ERESI HOW-TO

This document shows how to use ERESI either using its C API or its scripting primitives. Everything that can be done in scripting can also be done using the C API. All features present on that page are known to work. If a link is missing, no testsuite is available for this feature, but the technique is used within the ERESI code as implemented by one of our tools.

ERESI language basics

Those features are provided by librevm, the Reverse Engineering Vector Machine, aka the interpreter of the ERESI language:

• Using variables and structures in ERESI
• Defining constants variables and bitfields
• Dynamic naming of variables
• Using function parameters
• Doing looping code
• Using linked lists and hash tables.
• Create and habitate manually defined types
• Declare and using union types
• Understanding variables copy-semantics with tables and loops.
• Understanding linearity constraints on variables within loops.
• Using recursive functions

Static binary instrumentation

Those features are part of libelfsh used in the ELF shell:

• Load, unload, and list binary files into the framework (load and unload commands)
• Display the content (syms, relocs, sections, dynamic, interp, versions, hashs ..) of an ELF file.
• Redirect constructors table entries.
• Redirect destructors table entries.
• Redirect functions by modifying the Global Offset Table.
• Adding symbols to an executable.
• Adding code sections to an executable
• Adding data sections to an executable.
• Adding unmapped sections to an executable.
• Inject compiled C code into an existing binary (ET_REL injection technique).
• Redirect imported functions using the ALTPLT technique.
• Redirect internal functions using the CFLOW technique.
• Redirect access to a basic block (flowjack command)
• Relinking dynamic binary programs (EXTPLT technique)
• Relinking static binary programs (EXTSTATIC technique)
• Remove sections from a binary.
• Manipulate binary content using strings, data and arithmetic operations on ELF objects.
• Strip the section header table (SHT) and rebuild it.

Static binary code analysis

Those features are part of libasm and libmjollnir used in the Evarista analyzer:

• Use the internal libasm API.
• Unstrip a missing symbol table.
• Disassemble fully resolved binary code using regular expressions.
• Plotting control flow graphs with clever color support.
• Fingerprint functions using md5.

Runtime embedded binary debugging

Those features are part of the Embedded ELF debugger. All those operations are implemented without the ptraceOS-level system call :

• Set and remove breakpoints in whole memory.
• Execute debug commands on breakpoint.
• See threads list and switching between threads.
• Backtrace monothread or multithread programs.
• Display and modify registers.
• Read and write memory during debug.
• Single-step programs without ptrace.
• Single-step program verbosely until next event.
• Show stack content during debug.
• Inject compiled code C directly into memory.
• Redirect functions directly into memory.
• Convert dwarf or stabs debug format to edfmt format.

Runtime embedded binary tracing

Those features are part of libetrace and used in the Embedded ELF tracer:

• Define sets of functions to be traced.

Runtime kernel instrumentation

Those features are part of libkernsh and used in the Kernel shell:

• Injecting compiled C code in the runtime kernel
• Redirect kernel functions
• Manipulating the syscall table
• Accessing the task structures

Interface builtins

Those features are part of libui and its interface in librevm/io/ :

• Use colors to alert on output events and dynamically change colors configuration.
• Create workspace and switch between workspaces.

You can request additional examples by contacting the ERESI team (see contact page).