elfmaster/binflow elfmaster/binflow

  • Stars
    star
    107
  • Rank 323,587 (Top 7 %)
  • Language
    C++
  • Created over 9 years ago
  • Updated about 6 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
elfmaster/binflow
github

elfmaster

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

This is the new ftrace (https://github.com/elfmaster/ftrace) - Much faster, better resolution but not complete yet! :) 
DISCLAIMER: This software sucks, I wrote it in about a day, and never finished it. The code base is terrible!
Feel free to use the code if it helps you, but realize that it was a half-baked prototype that I never completed.
The idea is to write a version of github.com/elfmaster/ftrace that sets breakpoints instead of singlestepping naively.
There is an even faster method which avoids the use of ptrace all together, and will be possible to write quite easily
once this ul_exec_trace debugging functionality is added into github.com/elfmaster/libelfmaster

With that said:

binflow v0.0.1

This software is a re-design of ftrace (https://github.com/elfmaster/ftrace)
which was somewhat popular but has some naive implementation qualities that
make it slow, and not suitable for some applications. 

binflow is much faster, and has better argument resolution and will be able
to handle multi-threaded applications/processes. Currently it is only 30%
complete and does not yet handle return values.

Stay tuned. Here is an example of binflow tracing a binary that was compiled
from the following source code:

int f(int a, int b, int c)
{
	printf("%d, %d, %d\n", a, b, c);
}

int main(void)
{
	int j = 0;
	int i;
	char *ptr = strdup("Hello");
	char buf[255];
	strncpy(buf, "hello", 8);
	printf("%s\n", buf);
	printf("%s\n", ptr);
	f(3, 2, 1);
	for (i = 0; i < 3; i++)
		f(1 + i, 2, 3 + i);
}

$ ./binflow -s -b ./test
PLT_call@0x4005b4: __libc_start_main()
LOCAL_call@0x4007ae: _init()
LOCAL_call@0x4006d3: strdup("Hello")
PLT_call@0x4006f3: strncpy((stack_t *)7fffef7a1c90, "hello", 0x8)
PLT_call@0x400702: puts("hello")
hello
PLT_call@0x400711: puts("Hello")
Hello
LOCAL_call@0x400725: f(0x3, 0x2, 0x1)
PLT_call@0x4006a3: printf("%d, %d, %d\n", 0x3, 0x2, 0x2)
3, 2, 1
LOCAL_call@0x40074f: f(0x1, 0x2, 0x3)
PLT_call@0x4006a3: printf("%d, %d, %d\n", 0x1, 0x2, 0x2)
1, 2, 3
LOCAL_call@0x40074f: f(0x2, 0x2, 0x4)
PLT_call@0x4006a3: printf("%d, %d, %d\n", 0x2, 0x2, 0x2)
2, 2, 4
LOCAL_call@0x40074f: f(0x3, 0x2, 0x5)
PLT_call@0x4006a3: printf("%d, %d, %d\n", 0x3, 0x2, 0x2)
3, 2, 5
$

More Repositories

1

libelfmaster

Secure ELF parsing/loading library for forensics reconstruction of malware, and robust reverse engineering tools
C
403
star
2

ftrace

POSIX Function tracing
C
323
star
3

skeksi_virus

Devestating and awesome Linux X86_64 ELF Virus
C
221
star
4

ecfs

extended core file snapshot format
C
219
star
5

maya

Highly advanced Linux anti-exploitation and anti-tamper binary protector for ELF.
C
151
star
6

dsym_obfuscate

Obfuscates dynamic symbol table
C
134
star
7

saruman

ELF anti-forensics exec, for injecting full dynamic executables into process image (With thread injection)
C
126
star
8

kdress

Transform vmlinuz into a fully debuggable vmlinux that can be used with /proc/kcore
C
121
star
9

dt_infect

ELF Shared library injector using DT_NEEDED precedence infection. Acts as a permanent LD_PRELOAD
C
106
star
10

sherlocked

Universal script packer-- transforms any type of script into a protected ELF executable, encrypted with anti-debugging.
Objective-C
102
star
11

linker_preloading_virus

An example of hijacking the dynamic linker with a custom interpreter who loads and executes modular viruses
C
58
star
12

taskverse

A tool like /bin/ps but uses /proc/kcore for walking the tasklist; this finds hidden processes
C
56
star
13

libelfmaster_examples

Simple ELF tools written to demonstrate libelfmaster capabilities.
C
37
star
14

kprobe_rootkit

Linux kernel rootkit using kprobes (From http://phrack.org/issues/67/6.html)
C
35
star
15

ecfs_exec

Be able to execute memory snapshots so they can start running where they left off.
C
34
star
16

static_binary_mitigations

relros.c applies RELRO to static binaries, and static_to_dyn.c applies ASLR to static binaries.
C
32
star
17

shiva

Shiva is a programmable dynamic linker for loading ELF microprograms
Roff
29
star
18

davinci

Transforms any file into a protected ELF executable
C
26
star
19

scop_virus_paper

ELF Virus infection techniques that work with SCOP (Secure code partitioned) executables
C
14
star
20

fork_trace

C++
10
star
21

avu32

anti virus 32bit. my first attempt (in 2008) to write prototype for detecting/disinfecting unix ELF viruses
C
8
star
22

canaryism

Canaryism will tell you which functions are protected with gcc stack canaries
C
6
star
23

packt_book

C
6
star
24

interpx_documentation

4
star
25

shiva_blogposts

Multiple blogposts are maintained here.
3
star
26

shiva_presentations

2
star
27

unix_virus_anniversary

2
star
28

veriexec.linux

Veriexec implementation for Linux
C
2
star
29

poetry

Transcribing my poetry from 19yrs ago
1
star