For responsive rdis help, drop by irc.freenode.net#haxathon
About/Why Rdis
Rdis is a binary analysis tool for Linux developed by me, endeavor (aka rednovae) of rainbowsandpwnies. I wrote rdis for a few reasons:
- There were no affordable reversing tools that looked appealing to me.
- The closest thing to rdis for linux was radare (which is awesome), but lacked an interactive CFG.
Building Rdis
Rdis is developed on Arch Linux, but should build on any platform that supports GTK-3. Rdis requires the following libraries:
- gtk-3
- luajit
- jansson
- udis86
I haven't put anything together for rdis using autotools, so you may need to hand-patch some #include paths. Makefiles are included, and rdis builds to src/rdis.
git clone git://github.com/endeav0r/rdis.git
cd rdis
make -j
make install
Rdis Internals
The internal state of rdis lives in a struct named _rdis, which holds four important data structures:
- Loader Graph - A directed graph in which each node (vertex) is a list of instructions.
- Function Map - A mapping of 64-bit addresses to information about the function found at that address.
- Labels Map - A mapping of 64-bit addresses to textual labels which describe that address.
- Memory Map - A mapping of 64-bit addresses to buffers which comprise the program's virtual address space in its current state.
Loading a binary in rdis takes place in four steps, one for each data structure:
- Request a memory map from the loader
- Feed the memory map back to the loader and request a function map
- Feed the memory map and function map back to the loader and request a loader graph
- Feed the memory map and function map back to the loader and request a label map
Miscellaneous Internal Details
- Comments are stored with instructions, not in the label map.
- Rdis does not use a 3rd party graph layout library.
- Rdis loaders use a memory map for tasks such as graphing functions, as this allows an external process (e.g. a debugger or a Lua script) to update the rdis state.
- Updating a region of memory in the memory map causes different actions to fire, most importantly regraphing of select functions.
- Many rdis loader functions should be pure, allowing them to be used with rdis' internal threaded work queue.
- If you are considering hacking rdis, you should first familiarize yourself with rdis' internal object/container model.
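As an added example (not rdis' own code), the C model below shows the coupling between the memory map and regraphing described above: a constructed memory map of one region and a constructed function map of three functions, where mem_update writes a patch into the mapped buffer and flags every function whose range overlaps the written bytes, which is what selects the functions to regraph. All addresses, sizes and labels are constructed, and the structures are a simplification rather than the real _rdis layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* One memory map region: the buffer backing [base, base + size). */
struct mem_region { uint64_t base; uint64_t size; uint8_t *buf; };
/* One function map entry: the function occupying [address, address + size). */
struct func_entry { uint64_t address; uint64_t size; const char *label; bool needs_regraph; };

/* Constructed sample state: one 64-byte text region holding three functions. */
static uint8_t text_bytes[0x40];
static struct mem_region regions[] = { { 0x400000, sizeof text_bytes, text_bytes } };
static struct func_entry funcs[] = {
    { 0x400000, 0x10, "main",        false },
    { 0x400010, 0x20, "parse_input", false },
    { 0x400030, 0x10, "cleanup",     false },
};
#define NREGIONS (sizeof regions / sizeof regions[0])
#define NFUNCS   (sizeof funcs / sizeof funcs[0])
/* Four NOP bytes to patch in, standing in for what a debugger or Lua script would write. */
const uint8_t nop4[4] = { 0x90, 0x90, 0x90, 0x90 };

/* Region fully containing [addr, addr + len), or NULL if any byte is unmapped.
 * Written with subtractions so addr + len cannot overflow near the top of the space. */
static struct mem_region *mem_lookup(uint64_t addr, uint64_t len) {
    for (size_t i = 0; i < NREGIONS; i++) {
        struct mem_region *r = &regions[i];
        if (addr >= r->base && len <= r->size && addr - r->base <= r->size - len) return r;
    }
    return NULL;
}

/* Write bytes into the memory map, then flag every function whose range overlaps the
 * written region (the "regraph select functions" action). Returns the number of
 * functions flagged, or -1 if the write does not fit inside one mapped region. */
int mem_update(uint64_t addr, const uint8_t *data, uint64_t len) {
    struct mem_region *r = mem_lookup(addr, len);
    if (r == NULL) return -1;
    memcpy(r->buf + (addr - r->base), data, len);
    int flagged = 0;
    for (size_t i = 0; i < NFUNCS; i++) {
        struct func_entry *f = &funcs[i];
        if (addr < f->address + f->size && f->address < addr + len) { f->needs_regraph = true; flagged++; }
    }
    return flagged;
}

/* Query a view would make: is the named function due for regraphing? */
bool func_needs_regraph(const char *label) {
    for (size_t i = 0; i < NFUNCS; i++)
        if (strcmp(funcs[i].label, label) == 0) return funcs[i].needs_regraph;
    return false;
}
```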
Functions View
Clicking on "Functions" from the rdis view opens the functions view. This view combines information from the function map and the labels map.
Right clicking a function gives two options: Mark Reachable and Call Graph. Call Graph creates a modified graph from the _rdis loader graph which includes information about the callable functions and displays this to the user. Mark Reachable is explained below.
While disassembling Go binaries I noticed the Go compiler both statically compiles the entire Go standard library into each executable and includes symbol information for each of these functions. Many of these functions will never be used, but they crowd the functions view with entries. Rdis will attempt to determine which functions are "reachable", and you can select a view to see only reachable functions. You can also mark a function as reachable. This is a recursive operation: marking a function as reachable will cause rdis to mark all functions reachable from the given function as reachable.
Double-clicking a function's address brings up the graph for that function.
Clicking on a function's name allows the function to be renamed. This should trigger a callback and cause the function's name to be updated throughout other rdis views.
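The recursive Mark Reachable operation, as an added example that is not rdis' own code: a constructed function map whose entries carry their callees (the call-graph edges), where mark_reachable flags the chosen function and every function it transitively calls, using the flag itself as the visited set so that cycles between library routines terminate. The Go-style labels and the addresses are constructed sample data.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Function map entry: 64-bit address, label, the addresses it calls (the call-graph
 * edges), and the reachable flag the "reachable only" view filters on. */
struct func_entry { uint64_t address; const char *label; uint64_t callees[4]; int ncallees; bool reachable; };
/* Constructed function map in the shape of a Go binary: main.main pulls in a few
 * runtime routines, while other statically linked library code is never called. */
static struct func_entry funcs[] = {
    { 0x401000, "main.main",               { 0x401100, 0x401200 }, 2, false },
    { 0x401100, "fmt.Println",             { 0x401300 },           1, false },
    { 0x401200, "runtime.newobject",       { 0x401300 },           1, false },
    { 0x401300, "runtime.mallocgc",        { 0x401200 },           1, false }, /* cycle */
    { 0x401400, "net/http.ListenAndServe", { 0x401100 },           1, false },
    { 0x401500, "os.Exit",                 { 0 },                  0, false },
};
#define NFUNCS (sizeof funcs / sizeof funcs[0])

static struct func_entry *func_lookup(uint64_t address) {
    for (size_t i = 0; i < NFUNCS; i++)
        if (funcs[i].address == address) return &funcs[i];
    return NULL;
}

/* Mark Reachable: flag the function at address, then recurse into every callee.
 * The flag doubles as the visited set, so the mallocgc <-> newobject cycle terminates.
 * Returns how many functions were newly marked (0 for an unknown or already-marked address). */
int mark_reachable(uint64_t address) {
    struct func_entry *f = func_lookup(address);
    if (f == NULL || f->reachable) return 0;
    f->reachable = true;
    int marked = 1;
    for (int i = 0; i < f->ncallees; i++) marked += mark_reachable(f->callees[i]);
    return marked;
}

/* How many entries the "reachable only" functions view would list. */
int count_reachable(void) {
    int n = 0;
    for (size_t i = 0; i < NFUNCS; i++) n += funcs[i].reachable;
    return n;
}

bool is_reachable(const char *label) {
    for (size_t i = 0; i < NFUNCS; i++)
        if (strcmp(funcs[i].label, label) == 0) return funcs[i].reachable;
    return false;
}
```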
Graph View
Double-clicking on a function's address in the function view opens up the graph view for that function.
Holding the left mouse button on the graph view and dragging the mouse allows easy scrolling of the graph view.
Clicking on an instruction in the graph view will highlight the instruction. Pressing semicolon (;) allows you to enter a comment for the instruction. Press return when you are finished entering the comment.
Pressing the p key will highlight a node's predecessors, or all nodes in the graph whose control flow may lead to the current node.
Right-clicking an instruction and selecting, "User Function," will cause rdis to treat that instruction as the beginning of a function. There is no undo for this operation!
If rdis detects a reference for an instruction during the loading process, the referenced address will be shown in red after the instruction. You can place your mouse over the instruction and a pop-up will appear, showing the data in rdis' memory map at the given address. If a string is present, the string will show in blue. This screenshot shows an example of this functionality.
Hex View
Clicking the Hex View button from the rdis window brings up the hex view. This view shows the contents of rdis' internal memory map.
The hex view is slow and may be buggy. You can create user functions from the hex view, but in its current state it is of limited use.