GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → GrammaTech → Ddisasm

GrammaTech / Ddisasm

Licence: agpl-3.0
A fast and accurate disassembler

Labels

reverse-engineeringanalysisbinarydisassemblerbinary-analysis

Projects that are alternatives of or similar to Ddisasm

Replica
Ghidra Analysis Enhancer 🐉
Stars: ✭ 194 (-40.31%)
Mutual labels:  analysis, disassembler, binary, binary-analysis, reverse-engineering
Gtirb
Intermediate Representation for Binary analysis and transformation
Stars: ✭ 190 (-41.54%)
Mutual labels:  analysis, disassembler, binary, binary-analysis, reverse-engineering
B2r2
B2R2 is a collection of useful algorithms, functions, and tools for binary analysis.
Stars: ✭ 262 (-19.38%)
Mutual labels:  disassembler, binary, binary-analysis, reverse-engineering
Qiling
Qiling Advanced Binary Emulation Framework
Stars: ✭ 2,816 (+766.46%)
Mutual labels:  analysis, binary, reverse-engineering
Die Engine
DIE engine
Stars: ✭ 648 (+99.38%)
Mutual labels:  disassembler, binary-analysis, reverse-engineering
Redasm
The OpenSource Disassembler
Stars: ✭ 1,042 (+220.62%)
Mutual labels:  disassembler, binary-analysis, reverse-engineering
Bap
Binary Analysis Platform
Stars: ✭ 1,385 (+326.15%)
Mutual labels:  disassembler, binary-analysis, reverse-engineering
Pref
Portable Reverse Engineering Framework
Stars: ✭ 127 (-60.92%)
Mutual labels:  analysis, binary-analysis, reverse-engineering
Detect It Easy
Program for determining types of files for Windows, Linux and MacOS.
Stars: ✭ 2,982 (+817.54%)
Mutual labels:  disassembler, binary-analysis, reverse-engineering
Radare2
UNIX-like reverse engineering framework and command-line toolset
Stars: ✭ 15,412 (+4642.15%)
Mutual labels:  disassembler, binary-analysis, reverse-engineering
Binee
Binee: binary emulation environment
Stars: ✭ 408 (+25.54%)
Mutual labels:  analysis, binary, binary-analysis
E9patch
A powerful static binary rewriting tool
Stars: ✭ 317 (-2.46%)
Mutual labels:  binary, binary-analysis, reverse-engineering
Reverse Engineering Tutorials
Some Reverse Engineering Tutorials for Beginners
Stars: ✭ 217 (-33.23%)
Mutual labels:  analysis, binary
Binnavi
BinNavi is a binary analysis IDE that allows to inspect, navigate, edit and annotate control flow graphs and call graphs of disassembled code.
Stars: ✭ 2,781 (+755.69%)
Mutual labels:  analysis, reverse-engineering
SDA
SDA is a rich cross-platform tool for reverse engineering that focused firstly on analysis of computer games. I'm trying to create a mix of the Ghidra, Cheat Engine and x64dbg. My tool will combine static and dynamic analysis of programs. Now SDA is being developed.
Stars: ✭ 98 (-69.85%)
Mutual labels:  analysis, disassembler
bmod
bmod parses binaries for modification/patching and disassembles machine code sections.
Stars: ✭ 12 (-96.31%)
Mutual labels:  binary, disassembler
Idenlib
idenLib - Library Function Identification [This project is not maintained anymore]
Stars: ✭ 322 (-0.92%)
Mutual labels:  binary-analysis, reverse-engineering
sleigh
Unofficial CMake build for Ghidra SLEIGH
Stars: ✭ 54 (-83.38%)
Mutual labels:  disassembler, binary-analysis
BEFA-Library
High-level library for executable binary file analysis
Stars: ✭ 14 (-95.69%)
Mutual labels:  disassembler, binary-analysis
vulnscan
A static binary vulnerability scanner
Stars: ✭ 47 (-85.54%)
Mutual labels:  analysis, binary
View All Similar Projects ➔

Datalog Disassembly

DDisasm is a fast disassembler which is accurate enough for the resulting assembly code to be reassembled. DDisasm is implemented using the datalog (souffle) declarative logic programming language to compile disassembly rules and heuristics. The disassembler first parses ELF file information and decodes a superset of possible instructions to create an initial set of datalog facts. These facts are analyzed to identify code location, symbolization, and function boundaries. The results of this analysis, a refined set of datalog facts, are then translated to the GTIRB intermediate representation for binary analysis and reverse engineering. The GTIRB pretty printer may then be used to pretty print the GTIRB to reassemblable assembly code.

Dependencies

ddisasm uses C++17, and requires a compiler which supports that standard such as gcc 7, clang 6, or MSVC 2017.

To build and install ddisasm, the following requirements should be installed:

  • gtirb
  • gtirb-pprinter
  • Capstone, version 4.0.1 or later
  • Souffle, version 2.0.2
    • Must be configured with support for 64 bit numbers (via --enable-64bit-domain during configuration)
  • libehp, version 1.0.0 or higher
  • LIEF, version 0.10.0 or higher

Note that these versions are newer than what your package manager may provide by default: This is true on Ubuntu 18, Debian 10, and others. Prefer building these dependencies from sources to avoid versioning problems. Alternatively, you can use the GrammaTech PPA to get the correct versions of the dependencies.

Ubuntu16

sudo add-apt-repository ppa:maarten-fonville/protobuf
sudo add-apt-repository ppa:mhier/libboost-latest
echo "deb https://grammatech.github.io/gtirb/pkgs/xenial ./" | sudo tee -a /etc/apt/sources.list.d/gtirb.list
sudo apt-get update

Ubuntu18

sudo add-apt-repository ppa:mhier/libboost-latest
echo "deb [trusted=yes] https://grammatech.github.io/gtirb/pkgs/bionic ./" | sudo tee -a /etc/apt/sources.list.d/gtirb.list
sudo apt-get update

Building ddisasm

Use the following options to configure cmake:

  • You can tell CMake which compiler to use with -DCMAKE_CXX_COMPILER=<compiler>.

  • You can tell CMake about the paths to its dependencies as follows:

Option Use
LIEF_ROOT Path to the LIEF installation dir
gtirb_DIR Path to the GTIRB installation dir
gtirb_pprinter_DIR Path to the gtirb-pprinter build dir
  • ddisasm can make use of GTIRB in static library form (instead of shared library form, the default) if you use the flag -DDDISASM_BUILD_SHARED_LIBS=OFF.

Once the dependencies are installed, you can configure and build as follows:

$ cmake ./ -Bbuild
$ cd build
$ make

Installing ddisasm on ubuntu16 and 18

Packages for Ubuntu 16 and 18 are available in the GTIRB apt repository. Ddisasm has some dependencies which are not available in the official repositories, and so certain PPAs must be added to the system in order for Ddisasm to be installed.

Instructions for adding the appropriate PPAS are listed above, and can be used to install ddisasm as described below.

Ubuntu16

sudo apt-get install --allow-unauthenticated ddisasm

Ubuntu18

sudo apt-get install ddisasm

Running the analysis

Once ddisasm is built, we can run complete analysis on a file by calling build/bin/ddisasm'. For example, we can run the analysis on one of the examples as follows:

cd build/bin && ./ddisasm ../../examples/ex1/ex --asm ex.s

Ddisasm accepts the following parameters:

--help : produce help message

--ir arg : GTIRB output file

--json arg : GTIRB json output file

--asm arg : ASM output file

--debug : if the assembly code is printed, it is printed with debugging information

--debug-dir arg : location to write CSV files for debugging

-K [ --keep-functions ] arg : Print the given functions even if they are skipped by default (e.g. _start)

--self-diagnose : This option is useful for debugging. Use relocation information to emit a self diagnosis of the symbolization process. This option only works if the target binary contains complete relocation information. You can enable that in ld using the option --emit-relocs.

-F [ --skip-function-analysis ] : Skip additional analyses to compute more precise function boundaries.

-j [ --threads ] : Number of cores to use. It is set to the number of cores in the machine by default.

Rewriting a project

The directory tests/ contains the script reassemble_and_test.sh to rewrite and test a complete project. reassemble_and_test.sh rebuilds a project using the compiler and compiler flags specified in the enviroment variables CC and CFLAGS (make -e), rewrites the binary and run the project tests on the new binary.

We can rewrite ex1 as follows:

cd examples/ex1
make
ddisasm ex --asm ex.s
gcc ex.s -o ex_rewritten

Testing

The directory tests/ also contains a script test_small.sh for rewriting the examples in /examples with different compilers and optimization flags.

Contributing

Please read the DDisasm Code of Conduct.

Please follow the Code Requirements in gtirb/CONTRIBUTING.

We ask that all contributors complete our Contributor License Agreement (CLA), which can be found at GrammaTech-CLA-ddisasm.pdfGTIRB.pdf, and email the completed form to [email protected]. Under this agreement contributors retain the copyright to their work but grants GrammaTech unlimited license to the work.

External Contributors

  • Programming Language Group, The University of Sydney: Initial support for ARM64.

AuxData generated by ddisasm

ddisasm generates the following AuxData tables:

Key Type Purpose
binaryType std::vector<std::string> A set of binary type descriptors e.g. for ELF whether the binary is PIE "DYN" or not, "EXEC". PE binaries have additional descriptors, "DLL" or "EXE, and subsystem descriptor, e.g. WINDOWS_GUI or WINDOWS_CUI.
comments std::map<gtirb::Offset, std::string> Per-instruction comments.
functionEntries std::map<gtirb::UUID, std::set<gtirb::UUID>> UUIDs of the blocks that are entry points of functions.
functionBlocks std::map<gtirb::UUID, std::set<gtirb::UUID>> UUIDs of the blocks that belong to each function.
symbolForwarding std::map<gtirb::UUID, gtirb::UUID> Map from symbols to other symbols. This table is used to forward symbols due to relocations or due to the use of plt and got tables.
encodings std::map<gtirb::UUID, std::string> Map from (typed) data objects to the encoding of the data, expressed as a std::string containing an assembler encoding specifier: "string", "uleb128" or "sleb128".
elfSectionProperties std::map<gtirb::UUID, std::tuple<uint64_t, uint64_t>> Map from section UUIDs to tuples with the ELF section types and flags.
cfiDirectives std::map<gtirb::Offset, std::vector<std::tuple<std::string, std::vector<int64_t>, gtirb::UUID>>> Map from Offsets to vector of cfi directives. A cfi directive contains: a string describing the directive, a vector of numeric arguments, and an optional symbolic argument (represented with the UUID of the symbol).
libraries std::vector<std::string> Names of the libraries that are needed.
libraryPaths std::vector<std::string> Paths contained in the rpath of the binary.
padding std::map<gtirb::Offset, uint64_t> Offset of padding in a ByteInterval and the padding length in bytes.
SCCs std::map<gtirb::UUID, int64_t> The intra-procedural SCC identifier of each block
symbolicExpressionSizes std::map<gtirb::Offset, uint64_t> Map from an Offset of a symbolic expression in a ByteInterval to its extent, a size in bytes.
peImportEntries std::vector<std::tuple<uint64_t, int64_t, std::string, std::string>> List of tuples detailing an imported function address, ordinal, function name, and library names for PE.
peExportEntries std::vector<std::tuple<uint64_t, int64_t, std::string>> List of tuples detailing an exported address, ordinal, and name for PE.
peImportedSymbols std::vector<gtirb::UUID> UUIDs of the imported symbols for PE.
peExportedSymbols std::vector<gtirb::UUID> UUIDs of the exported symbols for PE.
peResource std::vector<std::tuple<std::vector<uint8_t>, gtirb::Offset, uint64_t>> List of PE resources. A resource header, data length, and data pointer.

Some References

  1. Datalog Disassembly

  2. Souffle

  3. Capstone disassembler

  4. Control Flow Integrity for COTS Binaries

  5. Alias analysis for Assembly

  6. Reassembleable Disassembling

  7. Ramblr: Making reassembly great again

  8. An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries

  9. Binary Code is Not Easy

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].