all opinions about this are welcome.
That patch is here (https://gist.github.com/arizvisa/ba180b27fa21a3a65ab12f534be19d27) because I can't figure out how to fucking attach files to the discussion without getting a "We don't support that file type" error message. Apologies in advance for the patch. I hate Rust and hence don't speak it.