Man Linux: Main Page and Category List

NAME

       ERESI - The ERESI Reverse Engineering Software Interface

SYNOPSIS

       elfsh [OPTIONS]

       etrace [OPTIONS]

       e2dbg programtodebug

       kernsh

DESCRIPTION

       The  ERESI  Reverse Engineering Software Interface is a unified reverse
       engineering  framework  for  UNIX  operating  systems  based   on   the
       Executable  &  Linking  Format (ELF) such as Linux, BSD, Solaris, IRIX,
       and BeOS. It has a command line interface that make it useful remotely,
       and  can  generate  graph images from code analysis on demand. It has a
       real dedicated reverse engineering language that  makes  it  scriptable
       and  adaptable  to  the precise needs of the users. ERESI contains more
       than 10 innovative  and  exclusive  features  that  turns  it  into  an
       environment  of  choice  for  the instrumentation, analysis, debugging,
       tracing, hooking, or simply integrity checking and  events  logging  of
       binary programs. ERESI is composed of ELFsh (the ELF shell), E2dbg (The
       Embedded ELF debugger) and  Etrace  (The  Embedded  ELF  tracer).  This
       documentation applies on all of the components.

OPTIONS

       The  ELF  shell  (part  of  ERESI)  can take the following command line
       parameters:

       -f     input file

       -w     output file

              Note that the command line is slightly different for  E2dbg  and
              Etrace which do NOT take those parameters.

COMMANDS

       E2dbg  and  Etrace  have  to  be  executed  using a unique command line
       parameter (the program file to be debugged or  traced).  The  following
       primitives  can  be used interactively in E2dbg, Etrace, and ELFsh, but
       also on command line when preceded by a -  (ELFsh  only)  at  the  UNIX
       shell command prompt.

       General purpose commands

              cat  edit exec exit help info list load lscripts nocolor profile
              quit sdir setcolor switch unload workspace

       cat    print the file argument

       edit   Edit the file given in parameter

       exec   Fork and execute parameter command (with args)

       help   Print the help screen

       info   Print the extra details help screen

       list   List the loaded files and their ID

       load filename
              Load input file filename

       lscripts
              List macro commands

       nocolor
              Toggle color status

       profile (enable | disable) (traces | warns | alloc | debug | all)

              Change the ELFsh profiling behavior. Traces profiling print  all
              the  internal  function  calls  done  by  the framework. Warning
              profiling prints all the (fatal and non-fatal) warnings reported
              by  the  internal  API : it very useful for tracking bugs and it
              should be used when reporting issues on the bugtracking  system.
              Allocation  and debug profiling are experimental and should only
              be used by experienced ERESI developers.

       quit   Quit the shell without saving

       sdir   Change the script directory. This allows  to  make  precise  the
              location  of  complete  ERESI  library  and bind script files on
              command names in the shell.

       setcolor Associates data types to colors

              setcolor type [bg,fg] color

              setcolor type [underline,bold] (1=on,0=off)

              Available  types   :   address,   number,   string,   endstring,
              warnstring  typestring,  fieldstring,  instr,  pspecial,  psname
              pspecial, pversion, prelease, pedition

              Available colors : black red  green  yellow  blue  magenta  cyan
              white

       switch (filename | fileID)
              Change the current file to work on to filename or fileID

       unload (filename | fileID)
              Unload file filename or fileID without saving

       workspace [wname]
              When  executed  without  parameter,  this  command list existing
              workspaces. When given an existing workspace name, this  command
              switch  to  that  workspace.  If  given a non-existing workspace
              name, this command creates a new workspace and switch to it.

       tables [regex]
              If given without parameter, list all the existing hash tables in
              the  ERESI  framework.  If  given  with  a  parameter, print the
              content of hash tables whoose name match the regular expression.

       vectors [vname[:idx1:...:idxN]] [symbol|addr]
              If given without parameter, list all the existing vectors in the
              ERESI framework. If given with a parameter, print the content of
              this vector. If given one long parameter, print the content of a
              given vector entry. If given 2  parameters,  modify  the  vector
              entry with a user provided address or resolved symbol address.

       ========================================================================

       Ondisk/Memory ELF commands

              Those  commands  works  in all components of the ERESI framework
              (ELFsh, E2dbg, and Etrace).

              add cmp ctors disasm div dtors dyn dynsym elf  findrel  get  got
              hexa interp mod mul notes pht print redir rel reladd set sht sub
              write test

       add    Add the 2 parameters and put the result in variable $_

       cmp    Compare 2 parameters. The difference is put in variable $_

       ct ctors [Regex]
              Print .ctors section entries matching Regex

       D disasm [Regex]
              Disassemble matching binary objects in current file

              disasm parameter

              Allowed parameter format : regx regx:rva regx:rva%size regx%size
               - regx : Regular expression (mandatory)
               - rva  : Byte offset from the beginning (optional)
               - size : Bytes number limit (optional)

       div    Divide first param by second one and put the result in the first
              one

       dt dtors [Regex]
              Print .dtors section entries matching Regex

       dyn    Print the ELF dynamic section

       ds dynsym [Regex]
              Print dynamic symtab (.dynsym) entries matching Regex

       e elf  Print the ELF header

       findrel
              Try  to  find  back  stripped  relocation   information.   Note:
              retreiving  this  information  in  a  very  exact manner is very
              difficult, this command only gives you an approximative list  of
              pointer  accesses  in  the  binary code. It does not deal either
              with constructed addresses using multiple arithmetic  and  logic
              instructions,  or  with  false positives that appear to be valid
              mapped pointers but are not in reality (ex: Hashed data)

       get    Print parameter object value. The parameter can be a constant or
              defined  value, a variable or any ELF object that is part of any
              file loaded in the shell,  provided  you  give  its  id  at  the
              beginning  of  the  object  path. See info command for the exact
              grammar of object paths.

       g got [Regex]
              Print the entries of the  Global  Offset  Table  (GOT)  matching
              Regex. The regex can apply on either an address, an entry index,
              or a resolved  symbol  from  the  entry  address  (or  contained
              address).

       X hexa [Regex]
              Dump  matching binary objects in current file. This has the same
              syntax than D/disasm command.

              X parameter

              ParamFormat : regx regx:rva regx:rva%size regx%size
               - regx : Regular expression (mandatory)
               - rva  : Byte offset from the beginning (optional)
               - size : Bytes number limit (optional)

       interp Print ELF interpreter path standing in .interp section.

       mod    Modulo operation between 2 parameters. The result is put in  the
              destination variable.

       mul    Multiply  the 2 parameters. The result is put in the destination
              variable.

       n notes [Regex]
              Print the Notes sections entries matching Regex

       p pht  Print the Program Header Table (PHT)

       print [ObjectPath1 ObjectPath2 ... ObjectPathN]
              Print  the  values  of  objects  ObjectPath1   ObjectPath2   ...
              ObjectPathN.  Objects  can  be  constant  strings,  ELF objects,
              variables, defined values, and so on.

       redir func (func2 | addr)
              Redirect calls to function func to func2 or address addr. If the
              original  function has a PLT entry, the ALTPLT technique is used
              to perform the redirection. If the function is internal  (or  if
              we  are  in  a  static  binary)  the  CFLOW technique is used to
              perform the redirection. ALTPLT technique is available on INTEL,
              SPARC,  MIPS,  and  ALPHA   architectures.  CFLOW  technique  is
              currently not available on  the  SPARC  architecture.  The  hook
              (second)  function is usually an injected C code provided by the
              user and injected  using  the  reladd  primitive.  In  case  the
              provided hook function calls other function which are not in the
              host binary, ERESI will use the EXTPLT technique  (or  EXTSTATIC
              technique on static binaries) to relink the host binary in order
              to add new relocation entries, dynamic symbols with their names,
              symbol  versions,  extra GOT and PLT entries (using additionally
              the ALTGOT technique on RISC architectures), and will fixup  the
              .dynamic section to reflect those changes on the section list.

       r rel [Regex]
              Print the relocation entries matching Regex

       reladd (DestFilePath | DestfileID) (RelocFilePath | RelocFileID)
              Inject  the  ELF  relocatable  object  RelocFileID  into the ELF
              executable object DestFileID. This command is used for injecting
              plain  C compiled code linked into a .o file into a host ET_EXEC
              (executable) or ET_DYN (shared library) ELF file.

       set DestObjectPath SourceObjectPath
              Set the value of object DestObjectPath to SourceObjectPath.  The
              $_  variable gets modified depending on the result. See the info
              command for a list of  all  accessible  objects  using  the  set
              command.

       s sht [Regex]
              Print  the  sections  in the Section Header Table (SHT) matching
              Regex

       sub    Substract 2nd parameter to the first one.  The  $_  variable  is
              modified depending on the result.

       write DestObjectPath SourceObjectPath
              Copy   data   from   SourceObjectPath   to  DestObjectPath.  The
              destination object has to be of type RAW (the data  field  of  a
              section)  and the source object has to be of type RAW or STRING.
              See the info command for more detail about this.

       ========================================================================

       Debugger commands

              backtrace break continue dbgstack delete dumpregs linkmap  stack
              step display threads itrace

       backtrace
              Print backtrace (needs frame pointer).

       break (BPsymbol | 0xaddress)
              Put  a breakpoint on symbol or address. Print all breakpoints if
              given without parameter.

       step    Enable or disable stepping of debuggee  program.  Use  continue
              for singlestepping.

       continue

              Continue   executing   debuggee   program  after  breakpoint  or
              singlestep.

       delete (BPID | BPsymbol | 0xaddress)

              Delete breakpoint by symbol, address, or ID.

       dbgstack WordsNBR

              Dump N words (N given as  first  parameter)  from  the  debugger
              stack.  We can do that because the debugger is embedded into the
              debuggee process.

       stack WordsNBR

              Dump WordsNBR words on debuggee stack.

       dumpregs

              Dump registers of debuggee at breakpoint or step.

       linkmap

              Print Linkmap list for the debuggee process.

       display BPid Full_ERESI_command
              Set a command to be executed on event. The first parameter  must
              be  the  breakpoint  id  that correspond to the event. The ERESI
              command can be any valid ERESI command, including  the  sourcing
              of an ERESI script.

       threads [ThreadID]
              If  called without parameter, this command list existing threads
              in the debuggee process. If called with a thread  ID  parameter,
              the  current  thread  is switched to the thread indicated by the
              ID.

       itrace Singlestep the debuggee program  until  next  breakpoint  event,
              printing all executed instructions until it stops.

       ========================================================================

       ELFsh modules commands

              modhelp modload modunload

       modhelp ModuleFilePath
              Print help for a loaded ERESI module.

       modload ModuleFilePath
              Load an ERESI module. The path has to be absolute or relative to
              the registered module path.

       modunload ModuleFilePath
              Unload an ERESI module. The path has to be absolute or  relative
              to the registered module path.

       ========================================================================

       ELF objects flags

              fixup shtrm sstrip

       fixup  Mark  BSS  section  to  be  included  in disk file. The BSS gets
              immediately fixed  in  the  ELFsh  internal  descriptor  of  the
              object.

       shtrm  Mark  Section  Header  Table as removed. The SHT will be removed
              only when the file is saved.

       sstrip Mark the Section Header Table (SHT) and Symbol  Table  (.symtab)
              as stripped. They will be removed only when the file is saved.

       ========================================================================

       Ondisk only ELF commands

              Those commands only works in ELFsh, or in E2dbg when switched to
              the static mode using the mode command.

              append extend flush insert remove save stab sym

       append SectionName SourceObjectPath
              Append  the  data  of   object   SourceObjectPath   to   section
              SectionName

       extend SectionName length
              Extend section SectionName with length zero bytes

       flush  Flush all injected .o files from current file.

       insert Inject  new  object  (section,  symbol,  or  program  header) in
              current working file.

              insert sect  name code|data|unmap [sz] [align]
                     sym   name value           [sz]
                     phdr  type vaddr           [sz]

       remove Remove ELF object (section,  symbol,  or  program  header)  from
              current working file

              remove sect name
                     sym  name
                     phdr index

       save filename
              Dump current selected file to output file filename. This command
              writes a file on disk.

       debug  Print unified debug format information for the current file.

       st sym [Regex]
              Print the symtab (.symtab) entries matching Regex.

       ========================================================================

       Kernsh modules commands

              Those commands only works in Kernsh.

       openmem
              Open kernel memory and static kernel

       closemem
              Close kernel memory and static kernel

       sct    Display the syscall table

       idt    Display the interrupt descriptor table

       gdt    Display the global descriptor table

       alloc  Alloc contiguous kernel memory

       free   Free contiguous kernel memory

       alloc_nc
              Alloc non contiguous kernel memory

       free_nc
              Free non contiguous kernel memory

       kmodule
              Handle kernel module

              kmodule -l module : load a lkm

              kmodule -u module : unload a lkm

              kmodule -r module1 module2 moduleout : link module with another

              kmodule -i module original_name  evil_name  :  change  lkm  init
              (original_name) with another function (evil_name)

       ksym   Get an address of a kernel symbol

       kmd5 sa output | sa:rva output | sa%rva%size output | sa%size output
              Make a md5sum.

              sa : Symbol or addr

              rva : Byte offset form the beginning (optional)

              size  :  Bytes number limit (optional) (if size is 0 or not put,
              we search the end of the function)

              output : file output (optional)

       kcmd5 format | file
              Check a md5.

              format : addr:mode:size:off:md5

              file : filename

       ========================================================================

       Type related primitives

              Those primitives allow to define and habitate types in the ERESI
              meta-language:

       type [regex]

              Print  list of types (only those matching the regular expression
              if given in parameter).

       type name = field1:type1 ... fieldN:typeN

              Define a new type in the ERESI meta-language.  Predefined  types
              include  byte,  short,  int,  caddr,  daddr, long, hash, vector,
              string, and raw.

       typedef tname tname2

              Copy and rename a type. Any modification on  one  of  the  types
              will not affect the other.

       inform type [name | address]

              Make  type  name  habitated  by the variable standing at address
              name. If called with a single type name parameter,  the  command
              list   all  variables  that  habitate  this  type.  If  given  2
              parameters, the name is interpreted as a symbol  pointing  on  a
              variable. Its address is resolved and the type is informed about
              this variable. If only an address is given, its symbol is looked
              up  and the variable corresponding to the symbol is informed. If
              no symbol corresponds to this address, a new one is created that
              points  on  the  address,  and  the  newly  symbolic variable is
              informed.

       uninform type [name]

              Uninform a given variable from a type. If no  variable  name  is
              given,  all  variables  previously informed are removed from the
              type habitation.

       ========================================================================

       Network commands

              connect disconnect net netkill netlist peerslist rcmd

       connect
              Add a DUMP connection to given host

       disconnect
              Kill the DUMP connection from IP

       net    Activate networking capabilities

       netkill
              Kill a network client by IP

       netlist
              List connected network clients

       peerslist
              List connected DUMP peers

       rcmd   Execute a command on a remote machine

       ========================================================================

       Available prefixes

              alert all quiet sort verb

       alert  Alert prefix : change alert regular expression

       a all regex
              Set a global regular  expression.  All  commands  which  take  a
              regular  expression  as  a  parameter  will  default to use this
              global regular expression.

       quiet  Toggle quiet flag (do not print executed commands)

       sort   Sorting prefix (use a -addr- or s -size-)

       verb   Toggle verbose flag (undo the quiet flag)

       ========================================================================

       Available Script jumps

              A certain number of jumps construct are available:

              je jg jge jl jle jmp jne

       je     Jump on label if equal (use last cmp result)

       jg     Jump on label if greater (use last cmp result)

       jge    Jump on label if greater or equal (use last cmp result)

       jl     Jump on label if lower (use last cmp result)

       jle    Jump on label if lower or equal (use last cmp result)

       jmp    Unconditional jump to script label

       jne    Jump on label if nont equal (use last cmp result)

              You might also consider using a foreach construct, which is  not
              described in this manual page.

       ========================================================================

       Available modules

              modflow modremap modtest

       modflow
              Modflow  is  an  ELFsh  module  designed to perform control flow
              analysis on ELF binaries for detailed  examples  and  usage  see
              README in ELFsh/modules/modflow

       modremap
              Modflow  is  an  ELFsh  module  designed  to  perform  remapping
              sections in Elf binaries see ELFsh/modules/modremap for  further
              details

       modtest
              Modtest  is  a ElFsh module designed to show the usage of adding
              new commands to  ELFsh  see  ELFsh/modules/modtest  for  further
              details

       ========================================================================

OBJECT PATH FORMAT

       This  section  explains how to access different objects in an ELF file.
       For most commands the object can  also  be  a  decimal  or  hexadecimal
       numbers. In this case the ObjectPath is the number.

       ELF Header
              filename.hdrfield

              ELF header fields are :

       magic  Magic number

       class  File class

       type   Object file type

       machine
              Architecture

       version
              Object file version

       entry  Entry point virtual address

       phoff  Program header table file offset

       shoff  Section header table file offset

       flags  Processor-specific Flags

       ehsize Size of the ELF header in bytes

       phentsize
              Size of the program headers

       shentsize
              Size of the section headers

       phnum  Number of program headers

       shnum  Number of section headers

       shstrndx
              Section header string table index

       pax_pageexec
              PAX use paging based non-executable pages

       pax_emultramp
              PAX emulate trampolines

       pax_mprotect
              PAX restrict mmap

       pax_randmmap
              PAX randomize mmap

       pax_randexec
              PAX randomly map executable address

       pax_segmexec
              PAX use segmentation based non-executable pages

       got/ctors/dtors tables
              (filename | fileID).(got|ctors|dtors)[index]

              In  this  command,  the  index  can  also  be a symbol name that
              corresponds to the requested GOT, CTORS, OR DTORS entry.

       Program segment header table
              (filename | fileID).pht[index].fi eld

              Program segment header table entry fields are :

       type   Segment type

       offset Segment file offset

       paddr  Segment physical address

       vaddr  Segment virtual address

       filesz Segment size in file

       memsz  Segment size in memory

       flags  Segment flags

       align  Segment alignment

       Symbol/Dynamic symbol tables
              (filename | fileID).(symtab|dynsym)[index].fi eld

              Symbol/Dynamic symbol table entry fields are :

       name   Symbol name

       value  Symbol value

       size   Symbol size

       bind   Symbol binding

       type   Symbol type

       other  Symbol visibility

       Dynamic section
              (filename | fileID).dynamic[index].fi eld

              The .dynamic section entry fields are :

       val    Integer or address value

       tag    Dynamic entry type

       Section header table
              (filename | fileID).sht[index].fi eld

              The index can be the name of the section. Section  Header  Table
              entries fields are :

       type   Section type

       offset Section Offset in ELF file

       addr   Section Address

       size   Section Size in bytes

       link   Link to another section

       info   Additional Info

       align  Section Alignment

       entsize
              Entry size if section holds table

       flags

       a      Section occupies memory during execution

       w      Section is Writeable

       x      Section is Executable

       s      Contains nul-terminated strings

       m      Section might be merged

       l      Preserve order after combining

       o      OS specific

       Relocation table
              (filename | fileID).rel[indextable][indexentry].fi eld

              Relocation entry fields are :

       type   Relocation Type

       sym    Relocation symbol index

       offset Address

       Additional sections information
              (filename | fileID).section[sectionindex].fi eld

              The  section  object  is  not a real object of the binary, but a
              kind of virtual one.  It  holds  all  the  information  about  a
              section  that  do not stand in the sectoin header table entries.
              Section fields are :

       name   Section name

       raw    Section Raw data

              To access use following path format :

       filename.section[index[:offset[%elemsize]]].raw

AUTHOR

       ERESI was created by Julien Vanegue and developed by the ERESI team

                      <team at eresi-project dot antispam org>

       The complete list of ERESI contributors can be found on the website:

                      http://www.eresi-project.org

       This manual page was created by Julien Vanegue, from previous  work  on
       the  ELFsh  man  page  by  Peter  De Schrijver for the Debian GNU/Linux
       system. Additional improvements were made by stingduk for version  0.7.

SEE ALSO

       readelf(1), objdump(1), objcopy(1), gdb(1), ltrace(1), strace(1)