RADARE: Easing binary analysis for fun and profit

Joint TF-CSIRT/FIRST Meeting

Tuesday — January 29th, 2008 11:10

The project aims to create a complete free *nix-like toolchain for working with binary files.

Its core is a command-line, block-based hexadecimal editor which handles everything as a file: a process, a file, a disk or memory. This flexibility offers nice scripting features which can be mixed with Perl, Python and Vala.

A data block can be visualized in whatever way you want, making it easier to recognize data structures. One of these print formats is a disassembler, which currently supports the intel, arm, powerpc, m68k and java architectures. Here's a pseudocode representation of an intel program.
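To make the block model concrete, here is an added Python example (not code from radare or from the talk): a buffer is read in blocks from a cursor position, and the same block is rendered through several print formats, as a classic hexdump, as 32-bit words, and as a parsed ELF32 header the way rabin would summarize it. The sample buffer is constructed for the example and only mimics the first 32 bytes of an x86 ELF header.

```python
import struct

# Constructed sample buffer (not taken from the talk): the first 32 bytes of a
# hypothetical 32-bit little-endian x86 ELF file.
SAMPLE = bytes.fromhex(
    "7f454c46" "01010100" "00000000" "00000000"
    "02000300" "01000000" "a0830408" "34000000"
)


def read_block(data, offset, size):
    """Return the block of at most `size` bytes at `offset` (cursor + block size model)."""
    if offset < 0 or offset > len(data):
        raise ValueError("offset outside the file")
    return data[offset:offset + size]


def fmt_hex(block, base=0, width=16):
    """Print format 1: offset, hex pairs and printable ASCII, one line per `width` bytes."""
    lines = []
    for i in range(0, len(block), width):
        chunk = block[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{base + i:08x}  {hexpart:<{width * 3 - 1}}  |{asc}|")
    return lines


def fmt_words(block, base=0, little_endian=True):
    """Print format 2: the same bytes as (offset, 32-bit word) pairs."""
    fmt = "<I" if little_endian else ">I"
    words = []
    for i in range(0, len(block) - len(block) % 4, 4):
        (w,) = struct.unpack(fmt, block[i:i + 4])
        words.append((base + i, w))
    return words


def fmt_elf32_header(block):
    """Print format 3: interpret the block as the start of an ELF32 header.

    Returns None when the magic does not match, so the caller can fall back
    to a raw view instead of misreading arbitrary bytes as a structure.
    """
    if len(block) < 28 or block[:4] != b"\x7fELF":
        return None
    # e_type, e_machine, e_version, e_entry follow the 16-byte e_ident.
    e_type, e_machine, e_version, e_entry = struct.unpack_from("<HHII", block, 16)
    return {
        "class": block[4],        # 1 = ELF32
        "data": block[5],         # 1 = little-endian
        "e_type": e_type,         # 2 = executable
        "e_machine": e_machine,   # 3 = x86
        "e_entry": e_entry,
    }


if __name__ == "__main__":
    block = read_block(SAMPLE, 0, 32)
    print("\n".join(fmt_hex(block)))
    for off, w in fmt_words(block):
        print(f"0x{off:08x}  0x{w:08x}")
    print(fmt_elf32_header(block))
```

The useful property for reverse engineering is that the three views are interchangeable over the same block: a hexdump shows the `.ELF` magic, the word view shows the little-endian entry point `0x080483a0`, and the structured view names the fields, all without re-reading the file.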

radare comes with some other utilities:

  • radare: command line hexadecimal editor with IO plugin extensions
  • rabin: get info from ELF/MZ/PE/CLASS files
  • rasc: shellcode generator and tester (outputs in raw, hexpairs or C)
  • xrefs: find cross references in raw images for ppc, arm and x86
  • hasher: compute different hash algorithms over data blocks of a file or stream
  • rsc: command line helpers written in shellscript or perl
  • javasm: minimalistic java assembler/disassembler/classdumper
  • armasm: minimalistic arm assembler
  • xc: converts between multiple radix numeric bases

The abstraction layer is provided by IO plugins, which wrap all the open/read/write/seek calls:

  • ewf EnCase (R) forensic disk images
  • winedbg WineDebugger interface ( winedbg://./program.exe )
  • haret Remotely read WindowsCE memory ( haret://host:port )
  • ptrace Debug or attach to a process ( dbg://file or pid://PID )
  • sysproxy Connects to a remote syscallproxy server
  • remote TCP IO ( listen://:port or connect://host:port )
  • gdb Debug or attach to a process using gdb (gdb://file, gdb://PID, gdb://host:port)
  • w32 POSIX-style IO on top of the native Win32 API
  • posix plain posix file access

Currently the debugging IO layer works on *BSD and Linux on x86 and arm. A w32 port is planned.

Here's the list of current features:

  • Support for x86/arm on Linux and *BSD
  • step / step-over
  • dump / restore memory and cpu state from/to disk (step-back)
  • continue / until user code / until syscall / until fork
  • trace execution (running TRACECMD at a certain debug level)
  • file descriptor manipulation
  • thread support on linux
  • memory allocation on the child process
  • process memory maps permissions manipulation
  • map files on process memory
  • run syscalls on the child process
  • DRx (x86 debug register) control on Linux
  • breakpoints / watchpoints (hardware and software) support
  • conditional watchpoint expressions
  • force core dump, jmps and calls
  • trace user code execution to disk
  • signal manipulation
  • process tree
  • code analysis

Presenters

  • Roman Valls (esCERT-UPC, ES)

Presentation files

valls-roman-slides.pdf

Type: Slides

Format: application/pdf

Last Update: February 12th, 2008

Size: 432.17 KB