reven2.trace._find_inverse

Return the Program Counter (PC) value for the context.

RIP for 64bit or EIP for 32bit.

Return the ASID (Address Space IDentifier) for the context.

Return the return PC stored by the syscall instruction.

The syscall instruction stores the return PC in RCX or ECX.

Undocumented

find last memory access writting given value at tr

find last memory access reading given value at tr

Undocumented

Undocumented

Undocumented

Undocumented

Undocumented

Returns the iret transition matching the given exception or None.

Find the memory access used by the exception to write the return pc. Search for the matching read access, where the iret would get the return pc. Ensure the matching transition is an iret-like.

Returns the exception transition matching the given iret or None.

Find the memory access used by iret to read the return pc. Search for the matching write access, where the exception would write the return pc. Ensure the matching transition is an exception.

Returns the sysret transition matching the given syscall or None.

The syscall instruction stores the return pc (used by sysret) in rcx. Search for the executions of the return pc in the trace, and check the matches against the syscall ASID (cr3) and by mnemonic.

Would be very slow without the pc ranges fast search.

Returns the syscall transition matching the given sysret or None.

Iterate over `cs` changes to find the previous matching syscall. Currently checks the mnemonic, the ASID (cr3) and the return pc (rip) stored (in rcx) by the syscall instruction.

Returns the sysexit transition matching the given sysenter or None.

Iterates over `cs` changes to find the next matching sysexit. Currently only the mnemonic and the ASID (cr3) are checked.

Returns the sysenter transition matching the given sysexit or None.

Assumes `transition` is a sysexit instruction.

Iterates over `cs` changes to find the previous matching sysenter. Currently only the mnemonic and the ASID (cr3) are checked.