CodeReason is a semantic binary code analysis framework and toolset. The tool RopTool discovers ROP gadgets in ARM, X86 and X86-64 binaries by providing pre- and post-conditions for the CPU and memory context using Lua scripts. Examples of other tools that can be created with CodeReason are available in the tools/ directory.
CodeReason builds on Linux and OS X. Windows builds are currently broken. Help us fix them! CodeReason depends on:
- LibVEX with custom patches to support static analysis
- gtest for unit tests
- lua for the user interface
- capstone for pretty printing disassembly
On Ubuntu:

```sh
sudo ./install_deps.sh
./make.sh
```

On OS X:

```sh
brew update && brew install cmake boost protobuf git
./install_vex.sh
./make.sh
```
Several helper scripts are available:
- install_deps.sh installs Ubuntu dependencies,
- make.sh creates a full build,
- recompile.sh recompiles CodeReason, and
- package.sh creates a Debian package.

See our Travis-CI configuration for more details about building.
The Lua script bindings are defined in libs/VEE/VEElua.cpp. These bindings provide a way of describing CPU register values and memory contents to the VEX Execution Engine (VEE) which analyzes binary code.
The most common functions are:
- putreg - writes a value to a register: `vee.putreg(v, R1, 32, 80808080)`
- putmem - writes a value at an address: `vee.putmem(v, 0x40000000, 32, 0x20202020)`
- getreg - reads a value from a register: `vee.getreg(v, R15, 32)`
- getmem - reads a value from memory: `vee.getmem(v, 0x40000000, 32)`
For additional examples, check the scripts/ directory.
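As an added example (not one of the project's own scripts), here is a Lua pre/post-condition pair built from the bindings above that flags blocks whose final control transfer goes to an address supplied by a register or by the stack. Only the `vee.putreg`/`vee.putmem`/`vee.getreg` calls and the `R1`/`R15` names come from the page; the `pre`/`post` entry-point names, the boolean return convention, the `R0`, `R2`, `R3` and `R13` constants and the 32-bit ARM register width are assumptions.

```lua
-- Sentinel values: each register is seeded with a distinct, easily
-- recognisable constant, so that reading the program counter afterwards
-- tells us which register supplied the branch target.
-- (Constructed values; any distinct constants would do.)
local sentinels = {
  [R0] = 0x10101010,   -- assumed constant name, by analogy with R1/R15
  [R1] = 0x20202020,
  [R2] = 0x30303030,   -- assumed
  [R3] = 0x40404040,   -- assumed
}

-- A word placed on the (seeded) stack, so that a block which loads its
-- branch target through memory, e.g. a pop into pc, is also flagged.
local STACK_BASE     = 0x40000000
local STACK_SENTINEL = 0x50505050

-- Pre-condition: describe the CPU/memory context before the candidate
-- block runs. `pre` is an assumed entry-point name; `v` is the VEE
-- context handle, as in the page's own calls.
function pre(v)
  for reg, value in pairs(sentinels) do
    vee.putreg(v, reg, 32, value)
  end
  vee.putreg(v, R13, 32, STACK_BASE)          -- assumed: R13 is the stack pointer
  vee.putmem(v, STACK_BASE, 32, STACK_SENTINEL)
end

-- Post-condition: inspect the context after the block executed.
-- Returns true (assumed convention) when the new PC equals one of the
-- seeded values, i.e. the block's control flow was decided entirely by
-- state it did not compute itself, which is what makes it a gadget.
function post(v)
  local pc = vee.getreg(v, R15, 32)           -- R15 is the program counter on ARM
  for _, value in pairs(sentinels) do
    if pc == value then
      return true
    end
  end
  return pc == STACK_SENTINEL
end
```

Blocks that pass `post` are the ones an auditor would want listed when assessing how much gadget surface a binary exposes; a block that falls through to the next instruction, or branches to a fixed address, never matches a sentinel.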
RopTool takes a binary and a Lua script as input and writes its results to stdout.

```sh
./build/bin/RopTool -a x64 -c ./scripts/x64/call_reg.lua -f ./tests/ELF/ls_x64
```
BlockExtract reads in a binary and outputs a database file containing block information. This can be useful when analyzing large binaries that take a long time to extract code blocks. Currently only 64-bit block extraction is supported.

```sh
./build/bin/BlockExtract -f ./tests/ELF/ls_x64 -a x64 --blocks-out ./blockdbfile
```
BlockReader consumes the block database created by BlockExtract. It may be useful when debugging information stored inside of blocks. VEX output is printed to stdout.

```sh
./build/bin/BlockReader -d ./blockdbfile
```
ImgTool is a test program that prints information about executable code sections found in a binary.

```sh
./build/bin/ImgTool -a x64 -f ./tests/MachO/ls_FAT_x86_x64
```

```
In file ./tests/MachO/ls_FAT_x86_x64 found 6 +X sections
------------------
Section of arch AMD64 beginning at 0x1778 of size 0x3635
------------------
Section of arch AMD64 beginning at 0x4dae of size 0x1bc
------------------
Section of arch AMD64 beginning at 0x4f6c of size 0x2f4
------------------
Section of arch AMD64 beginning at 0x5260 of size 0x568
------------------
Section of arch AMD64 beginning at 0x57c8 of size 0xa0
------------------
Section of arch AMD64 beginning at 0x5868 of size 0x798
------------------
```
Originally developed by Andrew Ruef under contract for DARPA Cyber Fast Track.
Contributions made by: