Skip to content

phulin/symbolic-trace

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

195 Commits

types

types

 
 

.gitignore

.gitignore

 
 

AppList.hs

AppList.hs

 
 

Eval.hs

Eval.hs

 
 

Expr.hs

Expr.hs

 
 

Instances.hs

Instances.hs

 
 

Main.hs

Main.hs

 
 

Memlog.hs

Memlog.hs

 
 

Options.hs

Options.hs

 
 

Pretty.hs

Pretty.hs

 
 

README.md

README.md

 
 

Setup.lhs

Setup.lhs

 
 

atoi.c

atoi.c

 
 

euclid.c

euclid.c

 
 

invsqrt.c

invsqrt.c

 
 

symbolic-trace.cabal

symbolic-trace.cabal

 
 

twentytwo.c

twentytwo.c

 
 

Repository files navigation

RESET

Reverse Engineering through Symbolic Execution of Traces: Symbolic execution of LLVM IR traces for program understanding.

To evaluate a trace, first run:

cabal configure
cabal build --ghc-options="-rtsopts"

Then, to run a program, grab a trace

dist/build/Eval/Eval -q <qemu_build_dir> <program> <program-args>

The qemu_build_dir should be the build directory, such as ~/qemu/x86_64-linux-user.

For a trace in whole-system mode, you need to gather the trace manually. First, make a PANDA record/replay recording of the execution you want to look at. Next, use Volatility or a similar tool to find the CR3 you're looking for, and then run a command like

echo "begin_replay <recording>" | ~/qemu/i386-softmmu/qemu-system-i386 -panda-plugin ~/qemu/i386-softmmu/panda_plugins/panda_llvm_trace.so -panda-arg llvm_trace:cr3=0xDEADBEEF -monitor stdio ~/win7.1.qcows2

followed by

dist/build/Eval/Eval

You can do Eval --help to see a list of command line options. By default, PANDA stores trace information in /tmp; if you want to change this, use Eval -d and qemu -panda-arg llvm_trace:base=/other/dir. Eval will also probably run out stack space; increase that by adding the arguments +RTS -K1G -RTS, where the 1G specifies 1 GB of stack space.

This will start a server that accepts JSON requests for symbolic execution data from the RESET IDA plugin (github.com/phulin/RESETPlugin)

Files

  • types/: Definitions of basic types. This is in a separate Cabal package due to GHC bug #3333 - you can't have Template Haskell code in a package that links to C++ code. We use TH for the JSON parsing; aeson provides a nice auto-serialization interface.
  • AppList.hs: Definition of a linked list type which is optimized for appending; we use this instead of normal List for pretty much everything.
  • Memlog.hs: Functions for parsing and processing the Panda dynamic log
  • Instances.hs: Miscellanous instances of Show, mostly for debugging
  • Options.hs: Definition and parsing of command-line arguments.
  • Pretty.hs: The Pretty class for pretty-printing; probably could be done in a much nicer way
  • Expr.hs: Operations for working with our expression format
  • Eval.hs: Main functions - meat of the symbolic evaluation engine
  • Main.hs: Server code and command-line argument processing, etc

About

Symbolic execution of LLVM IR traces for program understanding.

Resources

Readme
Activity

Stars

16 stars

Watchers

4 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages