maat::MaatEngine class

The main engine class of the Maat framework. It is a wrapper around core components (lifter, memory engine, IR CPU, binary loader, environment simulation, etc) that enables to symbolically emulate a process.

❱   Base classes

class Serializable
Virtual interface that serializable classes must implement.

❱   Constructors, destructors, conversion operators

MaatEngine(Arch::Type arch, env::OS os = env::OS::NONE)
Instanciate an engine for architecture 'arch' and operating system 'os'.

~MaatEngine() defaulted virtual
Destructor.

❱   Public functions

auto run(int max_inst = 0) -> info::Stop
Continue executing from the current state. Execute at most 'max_inst' before stopping.

auto run_from(addr_t addr, unsigned int max_inst = 0) -> info::Stop
Set the instruction pointer to address 'addr' and start executing from there. Execute at most 'max_inst' before stopping.

auto run_inst(addr_t addr, uint8_t* raw_inst, size_t raw_instr_size) -> info::Stop
Lift and execute a single instruction located at virtual address 'addr', 'raw_inst' points to the raw assembly of the instruction to be lifted.

void terminate_process(Value status)
Terminate the process emulated by the engine.

auto take_snapshot() -> snapshot_t
Take a snapshot of the current engine state.

void restore_snapshot(snapshot_t snapshot, bool remove = false)
Restore the engine state to 'snapshot'. If remove is true, the snapshot is removed after being restored.

void restore_last_snapshot(bool remove = false)
Restore the engine state to the lastest snapshot. If remove is true, the snapshot is removed after being restored.

auto nb_snapshots() -> int
Return the current number of active snapshots.

void load(const std::string& binary, loader::Format type, addr_t base, const std::vector<loader::CmdlineArg>& args, const loader::environ_t& envp, const std::unordered_map<std::string, std::string>& virtual_fs, const std::list<std::string>& libdirs, const std::list<std::string>& ignore_libs, bool load_interp = true)
Load an executable.

auto refine_value_set(Expr e) -> ValueSet
Return a solver-refined value set for expression e. The refined value set takes into account potential path constraints.

auto get_inst_asm(addr_t addr) -> const std::string&
Return the assembly string for instruction at address 'addr'.

auto class_uid() const -> serial::uid_t virtual
Return the class uid (see ClassId enum)

void dump(serial::Serializer& s) const virtual

void load(serial::Deserializer& d) virtual

❱   Public variables

info::Info info
Public field used by the engine to provide relevant contextual information.

Settings settings
Engine's tweakable settings and options.

Logger log
Logger.

❱   Function documentation

void maat::MaatEngine::load(const std::string& binary, loader::Format type, addr_t base, const std::vector<loader::CmdlineArg>& args, const loader::environ_t& envp, const std::unordered_map<std::string, std::string>& virtual_fs, const std::list<std::string>& libdirs, const std::list<std::string>& ignore_libs, bool load_interp = true)

Load an executable.

Parameters
binary Path of the executable file to load
type Executable format of the file to load
base Base address where to load the binary (used for relocatable binaries and position independent code)
args Command line arguments with whom to invoke the loaded executable
envp
virtual_fs Location of loaded binaries and libraries in the emulated filesystem. Maps the object(s) filenames to their path(s) in the virtual filesystem, eg: { "libc.so.6": "/usr/lib" }
libdirs Directories where to search for shared objects the binary might depend on
ignore_libs List of libraries to NOT load even though the binary lists them as dependencies. This option has no effect when 'load_interp' is 'true'
load_interp If set to True, load and emulate the interpreter and let it load the binary and dependencies by itself. The interpreter binary must be found in one of the 'libdirs' directories. If the interpreter is missing, Maat loads the binary and dependencies manually

void maat::MaatEngine::dump(serial::Serializer& s) const virtual

Serialize the engine state

This serializes the whole engine state except:

  • Event hooks
  • Internal expression simplifier
  • Logger
  • Library emulation callbacks
  • Callother callbacks

In order to keep those members (especially the event hooks), it is necessary to deserialize the engine in place using the same object instance that was serialized.

void maat::MaatEngine::load(serial::Deserializer& d) virtual

Deserialize a state into the engine

See notes in 'MaatEngine::dump()' about members that are not included in serialization.