Presentation
The ERESI Reverse Engineering Software Interface is a unified multi-architecture binary analysis framework targeting operating systems based on the Executable & Linking Format (ELF) such as Linux, *BSD, Solaris, HP-UX, IRIX and BeOS. While most of the features are available for user-land programs, it also provides functionalities to analyze the running Linux kernel.
ERESI is a general purpose hybrid framework: it includes both static and runtime analysis capabilities. These features are accessed via our custom scripting language. It brings an environment of choice for program analysis through instrumentation, transformation, debugging, and tracing of binary programs. ERESI can also be used for security auditing, hooking, integrity checking or logging. The project promotes modularity and reusability of code and allows users to create their own project on top of the ERESI language interpreter in just a few lines. Among other features, the base code can display program graphs on demand using its automated flow analysis primitives. Our tools are enhanced for hardened or raw systems which have no executable data segments and no native debug API or even explicit program information.
All these projects are part of ERESI:
- elfsh : The ELF shell is an interactive and scriptable static program instrumentation tool for ELF binary files.
- kernsh: The Kernel shell is an interactive and scriptable runtime kernel instrumentation tool for injecting, inspecting and modifying kernel structures directly in the ERESI language.
- e2dbg : The Embedded ERESI debugger is an interactive and scriptable high-performance userland debugger that works without standard OS debug API (without ptrace).
- etrace : The Embedded ELF tracer is a scriptable userland tracer that works at full frequency of execution without generating traps.
We currently focus on two new top-level components:
- kedbg: A Kernel debugger taking the best of rr0d, interfaced with the GDB serial protocol, and improved with ERESI scripting capabilities.
- evarista: A static analyzer entirely implemented in the ERESI language using program transformation and data-flow analysis on binary code.
Evarista is inspired by Chevarista, an aborted static analyzer project written in C++ as an IDA plugin.
For more info, consult our recent article: Automated vulnerability auditing in machine code.
Besides those top-level components, the ERESI framework contains various libraries that can be used from one of the previously mentioned tools, or in a standalone third-party program:
- libelfsh : the binary manipulation library on which ELFsh, Kernsh, E2dbg, and Etrace are based.
- libe2dbg : the embedded debugger library which operates from inside the debuggee program.
- libasm : the smart disassembling engine (x86, sparc, mips) that gives both syntactic and semantic attributes to instructions and their operands.
- libmjollnir : the control flow analysis and fingerprinting library.
- librevm : the Reverse Engineering Vector Machine, that contains the ERESI meta-language interpreter.
- libstderesi : the standard ERESI library containing more than 100 built-in analysis commands.
- libaspect : the aspect library brings its API to reflect code and data structures in the ERESI language.
- libedfmt : the ERESI debug format library which can convert dwarf and stabs debug formats to the ERESI debug format.
- libetrace : the ERESI tracer library, on which Etrace is based.
- libkernsh : the Kernel shell library is the kernel accessibility library on which Kernsh is based.
You can take a look at our visual overview of ERESI.
Download the sources by accessing our svn repository:
$> svn checkout http://svn.eresi-project.org/svn/trunk/ eresi
or browse them using SVN trunk. The current version is 0.81a11.
You can read technical articles if you are interested in the internals of ERESI.
Find more resources and API reference on each of these components on their respective page in the top-level menu.
Consult the project's Community page.
Latest News
- October 13 2008 - EKOPARTY 2008 slides now available
- You can now consult the presentation given at EKOPARTY'2008 about static binary analysis using program transformation and data-flow analysis. This work is entirely based on the Evarista and Chevarista static analyzers. Chevarista is an aborted project whose features are progressively reimplemented in Evarista, directly in the domain specific language of the ERESI framework. Enjoy!
- August 28 2008 - First communication on the Evarista static analyzer
- We will be presenting the Evarista static analyzer (entirely implemented in the ERESI domain-specific language) at the ekoparty conference, happening on October 2 in Buenos Aires, Argentina. Our talk will focus on program transformation and data-flow analysis, and more for those who offer us some beers :P
- July 23 2008 - Control flow graphs now available for MIPS architecture
- We have implemented call graphs and control flow graphs for the MIPS processor family. Improvements in libasm and libmjollnir now provide better binary program understanding on this architecture using the graph command.
- July 5 2008 - New page about now packaged libetrace
- The newborn ERESI library libetrace has appeared on the Wiki. Latest commits improved the usability of libetrace as a stand-alone library, clarifying the ERESI API for scriptable embedded tracing.
- June 27 2008 - Libasm is now complete on MIPS
- ERESI now features a complete libasm for the MIPS architecture (including support for disassembling all FPU instructions). The MIPS disassembler has been interfaced with the ERESI runtime system, allowing users to overload opcode and operand handlers for static binary analysis on this new architecture directly in the ERESI language.
- June 11 2008 - ERESI SSTIC'08 article and presentation now available
- We have released a new article explaining the kernel-level features of the ERESI framework. The SSTIC conference took place last week at the University of Rennes, France. The paper is currently only available in French. See the article page!
- May 23 2008 - More ERESI HOWTOS
- We have finally started to link ERESI testsuite entries and examples on the HOWTO page. The list of implemented features has also been completed. Enforcing and publishing the testsuite is one more step towards a stable release.
For older news about ERESI, consult the news page.
Enjoy the framework & Happy Reversing
The ERESI team
Attachments
- EKO2008_ERESI_slides.pdf (0.7 MB) - Slides from EKOPARTY