Given an arbitrary executable, is it possible to determine some or all of the indirect branch destination addresses? What is a programmatic approach to computing these destinations? I'm asking because I am reconstructing a CFG from an executable and can't figure out a clean way of computing indirect branches. Sometimes the operand can be determined with a little forensic analysis, but other times it's not so clear.
Indirect jump destination calculation
Asked Answered
You are talking about destinations that are not found through disassembly? basically use an instruction set simulator. Or simply analysis. Some of these you will not be able to completely resolve (without simulating all real world code paths). –
Forzando
Can it be done solely with static analysis? –
Bountiful
Calculating possible indirect branch destinations in a compiled program statically is possible by performing data-flow analysis for finding out the possible values for the address.
It might work well on simple things such as jump tables (the kind of stuff often generated from switch statements).
In the general case, though, I think that it will be pretty hard to get decent results from that - especially since I suspect your analysis will need some sort of heap analysis to be of any value, and that is not easy, particularly on assembly which might be riddled with loads and stores to memory.
© 2022 - 2024 — McMap. All rights reserved.