Presentation

The ERESI Reverse Engineering Software Interface is a unified multi-architecture binary analysis framework targeting operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS.

ERESI is a general-purpose hybrid framework: it includes both static analysis and runtime analysis capabilities. These features are accessed through primitives of the ERESI reverse engineering language, which makes the framework adaptable to the precise needs of its users. It provides an environment of choice for program analysis through instrumentation, debugging, and tracing, and also offers more than ten exclusive major built-in features. ERESI can also be used for security auditing, hooking, integrity checking or logging of binary programs. The project promotes modularity and reusability of code and allows users to create their own project on top of the ERESI language interpreter in just a few lines. Among other features, the base code can display program graphs on demand using its automated flow analysis primitives. Our tools are designed for hardened or raw systems which have no executable data segments, no native debug API, or even no explicit program information.

All these projects are based on ERESI:

  • elfsh: The ELF shell is an interactive and scriptable static program instrumentation tool for ELF binary files.
  • kernsh: The Kernel shell is an interactive and scriptable runtime kernel instrumentation tool for injecting, inspecting and modifying kernel structures directly in the ERESI language.
  • e2dbg: The Embedded ERESI debugger is an interactive and scriptable high-performance userland debugger that works without the standard OS debug API (without ptrace).
  • etrace: The Embedded ELF tracer is a scriptable userland tracer that works at full execution frequency without generating traps.

We currently focus on two new top-level components:

  • ke2dbg: A Kernel debugger based on rr0d (the Rasta Ring0 Debugger) improved with ERESI scripting capabilities.
  • evarista: A static analyzer entirely implemented in the ERESI language using program transformation and data-flow analysis on binary code.

Evarista is inspired by Chevarista, an aborted static analyzer project written in C++ as an IDA plugin.
For more information, consult our recent article: Automated vulnerability auditing in machine code.

Besides those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or from a standalone third-party program:

  • libelfsh: the binary manipulation library on which ELFsh, Kernsh, E2dbg, and Etrace are based.
  • libe2dbg: the embedded debugger library which operates from inside the debuggee program.
  • libasm: the smart disassembling engine (x86, SPARC, MIPS) that gives both syntactic and semantic attributes to instructions and their operands.
  • libmjollnir: the control flow analysis and fingerprinting library.
  • librevm: the Reverse Engineering Vector Machine, which contains the ERESI meta-language interpreter.
  • libstderesi: the standard ERESI library containing more than 100 built-in analysis commands.
  • libaspect: the aspect library, which brings its API to reflect code and data structures in the ERESI language.
  • libedfmt: the ERESI debug format library, which can convert DWARF and STABS debug formats to the ERESI debug format.
  • libetrace: the ERESI tracer library, on which Etrace is based.
  • libkernsh: the Kernel shell library is the kernel accessibility library on which Kernsh is based.

You can take a look at our visual overview of ERESI.

Download the sources by accessing our svn repository:

 $> svn checkout http://svn.eresi-project.org/svn/trunk/ eresi

or browse them using SVN trunk. The current version is 0.81a11.

You can read technical articles if you are interested in the internals of ERESI.

Find more resources and the API reference for each of these components on their respective pages in the top-level menu.

Latest News

July 5 2008 - New page about now packaged libetrace
The newborn ERESI library libetrace has appeared on the Wiki. Latest commits improved the usability of libetrace as a stand-alone library, clarifying the ERESI API for scriptable embedded tracing.
June 27 2008 - Libasm is now complete on MIPS
ERESI now features a complete libasm for the MIPS architecture (including support for disassembling all FPU instructions). The MIPS disassembler has been interfaced with the ERESI runtime system, allowing users to overload opcodes and operands handlers for static binary analysis on this new architecture directly in the ERESI language.
June 11 2008 - ERESI SSTIC'08 article and presentation now available
We have released a new article explaining the kernel-level features of the ERESI framework. The SSTIC conference took place last week at the University of Rennes, France. The paper is currently only available in French. See the article page!
May 23 2008 - More ERESI HOWTOS
We have finally started to link ERESI test suite entries and examples on the HOWTO page. The list of implemented features has also been completed. Enforcing and publishing the test suite is one more step towards a stable release.

For older news about ERESI, consult the news page.

Enjoy the framework & Happy Reversing

The ERESI team