bap [--map-terms-with=SCHEME] [--map-terms-using=FILE] --map-terms
Transform terms using a domain-specific pattern matching language. The pass accepts a list of patterns via the command line argument --map-terms-with (which can be specified several times), or via a file that contains a list of patterns. Each pattern is represented by a pair (<condition> <action>). The <action> specifies a transformation over a term that is applied if the <condition> is satisfied. Both <condition> and <action> can be a single <expression> or a list of expressions, delimited with parentheses. If there is a list of conditions, then all must be satisfied. If there is a list of actions, then all actions are applied in order. Each expression is either a nullary function (<id>) or a unary function (<id> <arg>), where <id> must be a valid predicate or mapper name. There is a predefined set of standard functions, but it can be extended by adding new mappers or predicates to the BML language using the bap-bml library.
(true) Is always satisfied.
(is-ATTR) Is satisfied when a term has the given attribute, where ATTR must be one of synthetic, live, dead or visited.
(is-ATTR-sub) Is satisfied when a term is a subroutine with the given attribute, where ATTR must be one of const, pure, stub, extern, leaf, malloc, noreturn, return_twice or nothrow.
(is-ATTR-arg) Is satisfied when a term is an argument with the given attribute, where ATTR must be one of alloc-size, restricted or nonnull.
(has-mark) Is satisfied when a term has an attribute mark.
(has-color COLOR) Is satisfied when a term's attribute color has the given value, where COLOR must be one of black, red, green, yellow, blue, magenta, cyan, white or gray.
(has-foreground COLOR) Is satisfied when a term's attribute foreground has the given value, where COLOR must be one of black, red, green, yellow, blue, magenta, cyan, white or gray.
(has-background COLOR) Is satisfied when a term's attribute background has the given value, where COLOR must be one of black, red, green, yellow, blue, magenta, cyan, white or gray.
(term-addr VALUE) Is satisfied when a term's attribute addr has the given value.
(term-tid VALUE) Is satisfied when a term's tid has the given value.
(term-name VALUE) Is satisfied when a term's name has the given value.
(term-parent name) Is satisfied when a term is a parent of a term with the given name.
(def-lhs VAR) Is satisfied when a term defines VAR.
(def-uses VAR) Is satisfied when a term uses VAR.
(taints) Is satisfied if a term is a taint source, i.e., has tainted-reg or tainted-ptr attributes.
(taints-reg) Is satisfied if a term is a taint source that taints a value stored in a register, i.e., has a tainted-reg attribute.
(taints-ptr) Is satisfied if a term is a taint source that taints a value pointed to by a value stored in a register, i.e., has a tainted-ptr attribute.
(has-taints) Is satisfied if a term is tainted, i.e., has tainted-reg or tainted-ptr attributes.
(has-tainted-reg) Is satisfied if a term uses a tainted value stored in a register, i.e., has a tainted-regs attribute.
(has-tainted-reg taint) Is satisfied if a term uses a value tainted with taint and stored in a register, where taint must be a valid taint identifier, e.g., %12.
(has-tainted-ptr) Is satisfied if a term loads a value from a tainted address, i.e., has a tainted-regs attribute.
(has-tainted-reg taint) Is satisfied if a term loads a value from an address tainted by the given taint. The taint must be a valid taint identifier, e.g., %42.
(set-ATTR) Mark a term with the specified attribute, where ATTR must be one of synthetic, live, dead or visited.
(set-ATTR-sub) Mark a term with the specified attribute, where ATTR must be one of const, pure, stub, extern, leaf, malloc, noreturn, return_twice or nothrow.
(set-ATTR-arg) Mark a term with the specified attribute, where ATTR must be one of alloc-size, restricted or nonnull.
(set-mark) Attach the mark attribute to a term.
(color COLOR) Set a term's attribute color to the given value, where COLOR must be one of black, red, green, yellow, blue, magenta, cyan, white or gray.
(foreground COLOR) Set a term's attribute foreground to the given value, where COLOR must be one of black, red, green, yellow, blue, magenta, cyan, white or gray.
(background COLOR) Set a term's attribute background to the given value, where COLOR must be one of black, red, green, yellow, blue, magenta, cyan, white or gray.
(taint-reg TID) Mark a term with the given TID as a taint source for register values.
(taint-ptr TID) Mark a term with the given TID as a taint source for memory values.
(unset-ATTR) Unmark a term from attribute ATTR, e.g., unset-visited, unset-foreground.
bml ::= (<exps> <exps>)
exps ::= <exp> | (<exp>1 .. <exp>N)
exp ::= (<id>) | (<id> <arg>)
arg ::= <id> | ?quoted string?
id ::= ?alphanumeric sequence?
bap exe --map-terms-with='((is-visited) (foreground blue))'
bap exe --map-terms-with='((taints-ptr %12) (comment "ha ha"))'
bap exe --map-terms-with='((term-name @strlen) (foreground blue))'
bap exe --map-terms-with='((term-tid %0000042) (foreground blue))'
bap exe --map-terms-with='((goto mem[0x42]) (foreground blue))'
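A structural checker for the grammar and example patterns above, added here as an example (it is not BAP's own parser): it splits one pattern string into its condition and action lists and rejects malformed input before the string is passed to --map-terms-with. The function names are introduced for this example, and <id> is assumed to be any run of characters without whitespace, parentheses or quotes, so that the %12, @strlen and mem[0x42] arguments used on this page are accepted.

```python
import re

# Atoms are runs without whitespace, parens or quotes (so %12 and mem[0x42] are one token).
TOKEN = re.compile(r'\s*(\(|\)|"(?:[^"\\]|\\.)*"|[^\s()"]+)')

def tokenize(text):
    text, pos, out = text.rstrip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:  # the only way to get here is an unterminated quoted string
            raise ValueError(f"bad token at offset {pos}")
        out.append(m.group(1))
        pos = m.end()
    return out

def read(tokens):
    # Consume one S-expression from the token list; lists become Python lists.
    if not tokens or tokens[0] == ")":
        raise ValueError("expected '(' or an atom")
    tok = tokens.pop(0)
    if tok != "(":
        return tok
    node = []
    while tokens and tokens[0] != ")":
        node.append(read(tokens))
    if not tokens:
        raise ValueError("missing ')'")
    tokens.pop(0)
    return node

def is_exp(n):
    # exp ::= (<id>) | (<id> <arg>); only <arg> may be a quoted string
    return (isinstance(n, list) and len(n) in (1, 2)
            and all(isinstance(x, str) for x in n) and not n[0].startswith('"'))

def exps(n):
    # exps ::= <exp> | (<exp>1 .. <exp>N)
    if is_exp(n):
        return [tuple(n)]
    if isinstance(n, list) and n and all(is_exp(x) for x in n):
        return [tuple(x) for x in n]
    raise ValueError(f"expected an expression or a list of expressions: {n!r}")

def parse_pattern(text):
    """bml ::= (<exps> <exps>); returns (conditions, actions) as lists of tuples."""
    tokens = tokenize(text)
    tree = read(tokens)
    if tokens or not isinstance(tree, list) or len(tree) != 2:
        raise ValueError("a pattern is one pair (<condition> <action>)")
    return exps(tree[0]), exps(tree[1])
```

The check is structural only: it does not verify that an <id> names an existing predicate or mapper.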
bap-plugin-taint(1), bap-bml(3)