Context

ProcessState

class tritondse.ProcessState(endianness: Endian = Endian.LITTLE, time_inc_coefficient: float = 0.0001)[source]

Current process state. This class keeps all the runtime related to a running process, namely current, instruction, thread, memory maps, file descriptors etc. It also wraps Triton execution and thus hold its context. At the top of this, it provides a user-friendly API to access data in both the concrete and symbolic state of Triton.

Parameters:
EXTERN_SEG = '[extern]'
STACK_SEG = '[stack]'
actx: AstContext

Triton AstContext enabling crafting logical expressions to be solved by SMT

property architecture: Architecture

Architecture of the current process state

Returns:

Architecture set

property base_pointer_register: Register

Return the appropriate base pointer register according to the arch.

Return type:

tritondse.types.Register

clear_triton_callbacks() None[source]

Remove all registered callbacks in triton.

close_file_descriptor(fd_id: int) None[source]

Close the given file descriptor id.

Parameters:

fd_id – id of the file descriptor

Returns:

None

concretize_argument(index: int) None[source]

Concretize the given function parameter following the calling convention of the architecture.

Parameters:

index (int) – Argument index

concretize_memory_bytes(addr: tritondse.types.Addr, size: tritondse.types.ByteSize) None[source]

Concretize the given memory with its current concrete value. This operation is sound and allows restraining the memory value to its constant value.

Parameters:
concretize_memory_int(addr: tritondse.types.Addr, size: tritondse.types.ByteSize) None[source]

Concretize the given memory with its current concrete value. This operation is sound and allows restraining the memory value to its constant value.

Parameters:
concretize_register(register: str | Register) None[source]

Concretize the given register with its current concrete value. This operation is sound as it will also add a path constraint to enforce that the symbolic register value is equal to its concrete value.

Parameters:

register (Union[str, tritondse.types.Register]) – Register identifier (str or Register)

cpu: CpuState | None

CpuState holding concrete values of registers (initialized when calling load)

create_file_descriptor(name: str, file: IOBase) FileDesc[source]

Create a new file descriptor out of a name.

Parameters:

  • name – name of the file

  • file – object to read from

Returns:

FileDesc object

property current_instruction: Instruction | None

The current instruction being executed. (None if not set yet)

Return type:

Optional[Instruction]

property current_thread: ThreadContext

Gives the current thread selected.

Returns:

current thread

Return type:

ThreadContext

dynamic_symbol_table: Dict[str, Tuple[Addr, bool]]

Dictionary of dynamic symbols as retrieved during the loading

endianness

Current endianness

evaluate_expression_model(exp: AstNode | Expression, model: Model) int[source]

Evaluate the given expression on the given model. The value returned is the integer value corresponding to the bitvector evaluation of the expression.

Parameters:

  • exp – Symbolic Expression to evaluate

  • model – Model generated by the solver

Returns:

result of the evaluation

fetch_instruction(address: tritondse.types.Addr = None, set_as_current: bool = True, disable_callbacks: bool = True) Instruction[source]

Fetch the instruction at the given address. If no address is specified the current program counter one is used.

Raises:

MemoryAccessViolation – If the instruction cannot be fetched in the memory.

Parameters:

  • address – address where to get the instruction from

  • set_as_current – set as the current instruction in the process state

  • disable_callbacks – whether memory callbacks should be disabled to fetch memory bytes

Returns:

instruction disassembled

file_descriptor_exists(id_: int) bool[source]

Returns whether the file descriptor has been defined or not.

Parameters:

id – id of the file descriptor

Returns:

True if the id is found

static from_loader(loader: Loader) ProcessState[source]
get_argument_symbolic(i: int) Expression[source]

Return the symbolic expression associated with the given ith parameter.

Parameters:

i – Ith function parameter

Returns:

Symbolic expression associated

Return type:

SymbolicExpression

get_argument_value(i: int) int[source]

Get the integer value of parameters following the call convention. The value originate either from a register or the stack depending on the ith argument requested.

Parameters:

i (int) – Ith argument of the function

Returns:

integer value of the parameter

Return type:

int

get_expression_variable_values_model(exp: AstNode | Expression, model: Model) Dict[SymbolicVariable:int][source]

Given a symbolic expression and a model, returns the valuation of all variables involved in the expression.

Parameters:

  • exp – Symbolic Expression to look into

  • model – Model generated by the solver

Returns:

dictionary of symbolic variables and their associated value (as int)

get_file_descriptor(id_: int) FileDesc[source]

Get the given file descriptor.

Raises:

KeyError – if the file descriptor is not found

Parameters:

id – id of the file descriptor

Returns:

FileDesc object

get_format_arguments(fmt_addr: tritondse.types.Addr, args: List[int]) List[int | str][source]

Read the format string at fmt_addr. For each format item which are strings, dereference that associated string and replaces it in args.

Parameters:

  • fmt_addr (tritondse.types.Addr) – Address to concretize

  • args (List[int]) – Parameters associated with the format string

Return type:

List[Union[int, str]]

get_format_string(addr: tritondse.types.Addr) str[source]

Returns a formatted string in Python format from a format string located in memory at addr.

Parameters:

addr (tritondse.types.Addr) – Address to concretize

Return type:

str

get_full_argument(i: int) Tuple[int, Expression][source]

Get both the concrete argument value along with its symbolic expression.

Returns:

Tuple containing concrete value and symbolic expression

get_path_constraints() List[PathConstraint][source]

Get the list of all path constraints set in the Triton context.

Returns:

list of constraints

get_stack_value(index: int, offset: int = 0) int[source]

Returns the value at the ith position further in the stack

Parameters:

  • index (int) – The index position from the top of the stack

  • offset (int) – An integer value offset to apply to stack address

Returns:

the value got

Returns:

the value got

Return type:

int

get_string_argument(idx: int) str[source]

Read a string for which address is a function parameter. The function first get the argument value, and then dereference the string located at that address.

Parameters:

idx (int) – argument index

Returns:

memory string

Return type:

str

heap_allocator: HeapAllocator

Allocator providing alloc, free primitives atop the Memory object

initialize_context(arch: Architecture)[source]

Initialize the context with the given architecture

Parameters:

arch (Architecture) – The architecture to initialize

Returns:

None

is_halt_instruction() bool[source]

Check if the current instruction is corresponding to an ‘halt’ instruction in the target architecture.

Returns:

Return true if on halt instruction architecture independent

is_heap_ptr(ptr: tritondse.types.Addr) bool[source]

Check whether a given address is pointing in the heap area.

Parameters:

ptr (tritondse.types.Addr) – Address to check

Returns:

True if pointer points to the heap area (allocated or not).

is_memory_symbolic(addr: tritondse.types.Addr, size: tritondse.types.ByteSize) bool[source]

Iterate the symbolic memory and returns whether at least one byte of the buffer is symbolic

Parameters:
Returns:

True if at least one byte of the memory is symbolic, false otherwise

is_path_predicate_updated() bool[source]

Return whether the path predicate has been updated

is_register_symbolic(register: str | Register) bool[source]

Check whether the register is symbolic or not.

Parameters:

register (Union[str, tritondse.types.Register]) – register string, or Register object

Returns:

True if the register is symbolic

is_syscall() bool[source]

Check whether the current instruction fetched is a syscall or not.

property last_branch_constraint: PathConstraint

Return the last PathConstraint object added in the path predicate. Should be called after is_path_predicate_updated().

Raises:

IndexError – if the path predicate is empty

Returns:

the path constraint object as returned by Triton

Return type:

PathConstraint

memory: Memory

Memory object associated with the ProcessState

property minus_one: int

Value -1 according to the architecture size (32 or 64 bits)

Returns:

-1 as an unsigned Python integer

pack_integer(value: int, size: int) bytes[source]

Unpack the given bytes into into integer value respecting size given and endianness.

Parameters:

  • value – bytes data to unpack

  • size – size in bits of data to unpack

Returns:

integer value packed as bytes

property path_predicate_size: int

Get the size of the path predicate (conjunction of all branches and additional constraints added)

Returns:

size of the predicate

pop_stack_value() int[source]

Pop a stack value, and the re-increment the stack pointer value. This operation is fully concrete.

Returns:

int

process_instruction(instruction: Instruction) bool[source]

Process the given triton instruction on this process state.

Parameters:

instruction – Triton Instruction object

Returns:

True if the processing of the instruction succeeded (False otherwise)

property program_counter_register: Register

Return the appropriate pc register according to the arch.

Return type:

tritondse.types.Register

property ptr_bit_size: tritondse.types.BitSize

Size of a pointer in bits

Return type:

tritondse.types.BitSize

property ptr_size: tritondse.types.ByteSize

Size of a pointer in bytes

Return type:

tritondse.types.ByteSize

push_constraint(constraint: AstNode, comment: str = '') None[source]

Thin wrapper on the triton context underneath to add a path constraint.

Parameters:

  • constraint (AstNode) – Constraint expression to add

  • comment (str) – String comment to attach to the constraint

push_stack_value(value: int) None[source]

Push a stack value. It then decreases the stack pointer value.

Parameters:

value – The value to push

read_register(register: str | Register) int[source]

Read the current concrete value of the given register.

Parameters:

register (Union[str, tritondse.types.Register]) – string of the register or Register object

Returns:

Integer value

read_symbolic_memory_byte(addr: tritondse.types.Addr) Expression[source]

Thin wrapper to retrieve the symbolic expression of a single bytes in memory.

Parameters:

addr (tritondse.types.Addr) – Memory address

Returns:

Symbolic Expression associated with the memory

Return type:

SymbolicExpression

read_symbolic_memory_bytes(addr: tritondse.types.Addr, size: tritondse.types.ByteSize) Expression[source]

Return a new Symbolic Expression representing the whole memory range given in parameter. That function should not be used on big memory chunks.

Parameters:
Returns:

Symbolic Expression associated with the memory

Return type:

SymbolicExpression

read_symbolic_memory_int(addr: tritondse.types.Addr, size: tritondse.types.ByteSize) Expression[source]

Return a new Symbolic Expression representing the whole memory range given in parameter. That function should not be used on big memory chunks.

Parameters:
Raises:

RuntimeError – If the size is not aligned

Returns:

Symbolic Expression associated with the memory

Return type:

SymbolicExpression

read_symbolic_register(register: str | Register) Expression[source]

Get the symbolic expression associated with the given register.

Parameters:

register (Union[str, tritondse.types.Register]) – register string, or Register object

Returns:

SymbolicExpression of the register as returned by Triton

Return type:

SymbolicExpression

register_triton_callback(cb_type: CALLBACK, callback: Callable) None[source]

Register the given callback as triton callback to hook memory/registers read/writes.

Parameters:

  • cb_type (CALLBACK) – Callback enum type as defined by Triton

  • callback – routines to call on the given event

property registers: Registers

All registers according to the current architecture defined. The object returned is the TritonContext.register object.

Return type:

tritondse.types.Registers

property return_register: Register

Return the appropriate return register according to the arch.

Return type:

tritondse.types.Register

set_solver(solver: str | SOLVER) None[source]

Set the SMT solver to use in the background.

Parameters:

solver – Solver to use

set_solver_timeout(timeout: int) None[source]

Set the timeout for all subsequent queries.

Parameters:

timeout – timeout in milliseconds

set_thumb(enable: bool) None[source]

Set thumb mode activated in the TritonContext. The mode will automatically be switched during execution, but at initialization this method enable activating it / disabling it. (Disabled be default)

Parameters:

enable – bool: Whether to active thumb

set_triton_mode(mode: MODE, value: int = True) None[source]

Set the given mode in the TritonContext.

Parameters:

  • mode – mode to set in triton context

  • value – value to set (default True)

solve(constraint: AstNode | List[AstNode], with_pp: bool = True) Tuple[SolverStatus, Model][source]

Solve the given constraint one the current symbolic state and returns both a Solver status and a model. If not SAT the model returned is empty. Argument with_pp enables checking the constraint taking in account the path predicate.

Parameters:

  • constraint – AstNode or list of AstNodes constraints to solve

  • with_pp – whether to take in account path predicate

Returns:

tuple of status and model

solve_enumerate_expression(exp: AstNode | Expression, constraints: List[AstNode], values_blacklist: List[int], limit: int) List[Tuple[Model, int]][source]
solve_no_pp(constraint: AstNode | List[AstNode]) Tuple[SolverStatus, Model][source]

Helper function that solve a constraint forcing not to use the path predicate.

Warning

Solving a query without the path predicate gives theoretically unsound results.

Parameters:

constraint – AstNode constraint to solve

Returns:

tuple of status and model

spawn_new_thread(new_pc: tritondse.types.Addr, args: tritondse.types.Addr) ThreadContext[source]

Create a new thread in the process state. Parameters are the new program counter and a pointer to arguments to provide the thread.

Parameters:

  • new_pc – new program counter (function to execution)

  • args – arguments

Returns:

thread context newly created

property stack_pointer_register: Register

Return the appropriate stack pointer register according to the arch.

Return type:

tritondse.types.Register

switch_thread(thread: ThreadContext) bool[source]

Change the current thread to the one given in parameter. Thus save the current context, and restore the one of the thread given in parameter. It also resets the counter of the thread restored. If the current_thread is dead, it will also remove it !

Parameters:

thread – thread to restore ThreadContext

Returns:

True if the switch worked fine

symbolize_memory_byte(addr: tritondse.types.Addr, alias: str = None) SymbolicVariable[source]

Symbolize the given memory cell. Returns the associated SymbolicVariable

Parameters:
Returns:

newly created symbolic variable

Return type:

tritondse.types.SymbolicVariable

symbolize_memory_bytes(addr: tritondse.types.Addr, size: tritondse.types.ByteSize, alias_prefix: str = None, offset: int = 0) List[SymbolicVariable][source]

Symbolize a range of memory addresses. Can optionally provide an alias prefix.

Parameters:
Returns:

list of Symbolic variables created

Return type:

List[tritondse.types.SymbolicVariable]

symbolize_register(register: str | Register, alias: str = None) SymbolicVariable[source]

Symbolize the given register. This a proxy for the symbolizeRegister Triton function.

Parameters:

  • register (Union[str, tritondse.types.Register]) – string of the register or Register object

  • alias (str) – alias name to give to the symbolic variable

Returns:

Triton Symbolic variable created

property threads: List[ThreadContext]

Gives a list of all threads currently active.

Returns:

tt_ctx

TritonContext object

unpack_integer(data: bytes, size: int) int[source]

Unpack the given bytes into into integer value respecting size given and endianness.

Parameters:

  • data – bytes data to unpack

  • size – size in bits of data to unpack

Returns:

integer value unpacked

write_argument_value(i: int, val: int) None[source]

Write the parameter index with the given value. It will take in account whether the argument is in a register or the stack.

Parameters:

  • i – Ith argument of the function

  • val – integer value of the parameter

Returns:

None

write_register(register: str | Register, value: int) None[source]

Read the current concrete value of the given register.

Parameters:

  • register (Union[str, tritondse.types.Register]) – string of the register or Register object

  • value (int) – integer value to assign in the register

write_stack_value(index: int, value: int, offset: int = 0) None[source]

Write the given value on the stack at the given index relative to the current stack pointer. The index value can be positive to write further down the stack or negative to write upward.

Parameters:

  • index (int) – The index position from the top of the stack

  • value (int) – Integer value to write on the stack

  • offset (int) – Add an optional ith item offset to add to stack value (not a size)

Returns:

the value got

Return type:

int

write_symbolic_memory_byte(addr: tritondse.types.Addr, expr: AstNode | Expression) None[source]

Set a single bytes symbolic at the given address

Parameters:
write_symbolic_memory_int(addr: tritondse.types.Addr, size: tritondse.types.ByteSize, expr: AstNode | Expression) None[source]

Assign the given symbolic expression representing an integer to the given address. That function should not be used on big memory chunks.

Parameters:
Raises:

RuntimeError – if the size is not aligned

write_symbolic_register(register: str | Register, expr: AstNode | Expression, comment: str = '') None[source]

Assign the given symbolic expression to the register. The given expression can either be an SMT AST node or directly an Expression (SymbolicExpression).

Parameters:

CpuState

class tritondse.arch.CpuState(ctx: TritonContext, arch_info: Arch)[source]

Thin wrapper on a TritonContext, to allow accessing and modifying registers in a Pythonic way. It also abstracts base, stack, and program counter for architecture agnostic operations. This class performs all actions on the TritonContext, and does not hold any information. It is just acting as a proxy

Note

This class adds dynamically attributes corresponding to register. Thus attributes will vary from an architecture to the other.

>>> cpu.rax
12
>>> cpu.rax += 1
>>> cpu.rax
13

No data is stored, all operations are performed on the TritonContext:

>>> cpu.__ctx.getConcreteRegisterValue(cpu.rsp)
0x7ff6540
>>> cpu.stack_pointer += 8
>>> cpu.__ctx.getConcreteRegisterValue(cpu.rsp)
0x7ff6548

Note

The user is not meant to instanciate it manually, and must use it through ProcessState.

property base_pointer: int
Returns:

The value of the base pointer register

property program_counter: int
Returns:

The value of the program counter (RIP for x86, PC for ARM ..)

Return type:

int

property stack_pointer: int
Returns:

The value of the stack pointer register

Memory

class tritondse.memory.Memory(ctx: TritonContext, endianness: Endian = Endian.LITTLE)[source]

Memory representation of the current ProcessState object. It wraps all interaction with Triton’s memory context to provide high-level function. It adds a segmentation and memory permission model at the top of Triton. It also overrides __getitem__ and the slice mechanism to be able to read and write concrete memory values in a Pythonic manner.

Parameters:

ctx – TritonContext to interface with

callbacks_enabled() bool[source]

Return whether memory callbacks are enabled.

Returns:

True if callbacks are enabled

ctx: TritonContext

Underlying Triton context

disable_segmentation() None[source]

Turn-off segmentation enforcing.

enable_segmentation() None[source]

Turn-off segmentation enforcing.

find_map(name: str) List[Map] | None[source]

Find a map given its name.

Parameters:

name – Map name

Returns:

MemMap if found

get_map(addr: int, size: int = 1) Map | None[source]

Find the MemMap associated with the given address and returns it if any.

Parameters:

  • addr – Address of the map (or any map inside)

  • size – size of bytes for which we want the map

Returns:

MemMap if found

get_maps() Generator[Map, None, None][source]

Iterate all the memory maps defined, including all memory areas allocated on the heap.

Returns:

generator of all MemMap objects

has_ever_been_written(ptr: int, size: int) bool[source]

Returns whether the given range of addresses has previously been written or not. (Do not take in account the memory mapping).

Parameters:
Returns:

True if all addresses have been defined

is_mapped(ptr: int, size: int = 1) bool[source]

The function checks whether the memory is mapped or not. The implementation return False if the memory chunk overlap on two memory regions. Complexity is O(log(n))

Parameters:

  • ptr – address in memory

  • size – size of the memory

Returns:

True if mapped

map(start, size, perm: ~tritondse.types.Perm = <Perm.R|W|X: 7>, name='') Map[source]

Map the given address and size in memory with the given permission.

Raises:

MapOverlapException – In the case the map overlap an existing mapping

Parameters:

  • start – address to map

  • size – size to map

  • perm – permission

  • name – name to given to the memory region

Returns:

MemMap freshly mapped

map_from_name(name: str) Map[source]

Return a map from its name. This function assumes the map is present.

Raises:

AssertionError – If the map is not found

Parameters:

name – Map name

Returns:

MemMap

mprotect(addr: int, perm: Perm) None[source]

Update the map at the given address with permissions provided in argument.

Parameters:

  • addr – address of the map of which to change permission

  • perm – permission to assign

Returns:

None

read(addr: int, size: int) bytes[source]

Read size bytes at addr address.

Parameters:

  • addr – address to read

  • size – size of content to read

Returns:

bytes read

read_char(addr: int) int[source]

Read a char in memory (1-byte) following endianness.

Parameters:

addr – address to read

Returns:

char value as int

read_dword(addr: int) int[source]

Read signed double word in memory (4-byte) following endianness.

Parameters:

addr – address to read

Returns:

dword value as int

read_int(addr: int) int[source]

Read a signed integer in memory (4-byte) following endianness.

Parameters:

addr – address to read

Returns:

signed integer value as int

read_long(addr: int) int[source]

Read ‘C style’ long in memory (4-byte) following endianness.

Parameters:

addr – address to read

Returns:

value as int

read_long_long(addr: int) int[source]

Read long long in memory (8-byte) following endianness.

Parameters:

addr – address to read

Returns:

long long value as int

read_ptr(addr: int) int[source]

Read in the process memory a little-endian integer of size tritondse.ProcessState.ptr_size

Parameters:

addr (tritondse.types.Addr) – Address at which to read data

Returns:

Integer value read

read_qword(addr: int) int[source]

Read signed qword in memory (8-byte) following endianness.

Parameters:

addr – address to read

Returns:

qword value as int

read_sint(addr: int, size: int = 4)[source]

Read in the process memory a little-endian integer of the size at addr.

Parameters:
Returns:

Integer value read

Raises:

struct.error – If value can’t fit in size

read_string(addr: int) str[source]

Read a string in process memory at the given address

Warning

The memory read is unbounded. Thus, the memory is iterated up until finding a 0x0.

Returns:

the string read in memory

Return type:

str

read_uchar(addr: int) int[source]

Read an unsigned char in memory (1-byte) following endianness.

Parameters:

addr – address to read

Returns:

unsigned char value as int

read_uint(addr: int, size: int = 4)[source]

Read in the process memory a little-endian integer of the size at addr.

Parameters:
Returns:

Integer value read

Raises:

struct.error – If value can’t fit in size

read_ulong(addr: int) int[source]

Read unsigned long in memory (4-byte) following endianness.

Parameters:

addr – address to read

Returns:

unsigned long value as int

read_ulong_long(addr: int) int[source]

Read unsigned long long in memory (8-byte) following endianness.

Parameters:

addr – address to read

Returns:

unsigned long long value as int

read_word(addr: int) int[source]

Read signed word in memory (2-byte) following endianness.

Parameters:

addr – address to read

Returns:

signed word value as int

property segmentation_enabled: bool

returns whether segmentation enforcing is enabled

Returns:

True if segmentation is enabled

set_endianness(en: Endian) None[source]

Set the endianness of memory accesses. By default, endianness is little.

Parameters:

en – Endian: Endianness to use.

Returns:

None

set_segmentation(enabled: bool) None[source]

Set the segmentation enforcing with the given boolean.

unmap(addr: int) None[source]

Unmap the MemMap object mapped at the address. The address can be within the map and not requires pointing at the head.

Parameters:

addr – address to unmap

Returns:

None

without_segmentation(disable_callbacks=False) Generator[Memory, None, None][source]

Context manager enabling manipulating temporarily the memory without considering the memory permissions. E.g: It enables writing data in a memory mapped in RX :param disable_callbacks: Whether to disable memory callbacks that could have been set :return:

write(addr: int, data: bytes) None[source]

Write the given data bytes at addr address.

Parameters:

  • addr – address where to write

  • data – data to write

Returns:

None

write_char(addr: int, value: int) None[source]

Write the integer value as a single byte in memory.

Parameters:

  • addr – address to write

  • value – integer value

Raises:

struct.error – If integer value do not fit in a byte (>255)

write_dword(addr: int, value: int) None[source]

Write the word (4-byte) in memory following endianness.

Parameters:

  • addr – address to write

  • value – integer value

Raises:

struct.error – If integer value do not fit in a dword

write_int(addr: int, value: int, size: int = 4)[source]

Write in the process memory the given integer value of the given size at a specific address.

Parameters:

  • addr – Address at which to read data

  • value – data to write represented as an integer

  • size – Number of bytes to read

Raises:

struct.error – If integer value cannot fit in size

write_long(addr: int, value: int) None[source]

Write a “C style” long (4-byte) in memory following endianness.

Parameters:

  • addr – address to write

  • value – integer value

Raises:

struct.error – If integer value do not fit in a long

write_long_long(addr: int, value: int) None[source]

Write the “C style” long long (8-byte) in memory following endianness.

Parameters:

  • addr – address to write

  • value – integer value

Raises:

struct.error – If integer value do not fit in a long long

write_ptr(addr: int, value: int) None[source]

Similar to write_int() but the size is automatically adjusted to be ptr_size.

Parameters:
Raises:

struct.error – If integer value cannot fit in a pointer size

write_qword(addr: int, value: int) None[source]

Write the qword (8-byte) in memory following endianness.

Parameters:

  • addr – address to write

  • value – integer value

Raises:

struct.error – If integer value do not fit in a qword

write_word(addr: int, value: int) None[source]

Write the word (2-byte) in memory following endianness.

Parameters:

  • addr – address to write

  • value – integer value

Raises:

struct.error – If integer value do not fit in a word

HeapAllocator

class tritondse.heap_allocator.HeapAllocator(start: int, end: int, memory: Memory)[source]

Custom tiny heap allocator. Used by built-ins routines like malloc/free. This allocation manager also provides an API enabling checking whether a pointer is allocated freed etc.

Warning

This allocator is very simple and does not perform any coalescing of freed memory areas. Thus, it may not correctly model the behavior of libc allocator.

Class constructor. Takes heap bounds as parameter.

Parameters:

  • start (tritondse.types.Addr) – Where the heap area can start

  • end – Where the heap area must end

  • memory – Memory: Memory object on which to perform allocations

alloc(size: int) int[source]

Performs an allocation of the given byte size.

Parameters:

size (tritondse.types.ByteSize) – Byte size to allocate

Raises:

AllocatorException – if not memory is available

Returns:

The pointer address allocated

Return type:

tritondse.types.Addr

free(ptr: int) None[source]

Free the given memory chunk.

Parameters:

ptr (tritondse.types.Addr) – Address to free

Raises:

AllocatorException – if the pointer has already been freed or if it has never been allocated

is_ptr_allocated(ptr: int) bool[source]

Check whether a given address has been allocated

Parameters:

ptr (tritondse.types.Addr) – Address to check

Returns:

True if pointer points to an allocated memory region

is_ptr_freed(ptr: int) bool[source]

Check whether a given pointer has recently been freed.

Parameters:

ptr (tritondse.types.Addr) – Address to check

Returns:

True if pointer has been freed, False otherwise

class tritondse.heap_allocator.AllocatorException(message)[source]

Class used to represent a heap allocator exception. This exception can be raised in the following conditions:

  • trying to allocate data which overflow heap size

  • trying to free a pointer already freed

  • trying to free a non-allocated pointer

ThreadContext

class tritondse.thread_context.ThreadContext(tid: int)[source]

Bases: object

Thread data structure holding all information related to it. Purposely used to save registers and to restore them in a TritonContext.

Parameters:

tid – thread id

cancel_join() None[source]

Cancel a join operation.

Returns:

None

is_dead() bool[source]

Returns whether the thread is killed or not

Returns:

boolean indicating if the thread is dead or not

is_main_thread() bool[source]

Returns whether it is the main thread (namely its id is 0)

Returns:

bool

is_running() bool[source]

Return if the thread is properly running or not.

Returns:

True if the thread is running

is_waiting_to_join() bool[source]

Checks whether the thread is waiting to join another one.

Returns:

boolean on whether it waits for another thread

join_thread(th_id: int) None[source]

Put the thread in a join state where waits for another thread.

Parameters:

th_id – id of the thread to join

Returns:

None

kill() None[source]

Kill the current thread. Called when exiting the thread.

Returns:

restore(tt_ctx: TritonContext) None[source]

Restore a thread state in the given TritonContext

Parameters:

tt_ctx (TritonContext) – context in which to restor the current thread state

save(tt_ctx: TritonContext) None[source]

Save the current thread state from the current execution. That implies keeping a reference on symbolic and concrete registers.

Parameters:

tt_ctx – current TritonContext to save