thorkill / eresi

The ERESI Reverse Engineering Software Interface
Home Page: http://www.eresi-project.org
FIXME: This file is not updated to ERESI 0.8 ! TO DO ASAP

-------------------
ELFSH 0.65rc2-linux
-------------------

Hello dear ELFsh & E2dbg user,

Try to read this README, it is a precious information resource for the ELF shell
project. For impatient people, this is a short list of provided features :

 . Analysis on nearly all types of sections
 . Cool disasm/resolving engine with libelfsh and libasm
 . Raw read/write capability into ELF32 AND ELF64 objects
 . Modify ELF header, PHT, SHT, GOT, CTORS, DTORS, .dynamic, PAX bits
 . Modify symbol table, dynamic symbol table and relocation tables
 . Remove or reconstruct SHT
 . Real interactive and scripting modes
 . Many kinds of section injection [even working in non-exec environments]
 . Control flow graphs with graphviz output (i386) : see modflow
 . ELFsh Module support and ELFsh internal API
 . Quiet output for tiny screens and shell script friendliness
 . Experimental ET_EXEC relocation and remapping feature (INTEL)
 . Full ET_REL injection into ET_EXEC (INTEL / SPARC / ALPHA)
 . PLT infection (INTEL, SPARC, ALPHA, MIPS)
 . ALTPLT technique (INTEL, SPARC, ALPHA)

Major features of 0.65 are :

 . 64 bits support
 . A better scripting language with variables, conditions, and loops
 . Support of the ALPHA, MIPS, and SPARC64 architectures
 . The Embedded ELF Debugging for Linux / IA32
 . The DUMP protocol for connections between elfsh nodes
 . The very first source release of libasm
 . The EXTPLT technique for the X86 architecture
 . The ALTGOT technique for the MIPS architecture
 . The CFLOW technique for function redirection on IA32 and MIPS
 . EXTSTATIC technique for extending static executables

The major features of the 0.65 releases are available both for static injection and
memory injection, using the Embedded ELF Debugger (e2dbg), for now on the Linux / IA32
environment. We successfully tested the debugger on Solaris x86 but we are still in the
testing phase for it. A BSD port is coming as well, so stay tuned.

If you are running BSD or Solaris and want to test elfsh, then make sure to look at
elfsh 0.51rc3, which includes a lot of the previously mentioned static features.

[0] Introduction
[1] Communicate with ELFsh
[2] Libelfsh and BFD
[3] Portability
[4] Changes
[5] Module interface
[6] Bugs and WIP
[7] Contact

[0] Introduction

$ elfsh

	The ELF shell 0.65rc2 (32 bits built) .::.
	.::. This software is under the General Public License V.2
	.::. Please visit http://www.gnu.org

(elfsh-0.65rc2)

[1] ELFsh syntax

You can choose to use ELFsh in interactive mode, script mode, or command line.

$ elfsh

	The ELF shell 0.65rc2 (32 bits built) .::.
	.::. This software is under the General Public License V.2
	.::. Please visit http://www.gnu.org

(elfsh-0.65rc2) help

 The ELF shell 0.65rc2 (compiled for 32 bits objects)

 Configuration commands .::.
  help, info, cat, sdir, lscripts, profile, quit, exit
  load, unload, switch, list, workspace

 ELFsh modules commands .::.
  modload, modunload, modhelp

 Ondisk/Memory ELF commands .::.
  elf, interp, pht, got, sht, rel, notes, dyn, dynsym
  findrel, ctors, disasm, hexa, set, get, write, print
  add, sub, mul, div, mod, cmp, reladd, redir

 Debugger commands .::.
  break, delete, continue, dumpregs, stack, dbgstack
  backtrace, linkmap, step

 ELF objects flags .::.
  fixup, shtrm, sstrip

 Ondisk only ELF commands .::.
  flush, save, sym, stab, append, extend, insert, remove

 Network commands .::.
  net, netlist, netkill, connect, disconnect, peerslist, rcmd

 Available prefixes .::.
  all, sort, quiet, verb

 Available Script jumps .::.
  jmp, je, jne, jg, jl, jge, jle

 Available modules .::.
  modtest, modremap, modflow

 Type 'help command' for specific information

(elfsh-0.65rc2)

Since ELFsh supports its own module format, you can inject code into the VM very easily,
or choose to improve libelfsh if the needed modifications are pure ELF manipulation.

[*] D and X commands parameters syntax

 - Available formats : regx, regx:rva, regx:rva%size, regx%size
 - regx : Regular expression (mandatory)
 - rva  : Byte offset from the beginning (optional)
 - size : Bytes number limit (optional)

[*] Object access path format

 - ELF header                            : filename.hdr.field
 - got/ctors/dtors tables                : filename.table[index]
 - pht/symtab/dynsym/dynamic/sht/sections : filename.table[index].field
 - Relocation tables                     : filename.rel[indextable][indexent].field
 - Section raw data                      : filename.section[index:offset%elemsize].raw

[*] Section raw data designation format

 - Available constructions : index, index:offset, index:offset%elemsize
 - index    : The section's index
 - offset   : if specified, offset from the beginning of the section
 - elemsize : if specified, offset = offset * elemsize

 The size of the data to be written is automatically determined as :

  * The length of the string for object type ELFSH_OBJSTR
  * The length until the end of the section for object type ELFSH_OBJRAW
  * sizeof(long) for object type ELFSH_OBJINT

[*] Table index format

 GOT, CTORS, DTORS, SYMTAB, DYNSYM, SHT, Sections, and Relocation tables can be
 indexed by their _exact_ name instead of an index number. The choice is left to
 the users.

[*] Fields list

 - hdr           [ magic class type machine version entry phoff shoff flags ehsize
                   phentsize shentsize phnum shnum shstrndx pax_pageexec pax_emultramp
                   pax_mprotect pax_randmmap pax_randexec pax_segmexec ]
 - sht           [ type offset addr size link info align entsize a w x s m l o ]
 - pht           [ type offset paddr vaddr filesz memsz flags align ]
 - symtab/dynsym [ name value size bind type other ]
 - dynamic       [ val tag ]
 - section       [ name raw ]
 - rel           [ type sym offset ]

[2] LIBELFSH AND BFD

ELFsh mechanisms are different from those of the GNU BFD project since libelfsh is
reverse engineering oriented, where BFD is binary translation oriented.
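The access path format and fields list of section [1] describe how elfsh's get/set
commands address a header or SHT field by name. The Python below is an added example,
not code from the ELFsh/ERESI project: it resolves paths of the same shape
(hdr.<field>, sht[<index or exact name>].<field>) to a file offset plus a struct format,
reads or patches that one field in place, and handles ELF32 and ELF64 of either byte
order in a single code path (libelfsh 0.65 needs two builds for that). The PATH_RE
grammar, the class and function names, and build_sample (which fabricates a minimal
three-section ET_EXEC image for offline use) are this example's own; it covers only hdr
and sht paths, not pht, symtab, rel or raw section data.

```python
"""Path-style read/write access to ELF header and section-header fields,
for ELF32 and ELF64 objects of either byte order (elfsh-like access paths)."""
import re
import struct

# Field names after the README's "Fields list" (hdr[...] and sht[...]); HDR_FIELDS
# covers the part of the ELF header that follows the 16-byte e_ident.
HDR_FIELDS = ("type", "machine", "version", "entry", "phoff", "shoff", "flags",
              "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")
SHT_FIELDS = ("name", "type", "flags", "addr", "offset", "size", "link", "info",
              "align", "entsize")
# Accepted paths (this example's grammar): hdr.<field> | sht[<index or exact name>].<field>
PATH_RE = re.compile(r"^hdr\.(\w+)$|^sht\[([^\]]+)\]\.(\w+)$")


class ElfImage:
    def __init__(self, data: bytes):
        self.buf = bytearray(data)
        if self.buf[:4] != b"\x7fELF":
            raise ValueError("not an ELF object")
        self.bits = {1: 32, 2: 64}[self.buf[4]]          # EI_CLASS
        end = {1: "<", 2: ">"}[self.buf[5]]              # EI_DATA
        # one struct character per field, so field i of the tuples above is char i+1
        self.hfmt = end + ("HHIIIIIHHHHHH" if self.bits == 32 else "HHIQQQIHHHHHH")
        self.sfmt = end + ("IIIIIIIIII" if self.bits == 32 else "IIQQQQIIQQ")

    def _hdr(self, name: str) -> int:
        return dict(zip(HDR_FIELDS, struct.unpack_from(self.hfmt, self.buf, 16)))[name]

    @staticmethod
    def _loc(fmt, names, name, base):
        """(file offset, single-field format) of `name` in a struct laid out at `base`."""
        i = names.index(name)
        return base + struct.calcsize(fmt[0] + fmt[1:1 + i]), fmt[0] + fmt[1 + i]

    def _sh_base(self, idx: int) -> int:
        if not 0 <= idx < self._hdr("shnum"):
            raise IndexError("no section %d" % idx)
        return self._hdr("shoff") + idx * self._hdr("shentsize")

    def section_name(self, idx: int) -> str:
        """Resolve sh_name through the section-header string table (e_shstrndx)."""
        strtab = struct.unpack_from(self.sfmt, self.buf, self._sh_base(self._hdr("shstrndx")))
        name_off = strtab[4] + struct.unpack_from(self.sfmt, self.buf, self._sh_base(idx))[0]
        return self.buf[name_off:self.buf.index(b"\0", name_off)].decode()

    def _resolve(self, path: str):
        m = PATH_RE.match(path)
        if not m:
            raise ValueError("bad access path: " + path)
        if m.group(1):                                   # hdr.<field>
            if m.group(1) == "magic":
                return 0, "<I"                           # 0x464C457F, as elfsh prints it
            if m.group(1) == "class":
                return 4, "<B"
            return self._loc(self.hfmt, HDR_FIELDS, m.group(1), 16)
        sel, fld = m.group(2), m.group(3)                # sht[<sel>].<field>
        if sel.isdigit():
            idx = int(sel)
        else:                                            # exact name, like elfsh's table index format
            found = [i for i in range(self._hdr("shnum")) if self.section_name(i) == sel]
            if not found:
                raise KeyError("no section named " + sel)
            idx = found[0]
        return self._loc(self.sfmt, SHT_FIELDS, fld, self._sh_base(idx))

    def get(self, path: str) -> int:
        off, fmt = self._resolve(path)
        return struct.unpack_from(fmt, self.buf, off)[0]

    def set(self, path: str, value: int) -> bytes:
        """Write one field in place and return the patched image."""
        off, fmt = self._resolve(path)
        struct.pack_into(fmt, self.buf, off, value)
        return bytes(self.buf)


def build_sample(bits: int) -> bytes:
    """Constructed minimal ET_EXEC image (not from the page): NULL, .text, .shstrtab."""
    text = bytes.fromhex("cd80c3")                       # int 0x80 ; ret
    shstr = b"\0.text\0.shstrtab\0"
    ehsize, shentsize = (52, 40) if bits == 32 else (64, 64)
    text_off = ehsize
    shstr_off = text_off + len(text)
    shoff = (shstr_off + len(shstr) + 7) & ~7            # SHT 8-byte aligned after the data
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1, 1]) + b"\0" * 9
    hfmt = "<HHIIIIIHHHHHH" if bits == 32 else "<HHIQQQIHHHHHH"
    sfmt = "<IIIIIIIIII" if bits == 32 else "<IIQQQQIIQQ"
    # ET_EXEC, EM_386 / EM_X86_64, version 1, entry, no PHT, shoff, flags, sizes, shstrndx=2
    hdr = ident + struct.pack(hfmt, 2, 3 if bits == 32 else 62, 1, 0x08048080, 0, shoff,
                              0, ehsize, 0, 0, shentsize, 3, 2)
    sht = struct.pack(sfmt, *([0] * 10))                                             # SHT_NULL
    sht += struct.pack(sfmt, 1, 1, 6, 0x08048080, text_off, len(text), 0, 0, 16, 0)  # PROGBITS, AX
    sht += struct.pack(sfmt, 7, 3, 0, 0, shstr_off, len(shstr), 0, 0, 1, 0)          # STRTAB
    body = hdr + text + shstr
    return body + b"\0" * (shoff - len(body)) + sht


if __name__ == "__main__":
    img = ElfImage(build_sample(32))
    print(hex(img.get("hdr.entry")), img.section_name(1), img.get("sht[.text].size"))
```

Because every field is located by walking the struct format string, the same code serves
both classes and both byte orders; the only thing that differs between ELF32 and ELF64 is
the format string picked from EI_CLASS. Writes are bounded to the one field resolved, so a
bad path fails before anything is modified.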
[3] PORTABILITY

The major features of the 0.65 releases are available both for ondisk injection and
memory injection, using the Embedded ELF Debugger (e2dbg), for now on the Linux / IA32
environment. We successfully tested the debugger on Solaris x86 but we are still in the
testing phase for it. A BSD port is coming as well, so stay tuned.

If you are running BSD or Solaris and want to test elfsh, then make sure to look at
elfsh 0.51rc3, which includes a lot of the previously mentioned static features.

[4] MAJOR CHANGES

This version is a MAJOR update. Look at doc/Changelog for a complete list of changes.

The internal descriptor of ELF objects has been made more complex but clearer using an
internal hierarchy, and everything is indexed using hash tables. We really care about
the modularity of our programs, so a lot of general purpose macros make life easy in
elfsh development. See vm/tables.c for an example of such interfaces.

This package is now composed of :

 elfsh     .::. The scripting language interpreter
 e2dbg     .::. The embedded ELF debugger
 libdump   .::. ELFsh Distributed Update Management Protocol implementation
 libasm    .::. Disassembly and analysis of IA32 opcodes
 libelfsh  .::. The ELF manipulation library
 testsuite .::. Example programs using libelfsh
 doc       .::. Documentation and information
 modules   .::. ELFsh provided modules (see modtest.c for a basic example)

- ELFsh :

 * We have interactive mode, scripting mode, and command line mode. The scripting
   language now supports lazy type variables like in Perl. See the scripts in
   testsuite/testscripts/ for examples of the language syntax.

 * We use readline (version 5). Find it on ftp://ftp.gnu.org/gnu/readline/

 * Check http://elfsh.devhell.org/logs/ for detailed logs and script sample results
   working with this version of ELFsh.

- E2dbg :

 * The embedded ELF debugger is the very first UNIX userland debugger that does not use
   ptrace. It runs in the same process as the debuggee and thus has much better
   performance. The flip side of sharing the address space is that a hostile debuggee
   can read or overwrite the debugger's own state; isolation is traded for speed.
   The debugger is also fully compatible with the PaX hardening Linux kernel patch that
   you can find on pax.grsecurity.net, with the exception of the MPROTECT option, for
   which we now know a solution but which is not available in this version of the
   project.

 * Most ondisk commands work in the debugger. The 'mode' command lets you select between
   inspecting and changing the memory image or the ondisk version of the ELF program.
   ET_REL injection and function redirection are known to work in memory as well.

 * E2dbg is a real debugger. It has the important debugger features, such as
   breakpoints, backtrace, step-by-step analysis, and disassembly in memory. E2dbg also
   provides a display command integrated in the scripting language of ELFsh, so on a step
   or a breakpoint you can execute more powerful things than you could with gdb.

- Libelfsh :

 * The library now supports both 32 and 64 bits files with a single code base. It means
   that you have to compile 2 versions (one for 32 bits, one for 64 bits) if you want to
   manipulate the 2 different formats at the same time. There is no compatibility between
   these 2 builds for now.

 * We implemented a self-profiler for the whole project. Using the 'profile' command of
   elfsh you can control its behavior. It is very useful for understanding more about the
   internal mechanisms of the code. The self-profiler includes a cheap memory system for
   function calls that makes it capable of a very rudimentary pattern matching, which
   avoids overly big traces.

 * We kept our modularity with our hook system, which allows plugging in support for
   other architectures and OS in the future. Please do contribute anything you can ! See
   libelfsh/hooks.c for more information.

- Libasm :

 This is the very first source code release of libasm. It now supports only the IA32
 architecture, but SPARC and MIPS support are on the way. Libasm is used at various
 places in elfsh, particularly for guessing instruction lengths or plugging symbol
 resolution callbacks on code fetching. The source is work in progress.

- Libdump :

 This is the very first release of libdump in the project. DUMP is a protocol that we
 implemented in peer-to-peer style for communicating between elfsh and e2dbg nodes. You
 can connect to start a remote debugging session or communicate widely over the network
 between nodes. Some of the network commands of ELFsh rely on it.

- Modules :

 * modtest is a simple test module for those interested in writing elfsh or e2dbg
   modules.

 * modremap is an old test written by spacewalker and adapted inside elfsh by the ELFsh
   crew for trying to remap ET_EXEC ELF binaries whose relocation tables are stripped. It
   is known to work on small binaries from /bin but won't work on bigger binaries.

 * modflow now provides basic control flow graphs with a good looking output using
   graphviz (by AT&T Labs). This feature is known to work for small binaries, but the
   graphing tool won't follow libasm on bigger binaries.

[5] Module support

ELFsh supports modules. They are very easy to code, and you can load them at runtime
using the modload command (see modunload for unloading). A basic module would be :
modules/modtest.c

The module API:

 * void elfsh_init()   Mandatory
 * void elfsh_fini()   Optional

From the modules, you can use the internal ELFsh API :

 * All vm_* API (See vm/include/elfsh.h)

[6] BUGS AND WIP

- The SHT reconstruction engine is being rewritten at the moment to deal with various
  special cases of the 0.43b insertion based algorithm (use ELFsh 0.43b for this
  feature, waiting for the new implementation in this series).
- Changing sh_size and then displaying the section content may fault if data is not
  appended (reported by emper0r).
- ET_REL injection on MIPS is work in progress.
- The debugger is for now only guaranteed to work on Linux / IA32. Other OS are being
  tested (BSD, Solaris, HPUX) and other architectures are studied.

See the doc/TODO file for a more complete view of the future plans.

[7] CONTACT

If you have any requests (new features, bugtracking, comments, or just to say hello) you
can mail us : [email protected]

If you're interested in the subject, visit the project page : http://elfsh.devhell.org

Share & Enjoy !

The ELF shell crew
On FreeBSD, trying to debug a multithreaded program will make the debugger segfault.
See the testsuite to reproduce this bug.
Ticket: 1 Reported by: jfv on Thu May 17 00:51:32 2007
Elfsh 0.7x does not compile anymore on BeOS.
2 patches are enclosed to fix the issues:
Ticket: 10 Reported by: zadig on Tue Dec 19 16:38:23 2006
attachment: 2_beos_partial.diff/
attachment: 3_beos_complete.diff/
attachment: 8_beos_tocommit.diff/
attachment: 9_beos_complete.diff/
attachment: 10_elfsh_beos.diff/
Conditional commands : if, elseif, else
Should be made possible within the ERESI language.
Ticket: 22 Reported by: jfv on Wed Sep 19 04:27:43 2007
Some binaries have broken headers which can't be easily analysed,
changed, etc.
Any ideas?
Ticket: 15 Reported by: thorkill on Thu Mar 16 14:20:00 2006
port summary: into post-commit hook
Ticket: 38 Reported by: thorkill on Tue Feb 19 17:38:01 2008
(elfsh-0.8-a26-dev@local) load ./test-1
[*] Wed Feb 20 00:49:48 2008 - New object loaded : ./test-1
(elfsh-0.8-a26-dev@local) sht
[SECTION HEADER TABLE .::. SHT is not stripped]
[Object ./test-1]
[000] 0x00000000 ------- foffset:00000000 size:00000128 link:00 info:0000 entsize:0000 align:0000 => NULL section
[001] 0x08048080 a-x---- .text foffset:00000128 size:00000043 link:00 info:0000 entsize:0000 align:0016 => Program data
[002] 0x080490AC aw----- .data foffset:00000172 size:00000014 link:00 info:0000 entsize:0000 align:0004 => Program data
[003] 0x080490BA aw----- .bss foffset:00000186 size:00000002 link:00 info:0000 entsize:0000 align:0001 => BSS
[004] 0x00000000 ------- .comment foffset:00000186 size:00000031 link:00 info:0000 entsize:0000 align:0001 => Program data
[005] 0x00000000 ------- .shstrtab foffset:00000217 size:00000053 link:00 info:0000 entsize:0000 align:0001 => String table
[006] 0x00000000 ------- .symtab foffset:00000270 size:00000080 link:07 info:0000 entsize:0016 align:0000 => Symbol table
[007] 0x00000000 ------- .strtab foffset:00000350 size:00000034 link:06 info:0000 entsize:0000 align:0000 => String table
(elfsh-0.8-a26-dev@local) e
[ELF HEADER]
[Object ./test-1, MAGIC 0x464C457F]
Architecture : Intel 80386 ELF Version : 1
Object type : Executable object SHT strtab index : 5
Data encoding : Little endian SHT foffset : 0000000386
PHT foffset : 0000000052 SHT entries number : 8
PHT entries number : 2 SHT entry size : 40
PHT entry size : 32 ELF header size : 52
Runtime PHT offset : 1179403657 Fingerprinted OS : FreeBSD
Entry point : 0x08048083 [?]
{OLD PAX FLAGS = 0x0}
PAX_PAGEEXEC : Disabled PAX_EMULTRAMP : Not emulated
PAX_MPROTECT : Restricted PAX_RANDMAP : Randomized
PAX_RANDEXEC : Not randomized PAX_SEGMEXEC : Enabled
(elfsh-0.8-a26-dev@local) analyse
[*] Now performing Control Flow Analysis
[*] Registered new function starting at 0x08048080
Calling location source 0x08048097
Calling location source 0x080480A6
Assertion failed: (new_size > 0), function mjr_block_split, file src/links.c, line 274.
Abort (core dumped)
$ objdump -d test-1
test-1: file format elf32-i386-freebsd
Disassembly of section .text:
08048080 <.text>:
8048080: cd 80 int $0x80
8048082: c3 ret
8048083: 68 ac 90 04 08 push $0x80490ac
8048088: 68 ac 90 04 08 push $0x80490ac
804808d: 68 01 00 00 00 push $0x1
8048092: b8 04 00 00 00 mov $0x4,%eax
8048097: e8 e4 ff ff ff call 0x8048080
804809c: 68 00 00 00 00 push $0x0
80480a1: b8 01 00 00 00 mov $0x1,%eax
80480a6: e8 d5 ff ff ff call 0x8048080
I have started to make tests on mjollnir. Starting with commit [855] I have found the first bug.
It seems that libmjollnir can't handle this one.
Ticket: 39 Reported by: thorkill on Wed Feb 20 00:56:19 2008
Maybe we can have an history for each program (elfsh, kernsh, e2dbg, etrace ...) ?
Actually there is only one history in .elfsh_history.
Ticket: 40 Reported by: pouik on Wed Feb 27 11:45:00 2008
The debugger commands : profile, hexa, step, backtrace, linkmap, stack, dbgstack
are not outputting in colors.
Ticket: 3 Reported by: jfv on Tue Jul 4 20:47:11 2006
Right now, commands are registered this way :
/* General purpose command */
vm_addcmd(CMD_MODLOAD , (void *) cmd_modload , (void *) vm_getoption , 0, HLP_MODLOAD);
vm_addcmd(CMD_MODULOAD, (void *) cmd_modunload, (void *) vm_getoption , 0, HLP_MODULOAD);
vm_addcmd(CMD_DISASM , (void *) cmd_disasm , (void *) vm_getdisasm , 1, HLP_DISASM);
[...]
This way, the help string of each command (HLP_...) is registered at the same time as the command itself.
But HLP_... is a string that is placed in librevm/include/revm-help.h
This makes the creation of complex help quite difficult.
The idea of this task is :
This system should make the beginner users more easily introduced in the framework.
Enjoy
-may
Ticket: 20 Reported by: jfv on Sun Feb 25 16:25:32 2007
The debugger on the sparc architecture encounters a cache coherency
problem. Specifically, when writing in a code section of a program
(in e2dbg at runtime) being debugged, the debuggee program crashes
once this code is reached.
Have fun
-jfv
Ticket: 28 Reported by: jfv on Tue Sep 18 02:22:06 2007
ELFsh is not capable of creating a static binary. This would be useful when we extract a program from memory
so that we are able to analyse it as if it were a real binary afterwards.
There is no API for creating those things; the problem is not hard and brings lots of advantages,
so we have to support it soon.
Ticket: 7 Reported by: jfv on Sat Dec 30 21:26:19 2006
The evarista static analyzer : evarista/evarista.esh
is currently broken (fails at some point to execute) due
to changes in the syntax of the ERESI language.
This is the top priority currently to get fixed
-jfv
Ticket: 16 Reported by: jfv on Wed Sep 19 23:53:52 2007
In evarista:
The evarista/elir-dataflow.esh file contains the computation of dataflow analysis
for the ELIR intermediate forms. As specific ELIR types have been defined for
allowing x86 translation, we need to add dataflow computation for these types
in the dataflow file.
Have fun
-jfv
Ticket: 25 Reported by: jfv on Tue Sep 18 16:40:22 2007
cc -Iinclude -Wall -fPIC -g3 -O2 -DELFSH_INTERN -I../libasm/include/ -I../libetrace/include -I../libaspect/include/ -DERESI32 -DM32 -c -o dynamic.32.o dynamic.c
In file included from include/libelfsh.h:35,
from dynamic.c:11:
include/libelfsh/libelfsh-compat.h:180: error: syntax error before "elfsh_Nhdr"
include/libelfsh/libelfsh-compat.h:180: warning: type defaults to `int' in declaration of `elfsh_Nhdr'
include/libelfsh.h:1329: error: syntax error before "elfsh_Vernaux"
include/libelfsh.h:1330: error: syntax error before "elfsh_Verdaux"
gmake: *** [dynamic.32.o] Error 1
*** Error code 2
Stop in /usr/home/xsbyme/eresi.
Ticket: 42 Reported by: xsz on Sat Mar 8 16:32:37 2008
The kernel shell fails to handle the solaris kernel.
We need to do:
Enjoy
-jfv
Ticket: 27 Reported by: jfv on Mon Sep 17 02:48:08 2007
Our dataflow commands need to be implemented directly in the eresi language. Dataflow information about use/def chains should be computed using a deductive system on the model of Hoare logic, where annotations (based on the "type" and "inform" commands) correspond to the structure passed from pre- to post-conditions.
Ticket: 41 Reported by: may on Fri Mar 7 10:20:20 2008
Build currently fails on libelfsh.
Ticket: 44 Reported by: enioh on Mon Mar 24 17:48:04 2008
We currently have a global .rc file for eresi : .eresirc
A local .rc file was also added for kernsh.
We should do the same for elfsh, e2dbg, etrace and evarista : they should each
have a personal .rc that is executed after the common .eresirc
-jv
Ticket: 29 Reported by: jfv on Sat Sep 22 03:39:00 2007
On SPARC/Solaris, there are problems with the debug types conversion into the eresi types.
For instance, when librevm is loaded in the shell (which include libasm.a), we have
many asm_ types (including asm_operand) but we don't have asm_instruction. We need
this to be fixed so that we can achieve reflection on assembly instructions, thus allowing
binary code transformation directly from the ERESI language.
It seems like this bug only affects Solaris, further testing must determine it
-jfv
Ticket: 11 Reported by: jfv on Wed May 23 19:04:40 2007
It is not possible to use elfsh in C++ projects because some includes use reserved names:
Ticket: 4 Reported by: zadig on Fri Feb 2 23:32:55 2007
When loading a binary to be traced, only the main binary's functions will be traced
(and the external functions it calls). The internal functions of the dependencies
will currently not be traced.
This needs to be fixed by injecting the tracer .o file in each library dependency
as well, and modifying the .dynamic section of each library to reflect the change
(since libraries will certainly need another path or another name, to avoid messing
with the original non-traced version of the libraries)
x86 should be a priority, then sparc
Enjoy
-jv
Ticket: 31 Reported by: jfv on Mon Sep 24 17:47:57 2007
segfault when trying to analyse a quite big program
Ticket: 35 Reported by: jmp on Fri Aug 24 14:45:04 2007
attachment: 15_buganalyse/
e.g.: add $a $b
print $a
Should print the value of $a + $b
Ticket: 17 Reported by: jfv on Wed Sep 19 04:30:56 2007
All features of elfsh/e2dbg are not available for the ALPHA architecture. Those features can be implemented
in hooks (vectors elements) very easily. The missing hooks for ALPHA can be filled in existing vectors. The
list of vectors to be completed for the ALPHA architecture is (by order of importance) :
Please respect the order of priority because some hooks depend on others.
Ticket: 13 Reported by: jfv on Tue Aug 1 17:18:17 2006
The relocation function for the MIPS architecture is in place and the main needed relocations are implemented. However
there is a bug in that function that makes the ET_REL injection fail on this architecture.
See the comments and the code in libelfsh/mips32.c regarding that issue, in the relocate hook function for this
feature/arch.
Ticket: 37 Reported by: jfv on Sun Jul 30 18:22:06 2006
The core file support was done on Linux and FreeBSD but there are lots
of additional information that can be fetched which is currently not
supported.
We need to make sure also to have a very clear core information API
so that it can be used by the debugger when inspecting core files.
-jfv
Ticket: 23 Reported by: jfv on Sun Nov 26 15:54:07 2006
Insecure functions produce warnings at compilation.
We should try to remove strcpy/strcat/sprintf/...
Ticket: 45 Reported by: enioh on Mon Mar 24 23:37:12 2008
The current translation from ELIR to SSA supports only the minimal set of
types for translating a SPARC binary program to ELIR to SSA.
Other types were introduced by Julio Auto for covering more constructs as
used in the INTEL instruction set. These types do not have conversion from
ELIR to SSA.
The evarista/lir2ssa.esh file contains the translation and should be extended
to cover these types.
Have fun
-jv
Ticket: 33 Reported by: jfv on Sat Sep 22 03:42:23 2007
The debugger misses some things to work on MIPS/IRIX:
Ticket: 36 Reported by: jfv on Tue Jul 4 20:29:57 2006
SHT reconstruction should use :
The current code of that feature is in : libelfsh/sht_rebuild.c
This is quite ugly code that needs to be improved and highly cleaned !
have fun
-may
Ticket: 14 Reported by: jfv on Thu Mar 30 18:54:57 2006
E2dbg has a particularity since it is a debugger capable of debugging without stopping the program.
Right now, e2dbg has only 1 window, and the e2dbg prompt is not waiting for the debuggee to stop before showing the prompt again. While this can
be seen as an inconvenience for the legibility/usability of the debugger, this is actually a very interesting feature if it is packaged a little
bit better.
The proposition is as follows : split the e2dbg interface (as implemented in libui) into multiple windows. The most important windows would be :
Optionally, we could do 2 more windows :
This way, the debugger will have a very user-friendly interface. We can think about the integration of such interface with the workspace system, as well, so we use the full features set of the interface all at the same time.
Ticket: 9 Reported by: jfv on Sat Jul 22 17:51:43 2006
Kernsh is currently only available for OS based on Linux.
BSD port is currently in progress but we still do not have
any tests in the testsuite or any kernshrc for these OS.
BSD testing of kernsh must be integrated in ERESI
-jfv
Ticket: 24 Reported by: jfv on Mon Sep 17 02:45:37 2007
The major features of the ELF shell and the Embedded ELF Debugger are not available on a variety of interesting architectures, including
ARM (ARM7 and ARM9), AMD64, IA64, PPC (32 and 64 bits), and PA-RISC (by order of priority).
Those features are independent of the cores and can be implemented using vector hooks. The list of vector hooks to be implemented is :
For elfsh:
For the debugger :
For the tracer :
All those hooks are independent and can be implemented in any order (except ENCODEPLT / ENCODEPLT1 on which EXTPLT depends, and GETFP/NEXTFP/GETRET on which
BACKTRACE depends)
Ticket: 12 Reported by: jfv on Tue Aug 1 17:30:05 2006
The current state of libasm for the MIPS architecture is very draft
heroine and then simkink have started and integrated the backend
skeleton and the most used instructions in libasm-MIPS.tgz which
is not part of the CVS.
If anyone is interested to continue this work, please show up
-jfv
Ticket: 30 Reported by: jfv on Mon Sep 17 02:51:21 2007
Currently we do a linear read of the binary code for constructing the control flow graph, this is not good for multiple reasons:
Instead we should use an entry point and a max depth, and follow the control flow edge when constructing the CFG.
Ticket: 43 Reported by: may on Wed Mar 19 10:50:12 2008
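Tickets 39 and 43 above describe two sides of one problem: a linear read of .text
registers a function at the section start, and the later call edges back to that same
address then split an existing block, and on the trace in ticket 39 that split lands on
the block's own start and so produces the new_size == 0 that mjr_block_split asserts on
(that reading of the assertion is an assumption, not something the ticket states).
Ticket 43 proposes driving the CFG from an entry point with a maximum depth instead.
The Python below is an added example, not libmjollnir code: it decodes the five x86
instruction forms present in the ticket 39 objdump listing (the 43 .text bytes are
transcribed from that listing and constructed here as the sample input), follows control
flow from the given entry points with a depth bound, and treats a split at a block start
as a no-op instead of asserting. Insn, Block, CFG, decode and block_layout are names of
this example; the handling of calls as block terminators with a fall-through edge is a
design choice here, not a statement about how mjollnir partitions blocks.

```python
"""Recursive-descent basic-block recovery over a tiny x86 decoder, with the
split-at-block-start case handled as a no-op instead of asserted."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the 43 .text bytes of the objdump listing in ticket 39,
# transcribed by hand; mapped at 0x08048080 with entry point 0x08048083.
TEXT_BASE = 0x08048080
ENTRY = 0x08048083
TEXT = bytes.fromhex(
    "cd80" "c3"                                        # int 0x80 ; ret
    "68ac900408" "68ac900408" "6801000000"             # push ; push ; push 1
    "b804000000" "e8e4ffffff"                          # mov eax,4 ; call 0x8048080
    "6800000000" "b801000000" "e8d5ffffff"             # push 0 ; mov eax,1 ; call 0x8048080
)


@dataclass
class Insn:
    addr: int
    size: int
    text: str
    target: Optional[int] = None      # direct call target, if any
    ends_block: bool = False


def decode(code: bytes, base: int, addr: int) -> Insn:
    """Decode one instruction of the subset the sample uses: int imm8, ret,
    push imm32, mov eax,imm32, call rel32. Anything else is rejected."""
    off = addr - base
    op = code[off]
    if op == 0xCD:
        return Insn(addr, 2, "int 0x%x" % code[off + 1])
    if op == 0xC3:
        return Insn(addr, 1, "ret", ends_block=True)
    if op in (0x68, 0xB8):
        imm = int.from_bytes(code[off + 1:off + 5], "little")
        return Insn(addr, 5, ("push 0x%x" if op == 0x68 else "mov eax,0x%x") % imm)
    if op == 0xE8:
        rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
        tgt = (addr + 5 + rel) & 0xFFFFFFFF
        return Insn(addr, 5, "call 0x%x" % tgt, target=tgt, ends_block=True)
    raise ValueError("unsupported opcode 0x%02x at 0x%x" % (op, addr))


@dataclass
class Block:
    start: int
    size: int = 0
    succs: List[int] = field(default_factory=list)

    @property
    def end(self) -> int:
        return self.start + self.size


class CFG:
    def __init__(self, code: bytes, base: int):
        self.code, self.base = code, base
        self.blocks: Dict[int, Block] = {}           # keyed by block start address

    def in_range(self, addr: int) -> bool:
        return self.base <= addr < self.base + len(self.code)

    def block_containing(self, addr: int) -> Optional[Block]:
        return next((b for b in self.blocks.values() if b.start <= addr < b.end), None)

    def split(self, blk: Block, at: int) -> Block:
        """Put a block boundary at `at`. A split exactly at blk.start would yield a
        zero-length block (the new_size == 0 case), so it is a no-op here."""
        if at == blk.start:
            return blk
        tail = Block(at, blk.end - at, blk.succs)
        blk.size, blk.succs = at - blk.start, [at]
        self.blocks[at] = tail
        return tail

    def build(self, entries: List[int], max_depth: int = 64) -> Dict[int, Block]:
        """Follow control flow from the entry points, bounded by max_depth call
        nesting, instead of sweeping the section linearly."""
        work = [(e, 0) for e in reversed(entries)]
        while work:
            addr, depth = work.pop()
            if depth > max_depth or not self.in_range(addr):
                continue
            hit = self.block_containing(addr)
            if hit is not None:
                self.split(hit, addr)              # already decoded: only add the boundary
                continue
            blk = self.blocks[addr] = Block(addr)
            pc = addr
            while self.in_range(pc):
                if pc != addr and pc in self.blocks:
                    blk.succs.append(pc)           # ran into an existing block start
                    break
                insn = decode(self.code, self.base, pc)
                blk.size += insn.size
                pc += insn.size
                if insn.target is not None:
                    blk.succs.append(insn.target)
                    work.append((insn.target, depth + 1))
                if insn.ends_block:
                    if insn.target is not None and self.in_range(pc):
                        blk.succs.append(pc)       # a call resumes at the next instruction
                        work.append((pc, depth))
                    break
        return self.blocks


def block_layout(cfg: CFG) -> List[tuple]:
    """Sorted (start, size) pairs; for a fully covered section the sizes sum to its length."""
    return sorted((b.start, b.size) for b in cfg.blocks.values())


if __name__ == "__main__":
    cfg = CFG(TEXT, TEXT_BASE)
    cfg.build([TEXT_BASE, ENTRY])                  # the order the ticket's linear read used
    for start, size in block_layout(cfg):
        print("block 0x%08x size %d succs %s" % (start, size, [hex(s) for s in cfg.blocks[start].succs]))
```

Building with [TEXT_BASE, ENTRY] reproduces the ticket's sequence (function at 0x08048080
registered first, then the two call sites found from the entry point); the second and
third visits to 0x08048080 fall on an existing block start and are absorbed rather than
split. A split strictly inside a block still works, as the extra entry 0x08048088 in the
test shows.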
The tracer needs to be ported on SPARC:
Have fun
Ticket: 32 Reported by: jfv on Tue Nov 14 16:35:19 2006
The edfmt API is currently not used in e2dbg.
I will take care of this once the debug API can be used for local variables information.
-jfv
Ticket: 19 Reported by: jfv on Sat Sep 22 00:47:23 2007
The debugger does not currently use the debug format as it should.
Good features for interfacing would be :
Have fun
-jfv
Ticket: 34 Reported by: jfv on Sun May 20 00:15:24 2007
The backend translation from x86 asm code to ELIR form is not complete.
For now, Strauss has implemented the 8086 subset.
x86 has more than 350 instructions, as such it's a wise idea to share
work with everyone on this.
-jfv
Ticket: 18 Reported by: jfv on Mon Sep 17 02:29:16 2007
I have a problem with e2dbg64 when loading libe2dbg64.so.
(Source from SVN)
Here an execution :
DEBUG: List frames allocated at 0x2b799a7a55a0 does not exists in hash : CREATING
[*] No configuration in ~/.eresirc
[*] Preloading /usr/local/lib//libe2dbg64.so
/local/code/txpthread/p_hello/p_hello: symbol lookup error: /usr/local/lib//libe2dbg64.so: undefined symbol: cmd_dbgstack
[E] Target binary not found
Syntax : ./e2dbg/e2dbg64 target_binary
I think it is a little bug.
Thank you for your great work and your future fix.
Ticket: 49 Reported by: [email protected] on Fri Mar 28 12:04:59 2008
Mydisasm does not increment instruction pointer when disassembling /bin/ls (elf32-i386)
0x08049ae0: xor %eax,%eax 31 ed
0x08049ae2: pop
0x08049ae2: pop
0x08049ae2: pop
0x08049ae2: pop
[...]
(elfsh-0.81-a5-dev@local) disasm strcpy
0x08049ACC [foff: 6860] strcpy + 0 jmp FF
0x08049ACD [foff: 6861] strcpy + 1 and 25
0x08049ACE [foff: 6862] strcpy + 2 cmp 3C
0x08049ACF [foff: 6863] strcpy + 3 mov B8
0x08049AD0 [foff: 6864] strcpy + 4 add 05
0x08049AD1 [foff: 6865] strcpy + 5 or 08
0x08049AD2 [foff: 6866] strcpy + 6 lock push 68
0x08049AD3 [foff: 6867] strcpy + 7 clc F8
...
Ticket: 46 Reported by: enioh on Tue Mar 25 01:14:35 2008
If a binary is packed (for instance with UPX), elfsh will not be able to load it directly
in unpacked format. The goal of this feature is to load packed binaries transparently.
The idea for doing this is to create a new vector for the file loading. Vectors (which
are now part of libaspect and not anymore of libelfsh) can make the file loading
dependent on parameters, so that the file loading function is looked up depending on
precise parameters (like fields in the headers, or any other information stored in
the binary)
Examples of use of those vectors are in libelfsh/hooks.c
Vectors implementation stands in : libaspect/vectors.c
Enjoy
Ticket: 8 Reported by: jfv on Fri Dec 22 03:00:14 2006
Translation from ELIR (the subset of ELIR for the sparc architecture) to SSA
is missing support for 4 ELIR operations. This has to be finished, it should
not be a long job.
-jv
Ticket: 26 Reported by: jfv on Sat Sep 22 03:36:21 2007
All features of elfsh/e2dbg are not available for the MIPS architecture. Those features can be implemented
in hooks (vectors elements) very easily. The missing hooks for MIPS can be filled in existing vectors. The
list of vectors to be completed for the MIPS architecture is (by order of importance) :
Please respect the order of priority because some hooks depend on others.
Ticket: 21 Reported by: jfv on Tue Aug 1 17:16:19 2006
/root/eresi/libkernsh/kernel/arch/x86/linux/mem.c:41:32: error: macro "xlate_dev_mem_ptr" requires 2 arguments, but only 1 given
/root/eresi/libkernsh/kernel/arch/x86/linux/mem.c: In function 'kernsh_read_mem':
/root/eresi/libkernsh/kernel/arch/x86/linux/mem.c:41: error: 'xlate_dev_mem_ptr' undeclared (first use in this function)
/root/eresi/libkernsh/kernel/arch/x86/linux/mem.c:41: error: (Each undeclared identifier is reported only once
/root/eresi/libkernsh/kernel/arch/x86/linux/mem.c:41: error: for each function it appears in.)
/root/eresi/libkernsh/kernel/arch/x86/linux/mem.c:106:32: error: macro "xlate_dev_mem_ptr" requires 2 arguments, but only 1 given
/root/eresi/libkernsh/kernel/arch/x86/linux/mem.c: In function 'kernsh_write_mem':
/root/eresi/libkernsh/kernel/arch/x86/linux/mem.c:106: error: 'xlate_dev_mem_ptr' undeclared (first use in this function)
OS is CentOS
Ticket: 48 Reported by: anonymous on Thu Mar 27 18:53:31 2008
e2dbg cannot debug static binaries yet. Make sure the static injection is compatible (e.g. we do not
take too much PT_LOAD in the host binary and that we keep being PaX compatible)
Ticket: 2 Reported by: jfv on Sun Nov 26 15:53:19 2006
The embedded ELF debugger does not have the feature that consists of recovering a file
from its image in memory. Some work has been done already about this topic in 2
different articles :
Silvio Cesare 'ELF executable reconstruction from a core image'
ilo (phrack 63) 'Process dump and binary reconstruction'
Enjoy
Ticket: 5 Reported by: jfv on Fri Dec 22 02:55:40 2006
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r
Starting program: /usr/local/bin/elfsh
[Thread debugging using libthread_db enabled]
[New Thread -1214391744 (LWP 12807)]
The ELF shell 0.8 (32 bits built) .::.
.::. This software is under the General Public License V.2
.::. Please visit http://www.gnu.org
~quiet
[*] Set ELFsh default color theme (use nocolor to disable)
[] /home/zarulshahrin/.eresirc sourcing -OK-
[] Type help for regular commands
(elfsh-0.8-a5-cam@local) load hitb
[] Sun Jul 22 14:11:46 2007 - New object loaded : hitb
[] New object dependences loaded : /usr/lib/libcrypto.so.0.9.8
[] New object dependences loaded : /lib/libc.so.6
[] New object dependences loaded : /lib/ld-linux.so.2
[] New object dependences loaded : /lib/libdl.so.2
[] New object dependences loaded : /usr/lib/libz.so.1
(elfsh-0.8-a5-cam@local) analyse
.: mjollnir : performing object analysis
[] Entry point: 8048520
[] start found at 8048520
[] Linux-like start
[] main located at 8048600
[] Found function pointer at 8048589
[] Found function pointer at 80485bf
[] Found function pointer at 8048897
[] Found function pointer at 80488c9
[] Saving .edfmt.function section of 3500 bytes
[] Saving .edfmt.fcontrol section of 336 bytes
[] Found block start for function 8048541
[] Found block start for function 8048550
[] Found block start for function 8048470
[] Found block start for function 8048731
[] Found block start for function 8048715
[] Found block start for function 8048671
[] Found block start for function 8048752
[] Found block start for function 8048475
[] Found block start for function 8048566
[] Found block start for function 8048659
[] Found block start for function 8048859
[] Found block start for function 804846b
[] Found block start for function 80486f0
[] Found block start for function 804863e
[] Found block start for function 804864d
[] Found block start for function 80487a6
[] Found block start for function 804884b
[] Found block start for function 80488f0
[] Found block start for function 804879a
[] Found block start for function 80488e4
[] Found block start for function 804868d
[] Found block start for function 804878c
[] Found block start for function 804877e
[] Found block start for function 80487ab
[] Found block start for function 80486cb
[_] Saving .edfmt.blocks section of 3160 bytes
[*] Saving .edfmt.bcontrol section of 2496 bytes
.: mjollnir : object analysis completed successfully.
(elfsh-0.8-a5-cam@local) save hitb.new
[*] Object hitb.new saved successfully
(elfsh-0.8-a5-cam@local) unload hitb
[] Object /lib/ld-linux.so.2 unloaded on Sun Jul 22 14:12:13 2007
[] Object /lib/libc.so.6 unloaded on Sun Jul 22 14:12:13 2007
[] Object /usr/lib/libz.so.1 unloaded on Sun Jul 22 14:12:13 2007
[] Object /lib/libdl.so.2 unloaded on Sun Jul 22 14:12:13 2007
[] Object /usr/lib/libcrypto.so.0.9.8 unloaded on Sun Jul 22 14:12:13 2007
[] Object hitb unloaded on Sun Jul 22 14:12:13 2007
(elfsh-0.8-a5-cam@local) load hitb.new
[] Sun Jul 22 14:12:17 2007 - New object loaded : hitb.new
[] New object dependences loaded : /usr/lib/libcrypto.so.0.9.8
[] New object dependences loaded : /lib/libc.so.6
[] New object dependences loaded : /lib/ld-linux.so.2
[] New object dependences loaded : /lib/libdl.so.2
[] New object dependences loaded : /usr/lib/libz.so.1
(elfsh-0.8-a5-cam@local) graph
[] .dot file: /tmp/hitb_new/object-dump.dot
[] Dumping 25 functions
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1214391744 (LWP 12807)]
0xb7d0ddc0 in revm_graph_function (cntnr=0x0, fd=6, direction=1, type=0, maxdepth=0, curdepth=1) at graph.c:466
466 fnc = (mjrfunc_t *)cntnr->data;
(gdb) bt
#0 0xb7d0ddc0 in revm_graph_function (cntnr=0x0, fd=6, direction=1, type=0, maxdepth=0, curdepth=1) at graph.c:466
#1 0xb7d0ea4c in cmd_graph () at graph.c:600
#2 0xb7d65c32 in revm_execmd () at loop.c:219
#3 0xb7d64022 in revm_loop (argc=2, argv=0x81fc3e8) at init.c:115
#4 0xb7d64ecc in revm_run (ac=1, av=0xbfa2a254) at init.c:393
#5 0x08049ad9 in esh_main (ac=1, av=0xbfa2a254) at main.c:83
#6 0x08049b0d in main (ac=-1079860696, av=0xb7b4aebc) at main.c:90
(gdb)
Ticket: 6 Reported by: zarul on Sun Jul 22 08:15:36 2007
attachment: 14_hitb.c/
attachment: 16_daemon01.tar.bz2/
kernimage.c mentioned in the Makefile at http://www.eresi-project.org/browser/trunk/libkernsh/user?rev=930 seems to be missing
Ticket: 47 Reported by: anonymous on Wed Mar 26 02:57:02 2008