The ERESI Reverse Engineering Software Interface is a multi-architecture binary analysis framework providing a domain-specific language for reverse engineering. ERESI features OS-wide support for analysis, instrumentation, and debugging of INTEL, SPARC, MIPS, ALPHA and ARM binary programs. ERESI is geared toward operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS, but it can also debug any OS running in a virtual machine or emulator via the GDB protocol.
We promote modularity and code reuse: ERESI allows users to build their own project on top of our language interpreter in just a few lines of code. Among many other features, the base code can display program graphs on demand using its automated flow-analysis primitives. Our tools were primarily designed for working on hardened or raw systems without symbols, executable data segments, or a native debug API, but they can make use of this information when it is available.
Our projects show how ERESI brings a common ground for different goals:
- elfsh : An interactive and scriptable static program instrumentation tool for ELF binary files.
- kernsh: An interactive and scriptable runtime kernel instrumentation tool for code injection, modification and redirection.
- e2dbg : An interactive and scriptable high-performance userland debugger that works without standard OS debug API (without ptrace).
- etrace : A scriptable userland tracer that works at full frequency of execution without generating traps.
- kedbg: A remote kernel debugger with ERESI scripting capabilities, interfaced with the GDB server, VMware, QEMU, Bochs and OpenOCD (JTAG) via the GDB serial protocol.
- Evarista: A binary program transformer entirely implemented in the ERESI language.
Evarista is inspired by Chevarista, an aborted static analyzer project written in C++ as an IDA plugin. For more information on this research, consult our article: Automated vulnerability auditing in machine code.
Beside those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or in a standalone third-party program:
- libelfsh : the binary manipulation library on which ELFsh, Kernsh, E2dbg, and Etrace are based.
- libe2dbg : the embedded debugger library which operates from inside the debuggee program.
- libasm : the smart disassembling engine (x86, sparc, mips) that gives both syntactic and semantic attributes to instructions and their operands.
- libmjollnir : the control flow analysis and fingerprinting library.
- librevm : the Reverse Engineering Vector Machine, that contains the ERESI meta-language interpreter.
- libstderesi : the standard ERESI library containing more than 100 built-in analysis commands.
- libaspect : the aspect library, whose API reflects code and data structures into the ERESI language.
- libedfmt : the ERESI debug format library, which converts DWARF and stabs debug information into the ERESI debug format.
- libetrace : the ERESI tracer library, on which Etrace is based.
- libkernsh : the kernel shell library, which provides kernel access and on which Kernsh is based.
- libgdbwrap : the GDB serial protocol library, providing compatibility between ERESI and GDB/VMware/Bochs/QEMU/OpenOCD.
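As an added illustration of the kind of header validation a binary manipulation library such as libelfsh has to perform before trusting a file (the page's own tools target ELF binaries for the architectures listed above), here is a small self-contained ELF header parser. This is example code written for this page, not part of ERESI; the `e_machine` values come from the ELF specification and glibc's `<elf.h>`, and the two sample headers are constructed inside the block (bare headers with no program or section tables).

```python
import struct
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA = 4, 5          # indices into e_ident
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2

# e_machine values from the ELF specification / glibc <elf.h> for the
# architectures the page lists (plus their 64-bit successors).
EM_NAMES = {
    2: "SPARC", 3: "x86", 8: "MIPS", 40: "ARM", 43: "SPARC V9",
    62: "x86-64", 183: "AArch64", 41: "Alpha (EM_FAKE_ALPHA)", 0x9026: "Alpha",
}
ET_NAMES = {0: "NONE", 1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}

# Field layout after the 16-byte e_ident, per ELF class; the byte-order
# prefix added at parse time disables struct padding.
FMT32 = "HHIIIIIHHHHHH"   # e_type..e_shstrndx, 32-bit e_entry/e_phoff/e_shoff
FMT64 = "HHIQQQIHHHHHH"   # same fields, 64-bit e_entry/e_phoff/e_shoff


class ElfError(ValueError):
    """Raised for anything that is not a well-formed ELF header."""


@dataclass
class ElfHeader:
    bits: int
    endian: str
    e_type: int
    e_machine: int
    e_entry: int
    e_phoff: int
    e_shoff: int
    e_phnum: int
    e_shnum: int

    @property
    def machine_name(self) -> str:
        return EM_NAMES.get(self.e_machine, f"unknown (0x{self.e_machine:x})")

    @property
    def type_name(self) -> str:
        return ET_NAMES.get(self.e_type, f"unknown ({self.e_type})")


def parse_elf_header(data: bytes) -> ElfHeader:
    """Validate and decode the ELF header at the start of `data`."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ElfError("missing ELF magic")
    cls, enc = data[EI_CLASS], data[EI_DATA]
    if cls not in (ELFCLASS32, ELFCLASS64):
        raise ElfError(f"invalid EI_CLASS {cls}")
    if enc not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ElfError(f"invalid EI_DATA {enc}")
    order = "<" if enc == ELFDATA2LSB else ">"
    fmt = order + (FMT64 if cls == ELFCLASS64 else FMT32)
    size = 16 + struct.calcsize(fmt)
    if len(data) < size:
        raise ElfError(f"truncated header: need {size} bytes, have {len(data)}")
    (e_type, e_machine, _e_version, e_entry, e_phoff, e_shoff, _e_flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, _e_shstrndx) = \
        struct.unpack(fmt, data[16:size])
    # Self-consistency checks that a corrupted or hostile file would fail;
    # reject before any code downstream dereferences these offsets.
    if e_ehsize != size:
        raise ElfError(f"e_ehsize {e_ehsize} does not match class size {size}")
    if e_phnum and e_phoff + e_phnum * e_phentsize > len(data):
        raise ElfError("program header table lies outside the file")
    if e_shnum and e_shoff + e_shnum * e_shentsize > len(data):
        raise ElfError("section header table lies outside the file")
    return ElfHeader(64 if cls == ELFCLASS64 else 32,
                     "little" if enc == ELFDATA2LSB else "big",
                     e_type, e_machine, e_entry, e_phoff, e_shoff,
                     e_phnum, e_shnum)


def build_header(bits: int, endian: str, e_type: int, e_machine: int,
                 e_entry: int = 0) -> bytes:
    """Construct a bare, table-less ELF header (a test fixture, not a real binary)."""
    order = "<" if endian == "little" else ">"
    ident = ELF_MAGIC + bytes([ELFCLASS64 if bits == 64 else ELFCLASS32,
                               ELFDATA2LSB if endian == "little" else ELFDATA2MSB,
                               1, 0, 0]) + b"\x00" * 7
    fmt = order + (FMT64 if bits == 64 else FMT32)
    ehsize = 16 + struct.calcsize(fmt)
    return ident + struct.pack(fmt, e_type, e_machine, 1, e_entry, 0, 0, 0,
                               ehsize, 0, 0, 0, 0, 0)


# Constructed samples: a 64-bit little-endian x86-64 executable header and a
# 32-bit big-endian SPARC relocatable-object header.
SAMPLE_X86_64 = build_header(64, "little", 2, 62, e_entry=0x401000)
SAMPLE_SPARC = build_header(32, "big", 1, 2)

if __name__ == "__main__":
    for blob in (SAMPLE_X86_64, SAMPLE_SPARC):
        h = parse_elf_header(blob)
        print(f"{h.bits}-bit {h.endian}-endian {h.machine_name} {h.type_name} "
              f"entry=0x{h.e_entry:x}")
```

The checks on `e_ehsize` and on the header-table bounds are the point: the class and data-encoding bytes dictate both the struct layout and the byte order, so they are validated before any field is unpacked, and table offsets are compared against the file size before anything else walks them.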