{"id":13398335,"url":"https://github.com/programa-stic/barf-project","last_synced_at":"2025-03-14T02:31:18.471Z","repository":{"id":22306419,"uuid":"25641440","full_name":"programa-stic/barf-project","owner":"programa-stic","description":"BARF : A multiplatform open source Binary Analysis and Reverse engineering Framework","archived":false,"fork":false,"pushed_at":"2019-11-24T16:06:27.000Z","size":2267,"stargazers_count":1407,"open_issues_count":17,"forks_count":166,"subscribers_count":69,"default_branch":"master","last_synced_at":"2024-10-01T07:48:51.343Z","etag":null,"topics":["arm","binary-analysis","python","reil","reverse-engineering","x86"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"systemedia/Test","license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/programa-stic.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-10-23T14:33:24.000Z","updated_at":"2024-09-16T00:10:05.000Z","dependencies_parsed_at":"2022-08-21T02:00:56.503Z","dependency_job_id":null,"html_url":"https://github.com/programa-stic/barf-project","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/programa-stic%2Fbarf-project","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/programa-stic%2Fbarf-project/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/programa-stic%2Fbarf-project/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/programa-stic%2Fbarf-project/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/programa-stic","download_url":"https://codeload.github.com/programa-stic/barf-project/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243511660,"owners_count":20302595,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arm","binary-analysis","python","reil","reverse-engineering","x86"],"created_at":"2024-07-30T19:00:23.101Z","updated_at":"2025-03-14T02:31:17.699Z","avatar_url":"https://github.com/programa-stic.png","language":"Python","readme":"# BARF : Binary Analysis and Reverse engineering Framework\n\n[![Build Status](https://travis-ci.org/programa-stic/barf-project.svg?branch=master)](https://travis-ci.org/programa-stic/barf-project)\n\nThe analysis of binary code is a crucial activity in many areas of the computer sciences and software engineering disciplines ranging from software security and program analysis to reverse engineering. Manual binary analysis is a difficult and time-consuming task and there are software tools that seek to automate or assist human analysts. However, most of these tools have several technical and commercial restrictions that limit access and use by a large portion of the academic and practitioner communities. *BARF* is an open source binary analysis framework that aims to support a wide range of binary code analysis tasks that are common in the information security discipline. It is a scriptable platform that supports instruction lifting from multiple architectures, binary translation to an intermediate representation, an extensible framework for code analysis plugins and interoperation with external tools such as debuggers, SMT solvers and instrumentation tools. The framework is designed primarily for human-assisted analysis but it can be fully automated.\n\nThe *BARF project* includes *BARF* and related tools and packages. So far the\nproject is composed of the following items:\n\n* **BARF** : A multiplatform open source Binary Analysis and Reverse engineering Framework\n* **PyAsmJIT** : A JIT for the Intel x86_64 and ARM architecture.\n* Tools built upon *BARF*:\n    * **BARFgadgets** : Lets you *search*, *classifiy* and *verify* ROP gadgets inside a binary program.\n    * **BARFcfg** : Lets you recover the control-flow graph of the functions of a binary program.\n    * **BARFcg** : Lets you recover the call graph of the functions of a binary program.\n\nFor more information, see:\n\n* *BARF: A multiplatform open source Binary Analysis and Reverse engineering Framework* (Whitepaper) [[en](./doc/papers/barf.pdf)]\n* *BARFing Gadgets* (ekoparty2014 presentation) [[es](./doc/presentations/barfing-gadgets.ekoparty2014.es.pdf)]\n\nCurrent status:\n\n| **Latest Release** | v0.6.0                                                                 |\n|-------------------:|:-----------------------------------------------------------------------|\n|            **URL** | https://github.com/programa-stic/barf-project/releases/tag/v0.6.0      |\n|     **Change Log** | https://github.com/programa-stic/barf-project/blob/v0.6.0/CHANGELOG.md |\n\n\u003e All packages were tested on Ubuntu 16.04 (x86_64).\n\n## BARF\n\n*BARF* is a Python package for binary analysis and reverse engineering. It can:\n\n* Load binary programs in different formats (``ELF``, ``PE``, etc),\n* It supports the Intel x86 architecture for 32 and 64 bits,\n* It supports the ARM architecture for 32 bits,\n* It operates on an intermediate language ([REIL]) thus all analysis algorithm are architecture-agnostic,\n* It has integration with [Z3] and [CVC4] SMT solvers which means that you can express fragments of code as formulae and check restrictions on them.\n\nIt is currently *under development*.\n\n### Installation\n\n*BARF* depends on the following SMT solvers:\n\n* [Z3] : A high-performance theorem prover being developed at Microsoft Research.\n* [CVC4] : An efficient open-source automatic theorem prover for satisfiability modulo theories (SMT) problems.\n\nThe following command installs *BARF* on your system:\n\n```bash\n$ sudo python setup.py install\n```\n\nYou can also install it locally:\n\n```bash\n$ sudo python setup.py install --user\n```\n\n#### Notes\n\n* Only one SMT solver is needed in order to work. You may choose between Z3 and CVC4 or install both.\n* To run some tests you need to install [PyAsmJIT] first: ``sudo pip install pyasmjit``\n* You may need to install [Graphviz]: ``sudo apt-get install graphviz``\n\n### Quickstart\n\nThis is a very simple example which shows how to open a binary file and print each instruction with its translation to the intermediate language (*REIL*).\n\n```python\nfrom barf import BARF\n\n# Open binary file.\nbarf = BARF(\"examples/misc/samples/bin/branch4.x86\")\n\n# Print assembly instruction.\nfor addr, asm_instr, reil_instrs in barf.translate():\n    print(\"{:#x} {}\".format(addr, asm_instr))\n\n    # Print REIL translation.\n    for reil_instr in reil_instrs:\n        print(\"\\t{}\".format(reil_instr))\n```\n\nWe can also recover the CFG and save it to a ``.dot`` file.\n\n```python\n# Recover CFG.\ncfg = barf.recover_cfg()\n\n# Save CFG to a .dot file.\ncfg.save(\"branch4.x86_cfg\")\n```\n\nWe can check restrictions on code using a SMT solver. For instance, suppose you have the following code:\n\n```\n 80483ed:       55                      push   ebp\n 80483ee:       89 e5                   mov    ebp,esp\n 80483f0:       83 ec 10                sub    esp,0x10\n 80483f3:       8b 45 f8                mov    eax,DWORD PTR [ebp-0x8]\n 80483f6:       8b 55 f4                mov    edx,DWORD PTR [ebp-0xc]\n 80483f9:       01 d0                   add    eax,edx\n 80483fb:       83 c0 05                add    eax,0x5\n 80483fe:       89 45 fc                mov    DWORD PTR [ebp-0x4],eax\n 8048401:       8b 45 fc                mov    eax,DWORD PTR [ebp-0x4]\n 8048404:       c9                      leave\n 8048405:       c3                      ret\n```\n\nAnd you want to know what values you have to assign to memory locations ``ebp-0x4``, ``ebp-0x8`` and ``ebp-0xc`` in order to obtain a specific value in ``eax`` register after executing the code.\n\nFirst, we add the instructions to the analyzer component.\n\n```python\nfrom barf import BARF\n\n# Open ELF file\nbarf = BARF(\"examples/misc/samples/bin/constraint1.x86\")\n\n# Add instructions to analyze.\nfor addr, asm_instr, reil_instrs in barf.translate(0x80483ed, 0x8048401):\n    for reil_instr in reil_instrs:\n        barf.code_analyzer.add_instruction(reil_instr)\n```\n\nThen, we generate expressions for each variable of interest and add the desired restrictions on them.\n\n```python\nebp = barf.code_analyzer.get_register_expr(\"ebp\", mode=\"post\")\n\n# Preconditions: set range for variable a and b\na = barf.code_analyzer.get_memory_expr(ebp-0x8, 4, mode=\"pre\")\nb = barf.code_analyzer.get_memory_expr(ebp-0xc, 4, mode=\"pre\")\n\nfor constr in [a \u003e= 2, a \u003c= 100, b \u003e= 2, b \u003c= 100]:\n    barf.code_analyzer.add_constraint(constr)\n\n# Postconditions: set desired value for the result\nc = barf.code_analyzer.get_memory_expr(ebp-0x4, 4, mode=\"post\")\n\nfor constr in [c \u003e= 26, c \u003c= 28]:\n    barf.code_analyzer.add_constraint(constr)\n```\n\nFinally, we check is the restrictions we establish can be resolved.\n\n```python\nif barf.code_analyzer.check() == 'sat':\n    print(\"[+] Satisfiable! Possible assignments:\")\n\n    # Get concrete value for expressions\n    a_val = barf.code_analyzer.get_expr_value(a)\n    b_val = barf.code_analyzer.get_expr_value(b)\n    c_val = barf.code_analyzer.get_expr_value(c)\n\n    # Print values\n    print(\"- a: {0:#010x} ({0})\".format(a_val))\n    print(\"- b: {0:#010x} ({0})\".format(b_val))\n    print(\"- c: {0:#010x} ({0})\".format(c_val))\n\n    assert a_val + b_val + 5 == c_val\nelse:\n    print(\"[-] Unsatisfiable!\")\n```\n\nYou can see these and more examples in the [examples](./examples) directory.\n\n### Overview\n\nThe framework is divided in three main components: **core**, **arch** and **analysis**.\n\n#### Core\n\nThis component contains essential modules:\n\n* ``REIL``: Provides definitions for the REIL language. It, also, implements an *emulator* and a *parser*.\n* ``SMT``: Provides means to interface with [Z3] and [CVC4] SMT solver. Also, it provides functionality to translate REIL instructions to SMT expressions.\n* ``BI``: The *Binary Interface* module is responsible for loading binary files for processing (it uses [PEFile] and [PyELFTools].)\n\n#### Arch\n\nEach supported architecture is provided as a subcomponent which contains the following modules.\n\n* ``Architecture``: Describes the architecture, i.e., registers, memory address size.\n* ``Translator``: Provides translators to REIL for each supported instruction.\n* ``Disassembler``: Provides disassembling functionalities (it uses [Capstone].)\n* ``Parser``: Transforms instruction from string to object form.\n\n#### Analysis\n\nSo far this component consists of modules: *Control-Flow Graph*, *Call Graph* and *Code Analyzer*. The first two, provides functionality for CFG and CG recovery, respectively. The latter, its a high-level interface to the SMT solver related functionality.\n\n## Tools\n\n### BARFgadgets\n\n``BARFgadgets`` is a Python script built upon BARF that lets you *search*, *classifiy* and *verify* ROP gadgets inside a binary program. The *search* stage finds all ``ret``-, ``jmp``- and ``call``-ended gadgets inside the binary. The *classification* stage classifies previously found gadgets according to the following types:\n\n* No-Operation,\n* Move Register,\n* Load Constant,\n* Arithmetic/Logical Operation,\n* Load Memory,\n* Store Memory,\n* Arithmetic/Logical Load,\n* Arithmetic/Logical Store and\n* Undefined.\n\nThis is done through instruction emulation. Finally, the *verification* stage consists of using a SMT solver to verify the semantic assigned to each gadget in the second stage.\n\n```\nusage: BARFgadgets [-h] [--version] [--bdepth BDEPTH] [--idepth IDEPTH] [-u]\n                   [-c] [-v] [-o OUTPUT] [-t] [--sort {addr,depth}] [--color]\n                   [--show-binary] [--show-classification] [--show-invalid]\n                   [--summary SUMMARY] [-r {8,16,32,64}]\n                   filename\n\nTool for finding, classifying and verifying ROP gadgets.\n\npositional arguments:\n  filename              Binary file name.\n\noptional arguments:\n  -h, --help            show this help message and exit\n  --version             Display version.\n  --bdepth BDEPTH       Gadget depth in number of bytes.\n  --idepth IDEPTH       Gadget depth in number of instructions.\n  -u, --unique          Remove duplicate gadgets (in all steps).\n  -c, --classify        Run gadgets classification.\n  -v, --verify          Run gadgets verification (includes classification).\n  -o OUTPUT, --output OUTPUT\n                        Save output to file.\n  -t, --time            Print time of each processing step.\n  --sort {addr,depth}   Sort gadgets by address or depth (number of\n                        instructions) in ascending order.\n  --color               Format gadgets with ANSI color sequences, for output\n                        in a 256-color terminal or console.\n  --show-binary         Show binary code for each gadget.\n  --show-classification\n                        Show classification for each gadget.\n  --show-invalid        Show invalid gadget, i.e., gadgets that were\n                        classified but did not pass the verification process.\n  --summary SUMMARY     Save summary to file.\n  -r {8,16,32,64}       Filter verified gadgets by operands register size.\n```\n\nFor more information, see [README](./barf/tools/gadgets/README.md).\n\n### BARFcfg\n\n``BARFcfg`` is a Python script built upon BARF that lets you recover the\ncontrol-flow graph of a binary program.\n\n```\nusage: BARFcfg [-h] [-s SYMBOL_FILE] [-f {txt,pdf,png,dot}] [-t]\n               [-d OUTPUT_DIR] [-b] [--show-reil]\n               [--immediate-format {hex,dec}] [-a | -r RECOVER]\n               filename\n\nTool for recovering CFG of a binary.\n\npositional arguments:\n  filename              Binary file name.\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -s SYMBOL_FILE, --symbol-file SYMBOL_FILE\n                        Load symbols from file.\n  -f {txt,pdf,png,dot}, --format {txt,pdf,png,dot}\n                        Output format.\n  -t, --time            Print process time.\n  -d OUTPUT_DIR, --output-dir OUTPUT_DIR\n                        Output directory.\n  -b, --brief           Brief output.\n  --show-reil           Show REIL translation.\n  --immediate-format {hex,dec}\n                        Output format.\n  -a, --recover-all     Recover all functions.\n  -r RECOVER, --recover RECOVER\n                        Recover specified functions by address (comma\n                        separated).\n```\n\n### BARFcg\n\n``BARFcg`` is a Python script built upon BARF that lets you recover the\ncall graph of a binary program.\n\n```\nusage: BARFcg [-h] [-s SYMBOL_FILE] [-f {pdf,png,dot}] [-t] [-a | -r RECOVER]\n              filename\n\nTool for recovering CG of a binary.\n\npositional arguments:\n  filename              Binary file name.\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -s SYMBOL_FILE, --symbol-file SYMBOL_FILE\n                        Load symbols from file.\n  -f {pdf,png,dot}, --format {pdf,png,dot}\n                        Output format.\n  -t, --time            Print process time.\n  -a, --recover-all     Recover all functions.\n  -r RECOVER, --recover RECOVER\n                        Recover specified functions by address (comma\n                        separated).\n```\n\n## PyAsmJIT\n\n*PyAsmJIT* is a Python package for x86_64/ARM assembly code generation and execution.\n\nThis package was developed in order to test BARF instruction translation from x86_64/ARM to REIL. The main idea is to be able to run fragments of code natively. Then, the same fragment is translated to REIL and executed in a REIL VM. Finally, both final contexts (the one obtained through native execution and the one from emulation) are compare for differences.\n\nFor more information, see [PyAsmJIT].\n\n## License\n\nThe BSD 2-Clause License. For more information, see [LICENSE](./LICENSE).\n\n[CVC4]: http://cvc4.cs.nyu.edu/web/\n[Capstone]: http://www.capstone-engine.org\n[PyAsmJIT]: https://github.com/programa-stic/pyasmjit\n[PySymEmu]: https://github.com/feliam/pysymemu\n[REIL]: http://www.usenix.org/legacy/event/woot10/tech/full_papers/Dullien.pdf\n[Z3]: https://github.com/Z3Prover/z3\n[Graphviz]: http://graphviz.org/\n[PEFile]: https://github.com/erocarrera/pefile\n[PyELFTools]: https://github.com/eliben/pyelftools\n","funding_links":[],"categories":["Python","Debugging and Reverse Engineering","Tools","Github resources","Software Tools","Reversing"],"sub_categories":["Other Resources","Posts from Hacker101 members on how to get started hacking","Disassemblers/Decompilers"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprograma-stic%2Fbarf-project","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fprograma-stic%2Fbarf-project","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprograma-stic%2Fbarf-project/lists"}