ideas's Issues
Add analysis options
Sometimes if we want a faster analysis we can disable some features
- change blocksize (tune for performance?)
- do not follow references, only calls
- Code analysis loop should be pauseable
- Allow background analysis on single thread
- Split the analysis over multiple threads by groups of addresses
Add 'newc' file format
The 'newc' file format is used for initial boot filesystem images. It could be nice to have support for identifying these. Maybe it isn't very high demand though? The specs are pretty well labeled:
https://www.kernel.org/doc/Documentation/early-userspace/buffer-format.txt
I may add it if no one else does once I add more features to the compressed Linux kernel (zimg) format.
Add support to assemble GameBoy roms
Add support for Fujitsu FR, FR-V
http://en.wikipedia.org/wiki/FR-V_%28microprocessor%29 used in DSLR and other stuff
ESIL structured output + JSON representation
Basically printing a structured JSON exposing all the info of n instruction in tree form,
this way we can expose 'capstone-like' struct but for the ESIL representation. This will allow to expose the internals of the IL to the 3rd party scripts without a complex api.
Bind a breakpoint to a specific thread (or threads)
Add a command, and proper checks in the breakpoint hit callback to skip in case the break occurs in a thread not listed.
Graphdiff two functions from the same executable
META - UTF-8 and BiDi support for the various languages
- Support in the comments (including the ascii graph mode radareorg/radare2#1098, radareorg/radare2#1675, radareorg/radare2#1566)
- Store the flags space and flag names in the SDB radareorg/radare2#2389
- Fix glitches in visual mode radareorg/radare2#2359
- Printing Unicode strings (including another formats (UTF-16, UTF-32, etc) radareorg/radare2#926
- Support in the panels https://asciinema.org/a/17305
- V! panels and Unicode (UTF-8)
- Unicode compatibility on Windows radareorg/radare2#7235
-
p=
commands and Unicode (UTF-8) radareorg/radare2#14351 -
p-
commands and Unicode (UTF-8) radareorg/radare2#14352 - Support in the strings operation (including the search operations)
- String references with emojis shown in disasm
- Support for the various code pages esp. code page 437, windows-1252, iso 8859-5?
- Support for right-to-left scripts e.g. Arabic, Hebrew, Persian ... with/without console support
- Support for character shaping e.g. for Arabic, Persian ... with/without console support
- Support for combining characters e.g. diacritics esp. in graph mode
- Graceful fallback for error cases esp. in graph mode
Add LLVM's BitCode parser and disassembler
file header is: dec0170b
See also llvm-dis and clang -emit-llvm -c foo.c -o foo.bc
bitcode can be executed with the lli
tool:
% mount -t binfmt_misc none /proc/sys/fs/binfmt_misc
% echo ':llvm:M::BC::/path/to/lli:' > /proc/sys/fs/binfmt_misc/register
% chmod u+x hello.bc (if needed)
% ./hello.bc
Draw entropy chart and minimap in console using braille fonts
Like here: https://github.com/asciimoo/drawille
Implement support for named/future breakpoints
We want to have breakpoints that may be defined when the lib or file is loaded. This is, for example a dependency library or a dlopen() where symbols are only available when the file is loaded.
This requires a different implementation for OSX/W32/NIX, and also, needs oa
to be working, which actually it is not.
Caching IO for slow connections (like debuggers)
It would be a good feature to cache the IO for slow connections via network or serial port, like debuggers for example.
[TRACKER] radare2 is not cool as mona.py
mona.py is a handy python script from corelan, designed to assist in exploits development. I don't know how much do we want r2 to be designed for this purpose, but I think that we should borrow some of their features:
- Building a complete ROP chain
- Badchar detection
- Jump to reg: search for pointers that will lead to execute the code located at the address pointed by a given register.
- Searching for specialized gadgets such as for SEH overwrite, stackpivots.
- Showing all loaded modules with all their security features.
- Find pattern in memory (marking if it's in SEH, sEIP or registers)
- Heap visualization.
- Display memory map (
dm
). This could be improved (ASLR/...) - Assemble/disassemble.
- Search instructions/strings/...
- Cyclic patterns
- Search with wild-cards (like
!mona findwild -s "push r32#*#pop eax#inc eax#*#retn"
) - Analyse the heap, especially guessing pointers.
Grouping nodes
Merging two or more nodes from the ascii art graph would be very useful, the idea behind this feature consists in the following:
- Add a key to toggle node compactness.
- We want to have more than one group
- Maybe we can just tag each block with a keyword and assign a random color to every tag to print the block box.
- Then add a key to group/ungroup all blocks with the same tag as the currently selected one.
- We can automatically add those tags to entry/exit/math/loop/...
- Graph should be relayouted after the grouping operation happens.
- Grouped nodes can have more than one
in
andout
edges
Remove duplication of CFLAGS in the resulting compiler command
Open any radare2 build log to see something like:
x86_64-pc-linux-gnu-gcc -c -O0 -ggdb -O0 -ggdb -O0 -ggdb -MD -O0 -ggdb -MD -fPIC -g -Wall -D__UNIX__=1 -O0 -ggdb -O0 -ggdb -MD -fPIC -g -Wall -D__UNIX__=1 -O0
-ggdb -O0 -ggdb -MD -fPIC -g -Wall -D__UNIX__=1 -DCORELIB -I/var/tmp/portage/dev-util/radare2-9999/work/radare2-9999/libr/include
-DGIT_TAP=\"0.9.8-1335-g7e79b19\" -o help.o help.c
Binfixing to make non-r2 users happy with r2
This is.. some fuzzed bins turn to be problematic for other tools. So let's enhace binpatching support in r2 to fixup headers, sections, symbol names, methods and other susceptible thing to be messed up to allow non-r2 users to use their favourite buggy software.
ROP search is not very good.
Things that rop needs
- auto ropper (not soon)
- primitive detecting (pivot, leak, write-what-where, etc.)
- start at "end" gadgets and disassemble backwards (for speed) (pr radareorg/radare2#1835 )
- regexp search (pr radareorg/radare2#1679 )
- not search nx pages (only search in executable pages)
- remove the comma as a delimiter (perhaps use / as delimiter?) (pr radareorg/radare2#1722 semicolon delimeter)
- cache the results in sdb
Add filesystem notification system
New commands
dcumn
(debug continue until mount notification)mn
(mount notifications, to start inotify against current pid, or any)mn pid
(specify pid)mn /etc
(specify path)mn /etc 30482
(specify path and pid)
Resources
TMS320 C6x support
OMAP4 community would love to use r2 on ducati bios images http://omappedia.org/wiki/Ducati_For_Dummies
I uploaded a variety of bios images from various OMAP4 devices below
CortexM3 bios images - http://goo.gl/4dndeg
I also linked some C6x assembly related content below
http://www.ti.com/lit/ug/spru189g/spru189g.pdf
http://cnx.org/contents/429524a4-6e7e-48f9-8899-18e5d5712116@1
http://www.cs.cmu.edu/afs/cs/academic/class/15745-s05/www/c6xref/tms320c6000.pdf
http://cnx.org/contents/7c6f27c8-b458-4976-ba26-dee0a14ceea4@1/C6x_Assembly_Programming
http://onlinelibrary.wiley.com/doi/10.1002/0471221120.appa/pdf
http://www.ti.com/lit/ug/spru198k/spru198k.pdf
http://www.ti.com/lit/ug/spru187v/spru187v.pdf
http://processors.wiki.ti.com/index.php/SYS/BIOS_Getting_Started_Guide
http://jason.sdsu.edu/c6x/ASSEMBLE.PDF
http://rtsc.eclipse.org/cdoc-tip/ti/targets/C64T.html
http://rtsc.eclipse.org/cdoc-tip/index.html#ti/
http://www.ti.com/lit/ug/spru186x/spru186x.pdf
http://www.cs.cmu.edu/afs/cs/academic/class/15745-s05/www/c6xref/tms320c6000.pdf
https://gcc.gnu.org/onlinedocs/gcc-4.7.3/gcc/C6X-Options.html
https://gcc.gnu.org/wiki/cauldron2013?action=AttachFile&do=get&target=port-gdb-tic6x-qi.pdf
Cauldron 2013 - Port GDB to the TI C6X Architectu…: http://youtu.be/nSL4jcQCeKg
https://github.com/potorange/binutils-tic6x-dis-16bits/commits/tic6x-dis-16bits
https://github.com/potorange/ais-disasm/commits/function-definition-and-boundary
https://github.com/Groundworkstech/pybfd/commits/master
https://github.com/WojciechMigda/gcc/commits/gcc-4.8.2-tic6x-elf-hybrid-pseudo-ops
https://github.com/WojciechMigda/c6xcoffdump/commits/develop
https://github.com/WojciechMigda/binutils/commits/bu-2.24-tic6x-coff
Thanks for this epic resource fellas r2 is really second to none ;)
Fix TE binaries
From fractalg:
This seems to be the procedure for te binaries
- The program image base should be set to the uin64t field ImageBase.
- The .text segment address should be:
BaseOfCode - (StrippedSize - sizeof(EFI_TE_IMAGE_HEADER))
- The entrypoint address should be:
BaseOfCode - (StrippedSize - sizeof(EFI_TE_IMAGE_HEADER)) + AddressOfEntryPoint
The same formula is valid to process the segments virtual address:
Start:BaseOfCode - (StrippedSize - sizeof(EFI_TE_IMAGE_HEADER))) + IMAGE_SECTION_HEADER->VirtualAddress
End:start + IMAGE_SECTION_HEADER->Size of Raw Data
(because alignment???)
Add support for determining whether an exception has occured during debugging
It would be beneficial to be able to determine whether some exception such as an access violation has occurred during debugging. At the moment, it's only possible to do so by disassembling and determining this from cpu flags, signal received etc...
pancake: but for now you have to disassemble and try to determine this by reading the cpu flags, signal received, instruction, regstate, etc
pancake: this can be a nice TODO for the github issues list" -
Add `e dbg.async=<bool>`
Add this option to make debugger async (non-locking), this requires different changes in the debugger backend:
- we cant asume anything is sync (getregs, cont, step, ..)
- we need a way to determine the state of the queue of commands sent to the debugger backend
- never wait() blocking
- allow to send signals to child to make it stop instead of using ^C
sm5 cpu support
https://github.com/mikeryan/sm5emu has emulator for sm5, we should support this (should be easy)
Add support for IMG3 fileformat
Add config var to only specify what to do when an esil emulation exception happens
- ignore and continue
- stop emulating there
- ...
ESIL exceptions should happen when trying to emulate an instruction that doesnt have an ESIL representation (marked as TODO). or it's just an invalid instruction.
Other kind of ESIL exceptions may happen when trying to read or write on non-allocated memory. This case is not handled yet. and we should have C callbacks for this case. /cc @condret
Support visual mode when cmdremote enabled
We can probably copypasta the code from r2 -C as an initial version, but ideally, the whole visual.c should work with local and remote modes. !=! =!=
Better syntax for internal AND grep
pd~call,mov
--> grep all CALL and MOVs
but if we do pd~call&mov
it gets 0 results, because its not using & as separator. the correct syntax is: pd~&call,mov
.. but this is probably not what the user would expect.
We should fix rcons to handle that syntax too
rabin2: symbol postprocessing
Symbol postprocessing
- Only printable names
- Avoid dupped symnames
- Demangle
ROP Search using ESIL
Will be useful to search for gadgets that indirectly modify registers that are not implicit by the instruction. This is for example DIV on x86, which drops the mod in xDX.
Add support for IPv6 networking
Add updatable posix io backend
Check if the file has changed every time it performs a read in order to reopen the file. the correct way to do that is by using mmap, but this can be useful in other situations
checksec in the debugger
- debugger
- rabin2
r2 needs to provide checksec information from the libraries loaded in memory. we already can extract this information from a specific module. and this is very useful when doing exploiting. So we must display that information in dm
. or maybe just as a separate commnad implemented in a plugin.
`pf` builtin templates for sections for the supported binary formats
Add support of parsing not only basic headers, but also section headers for these file formats:
- PE
- ELF
- Mach-O
- TE
- DEX
- Java CLASS
Improve DOS MZ support
- fuzzing
- able to load binaries that rewrite their header
- rabin2 -C mz
- Add loading of segments like sections
- Add proper loading of entry point
- Add loading of relocation entries radareorg/radare2#1200
-
pf
support - regression tests
Do something with RAnalOp.mnemonic
Currently this field is not used at all; but it should be filled by the output of r_asm_disassemble
(and reuse the asm decoding information to do the analysis). Also, as long as its not used, this will increase size and time for doing analysis, I would prefer to make it optional by adding a flags to choose what fields you want to fill from the analop.
TMS320: add support for instruction qualifiers
Need to support C55X qualifies:
- .CR
- port
- mmap
- .LK
- .LR
Non-executable sections should be disassembled as data by default
The disasm loop should handle data regions in a more handy way than we do right now
Add command to write bits
this requires refactoring of current wb
and wB
commands
Deeper analysis of TMS320 C55x
@milabs like this for example https://github.com/radare/radare2/blob/master/libr/anal/p/anal_x86_udis.c#L295
Mark JSON tests somehow #9
This will allow us to better track the r2pipe compatibility issues between releases. Which commands has changed its format, etc. just by diffing all the tests marked with this between two tags.
This is important after 1.0 imho
Option to show the virtual offsets in the rafind2 output
Just to be able to show also the absolute offsets in the raw file, not only the relative ones.
functionality from exploitable GDB plugin
Adding a command to determine if a bug is exploitable would be really cool. This functionality is implemented as MIT license in a GDB plugin which is linked below.
https://github.com/jfoote/exploitable
Make rbin commands iterate over all opened files
This can be solved with an special @@ foreach iterator. the idea is to allow r2 list all the sections of all the binaries mapped in memory, like (lldb) image dump sections
does. This will be useful as an extend to dm
to list memory regions.
This will be also useful when we add support for core files
Add conditional breakpoints using ESIL expressions
We already have this implemented in 'dsue', but this command only accepts one expression (which can be complex and contain more than one condition), but it would be better if we could register them as watchpoints and use the r_bp api to manage them
WINEDBG protocol support
Wine already supports gdb protocol, but winedbg protocol is more advanced and add some useful options.
DMG format parser (for pf)
Suggested by @radare
Read this before starting http://newosxbook.com/DMG.html
stuff that i want to see in or for esil
-
esil.os
config-var - there must be hooks in esilcallbacks reserved for tracing and hooks reserved for platform voodo custom
- explicit regprofiles in analplugins (don't expect the one from the debugger to be the correct choice for your emulation)
- more interrupt-handlers for x86, that depend on esil.os and anal.bits
- api to register syscalls, so we can hook them instead of hooking the interrupts for catching the syscalls
- fork-syscall (requires the 2 previous points)
- clearing the question how brk-syscall could/should work in esil
- switching between multiple esil-instances that have memory and reg-stats associated to them (this will cause a shitload of bugs, i think)
- redefining stuff with RLang
- open and load libs on aei
- Hook a native handler for esil to a specific
pc=ADDR
- close those libs on esil-fini
- more people interested in esil
- Write an article on the blog explaining how to use ESIL
Parsing the gdt/lgdt
Autoanalysis
Benchmark and optimise hash, io and search
This will be useful when moving to SIOL (the io rewrite), or test different io plugins, and hash implementations. When searching we have a counter that shows the current hit count, address, etc.. but we should enhance this status line with bytes/second processed. we can add a config var to specify which option we want to use for that. (dunno if necessary)
Handle ! and other escape chars in rarun2 for stdin/stdout/stderr
Also, we can also specify a rule to run a program before everything. this way we can write rarun2 script that runs a program to create an input file to be used by the stdin= rule
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.