refactor: separate detectors from filters #44

Merged: maxgio92 merged 1 commit into main from refactor/detector-pipeline on Mar 15, 2026

@maxgio92 commented Mar 15, 2026

Why

EhFrameFilter was doing double duty: emitting candidates from .eh_frame FDE records AND filtering disasm candidates against them. This mix of concerns made the pipeline hard to reason about and impossible to customize cleanly. The public API also had confusing overlap between multiple ELF-based entry points.

What

The pipeline is now cleanly split:

  • Detectors emit candidates from an *elf.File: DisasmDetector, EhFrameDetector
  • Filters only remove candidates: CETFilter, EhFrameFilter, PLTFilter
  • WithDetectors and WithFilters let callers replace either pipeline
  • DetectFunctionsFromELF(f *elf.File, opts ...Option) is the single ELF entry point
  • DetectPrologues and DetectCallSites remain as the raw-bytes primitives
  • DetectProloguesFromELF and DetectCallSitesFromELF are removed - they were thin wrappers with no logic of their own
  • PLT filter is guaranteed to run last

Closes #43.

@maxgio92 force-pushed the refactor/detector-pipeline branch 7 times, most recently from 11d9de3 to 6596f13, March 15, 2026 12:48
@maxgio92 changed the title from "refactor: split EhFrameFilter into EhFrameDetector and a pure filter" to "refactor: detector/filter pipeline with DetectFunctions(*elf.File) as primary API", Mar 15, 2026
@maxgio92 force-pushed the refactor/detector-pipeline branch 8 times, most recently from 57c18d1 to e7651b2, March 15, 2026 13:01
@maxgio92 changed the title from "refactor: detector/filter pipeline with DetectFunctions(*elf.File) as primary API" to "refactor: detector/filter pipeline with DetectFunctions as primary API", Mar 15, 2026
@maxgio92 force-pushed the refactor/detector-pipeline branch 13 times, most recently from 479bfba to d6dd226, March 15, 2026 13:45
@maxgio92 force-pushed the refactor/detector-pipeline branch 4 times, most recently from 54e78da to c92ffe3, March 15, 2026 15:17
@maxgio92 marked this pull request as ready for review, March 15, 2026 15:25
@maxgio92 changed the title from "refactor: detector/filter pipeline with DetectFunctions as primary API" to "refactor: separate detectors from filters", Mar 15, 2026
@maxgio92 force-pushed the refactor/detector-pipeline branch 4 times, most recently from 7ca1b3b to db02e61, March 15, 2026 15:51
Add CandidateDetector type symmetric with CandidateFilter, and
WithDetectors option symmetric with WithFilters.

DetectFunctionsFromELF is the only API now.

EhFrameDetector emits CFI candidates from .eh_frame FDE records.
EhFrameFilter is now a pure filter: retains only FDE-confirmed
candidates and upgrades their confidence. It never appends.

Default pipeline in DetectFunctionsFromELF:
- detectors: [disasmDetector, EhFrameDetector]
- filters:   [CETFilter, EhFrameFilter, PLTFilter]

Signed-off-by: Massimiliano Giovagnoli <maxgio92@pm.me>
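
A self-contained Go model of the pipeline contract described in the PR description and commit message above: detectors emit, filters only remove or re-score, and the PLT filter stays last even when the caller replaces the filter list. It is an added example, not code from this PR or the project: Candidates, Detector, Filter, keepIf and Run are hypothetical names, the merge rule and the addresses are constructed, and CETFilter is not modelled.

```go
package main

import "fmt"

type Candidates map[uint64]int          // start address -> confidence (model type, assumed)
type Detector func() Candidates         // the real detectors read an *elf.File
type Filter func(Candidates) Candidates // contract: drop or re-score, never add

// keepIf returns a filter retaining addresses accepted by ok, adding boost.
func keepIf(ok func(uint64) bool, boost int) Filter {
	return func(in Candidates) Candidates {
		out := Candidates{}
		for addr, conf := range in {
			if ok(addr) {
				out[addr] = conf + boost
			}
		}
		return out
	}
}

// Run merges detector output, applies filters in order, then always applies plt last.
func Run(dets []Detector, filters []Filter, plt Filter) (Candidates, error) {
	cands := Candidates{}
	for _, d := range dets {
		for addr, conf := range d() {
			if conf > cands[addr] { // assumed merge rule: highest confidence (>= 1) wins
				cands[addr] = conf
			}
		}
	}
	for i, f := range append(append([]Filter{}, filters...), plt) {
		out := f(cands)
		for addr := range out {
			if _, ok := cands[addr]; !ok {
				return nil, fmt.Errorf("filter %d added candidate %#x", i, addr)
			}
		}
		cands = out
	}
	return cands, nil
}

func main() { // constructed sample: 0x1087 is a disasm false positive, 0xf20 a PLT stub
	disasm := func() Candidates { return Candidates{0xf20: 1, 0x1000: 1, 0x1087: 1} }
	cfi := func() Candidates { return Candidates{0xf20: 2, 0x1000: 2, 0x10c0: 2} }
	fde := keepIf(func(a uint64) bool { return cfi()[a] > 0 }, 1) // FDE-confirmed only
	plt := keepIf(func(a uint64) bool { return a < 0xf20 || a >= 0xf60 }, 0)
	fmt.Println(Run([]Detector{disasm, cfi}, []Filter{fde}, plt))
}
```

A filter that mutates its input map in place would evade the "never add" check; a stricter version would snapshot the keys before each filter runs.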
@maxgio92 force-pushed the refactor/detector-pipeline branch from db02e61 to 6050525, March 15, 2026 15:54
@maxgio92 merged commit 7ac355c into main, Mar 15, 2026
6 checks passed
@maxgio92 deleted the refactor/detector-pipeline branch, March 15, 2026 15:56

Development

Successfully merging this pull request may close these issues.

refactor: split EhFrameFilter into a detector and a pure filter
