programa-stic / barf-project
BARF : A multiplatform open source Binary Analysis and Reverse engineering Framework
License: BSD 2-Clause "Simplified" License
I think one of the most flexible and useful ways of tainting data to perform static/dynamic binary analysis is using sets to carry different types of data. In this case, the "False" value of a missing taint is replaced by the empty set and the taint disjunction by the union of the taint sets. A POC of the modifications needed for this enhancement is available here.
For example, in dynamic analysis, they can be used to track how different offset bytes of a file taint instructions in a trace.
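The set-based taint described in the issue above, as an added example (it is not BARF's code and not the linked POC): every location carries a set of input-byte offsets, the empty set plays the role of "not tainted", and disjunction is set union. The three-address mini-IR, the trace and the mapping of file bytes to memory are constructed for the example.

```python
# Added example (not BARF's code): taint carried as a *set* of input-byte
# offsets instead of a True/False flag. "Untainted" is the empty set and taint
# disjunction is set union, so after a trace we can ask exactly which file
# offsets influenced each instruction. The three-address mini-IR, the trace
# and the file mapping are constructed for the example; they are not REIL.

# (op, src1, src2, dst): operands are register names, memory cells written
# "mem[<addr>]", integer constants, or None when unused.
TRACE = [
    ("load",  "mem[0x100]", None,         "eax"),         # eax <- file byte 0
    ("load",  "mem[0x101]", None,         "ebx"),         # ebx <- file byte 1
    ("add",   "eax",        "ebx",        "ecx"),         # ecx depends on {0, 1}
    ("mov",   0x41,         None,         "edx"),         # constant clears edx
    ("xor",   "ecx",        "edx",        "ecx"),         # ecx still {0, 1}
    ("store", "ecx",        None,         "mem[0x200]"),  # taint flows to memory
    ("load",  "mem[0x200]", None,         "esi"),         # ... and back out
    ("add",   "esi",        "mem[0x102]", "edi"),         # edi depends on {0, 1, 2}
]

# Constructed input: a 3-byte "file" mapped at 0x100, byte k at mem[0x100 + k].
FILE_MAP = {"mem[0x%x]" % (0x100 + k): {k} for k in range(3)}

def taint_of(state, operand):
    """Taint set of an operand; constants and unknown locations are untainted."""
    if operand is None or isinstance(operand, int):
        return frozenset()
    return state.get(operand, frozenset())

def run_taint(trace, initial):
    """Propagate set-valued taint over a trace.

    Returns (final_state, per_instruction): final_state maps each tainted
    location to its taint set, per_instruction[i] is the union of the taints
    of everything instruction i read.
    """
    state = {loc: frozenset(t) for loc, t in initial.items()}
    per_instruction = []
    for op, src1, src2, dst in trace:
        read = taint_of(state, src1) | taint_of(state, src2)   # disjunction = union
        per_instruction.append(read)
        if read:
            state[dst] = read
        else:
            state.pop(dst, None)   # writing an untainted value clears the taint
    return state, per_instruction

def tainted_instructions(trace=TRACE, initial=FILE_MAP):
    """Index -> sorted file offsets, for every instruction that read taint."""
    _, per_instr = run_taint(trace, initial)
    return {i: sorted(t) for i, t in enumerate(per_instr) if t}

def final_taint(trace=TRACE, initial=FILE_MAP):
    """Location -> sorted file offsets once the trace has been replayed."""
    state, _ = run_taint(trace, initial)
    return {loc: sorted(t) for loc, t in state.items()}

if __name__ == "__main__":
    for i, offsets in sorted(tainted_instructions().items()):
        print("instr %d %-5s reads file offsets %s" % (i, TRACE[i][0], offsets))
```

Instruction 3 writes a constant and so drops out of the result, while instruction 7 reports offsets 0, 1 and 2 because the taint travelled through memory at 0x200 and was joined with a third file byte. Two things a real engine must add that this toy omits: the zeroing idiom (xor of a register with itself yields an untainted constant, not the union of its own taint) and sub-register or per-byte granularity.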
If a noreturn function occurs in a function for which the CFG is being created, the traversing process isn't stopped when it encounters a noreturn function. After a noreturn function, there might be data entries (i.e. dd) which can't be disassembled, so this may lead to unknown behaviors.
For example in the binary file attached, in function foo we have a __stack_chk_fail function call which is noreturn. CFG recovery in this case goes through the next function and yields a weird graph.
Another issue is that in that function there's an instruction which pops on r15 (i.e. pc). In ARM, a stack pop on r15 means function return if its corresponding push was r14 (i.e. link register).
By the way, to build CFG graphs I can only supply the start address and can't determine the address at which a function ends, so the CFG recovery functionality should be smart enough to correctly end at the end of a function.
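The two behaviours the issue asks for, as an added example that is not BARF's code: a recursive-traversal CFG builder over a constructed toy listing in which a call to a symbol marked noreturn terminates the basic block with no fall-through edge (so the data word after it is never disassembled and traversal never runs into the next function), and a "pop {pc}" is treated as a function return. Addresses, sizes, instruction kinds and the noreturn symbol set are constructed for the example; the listing is not the attached binary.

```python
# Added example (not BARF's code): a small recursive-traversal CFG builder over
# a constructed toy listing. A call to a symbol marked noreturn terminates the
# basic block with no fall-through edge; an ARM-style "pop {pc}" is a return.
# Addresses, sizes, kinds and symbol names are constructed for the example.

# Listing entries: (addr, size, kind, arg) with kind in
# op / call / jcc / jmp / ret / pop_pc / data.
FOO = [
    (0x100, 4, "op",     None),
    (0x104, 4, "jcc",    0x110),              # conditional branch to 0x110
    (0x108, 4, "call",   "__stack_chk_fail"),  # noreturn: nothing follows it
    (0x10c, 4, "data",   None),               # literal pool / dd, not code
    (0x110, 4, "op",     None),
    (0x114, 4, "pop_pc", None),               # pop {r15}: function return
    (0x118, 4, "op",     None),               # first instruction of the NEXT function
    (0x11c, 4, "ret",    None),
]

NORETURN = {"__stack_chk_fail", "abort", "exit"}  # constructed symbol set

def recover_cfg(listing, start, noreturn=NORETURN):
    """Return (blocks, edges).

    blocks maps a block's start address to the addresses of its instructions;
    edges is a set of (src_block_start, dst_block_start) pairs. Raises
    ValueError if traversal reaches a data word, which is what happens when
    the noreturn call is not treated as a block terminator.
    """
    by_addr = {ins[0]: ins for ins in listing}
    blocks, edges = {}, set()
    worklist = [start]
    while worklist:
        bb_start = worklist.pop()
        if bb_start in blocks or bb_start not in by_addr:
            continue
        addr, instrs, succs = bb_start, [], []
        while addr in by_addr:
            _, size, kind, arg = by_addr[addr]
            if kind == "data":
                raise ValueError("ran into data at 0x%x" % addr)
            instrs.append(addr)
            nxt = addr + size
            if kind in ("ret", "pop_pc"):
                break                          # function exit, no successors
            if kind == "jmp":
                succs = [arg]
                break
            if kind == "jcc":
                succs = [arg, nxt]
                break
            if kind == "call" and arg in noreturn:
                break                          # no fall-through after noreturn
            addr = nxt
            if addr in blocks or addr in worklist:
                succs = [addr]                 # falls into a known block start
                break
        blocks[bb_start] = instrs
        for s in succs:
            edges.add((bb_start, s))
            worklist.append(s)
    return blocks, edges

def try_recover(listing, start, noreturn):
    """Sorted block starts, or the error message if traversal went wrong."""
    try:
        blocks, _ = recover_cfg(listing, start, noreturn)
    except ValueError as exc:
        return "error: %s" % exc
    return sorted(blocks)

if __name__ == "__main__":
    print(try_recover(FOO, 0x100, NORETURN))   # [256, 264, 272]
    print(try_recover(FOO, 0x100, set()))      # error: ran into data at 0x10c
```

With the noreturn set in place the recovered function is exactly three blocks and 0x118 (the next function) is never visited; with an empty set the traversal falls through the call into the data word, which is the failure mode the issue describes. The toy treats every pop into pc as a return; as the issue notes, a faithful ARM implementation should pair it with the matching push of r14, and it would also need to split a block when a branch lands in the middle of one.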
The CFG recovery functionality uses symbol information to correctly generate the control flow graph of a specific function; however, this information is not automatically extracted from the binary being processed (it has to be done manually). The goal is to extract symbol information automatically once a binary is loaded so it can be used by the different analysis modules such as basicblock (which implements the CFG recovery functionality).
Currently there's no way to make the BARF project available to another project as a requirement via PyPI, or to install it for use via pip. The process is generally painless.
Both pybfd and capstone are available via pip install, so those dependencies can be automatically installed. Z3 is not yet available in this manner, but I've opened an issue with the project to make it available. In any case, it can be left as a manual dependency.
Would you be interested in implementing this functionality to make BARF more easily usable from external projects? In particular, I'm looking at integrating it with binjitsu.
Implement optional instruction flags instead of home-brewed REIL instructions.
For example, the implemented RET instruction could be substituted by a JCC instruction with the optional IOPT_RET flag implemented in openREIL.
I acknowledge the work done on this REIL implementation, but this could increase the interoperability of the two projects and may help to make REIL a more popular IR.
Hello guys,
I am doing some malware analysis and building a CFG from this particular sample.
This is the output log in BARF:
2018-03-11 07:19:20,643: barf.barf:INFO: Initializing BARF
2018-03-11 07:19:20,702: barf.core.smt.smtsolver:DEBUG: > (set-option :global-decls false)
2018-03-11 07:19:20,703: barf.core.smt.smtsolver:DEBUG: > (set-logic QF_AUFBV)
2018-03-11 07:19:20,703: barf.core.smt.smtsolver:DEBUG: > (declare-fun MEM_0 () (Array (_ BitVec 32) (_ BitVec 8)))
2018-03-11 07:19:20,704: barf.arch.emulator:INFO: Loading PE image into memory
2018-03-11 07:19:20,728: barf.arch.emulator:INFO: Loading section #0 (0x401000-0x404600)
2018-03-11 07:19:20,741: barf.arch.emulator:INFO: Loading section #1 (0x405000-0x405000)
2018-03-11 07:19:20,741: barf.arch.emulator:INFO: Loading section #2 (0x415000-0x41f800)
2018-03-11 07:19:20,782: barf.arch.emulator:INFO: Loading section #3 (0x420000-0x425000)
2018-03-11 07:19:20,855: barf.core.smt.smtsolver:DEBUG: > (set-option :global-decls false)
2018-03-11 07:19:20,855: barf.core.smt.smtsolver:DEBUG: > (set-logic QF_AUFBV)
2018-03-11 07:19:20,856: barf.core.smt.smtsolver:DEBUG: > (declare-fun MEM_0 () (Array (_ BitVec 32) (_ BitVec 8)))
2018-03-11 07:19:20,856: barf.arch.emulator:INFO: Loading PE image into memory
2018-03-11 07:19:20,881: barf.arch.emulator:INFO: Loading section #0 (0x401000-0x404600)
2018-03-11 07:19:20,893: barf.arch.emulator:INFO: Loading section #1 (0x405000-0x405000)
2018-03-11 07:19:20,893: barf.arch.emulator:INFO: Loading section #2 (0x415000-0x41f800)
2018-03-11 07:19:20,934: barf.arch.emulator:INFO: Loading section #3 (0x420000-0x425000)
2018-03-11 07:19:21,244: barf.arch.x86.x86translator:INFO: Instruction not supported: shld (shld eax, edi, 0x3 [0f a4 f8 03])
2018-03-11 07:19:21,245: barf.arch.x86.x86translator:INFO: Instruction not supported: shld (shld eax, edi, 0x3 [0f a4 f8 03])
2018-03-11 07:19:21,401: barf.arch.x86.x86translator:INFO: Instruction not supported: shld (shld eax, esi, 0x3 [0f a4 f0 03])
2018-03-11 07:19:21,402: barf.arch.x86.x86translator:INFO: Instruction not supported: shld (shld eax, esi, 0x3 [0f a4 f0 03])
2018-03-11 07:19:21,605: barf.arch.x86.x86translator:INFO: Instruction not supported: shld (shld eax, esi, 0x3 [0f a4 f0 03])
2018-03-11 07:19:22,838: barf.arch.x86.x86translator:INFO: Instruction not supported: shld (shld eax, ecx, 0x3 [0f a4 c8 03])
2018-03-11 07:19:22,839: barf.arch.x86.x86translator:INFO: Instruction not supported: shld (shld eax, ecx, 0x3 [0f a4 c8 03])
2018-03-11 07:19:23,153: barf.arch.x86.x86translator:INFO: Instruction not supported: shld (shld eax, esi, 0x3 [0f a4 f0 03])
2018-03-11 07:19:23,154: barf.arch.x86.x86translator:INFO: Instruction not supported: shld (shld eax, esi, 0x3 [0f a4 f0 03])
2018-03-11 07:19:23,237: barf.arch.x86.x86translator:INFO: Instruction not supported: shld (shld eax, eax, 0x3 [0f a4 c0 03])
2018-03-11 07:19:23,346: barf.arch.x86.x86translator:INFO: Instruction not supported: shld (shld eax, esi, 0x3 [0f a4 f0 03])
2018-03-11 07:19:23,347: barf.arch.x86.x86translator:INFO: Instruction not supported: shld (shld eax, esi, 0x3 [0f a4 f0 03])
2018-03-11 07:19:23,371: barf.arch.x86.x86translator:INFO: Instruction not supported: shld (shld eax, esi, 0x3 [0f a4 f0 03])
2018-03-11 07:19:23,373: barf.arch.x86.x86translator:INFO: Instruction not supported: shld (shld eax, esi, 0x3 [0f a4 f0 03])
2018-03-11 07:19:23,473: barf.arch.x86.x86translator:INFO: Instruction not supported: shld (shld eax, esi, 0x3 [0f a4 f0 03])
2018-03-11 07:19:23,647: barf.arch.x86.x86translator:INFO: Instruction not supported: shld (shld eax, esi, 0x3 [0f a4 f0 03])
2018-03-11 07:19:24,940: barf.analysis.basicblock.basicblock:ERROR: Failed to save basic block graph: 000021ce9241b56a22923f51ec5895ab.x86_cfg (.dot)
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/barf/analysis/basicblock/basicblock.py", line 911, in save
edge = self._create_edge(nodes[bb_src.address], nodes[bb_dst_addr], branch_type)
KeyError: 4248935
It seems that it is creating an edge between nodes that don't exist?
I can't open a '.bin' file and I get an "Unknown file format" exception on the "BARF(filename)" instruction.
Is there a reason why the following assembly code would not be a valid store memory gadget? The classification stage picked it up but it does not verify as a valid store memory gadget. Is this a bug or am I missing something?
mov dword ptr [rax], esi ; ret
I found the following error in smttranslator.py.
File "/usr/local/lib/python2.7/dist-packages/barf-0.2-py2.7.egg/barf/core/smt/smttranslator.py", line 689, in _translate_sext
expr = (op1_var == smtlibv2.SEXTEND(op1_var, op3_var))
TypeError: SEXTEND() takes exactly 3 arguments (2 given)
I made a short list of unsupported instructions using the serial testcases, with examples:
These instructions (probably) should be supported to obtain correct results in our testcases.
Add support for the instructions below (based on this implementation) in order to ease the translation process.
LSHL: Logical left shift.
LSHR: Logical right shift.
ASHR: Arithmetic right shift.
SDIV: Signed division.
SMUL: Signed multiplication.
SEXT: Sign extension.
SYS: Transition between user and supervisor level code.
BISNZ: Comparison for non-zero value.
EQU: Comparison for equality.
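Reference semantics for the operations listed above on fixed-width two's-complement bit-vectors, as an added example (not BARF's or openREIL's code). It exists because the two places a translator usually gets these wrong are arithmetic vs. logical right shift and signed division, where Python's // floors while the usual hardware semantics truncate toward zero. The rounding of SDIV (truncation, as x86 IDIV does), the 1-bit results of BISNZ/EQU and the argument order are assumptions, not taken from the page; SYS has no arithmetic meaning and is left out.

```python
# Added example (not BARF's or openREIL's code): reference semantics for the
# extra REIL operations on fixed-width two's-complement bit-vectors.
# Assumptions: SDIV truncates toward zero (x86 IDIV behaviour); BISNZ/EQU
# return a 1-bit value; shifts by >= width yield all-zero / all-sign bits.

def mask(bits):
    return (1 << bits) - 1

def to_signed(value, bits):
    """Interpret an unsigned bit-vector as two's complement."""
    value &= mask(bits)
    return value - (1 << bits) if value >> (bits - 1) else value

def lshl(a, n, bits):
    """Logical left shift, result truncated to `bits`."""
    return (a << n) & mask(bits) if n < bits else 0

def lshr(a, n, bits):
    """Logical right shift (zero fill)."""
    return (a & mask(bits)) >> n if n < bits else 0

def ashr(a, n, bits):
    """Arithmetic right shift (sign fill). Python's >> on a negative int does this."""
    n = min(n, bits - 1)
    return (to_signed(a, bits) >> n) & mask(bits)

def sdiv(a, b, bits):
    """Signed division truncating toward zero (Python's // floors, so fix it up)."""
    sa, sb = to_signed(a, bits), to_signed(b, bits)
    if sb == 0:
        raise ZeroDivisionError("SDIV by zero")
    q = abs(sa) // abs(sb)
    if (sa < 0) != (sb < 0):
        q = -q
    return q & mask(bits)

def smul(a, b, bits):
    """Signed multiply; the low `bits` bits agree with the unsigned product."""
    return (to_signed(a, bits) * to_signed(b, bits)) & mask(bits)

def sext(a, src_bits, dst_bits):
    """Sign-extend a src_bits-wide value to dst_bits."""
    return to_signed(a, src_bits) & mask(dst_bits)

def bisnz(a, bits):
    """1 if the operand is non-zero, else 0."""
    return 1 if (a & mask(bits)) != 0 else 0

def equ(a, b, bits):
    """1 if both operands are equal as bit-vectors, else 0."""
    return 1 if (a & mask(bits)) == (b & mask(bits)) else 0

if __name__ == "__main__":
    print(hex(ashr(0x80000000, 4, 32)))   # sign fill -> 0xf8000000
    print(hex(lshr(0x80000000, 4, 32)))   # zero fill -> 0x8000000
    print(hex(sdiv(0xfffffff9, 2, 32)))   # -7 / 2 -> -3 -> 0xfffffffd
    print(hex(sext(0x80, 8, 32)))         # -128 -> 0xffffff80
```

The sdiv case is the one worth keeping as a regression test: -7 / 2 must give -3 (0xfffffffd), whereas a translator that reaches for floor division produces -4 (0xfffffffc) and every signed-division path in the analysed code is silently off by one.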
Hexagon is an architecture for a digital signal processor developed by Qualcomm. The goal is to provide support for the architecture.
Using recover_cfg.py to disassemble /bin/ls fails:
[+] Recovering program CFG...
Traceback (most recent call last):
File "./recover_cfg.py", line 28, in <module>
cfg = barf.recover_cfg()
File "/home/g/Codigo/barf-project/barf/barf/barf.py", line 294, in recover_cfg
bb_list = self.bb_builder.build(start_addr, end_addr)
File "/home/g/Codigo/barf-project/barf/barf/analysis/basicblock/basicblock.py", line 368, in build
bbs = self._find_candidate_bbs(start_address, end_address)
File "/home/g/Codigo/barf-project/barf/barf/analysis/basicblock/basicblock.py", line 426, in _find_candidate_bbs
bb = self._disassemble_bb(curr_addr, end_address + 0x1)
File "/home/g/Codigo/barf-project/barf/barf/analysis/basicblock/basicblock.py", line 553, in _disassemble_bb
ir = self._ir_trans.translate(asm)
File "/home/g/Codigo/barf-project/barf/barf/arch/x86/x86translator.py", line 304, in translate
check_operands_size(instr, self._arch_info.architecture_size)
File "/home/g/Codigo/barf-project/barf/barf/arch/x86/x86translator.py", line 193, in check_operands_size
"Invalid operands size: %s" % instr
AssertionError: Invalid operands size: stm [QWORD rdi, EMPTY, DWORD t2999]
where /bin/ls is an ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=64d095bc6589dd4bfbf1c6d62ae985385965461b, stripped
barf = BARF("/home/user/code")
Traceback (most recent call last):
File "", line 1, in
File "/usr/local/lib/python3.8/dist-packages/barf-0.6.0-py3.8.egg/barf/barf.py", line 90, in __init__
self.open(filename)
File "/usr/local/lib/python3.8/dist-packages/barf-0.6.0-py3.8.egg/barf/barf.py", line 211, in open
self.binary = BinaryFile(filename)
File "/usr/local/lib/python3.8/dist-packages/barf-0.6.0-py3.8.egg/barf/core/binary.py", line 160, in __init__
self._open(filename)
File "/usr/local/lib/python3.8/dist-packages/barf-0.6.0-py3.8.egg/barf/core/binary.py", line 229, in _open
self._open_elf(filename)
File "/usr/local/lib/python3.8/dist-packages/barf-0.6.0-py3.8.egg/barf/core/binary.py", line 279, in _open_elf
raise Exception("Error loading ELF file.")
Exception: Error loading ELF file.
'movabs' is a GAS specific notation adopted by capstone. It is the same Opcode as regular mov instructions, but is used to handle 64bit operands.
I've implemented rudimentary support like this:
def _translate_movabs(self, tb, instruction):
    # alias for mov with 64bit operands
    self._translate_mov(tb, instruction)
It works well in the scenarios I tested (mostly Objective-C on x64).
I have just finished installing the latest version of barf and was trying the example scripts. When I ran the recover_cfg.py script (all other x86 scripts worked) barf would error out with:
$> cat barf.log
2018-04-12 10:26:45,874: barf.barf:INFO: [+] BARF: Initializing...
2018-04-12 10:26:45,879: smtlibv2:DEBUG: >(set-option :global-decls false)
2018-04-12 10:26:45,880: smtlibv2:DEBUG: >(set-logic QF_AUFBV)
2018-04-12 10:26:45,880: smtlibv2:DEBUG: >(declare-fun MEM_0 () (Array (_ BitVec 64) (_ BitVec 8)))
2018-04-12 10:26:45,884: smtlibv2:DEBUG: >(set-option :global-decls false)
2018-04-12 10:26:45,884: smtlibv2:DEBUG: >(set-logic QF_AUFBV)
2018-04-12 10:26:45,884: smtlibv2:DEBUG: >(declare-fun MEM_0 () (Array (_ BitVec 64) (_ BitVec 8)))
2018-04-12 10:26:45,923: barf.analysis.basicblock.basicblock:ERROR: Failed to save basic block graph: ~/barf-project/examples/bin/x86/branch4_cfg (dot)
Traceback (most recent call last):
File "~/barf/local/lib/python2.7/site-packages/barf-0.2.1-py2.7.egg/barf/analysis/basicblock/basicblock.py", line 415, in save
dot_graph.write("{}.{}".format(filename, format), format=format)
File "build/bdist.linux-x86_64/egg/pydot.py", line 1756, in write
s = self.create(prog, format, encoding=encoding)
File "build/bdist.linux-x86_64/egg/pydot.py", line 1836, in create
self.write(tmp_name, encoding=encoding)
File "build/bdist.linux-x86_64/egg/pydot.py", line 1750, in write
s = self.to_string()
File "build/bdist.linux-x86_64/egg/pydot.py", line 1492, in to_string
graph.append( node.to_string()+'\n' )
File "build/bdist.linux-x86_64/egg/pydot.py", line 623, in to_string
node += ' [' + node_attr + ']'
TypeError: unsupported operand type(s) for +=: 'long' and 'str'
I am trying to run this on Ubuntu 16.04:
Linux devlinux 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
When I run the example, there are some problems like this:
There is no taint cleaning after a ReilEmulator reset, here.
BinNavi is a graphical binary navigator useful for reverse engineering software. Currently, it relies on commercial software, IDA Pro, to do the disassembly work. The goal is to use BARF as a replacement for the tasks done by IDA Pro.
When I use "barf = BARF(filename)", get an error:
File "C:\python27-x64\Scripts\z3-script.py", line 11, in
load_entry_point('z3==0.2.0', 'console_scripts', 'z3')()
File "c:\python27-x64\lib\site-packages\pkg_resources\__init__.py", line 565, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "c:\python27-x64\lib\site-packages\pkg_resources\__init__.py", line 2631, in load_entry_point
return ep.load()
File "c:\python27-x64\lib\site-packages\pkg_resources\__init__.py", line 2291, in load
return self.resolve()
File "c:\python27-x64\lib\site-packages\pkg_resources\__init__.py", line 2297, in resolve
module = __import__(self.module_name, fromlist=['__name__'], level=0)
File "c:\python27-x64\lib\site-packages\z3\snap.py", line 14, in
from z3.config import get_config
ImportError: No module named config
My Environment: Windows10, Z3 version: 0.2.0, barf version: 0.5.0
Thanks!
This module needs to be reimplemented to support ARM CFG reconstruction. Also, it needs to be fixed in order to deal with the x86 rep prefix properly.
Adding a tracking bug, as this is in the TODO.
I am doing my project on the basis of BARF, and I encountered this problem:
AttributeError: 'CodeAnalyzer' object has no attribute 'get_memory_curr'.
I reviewed the code and discovered that the class 'CodeAnalyzer' has the method 'get_memory' instead of 'get_memory_curr'; it can be found in barf/analysis/codeanalyzer/codeanalyzer.py.
The method '_get_constrs_no_operation' in class 'GadgetVerifier', located at line 122 of barf/analysis/codeanalyzer/verifier.py, calls this method. The commented code at line 121 seems to be correct.
It would be very useful to employ BARF's REIL analysis tools for architectures not supported in BARF without modifying its core, but rather through a defined API that allows adding support for an architecture (information, disassembler, REIL translator) in a dynamic fashion. In this way, BARF would be used as a library inside another project.
An example of this use case is the Hexag00n project (that works with the Hexagon architecture, currently not supported in BARF), where BARF's REIL analysis tools would be very useful. Hexag00n already has its own disassembler (for the Hexagon architecture) and REIL translator; porting these to the BARF core is not a trivial task, nor is it desirable: BARF and Hexag00n should be able to work together while avoiding as much coupling as possible.
In this scenario Hexag00n will use BARF as a library, facilitating the Hexagon architecture support to BARF in a dynamic fashion, without modifying BARF's source code, e.g., forcing BARF to import the Hexag00n disassembler (and thus generating a circular dependency). An API has to be defined in BARF to be able to import that architecture support; for this purpose the load_architecture method has been added to the BARF core. This method is employed in a Hexag00n example script which will be used as a first step to precisely define what has to be provided to BARF to generate REIL code (from a Hexagon binary) through the BARF framework.
For now, what has been characterized as architecture support are 3 base classes:
ArchitectureInformation: contains the basic definitions of an architecture like its size, registers, etc.
Disassembler: encapsulates the architecture disassembler.
Translator: encapsulates the architecture to REIL translator.
For each architecture supported, new classes have to be derived from these ones, containing all the necessary information for BARF to generate equivalent REIL code and proceed to its analysis. Up to now these derived classes are part of the BARF core (like the x86 and ARM architectures). With this new functionality, the objective is, through a defined API, to be able to provide architecture support on the fly while using BARF as a library (imported in the working project).
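One way the dependency direction described above can be kept (the core never imports the host project; the host hands the core three objects), as an added example that is not BARF's or Hexag00n's code. The three base classes mirror the roles named in the issue, but the `load_architecture` function below, its signature, the interface checks, the toy two-instruction architecture and the REIL-like output tuples are all constructed for this example; the page only says that a method of that name was added to the BARF core.

```python
# Added example (not BARF's code): an analysis core that receives an
# architecture definition at run time through three interfaces, so the host
# project can plug in its own disassembler/translator without the core
# importing the host. load_architecture, the toy ISA and the REIL-like
# output tuples are constructed for the example and are not BARF's API.
import abc

class ArchitectureInformation(abc.ABC):
    @property
    @abc.abstractmethod
    def architecture_size(self):
        """Bit width of the architecture."""

    @property
    @abc.abstractmethod
    def registers(self):
        """Names of the general-purpose registers."""

class Disassembler(abc.ABC):
    @abc.abstractmethod
    def disassemble(self, data, address):
        """Return (mnemonic, operands, size) for the instruction at `address`."""

class Translator(abc.ABC):
    @abc.abstractmethod
    def translate(self, instruction):
        """Return a list of REIL-like tuples for one disassembled instruction."""

class Core:
    """The analysis core: it only knows the three interfaces above."""
    def __init__(self):
        self.arch = self.disasm = self.ir = None

    def load_architecture(self, arch_info, disassembler, translator):
        # Fail early if the host hands in something that does not implement
        # the contract, instead of dying deep inside an analysis later.
        for obj, iface in ((arch_info, ArchitectureInformation),
                           (disassembler, Disassembler),
                           (translator, Translator)):
            if not isinstance(obj, iface):
                raise TypeError("%r does not implement %s" % (obj, iface.__name__))
        self.arch, self.disasm, self.ir = arch_info, disassembler, translator

    def translate_bytes(self, data, base):
        """Disassemble and translate a byte string loaded at `base`."""
        if self.arch is None:
            raise RuntimeError("no architecture loaded")
        out, off = [], 0
        while off < len(data):
            mnem, ops, size = self.disasm.disassemble(data[off:], base + off)
            out.append((base + off, mnem, self.ir.translate((mnem, ops))))
            off += size
        return out

# --- A toy architecture defined OUTSIDE the core, as a host project would ---
class ToyInfo(ArchitectureInformation):
    architecture_size = 32
    registers = ("r0", "r1", "r2", "r3")

class ToyDisassembler(Disassembler):
    """Constructed 2-byte encoding: opcode, then (dst << 4 | src) register nibbles."""
    def disassemble(self, data, address):
        op, regs = data[0], data[1]
        if op == 0x01:
            return "add", ("r%d" % (regs >> 4), "r%d" % (regs & 0xf)), 2
        if op == 0x02:
            return "ret", (), 2
        raise ValueError("unknown opcode 0x%02x at 0x%x" % (op, address))

class ToyTranslator(Translator):
    def translate(self, instruction):
        mnem, ops = instruction
        if mnem == "add":
            dst, src = ops
            return [("add", dst, src, dst)]
        if mnem == "ret":
            return [("jcc", 1, None, "[sp]")]   # constructed rendering of a return
        raise NotImplementedError(mnem)

def demo():
    core = Core()
    core.load_architecture(ToyInfo(), ToyDisassembler(), ToyTranslator())
    code = bytes([0x01, 0x12, 0x01, 0x30, 0x02, 0x00])   # add r1,r2; add r3,r0; ret
    return core.translate_bytes(code, 0x1000)

def rejects_plain_object():
    """Handing the core something that is not a Disassembler is an error."""
    try:
        Core().load_architecture(ToyInfo(), object(), ToyTranslator())
    except TypeError:
        return True
    return False

if __name__ == "__main__":
    for addr, mnem, reil in demo():
        print("0x%04x %-4s %s" % (addr, mnem, reil))
```

The interface check in load_architecture is the part worth copying: with duck typing alone a host that forgets one method only fails once an analysis happens to call it, while an explicit contract fails at load time with a message naming the missing role.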
Adding a tracking bug, as this is in the TODOs
Due to current limitations in the PyAsmJIT package it is not possible to properly test x86 instructions with memory access operands.
When I try recovering cfg from /bin/ls in ubuntu 16.04 I get this error:
Traceback (most recent call last):
File "", line 1, in
File "/usr/local/lib/python2.7/dist-packages/barf-0.3-py2.7.egg/barf/barf.py", line 299, in recover_cfg
cfg, _ = self._recover_cfg(start=ea_start, end=ea_end, symbols=symbols, callback=callback)
File "/usr/local/lib/python2.7/dist-packages/barf-0.3-py2.7.egg/barf/barf.py", line 349, in recover_cfg
name = "sub{:x}".format(start)
ValueError: Unknown format code 'x' for object of type 'str'
Here is my code:
from barf import BARF
b = BARF("/bin/ls")
cfg = b.recover_cfg()
Hi,
I am unable to load PE files. The reason is that pe.sections[section_idx].get_data() always returns null. But after going through the pefile library, I fixed the problem by giving the virtual address as the parameter for get_data().
This is the fix:
self._section_text = pe.sections[section_idx].get_data(pe.sections[section_idx].VirtualAddress)
This hack works fine for me now. I don't know whether this is correct?
Thanks.
Regards,
Maggie
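Why passing the section's own VirtualAddress works, as an added example that is neither pefile's nor BARF's code: pefile's get_data(start, length) expects start to be an RVA (the address the bytes have once the image is loaded), which it maps into the section's raw file bytes through the section header, and the RVA at which a section starts is precisely its VirtualAddress. The section table, image bytes and field names below are constructed for the example (the names follow the PE section-header fields), and the mapping also shows the zero-filled tail that appears when VirtualSize is larger than SizeOfRawData.

```python
# Added example (not pefile's or BARF's code): RVA -> raw-offset mapping of a
# PE section, the operation behind get_data(VirtualAddress). The section
# table and image bytes are constructed for the example.
from collections import namedtuple

Section = namedtuple(
    "Section", "name VirtualAddress VirtualSize PointerToRawData SizeOfRawData")

def section_span(section):
    """Extent of the section once mapped: the larger of virtual and raw size."""
    return max(section.VirtualSize, section.SizeOfRawData)

def section_for_rva(sections, rva):
    """Section whose mapped range contains rva, or None."""
    for s in sections:
        if s.VirtualAddress <= rva < s.VirtualAddress + section_span(s):
            return s
    return None

def get_data(image, section, rva=None, length=None):
    """Read `length` bytes of `section` starting at RVA `rva`.

    Defaults to the start of the section. Bytes past SizeOfRawData but inside
    VirtualSize are zero-filled, as the loader does for uninitialised tails.
    """
    if rva is None:
        rva = section.VirtualAddress
    delta = rva - section.VirtualAddress
    if delta < 0 or delta >= section_span(section):
        raise ValueError("rva 0x%x outside section %s" % (rva, section.name))
    if length is None:
        length = section_span(section) - delta
    raw_off = section.PointerToRawData + delta
    raw_available = max(0, section.SizeOfRawData - delta)
    chunk = image[raw_off:raw_off + min(length, raw_available)]
    return chunk + b"\x00" * (length - len(chunk))

def rva_to_file_offset(sections, rva):
    """File offset backing an RVA, or None if no file bytes back it."""
    s = section_for_rva(sections, rva)
    if s is None or rva - s.VirtualAddress >= s.SizeOfRawData:
        return None
    return s.PointerToRawData + (rva - s.VirtualAddress)

# Constructed image: 0x200 bytes of headers, then .text raw bytes at 0x200.
TEXT_BYTES = bytes([0x55, 0x8b, 0xec, 0xc3]) + b"\x90" * 12      # 16 raw bytes
IMAGE = b"\x00" * 0x200 + TEXT_BYTES + b"\x00" * 0x200
SECTIONS = [
    Section(".text", VirtualAddress=0x1000, VirtualSize=0x20,    # 32 virtual,
            PointerToRawData=0x200, SizeOfRawData=0x10),           # 16 on disk
    Section(".data", VirtualAddress=0x2000, VirtualSize=0x100,
            PointerToRawData=0x210, SizeOfRawData=0x100),
]

def text_prologue():
    """The fix from the issue: read .text by passing its own VirtualAddress."""
    text = SECTIONS[0]
    return get_data(IMAGE, text, text.VirtualAddress, 4)

if __name__ == "__main__":
    print(text_prologue().hex())                          # 558bec c3
    print(len(get_data(IMAGE, SECTIONS[0])))              # 32, tail zero-filled
    print(rva_to_file_offset(SECTIONS, 0x1002))           # 0x202
    print(rva_to_file_offset(SECTIONS, 0x1018))           # None: beyond raw data
```

When wiring a section reader into an analysis, check the returned length against VirtualSize rather than SizeOfRawData: a disassembler pointed at the zero-filled tail will happily decode it as instructions, and a section with SizeOfRawData of zero (common for packed or hand-crafted files) yields only padding.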
A comparison between rop-tool, ROPgadget and BARFgadget when used to find gadgets in libc.so.6.
rop-tool (written in C):
1229 gadgets found.
rop-tool gadget libc.so.6 17.29s user 0.01s system 100% cpu 17.289 total
ROPgadget:
Unique gadgets found: 21240
ROPgadget --binary libc.so.6 72.30s user 10.25s system 99% cpu 1:22.82 total
BARFgadget:
Find Stage : 358.472s
Classification Stage : 854.280s
Verification Stage : 377.223s
Total : 1589.976s
Suggestion:
As far as I know, BARF currently doesn't support thumb mode; however, it's set to thumb mode by default.
For ARM mode binaries, the recover_cfg function won't work as it assumes it's thumb. In armdisassembler.py, the disassembler function is called without its last argument, so it assumes it's a thumb binary and thereafter everything will be messed up.
pySMT is a library for SMT formulae manipulation and solving, available here:
https://github.com/pysmt/pysmt
It can be used to improve how SMT formulas are generated and solved to allow many solvers to be used.
Error occurred while processing "push large dword ptr fs:0" and "mov large fs:0, ecx" in the develop and improve branches
Traceback (most recent call last):
File "/usr/lib/python2.7/logging/__init__.py", line 851, in emit
msg = self.format(record)
File "/usr/lib/python2.7/logging/__init__.py", line 724, in format
return fmt.format(record)
File "/usr/lib/python2.7/logging/__init__.py", line 464, in format
record.message = record.getMessage()
File "/usr/lib/python2.7/logging/__init__.py", line 328, in getMessage
msg = msg % self.args
File "/home/user/barf-project-develop/barf/barf/core/reil/reil.py", line 282, in __str__
operands_str = ", ".join(map(print_oprnd, self._operands))
File "/home/user/barf-project-develop/barf/barf/core/reil/reil.py", line 259, in print_oprnd
size_str = str(oprnd.size) if oprnd.size else ""
AttributeError: 'NoneType' object has no attribute 'size'
Logged from file x86translator.py, line 287
Traceback (most recent call last):
File "test.py", line 27, in
for addr, asm_instr, reil_instrs in barf.translate(ea_start, ea_end):
File "/home/user/barf-project-develop/barf/barf/barf.py", line 179, in translate
yield addr, asm, self.ir_translator.translate(asm)
File "/home/user/barf-project-develop/barf/barf/arch/x86/x86translator.py", line 282, in translate
check_operands_size(instr, self._arch_info.architecture_size)
File "/home/user/barf-project-develop/barf/barf/arch/x86/x86translator.py", line 162, in check_operands_size
assert instr.operands[0].size == arch_size,
AttributeError: 'NoneType' object has no attribute 'size'
Using recover_cfg.py to disassemble /bin/true fails:
[+] Recovering program CFG...
[-] Index out of range : 0x40133f
Traceback (most recent call last):
File "./recover_cfg.py", line 28, in <module>
cfg = barf.recover_cfg()
File "/home/g/Codigo/barf-project/barf/barf/barf.py", line 294, in recover_cfg
bb_list = self.bb_builder.build(start_addr, end_addr)
File "/home/g/Codigo/barf-project/barf/barf/analysis/basicblock/basicblock.py", line 368, in build
bbs = self._find_candidate_bbs(start_address, end_address)
File "/home/g/Codigo/barf-project/barf/barf/analysis/basicblock/basicblock.py", line 426, in _find_candidate_bbs
bb = self._disassemble_bb(curr_addr, end_address + 0x1)
File "/home/g/Codigo/barf-project/barf/barf/analysis/basicblock/basicblock.py", line 548, in _disassemble_bb
asm = self._disasm.disassemble(self._mem[start:end], addr)
File "/home/g/Codigo/barf-project/barf/barf/core/bi.py", line 67, in __getitem__
raise IndexError(reason)
IndexError: string index out of range
where /bin/true is an ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=9d915e13fb31a59c4d02b39bd596af20873aca0b, stripped
MIPS is a very well known architecture used in multiple devices. The goal is to provide support for the architecture.
I've installed BARF but I'm not sure if it's installed correctly. I run the following code for a binary shared object file (.so), but it encounters an error while it's translating.
from barf import BARF

# Open binary file.
barf = BARF('bin/tests/test1.so')

# Print assembly instruction.
for addr, asm_instr, reil_instrs in barf.translate():
    print("0x{addr:08x} {instr}".format(addr=addr, instr=asm_instr))

    # Print REIL translation.
    for reil_instr in reil_instrs:
        print("{indent:11s} {instr}".format(indent="", instr=reil_instr))
Output:
Couldn't import dot_parser, loading of dot files will not be possible.
0x00000e98 moval r4, r0
str [DWORD r0, EMPTY, DWORD r4]
and [DWORD r0, DWORD 0xffffffff, DWORD t1]
bisz [DWORD t1, EMPTY, BIT zf]
bsh [DWORD r0, DWORD 0xffffffe1, DWORD t2]
and [DWORD t2, DWORD 0x1, BIT t3]
str [BIT t3, EMPTY, BIT nf]
0x00000e9a bal #0x9dc
jcc [BIT 0x1, EMPTY, POINTER 0x9dc00]
0x00000e9c moval r0, r0
str [DWORD r0, EMPTY, DWORD r0]
and [DWORD r0, DWORD 0xffffffff, DWORD t4]
bisz [DWORD t4, EMPTY, BIT zf]
bsh [DWORD r0, DWORD 0xffffffe1, DWORD t5]
and [DWORD t5, DWORD 0x1, BIT t6]
str [BIT t6, EMPTY, BIT nf]
0x00000e9e bal #0xfc0
jcc [BIT 0x1, EMPTY, POINTER 0xfc000]
Traceback (most recent call last):
File "/home/.../main.py", line 15, in <module>
for addr, asm_instr, reil_instrs in barf.translate():
File "/usr/local/lib/python2.7/dist-packages/barf-0.2-py2.7.egg/barf/barf.py", line 195, in translate
for addr, asm, _ in self.disassemble(start_addr, end_addr):
File "/usr/local/lib/python2.7/dist-packages/barf-0.2-py2.7.egg/barf/barf.py", line 217, in disassemble
asm = self.disassembler.disassemble(self.text_section[start:end], curr_addr)
File "/usr/local/lib/python2.7/dist-packages/barf-0.2-py2.7.egg/barf/arch/arm/armdisassembler.py", line 203, in disassemble
instr = self._cs_translate_insn(disasm)
File "/usr/local/lib/python2.7/dist-packages/barf-0.2-py2.7.egg/barf/arch/arm/armdisassembler.py", line 348, in _cs_translate_insn
operands = [self.__cs_translate_operand(op, cs_insn) for op in cs_insn.operands]
File "/usr/lib/python2.7/dist-packages/capstone/__init__.py", line 541, in __getattr__
raise CsError(CS_ERR_DETAIL)
capstone.CsError: Details are unavailable (CS_ERR_DETAIL)
Process finished with exit code 1
However, BARF runs smoothly with no problems on the toys supplied in the repo.
More Info:
pip list | grep capstone
-> capstone (3.0.4)
python-capstone 3.0.4 is installed
libcapstone3 and libcapstone-dev are installed
PyBFD is ok.
File "deflat.py", line 89, in main
cfg = barf.recover_cfg(start=start)
File "D:\Users\Root\AppData\Local\Programs\Python\Python37\lib\site-packages\barf-0.6.0-py3.7.egg\barf\barf.py", line 308, in recover_cfg
cfg, _ = self._recover_cfg(start=start, end=end, symbols=symbols, callback=callback)
File "D:\Users\Root\AppData\Local\Programs\Python\Python37\lib\site-packages\barf-0.6.0-py3.7.egg\barf\barf.py", line 375, in _recover_cfg
bbs, calls = self.bb_builder.build(start_addr, end_addr, symbols)
File "D:\Users\Root\AppData\Local\Programs\Python\Python37\lib\site-packages\barf-0.6.0-py3.7.egg\barf\analysis\graphs\controlflowgraph.py", line 450, in build
return self.strategy.build(start, end, symbols)
File "D:\Users\Root\AppData\Local\Programs\Python\Python37\lib\site-packages\barf-0.6.0-py3.7.egg\barf\analysis\graphs\controlflowgraph.py", line 221, in build
bbs = self._recover_bbs(start, end, symbols)
File "D:\Users\Root\AppData\Local\Programs\Python\Python37\lib\site-packages\barf-0.6.0-py3.7.egg\barf\analysis\graphs\controlflowgraph.py", line 364, in _recover_bbs
bb = self._disassemble_bb(addr, end + 0x1, symbols)
File "D:\Users\Root\AppData\Local\Programs\Python\Python37\lib\site-packages\barf-0.6.0-py3.7.egg\barf\analysis\graphs\controlflowgraph.py", line 294, in _disassemble_bb
asm = self._disasm.disassemble(data_chunk, addr)
File "D:\Users\Root\AppData\Local\Programs\Python\Python37\lib\site-packages\barf-0.6.0-py3.7.egg\barf\arch\arm\disassembler.py", line 211, in disassemble
instr = self._cs_translate_insn(disasm)
File "D:\Users\Root\AppData\Local\Programs\Python\Python37\lib\site-packages\barf-0.6.0-py3.7.egg\barf\arch\arm\disassembler.py", line 357, in _cs_translate_insn
operands = [self.__cs_translate_operand(op, cs_insn) for op in cs_insn.operands]
File "D:\Users\Root\AppData\Local\Programs\Python\Python37\lib\site-packages\barf-0.6.0-py3.7.egg\barf\arch\arm\disassembler.py", line 357, in <listcomp>
operands = [self.__cs_translate_operand(op, cs_insn) for op in cs_insn.operands]
File "D:\Users\Root\AppData\Local\Programs\Python\Python37\lib\site-packages\barf-0.6.0-py3.7.egg\barf\arch\arm\disassembler.py", line 352, in __cs_translate_operand
raise CapstoneOperandNotSupported(error_msg)
barf.arch.arm.disassembler.CapstoneOperandNotSupported: Instruction: ldcvc p5, c15, [ip, #-0x2b4]. Unknown operand type: 65
Hi,
I am getting an error when a stack canary is translated to an SMT expression. This is the error:
File "XXX/barf-project/barf/barf/analysis/codeanalyzer/codeanalyzer.py", line 313, in check_path_satisfiability
smt_mem_addr = smtlibv2.BitVec(32, "#x%08x" % instr.operands[0].name)
AttributeError: 'ReilImmediateOperand' object has no attribute 'name'
I think the error is caused by this instruction and the corresponding REIL translation:
mov eax, dword ptr gs:[0x14]
ldm [DWORD 0x14, EMPTY, DWORD t22]
Thank you.
Regards,
Maggie
Hi,
Is it possible to move pyasmjit to a separate project/repo outside of the barf-project repo? I am interested in experimenting with pyasmjit as a stand-alone library (i.e. without the entire barf dependency) and extending its functionality. Having pyasmjit exist as a separate entity would greatly simplify this.
Many thanks.
Regards,
Adrian
An inadvertent old-style class is preventing the use of super on X86Parser subclasses:
< class X86Parser():
---
> class X86Parser(object):
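Review bot: the one-line change is correct for the interpreter BARF targets here, but it deserves a short comment or commit-message note on the root cause so the next reader does not revert it as cosmetic: on Python 2, `class X86Parser():` with empty parentheses still defines an old-style class (the same as `class X86Parser:`), and `super()` in a subclass then raises `TypeError: must be type, not classobj`; inheriting from `object` makes it a new-style class. Since the same spelling can recur elsewhere, it is worth checking the other parser and translator classes in the package for `class Foo():` / `class Foo:` definitions that subclasses call `super()` on. On Python 3 both spellings are new-style, so the change is behaviour-neutral there.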
Thanks!
Currently, there is no support for jump table processing when generating the CFG of a function. The goal is to provide a way to process them for the currently supported architectures.
Currently, BARF relies on PyBFD to open and read the various binary formats that exist. However, there are some issues with the library. The main problem is the lack of Windows support. The idea is to build a replacement for PyBFD using existing libraries that handle specific binary formats, for instance, pyelftools and pefile.
When I analyze a binary generated by Android-NDK, I face some questions about CFG_recover
The CFG in IDA looks like this:
I use BARF to generate the CFG,
import sys
from barf import BARF

filename = sys.argv[1]
start = int(sys.argv[2], 16)
barf = BARF(filename)
base_addr = barf.binary.entry_point >> 12 << 12
cfg = barf.recover_cfg(start)
blocks = cfg.basic_blocks
There is a command 'RSB r0, r0, 0x0' at the beginning of the second block. Every time I meet a command starting with rsb, errors like the following appear:
Traceback (most recent call last):
..............
File "/Users/mark/Envs/angr/lib/python2.7/site-packages/barf-0.5.0-py2.7.egg/barf/arch/arm/translators/data.py", line 141, in _translate_rsb
self._translate_sub(tb, instruction)
AttributeError: 'ArmTranslator' object has no attribute '_translate_sub'
But there is a def '_translate_sub' in data.py. Can anyone help me? Or this is a bug?