├── .gitignore ├── LICENSE ├── README.md ├── setup.py └── symrepl.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | env/ 12 | build/ 13 | develop-eggs/ 14 | dist/ 15 | downloads/ 16 | eggs/ 17 | .eggs/ 18 | lib/ 19 | lib64/ 20 | parts/ 21 | sdist/ 22 | var/ 23 | wheels/ 24 | *.egg-info/ 25 | .installed.cfg 26 | *.egg 27 | 28 | # PyInstaller 29 | # Usually these files are written by a python script from a template 30 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 31 | *.manifest 32 | *.spec 33 | 34 | # Installer logs 35 | pip-log.txt 36 | pip-delete-this-directory.txt 37 | 38 | # Unit test / coverage reports 39 | htmlcov/ 40 | .tox/ 41 | .coverage 42 | .coverage.* 43 | .cache 44 | nosetests.xml 45 | coverage.xml 46 | *.cover 47 | .hypothesis/ 48 | 49 | # Translations 50 | *.mo 51 | *.pot 52 | 53 | # Django stuff: 54 | *.log 55 | local_settings.py 56 | 57 | # Flask stuff: 58 | instance/ 59 | .webassets-cache 60 | 61 | # Scrapy stuff: 62 | .scrapy 63 | 64 | # Sphinx documentation 65 | docs/_build/ 66 | 67 | # PyBuilder 68 | target/ 69 | 70 | # Jupyter Notebook 71 | .ipynb_checkpoints 72 | 73 | # pyenv 74 | .python-version 75 | 76 | # celery beat schedule file 77 | celerybeat-schedule 78 | 79 | # SageMath parsed files 80 | *.sage.py 81 | 82 | # dotenv 83 | .env 84 | 85 | # virtualenv 86 | .venv 87 | venv/ 88 | ENV/ 89 | 90 | # Spyder project settings 91 | .spyderproject 92 | .spyproject 93 | 94 | # Rope project settings 95 | .ropeproject 96 | 97 | # mkdocs documentation 98 | /site 99 | 100 | # mypy 101 | .mypy_cache/ 102 | history.txt 103 | .vscode/settings.json 104 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Agustin Gianni 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # symrepl 2 | 3 | `symrepl` is a small utility that helps you investigate the type information 4 | inside binaries. It uses `lldb` in order to access the symbolic information 5 | inside a binary. 6 | 7 | The main use case of this little helper tool is to help vulnerability 8 | researchers find interesting things to use while exploiting software. 9 | 10 | ## Example 11 | The following example shows the loading of the `XUL` binary and how `symrepl` 12 | can be used to inspect the internals of the types used inside the binary. 13 | 14 | [![asciicast](https://asciinema.org/a/7GMPl01dTpP8rEmREI3lgtriC.png)](https://asciinema.org/a/7GMPl01dTpP8rEmREI3lgtriC) 15 | 16 | ## Caveats 17 | 18 | The script works only on macOS and Linux. On macOS, XCode is required. On 19 | Linux, `lldb` and `llvm-config` are required. 20 | 21 | ## Installation 22 | 23 | ``` 24 | # Install `pip` if not installed. 25 | $ easy_install pip 26 | 27 | # Install `virtualenv` if not installed. 28 | $ pip install virtualenv 29 | 30 | # Create a virtual python environment. 31 | $ virtualenv venv_symrepl 32 | 33 | # Activate the environment (POSIX system). 34 | $ source ./venv_symrepl/bin/activate 35 | 36 | # Install `symrepl` into the virtual environment. 37 | $ python setup.py install 38 | ``` 39 | 40 | ### Dependencies 41 | All the python requirements will be installed automatically using python's 42 | `setuptools`. 43 | 44 | - `XCode` 45 | - `python` 46 | - `pip` 47 | - `virtualenv (optional)` 48 | 49 | ## Usage 50 | 51 | Execute `symrepl` with `-h` to get help: 52 | 53 | ``` 54 | $ symrepl -h 55 | usage: symrepl.py [-h] [-f FILENAME] 56 | 57 | Symbol REPL. 58 | 59 | optional arguments: 60 | -h, --help show this help message and exit 61 | -f FILENAME, --file FILENAME 62 | Path to the file with symbols. 63 | ``` 64 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | from setuptools import setup 2 | 3 | setup( 4 | name="symrepl", 5 | version="1.0", 6 | url="https://github.com/agustingianni/symrepl", 7 | author="Agustin Gianni", 8 | author_email="agustin.gianni@gmail.com", 9 | description=("Symbol inspection REPL interface"), 10 | license="MIT", 11 | keywords="symbol repl", 12 | py_modules=["symrepl"], 13 | install_requires=[ 14 | "prompt_toolkit", 15 | "pygments" 16 | ], 17 | entry_points=""" 18 | [console_scripts] 19 | symrepl=symrepl:main 20 | """ 21 | ) -------------------------------------------------------------------------------- /symrepl.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import argparse 4 | import os 5 | import platform 6 | import subprocess 7 | import sys 8 | 9 | from prompt_toolkit import prompt 10 | from prompt_toolkit.history import FileHistory 11 | from prompt_toolkit.auto_suggest import AutoSuggestFromHistory 12 | 13 | from pygments import highlight 14 | from pygments.lexers.c_cpp import CppLexer as Lexer 15 | from pygments.formatters import Terminal256Formatter as Formatter 16 | 17 | try: 18 | if platform.system() == 'Darwin': 19 | # macOS: Get the path to lldb's python bindings. 20 | developer = subprocess.check_output(['xcode-select', '-p']) 21 | xcode = os.path.split(developer)[0] 22 | bindings = os.path.join(xcode, 'SharedFrameworks', 'LLDB.framework', 'Resources', 'Python') 23 | sys.path.append(bindings) 24 | elif platform.system() == 'Linux': 25 | # 'lldb --python-path' should spit out the lldb python path, but this broken (?) 26 | # on linux. So we'll add it to our path anyways, incase its just my box that its 27 | # broken on... 28 | lldb_python_path = subprocess.check_output(['lldb', '--python-path']).strip() 29 | sys.path.append(lldb_python_path) 30 | 31 | # this is where the shit actually lives on my debian box. Introduces a dep on 'llvm-config' 32 | # but also like, works and stuff. 33 | llvm_lib_dir = subprocess.check_output(['llvm-config', '--libdir']).strip() 34 | llvm_python_path = os.path.join(llvm_lib_dir, 'python2.7', 'site-packages') 35 | lldb_python_path = os.path.join(llvm_python_path, 'lldb') 36 | 37 | sys.path.append(llvm_python_path) 38 | sys.path.append(lldb_python_path) 39 | else: 40 | print 'Failed determining platform, attempting to import lldb anyways...' 41 | 42 | import lldb 43 | 44 | except Exception, e: 45 | print "Failed importing lldb's python bindings." 46 | sys.exit(-1) 47 | 48 | 49 | class SYMRepl(object): 50 | def __init__(self, filename): 51 | # Create a debugger. 52 | self.debugger = lldb.SBDebugger.Create() 53 | self.debugger.SetAsync(False) 54 | 55 | architecture = lldb.LLDB_ARCH_DEFAULT 56 | target = self.debugger.CreateTargetWithFileAndArch( 57 | filename, architecture) 58 | if not target: 59 | sys.exit(-1) 60 | 61 | self.module = target.GetModuleAtIndex(0) 62 | if not self.module: 63 | sys.exit(-1) 64 | 65 | def getTypes(self, type_name): 66 | types = self.module.FindTypes(type_name) 67 | if not types.GetSize(): 68 | return [] 69 | 70 | return map(str, types) 71 | 72 | 73 | def repl_loop(filename): 74 | # Load the database of symbols. 75 | symrpl = SYMRepl(filename) 76 | 77 | while 1: 78 | query = str(prompt( 79 | u'symrepl> ', 80 | history=FileHistory('history.txt'), 81 | auto_suggest=AutoSuggestFromHistory(), 82 | lexer=Lexer, 83 | )) 84 | 85 | if query == 'quit': 86 | break 87 | 88 | # Query the DB. 89 | found_types = symrpl.getTypes(query) 90 | if not len(found_types): 91 | print 'Could not find any types that match `{}`'.format(query) 92 | continue 93 | 94 | # Display each type that matches. 95 | print 'Found {} types matching `{}`'.format(len(found_types), query) 96 | for output in found_types: 97 | print highlight(output, Lexer(), Formatter()) 98 | print 99 | 100 | 101 | def main(): 102 | parser = argparse.ArgumentParser(description='Symbol REPL.') 103 | parser.add_argument('-f', '--file', dest='filename', 104 | action='store', help='Path to the file with symbols.') 105 | 106 | args = parser.parse_args() 107 | if not args.filename: 108 | parser.print_help() 109 | sys.exit(-1) 110 | 111 | try: 112 | repl_loop(args.filename) 113 | 114 | except (EOFError, KeyboardInterrupt): 115 | pass 116 | 117 | 118 | if __name__ == '__main__': 119 | main() 120 | --------------------------------------------------------------------------------