thorkill / eresi Goto Github PK

SHT reconstruction should use :

• PT_DYNAMIC segment information (reconstruct .dynsym, .dynstr, .rel*, .init, .fini, .got or .plt) on dynamic binaries
• reconstruct the SHT from the PHT information in core files and static binaries lacking a SHT.

The current code of that feature is in : libelfsh/sht_rebuild.c

This is quite ugly code that needs to be improved and highly cleaned !

have fun

-may

Ticket: 14 Reported by: jfv on Thu Mar 30 18:54:57 2006

Elfsh 0.7x does not compile anymore on beos.

2 patches are enclosed to fix the issues:

• The "partial" patch contains changes that should be applied to cvs without troubles.
• The "complete" patch contains all changes necessary to make elfsh compile and work on Zeta. Some of the changes (especially ia32.c) need some checks before being committed. Others must not be committed because they are due to missing features in the beos build (libmalloc, e2dbg...)

Ticket: 10 Reported by: zadig on Tue Dec 19 16:38:23 2006
attachment: 2_beos_partial.diff/
attachment: 3_beos_complete.diff/
attachment: 8_beos_tocommit.diff/
attachment: 9_beos_complete.diff/
attachment: 10_elfsh_beos.diff/

On FreeBSD, trying to debug a multithread program will make the debugger to segfault.

See the testsuite for reproducing this bug

Ticket: 1 Reported by: jfv on Thu May 17 00:51:32 2007

We currently have a global .rc file for eresi : .eresirc

It was also added a local .rc file for kernsh

We should do the same for elfsh, e2dbg, etrace and evarista : they should also
have all a personal .rc that is executed after the common .eresirc

-jv

Ticket: 29 Reported by: jfv on Sat Sep 22 03:39:00 2007

The backend translation from x86 asm code to ELIR form is not complete.

For now, Strauss has implemented the 8086 subset.

x86 has more than 350 instructions, as such its a wise idea to share
work with everyone on this.

-jfv

Ticket: 18 Reported by: jfv on Mon Sep 17 02:29:16 2007

Mydisasm does not increment instruction pointer when disassembling /bin/ls (elf32-i386)

0x08049ae0: xor %eax,%eax 31 ed
0x08049ae2: pop
0x08049ae2: pop
0x08049ae2: pop
0x08049ae2: pop
[...]

(elfsh-0.81-a5-dev@local) disasm strcpy
0x08049ACC [foff: 6860] strcpy + 0 jmp FF
0x08049ACD [foff: 6861] strcpy + 1 and 25
0x08049ACE [foff: 6862] strcpy + 2 cmp 3C
0x08049ACF [foff: 6863] strcpy + 3 mov B8
0x08049AD0 [foff: 6864] strcpy + 4 add 05
0x08049AD1 [foff: 6865] strcpy + 5 or 08
0x08049AD2 [foff: 6866] strcpy + 6 lock push 68
0x08049AD3 [foff: 6867] strcpy + 7 clc F8
...

Ticket: 46 Reported by: enioh on Tue Mar 25 01:14:35 2008

Build currently fails on libelfsh.

Ticket: 44 Reported by: enioh on Mon Mar 24 17:48:04 2008

The evarista static analyzer : evarista/evarista.esh

is currently broken (fails at some point to execute) due
to changes in the syntax of the ERESI language.

This is the top priority currently to get fixed

-jfv

Ticket: 16 Reported by: jfv on Wed Sep 19 23:53:52 2007

When loading a binary to be traced, only the main binary functions will be traced
(and the external function it calls). The internal functions of the dependences
will currently not be traced.

This needs to be fixed by injecting the tracer .o file in each library dependence
as well, and modify the .dynamic section of each library to reflect the change
(since libraries will certainly need another path or another name, to avoid messing
with the original non-traced version of the libraries)

x86 should be a priority, then sparc

Enjoy

-jv

Ticket: 31 Reported by: jfv on Mon Sep 24 17:47:57 2007

The debugger does not currently use the debug format as it should.

Good features for interfacing would be :

• Make sure we can do print $var in the debugger (with $var informed from edfmt)
• Make sure we can associate an address to a source code line, and display that line on events (backtrace, breakpoints, stepping)
• Make sure we handle local variables (register them as variable on procedure entry, unregister them on exit)

Have fun

-jfv

Ticket: 34 Reported by: jfv on Sun May 20 00:15:24 2007

In evarista:

The evarista/elir-dataflow.esh file contains the computation of dataflow analysis
for the ELIR intermediate forms. As specific ELIR types has been defined for
allowing x86 translation, we need to add dataflow computation for these types
in the dataflow file.

Have fun

-jfv

Ticket: 25 Reported by: jfv on Tue Sep 18 16:40:22 2007

All features of elfsh/e2dbg are not available for the ALPHA architecture. Those features can be implemented
in hooks (vectors elements) very easily. The missing hooks for ALPHA can be filled in existing vectors. The
list of vectors to be completed for the ALPHA architecture is (by order of importance) :

• All the very small debugger hooks (GETPC, GETFP, NEXTFP, GETRET, GETREGS, SETREGS, SETSTEP, RESETSTEP)
• The breakpoint hook (SETBREAK)
• The backtrace hook (BT)
• THe 3 EXTPLT related hooks (ENCODEPLT, ENCODEPLT1, EXTPLT)
• The tracer related hook (ARGCOUNT)

Please respect the order of priority because some hooks depends on others.

Ticket: 13 Reported by: jfv on Tue Aug 1 17:18:17 2006

Our dataflow commands needs to be implemented directly in the eresi language. Dataflow information about use/def chains should be computed using a deductive system on the model of hoare logic where annotations (based on "type" and "inform" commands) correspond to the structure passed from pre- to post- conditions.

Ticket: 41 Reported by: may on Fri Mar 7 10:20:20 2008

The current state of libasm for the MIPS architecture is very draft

heroine and then simkink have started and integrated the backend
skeletton and the most used instructions in libasm-MIPS.tgz which
is not part of the CVS.

If anyone is interested to continue this work, please show up

-jfv

Ticket: 30 Reported by: jfv on Mon Sep 17 02:51:21 2007

THe major features of the ELF shell and the Embedded ELF Debugger are not available on a variety of interesting architectures, including
ARM (ARM7 and ARM9), AMD64, IA64, PPC (32 and 64 bits), and PA-RISC (by order of priority).

Those features are independant of the cores and can be implemented using vector hooks. The list of vector hooks to be implemented are :

For elfsh:

• ET_REL injection
• ALTPLT redirection
• CFLOW redirection
• ENCODEPLT and ENCODEPLT1 hooks
• EXTPLT relinking

For the debugger :

• The 8 very small debugger hooks (GETPC, GETFP, NEXTFP, GETRET, GETREGS, SETREGS, SETSTEP, RESETSTEP)
• The breakpoint hook
• The backtrace hook

For the tracer :

• ARGCOUNT hook

All those hooks are independant and can be implemented in any order (except ENCODEPLT / ENCODEPLT1 on which EXTPLT is depending, and GETFP/NEXTFP/GETRET on which
BACKTRACE is depending)

Ticket: 12 Reported by: jfv on Tue Aug 1 17:30:05 2006

GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r
Starting program: /usr/local/bin/elfsh
[Thread debugging using libthread_db enabled]
[New Thread -1214391744 (LWP 12807)]

     The ELF shell 0.8 (32 bits built) .::.

     .::. This software is under the General Public License V.2
     .::. Please visit http://www.gnu.org

~quiet
[*] Set ELFsh default color theme (use nocolor to disable)

[] /home/zarulshahrin/.eresirc sourcing -OK-
[] Type help for regular commands

(elfsh-0.8-a5-cam@local) load hitb

[] Sun Jul 22 14:11:46 2007 - New object loaded : hitb
[] New object dependences loaded : /usr/lib/libcrypto.so.0.9.8
[] New object dependences loaded : /lib/libc.so.6
[] New object dependences loaded : /lib/ld-linux.so.2
[] New object dependences loaded : /lib/libdl.so.2
[] New object dependences loaded : /usr/lib/libz.so.1

(elfsh-0.8-a5-cam@local) analyse

.: mjollnir : performing object analysis
[] Entry point: 8048520
[] start found at 8048520
[] Linux-like start
[] main located at 8048600
[] Found function pointer at 8048589
[] Found function pointer at 80485bf
[] Found function pointer at 8048897
[] Found function pointer at 80488c9
[] Saving .edfmt.function section of 3500 bytes
[] Saving .edfmt.fcontrol section of 336 bytes
[] Found block start for function 8048541
[] Found block start for function 8048550
[] Found block start for function 8048470
[] Found block start for function 8048731
[] Found block start for function 8048715
[] Found block start for function 8048671
[] Found block start for function 8048752
[] Found block start for function 8048475
[] Found block start for function 8048566
[] Found block start for function 8048659
[] Found block start for function 8048859
[] Found block start for function 804846b
[] Found block start for function 80486f0
[] Found block start for function 804863e
[] Found block start for function 804864d
[] Found block start for function 80487a6
[] Found block start for function 804884b
[] Found block start for function 80488f0
[] Found block start for function 804879a
[] Found block start for function 80488e4
[] Found block start for function 804868d
[] Found block start for function 804878c
[] Found block start for function 804877e
[] Found block start for function 80487ab
[] Found block start for function 80486cb
[_] Saving .edfmt.blocks section of 3160 bytes
[*] Saving .edfmt.bcontrol section of 2496 bytes
.: mjollnir : object analysis completed successfully.
(elfsh-0.8-a5-cam@local) save hitb.new

[*] Object hitb.new saved successfully

(elfsh-0.8-a5-cam@local) unload hitb

[] Object /lib/ld-linux.so.2 unloaded on Sun Jul 22 14:12:13 2007
[] Object /lib/libc.so.6 unloaded on Sun Jul 22 14:12:13 2007
[] Object /usr/lib/libz.so.1 unloaded on Sun Jul 22 14:12:13 2007
[] Object /lib/libdl.so.2 unloaded on Sun Jul 22 14:12:13 2007
[] Object /usr/lib/libcrypto.so.0.9.8 unloaded on Sun Jul 22 14:12:13 2007
[] Object hitb unloaded on Sun Jul 22 14:12:13 2007

(elfsh-0.8-a5-cam@local) load hitb.new

[] Sun Jul 22 14:12:17 2007 - New object loaded : hitb.new
[] New object dependences loaded : /usr/lib/libcrypto.so.0.9.8
[] New object dependences loaded : /lib/libc.so.6
[] New object dependences loaded : /lib/ld-linux.so.2
[] New object dependences loaded : /lib/libdl.so.2
[] New object dependences loaded : /usr/lib/libz.so.1

(elfsh-0.8-a5-cam@local) graph

[] .dot file: /tmp/hitb_new/object-dump.dot
[] Dumping 25 functions

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1214391744 (LWP 12807)]
0xb7d0ddc0 in revm_graph_function (cntnr=0x0, fd=6, direction=1, type=0, maxdepth=0, curdepth=1) at graph.c:466
466 fnc = (mjrfunc_t *)cntnr->data;
(gdb) bt
!#0 0xb7d0ddc0 in revm_graph_function (cntnr=0x0, fd=6, direction=1, type=0, maxdepth=0, curdepth=1) at graph.c:466
!#1 0xb7d0ea4c in cmd_graph () at graph.c:600
!#2 0xb7d65c32 in revm_execmd () at loop.c:219
!#3 0xb7d64022 in revm_loop (argc=2, argv=0x81fc3e8) at init.c:115
!#4 0xb7d64ecc in revm_run (ac=1, av=0xbfa2a254) at init.c:393
!#5 0x08049ad9 in esh_main (ac=1, av=0xbfa2a254) at main.c:83
!#6 0x08049b0d in main (ac=-1079860696, av=0xb7b4aebc) at main.c:90
(gdb)

Ticket: 6 Reported by: zarul on Sun Jul 22 08:15:36 2007
attachment: 14_hitb.c/
attachment: 16_daemon01.tar.bz2/

Conditional commands : if, elseif, else

Should be made possible within the ERESI language.

Ticket: 22 Reported by: jfv on Wed Sep 19 04:27:43 2007

The debugger commands : profile, hexa, step, backtrace, linkmap, stack, dbgstack

are not outputing with colors.

Ticket: 3 Reported by: jfv on Tue Jul 4 20:47:11 2006

Right now, commands are registered this way :

/* General purpose command */
vm_addcmd(CMD_MODLOAD , (void *) cmd_modload , (void *) vm_getoption , 0, HLP_MODLOAD);
vm_addcmd(CMD_MODULOAD, (void *) cmd_modunload, (void *) vm_getoption , 0, HLP_MODULOAD);
vm_addcmd(CMD_DISASM , (void *) cmd_disasm , (void *) vm_getdisasm , 1, HLP_DISASM);
[...]

This way, the string help of each command (HLP_...) is registered at the same time than the command itself.

But HLP_... is a string that is placed in librevm/include/revm-help.h

This makes the creation of complex help quite difficult.

The idea of this task is :

• To replace this HLP_ string with a function pointer help_cmdname() and make that function to display
  the help, when typing help , instead of printing the HLP_ string as it is done right now.
• To add a 3rd function pointer : hint_cmdname. That function pointer should register a serie of hints
  for this command. All hints should be registered in a unique new hash table : hints_hash, standing
  in librevm/vm/tables.c
• Make a system that print a random hint about a random command just after having registered all commands,
  at the beginning of the execution of the shell. ("Did you know it : .. ")

This system should make the beginner users more easily introduced in the framework.

Enjoy

-may

Ticket: 20 Reported by: jfv on Sun Feb 25 16:25:32 2007

cc -Iinclude -Wall -fPIC -g3 -O2 -DELFSH_INTERN -I../libasm/include/ -I../libetrace/include -I../libaspect/include/ -DERESI32 -DM32 -c -o dynamic.32.o dynamic.c
In file included from include/libelfsh.h:35,
from dynamic.c:11:
include/libelfsh/libelfsh-compat.h:180: error: syntax error before "elfsh_Nhdr"
include/libelfsh/libelfsh-compat.h:180: warning: type defaults to int' in declaration ofelfsh_Nhdr'
include/libelfsh.h:1329: error: syntax error before "elfsh_Vernaux"
include/libelfsh.h:1330: error: syntax error before "elfsh_Verdaux"
gmake: *** [dynamic.32.o] Error 1
*** Error code 2

Stop in /usr/home/xsbyme/eresi.

Ticket: 42 Reported by: xsz on Sat Mar 8 16:32:37 2008

Unsecure functions produce warning at compilation.

We should try to remove strcpy/strcat/sprintf/...

Ticket: 45 Reported by: enioh on Mon Mar 24 23:37:12 2008

/root/eresi/libkernsh/kernel/arch/x86/linux/mem.c:41:32: fout: macro "xlate_dev_mem_ptr" vereist 2 argumenten, maar er werden er slechts 1 opgegeven
/root/eresi/libkernsh/kernel/arch/x86/linux/mem.c: In functie âkernsh_read_memâ:
/root/eresi/libkernsh/kernel/arch/x86/linux/mem.c:41: fout: âxlate_dev_mem_ptrâ undeclared (first use in this function)
/root/eresi/libkernsh/kernel/arch/x86/linux/mem.c:41: fout: (Each undeclared identifier is reported only once
/root/eresi/libkernsh/kernel/arch/x86/linux/mem.c:41: fout: for each function it appears in.)
/root/eresi/libkernsh/kernel/arch/x86/linux/mem.c:106:32: fout: macro "xlate_dev_mem_ptr" vereist 2 argumenten, maar er werden er slechts 1 opgegeven
/root/eresi/libkernsh/kernel/arch/x86/linux/mem.c: In functie âkernsh_write_memâ:
/root/eresi/libkernsh/kernel/arch/x86/linux/mem.c:106: fout: âxlate_dev_mem_ptrâ undeclared (first use in this function)

os is centos

Ticket: 48 Reported by: anonymous on Thu Mar 27 18:53:31 2008

The debugger misses some stuffs to work on MIPS/IRIX:

• e2dbg does use as entry point :
• __libc_start_main hijack on linux
• atexit hijack on BSD
• __fpstart hijack on solaris
  BUT
  We have no entry point for IRIX. See e2dbg/signal.c for the existing entry points.
  Hint: try to see around the GOT entry of the main function on IRIX.
• Various debugging handlers (see libe2dbg/dbghooks.c) related to the sigaction() system call
• THe MIPS breakpoint handler
• MIPS disassembly is not available

Ticket: 36 Reported by: jfv on Tue Jul 4 20:29:57 2006

It is not possible to use elfsh in c++ projects because some includes use reserved names:

• libelfsh.h: some functions have "new" parameters names.
• revm.h has a "new" field in revmio_t
  ...

Ticket: 4 Reported by: zadig on Fri Feb 2 23:32:55 2007

e.g.: add $a
$b
print $a

Should print the value of $a + $b

Ticket: 17 Reported by: jfv on Wed Sep 19 04:30:56 2007

(elfsh-0.8-a26-dev@local) load ./test-1

 [*] Wed Feb 20 00:49:48 2008 - New object loaded : ./test-1

(elfsh-0.8-a26-dev@local) sht

 [SECTION HEADER TABLE .::. SHT is not stripped]
 [Object ./test-1]

 [000] 0x00000000 -------                                foffset:00000000 size:00000128 link:00 info:0000 entsize:0000 align:0000 => NULL section
 [001] 0x08048080 a-x---- .text                          foffset:00000128 size:00000043 link:00 info:0000 entsize:0000 align:0016 => Program data
 [002] 0x080490AC aw----- .data                          foffset:00000172 size:00000014 link:00 info:0000 entsize:0000 align:0004 => Program data
 [003] 0x080490BA aw----- .bss                           foffset:00000186 size:00000002 link:00 info:0000 entsize:0000 align:0001 => BSS
 [004] 0x00000000 ------- .comment                       foffset:00000186 size:00000031 link:00 info:0000 entsize:0000 align:0001 => Program data
 [005] 0x00000000 ------- .shstrtab                      foffset:00000217 size:00000053 link:00 info:0000 entsize:0000 align:0001 => String table
 [006] 0x00000000 ------- .symtab                        foffset:00000270 size:00000080 link:07 info:0000 entsize:0016 align:0000 => Symbol table
 [007] 0x00000000 ------- .strtab                        foffset:00000350 size:00000034 link:06 info:0000 entsize:0000 align:0000 => String table

(elfsh-0.8-a26-dev@local) e


 [ELF HEADER]
 [Object ./test-1, MAGIC 0x464C457F]

 Architecture         :        Intel 80386   ELF Version          :              1
 Object type          :  Executable object   SHT strtab index     :              5
 Data encoding        :      Little endian   SHT foffset          :     0000000386
 PHT foffset          :         0000000052   SHT entries number   :              8
 PHT entries number   :                  2   SHT entry size       :             40
 PHT entry size       :                 32   ELF header size      :             52
 Runtime PHT offset   :         1179403657   Fingerprinted OS     :        FreeBSD
 Entry point          :         0x08048083   [?]
 {OLD PAX FLAGS = 0x0}
 PAX_PAGEEXEC         :           Disabled   PAX_EMULTRAMP        :   Not emulated
 PAX_MPROTECT         :         Restricted   PAX_RANDMAP          :     Randomized
 PAX_RANDEXEC         :     Not randomized   PAX_SEGMEXEC         :        Enabled

(elfsh-0.8-a26-dev@local) analyse

 [*] Now performing Control Flow Analysis
 [*] Registered new function starting at 0x08048080 
Calling location source 0x08048097
Calling location source 0x080480A6
Assertion failed: (new_size > 0), function mjr_block_split, file src/links.c, line 274.
Abort (core dumped)

$ objdump -d test-1 

test-1:     file format elf32-i386-freebsd

Disassembly of section .text:

08048080 <.text>:
 8048080:       cd 80                   int    $0x80
 8048082:       c3                      ret    
 8048083:       68 ac 90 04 08          push   $0x80490ac
 8048088:       68 ac 90 04 08          push   $0x80490ac
 804808d:       68 01 00 00 00          push   $0x1
 8048092:       b8 04 00 00 00          mov    $0x4,%eax
 8048097:       e8 e4 ff ff ff          call   0x8048080
 804809c:       68 00 00 00 00          push   $0x0
 80480a1:       b8 01 00 00 00          mov    $0x1,%eax
 80480a6:       e8 d5 ff ff ff          call   0x8048080

I have started to make testes on mjollnir. Starting with commit [855] I have found first bug.
It seems that libmjollnir can't handle this one.

Ticket: 39 Reported by: thorkill on Wed Feb 20 00:56:19 2008

All features of elfsh/e2dbg are not available for the MIPS architecture. Those features can be implemented
in hooks (vectors elements) very easily. The missing hooks for MIPS can be filled in existing vectors. The
list of vectors to be completed for the MIPS architecture is (by order of importance) :

• All the very small debugger hooks (GETPC, GETFP, NEXTFP, GETRET, GETREGS, SETREGS, SETSTEP, RESETSTEP)
• The breakpoint hook (SETBREAK)
• The backtrace hook (BT)
• THe 3 EXTPLT related hooks (ENCODEPLT, ENCODEPLT1, EXTPLT)
• The tracer related hook (ARGCOUNT)

Please respect the order of priority because some hooks depends on others.

Ticket: 21 Reported by: jfv on Tue Aug 1 17:16:19 2006

ELFsh is not capable to create a static binary. This would be useful when we extract a program from memory
so that we are able to analyse it as it was a real binary afterwards.

THere is no API for creating those things, the problem is not hard and brings lots of advantages,
so we have to support it soon.

Ticket: 7 Reported by: jfv on Sat Dec 30 21:26:19 2006

The relocation function for the MIPS architecture is in place and the main needed relocations are implemented. However
there is a bug in that function that makes the ET_REL injection to fail on this architecture.

See the comments and the code in libelfsh/mips32.c regarding that issue, in the relocate hook function for this
feature/arch.

Ticket: 37 Reported by: jfv on Sun Jul 30 18:22:06 2006

The kernel shell fails to handle the solaris kernel.

We need do:

• Create the .kernshrc for the solaris kernel
• Test ET_REL injection and function redirection on the solaris kernel

Enjoy

-jfv

Ticket: 27 Reported by: jfv on Mon Sep 17 02:48:08 2007

segfault when trying to analyse a quite big program

Ticket: 35 Reported by: jmp on Fri Aug 24 14:45:04 2007
attachment: 15_buganalyse/

The debugger on sparc architecture encounter problem of
cache coherency. Specifically, when writing in a code
section of a program (in e2dbg at runtime) being debugged,
the debuggee program crashes once this code is reached.

Have fun

-jfv

Ticket: 28 Reported by: jfv on Tue Sep 18 02:22:06 2007

Currently we do a linear read of the binary code for constructing the control flow graph, this is not good for multiple reasons:

• we cant do local analysis given an entry point (we HAVE to analyse a whole section at all the time, and it does not scale when analysing the kernel).
• we cant analyse efficiently the obfusfated code that jumps in the middle of instructions. In the new algorithm, an instruction (its bytes) can potentially be present in multiple basic blocks if this case happens.

Instead we should use an entry point and a max depth, and follow the control flow edge when constructing the CFG.

Ticket: 43 Reported by: may on Wed Mar 19 10:50:12 2008

kernimage.c mentioned in the Makefile at http://www.eresi-project.org/browser/trunk/libkernsh/user?rev=930 seems to be missing

Ticket: 47 Reported by: anonymous on Wed Mar 26 02:57:02 2008

If a binary is packed (for instance with UPX), elfsh will not be able to load it directly
in unpacked format. The goal is this feature is to load packed binaries transparently.

The ideas for doing this is to create a new vector for the file loading. Vectors (which
are now part of libaspect and not anymore of libelfsh) can make the file loading
dependant on parameters, so that the file loading function is looked up depending on
precise parameters (like fields in the headers, or any other information stored in
the binary)

Example of use of those vectors are in libelfsh/hooks.c

Vectors implementation stands in : libaspect/vectors.c

Enjoy

Ticket: 8 Reported by: jfv on Fri Dec 22 03:00:14 2006

The embedded ELF debugger does not have the feature that consist in recovering a file
from its image in memory. Some work has been done already about this topic in 2
different articles :

Silvio Cesare 'ELF executable reconstruction from a core image'
ilo (phrack 63) 'Process dump and binary reconstruction'

Enjoy

Ticket: 5 Reported by: jfv on Fri Dec 22 02:55:40 2006

Some binaries have broken headers which can't be easy analized,
changed etc.

Any ideas?

Ticket: 15 Reported by: thorkill on Thu Mar 16 14:20:00 2006

Kernsh is currently only available for OS based on Linux.

BSD port is currently in progress but we still do not have
any tests in the testsuite or any kernshrc for these OS.

BSD testing of kernsh must be integrated in ERESI

-jfv

Ticket: 24 Reported by: jfv on Mon Sep 17 02:45:37 2007

Maybe we can have an history for each program (elfsh, kernsh, e2dbg, etrace ...) ?

Actually there is only one history in .elfsh_history.

Ticket: 40 Reported by: pouik on Wed Feb 27 11:45:00 2008

Maybe we can have an history for each program (elfsh, kernsh, e2dbg, etrace ...) ?

Actually there is only one history in .elfsh_history.

Ticket: 40 Reported by: pouik on Wed Feb 27 11:45:00 2008

The current translation from ELIR to SSA supports only the minimal sets of
type for translating a SPARC binary program to ELIR to SSA.

Other types were introduced by Julio Auto for covering more constructs as
used in the INTEL instruction set. These types do not have conversion from
ELIR to SSA.

The evarista/lir2ssa.esh file contains the translation and should be extended
to cover these types.

Have fun

-jv

Ticket: 33 Reported by: jfv on Sat Sep 22 03:42:23 2007

port summary: into post-commit hook

Ticket: 38 Reported by: thorkill on Tue Feb 19 17:38:01 2008

On SPARC/Solaris, there are problems with the debug types conversion into the eresi types.

For instance, when librevm is loaded in the shell (which include libasm.a), we have
many asm_ types (including asm_operand) but we dont have asm_instruction. We need
this to be fixed so that we can acheive reflection on assembly instruction, thus allowing
binary code transformation directly from the ERESI language.

It seems like this bug only affects Solaris, further testing must determine it

-jfv

Ticket: 11 Reported by: jfv on Wed May 23 19:04:40 2007

I have a problem with e2dbg64 when loading libe2dbg64.so.
(Source from SVN)

Here an execution :
DEBUG: List frames allocated at 0x2b799a7a55a0 does not exists in hash : CREATING

[*] No configuration in ~/.eresirc

[*] Preloading /usr/local/lib//libe2dbg64.so
/local/code/txpthread/p_hello/p_hello: symbol lookup error: /usr/local/lib//libe2dbg64.so: undefined symbol: cmd_dbgstack

[E] Target binary not found

Syntax : ./e2dbg/e2dbg64 target_binary

I think it is a little bug.

Thank you for your great work and your future fix.

Ticket: 49 Reported by: [email protected] on Fri Mar 28 12:04:59 2008

E2dbg has a particularity since it is a debugger capable of debugging without stopping the program.

Right now, e2dbg has only 1 window, and the e2dbg prompt is not waiting for the debuggee to stop before showing the prompt again. While this can
be seen as an inconvenient on the lisibility/utilisability of the debugger, this is actually a very interresting feature if it is packaged a little
bit better.

The proposition is as follow : split the e2dbg interface (as implemented in libui) in multiple windows. The most important windows would be :

• One for the debugger input (where the user types the commands)
• One for the debugger output (where the debugger prints its messages)
• One for the debuggee output (where the program prints its output)

Optionally, we could do 2 more window :

• One that show the state of the register set
• One that show the assembly (or source code, or intrelaced source/asm code, depending on the user chosen configuration)

This way, the debugger will have a very user-friendly interface. We can think about the integration of such interface with the workspace system, as well, so we use the full features set of the interface all at the same time.

Ticket: 9 Reported by: jfv on Sat Jul 22 17:51:43 2006

The edfmt API is currently not used in e2dbg.

I will take care of this once the debug API can be used for local variables information.

-jfv

Ticket: 19 Reported by: jfv on Sat Sep 22 00:47:23 2007

e2dbg cannot debug static binaries yet. Make sure the static injection is compatible (e.g. we do not
take too much PT_LOAD in the host binary and that we keep beeing PaX compatible)

Ticket: 2 Reported by: jfv on Sun Nov 26 15:53:19 2006

Translation from ELIR (the subset of ELIR for the sparc architecture) to SSA
is missing support for 4 ELIR operation. This has to be finished, it should
not be a long job.

-jv

Ticket: 26 Reported by: jfv on Sat Sep 22 03:36:21 2007

The core file support was done on Linux and FreeBSD but there are lots
of additional information that can be fetched which is currently not
supported.

We need to make sure also to have a very clear core information API
so that it can be used by the debugger when inspecting core files.

-jfv

Ticket: 23 Reported by: jfv on Sun Nov 26 15:54:07 2006

The tracer needs to be ported on SPARC:

• Support sparc argcounting (ARGCOUNT vector)
• Support sparc relinking (EXTPLT vector)

Have fun

Ticket: 32 Reported by: jfv on Tue Nov 14 16:35:19 2006