Skip to content

ImageMap

Jump to bottom Edit New page
John Källén edited this page Jan 8, 2017 · 3 revisions

The ImageMap data structure keeps track of the address space of a binary that Reko is analyzing. A binary, after being loaded into memory, consists of one or more ImageSegments, each of which has a starting address and size (or extent). Each image segment also has a reference to the MemoryArea that contains its bytes. You can think of the ImageSegments as functioning like "windows" onto a MemoryArea. Note that there one-to-many relation between MemoryAreas and ImageSegments. A typical PE or ELF executable will have logically distinct segments and memory areas:

+---------------+                     +---------------+--------------+
| .text section |                     | .data section | .bss section |
| 0x00401000    |                     | 0x00402000    | 0x00402800   |
+---------------+                     +---------------+--------------+
       ↓                                      ↓              ↓
+---------------+                     +------------------------------+
| Memory area 1 |                     | Memory area 2                |
| 0x00401000    |                     | 0x00402000                   |
+---------------+                     +------------------------------+

while an MS-DOS executable will typically be loaded into a single memory area, and all segments will refer to the same memory area

+----------------+     +----------------+       +----------------+
+ segment 0x0810 |     | segment 0x0CFA |       | segment 0x15AD |
+----------------+     +----------------+       +----------------+
        ↓                      ↓                        ↓
+----------------------------------------------------------------+
| Memory image                                                   |
| 0x0810:0000                                                    |
+----------------------------------------------------------------+

In addition to maintaining a map of all the the segments, the ImageMap also maintains in its Items dictionary the locations of any identified items as Reko performs its analysis. Some executable image file formats contain information like the entry points or symbols identifying machine language procedures or data locations. Reko can use this information to populate the image map before starting its scanning phase. The scanning phase will discover more items and add them to the ImageMap. The user interface also allows the user to add items that Reko can't discover itself.

Add a custom footer
Add a custom sidebar
Clone this wiki locally