From YobiWiki
BinNavi is a binary analysis IDE that allows to inspect, navigate, edit and annotate control flow graphs and call graphs of disassembled code.
It relies on
project is an attempt to remove that dependency and build on top of
Metasm is a cross-architecture assembler, disassembler, compiler, linker and debugger.
It has some advanced features such as live process manipulation, GCC/Microsoft Visual Studio-compatible preprocessor, automatic backtracking in the disassembler (similar to "slicing"), C headers shrinking, linux/windows/remote debugging API interface, a C compiler/decompiler, a gdb-server compatible debugger, and various advanced features. It is written in pure Ruby, with no dependency.
Intel IA32 (16/32/64bits), MIPS, PPC. Ongoing: ARM
MZ, PE/COFF (32 and 64 bits), ELF (32 and 64 bits), Mach-O (incomplete) and UniversalBinary
Windows, Linux, Mac OS X
HLA disassembler
Useful commands:
decompile /tmp/myprog.c
click on a function in the "Project" function list to HLA disass it
Intel (32 and 64bits), and ARM (ARMv6, ARMv7 and ARM64) processors
Mach-O binaries (Mac and iOS), PE32/32+/64 Windows binaries and ELF binaries
decompiler
ARM, ARM64 (ARMv8), Mips, PowerPC, Sparc, SystemZ & Intel
X86 Encoder Decoder Software Library
The reverse engineering framework
synced with mercurial repo
Amoco is a python package dedicated to the (static) analysis of binaries
Very young but promising, seems easy to add an arch
With BBL symbolic execution
Miasm is a free and open source (GPLv2) reverse engineering framework. Miasm aims at analyzing/modifying/generating binary programs:
opening/modifying/generating PE/ELF 32/64 le/be using Elfesteem
Assembling/Disassembling ia32/ppc/arm
Representing assembly semantic using intermediate language
Emulating using jit (dynamic code analysis, unpacking, ...)
Expression simplification for automatic de-obfuscation
Medusa is a disassembler designed to be both modular and interactive. It runs on Windows and Linux
It actually can do more than static
(was called SmartDec)
Native code to C/C++ decompiler
x86 and x86-64 architectures, ELF and PE file formats
IDA Pro & standalone versions, for Windows
Standalone i86 Windows version runs fine under Wine
fcd is a LLVM-based native program decompiler.
There is support for custom optimization passes written in Python, helping users defeat custom obfuscation schemes.
Reverse engineering tool for x86/ARM/MIPS. Generates indented pseudo-C with colored syntax code.
diStorm3 is really a decomposer, which means it takes an instruction and returns a binary structure which describes it rather than static text, this is great for advanced binary code analysis
PyPEELF is a multi-platform binary editor written in Python, wxPython and BOA Constructor. It allows you to manage binary data in PE32, PE32+ (x64) and ELF binary files.
PyPEELF uses pefile to manage PE32 and PE32+ files and pyelf to manage ELF files. Besides, it uses winappdbg and pydasm in some others features like Task Running Viewer and Disassembling files.
PyPEELF was designed for Reverse Engineers who want to edit or visualize binary file data in multi-platforms. That is why PyPEELF runs under Windows and Unix/BSD operating systems
Support ELF & PE for Intel x86, ARM, ARM+Thumb, MIPS, PIC32, and PowerPC architectures
available!
Binwalk is a fast, easy to use tool for analyzing and extracting firmware images.
Portable Reverse Engineering Framework
apt-get install qtbase5-dev ...
A static analysis tool for binaries.
ELF/PE, x86/x64, IL RREIL, DBI PIN
A powerful hexadecimal editor
sudo apt-key adv --keyserver pgp.mit.edu --recv-keys A04A6C
sudo apt-get install apt-transport-https
echo "deb [arch=amd64,i386]
synalysis non-free" |sudo tee /etc/apt/sources.list.d/hexinator.list
sudo apt-get update
sudo apt-get install hexinator
A library for translating the semantics of native code to LLVM IR. McSema support translation of x86 machine code, including integer, floating point, and SSE instructions
Reverse engineering (x86 / elf) to pseudo-C
A Patch Analysis and Binary Diffing Tool
Online disassembler
file: -z to look inside compressed files, -s to read special files (block/character devices), e.g. /dev/sda1
file -k [-z] [-s] mybin
strings [-n min_length] -a -e [s|S|b|l|B|L] mybin
: bytecode, dex & VM instructions
A tool for converting Android’s .dex format to Java’s .class format
./d2j-dex2jar.sh myapp.apk
This returns a file myapp-dex2jar.jar
Then use Java decompilers: jad, jd-gui, cf below
Similar to dex2jar but newer and supposed to handle cases where dex2jar was failing
Dex to Java decompiler
smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android’s Java VM implementation
It is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes it possible to debug smali code step by step. Also it makes working with an app easier because of the project-like file structure and automation of some repetitive tasks like building the apk, etc.
apktool d myapp.apk
Swiss knife (was Apk Manager)
Contains apktool, smali/baksmali etc
for Linux release
9 decompile apk / 1 select apk / 9 decompile apk
Small script to prepare a sed script to inject resource strings into jad, to ease reversing.
Update: inject resource names for other resources than strings, will still be more explanatory than 0x7f123456
To be used e.g. after apktool / Apk Multi-Tool decompilation
#!/bin/bash
DECOMPILED_DIR=working/*apk/
# string resources: "<public type="string" name="..." id="0x7f..." />" -> "hexid decimalid name"
cat $DECOMPILED_DIR/res/values/public.xml|grep 'type="string"'|\
sed 's/.*name="\?//;s/" id="\?/ /;s/"\? \/>//'|\
awk --non-decimal-data '{print $2, int($2), $1}'\
> getstring-pub
# string values: "<string name="...">value</string>" -> "name value"
cat $DECOMPILED_DIR/res/values/strings.xml|grep '<string'|\
sed 's/.*name="\?//; s/"\?>/ /;s/<\/string>//;s/#/\\#/g'\
> getstring-str
# join on the resource name and emit one sed substitution per string id
join -1 3 -2 1 --nocheck-order getstring-pub getstring-str|\
sed 's/[^ ]\+ \([[:alnum:]]\+\) [[:alnum:]]\+ \(.*\)/s#\1#"\2"#/'\
> getstring-sed
rm getstring-pub getstring-str
# other resource types: replace the id by "type:name"
cat $DECOMPILED_DIR/res/values/public.xml|grep 'type="'|\
grep -v 'type="string"'|\
sed 's/.*type="\(.*\)" name="\(.*\)" id="\(.*\)" \/>/s#\3#\1:\2#/'\
>> getstring-sed
# setstrings step: apply the generated sed script to the decompiled .jad files
find $1 -name '*.jad' -exec sed -i -f getstring-sed {} \;
Soot is a Java bytecode analysis and transformation framework, now supporting Dalvik too.
Get soot.jar
java -jar soot.jar --help|less
SootDisassembleApkToJimple.sh
#In case you don't have the right platform android.jar, you can force using another one, e.g.:
#FORCEJAR="-force-android-jar /path/to/android-sdk-linux_x86/platforms/android-17/android.jar"
java -jar soot.jar -allow-phantom-refs -android-jars /path/to/android-sdk-linux_x86/platforms -src-prec apk -process-dir $1 -output-format jimple $FORCEJAR
SootAssembleJimpleToDex.sh
java -jar soot.jar -allow-phantom-refs -android-jars /path/to/android-sdk-linux_x86/platforms -src-prec jimple -process-dir sootOutput -output-format dex
mv sootOutput/classes.dex .
Example of reverse-engineering and modding APK with smali:
in APK-Multi-Tool-Linux working dir:
Drop myapp.apk in place-apk-here-for-modding/
./script.sh (and leave it always open in a separate window)
9 decompile / 1 select myapp.apk / 9 decompile
./getstrings
Copy apk to dex2jar working dir
Copy getstring-sed to jad working dir
in dex2jar working dir:
./d2j-dex2jar.sh myapp.apk
Copy myapp-dex2jar.jar to jad working dir (and/or jd-gui)
in jad working dir:
./unjar myapp-dex2jar.jar
./setstrings.sh myapp-dex2jar
Analyse .jad file and understand what to modify
in jd-gui working dir:
As alternative analysis can also be done with jd-gui directly on .jar file
in APK-Multi-Tool-Linux working dir:
In working/ find corresponding .smali file and modify it
(in script.sh windows) 13 compile/sign/install
A GUI wrapper for apktool.jar, dex2jar.bat and jad.exe on Windows.
Example of reverse-engineering and modding APK with Soot / jimple
in APK-Multi-Tool-Linux working dir:
Drop myapp.apk in place-apk-here-for-modding/
./script.sh (and leave it always open in a separate window)
1 extract apk
Copy apk to soot working dir
in soot working dir:
./SootDisassembleApkToJimple.sh myapp.apk
Analyse and modify sootoutput/*.jimple files
./SootAssembleJimpleToDex.sh
Copy classes.dex to overwrite APK-Multi-Tool-Linux/out/classes.dex
in APK-Multi-Tool-Linux working dir (in script.sh windows)
3 zip apk / 2 regular app
4 sign app
adb install place-apk-here-for-modding/repackaged-signed.apk
Dalvik Retargeting, a tool for converting Android’s .dex format to Java’s .class format
Retargeted .class:
./dare -d output_dir -e myapp.apk
Optimized retargeted .class: (using Soot, slow!)
./dare -o -d output_dir -e myapp.apk
Decompiled optimized retargeted .class: (using Soot, very slow!)
./dare -c -d output_dir -e myapp.apk
The goal of this project is to help analysts and reverse engineers to visualize compiled Android packages and their corresponding DEX code. APKInspector provides both analysis functions and graphic features for the users to gain deep insight into the malicious apps
Still beta and inactive for a year.
GUI around other tools
Reverse engineering, Malware analysis of Android applications … and more !
Seems to be able to tackle also dynamically loaded code, native code, reflection code
Java .dex file format decompiler
Inactive since 2009
FlowDroid is a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications
Provides online static analysis of malware images.
Commercial ($1000)
Decompile Android apps and obfuscated Dalvik bytecode
Lobotomy is an Android security toolkit that will automate different Android assessments and reverse engineering tasks. The goal of the Lobotomy toolkit is to provide a console environment, which would allow a user to load their target Android APK once, then have all the necessary tools without needing to exit that environment.
Lobotomy leverages and provides wrappers around other popular tools such as Androguard, apktool, Dex2Jar, Frida
Introduction , , more to come
Joint Advanced Defect Assessment framework for android applications (JAADS, original name JADE) is a tool written in Java and Scala with the power of Soot to provide both interprocedure and intraprocedure static analysis for android applications.
Online decompilation at
(using dex2jar, jad, apktool, zip/unzip)
Java Decompiler
To use on a jar (from dex2jar):
#!/bin/bash
JAD=$(pwd)/jad
ODIR=${1%.jar}
if [ "$ODIR" == "$1" ]; then
  echo "Error: expecting a file ending with .jar"
  exit 1
fi
7z x -o${ODIR} $1
for d in $(find ${ODIR}/com -type d); do
  echo Entering $d
  pushd $d >/dev/null
  # Clean Android stuffs (inner/anonymous classes)
  rm -f *\$*.class
  # Loop body completed here: the page's listing stops at "for c in *."
  for c in *.class; do
    [ -e "$c" ] || continue
    $JAD -o "$c"        # writes <class>.jad in the current directory
    # Want to keep the .class or not?
    #rm "$c"
  done
  popd >/dev/null
done
./unjar myapp-dex2jar.jar
Helps converting Java 1.4, Java 1.5 or later classes so JAD gives better results
Aligns java-files, which are decompiled by jad
java -jar JadHelper-0.0.1.jar myfile.java
No much effect on jad from dex
JD-GUI is a standalone graphical utility that displays Java source codes of “.class” files
Helper to manual de-obfuscate obfuscated jars
rename class/packages in a jar
match a jarjar-ed & obfuscated jar with a known jar,to find the 'same' classes
bytecode dump(asm)
class dependency graph
Java Overall Editor is a complex editor and viewer for compiled java binaries (.class files)
CFR, Jadx, JDCore, Procyon, Fernflower, JAD
readelf -a -g -t --dyn-syms -W mybin
objdump -C -g -F -x -T --special-syms mybin
objdump -d -l -r -R -S mybin
objdump -D -l -r -R -S mybin
nm -a -C -S -s --special-syms mybin
Shared library dependencies:
ldd -v mybin
A Python module to read and work with PE (Portable Executable) files, see
#!/usr/bin/env python
import sys, pefile
pe = pefile.PE(sys.argv[1])
# dump_info() returns the report as a string, it does not print it
info = pe.dump_info()
print(info)
with open('out.txt', 'w') as f:
    f.write(info)
Can run under Linux
Can run with Wine
Can run with Wine
A Scriptable In-memory and On-disk PE Parsing Utility
Can run with Wine
Can run with Wine
Can run with Wine
Can run with Wine
Under Wine, require absolute path to DLL so: click on gears, "load functions from the following DLL file", Browse
Can run with Wine
CFF Explorer: Allows also to modify a PE
Signature Explorer
PE Detective
Task Explorer (32 & 64)
Portable Executable (PE) file viewer
upx -d myfile
: some insane PE packing tool coming from the demoscene world.
Midgetpack is a binary packer for ELF binaries. The curve25519 is the real advantage of midgetpack. In this mode, you do not provide any password or key. Instead, a key file is generated at packing time. This key file must be used every time you wish to use the binary. When you start the binary, it will give a challenge and expect a response.
(, ), Windows only?
(binwalk --3D), Linux, OSX
, Windows, Linux
, Dynamic Visual Debugging / Reverse Engineering Toolsuite, Linux, à la Cantor Dust
Metasm has debugging capabilities too.
Windows, Linux, Mac OS X, Android
x86-32, x86-64 (only Intel platforms obviously)
binary instrumentation
The best way to think about Pin is as a "just in time" (JIT) compiler. The input to this compiler is not bytecode, however, but a regular executable. Pin intercepts the execution of the first instruction of the executable and generates ("compiles") new code for the straight line code sequence starting at this instruction. It then transfers control to the generated sequence. The generated code sequence is almost identical to the original one, but Pin ensures that it regains control when a branch exits the sequence. After regaining control, Pin generates more code for the branch target and continues execution. Pin makes this efficient by keeping all of the generated code in memory so it can be reused and directly branching from one sequence to another.
In JIT mode, the only code ever executed is the generated code. The original code is only used for reference. When generating code, Pin gives the user an opportunity to inject their own code (instrumentation).
New attempt to bind with Python: @ancat & @1blankwall1 at Shmoocon2015: ,
Triton is a dynamic binary analysis (DBA) framework. It provides internal components like a Dynamic Symbolic Execution (DSE) engine, a Taint Engine, an intermediate representation based on SMT2-Lib of the x86 and x86-64 instructions set, SMT simplification passes, an SMT Solver Interface and, the last but not least, Python bindings.
Inject JavaScript to explore native apps on Windows, Mac, Linux, iOS and Android.
A curated list of awesome projects, libraries, and tools powered by Frida.
An automated framework for monitoring and tampering system API calls of native iOS and Android apps
DynamoRIO is a runtime code manipulation system that supports code transformations on any part of a program, while it executes. DynamoRIO exports an interface for building dynamic tools for a wide variety of uses: program analysis and understanding, profiling, instrumentation, optimization, translation, etc. Unlike many dynamic tool systems, DynamoRIO is not limited to insertion of callouts/trampolines and allows arbitrary modifications to application instructions via a powerful IA-32/AMD64 instruction manipulation library. DynamoRIO provides efficient, transparent, and comprehensive manipulation of unmodified applications running on stock operating systems (Windows or Linux) and commodity IA-32 and AMD64 hardware.
For ARM, see also
and (dead?)
The BitBlaze infrastructure provides a component, called TEMU, for dynamic binary analysis. TEMU is built upon a whole-system emulator, QEMU, and provides the following functionality:
Dynamic taint analysis. TEMU is able to perform whole-system dynamic taint analysis. Marking certain information sources (e.g., keystrokes, network inputs, reads for certain memory locations, and function call outputs) as tainted, TEMU keeps track of the tainted information propagating in the system. This feature also provides a plug-in environment for dynamic symbolic execution, in which symbolic values are marked as tainted, and concrete values as untainted.
OS awareness. Information about OS-level abstractions like processes and files is important for many kinds of analysis. Using knowledge of the guest operating system (Windows XP or Linux), TEMU can determine what process and module is currently executing, what API calls have been invoked (with their arguments), and what disk locations belong to which files.
In-depth behavioral analysis. TEMU is able to understand how an analyzed binary interacts with the environment, such as what API calls are invoked, and what outstanding memory locations are accessed. By marking the inputs as tainted (i.e., symbolic), TEMU provides insights about how outputs are formulated from inputs.
QEMU Interactive Runtime Analyser to do dynamic analysis as well as IDA does static analysis
Write-up example:
QIRA src now at
debugger, static analysis
Windows, Linux, Android
Intel, ARM
vtrace is a cross-platform process debugging API implemented in python, and vdb is a debugger which uses it
vivisect is a Python based static analysis and emulation framework
Self-optimizing cross-platform code tracer based on dynamic recompilation, powered by Frida and Capstone
Avatar is an event-based arbitration framework that orchestrates the communication between an emulator and a target physical device. Avatar's goal is to enable complex dynamic analysis of embedded firmware in order to assist in a wide range of security-related activities including (but not limited to) reverse engineering, malware analysis, vulnerability discovery, vulnerability assessment, backtrace acquisition and root-cause analysis of known test cases.
DECAF(short for Dynamic Executable Code Analysis Framework) is a binary analysis platform based on QEMU.
This is also the home of the DroidScope dynamic Android malware analysis platform. DroidScope is now an extension to DECAF
and article
Android Application Sandbox
Realtime Privacy Monitoring on Smartphones
Java, Dalvik (see
Comprehensive security and attack framework for Android
Interacts with Dalvik VM and explore applications attack surface (activities, content providers, services, etc).
Can also be used remotely à la Metasploit with exploits & payloads
A Scriptable Debugger for Android's Dalvik Virtual Machine
Hooker is an open-source project for dynamic analysis of Android applications. This project provides various tools and applications that can be used to automatically intercept and modify any API calls made by a targeted application. It leverages the Android Substrate framework to intercept these calls and aggregate all their contextual information (parameters, returned values, ...) in an Elasticsearch database. A set of Python scripts can be used to automate the execution of an analysis in order to collect any API calls made by a set of applications.
Changes app_process binary and hooks into all system or applications
Many modules
Similar to Xposed but not via replacement of system components.
Hooks into Dalvik and native code
Simple and easy to use library to intercept virtual-method calls under the Android ART runtime.
, as setprop but changes read-only properties by attaching to init via ptrace
, A dynamic information flow tracing system for Android, sources
Android app dynamic reverse tool based on Xposed framework (you'd better understand Chinese...)
Generic exploit for master key vulnerability in Android
Android Pentesting Portable Integrated Environment
A reverse engineering framework for iOS
A tool that lets you intercept methods, alter data and otherwise hack Java applications running on your computer.
ActionScript Bytecode instrumentation framework
Tracing library calls and system calls.
Getting a summary:
ltrace -f -S mybin 2>&1|grep '(.*)'|sed 's/(.*//'|sort|uniq -c
Getting more:
ltrace -f -i -S -n 4 -s 1024 mybin
Tracing inner execution flow as well
#define _GNU_SOURCE
#include <dlfcn.h>
#include <sys/types.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>
#include <time.h>

// Kill nanosleep()
int nanosleep(const struct timespec *req, struct timespec *rem){
    printf("\n==== In our own nanosleep(), I dunnah want sleep\n");
    return 0;   // pretend the whole interval elapsed
}
// Kill usleep()
int usleep(useconds_t usec){
    printf("\n==== In our own usleep(), I dunnah want sleep\n");
    return 0;
}
// Fix time(): return a constant instead of the real clock
time_t time(time_t *t){
    time_t fixed = 0;   // put the timestamp you want here (the value is elided on the page)
    printf("\n==== In our own time(), will return %ld\n", (long)fixed);
    if (t) *t = fixed;
    return fixed;
}
// Fix srand(): ignore the caller's seed and call the real srand(0)
void srand(unsigned int seed){
    printf("\n==== In our own srand(), will do srand(0)\n");
    void (*original_srand)(unsigned int seed);
    original_srand = dlsym(RTLD_NEXT, "srand");
    unsigned int myseed = 0;
    (*original_srand)(myseed);
}
// Pick ONE of the two rand() replacements: two definitions in one file will not build
#ifdef KILL_RAND
// Kill rand()
int rand(void){
    printf("\n==== In our own rand(), will return 0\n");
    return 0;
}
#else
// Intercept rand(): call the real one and log what it returned
int rand(void){
    int (*original_rand)(void);
    original_rand = dlsym(RTLD_NEXT, "rand");
    int r = (*original_rand)();
    printf("\n==== In our own rand(), will return %04X\n", r);
    return r;
}
#endif
gcc -fPIC -shared -Wl,-soname,patch -o patch.so patch.c -ldl
export LD_PRELOAD=patch.so
export LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH
Only dynamically linked programs that resolve these symbols through the PLT are affected: statically linked binaries, and setuid/secure-execution programs, ignore LD_PRELOAD.
a quick open/close/ioctl/read/write/free symbol hooker
x86-32, x86-64, ARM (since v0.52)
scanmem is a simple interactive debugging utility for linux, used to locate the address of a variable in an executing process. This can be used for the analysis or modification of a hostile process on a compromised machine, reverse engineering, or as a "pokefinder" to cheat at video games.
Linux/Android
with a GUI since v0.13: GameConqueror
Enable binary writing, here changing a conditional jump to an unconditional jump (only valid for a 2-byte short jcc, opcode 0x70..0x7f followed by rel8; the 6-byte near form 0x0f 0x8x needs a different patch):
gdb -write -silent --args mycode 1 2 3
(gdb) set {unsigned char}0x400123 = 0xeb
(gdb) x/i 0x400123
0x400123 jmp 0x...
or injecting NOPs:
(gdb) set {unsigned char}0x400123 = 0x90
Stephen Bradshaw has written some extensions to have more useful gdb info when debugging stripped binaries, closer to what you get with OllyDbg. See:
is an unobtrusive debugger UI for hackers
is a backend agnostic debugger frontend that focuses on debugging binaries without access to the source code
The ERESI Reverse Engineering Software Interface is a multi-architecture binary analysis framework with a domain-specific language tailored to reverse engineering and program manipulation.
rr aspires to be your primary debugging tool, replacing — well, enhancing — gdb. You record a failure once, then debug the recording, deterministically, as many times as you want. The same execution is replayed every time.
rr also provides efficient reverse execution under gdb. Set breakpoints and data watchpoints and quickly reverse-execute to where they were hit.
angr is a framework for analyzing binaries. It focuses on both static and dynamic symbolic ("concolic") analysis, making it applicable to a variety of tasks.
Computes diff between two registry snapshots
PE32-only dynamic disassembler and debugger: .
Version 1.1 is historically widespread, version 2.0 is re-written from scratch, still considered as beta by some.
Support software and hardware breakpoint, binary patching and repacking, symbol analysis, advanced instruction pattern search, trace with conditional breaking, etc.
There is also a patched version of OllyDbg with advanced python scripting ability called Immunity Debugger:
Expect some OllyDbg plugins to not work properly with ImmDbg.
, a debugger plugin / Exploit Development Swiss Army Knife
The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment.
Based on WinAppDbg, finds interesting bits in trace by dichotomy signal/noise
run first time and try everything but not the interesting stuff -> use noise option
then run again and try interesting stuff -> use signal option
Find libraries loaded at runtime and the functions called
An open-source x64/x32 debugger for windows.
Currently only supporting Windows binaries.
Cuckoo Sandbox is a malware analysis system. You can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.
Cuckoo generates a handful of different raw data which include:
Native functions and Windows API calls traces
Copies of files created and deleted from the filesystem
Dump of the memory of the selected process
Full memory dump of the analysis machine
Screenshots of the desktop during the execution of the malware analysis
Network dump generated by the machine used for the analysis
Unknown price
ptrace e.g.
sysctl, e.g.
let analysis tools show wrong external symbol calls
, 32bit PE files (EXE and DLLs),
, rop gadget finder and binary information tool, based on Capstone
, supports ELF/PE/Mach-O format on x86, x64, ARM, PowerPC, SPARC and MIPS architectures
, online, supports ELF/PE/Mach-O format on x86, x64, ARM
, semantic ROP search, based on LLVM & Z3
: Python Exploit Development Assistance for GDB (x86/x64)
: GDB enhanced features - multi-arch (x86/x64/mips/ppc/arm)
by Xipiter / dontstuffbeansupyournose
Framing Signals a return to portable shellcode: ,
 : A multiplatform open source Binary Analysis and Reverse engineering Framework
Some are taken from excellent Android Hacker's Handbook
Hardened version of dlmalloc? Alternatives?
This can be done with LD_PRELOAD, e.g. with
LD_PRELOAD="/usr/lib/libtcmalloc.so"
Protected calloc?
Hardened library for safe integer operations:
Set stack (and heap) as non-executable.
Kernel marks stack as executable unless it finds a GNU_STACK program header without executable flag set.
To link with a non-executable stack:
flag: -z noexecstack (through gcc: -Wl,-z,noexecstack)
Beware: a single assembly object (.s/.S) without a .note.GNU-stack section makes the linker mark the whole binary's stack executable.
/usr/sbin/execstack -q myprog
"?": myprog has no GNU_STACK -> stack is executable
"-": stack non-executable
"X": stack executable
readelf -a myprog|grep -A1 GNU_STACK
present? with RW or RWE?
cat /proc/123/maps|grep -E '(stack|heap)'
rw or rwx?
To modify existing bin:
/usr/sbin/execstack -s myprog # set executable stack
/usr/sbin/execstack -c myprog # clear
/sbin/sysctl kernel.pid_max
Traditionally 32768
/sbin/sysctl -w kernel.pid_max=4194303
/sbin/sysctl kernel.yama.ptrace_scope
To allow ptrace:
/sbin/sysctl -w kernel.yama.ptrace_scope=0
Bin needs to be compiled position-independent:
CFLAGS: -fPIE
LDFLAGS: -pie
readelf -h myprog | grep Type:
DYN? position-independent
EXEC? Not position-independent
readelf -d myprog | grep TEXTREL
Global settings
/sbin/sysctl kernel.randomize_va_space
/sbin/sysctl -w kernel.randomize_va_space=2
0 – No randomization. Everything is static.
1 – Conservative randomization. Shared libraries, stack, mmap() and VDSO are randomized (and the code of PIE binaries); the brk() heap is not.
2 – Full randomization. In addition to elements listed in the previous point, memory managed through brk() (the heap) is also randomized.
To disable it locally (in a bash and its children)
setarch `uname -m` -R /bin/bash
On 32 bit systems “ulimit -s unlimited” disables the randomization of the mmap()-ing
ProPolice stack protection is enabled by using
flags: -fstack-protector (only functions with a char array of at least --param ssp-buffer-size bytes, 8 by default, get a canary; -fstack-protector-strong (GCC 4.9+) or -fstack-protector-all cover more functions)
Format string warnings are enabled by using
flags: -Wformat -Wformat-security -Werror=format-security
Beware compiler cannot detect all corner cases (e.g. format strings built at runtime)
See also _FORTIFY_SOURCE=2 (needs -O1 or higher) for runtime protection against %n
Partial relro enabled by using
flags: -Wl,-z,relro
readelf -l myprog|grep RELRO
GNU_RELRO? Partial relro protection present
Full relro enabled by using
flags: -Wl,-z,relro -Wl,-z,now
readelf -d myprog|grep NOW
flags NOW? Full relro protection present
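The three checks above (GNU_STACK flags for NX, e_type for PIE, GNU_RELRO plus BIND_NOW for RELRO) all read bits that readelf prints. As an added example, not one of the wiki's own scripts, here is a small Python checker that parses them straight from the ELF64 headers and reports the same "?" / "-" / "X" states as execstack -q; build_elf() and samples() construct minimal synthetic images (sample input only, they are not runnable binaries) so it works offline. Assumptions: little-endian ELF64 only, and ET_DYN is taken as "position-independent" (it is also what shared objects use).

```python
import struct
import sys

# Constants from elf.h (only the ones the checker needs).
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474e551, 0x6474e552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6ffffffb
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def hardening_report(data):
    """Inspect a little-endian ELF64 image: GNU_STACK flags (NX), e_type (PIE)
    and GNU_RELRO + BIND_NOW (partial/full RELRO)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    phdrs = [struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]

    # NX: same three states execstack -q prints ("?", "-", "X").
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    if not stack:
        stack_state = "?"        # no GNU_STACK header: the kernel falls back to an executable stack
    elif stack[0][1] & PF_X:
        stack_state = "X"
    else:
        stack_state = "-"

    # RELRO: a GNU_RELRO segment gives partial RELRO; BIND_NOW in the dynamic
    # section (DT_FLAGS or DT_FLAGS_1) upgrades it to full RELRO.
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = False
    for p in phdrs:
        if p[0] != PT_DYNAMIC:
            continue
        off, size = p[2], p[5]
        for j in range(0, size, 16):                  # Elf64_Dyn is 16 bytes: d_tag, d_val
            d_tag, d_val = struct.unpack_from("<qQ", data, off + j)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or \
               (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                bind_now = True
    relro = "full" if (has_relro and bind_now) else "partial" if has_relro else "none"

    return {"stack": stack_state, "nx": stack_state == "-",
            "pie": e_type == ET_DYN,      # ET_DYN: PIE (or shared object); ET_EXEC: fixed addresses
            "relro": relro}


def build_elf(e_type, stack_flags, relro, dyn_flags):
    """Construct a minimal, non-runnable ELF64 image for testing: header,
    program headers and optionally a DT_FLAGS dynamic table (constructed sample input)."""
    segs = []
    if stack_flags is not None:
        segs.append((PT_GNU_STACK, stack_flags))
    if relro:
        segs.append((PT_GNU_RELRO, PF_R))
    dyn = b""
    if dyn_flags is not None:
        dyn = struct.pack("<qQ", DT_FLAGS, dyn_flags) + struct.pack("<qQ", DT_NULL, 0)
        segs.append((PT_DYNAMIC, PF_R | PF_W))
    phoff, phentsize = 64, 56
    dyn_off = phoff + phentsize * len(segs)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8    # ELFCLASS64, ELFDATA2LSB
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, phoff, 0, 0,
                               64, phentsize, len(segs), 64, 0, 0)
    phdrs = b""
    for p_type, p_flags in segs:
        off, size = (dyn_off, len(dyn)) if p_type == PT_DYNAMIC else (0, 0)
        phdrs += struct.pack("<IIQQQQQQ", p_type, p_flags, off, 0, 0, size, size, 8)
    return ehdr + phdrs + dyn


def samples():
    """Constructed images covering the states the checks above distinguish."""
    return {
        "legacy":   build_elf(ET_EXEC, None, False, None),                # no GNU_STACK at all
        "weak":     build_elf(ET_EXEC, PF_R | PF_W | PF_X, False, None),  # RWE stack, no PIE, no RELRO
        "partial":  build_elf(ET_DYN, PF_R | PF_W, True, 0),              # RELRO without BIND_NOW
        "hardened": build_elf(ET_DYN, PF_R | PF_W, True, DF_BIND_NOW),    # NX + PIE + full RELRO
    }


def check_file(path):
    with open(path, "rb") as f:
        return hardening_report(f.read())


if __name__ == "__main__":
    targets = ({p: check_file(p) for p in sys.argv[1:]} if len(sys.argv) > 1
               else {k: hardening_report(v) for k, v in samples().items()})
    for name, r in targets.items():
        print(f"{name}: stack={r['stack']} nx={r['nx']} pie={r['pie']} relro={r['relro']}")
```

Run it with real paths (python3 elfcheck.py /bin/ls ...) to check binaries, or with no argument to see the four constructed states; the "?" state is the one to watch for on old toolchains and hand-written assembly, since it means an executable stack by default.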
Opensource ring0 Windows x64 anti-anti-debug driver
cppcheck --quiet --check-config .
cppcheck --xml --xml-version=2 --std=posix --std=c99 \
--enable=style,performance,portability,information,unusedFunction \
-I include --force --inconclusive .
flawfinder --quiet --dataonly --singleline --followdotdir .|sort -k 2 -r|less
flawfinder --immediate --dataonly --inputs --followdotdir .
export CFLAGS="-Wall -g -O2 -Wextra -pipe -funsigned-char -fstrict-aliasing -Wchar-subscripts -Wundef -Wshadow -Wcast-align -Wwrite-strings -Wunused -Wuninitialized -Wpointer-arith -Wredundant-decls -Winline -Wformat -Wformat-security -Wswitch-enum -Winit-self -Wmissing-include-dirs -Wmissing-prototypes -Wstrict-prototypes -Wold-style-definition -Wbad-function-cast -Wnested-externs -Wmissing-declarations "
export CFLAGS="$CFLAGS -Wunreachable-code"
export CFLAGS="$CFLAGS -fno-omit-frame-pointer -D_FORTIFY_SOURCE=2 -fstack-protector"
For an AddressSanitizer build the flag is -fsanitize=address (not -fsanitizer), it must be given at both compile and link time, and -D_FORTIFY_SOURCE should be dropped there because the fortified *_chk wrappers bypass ASan's interceptors and can hide overflows:
export CFLAGS="$CFLAGS -fsanitize=address -fno-omit-frame-pointer"
export LDFLAGS="$LDFLAGS -fsanitize=address"
, free, by @yurichev
Shellcode Disassembling and XOR decryption
Big lists of tools
forum: Android, IDA,...
Dalvik and ART
& , slides
, tutorial
list collected by
: mix of QEMU IR () and LLVM IR
- VEX based
Python - X86 / ARM / MIPS / SH4 / MSP430
Ruby - x86 (16 and 32bits), X86_64, MIPS, PowerPC, Sh4
C++, Python bindings
C/C++, Python bindings - x86, x86_64
Python - arm, msp430, pic, sparc, x64, x86, z80
"Commercial product, the internal IR is only documented/accessible for some filtered customers though..."
x86-64, arm
C++/Python
by Carlos Prado
, big list of tools
, big list of tools
, x86, x86-64, ARM, RE, malware RE,... tutorials, slides, videos
signal identification software (Windows)
