Introduction
What is BinCAT?
BinCAT is a static Binary Code Analysis Toolkit, designed to help reverse engineers, directly from IDA or using Python for automation.
It features:
- value analysis (registers and memory)
- taint analysis
- type reconstruction and propagation
- backward and forward analysis
- use-after-free and double-free detection
In action
You can check (an older version of) BinCAT in action here:
Check the tutorial out to see the corresponding tasks.
Quick FAQ
Supported host platforms:
- IDA plugin: all, version 7.4 or later (Only Python 3 is supported)
- analyzer (local or remote): Linux, Windows, macOS (maybe)
Supported CPU for analysis (for now):
- x86-32
- x86-64
- ARMv7
- ARMv8
- PowerPC
Installation
Only IDA v7.4 or later is supported
Older versions may work, but we won't support them.
Binary distribution install (recommended)
The binary distribution includes everything needed:
- the analyzer
- the IDA plugin
Install steps:
- Extract the binary distribution of BinCAT (not the git repo)
- In IDA, click on "File -> Script File..." menu (or type ALT-F7)
- Select
install_plugin.py
- BinCAT is now installed in your IDA user dir
- Restart IDA
Manual installation
Analyzer
The analyzer can be used locally or through a Web service.
On Linux:
- Using Docker: Docker installation instructions
- Manual: build and installation instructions
On Windows:
IDA Plugin
BinCAT should work with IDA on Wine, once pip is installed:
- download https://bootstrap.pypa.io/get-pip.py (verify it's good ;)
~/.wine/drive_c/Python/python.exe get-pip.py
Using BinCAT
Quick start
-
Load the plugin by using the
Ctrl-Shift-B
shortcut, or using theEdit -> Plugins -> BinCAT
menu -
Go to the instruction where you want to start the analysis
-
Select the
BinCAT Configuration
pane, click<-- Current
to define the start address -
Launch the analysis
Configuration
Global options can be configured through the Edit/BinCAT/Options
menu.
Default config and options are stored in $IDAUSR/idabincat/conf
.
Options
- "Use remote bincat": select if you are running docker in a Docker container
- "Remote URL": http://localhost:5000 (or the URL of a remote BinCAT server)
- "Autostart": autoload BinCAT at IDA startup
- "Save to IDB": default state for the
save to idb
checkbox
Documentation
A manual is provided and check here for a description of the configuration file format.
A tutorial is provided to help you try BinCAT's features.
Article and presentations about BinCAT
- SSTIC 2017, Rennes, France: article (english), slides (french), video of the presentation (french)
- REcon 2017, Montreal, Canada: slides, video
Licenses
BinCAT is released under the GNU Affero General Public Licence.
The BinCAT OCaml code includes code from the original Ocaml runtime, released under the LGPLv2.
The BinCAT IDA plugin includes code from python-pyqt5-hexview by Willi Ballenthin, released under the Apache License 2.0.
BinCAT includes a modified copy of newspeak.
Automated builds
Windows
Automated builds are performed automatically (see azure-pipelines.yml). The latest builds and test results can be accessed here
Linux
Automated builds are performed automatically using GitHub Actions (see here), results can be obtained on GitHub's Actions tab.