|
Ghidra Decompiler Analysis Engine
|
Table of Contents
Key Classes
Overview
Welcome to SLEIGH, a machine language translation and dissassembly engine. SLEIGH is both a processor specification language and the associated library and tools for using such a specification to generate assembly and to generate pcode, a reverse engineering Register Transfer Language (RTL), from binary machine instructions.
SLEIGH was originally based on SLED, a Specification Language for Encoding and Decoding, designed by Norman Ramsey and Mary F. Fernandez, which performed disassembly (and assembly). SLEIGH extends SLED by providing semantic descriptions (via the RTL) of machine instructions and other practical enhancements for doing real world reverse engineering.
SLEIGH is part of Project GHIDRA. It provides the core of the GHIDRA disassembler and the data-flow and decompilation analysis. However, SLEIGH can serve as a standalone library for use in other applications for providing a generic disassembly and RTL translation interface.
Building SLEIGH
There are a couple of make targets for building the SLEIGH library from source. These are:
make libsla.a # Build the main library
make libsla_dbg.a # Build the library with debug symbols
The source code file sleighexample.cc has a complete example of initializing the Translate engine and using it to generate assembly and pcode. The source has a hard-coded file name, x86testcode, as the example binary executable it attempts to decode, but this can easily be changed. It also needs a SLEIGH specification file (.sla) to be present.
Building the example application can be done with something similar to the following makefile fragment.
# The C compiler
CXX=g++
# Debug flags
DBG_CXXFLAGS=-g -Wall -Wno-sign-compare
OPT_CXXFLAGS=-O2 -Wall -Wno-sign-compare
# libraries
INCLUDES=-I./src
LNK=src/libsla_dbg.a
sleighexample.o: sleighexample.cc
$(CXX) -c $(DBG_CXXFLAGS) -o sleighexample sleighexample.o $(LNK)
clean:
rm -rf *.o sleighexample
Using SLEIGH
SLEIGH is a generic reverse engineering tool in the sense that the API is designed to be completely processor independent. In order to process binary executables for a specific processor, The library reads in a specification file, which describes how instructions are encoded and how they are interpreted by the processor. An application which needs to do disassembly or generate pcode can design to the SLEIGH API once, and then the application will automatically support any processor for which there is a specification.
For working with a single processor, the SLEIGH library needs to load a single compiled form of the processor specification, which is traditionally given a ".sla" suffix. Most common processors already have a ".sla" file available. So to use SLEIGH with these processors, the library merely needs to be made aware of the desired file. This documentation covers the use of the SLEIGH API, assuming that this specification file is available.
The ".sla" files themselves are created by running the compiler on a file written in the formal SLEIGH language. These files traditionally have the suffix ".slaspec" For those who want to design such a specification for a new processor, please refer to the document, "SLEIGH: A Language
for Rapid Processor Specification."
void setValue(AddrSpace *spc, uintb off, int4 size, uintb cval)
Set a value on the memory state.
Definition: memstate.cc:650
virtual int4 printAssembly(AssemblyEmit &emit, const Address &baseaddr) const =0
Disassemble a single machine instruction.
Abstract class for emitting pcode to an application.
Definition: translate.hh:76
An in-memory implementation of the ContextDatabase interface.
Definition: globalcontext.hh:256
A region where processor data is stored.
Definition: space.hh:73
AddrSpace * space
The address space.
Definition: pcoderaw.hh:34
Memory storage/state for a single AddressSpace.
Definition: memstate.hh:36
virtual int4 oneInstruction(PcodeEmit &emit, const Address &baseaddr) const =0
Transform a single machine instruction into pcode.
virtual string getArchType(void) const
Get a string indicating the architecture type.
Definition: sleighexample.cc:74
void registerTag(const Element *el)
Register the given XML Element object under its tag name.
Definition: xml.cc:2321
const char * get_opname(OpCode opc)
Convert an OpCode to the name as a string.
Definition: opcodes.cc:58
Abstract class for emitting disassembly to an application.
Definition: translate.hh:118
void getChunk(uint1 *res, AddrSpace *spc, uintb off, int4 size) const
Get a chunk of data from memory state.
Definition: memstate.cc:710
Definition: loadimage_bfd.hh:33
virtual void dump(const Address &addr, OpCode opc, VarnodeData *outvar, VarnodeData *vars, int4 isize)
The main pcode emit method.
Definition: sleighexample.cc:144
A SLEIGH based implementation of the Emulate interface.
Definition: emulate.hh:296
virtual void adjustVma(long adjust)
Adjust load addresses with a global offset.
Definition: sleighexample.cc:75
An XML element. A node in the DOM tree.
Definition: xml.hh:150
void setVariableDefault(const string &nm, uintm val)
Provide a default value for a context variable.
Definition: globalcontext.cc:109
An interface into a particular binary executable image.
Definition: loadimage.hh:71
Definition: sleighexample.cc:67
AddrSpace * getUniqueSpace(void) const
Get the temporary register space for this processor.
Definition: translate.hh:482
Translate * getTranslate(void) const
Get the Translate object.
Definition: memstate.hh:179
virtual void loadFill(uint1 *ptr, int4 size, const Address &addr)
Get data from the LoadImage.
Definition: sleighexample.cc:80
uintb offset
The offset within the space.
Definition: pcoderaw.hh:35
uint4 size
The number of bytes in the location.
Definition: pcoderaw.hh:36
A full SLEIGH engine.
Definition: sleigh.hh:158
AddrSpace * getDefaultCodeSpace(void) const
Get the default address space of this processor.
Definition: translate.hh:491
All storage/state for a pcode machine.
Definition: memstate.hh:148
Definition: sleighexample.cc:131
A kind of MemoryBank which retrieves its data from an underlying LoadImage.
Definition: memstate.hh:93
const string & getName(void) const
Get the name.
Definition: space.hh:264
A low-level machine address for labelling bytes and data.
Definition: address.hh:46
An interface to a database of disassembly/decompiler context information.
Definition: globalcontext.hh:108
The interface to a translation engine for a processor.
Definition: translate.hh:294
Emulate * emulate
The emulator currently associated with this breakpoint.
Definition: emulate.hh:79
A memory bank that implements reads and writes using a hash table.
Definition: memstate.hh:128
OpCode
The op-code defining a specific p-code operation (PcodeOp)
Definition: opcodes.hh:35
Memory bank that overlays some other memory bank, using a "copy on write" behavior.
Definition: memstate.hh:110
uintb getValue(AddrSpace *spc, uintb off, int4 size) const
Retrieve a memory value from the memory state.
Definition: memstate.cc:666
A breakpoint object.
Definition: emulate.hh:77
void printRaw(ostream &s) const
Write a raw version of the address to a stream.
Definition: address.hh:276
AddrSpace * getSpaceByName(const string &nm) const
Get address space by name.
Definition: translate.cc:534
Data defining a specific memory location.
Definition: pcoderaw.hh:33
virtual void setExecuteAddress(const Address &addr)=0
Set the address of the next instruction to emulate.
A container for parsed XML documents.
Definition: xml.hh:249
virtual bool addressCallback(const Address &addr)
Call back method for address based breakpoints.
Definition: sleighexample.cc:189
Definition: sleighexample.cc:102
Document * openDocument(const string &filename)
Open and parse an XML file.
Definition: xml.cc:2310
void printOffset(ostream &s, uintb offset) const
Write an address offset to a stream.
Definition: space.cc:177
Definition: sleighexample.cc:184
virtual void initialize(DocumentStorage &store)=0
Initialize the translator given XML configuration documents.
virtual void dump(const Address &addr, const string &mnem, const string &body)
The main disassembly emitting method.
Definition: sleighexample.cc:104
