
ERESI Reverse Engineering Software Interface


Section: User commands (1). Updated: May 2007.

ERESI - The ERESI Reverse Engineering Software Interface

    elfsh [OPTIONS]
    etrace [OPTIONS]
    e2dbg programtodebug
    kernsh

The ERESI Reverse Engineering Software Interface is a unified reverse engineering framework for UNIX operating systems based on the Executable & Linking Format (ELF), such as Linux, BSD, Solaris, IRIX, and BeOS.

EresiManPage – ERESI – Trac

The ELF shell (part of ERESI) can take the following command line parameters:

    -f input file
    -w output file

Note that the command line is slightly different for e2dbg and etrace, which do NOT take those parameters. e2dbg and etrace have to be executed with a single command line parameter: the program file to be debugged or traced.

General purpose commands: cat, edit, exec, exit, help, info, list, load, lscripts, nocolor, profile, quit, sdir, setcolor, switch, unload, workspace.

    cat            print the file argument
    edit           edit the file given in parameter
    exec           fork and execute parameter command (with args)
    help           print the help screen
    info
    list
    load filename
    lscripts

Kedbg – ERESI – Trac

The ERESI tracer is an embedded tracer which operates directly from within the traced binary itself.

TheEmbeddedELFtracer – ERESI – Trac

We achieve this modus operandi by using binary module injection and function redirection. A new binary is created in which all functions are hooked, so we can display the program entering and leaving functions. As the tracer lives inside the traced binary, we gain performance because we do not need to single-step, in contrast to other tracers that rely on a kernel interface such as the ptrace debugging API. Another major difference is that etrace works on all functions without using a predefined list, as most other tracers do. Etrace was designed for reverse engineering targets that contain not only glibc functions but also custom functions present in your binary or in a specific library. The main features of the ELF tracer (etrace) are:

    Command-line tracing of ELF binaries without using ptrace

Our approach to tracing is a new innovation of the ERESI project.

The Embedded ELF Debugger (e2dbg) is the implementation of a new concept of debugger that runs inside the process to be debugged, instead of being an external entity accessing the target address space from the outside.

TheEmbeddedELFDebugger – ERESI – Trac

Instead of using a system-specific API such as ptrace, the debugger is built as a shared library that is injected into the process through the LD_PRELOAD environment variable. This makes e2dbg very efficient, as it needs no context switch to inspect the target process. Note that the dynamic linker heavily restricts LD_PRELOAD in secure-execution mode (set-user-ID and set-group-ID programs), and that statically linked binaries load no shared libraries at all, so those targets are out of reach for this approach. The ERESI debugger can also be scripted under the same conditions as a complete ERESI interpreter, since the interpreter is embedded in the debugger. The main features of the Embedded ELF debugger are:

    Debugging of dynamic ELF binaries without using ptrace
    Runtime injection of software extensions developed in C

Allocation proxying is a technique that allows the embedded ELF debugger to run with its own dynamic memory allocator inside the debuggee process.

Figure 1: E2dbg in action
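The allocation proxying mentioned above, as an added illustration that is not e2dbg's own code: a debugger that lives inside the debuggee's address space must not call the debuggee's malloc() from its hooks, because that mutates the heap under analysis and can recurse or deadlock if a hook fires while the target is itself inside the allocator. The example routes the debugger's allocations to a private arena while a global "in debugger" flag is set and falls through to libc otherwise. The flag, the arena size, the bump-allocator design and all function names are assumptions made for this illustration; the real e2dbg implementation may differ.

```c
/* Allocation proxying, illustrative only: not e2dbg's own code.
 * A debugger living inside the debuggee's address space must not call the
 * debuggee's malloc() from its hooks: that mutates the heap under analysis
 * and can recurse or deadlock if a hook fires while the target is itself
 * inside the allocator. Assumption for this example: a single global flag
 * marks "debugger code is running"; while it is set, allocations come from a
 * private arena the debuggee never touches, otherwise they go to libc.
 * A multithreaded debuggee would need a thread-local flag instead. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define E2DBG_ARENA_SIZE (256 * 1024)   /* assumed size of the private heap */
#define E2DBG_ALIGN      16             /* alignment malloc() guarantees on x86-64 */

static unsigned char e2dbg_arena[E2DBG_ARENA_SIZE] __attribute__((aligned(E2DBG_ALIGN)));
static size_t e2dbg_arena_top = 0;      /* bump pointer: bytes handed out so far */
static int e2dbg_in_debugger = 0;       /* 1 while debugger code is executing */

void e2dbg_enter(void) { e2dbg_in_debugger = 1; }
void e2dbg_leave(void) { e2dbg_in_debugger = 0; }

/* True if p lies inside the private arena (used to route free()). */
int e2dbg_ptr_in_arena(const void *p)
{
    const unsigned char *c = (const unsigned char *)p;
    return c >= e2dbg_arena && c < e2dbg_arena + E2DBG_ARENA_SIZE;
}

size_t e2dbg_arena_used(void) { return e2dbg_arena_top; }

/* Bump allocation: no per-block header, so individual frees are no-ops and
 * e2dbg_arena_reset() releases everything when the debugger detaches. */
static void *e2dbg_arena_alloc(size_t n)
{
    size_t rounded;
    if (n == 0)
        n = 1;                          /* hand out a distinct pointer, as malloc(0) may */
    if (n > E2DBG_ARENA_SIZE)
        return NULL;
    rounded = (n + E2DBG_ALIGN - 1) & ~(size_t)(E2DBG_ALIGN - 1);
    if (rounded > E2DBG_ARENA_SIZE - e2dbg_arena_top)
        return NULL;                    /* arena exhausted: fail, never fall back to libc */
    void *p = e2dbg_arena + e2dbg_arena_top;
    e2dbg_arena_top += rounded;
    return p;
}

void e2dbg_arena_reset(void) { e2dbg_arena_top = 0; }

/* The proxies: every allocation in the instrumented process goes through here. */
void *proxy_malloc(size_t n)
{
    if (e2dbg_in_debugger)
        return e2dbg_arena_alloc(n);
    return malloc(n);                   /* debuggee allocation: untouched libc heap */
}

void proxy_free(void *p)
{
    if (p == NULL)
        return;
    if (e2dbg_ptr_in_arena(p))
        return;                         /* debugger memory is reclaimed by reset */
    free(p);
}

int main(void)
{
    e2dbg_enter();
    void *dbg = proxy_malloc(100);      /* lands in the arena, 112 bytes after rounding */
    e2dbg_leave();
    void *app = proxy_malloc(100);      /* lands on the libc heap */
    printf("debugger block in arena: %d, app block in arena: %d, arena used: %zu\n",
           e2dbg_ptr_in_arena(dbg), e2dbg_ptr_in_arena(app), e2dbg_arena_used());
    proxy_free(dbg);
    proxy_free(app);
    e2dbg_arena_reset();
    return 0;
}
```

The point of the design is the routing, not the allocator: when the arena runs out the proxy returns NULL rather than silently calling the debuggee's malloc(), because a fallback would reintroduce exactly the heap interference the proxy exists to prevent.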

Kernsh is an interactive, modular, and scriptable interpreter of the ERESI language dedicated to static and runtime access to the kernel on-disk image and to kernel memory.

TheKernelShell – ERESI – Trac

Kernsh can apply most of the userland ERESI features at the kernel level. Additionally, kernsh makes it possible to obtain and modify kernel information directly from userland using ERESI scripting. It can access the syscall table, IDT, GDT and symbol table, insert modules in memory without LKM support, and so on. Because kernsh is completely integrated in the ERESI framework, it can create new type definitions and annotate kernel memory, so that potentially all kernel objects can be accessed from ERESI scripts once their format has been defined by the user. Kernsh comes with a large configuration file predefining the most popular kernel structures for the Linux 2.4 and 2.6 kernel versions. The main features of kernsh are:

    Read/Write

The ELF shell is an interactive, modular, and scriptable ELF (Executable & Linking Format) machine for static binary instrumentation of executable files, shared libraries and relocatable ELF objects.

TheELFsh – ERESI – Trac

Its innovative features make it usable by reverse engineers and security analysts for embedded analysis of binary programs using compiled C code extensions. It features execution flow redirection, which allows dynamic analyzers to be generated and binary-level testing to be performed. ELFsh is compatible with kernel hardening patches: it can perform its modifications on systems with a non-executable stack and heap, and this for multiple architectures. The main features of the ELF shell are:

    Injection of new compiled C code into a binary executable or dynamic library file

We report here the latest features of the ELF shell in static binary instrumentation and manipulation:

June 7 2007: ELFsh 0.78 is now available again in the portable branch, for Linux, FreeBSD, NetBSD, and Solaris.

March 24 2007.