
TheLibMjollnir

Rafał Leśniak edited this page Apr 24, 2016 · 1 revision

The Control Flow Analysis and Fingerprinting library : libmjollnir

Libmjollnir is the control flow analysis and fingerprinting component of the ERESI framework. As such, it is the home of all the original API for graph-based analysis in ERESI. It can build control flow graphs and call graphs (with facilities for handling function pointers), perform an 'unstrip', fingerprint functions using hashing algorithms like MD5, and prepare control flow and function call graphs that can be accessed through the containers API (ELFsh can export them into graphviz .dot files and show the graphs in your favorite image viewing program; see the graph command).

The main features of this library are :

  • API and generic container data structures for binary analysis.
  • Construction of Control Flow Graphs.
  • Construction of Call graphs.
  • Fingerprinting of function blocks using hashing algorithms.
  • 'Recovery' (unstrip without original names) of the symbol table.
  • Function pointers recognition.
  • Entry Point Fingerprinting.

Latest news for libmjollnir

  • January 2007 - Control flow and Call graphs have been built on top of containers - unified data structures
  • February 2006 - Modflow has been merged in libmjollnir.
  • January 2006 - First operational release.
  • December 2005 - Ported ELFsh / Modflow to FreeBSD and improved function pointers recognition to create better Control Flow Graphs.

Portability of libmjollnir

Libmjollnir supports mostly i386 and SPARC32 objects. Only a little work is needed to add an architecture, provided you have libasm support for it.

Feature                          IA32     Sparc    Mips
Computing of Control flow graph  Yes      Yes      Yes
Computing of Call Graphs         Yes      Yes      Yes
Entry Point Fingerprinting       Yes      Yes      Yes
Unstrip without original names   Yes      Yes      Yes
Function Fingerprinting (MD5)    Yes      Yes      Yes
Function pointers recognition    Partial  Partial  Partial

Unavailable features are open for contribution, provided nobody else has already taken over the implementation of the feature on the bts.

Examples

We want to show you the advantages these features bring when, for example, you analyse stripped ELF objects.

Unstrip

Most of you will want to use your favorite debugger to analyse ELF objects. When a binary is stripped, setting breakpoints can be very hard and really inefficient; ELFsh can help you recover the symbol table. You have to load the object, analyse it and store the result on your hard disk.

%objdump -t /bin/cat

/bin/cat:     file format elf32-i386-freebsd

SYMBOL TABLE:
no symbols

(elfsh-0.78-b3-tst@local) load /bin/cat


 [*] Sun Jul  8 21:33:10 2007 - New object loaded : /bin/cat
 [*] New object dependences loaded : /lib/libc.so.6

(elfsh-0.78-b3-tst@local) analyse

 .: mjollnir : performing object analysis
 [*] Entry point: 8048abc
 [*] _start found at 8048abc
 [*] locating call to .init: 8048888
 [*] FreeBSD-like start
 [*] main located at 804957c
 [*] Found function pointer at 8048b6c
 [*] Found function pointer at 804973f
...

 [*] Saving .edfmt.blocks section of 8440 bytes 
 [*] Saving .edfmt.bcontrol section of 7152 bytes
 .: mjollnir : object analysis completed successfully.
(elfsh-0.78-b3-tst@local) save /tmp/cat.new


 [*] Object /tmp/cat.new saved successfully 

(elfsh-0.78-b3-tst@local) quit


 [+] Unloading workspace : 0 (local) *
        [*] Unloading object 1 (/bin/cat) * 
        [*] Unloading object 2 (/lib/libc.so.6)   
         .:: Bye -:: The ELF shell 0.78 

 [*] Removing 2 FIFO from server side 

%file /bin/cat /tmp/cat.new && ( echo '123456' | /tmp/cat.new )
/bin/cat:     ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), 
              dynamically linked (uses shared libs), stripped
/tmp/cat.new: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), 
              dynamically linked (uses shared libs), not stripped
123456

%objdump -t /tmp/cat.new

/tmp/cat.new:     file format elf32-i386-freebsd

SYMBOL TABLE:
080480d4 l    d  .interp        00000015 .interp
080480ec l    d  .hash  0000016c .hash
08048258 l    d  .dynsym        00000340 .dynsym
...
08048abc l     F .text  00000000 _start
0804a960 l     O .got   00000000 _GLOBAL_OFFSET_TABLE_
08048a8c l     F *UND*  00000000 sub_8048A8C
080488ac l     F *UND*  00000000 sub_80488AC
...

Recognition of functions called by pointers

In order to recover as many symbols/functions as possible, we need to recognize so-called 'function pointers'. Libmjollnir does recognize functions called through pointers. This feature was introduced in modflow.

Objdump:
...
804ce26:       a1 ac e3 04 08          mov    0x804e3ac,%eax
804ce2b:       eb 0a                   jmp    0x804ce37
804ce2d:       8d 76 00                lea    0x0(%esi),%esi
804ce30:       83 eb 04                sub    $0x4,%ebx
804ce33:       ff d0                   call   *%eax
...

elfsh:
(during analyse)

[*] Found function pointer at 804ce33
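The recognition shown above boils down to spotting indirect call instructions (opcode FF /2, e.g. `call *%eax`) while walking the disassembly. The following toy detector is an added example, not libmjollnir's own code: it walks a constructed byte string (the objdump excerpt above, starting at 0x804ce26) with a minimal length decoder that covers only the opcodes present in that excerpt, whereas the real library gets exact instruction sizes from libasm.

```python
"""Toy i386 'function pointer' (indirect call) detector, added example only."""

BASE = 0x804CE26
# Constructed input: the bytes of the objdump excerpt shown above.
CODE = bytes.fromhex(
    "a1ace30408"   # mov    0x804e3ac,%eax
    "eb0a"         # jmp    0x804ce37
    "8d7600"       # lea    0x0(%esi),%esi
    "83eb04"       # sub    $0x4,%ebx
    "ffd0"         # call   *%eax   <- called through a pointer
)

def modrm_len(code, i):
    """Bytes used by the ModRM block starting at code[i] (ModRM, SIB, disp)."""
    modrm = code[i]
    mod, rm = modrm >> 6, modrm & 7
    n = 1
    if mod != 3 and rm == 4:              # a SIB byte follows
        n += 1
        if mod == 0 and code[i + 1] & 7 == 5:
            n += 4                        # SIB with no base register: disp32
    if mod == 1:
        n += 1                            # disp8
    elif mod == 2 or (mod == 0 and rm == 5):
        n += 4                            # disp32
    return n

def insn_len(code, i):
    """Length of the instruction at code[i]; only the excerpt's opcodes are known."""
    op = code[i]
    if op == 0xA1:                        # mov moffs32,%eax
        return 5
    if op == 0xEB:                        # jmp rel8
        return 2
    if op in (0x8D, 0xFF):                # lea r32,m / group 5 (call, jmp, push)
        return 1 + modrm_len(code, i + 1)
    if op == 0x83:                        # group 1 r/m32, imm8
        return 1 + modrm_len(code, i + 1) + 1
    raise ValueError("opcode %#x not handled by this toy decoder" % op)

def find_function_pointers(code, base):
    """Return the addresses of indirect calls (FF /2): reg field of ModRM == 2."""
    found, i = [], 0
    while i < len(code):
        if code[i] == 0xFF and (code[i + 1] >> 3) & 7 == 2:
            found.append(base + i)
        i += insn_len(code, i)
    return found

if __name__ == "__main__":
    for addr in find_function_pointers(CODE, BASE):
        print("[*] Found function pointer at %x" % addr)   # 804ce33, as elfsh reports
```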

Dependencies

The fingerprinting library depends on other components from the ERESI framework :

  • libasm : the disassembly library (useful to know the exact size of Intel instructions when re-encoding opcodes).
  • libaspect : the types specification library, for exporting its vectors, hash table and profiling API.
  • libelfsh : the ELF shell library, the binary manipulation library of the ELF shell.

Articles featuring libmjollnir