cle: CLE Loads Everything (at least, many binary formats!)

CLE Loads Everything (at least, many binary formats!)
  • Source name: cle
  • Source URL: http://www.github.com/angr/cle
  • cle source documentation
  • cle source download
  • Git URL:
    git://www.github.com/angr/cle.git
    Git clone to a local checkout:
    git clone http://www.github.com/angr/cle
    Subversion checkout to a local directory:
    $ svn co --depth empty http://www.github.com/angr/cle
    Checked out revision 1.
    $ cd repo
    $ svn up trunk


    CLE loads a binary and its associated libraries, resolves imports, and provides an abstraction of process memory in the same way the operating system's loader does.

    Installation

    $ pip install cle

    Usage example

    >>> import cle
    >>> ld = cle.Loader("/bin/ls")
    >>> hex(ld.main_object.entry)
    '0x4048d0'
    >>> ld.shared_objects
    {'ld-linux-x86-64.so.2': <ELF Object ld-2.21.so, maps [0x5000000:0x522312f]>,
     'libacl.so.1': <ELF Object libacl.so.1.1.0, maps [0x2000000:0x220829f]>,
     'libattr.so.1': <ELF Object libattr.so.1.1.0, maps [0x4000000:0x4204177]>,
     'libc.so.6': <ELF Object libc-2.21.so, maps [0x3000000:0x33a1a0f]>,
     'libcap.so.2': <ELF Object libcap.so.2.24, maps [0x1000000:0x1203c37]>}
    >>> ld.addr_belongs_to_object(0x5000000)
    <ELF Object ld-2.21.so, maps [0x5000000:0x522312f]>
    >>> libc_main_reloc = ld.main_object.imports['__libc_start_main']
    >>> hex(libc_main_reloc.addr)   # Address of GOT entry for libc_start_main
    '0x61c1c0'
    >>> import pyvex
    >>> some_text_data = ''.join(ld.memory.read_bytes(ld.main_object.entry, 0x100))
    >>> irsb = pyvex.IRSB(some_text_data, ld.main_object.entry, ld.main_object.arch)
    >>> irsb.pp()
    IRSB {
       t0:Ity_I32 t1:Ity_I32 t2:Ity_I32 t3:Ity_I64 t4:Ity_I64 t5:Ity_I64 t6:Ity_I32 t7:Ity_I64 t8:Ity_I32 t9:Ity_I64 t10:Ity_I64 t11:Ity_I64 t12:Ity_I64 t13:Ity_I64 t14:Ity_I64
       15 | ------ IMark(0x4048d0, 2, 0) ------
       16 | t5 = 32Uto64(0x00000000)
       17 | PUT(rbp) = t5
       18 | t7 = GET:I64(rbp)
       19 | t6 = 64to32(t7)
       20 | t2 = t6
       21 | t9 = GET:I64(rbp)
       22 | t8 = 64to32(t9)
       23 | t1 = t8
       24 | t0 = Xor32(t2,t1)
       25 | PUT(cc_op) = 0x0000000000000013
       26 | t10 = 32Uto64(t0)
       27 | PUT(cc_dep1) = t10
       28 | PUT(cc_dep2) = 0x0000000000000000
       29 | t11 = 32Uto64(t0)
       30 | PUT(rbp) = t11
       31 | PUT(rip) = 0x00000000004048d2
       32 | ------ IMark(0x4048d2, 3, 0) ------
       33 | t12 = GET:I64(rdx)
       34 | PUT(r9) = t12
       35 | PUT(rip) = 0x00000000004048d5
       36 | ------ IMark(0x4048d5, 1, 0) ------
       37 | t4 = GET:I64(rsp)
       38 | t3 = LDle:I64(t4)
       39 | t13 = Add64(t4,0x0000000000000008)
       40 | PUT(rsp) = t13
       41 | PUT(rsi) = t3
       42 | PUT(rip) = 0x00000000004048d6
       43 | t14 = GET:I64(rip)
       NEXT: PUT(rip) = t14; Ijk_Boring
    }
    Valid options

    For a full list and description of the options that can be given to the loader, and of the methods it provides, check the docstrings in cle/loader.py. If anything is unclear or the documentation is wrong (there is a lot of that), please complain on whatever channel you feel is appropriate.

    Loading backends

    CLE's loader is implemented in the Loader class. Several backends are available for loading a single file:

    - ELF, as its name says, loads ELF binaries. ELF files loaded this way are
      statically parsed using PyElfTools.
    - IdaBin relies on IDA (through IdaLink) to get information from the
      binaries. At the moment, it works in a bare-bones fashion, but is
      mostly unsupported.
    - PE is a backend to load Microsoft's Portable Executable format,
      effectively Windows binaries. It uses the (optional) `pefile` module.
    - Mach-O is a backend to load, you guessed it, Mach-O binaries. It is
      subject to several limitations, which you can read about in the
      [readme in the macho directory](backends/macho/README.md)
    - Blob is a backend to load unknown data. It requires that you specify
      the architecture it would be run on, in the form of a class from
      ArchInfo.

    The backend to use can be passed as an argument to the loader. If none is specified, the loader picks a reasonable default.
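    The following is an added illustration, not code from cle itself, of how a "reasonable default" backend can be chosen from the file's header bytes rather than from its file name. It mirrors the backend list above (ELF, PE, Mach-O, with Blob as the fallback for unrecognised data); the architecture labels it returns, the constant tables and the sample headers are all constructed for this example, and the real cle backends apply their own compatibility checks.

```python
# Added example (not cle's own code): choose a loader backend from the header
# bytes of a file. The backend names follow the list on this page; the
# architecture labels and magic tables below are constructed for the example.
import struct

# e_machine (ELF) and Machine (PE) values for a few common architectures.
ELF_MACHINES = {0x03: "x86", 0x3E: "x86_64", 0x28: "ARM", 0xB7: "AArch64", 0x08: "MIPS"}
PE_MACHINES = {0x014C: "x86", 0x8664: "x86_64", 0x01C0: "ARM", 0xAA64: "AArch64"}
# Mach-O magic as it appears on disk -> (byte order of the file, word size).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": ("BE", 32), b"\xfe\xed\xfa\xcf": ("BE", 64),
    b"\xce\xfa\xed\xfe": ("LE", 32), b"\xcf\xfa\xed\xfe": ("LE", 64),
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"   # Mach-O universal binary (also the Java class magic)


def detect_backend(data: bytes):
    """Return (backend_name, arch_hint) for the leading bytes of a file.

    Only header bytes are trusted; a name ending in .exe or .so proves nothing.
    Anything that is not a well-formed ELF/PE/Mach-O header falls back to Blob,
    which is why Blob needs the caller to name the architecture explicitly.
    """
    # ELF: magic, then EI_CLASS at 4 (1=32-bit, 2=64-bit), EI_DATA at 5
    # (1=little endian, 2=big endian), e_machine at offset 18.
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        endian = "<" if data[5] == 1 else ">"
        bits = 32 if data[4] == 1 else 64
        (e_machine,) = struct.unpack_from(endian + "H", data, 18)
        return "ELF", f"{ELF_MACHINES.get(e_machine, 'unknown')}/{bits}"
    # PE: "MZ" stub, e_lfanew at 0x3c points at "PE\0\0" followed by Machine.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        # A truncated or malformed header (signature outside the buffer) is not PE.
        if len(data) >= e_lfanew + 6 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
            return "PE", PE_MACHINES.get(machine, "unknown")
    # Mach-O: thin images carry one of four magics, universal binaries FAT_MAGIC.
    if data[:4] in MACHO_MAGICS:
        endian, bits = MACHO_MAGICS[data[:4]]
        return "Mach-O", f"{endian}/{bits}"
    if data[:4] == FAT_MAGIC:
        return "Mach-O", "fat (multiple architectures)"
    # Unknown data: Blob, with no architecture we can infer.
    return "Blob", None


# Constructed sample headers (not real binaries): just enough bytes to classify.
SAMPLE_ELF = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # e_ident: 64-bit, LE
              + struct.pack("<HH", 2, 0x3E) + b"\0" * 4)      # e_type=EXEC, e_machine=x86_64
SAMPLE_PE = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
             + b"PE\0\0" + struct.pack("<H", 0x8664))         # Machine = x86_64
SAMPLE_MACHO = b"\xcf\xfa\xed\xfe" + b"\0" * 12               # MH_MAGIC_64, little endian
SAMPLE_BLOB = bytes(range(16))                                # raw firmware-like data

if __name__ == "__main__":
    for label, blob in [("elf", SAMPLE_ELF), ("pe", SAMPLE_PE),
                        ("macho", SAMPLE_MACHO), ("blob", SAMPLE_BLOB)]:
        print(label, detect_backend(blob))
```

    Feed it the first few hundred bytes of a file (`open(path, "rb").read(512)` is enough for every case above). The truncated-MZ check matters in practice: an "MZ" stub whose e_lfanew points past the end of the data is treated as a Blob rather than as a PE with garbage fields.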

    Finding shared libraries

    If the auto_load_libs option is set to false, the loader will not automatically load the libraries requested by the loaded objects. Otherwise, the loader determines which shared objects are needed when loading the binary and searches for them in the following order:

      • in the current working directory
      • in the folders specified by the custom_ld_path option
      • in the same folder as the main binary
      • in the system (in the library path that corresponds to the binary's architecture, e.g. ARM; on Debian this requires the cross libraries, i.e. the emdebian packages, to be installed)
      • in the system, ignoring version numbers (a library whose version number does not match the requested one is still accepted) if the ignore_import_version_numbers option is true

    If no library of the correct architecture is found, the loader raises an exception when the except_missing_libs option is true. Otherwise it simply leaves the dependency unresolved.
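    As an added example (not cle's own code), the search order above carried out over a constructed in-memory filesystem, so it runs offline and shows which copy of a library each option makes the loader pick. The option names are the ones used on this page (auto_load_libs, custom_ld_path, ignore_import_version_numbers, except_missing_libs); the directory names, file names and the MissingLibraryError class are constructed for the example, and the version-number matching rule (compare names with the trailing ".N.N" stripped) is this example's approximation, not cle's exact rule.

```python
# Added example (not cle's own code): the documented shared-library search
# order over a constructed fake filesystem. Directory and file names below are
# constructed; the option names are those described on this page.
import os
import re
from typing import Iterable, Optional


class MissingLibraryError(Exception):
    """Raised when a dependency is not found and except_missing_libs is set."""


# Constructed fake filesystem: directory -> file names present there
# (stands in for os.listdir; nothing on the real disk is touched).
FAKE_FS = {
    "/work": {"target_bin", "libplugin.so"},                          # current working directory
    "/opt/custom": {"libcrypto.so.1.1"},                              # custom_ld_path entry
    "/opt/app": {"target_bin", "libfoo.so.3"},                        # next to the main binary
    "/usr/lib/x86_64-linux-gnu": {"libc.so.6", "libm.so.6", "libz.so.1.2.11"},  # system
}

_VERSION_SUFFIX = re.compile(r"\.so(\.\d+)*$")


def _strip_version(name: str) -> str:
    # "libz.so.1.2.11" -> "libz.so"; used only for the version-insensitive pass.
    return _VERSION_SUFFIX.sub(".so", name)


def find_library(requested: str, cwd: str, main_binary: str, custom_ld_path: Iterable[str],
                 system_lib_dirs: Iterable[str], ignore_import_version_numbers: bool,
                 fs=FAKE_FS) -> Optional[str]:
    """Return the path of the first match in the documented order, or None."""
    search_dirs = [cwd, *custom_ld_path, os.path.dirname(main_binary), *system_lib_dirs]
    # Pass 1: exact file name, directories in priority order.
    for d in search_dirs:
        if requested in fs.get(d, ()):
            return os.path.join(d, requested)
    # Pass 2 (system directories only): accept another version of the same library.
    if ignore_import_version_numbers:
        wanted = _strip_version(requested)
        for d in system_lib_dirs:
            for name in sorted(fs.get(d, ())):
                if _strip_version(name) == wanted:
                    return os.path.join(d, name)
    return None


def resolve_dependencies(main_binary: str, needed: Iterable[str], *, auto_load_libs=True,
                         custom_ld_path=(), system_lib_dirs=(), ignore_import_version_numbers=True,
                         except_missing_libs=False, cwd="/work", fs=FAKE_FS) -> dict:
    """Map each needed library to the path that would be loaded (None = unresolved)."""
    if not auto_load_libs:
        return {}          # nothing is loaded automatically
    resolved = {}
    for lib in needed:
        path = find_library(lib, cwd, main_binary, custom_ld_path, system_lib_dirs,
                            ignore_import_version_numbers, fs)
        if path is None and except_missing_libs:
            raise MissingLibraryError(f"cannot find {lib} needed by {main_binary}")
        resolved[lib] = path   # left as None when except_missing_libs is false
    return resolved


def missing_lib_raises(main_binary: str, needed: Iterable[str], **opts) -> bool:
    """True if resolving `needed` with except_missing_libs=True raises."""
    try:
        resolve_dependencies(main_binary, needed, except_missing_libs=True, **opts)
    except MissingLibraryError:
        return True
    return False


if __name__ == "__main__":
    deps = ["libplugin.so", "libcrypto.so.1.1", "libfoo.so.3", "libc.so.6", "libz.so.1", "libmissing.so.2"]
    for lib, path in resolve_dependencies("/opt/app/target_bin", deps, custom_ld_path=["/opt/custom"],
                                          system_lib_dirs=["/usr/lib/x86_64-linux-gnu"]).items():
        print(f"{lib:18} -> {path}")
```

    Two things the run makes visible that the list alone does not: the working directory wins over every other location, so a stray libplugin.so in the analysis directory is what gets loaded for the target, and with ignore_import_version_numbers the requested libz.so.1 is satisfied by the system's libz.so.1.2.11. For reproducible analyses, run the loader from a clean directory and point custom_ld_path at the exact library set you intend to analyse.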

