quarkslab / binmap Goto Github PK

Nice tool :)

It'd be even nicer to be able to restrict dependency lookup to a specific root. It'd be particularly useful for scanning extracted filesystems.

For example:
./binscan scan -R extracted_fs/
would consider a reference to /lib/ld.so as extracted_fs/lib/ld.so

Hello,

I don't understand why binmap have multiple keys for one library.
my guess is: you check ELF 'needed libraries' and add it to the graph.
Which means: when they have different name there is different keys, even if the hash is the same.
Which is logic considering there is often symlinks for libraries, and you follow symlinks.

But there is also a key created for each dependency of any elf file (resolved or not), and the metadata of this key have a hash string which I don't know where it comes from, and it has an empty name, and empty version, and when calling view.predecessors on this type of key: there is different results on the same library with different names on the system.
My guess is you use this key to make your graph easily using pure dependency name.

This means : For the same library there is different result when calling view.predecessors

With that said, I don't understand why you have both absolute path to libraries, and pure dependency name of the library in the graph, and with different predecessors.

Case of use:
I want the predecessors of libz.so.1

• I must find myself all the others libz.so on the system, but I can't with the hash because this one could be wrong
• I must call view.predecessors for each libz.so.1 I have found.

Another solution would be to do the merge myself in order to clean up the graph:
Example:
If I have this keys ['libz.so.1', '/usr/main/local/lib/libz.so.1', '/usr/main/local/lib/libz.so.1.2.8', '/usr/main/local/lib/libz.so']
I must merge all of it into one key. (libz.so.1) and do the same for all other keys, in order to recreate a "clean" graph.

It really sounds weird to me to have this kind of behavior considering goal of binmap
Am I doing anything wrong? If no have you planned to change this behavior or are you open to such additions/modifications to binmap?

Hello again. I noticed that binmap can't scan some files and exits without any error.

Example file: http://rgho.st/8HLM52dqN

C:\test>binmap scan drweb32.dll -v2 -o test.dat
blacklisting: "/dev"
blacklisting: "/proc"
blacklisting: "/sys"
blacklisting: "/tmp"
ApiSetMap::parse_apisetmap_v2: not implemented

C:\test>type test.dat
22 serialization::archive 10 0 0 0 0 1 0 0 0 1462888107 3 1 0 0 0 0 0 0 0 0 0 0 0 17 0 0 0 0 0 0 17 0

Directory scanning will be stopped when such file occures.

Hello. I'd like to try your interesting tool but i have problems with compilation.

I've installed cmake, boost 1.55.0 (link=shared threading=single) to "C:\Libs\boost_1_55_0", zlib to "C:\Libs\zlib-1.2.8", visual studio 2013.
Then executed cmake -DBoost_DEBUG=ON -G "Visual Studio 12" -DBOOST_ROOT=C:\libs\boost_1_55_0 -DBOOST_LIBRARYDIR=C:\libs\boost_1_55_0\lib32-msvc-12.0 -DZLIB_LIBRARY=C:\libs\zlib-1.2.8 -DZLIB_INCLUDE_DIR=C:\libs\zlib-1.2.8

When i'm trying to compile 'binmap' project in visual studio i'm getting 2 errors like this:
C:\Libs\boost_1_55_0\boost/serialization/access.hpp(118): error C2039: 'serialize' : is not a member of 'boost::unordered::unordered_map<std::string,MetadataInfo,boost::hash<std::string>,std::equal_to<T>,std::allocator<std::pair<const K,MetadataInfo>>>'

Full log:
binmap.txt

I've also tried to compile with precompiled boost 1.56.0/1.59.0/1.60 and visual studio 2010/2015 - nothing helped.
Hope you can help me. Thank you!

This bug report is pretty similar to the one I wrote last week

The code below segfaults (I believe you can use any *.dat file to reproduce this bug)

blob = blobmap.BlobMap("./test/local.dat")
view = next(blob.values())
view.predecessors("does_not_exists")

I think it should return a python error instead

It's maybe dumb question, but where i can get blobmap module for python?
i believe "blobmap.dll" is the module but i don't know how to install it to python.

The code below segfaults (I believe you can use any *.dat file to reproduce this bug)

import blobmap
f = blobmap.BlobMap("./test/local.dat")
f[0]

I think it should return a python error instead