A fast disassembler which is accurate enough for the resulting assembly code to be reassembled. The disassembler implemented using the datalog (souffle) declarative logic programming language to compile disassembly rules and heuristics. The disassembler first parses ELF file information and decodes a superset of possible instructions to create an initial set of datalog facts. These facts are analyzed to identify code location, symbolization, and function boundaries. The results of this analysis, a refined set of datalog facts, are then translated to the GTIRB intermediate representation for binary analysis and reverse engineering. The GTIRB pretty printer may then be used to pretty print the GTIRB to reassemblable assembly code.
ddisasm uses C++17, and requires a compiler which supports that standard such as gcc 7, clang 6, or MSVC 2017.
To build and install ddisasm, the following requirements should be installed:
- Capstone, version 4.0.1 or later
- Souffle, version 1.7.0 and 1.7.1
- Must be configured with support for 64 bit numbers (via
- Must be configured with support for 64 bit numbers (via
- libehp, version 1.0.0 or higher
- LIEF, version 0.10.0 or higher
Note that these versions are newer than what your package manager may provide by default: This is true on Ubuntu 18, Debian 10, and others. Prefer building these dependencies from sources to avoid versioning problems. Alternatively, you can use the GrammaTech PPA to get the correct versions of the dependencies.
sudo add-apt-repository ppa:maarten-fonville/protobuf sudo add-apt-repository ppa:mhier/libboost-latest echo "deb https://grammatech.github.io/gtirb/pkgs/xenial ./" | sudo tee -a /etc/apt/sources.list.d/gtirb.list sudo apt-get update
sudo add-apt-repository ppa:mhier/libboost-latest echo "deb [trusted=yes] https://grammatech.github.io/gtirb/pkgs/bionic ./" | sudo tee -a /etc/apt/sources.list.d/gtirb.list sudo apt-get update
Use the following options to configure cmake:
You can tell CMake which compiler to use with
You can tell CMake about the paths to its dependencies as follows:
||Path to the LIEF installation dir|
||Path to the GTIRB installation dir|
||Path to the gtirb-pprinter build dir|
- ddisasm can make use of GTIRB in static library form (instead of
shared library form, the default) if you use the flag
Once the dependencies are installed, you can configure and build as follows:
$ cmake ./ -Bbuild $ cd build $ make
Installing ddisasm on ubuntu16 and 18
Packages for Ubuntu 16 and 18 are available in the GTIRB apt repository. Ddisasm has some dependencies which are not available in the official repositories, and so certain PPAs must be added to the system in order for Ddisasm to be installed.
Instructions for adding the appropriate PPAS are listed above, and can be used to install ddisasm as described below.
sudo apt-get install --allow-unauthenticated ddisasm
sudo apt-get install ddisasm
Running the analysis
ddisasm is built, we can run complete analysis on a file by
build/bin/ddisasm'. For example, we can run the analysis on one
of the examples as follows:
cd build/bin && ./ddisasm ../../examples/ex1/ex --asm ex.s
Ddisasm accepts the following parameters:
: produce help message
: GTIRB output file
: GTIRB json output file
: ASM output file
: if the assembly code is printed, it is printed with debugging information
: location to write CSV files for debugging
-K [ --keep-functions ] arg
: Print the given functions even if they are skipped by default (e.g. _start)
: This option is useful for debugging. Use relocation information to emit a self diagnosis
of the symbolization process. This option only works if the target
binary contains complete relocation information. You can enable
ld using the option
-F [ --skip-function-analysis ]
: Skip additional analyses to compute more precise function boundaries.
-j [ --threads ]
: Number of cores to use. It is set to the number of cores in the machine by default.
Rewriting a project
The directory tests/ contains the script
rewrite and test a complete project.
a project using the compiler and compiler flags specified in the
enviroment variables CC and CFLAGS (
make -e), rewrites the binary
and run the project tests on the new binary.
We can rewrite ex1 as follows:
cd examples/ex1 make ddisasm ex --asm ex.s gcc ex.s -o ex_rewritten
tests/ also contains a script
rewriting the examples in
/examples with different compilers and
Please read the DDisasm Code of Conduct.
Please follow the Code Requirements in gtirb/CONTRIBUTING.
We ask that all contributors complete our Contributor License
Agreement (CLA), which can be found at
and email the completed form to
CLA@GrammaTech.com. Under this
agreement contributors retain the copyright to their work but grants
GrammaTech unlimited license to the work.
AuxData generated by ddisasm
ddisasm generates the following AuxData tables:
||UUIDs of the blocks that are entry points of functions.|
||UUIDs of the blocks that belong to each function.|
||Map from symbols to other symbols. This table is used to forward symbols due to relocations or due to the use of plt and got tables.|
||Map from (typed) data objects to the encoding of the data, expressed as a
||Map from section UUIDs to tuples with the ELF section types and flags.|
||Map from Offsets to vector of cfi directives. A cfi directive contains: a string describing the directive, a vector of numeric arguments, and an optional symbolic argument (represented with the UUID of the symbol).|
||Names of the libraries that are needed.|
||Paths contained in the rpath of the binary.|
||Offset of padding in a ByteInterval and the padding length in bytes.|
||The intra-procedural SCC identifier of each block|
||Map from an Offset of a symbolic expression in a ByteInterval to its extent, a size in bytes.|