[docs]deffilter(self,cfg,addr,func_addr,block,jumpkind):ifnotisinstance(self.project.simos,SimWindows):returnFalseifjumpkind!="Ijk_Call":returnFalseinsns=self.project.factory.block(addr).capstone.insnsifnotinsns:returnFalseifnotinsns[-1].insn.operands:returnFalseopnd=insns[-1].insn.operands[0]# Must be of the form: call ds:0xABCDifopnd.type==X86_OP_MEMandopnd.mem.dispandnotopnd.mem.baseandnotopnd.mem.index:returnTruereturnFalse
[docs]defresolve(self,cfg,addr,func_addr,block,jumpkind,func_graph_complete:bool=True,**kwargs):# pylint:disable=unused-argumentslot=self.project.factory.block(addr).capstone.insns[-1].insn.disptarget=cfg._fast_memory_load_pointer(slot)iftargetisNone:l.warning("Address %#x does not appear to be mapped",slot)returnFalse,[]ifnotself.project.is_hooked(target):returnFalse,[]dest=self.project.hooked_by(target)l.debug("Resolved target to %s",dest.display_name)returnTrue,[target]