Maat is an open-source Dynamic Symbolic Execution and Binary Analysis framework. It provides various functionalities such as symbolic execution, taint analysis, constraint solving, binary loading, environment simulation, and leverages Ghidra’s sleigh library for assembly lifting: https://maat.re

Key Features

• Fast & Portable: Designed to scale to real-world applications. Fully written in C++ for good runtime performance. There are hardly any runtime dependencies, and most of them are optional
• User-friendly: Maat has a flexible debugger-like API, and its features are configurable to adapt to many different use-cases. As any self-respecting modern framework, it comes with Python bindings
• Multi-arch: With lifting and emulation based on Ghidra’s awesome sleigh library, Maat has the potential to emulate many architectures, including exotic ones

Installation

To install Maat’s python module:

python3 -m pip install pymaat

To install Maat’s native SDK and use the C++ API, check out BUILDING.md

Example

from maat import *
Create a symbolic engine for Linux X86-32bits
engine = MaatEngine(ARCH.X86, OS.LINUX)
Load a binary with one command line argument
engine.load(“./some_binary”, BIN.ELF32, args=[engine.vars.new_symbolic_buffer(“some_arg”, 20)])
Get current eax value
engine.cpu.eax
Read 4 bytes at the top of the stack
engine.mem.read(engine.cpu.esp, 4)
Set a callback displaying every memory read
def show_mem_access(engine):
mem_access = engine.info.mem_access
print(f”Instruction at {engine.info.addr} reads {mem_access.size} bytes at {mem_access.addr}”)
engine.hooks.add(EVENT.MEM_R, WHEN.BEFORE, callbacks=[show_mem_access])
Take and restore snapshots
snap = engine.take_snapshot()
engine.restore_snapshot(snap)
Run the binary
engine.run()