{"id":13843063,"url":"https://github.com/KeenSecurityLab/BinAbsInspector","last_synced_at":"2025-07-11T17:33:14.956Z","repository":{"id":37301920,"uuid":"474228289","full_name":"KeenSecurityLab/BinAbsInspector","owner":"KeenSecurityLab","description":"BinAbsInspector: Vulnerability Scanner for Binaries","archived":false,"fork":false,"pushed_at":"2024-06-17T15:29:24.000Z","size":798,"stargazers_count":1615,"open_issues_count":22,"forks_count":233,"subscribers_count":27,"default_branch":"main","last_synced_at":"2025-05-22T17:15:01.778Z","etag":null,"topics":["abstract-interpretation","binary-analysis","ghidra","reverse-engineering","security","static-analyzer","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/KeenSecurityLab.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-26T03:13:33.000Z","updated_at":"2025-05-21T03:33:54.000Z","dependencies_parsed_at":"2022-07-09T05:46:26.081Z","dependency_job_id":"72265428-b018-4c10-a231-e074f703237c","html_url":"https://github.com/KeenSecurityLab/BinAbsInspector","commit_stats":{"total_commits":20,"total_committers":6,"mean_commits":"3.3333333333333335","dds":0.65,"last_synced_commit":"658b41389b2fc16c2fcd4bfc5610f6c26d31ca6f"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/KeenSecurityLab/BinAbsInspector","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KeenSecurityLab%2FBinAbsInspector","tags_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/repositories/KeenSecurityLab%2FBinAbsInspector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KeenSecurityLab%2FBinAbsInspector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KeenSecurityLab%2FBinAbsInspector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/KeenSecurityLab","download_url":"https://codeload.github.com/KeenSecurityLab/BinAbsInspector/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KeenSecurityLab%2FBinAbsInspector/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264862639,"owners_count":23675013,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["abstract-interpretation","binary-analysis","ghidra","reverse-engineering","security","static-analyzer","vulnerability-scanner"],"created_at":"2024-08-04T17:01:54.277Z","updated_at":"2025-07-11T17:33:14.565Z","avatar_url":"https://github.com/KeenSecurityLab.png","language":"Java","readme":"# What is BinAbsInspector?\n\nBinAbsInspector (Binary Abstract Inspector) is a static analyzer for automated reverse engineering and vulnerability scanning of binaries. It is a long-term research project incubated at [Keenlab](https://keenlab.tencent.com/). It is based on abstract interpretation with support from Ghidra. It works on Ghidra's Pcode instead of assembly. Currently it supports binaries on x86, x64, armv7 and aarch64. 
\n\n# Installation\n+ Install Ghidra according to [Ghidra's documentation](https://github.com/NationalSecurityAgency/ghidra#install)\n+ Install [Z3](https://github.com/Z3Prover/z3) (tested version: 4.8.15)\n+ Note that the Z3 library generally has two parts: a Java package and a native library. The Java package is already included in the \"/lib\" directory, but we suggest that you replace it with your own Java package for version compatibility.\n  + For Windows, download a pre-built package from [here](https://github.com/Z3Prover/z3/releases), extract the zip file and add a PATH environment variable pointing to `z3-${version}-win/bin`\n  + For Linux, installing with a package manager is NOT recommended; there are two options:\n    1. You can download a suitable pre-built package from [here](https://github.com/Z3Prover/z3/releases), extract the zip file and copy `z3-${version}-glibc-${version}/bin/*.so` to `/usr/local/lib/`\n    2. Or you can build and install Z3 according to [Building Z3 using make and GCC/Clang](https://github.com/Z3Prover/z3#building-z3-using-make-and-gccclang)\n  + For macOS, the process is similar to Linux.\n+ Download the extension zip file from the [release page](https://github.com/KeenSecurityLab/BinAbsInspector/releases)\n+ Install the extension according to [Ghidra Extension Notes](https://ghidra-sre.org/InstallationGuide.html#GhidraExtensionNotes)\n\n# Building\nYou can build the extension yourself. If you want to develop a new feature, please refer to the [development guide](https://github.com/KeenSecurityLab/BinAbsInspector/wiki/Developer-Guide).\n+ Install Ghidra and Z3\n+ Install [Gradle 7.x](https://gradle.org/releases/) (tested version: 7.4)\n+ Pull the repository\n+ Run `gradle buildExtension` under the repository root\n+ The extension will be generated at `dist/${GhidraVersion}_${date}_BinAbsInspector.zip` \n\n# Usage\nYou can run BinAbsInspector in headless mode, GUI mode, or with docker.\n\n+ With Ghidra headless 
mode.\n```\n$GHIDRA_INSTALL_DIR/support/analyzeHeadless \u003cprojectPath\u003e \u003cprojectName\u003e -import \u003cfile\u003e -postScript BinAbsInspector \"@@\u003cscriptParams\u003e\"\n```\n`\u003cprojectPath\u003e`   --   Ghidra project path.  \n`\u003cprojectName\u003e`   --   Ghidra project name.  \n`\u003cscriptParams\u003e`  --   The arguments for our analyzer, which provides the following options:\n\n| Parameter                                 | Description                           |\n| ----------------------------------------- | --------------------------------------|\n| `[-K \u003ckElement\u003e]`                         | KSet size limit [K](https://github.com/KeenSecurityLab/BinAbsInspector/wiki/Technical-Details#kset)             |\n| `[-callStringK \u003ccallStringMaxLen\u003e]`       | Call string maximum length [K](https://github.com/KeenSecurityLab/BinAbsInspector/wiki/Technical-Details#context)|\n| `[-Z3Timeout \u003ctimeout\u003e]`                  | Z3 timeout                            |\n| `[-timeout \u003ctimeout\u003e]`                    | Analysis timeout                      |\n| `[-entry \u003caddress\u003e]`                      | Entry address                         |\n| `[-externalMap \u003cfile\u003e]`                   | External function model config        |\n| `[-json]`                                 | Output in JSON format                 |\n| `[-disableZ3]`                            | Disable Z3                            |\n| `[-all]`                                  | Enable all checkers                   |\n| `[-debug]`                                | Enable debugging log output           |\n| `[-check \"\u003ccweNo1\u003e[;\u003ccweNo2\u003e...]\"]`       | Enable specific checkers              |\n\n+ With Ghidra GUI\n  1. Run Ghidra and import the target binary into a project\n  2. Analyze the binary with default settings\n  3. 
When the analysis is done, open `Window -\u003e Script Manager` and find `BinAbsInspector.java`\n  4. Double-click on the `BinAbsInspector.java` entry, set the parameters in the configuration window and click OK\n  5. When the analysis is done, you can see the CWE reports in the console window; double-clicking an address in the report jumps to the corresponding address\n\n+ With Docker\n\n```shell\ngit clone git@github.com:KeenSecurityLab/BinAbsInspector.git\ncd BinAbsInspector\ndocker build . -t bai\ndocker run -v $(pwd):/data/workspace bai \"@@\u003cscript parameters\u003e\" -import \u003cfile\u003e\n```\n\n# Implemented Checkers\nSo far BinAbsInspector supports the following checkers:\n\n+ [CWE78](https://cwe.mitre.org/data/definitions/78.html)  (OS Command Injection)\n+ [CWE119](https://cwe.mitre.org/data/definitions/119.html) (Buffer Overflow (generic case))\n+ [CWE125](https://cwe.mitre.org/data/definitions/125.html) (Buffer Overflow (Out-of-bounds Read))\n+ [CWE134](https://cwe.mitre.org/data/definitions/134.html) (Use of Externally-Controlled Format string)\n+ [CWE190](https://cwe.mitre.org/data/definitions/190.html) (Integer overflow or wraparound)\n+ [CWE367](https://cwe.mitre.org/data/definitions/367.html) (Time-of-check Time-of-use (TOCTOU))\n+ [CWE415](https://cwe.mitre.org/data/definitions/415.html) (Double free)\n+ [CWE416](https://cwe.mitre.org/data/definitions/416.html) (Use After Free)\n+ [CWE426](https://cwe.mitre.org/data/definitions/426.html) (Untrusted Search Path)\n+ [CWE467](https://cwe.mitre.org/data/definitions/467.html) (Use of sizeof() on a pointer type)\n+ [CWE476](https://cwe.mitre.org/data/definitions/476.html) (NULL Pointer Dereference)\n+ [CWE676](https://cwe.mitre.org/data/definitions/676.html) (Use of Potentially Dangerous Function)\n+ [CWE787](https://cwe.mitre.org/data/definitions/787.html) (Buffer Overflow (Out-of-bounds Write))\n\n# Project Structure\nThe structure of this project is as follows; please refer to the [technical 
details](https://github.com/KeenSecurityLab/BinAbsInspector/wiki/Technical-Details) or the [Chinese version article](https://keenlab.tencent.com/zh/2022/04/20/2022-BinAbsInspector-public-release/) for more details.\n```\n├── main\n│   ├── java\n│   │   └── com\n│   │       └── bai\n│   │           ├── checkers                       checker implementation\n│   │           ├── env\n│   │           │   ├── funcs                      function modeling\n│   │           │   │   ├── externalfuncs          external function modeling\n│   │           │   │   └── stdfuncs               cpp std modeling\n│   │           │   └── region                     memory modeling\n│   │           ├── solver                         analysis core and graph module\n│   │           └── util                           utilities\n│   └── resources\n└── test\n```\nYou can also build the javadoc with `gradle javadoc`; the API documentation will be generated in `./build/docs/javadoc`.\n\n# Acknowledgement\nWe employ [Ghidra](https://ghidra-sre.org/) as our foundation and frequently leverage [JImmutable Collections](http://brianburton.github.io/java-immutable-collections/) for better performance.  \nHere we would like to thank them for their great help!\n","funding_links":[],"categories":["其他_安全与渗透","Java"],"sub_categories":["网络服务_其他"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FKeenSecurityLab%2FBinAbsInspector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FKeenSecurityLab%2FBinAbsInspector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FKeenSecurityLab%2FBinAbsInspector/lists"}