A starting point for struct support in QIRA

The first thing to notice is stack frames are just a special case of structs. So we will work through this example using them.

The binary we are looking at is tests_manual/stackframetest_x86 and the source is tests_auto/source-autogen. The struct for the stacked function looks like

struct stackframe_stacked {      
  char padding[8];
  int plus_2;
  int times_5;
  void *ebp;    // data
  void *return; // code
  int input;
}

That is the static definition of the struct stackframe_stacked, and there is one of these. Hopefully this is recoverable by BAP, I'll leave figuring this out to you guys. Also, we need the instantiation instruction, function to get the address, free instruction, and free instruction conditional. In this example, those are

(stackframe_stacked, 0x804841d, $esp-0x14, 0x8048442, None)

Notice how this generalizes to heap allocations

(heap_structure, call_to_malloc, $eax, free, $eax = $address_of_structure)

Then we have the dynamic instantiations of this struct, generated by the rule above, of the form

(struct_name, base_address, start_change_valid, end_change_valid)

So, in the concrete example, we have three of these for stackframe_stacked.

 [(stackframe_stacked, 0xf6fff4f8, 89, 104),
  (stackframe_stacked, 0xf6fff4f8, 121, 136),
  (stackframe_stacked, 0xf6fff4f8, 149, 164)]

All of these (struct definitions, dynamic instantiation rules, and dynamic instantiations) should be hand specifiable nicely in the UI, plan it first. OMG imagine being able to scroll down the stack and seeing which data comes from which function. Or the heap! Click a malloced block and see where it was malloced!!! This is my dream.

For display, as a first cut, set the background color in the hexeditor to a new color for each struct, and colorcode the structs in the struct editor window. Looking something like (stackframe_stacked is blue, stackframe_main is purple)

If I had this(or if my hex-rays wasn't stupid), I wouldn't have missed fucking bookstore.