binary/pe/pe_binaries
- pe_data_directory(Type:symbol, Address:address, Size:unsigned)
Used by:
data_region,merged_data_region
- pe_import_entry(Address:address, Ordinal:number, Function:symbol, Library:symbol)
- pe_export_entry(Address:address, Ordinal:number, Name:symbol)
- pe_debug_data(Type:symbol, Address:address, Size:unsigned)
Used by:
data_region,merged_data_region
- pe_load_config(Name:symbol, Value:unsigned)
Used by:
seh_handler_table
- pe_section_characteristics(Name:symbol, Mask:unsigned)
Table maps PE section attribute names to a bitflag.
WARNING: Predicate not present in compiled Datalog program (Dead Code)
- npad(EA:address, Size:unsigned)
Non-destructive multi-byte NOPs used by the MSVC compiler. (See `listing.inc’.)
Uses:
direct_jump,instruction,op_regdirect,unconditional_jumpUsed by:
data_object_point,is_paddingRecursive:
npad
- incremental_linking_candidate(First:address, Last:address)
Identify series of jump trampolines prepended to the .text section of PE binaries built with “incremental linking”.
Uses:
binary_format,code_section,direct_jump,loaded_section,next,repeated_byte,unconditional_jumpUsed by:
incremental_linkingRecursive:
incremental_linking_candidate
- incremental_linking(First:address, Last:address)
Select the ‘First’ address and ‘Last’ address of candidate jump trampolines, where the number of consecutives jumps exceeds a threshold indicative of incremental linking.
- merged_data_region(Start:address, End:address)
Locate data directory and debug data merged with the text section. Note that this is used to splice merged .rdata and .text sections.
Uses:
binary_format,loaded_section,pe_data_directory,pe_debug_dataUsed by:
__agg_single4
- padded_rel_addr_start(EA:address, OpIndex:operand_index, TableStart:address, Offset:number, Dest1:address, Dest2:address)
Jump table start pattern where the TableStart is moved through padding.
WARNING: Predicate not present in compiled Datalog program (Dead Code)