maat::MemEngine class

A memory engine representing a process's memory

❱   Base classes

class Serializable
Virtual interface that serializable classes must implement.

❱   Constructors, destructors, conversion operators

MemEngine(std::shared_ptr<VarContext> varctx = nullptr, size_t arch_bits = 64, std::shared_ptr<SnapshotManager<Snapshot>> snap = nullptr)
Create new memory engine.

❱   Public functions

void map(addr_t start, addr_t end, mem_flag_t mflags = mem_flag_rwx, const std::string& map_name = "")
Map memory from 'start' to 'end' (included), with permissions 'mflags'. Necessary segments are created in order to fill the map. The map is NOT initialised with zeros.

auto allocate(addr_t init_base, addr_t size, addr_t align, mem_flag_t flags, const std::string& name) -> addr_t
Allocate a new memory map of 'size' bytes. The map wills be aligned according to the 'align' value. Returns the start address of the map.

void unmap(addr_t start, addr_t end)
Unmap memory from 'start' to 'end'. Memory is NOT reset to zeros.

void new_segment(addr_t start, addr_t end, mem_flag_t flags = maat::mem_flag_rwx, const std::string& name = "", bool is_special_segment = false)
Create a new memory segment from addresses 'start' to 'end' (included)

auto allocate_segment(addr_t base_addr, addr_t size, addr_t align, mem_flag_t flags = maat::mem_flag_rwx, const std::string& name = "", bool is_special_segment = false) -> addr_t
Allocate new memory segment of 'size' bytes. The segment will be aligned according to the 'align' value.

void delete_segment(addr_t start)
Delete segment starting at address 'start'.

auto is_free(addr_t start, addr_t end) -> bool
Return 'true' if nothing is mapped between 'start' and 'end'.

void read(Value& res, addr_t addr, unsigned int nb_bytes, mem_alert_t* alert = nullptr, bool force_concrete_read = false)
Read 'nb_bytes' at address 'addr'.

void read_buffer(std::vector<Value>& res, const Value& addr, unsigned int nb_elems, unsigned int elem_size = 1)
Read a buffer in memory.

auto read_string(const Value& addr, unsigned int len = 0) -> std::string
Read a concrete string of length len from address addr. If len=0, it reads a C-style string and stops at the first null-byte. If addr is not concrete, the function raises a mem_exception.

void write(addr_t addr, const Value& value, mem_alert_t* alert = nullptr, bool ignore_mem_permissions = false, bool called_by_engine = false)
Write 'value' at address 'addr'.

void symbolic_ptr_write(Expr addr, const ValueSet& range, const Value& val, const Settings& settings, mem_alert_t* alert = nullptr, bool called_by_engine = false)
Write at a symbolic memory address. range is the range of possible values for addr

void symbolic_ptr_read(Value& res, Expr addr, const ValueSet& range, unsigned int nb_bytes, const Settings& settings)
Read at a symbolic memory address. range is the range of possible values for addr. Write result in 'res'.

auto read(addr_t addr, unsigned int nb_bytes, mem_alert_t* alert = nullptr, bool force_concrete_read = false) -> Value
Read 'nb_bytes' at address 'addr'.

auto read(const Value& addr, unsigned int nb_bytes, bool ignore_mem_permissions = false) -> Value
Read 'nb_bytes' at address 'addr'.

auto read(Expr addr, unsigned int nb_bytes) -> Expr
Read nb_bytes at address addr. If addr is not concrete, this function automatically performs a symbolic pointer read.

void write(const Value& addr, cst_t val, int nb_bytes, bool ignore_mem_permissions = false)
Write concrete value in memory.

void write(const Value& addr, const Value& value, bool ignore_mem_permissions = false)
Write 'value' at address 'addr'.

void write(addr_t addr, cst_t val, int nb_bytes, bool ignore_mem_permissions = false)
Write concrete value to memory.

auto read_buffer(const Value& addr, unsigned int nb_elems, unsigned int elem_size = 1) -> std::vector<Value>
Read a buffer in memory.

auto read_buffer(addr_t addr, unsigned int nb_elems, unsigned int elem_size = 1) -> std::vector<Value>
Read a buffer of 'nb_elems' elements of size 'elem_size' from address 'addr'.

void read_buffer(std::vector<Value>& buffer, addr_t addr, unsigned int nb_elems, unsigned int elem_size = 1)
Read a buffer of 'nb_elems' elements of size 'elem_size' from address 'addr' and writes each element as an abstract expression in the vector 'res'.

auto read_string(addr_t addr, unsigned int len = 0) -> std::string
Read a concrete string of length 'len' from address 'addr'. If len=0, it reads a C-style string and stops at the first null-byte.

void write_buffer(const Value& addr, uint8_t* src, int nb_bytes, bool ignore_mem_permissions = false)
Write concrete buffer in memory.

void write_buffer(const Value& addr, const std::vector<Value>& src, bool ignore_mem_permissions = false)
Write abstract buffer in memory.

void write_buffer(addr_t addr, uint8_t* src, int nb_bytes, bool ignore_mem_permissions = false)
Write a concrete buffer in memory.

void write_buffer(addr_t addr, const std::vector<Value>& src, bool ignore_mem_permissions = false)
Write an abstract buffer in memory.

auto make_symbolic(addr_t addr, unsigned int nb_elems, unsigned int elem_size, const std::string& basename) -> std::string
Make a buffer purely symbolic, return the symbolic name of the buffer.

auto make_concolic(addr_t addr, unsigned int nb_elems, unsigned int elem_size, const std::string& basename) -> std::string
Make a buffer concolic, return the symbolic name of the buffer.

auto make_tainted(addr_t addr, unsigned int nb_elems, unsigned int elem_size, const std::string& basename = "") -> std::string
Make a buffer tainted. If 'name' is specified, the buffer is made concolic then tainted, otherwise the memory contents are tainted without being transformed into symbolic variables.

auto abstract_snapshot(addr_t addr, int nb_bytes) -> abstract_mem_chunk_t
Take snapshot of abstract memory for nb_bytes from 'addr'.

auto concrete_snapshot(addr_t addr, int nb_bytes) -> cst_t
Take snapshot of concrete memory for nb_bytes from 'addr' (nb_bytes must be inferior or equal to 8)

auto raw_mem_at(addr_t addr) -> uint8_t*
Returns a raw pointer to the raw concrete memory buffer at address 'addr'. If the address isn't mapped, throws an exception.

void check_status(addr_t start, addr_t end, bool& is_symbolic, bool& is_tainted)
Check memory status between start and end (included): is it symbolic/concrete/tainted ? If at least one byte is symbolic, set is_symbolic It at least one byte is tainted, set is_tainted.

auto _get_pending_x_mem_overwrites() -> std::list<mem_access_t>&
Get the list of pending executable memory overwrites that happened (to be used by the engine only)

void _clear_pending_x_mem_overwrites()
Clear the list of pending executable memory overwrites (to be used by the engine only)

auto class_uid() const -> uid_t virtual
Return the class uid (see ClassId enum)

void dump(serial::Serializer&) const virtual
Dump the object contents in a serializer stream.

void load(serial::Deserializer&) virtual
Restore an object from a deserializer stream.

❱   Protected functions

auto has_segment_containing(addr_t start, addr_t end) -> bool
Return 'true' if there is a MemSegment that overlaps with [start:end].

❱   Friends

auto operator<<(std::ostream& os, MemEngine& mem) -> std::ostream&
Print the memory engine to a stream.

❱   Function documentation

maat::MemEngine::MemEngine(std::shared_ptr<VarContext> varctx = nullptr, size_t arch_bits = 64, std::shared_ptr<SnapshotManager<Snapshot>> snap = nullptr)

Create new memory engine.

Parameters
varctx VarContext to use when concretising abstract expressions
arch_bits Default address size in bits
snap Snapshot manager to use if snapshots are enabled

void maat::MemEngine::read_buffer(std::vector<Value>& res, const Value& addr, unsigned int nb_elems, unsigned int elem_size = 1)

Read a buffer in memory.

Parameters
res Vector where to store the buffer elements
addr Start address of the buffer
nb_elems Number of elements to read in the buffer
elem_size Size of a single buffer element in bytes

std::vector<Value> maat::MemEngine::read_buffer(const Value& addr, unsigned int nb_elems, unsigned int elem_size = 1)

Read a buffer in memory.

Parameters
addr Start address of the buffer
nb_elems Number of elements to read in the buffer
elem_size Size of a single buffer element in bytes