Main function detection improvements
Now that we have main function detection for x64 PE files, there are a few improvements that we should add:
- [ ] Detect main function for x86 PE files
- [ ] Differentiate main/wmain/WinMain/wWinMain, and apply the prototype of the function (instead of only the name of the function)
- [ ] Add a binary data notification for "main function detected", and use that as the mechanism for navigating to the main symbol
- [ ] Detect DllMain/DriverEntry
- [ ] Detect main function for debug builds
- [ ] Detect main function for compilers other than MSVC
- [ ] Handle conflicts with existing symbols (e.g., from PDB)
Related to https://github.com/Vector35/binaryninja-api/issues/4601
Do these improvements include DllMain detection?
Not yet; I should add it to the list.
For DllMain, we should also consider setting UIDF on the first parameter to the value of bv.start
This can be helpful in cases like https://youtu.be/kgyRiQqc1FU?feature=shared&t=549, where the code adds some offset to the 1st argument to get a pointer to somewhere within the DLL
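The two ideas above (applying the real prototype per entry-point name, and seeding user-informed data flow so that `hinstDLL` is known to be `bv.start`) as an added Binary Ninja Python snippet; this is example code, not code from the issue or from the Binary Ninja project. It assumes the function already carries its entry-point symbol name (possibly with x86 `_name`/`_name@N` decoration), replaces Windows typedefs with primitive types, and takes the function start as the parameter's defining address for `set_user_var_value`.

```python
"""Apply an entry-point prototype; for DllMain, seed UIDF on the module-handle parameter."""
import re

# Prototypes in Binary Ninja's C-like type syntax. Windows typedefs (HINSTANCE, DWORD, LPVOID,
# PUNICODE_STRING, ...) are replaced with primitives (assumption) so the strings parse on any
# platform without the Windows type library loaded.
ENTRY_PROTOTYPES = {
    "main": "int32_t main(int32_t argc, char** argv, char** envp)",
    "wmain": "int32_t wmain(int32_t argc, wchar16** argv, wchar16** envp)",
    "WinMain": "int32_t WinMain(void* hInstance, void* hPrevInstance, char* lpCmdLine, int32_t nShowCmd)",
    "wWinMain": "int32_t wWinMain(void* hInstance, void* hPrevInstance, wchar16* lpCmdLine, int32_t nShowCmd)",
    "DllMain": "bool DllMain(void* hinstDLL, uint32_t fdwReason, void* lpvReserved)",
    "DriverEntry": "int32_t DriverEntry(void* DriverObject, void* RegistryPath)",
}

# x86 decoration: __cdecl prefixes "_", __stdcall adds "@<bytes of args>" (e.g. "_DllMain@12").
_DECORATION = re.compile(r"^_?([A-Za-z]\w*?)(?:@\d+)?$")


def canonical_entry_name(symbol_name):
    """Return the bare entry-point name for a possibly decorated symbol, else None."""
    m = _DECORATION.match(symbol_name)
    if m and m.group(1) in ENTRY_PROTOTYPES:
        return m.group(1)
    return None


def prototype_for(symbol_name):
    """C prototype string for a (possibly decorated) entry-point symbol, or None."""
    name = canonical_entry_name(symbol_name)
    return ENTRY_PROTOTYPES.get(name) if name else None


def apply_entry_prototype(bv, func):
    """Apply the matching prototype as the user type of `func`. For DllMain, also tell data
    flow that the first parameter (hinstDLL) equals the image base, bv.start, so that
    `hinstDLL + offset` resolves to a concrete address inside the DLL.
    Returns the canonical entry name applied, or None if `func` is not a known entry point."""
    from binaryninja import PossibleValueSet  # local import: helpers above run without Binary Ninja
    name = canonical_entry_name(func.name)
    if name is None:
        return None
    ftype, _ = bv.parse_type_string(ENTRY_PROTOTYPES[name])
    func.set_user_type(ftype)
    if name == "DllMain":
        bv.update_analysis_and_wait()  # parameter variables reflect the new type only after re-analysis
        hinst = func.parameter_vars.vars[0]
        # Assumption: the parameter's defining address for set_user_var_value is the function start.
        func.set_user_var_value(hinst, func.start, PossibleValueSet.constant(bv.start))
    return name
```

Run `apply_entry_prototype(bv, f)` over `bv.functions` from the Binary Ninja script console; functions whose name is not a known entry point are left untouched.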
For specific embedded architectures and firmware, assignments to specific global registers would also be a very good indicator that the function is the entry point.
Take TriCore, for example: setting a0 or a1 would likely indicate a startup routine:
The DllMain function also does not get the correct arguments set in the function prototype.
BN:
IDA: