B2R2 : A Collection of Algorithms, Functions And Tools For Binary Analysis

B2R2 is a collection of useful algorithms, functions, and tools for binary analysis written purely in F# (in .NET lingo, it is purely managed code).

It has been named after R2-D2, a famous fictional robot appeared in the Star Wars. In fact, B2R2’s original name was B2-R2, but we decided to use the name B2R2 instead, because .NET does not allow dash (-) characters in identifiers (or namespaces).

The name essentially represents “binary” or “two”: “binary” itself means “two” states anyways. “B” and “2” mean “binary”, and “R” indicates reversing.

What is B2R2 ?

  1. It is analysis-friendly: it is written in F#, which provides all the syntactic goodies for writing program analyzers, such as pattern matching, algebraic data types, and etc.
  2. It is fast: it has a fast and efficient front-end engine for binary analysis, which is written purely in a functional way. Therefore, it naturally supports pure parallelism for binary disassembling, lifting and IR optimization.
  3. It is easy to play with: there is absolutely no dependency hell for B2R2 because it is a fully-managed library. All you need to do is to install .NET Core SDK, and you are ready to go! Native IntelliSense support is another plus!
  4. It is OS-Independent: it works on Linux, Mac, Windows, and etc. as long as .NET core supports it.
  5. It is interoperable: it is not bound to a specific language. Theoretically, you can use B2R2 APIs with any CLI supported languages.

Also Read – GiveMeSecrets : Use Regular Expressions To Get Sensitive Information

Features

  • Currently, our focus is on the front-end of binary analysis, which includes binary parser, lifter, and optimizer.
  • B2R2 natively supports parallel lifting, which is a new technique we introduced in 2019 NDSS Bar.
  • We also have our own back-end tools such as symbolic executor, but we are not planning to open-source them yet.
  • Nevertheless, B2R2 includes several useful middle-end or back-end features such as ROP chain compilation, CFG building, and automatic graph drawing, and etc.
  • B2R2 also comes with a simple command-line utility that we call BinExplorer, which can help explore such features using a simple command line interface.

Dependencies

B2R2 relies on a tiny set of external .NET libraries, and our design principle is to use a minimum number of libraries. Below is a list of libraries that we leverage.

  • System.Reflection.Metadata
  • Microsoft.FSharpLu.Json
  • FParsec

Example

Let’s try to use B2R2 APIs.

  • First we create an empty directory DIRNAME:

mkdir DIRNAME

  • We then create an empty console project with dotnet command line:

$ dotnet new console -lang F#

  • Add our nuget package B2R2.FrontEnd to the project:

$ dotnet add package B2R2.FrontEnd

  • Modify the Program.fs file with your favorite editor as follows:

open B2R2
open B2R2.FrontEnd
[<EntryPoint>]
let main argv =
let isa = ISA.OfString “amd64”
let bytes = [| 0x65uy; 0xffuy; 0x15uy; 0x10uy; 0x00uy; 0x00uy; 0x00uy |]
let handler = BinHandler.Init (isa, bytes)
let ins = BinHandler.ParseInstr handler 0UL
ins.Translate handler.TranslationContext |> printfn “%A”
0

  • We then just run it by typing: dotnet run. You will be able see lifted IR statements from your console. That’s it! You just lifted an Intel instruction with only few lines of F# code!

Build

Building B2R2 is fun and easy. All you need to do is to install .NET Core SDK 3.0 or above. Yea, that’s it!

  • To build B2R2 in release mode, type make release or dotnet build -c Release in the source root.
  • To build B2R2 in debug mode, type make, or dotnet build in the source root.

For your information, please visit the official web site of F# to get more tips about installing the development environment for F#:

Why Reinventing the Wheel

There are many other great tools available, but we wanted to build a functional-first binary analysis platform that is painless to install and runs on any platform without any hassle.

B2R2 is in its infancy stage, but we believe it provides a rich set of library functions for binary analysis.

It also has a strong front-end that is easily adaptable and extendible! Currently it reliably supports x86 and x86-64, meaning that we have heavily tested them; and it partially supports ARMv7 (and Thumb), ARMv8, MIPS32, and MIPS64, meaning that they work, but we haven’t tested them thorougly yet.

Features to be Added

Below is a list of features that we plan to add in the future: the list is totally incomplete. Some of them are work in progress, but we look forward your contributions!

  • Implement CFG recovery algorithms.
  • Implement assembler for currently supported ISAs using a parser combinator.
  • Support for floating point operations.
  • Support for more architectures such as PPC.

Credits: Members in SoftSec Lab

R K

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

22 hours ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

22 hours ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

3 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

5 days ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago