介绍
Triton 是一款动态二进制分析框架,它支持符号执行和污点分析,同时提供了 pintools 的 python 接口,我们可以使用 python 来使用 pintools 的功能。 Triton 支持的架构有 x86, x64, AArch64.
官方文档:
https://triton-library.github.io/
安装
首先需要安装依赖
sudo apt-get install libz3-dev libcapstone-dev libboost-dev libopenmpi-dev
然后根据官网教程进行安装
$ git clone https://github.com/JonathanSalwan/Triton.git
$ cd Triton
$ mkdir build
$ cd build
$ cmake ..
$ sudo make -j install
可能需要指定python版 比如在mac下编译命令
cmake -DPYTHON_INCLUDE_DIR=/opt/homebrew/Cellar/python@3.9/3.9.13_1/Frameworks/Python.framework/Headers -DPYTHON_LIBRARY=/opt/homebrew/Cellar/python@3.9/3.9.13_1/Frameworks/Python.framework/Versions/3.9/lib/libpython3.9.dylib ..还报错
ld: cannot link directly with dylib/framework, your binary is not an allowed client of /Library/Developer/CommandLineTools/SDKs/MacOSX12.1.sdk/usr/lib/libpython.tbd for architecture arm64或者建议直接修改cmake文件
set(PYTHON_INCLUDE_DIRS "/opt/homebrew/Cellar/[email protected]/3.9.13_1/Frameworks/Python.framework/Headers")set(PYTHON_LIBRARYS "/opt/homebrew/Cellar/[email protected]/3.9.13_1/Frameworks/Python.framework/Versions/3.9/lib/libpython3.9.dylib")set(CMAKE_C_FLAGS "-lpython3.9")set(CMAKE_CXX_FLAGS "-lpython3.9")
编译xcode版本
sudo rm -rf /Library/Developer/CommandLineToolsxcode-select --installbrew install Boostcmake -G "Xcode" .. -DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++
安装完后用
运行第一个案例
#!/usr/bin/env python3## -*- coding: utf-8 -*-#### Output#### $ python3 ir.py## 400000: mov rax, qword ptr [rip + 0x13b8]## ref!0 = (concat ((_ extract 7 0) (_ bv0 8)) ((_ extract 7 0) (_ bv49 8)) ((_ extract 7 0) (_ bv0 8)) ((_ extract 7 0) (_ bv50 8)) ((_ extract 7 0) (_ bv0 8)) ((_ extract 7 0) (_ bv51 8)) ((_ extract 7 0) (_ bv0 8)) ((_ extract 7 0) (_ bv52 8))) ; MOV operation## ref!1 = (_ bv4194311 64) ; Program Counter#### 400007: lea rsi, qword ptr [rbx + rax*8]## ref!2 = (bvadd (_ bv0 64) (bvadd (_ bv67890 64) (bvmul ((_ extract 63 0) ref!0) (_ bv8 64)))) ; LEA operation## ref!3 = (_ bv4194315 64) ; Program Counter#### 40000b: lea rsi, dword ptr [ebx + eax*8 + 0xa]## ref!4 = ((_ zero_extend 32) (bvadd (_ bv10 32) (bvadd (_ bv67890 32) (bvmul ((_ extract 31 0) ref!0) (_ bv8 32))))) ; LEA operation## ref!5 = (_ bv4194321 64) ; Program Counter#### 400011: pmovmskb edx, xmm1## ref!6 = ((_ zero_extend 32) ((_ zero_extend 16) (concat ((_ extract 127 127) (_ bv0 128)) ((_ extract 119 119) (_ bv0 128)) ((_ extract 111 111) (_ bv0 128)) ((_ extract 103 103) (_ bv0 128)) ((_ extract 95 95) (_ bv0 128)) ((_ extract 87 87) (_ bv0 128)) ((_ extract 79 79) (_ bv0 128)) ((_ extract 71 71) (_ bv0 128)) ((_ extract 63 63) (_ bv0 128)) ((_ extract 55 55) (_ bv0 128)) ((_ extract 47 47) (_ bv0 128)) ((_ extract 39 39) (_ bv0 128)) ((_ extract 31 31) (_ bv0 128)) ((_ extract 23 23) (_ bv0 128)) ((_ extract 15 15) (_ bv0 128)) ((_ extract 7 7) (_ bv0 128))))) ; PMOVMSKB operation## ref!7 = (_ bv4194325 64) ; Program Counter#### 400015: mov eax, edx## ref!8 = ((_ zero_extend 32) ((_ extract 31 0) ref!6)) ; MOV operation## ref!9 = (_ bv4194327 64) ; Program Counter#### 400017: xor ah, 0x99## ref!10 = (concat ((_ extract 63 16) ((_ extract 63 0) ref!8)) (concat (bvxor ((_ extract 15 8) ref!8) (_ bv153 8)) ((_ extract 7 0) ((_ extract 63 0) ref!8)))) ; XOR operation## ref!11 = (_ bv0 1) ; Clears carry flag## ref!12 = (_ bv0 1) ; Clears overflow flag## ref!13 = (bvxor (bvxor (bvxor (bvxor (bvxor (bvxor (bvxor (bvxor (_ bv1 1) ((_ extract 0 0) (bvlshr ((_ extract 15 8) ref!10) (_ bv0 8)))) ((_ extract 0 0) (bvlshr ((_ extract 15 8) ref!10) (_ bv1 8)))) ((_ extract 0 0) (bvlshr ((_ extract 15 8) ref!10) (_ bv2 8)))) ((_ extract 0 0) (bvlshr ((_ extract 15 8) ref!10) (_ bv3 8)))) ((_ extract 0 0) (bvlshr ((_ extract 15 8) ref!10) (_ bv4 8)))) ((_ extract 0 0) (bvlshr ((_ extract 15 8) ref!10) (_ bv5 8)))) ((_ extract 0 0) (bvlshr ((_ extract 15 8) ref!10) (_ bv6 8)))) ((_ extract 0 0) (bvlshr ((_ extract 15 8) ref!10) (_ bv7 8)))) ; Parity flag## ref!14 = ((_ extract 15 15) ref!10) ; Sign flag## ref!15 = (ite (= ((_ extract 15 8) ref!10) (_ bv0 8)) (_ bv1 1) (_ bv0 1)) ; Zero flag## ref!16 = (_ bv4194330 64) ; Program Counter##from __future__ import print_functionfrom triton import TritonContext, ARCH, Instruction, REG, MemoryAccessimport syscode = [(0x400000, b"x48x8bx05xb8x13x00x00"), # mov rax, QWORD PTR [rip+0x13b8](0x400007, b"x48x8dx34xc3"), # lea rsi, [rbx+rax*8](0x40000b, b"x67x48x8Dx74xC3x0A"), # lea rsi, [ebx+eax*8+0xa](0x400011, b"x66x0FxD7xD1"), # pmovmskb edx, xmm1(0x400015, b"x89xd0"), # mov eax, edx(0x400017, b"x80xf4x99"), # xor ah, 0x99(0x40001a, b"xC5xFDx6FxCA"), # vmovdqa ymm1, ymm2]if __name__ == '__main__':Triton = TritonContext()Triton.setArchitecture(ARCH.X86_64)for (addr, opcode) in code:# Build an instructioninst = Instruction()# Setup opcodeinst.setOpcode(opcode)# Setup Addressinst.setAddress(addr)# Process everythingTriton.processing(inst)# Display instructionprint(inst)# Display symbolic expressionsfor expr in inst.getSymbolicExpressions():print('t', expr)print()sys.exit(0)
运行效果
更多的详细教程
# Triton视频教程## Triton介绍与环境搭建* 1.课程介绍* 2.学习必备条件* 3.Triton编译与安装* 4.简单使用与源码框架了解* 5.实现一个最简单的my_qemu(kvm)* 6.xcode调试环境搭建* 7.python运行环境问题(Mac)* 8.第一个Triton简单程序(cpp)* 9.第二个Triton简单程序(python)* 10.shellcode模拟执行## 模拟x86_64架构* 11.模拟单个参数函数与获取返回值* 12.模拟多个参数函数* 13.模拟获取全局变量函数* 14.外部符合libc库函数调用模拟* 15.模拟多个函数调用链* 16.复杂结体参数传递### 模拟常用算法(x86_64)* 17.Triton模拟base64编码* 18.Triton模拟aes算法* 19.Triton模拟rc4算法* 20.Triton模拟des算法* 21.Triton其它算法模拟思路### 跟unicorn对比* 22.模拟执行对比unicorn* 23.设计构架对比unicorn* 24.hook指令对比unicorn* 25.事件回调对比unicorn* 26.高级话题对比unicorn## arm64架构模拟* 27.arm64函数参数与返回值模拟* 28.arm64模拟多个参数函数* 29.arm64模拟获取全局变量函数* 30.arm64构架中的算法模拟* 31.android中模拟与JNI交互* 32.JNI模拟call java函数## 高级部分* 33.可执行文件加载* 34.hook库函数(libc)* 35.符号执行介绍* 39.符号执行简单案例* 40.符号执行-代码约束* 41.符号执行-状态约束* 42.符号化寄存器* 43.符号化寄存器* 44.符号化栈上的值* 45.符号化内存* 46.符号化动态内存* 47.符号化文件内容* 48.符号执行-内存约束* 49.符号执行-函数地址hook* 50.符号执行-函数名称hook* 51.符号执行-scanf函数hook* 52.符号执行-静态库函数hook* 53.符号执行-动态库函数hook* 54.混合符号执行* 55.符号执行-任意地址读* 56.符号执行-任意地址写* 57.符号执行-任意地址跳转* 36.污点分析介绍* 58.污点分析案例* 59.Triton反混淆
其它学习教程。
原文始发于微信公众号(安全狗的自我修养):逆向分析与漏洞挖掘工具之Triton 安装与使用
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论