Sunday, May 29, 2022
HomeHackerBinAbsInspector - Vulnerability Scanner For Binaries

BinAbsInspector – Vulnerability Scanner For Binaries

BinAbsInspector (Binary Summary Inspector) is a static analyzer for automated reverse engineering and scanning vulnerabilities in binaries, which is a long-term analysis challenge incubated at Keenlab. It’s based mostly on summary interpretation with the assist from Ghidra. It really works on Ghidra’s Pcode as an alternative of meeting. At the moment it helps binaries on x86,x64, armv7 and aarch64.

  • Set up Ghidra in keeping with Ghidra’s documentation
  • Set up Z3 (examined model: 4.8.15)
  • Observe that usually there are two components for Z3 library: one is Java bundle, the opposite one is native library. The Java bundle is already included in “/lib” listing, however we advise that you simply substitute it with your personal Java bundle for model compatibility.
    • For Home windows, obtain a pre-built bundle from right here, extract the zip file and add a PATH surroundings variable pointing to z3-${model}-win/bin
    • For Linux, set up with bundle supervisor is NOT really helpful, there are two choices:
      1. You may obtain appropriate pre-build bundle from right here, extract the zip file and duplicate z3-${model}-win/bin/*.so to /usr/native/lib/
      2. or you may construct and set up z3 in keeping with Constructing Z3 utilizing make and GCC/Clang
    • For MacOS, it’s just like Linux.
  • Obtain the extension zip file from launch web page
  • Set up the extension in keeping with Ghidra Extension Notes

Construct the extension by your self, if you wish to develop a brand new characteristic, please check with improvement information.

  • Set up Ghidra and Z3
  • Set up Gradle 7.x (examined model: 7.4)
  • Pull the repository
  • Run gradle buildExtension beneath repository root
  • The extension shall be generated at dist/${GhidraVersion}_${date}

You may run BinAbsInspector in headless mode, GUI mode, or with docker.

  • With Ghidra headless mode.
$GHIDRA_INSTALL_DIR/assist/analyzeHeadless <projectPath> <projectName> -import <file> -postScript BinAbsInspector "@@<scriptParams>"

<projectPath> — Ghidra challenge path.
<projectName> — Ghidra challenge title.
<scriptParams> — The argument for our analyzer, gives following choices:

Parameter Description
[-K <kElement>] KSet measurement restrict Okay
[-callStringK <callStringMaxLen>] Name string most size Okay
[-Z3Timeout <timeout>] Z3 timeout
[-timeout <timeout>] Evaluation timeout
[-entry <address>] Entry tackle
[-externalMap <file>] Exterior operate mannequin config
[-json] Output in json format
[-disableZ3] Disable Z3
[-all] Allow all checkers
[-debug] Allow debugging log output
[-check "<cweNo1>[;<cweNo2>...]"] Allow particular checkers
  • With Ghidra GUI

    1. Run Ghidra and import the goal binary right into a challenge
    2. Analyze the binary with default settings
    3. When the evaluation is completed, open Window -> Script Supervisor and discover
    4. Double-click on entry, set the parameters in configuration window and click on OK
    5. When the evaluation is completed, you may see the CWE studies in console window, double-click the addresses from the report can bounce to corresponding tackle
  • With Docker

git clone [email protected]:KeenSecurityLab/BinAbsInspector.git
cd BinAbsInspector
docker construct . -t bai
docker run -v $(pwd):/information/workspace bai "@@<script parameters>" -import <file>

Thus far BinAbsInspector helps following checkers:

  • CWE78 (OS Command Injection)
  • CWE119 (Buffer Overflow (generic case))
  • CWE125 (Buffer Overflow (Out-of-bounds Learn))
  • CWE134 (Use of Externally-Managed Format string)
  • CWE190 (Integer overflow or wraparound)
  • CWE367 (Time-of-check Time-of-use (TOCTOU))
  • CWE415 (Double free)
  • CWE416 (Use After Free)
  • CWE426 (Untrusted Search Path)
  • CWE467 (Use of sizeof() on a pointer kind)
  • CWE476 (NULL Pointer Dereference)
  • CWE676 (Use of Probably Harmful Operate)
  • CWE787 (Buffer Overflow (Out-of-bounds Write))

The construction of this challenge is as follows, please check with technical particulars for extra particulars.

├── most important
│ ├── java
│ │ └── com
│ │ └── bai
│ │ ├── checkers checker implementatiom
│ │ ├── env
│ │ │ ├── funcs operate modeling
│ │ │ │ ├── externalfuncs exterior operate modeling
│ │ │ │ └── stdfuncs cpp std modeling
│ │ │ └── area reminiscence modeling
│ │ ├── solver analyze core and grpah module
│ │ └── util utilities
│ └── sources
└── check

You may as well construct the javadoc with gradle javadoc, the API documentation shall be generated in ./construct/docs/javadoc.

We make use of Ghidra as our basis and ceaselessly leverage JImmutable Collections for higher efficiency.
Right here we want to thank them for his or her nice assist!



Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments