Skip to content

Latest commit

 

History

History
145 lines (124 loc) · 10.5 KB

security.md

File metadata and controls

145 lines (124 loc) · 10.5 KB

1. Dynamical analysis

This repository lists dynamic analysis tools for all programming languages, build tools, config files and more.

1.1 Control/Data Flow Analysis (CFG/DFG)

A data-flow graph (DFG) is a graph which represents a data dependency between a number of operations. A control-flow graph (CFG) is a directed graph where the nodes are basic blocks (a section of code with a single entry and a single exit point) and edges represent branch/jump instructions. Finding Redundant Structures in Data Flow Graphs gives a lot of details (code and theory) about DFG construction.

DFG generation Tool

This is a simple example of DFG, and more detailed Introduction.

  • Perf tools are packaged based on the kernel version, which means the version of perf provided by Linux distributions is always quite old, whereas updates to Intel PT support are happening all the time. That means, for the latest Intel PT features, we really need to download and build that latest perf.
  • angr is a python framework for analyzing binaries. It combines both static and dynamic symbolic ("concolic") analysis, making it applicable to a variety of tasks.
  • PolyTracker is a tool originally created for the Automated Lexical Annotation and Navigation of Parsers, a backronym devised solely for the purpose of referring to it as The ALAN Parsers Project.
  • Intel Pin: Pin tool example
  • Triton is a dynamic binary analysis library. It provides internal components like a dynamic symbolic execution engine, a dynamic taint analysis engine, AST representation of the x86, x86-64, ARM32 and AArch64 ISA semantic, an expressions synthesis engine, some SMT simplification passes, SMT solver interface to Z3 and Bitwuzla and, the last but not least, Python bindings. Based on these components, you are able to build your program analysis tools, automate reverse engineering, perform software verification or just emulate code.

2. Static analysis

Static Analysis is the automated analysis of source code without executing the application. When the analysis is performed during program execution then it is known as Dynamic Analysis. Static Analysis is often used to detect:

  • Security vulnerabilities.
  • Performance issues.
  • Non-compliance with standards.
  • Use of out of date programming constructs.

This is a curated list of static analysis tool list.

3. LLVM

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies. More details are written in the blog

4. GDB

GDB is a debugger which can only use debugging symbols that are generated by g++. GDB command can be split into several parts: start, run, backtrace, breakpoints (including conditional breakpoints), print.

Compile

To prepare your program for debugging with gdb, you must compile it with the -g flag. So, if your program is in a source file called memsim.c and you want to put the executable in the file memsim, then you would compile with the following command: gcc -g -o memsim memsim.c

run

run will start the program running under gdb. The program that starts will be the one that you have previously selected with the file command, or on the unix command line when you started gdb. You can give command line arguments to your program on the gdb command line the same way you would on the unix command line.

(gdb) run        	run the program with current arguments
(gdb) run args redirection        run with args and redirection
(gdb) set args args...        set arguments for run 
(gdb) show args        show current arguments to run
(gdb) cont            continue the program
(gdb) step            single step the program; step into functions
(gdb) step count       singlestep \fIcount\fR times
(gdb) next            step but step over functions 
(gdb) next count       next \fIcount\fR times
(gdb) CTRL-C          actually SIGINT, stop execution of current program 
(gdb) attach process-id        attach to running program
(gdb) detach        detach from running program
(gdb) finish        finish current function\'s execution
(gdb) kill           kill current executing program 

clear

clear function will delete the breakpoint set at that function. Similarly for linenumber, filename:function, and filename:linenumber.

continue

continue will set the program running again, after you have stopped it at a breakpoint.

step

step will go ahead and execute the current source line, and then stop execution again before the next source line.

backtrace

(gdb) bt        	print stack backtrace
(gdb) frame        	show current execution position
(gdb) up        	move up stack trace  (towards main)
(gdb) down        	move down stack trace (away from main)
(gdb) info locals      print automatic variables in frame
(gdb) info args         print function parameters 

breakpoints

A ``breakpoint'' is a spot in your program where you would like to temporarily stop execution in order to check the values of variables, or to try to find out where the program is crashing, etc. To set a breakpoint you use the break command.

break function sets the breakpoint at the beginning of function. If your code is in multiple files, you might need to specify filename:function.

break linenumber or break filename:linenumber sets the breakpoint to the given line number in the source file. Execution will stop before that line has been executed.

print

print expression will print out the value of the expression, which could be just a variable name.

(gdb) print expression        print expression, added to value history
(gdb) print/x expressionR        print in hex
(gdb) print array[i]@count        artificial array - print array range
(gdb) print $        	print last value
(gdb) print *$->next    print thru list
(gdb) print $1        	print value 1 from value history
(gdb) print ::gx        force scope to be global
(gdb) print 'basic.c'::gx        global scope in named file (>=4.6)
(gdb) print/x &main     print address of function

reference

Here is a quick reference of GDB -- GDB GUIDE.

5. Objdump

objdump displays information about one or more object files. The options control what particular information to display. This information is mostly useful to programmers who are working on the compilation tools, as opposed to programmers who just want their program to compile and work.

Here are some objdump examples -- Linux Objdump Command Examples. And you could check the official page -- objdump man page.

6. Makefile

7. Vim

Here is a quick reference of Vim -- Vim Cheat Sheet.

8. Pack

  • PEiD: PEiD detects most common packers, cryptors and compilers for PE files.
  • UPX: UPX is a free, portable, extendable, high-performance executable packer for several executable formats.

9. Obfuscation

Other Tools

  • IDA Pro: IDA Pro Tutotial
  • Ollydbg
  • X64dbg
    • ScyllaHide is an advanced open-source x64/x86 user mode Anti-Anti-Debug library.
  • radare2: UNIX-like reverse engineering framework and command-line toolset.
  • HyperDbg: HyperDbg Debugger is an open-source, community-driven, hypervisor-assisted, user-mode and kernel-mode Windows debugger with a focus on using modern hardware technologies. It is a debugger designed for analyzing, fuzzing and reversing.

PE tool

  • Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module.
  • PE view: PEview is a viewer for PE files.
  • PE Explorer is the most feature-packed program for inspecting the inner workings of your own software, and more importantly, third party Windows applications and libraries for which you do not have source code.
  • PEiD detects most common packers, cryptors and compilers for PE files.
  • LIEF: Library to Instrument Executable Formats

Misc