
This repository hosts the native scanner, a library that searches for strings in binary libraries to inform static analyses. Read more about this library in the paper "Identifying Java Calls in Native Code via Binary Scanning".

This library has the following modes:

  • Radare2-based analysis: this mode uses the Radare2 framework.

  • Binutils-based analysis: this mode assumes the existence of utilities such as nm, objdump, and gdb.

  • Built-in mode: this mode uses no external tools but only supports a subset of the functionality for ELF and DLL files (using the JElf parser and the Kaitai Struct PE format respectively). This mode should be used in applications where simple string detection is enough or in platforms where binutils/Radare2 may not be available.

Setup

Standalone application

Install the application locally:

./gradlew installDist

The resulting binary is in build/install/native-scanner/bin/native-scanner.

Library

Add the Bintray repository in your application build.gradle and add the library as a dependency:

repositories {
  maven { url 'https://dl.bintray.com/gfour/plast-lab' }
  ...
}

dependencies {
  implementation 'org.clyze:native-scanner:0.6.1'
}

Note: this project also supports publishing to the local Maven repository via ./gradlew publishToMavenLocal.

Radare2 mode

This mode uses the Radare2 reverse engineering framework for portability. Tested with Radare 3.5.0 and 4.5.0.

Setup:

  1. Install Radare2 so that it is available in your PATH.

  2. Install Python and r2pipe:

pip install r2pipe --user

Binutils mode

This mode uses command-line programs available on your POSIX system, such as nm, objdump, and gdb. It works for analyzing binaries on a system with the same ABI (for example, x86 binaries on an x86 system).

To analyze ARM binaries on an x86 system, use an appropriate cross toolchain and adjust the PATH so that it points to the directory containing that toolchain's nm and objdump. To generate such toolchains for Android, consult the Android NDK documentation.

Use

For the standalone application, pass --help to see the available options.

For the library, instantiate a NativeScanner object and a BinaryAnalysis object, and use method NativeScanner.scanBinaryCode() to scan a native library. To consume the results, implement interface NativeDatabaseConsumer. See the standalone entry point org.clyze.scanner.Main.main() for actual code that uses this library.