Pyrrha is a filesystem cartography and correlation software focusing on visualization. It currently focuses on the relationship between executable files but aims at enabling anyone to map and visualize any relationship types. It uses the open-source code source explorer Sourcetrail to provide users with an easy way to navigate through and search for path to function.
An example of the symbols and libraries imported by libgcc_s.so.1 and of the symbols which reference this library.
An example of the symlinks which point on busybox.
The installation is done in two parts:
- Installing
Pyrrhaas a Python module (pip install pyrrha-mapper) or using its Docker image. - Installing
Sourcetrailto be able to visualize Pyrrha's results. You can use its last release and its documentation.
The usage workflow is composed of two steps which allow you to separate DB creation and result visualization.
- Run Pyrrha to obtain Sourcetrail compatible files (
*.srctrlprjfor the project file and*.srctrldbfor the DB file). With the python package, you can just launch the command:or with the Docker$ pyrrha Usage: pyrrha [OPTIONS] COMMAND [ARGS]... Mapper collection for firmware analysis. Options: -h, --help Show this message and exit. Commands: fs Map PE and ELF files of a filesystem into a sourcetrail-compatible db.$ docker run --rm -t -v $PWD:/tmp/pyrrha ghcr.io/quarkslab/pyrrha:latest [OPTIONS] COMMAND [ARGS]... - Visualize your results with Sourcetrail
$ sourcetrail PROJECT_NAME.srctrlprj
The detailed documentation of each mapper is available in the documentation.
Pyrrha has been presented at two conferences listed below. These talks include live demo of the fs parser which map links between libraries and executables files.
- [Pyrrha: navigate easily into your system binaries, Hack.lu'23. [slides] [video]
- Map your Firmware!, PTS'23. [slides] [video]
- Eloïse Brocas (@ebrocas), Quarkslab