Analysis Options

Several settings relating to the initial analysis can be modified before analysis begins, either in the GUI or via the plugin framework.


  • Perform Initial Analysis in Background - After the file is loaded, the initial analysis can be run in a background thread in order to allow you to interact with the user interface immediately.

  • Perform Static Library Analysis - Enable or disable static library analysis. Static library analysis will try to identify commonly linked-in static library code, such as compiler runtimes, via a collection of static library packages which contain signatures for the static library code to be detected.

  • Ignore if embedded symbols already loaded - If embedded symbols have already been loaded, such as COFF or PDB symbols, then we can choose to prevent static library analysis from being performed, as static library analysis is largely redundant when embedded symbols are available.

  • Perform strict matching - Static library analysis will perform strict matching by default. Strict matching is more restrictive than non-strict matching and, as a result, is faster. With strict matching, the signatures include the static function's length and a hash of the function's instructions, and both must be matched exactly during analysis.

  • Perform Jump Table Analysis - In order to identify control flow targets of a compiler generated jump table, jump table analysis must be performed. This will greatly improve a function's control flow graph.

  • Perform Indirect Call Analysis - If indirect calls can be resolved during analysis it will greatly improve the call graphs of the analyzed binary.

  • Propagate Function Data Types - Some compilers introduce stubs before the actual function begins. We can propagate the original function data type back to the stub in order to improve the readability of the analysis.

  • Load Embedded Symbols - If the binary being analyzed includes embedded symbol information, such as COFF symbols or a PDB entry, we can choose to load and apply the symbol information automatically.

  • Load Lines - If the embedded symbol information contains source line information we can choose to load it. This is disabled by default.

  • Load Pre Compiled Header Symbols - During analysis, data type and function declaration information will be required, such as when processing imports. Relyze ships with several pre compiled header files containing data type declarations and function declarations which can be loaded and used to resolve unknown types and function declarations.

  • Perform Structured Exception Handler Analysis - If the binary being analyzed uses Structured Exception Handlers (SEH), for example via __try/__except keywords in the original source, these handlers can be analyzed in order to identify the filter and handler functions used by the function.

  • Perform C++ Exception Handler Analysis - If the binary being analyzed uses C++ style exception handlers, for example via the try/catch keywords in the original source, these handlers can be analyzed in order to identify the filter and handler functions used by the function.

  • Process Imports - The imported functions from external modules can be processed.

  • Process Exports - The exported functions from the binary being analyzed can be processed.

  • Perform Function Local Analysis - The local variables used by a function can be processed in order to identify them, allowing you to view the local variables, access all the references to a local, change their types and rename them.