A library to detect changes in different versions of binaries in the Executable and Linking Format.
- Elfo is used to access the contents of ELF-files
- Dirty Little Helper provides the required standard library functions as well as the data structures (tree/hash set/map)
- Capstone is used to disassemble the binary sections
After ensuring all submodules are checked out (`git submodule update --init --recursive`), just run `make`. This will create two static libraries:
- `libs/libbean.a` contains the binary analyzer
- `libbean.a` also includes the Bean dependencies (Capstone and DLH)
The examples directory contains a few example programs, which can be built using

```sh
make examples
```
They are controlled with several similar parameters:
| Flag | Description |
|---|---|
| `-h` | print usage information including available parameters |
| `-r` | resolve (internal) relocations |
| `-R` | try to reconstruct certain relocations |
| `-d` | inherit incompatibility from dependencies |
| `-s` | also use (external) debug symbols in analyzer |
| `-k` | do not omit unused/empty symbols |
| `-b` | set base directory to search for debug files |
| `-v` | verbose output with address and names |
| `-vv` | ... and include disassembled code |
| `-vvv` | ... and show all references and relocations |
(for a detailed list, use `-h`)

Generate the hash values for the symbols in the given ELF files using `bean-hash`:

```sh
./bean-hash libfoo.so.1.0.0
```
Use the verbose parameter (`-v`, `-vv`, `-vvv`) for a more detailed overview of the contents used for the hashes.
Disassembled instructions are color-coded to highlight excluded parts for the hashing.
Moreover, all references and relocations are taken into account.
Changed symbols of two given ELF files are highlighted by `bean-diff` in the manner of a typical diff.
Increase the verbosity level for additional information about the changed symbols:

```sh
./bean-diff -vvv -r -d libfoo.so.1.0.0 libfoo.so.1.0.1
```
The utility `bean-diffstat` gives a summary of the changed symbols between two given ELF files in JSON format:

```sh
./bean-diffstat -r -d libfoo.so.1.0.0 libfoo.so.1.0.1
```
To visualize the calls and dependencies of an executable, you can pipe the output of `bean-graph` into the Graphviz `dot` utility:

```sh
./bean-graph -e -r -vv libfoo.so.1.0.0 | dot -Tx11
```

The parameter `-e` highlights external symbols, while `-vv` clusters the symbols according to their section and shows offsets on the call edges.
Check whether an ELF file can be live-updated by another ELF file with `bean-update`:

```sh
./bean-update -r -d -v libfoo.so.1.0.0 libfoo.so.1.0.1
```

This outputs all symbols with changes and exits with status 0 if the update can be applied.
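The exit status makes `bean-update` easy to drive from a release pipeline. The script below, which is an added example and not part of the Bean project, walks an ordered list of builds of one library and reports for every consecutive pair whether the newer build is accepted as a live update to the older one. The `BEAN_UPDATE` variable is an assumption of this example (it lets a wrapper or stub stand in for the real binary during testing); the flags `-r -d` are the ones used above.

```sh
#!/bin/sh
# Check a chain of library builds for live-update compatibility using
# bean-update's exit status (0 = update can be applied).
# BEAN_UPDATE is an assumed knob of this example, not a Bean option:
# it defaults to the installed bean-update binary.
BEAN_UPDATE="${BEAN_UPDATE:-bean-update}"

# check_pair OLD NEW
# Runs bean-update on one pair, prints a one-line verdict and returns
# bean-update's status (0 = ok, non-zero = incompatible).
check_pair() {
    old="$1"
    new="$2"
    if "$BEAN_UPDATE" -r -d "$old" "$new" >/dev/null 2>&1; then
        printf '%s -> %s: ok\n' "$old" "$new"
        return 0
    fi
    printf '%s -> %s: incompatible\n' "$old" "$new"
    return 1
}

# check_chain FILE...
# Checks every adjacent pair in the given order and returns the number of
# steps that cannot be applied as a live update (0 means the whole chain
# is updatable step by step).
check_chain() {
    prev=""
    bad=0
    for cur in "$@"; do
        if [ -n "$prev" ]; then
            check_pair "$prev" "$cur" || bad=$((bad + 1))
        fi
        prev="$cur"
    done
    return "$bad"
}

# Usage (constructed file names, as in the README examples):
#   check_chain libfoo.so.1.0.0 libfoo.so.1.0.1 libfoo.so.1.0.2
```

Because `bean-update` reports incompatibility through its exit status, the script never has to parse the tool's textual output; the per-symbol details are still available by running the same command with `-v` by hand when a step is flagged.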
The tools directory contains several helper scripts written in Bash and Python 3:
- `dbgsym.py` tries to gather debug binaries for a given binary (according to GDB, including the debuginfod service)
- `dwarvars.py` extracts variables, datatypes, function declarations, etc. from debug information, employing `dwarfparse.py` (which itself uses pyelftools to read the DWARF format)
- `elfvars.py` calculates symbol hashes
- `elfvarsd.sh` is a wrapper script to run the symbol hashing as a daemon listening on a socket/port
- `compare.py` gives an overview of changes in multiple different versions of a binary
`pip` is used to install the requirements:

```sh
pip install -r requirements.txt
```

To install the examples and tools (prefixed with `bean-`) in `$HOME/.local/bin`, run

```sh
make install
```
Please note: Partial units, used in compressed DWARF (see Appendix E of the DWARF4 Standard), are not supported yet.
Bean is part of the Luci-project, which is being developed by Bernhard Heinloth of the Department of Computer Science 4 at Friedrich-Alexander-Universität Erlangen-Nürnberg and is available under the GNU Affero General Public License, Version 3 (AGPL v3).