This is an S2E based binary-to-LLVM translator. It converts any binary code to LLVM code. The resulting LLVM module contains functions. Some, control flow details are recovered.
The idea is to reuse components from S2E to achieve the translation to LLVM. Rougly, qemu translates from binary to TCG and S2E translates from TCG to LLVM. Plugins were added to perform the recursive disassembly of the binary. The raw LLVM code is then fed to a set of external LLVM passes. The purpose of these step is to add more details about the extracted code, concretely, basic blocks are grouped in functions. It is mainly tested on the ARM architecture. bin2llvm is a best effort tool, it will try to translate as much as possible and then link the LLVM code in a final file.
$ docker pull docker.io/cojocar/bin2llvm
$ # run one example binary
$ docker run --rm -t docker.io/cojocar/bin2llvm /bin/bash -c "/usr/local/bin2llvm/bin/bin2llvm.py --file /usr/local/bin2llvm/bin/ls-example"
$ # run the tests
$ docker run --rm -t docker.io/cojocar/bin2llvm /bin/bash -c "cd /usr/local/bin2llvm/tests; BIN2LLVM_INSTALL_DIR=/usr/local/bin2llvm make;"Consult the Dockerfile for the list of dependencies.
$ ./scripts/setup.sh # this will copy some dependencies in the third_party directory
$ ./scripts/build.sh ../bin2llvm-build
$ ./scripts/install.sh ../bin2llvm-build ../bin2llvm-install$ ./scripts/build_docker.shThis will result in bin2llvm-dev and in bin2llvm-release-squashed images.
$ cd ../bin2llvm-install && ./bin/bin2llvm.py --file ./bin/ls-example
Press Ctrl+C
INFO:bin2llvm:Using /tmp/bin2llvm-W4yJvU as temp_dir
INFO:bin2llvm:Use entry: 0x00009a74
INFO:bin2llvm:Use entry: 0x00009fa8
INFO:bin2llvm:Use entry: 0x0000c470
INFO:bin2llvm:Use entry: 0x0000c4d0
INFO:bin2llvm:Use entry: 0x0000c514
INFO:bin2llvm:Use entry: 0x0000c560
....
INFO:bin2llvm:Use entry: 0x00000000
WARNING:bin2llvm:(passes) crashed with entry: 0x00000000
INFO:bin2llvm:FINAL output is in /tmp/bin2llvm-W4yJvU/final.bc (370 functions)The final bit code is ${OUT_DIR}/final.bc
$ cd ./tests && BIN2LLVM_INSTALL_DIR=$(realpath ../../bin2llvm-install) makeSee the test directory for more details.
The following works are using bin2llvm:
- Cojocar, Lucian, Taddeus Kroes, and Herbert Bos. "JTR: A Binary Solution for Switch-Case Recovery" International Symposium on Engineering Secure Software and Systems. Springer, Cham, 2017.
- Cojocar, Lucian, et al. "Pie: parser identification in embedded systems." Proceedings of the 31st Annual Computer Security Applications Conference. ACM, 2015.