Skip to content

enferex/binema

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

37 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

binema: Executable to callgraph generator
=========================================


What
====
binema takes as input an executable and generates the resulting callgraph in dot
notation.  dot can be used to easily visualize a graph.  For more information on
the dot language (graphviz) see: <http://www.graphviz.org/>

Callgraph generation typically takes place during compile time allowing the
compiler to make certain decisions necessary for generating an executable from
source.  Callgraphs can also be used/generated by security auditing/analysis
tools and debuggers; binema operates from the latter approach.  Instead of
acting as a compiler, which would transform the input source code into a
callgraph, binema takes an already compiled executable and generates the
callgraph.  This is not unique, as disassemblers can perform just this very
task.  What is nifty about binema is that it is not a full-fledged disassembler,
rather it is a simple and low-dependency program that generates a callgraph in
dot notation.  Why dot?  Because graphs look super-duper-sexxy.

Also, I would say that binema is a good (simple) example of using libbfd and
libopcodes.


Limitations
===========
binema does not resolve jumps or indirect control flow redirections.  Simply,
binema only looks for an explicit 'call' instruction and the following operand.
If the operand is a symbol, then binema will attempt to resolve the symbol to a
human readable name.  If the operand (target of the call instruction) is not a
symbol, then the address is displayed.

If an indirect address is displayed such as 'call *(%rax)' then that operand is
displayed as presented in the disassembled output.  If two nodes call such an
indirect adderess, then both edges (the control flow) will point to the same
node (the indirect address instructions).  That is not accurate as the indirect
addresses might point to two different functions at runtime.

Stripped binaries are not processed since binema displays caller and callee
(e.g., what function is calling what other function).  The aforementioned data
is obtained via libbfd.


Dependencies
============
libbfd: Comes with binutils (objdump, addr2line, etc., rely on this)
libopcodes: Also from binutils
<http://www.gnu.org/software/binutils/>


Thanks
======
How to use libbfd and libopcodes came from tons of "web searching" and looking
at the sources for objdump and addr2line (both provided by binutils).

Another very valuable resource is the following:
<http://www.toothycat.net/wiki/wiki.pl?Binutils/libopcodes>


Contact
=======
Matt Davis (enferex)
mattdavis9@gmail.com

About

Binary to callgraph generator

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published