从 Radare2 获取完整的二进制控制流图 [英] Getting full binary control flow graph from Radare2

问题描述

我想使用radare2获得二进制(恶意软件)的完整控制流图.
我关注了 这篇文章 来自关于 SO 的另一个问题.我想问一下是否有另一个命令代替 ag 提供整个二进制文件的控制流图，而不仅仅是一个函数的图.

I want to get a full control flow graph of a binary (malware) using radare2.
I followed this post from another question on SO. I wanted to ask if instead of ag there is another command that gives the control flow graph of the whole binary and not only the graph of one function.

推荐答案

首先，确保从 git 仓库安装radare2 并使用最新版本:

First of all, make sure to install radare2 from git repository and use the newest version:

$ git clone https://github.com/radare/radare2.git
$ cd radare2
$ ./sys/install.sh

下载并安装radare2后，打开二进制文件并使用aaa命令对其进行分析:

After you've downloaded and installed radare2, open your binary and perform analysis on it using the aaa command:

$ r2 /bin/ls
 -- We fix bugs while you sleep.
[0x004049a0]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.

在radare 中几乎每个命令之后添加? 都会输出子命令.例如，您知道 ag 命令及其子命令可以帮助您输出可视化图形，因此通过将 ? 添加到 ag 您可以发现它的子命令:

Adding ? after almost every command in radare will output the subcommands. For example, you know that the ag command and its subcommands can help you to output the visual graphs so by adding ? to ag you can discover its subcommands:

[0x00000000]> ag?
Usage: ag<graphtype><format> [addr]  
Graph commands:
| aga[format]             Data references graph
| agA[format]             Global data references graph
| agc[format]             Function callgraph
| agC[format]             Global callgraph
| agd[format] [fcn addr]  Diff graph
... <truncated> ...

Output formats:
| <blank>                 Ascii art
| *                       r2 commands
| d                       Graphviz dot
| g                       Graph Modelling Language (gml)
| j                       json ('J' for formatted disassembly)
| k                       SDB key-value
| t                       Tiny ascii art
| v                       Interactive ascii art
| w [path]                Write to path or display graph image (see graph.gv.format     and graph.web)

您正在搜索 agCd 命令，该命令将以 dot 格式输出程序的完整调用图.

You're searching for the agCd command which will output a full call-graph of the program in dot format.

[0x004049a0]> agCd > output.dot

dot 实用程序是 Graphviz 软件的一部分，可以使用 sudo apt-get install graphviz 安装.
您可以在任何离线 dot 查看器中查看您的输出，粘贴输出到在线Graphviz查看器，甚至将dot文件转换为PNG:

The dot utility is part of the Graphviz software which can be installed using sudo apt-get install graphviz.
You can view your output in any offline dot viewer, paste the output into an online Graphviz viewer and even convert the dot file to PNG:

$ r2 /bin/ls
[0x004049a0]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x004049a0]> agCd > output.dot
[0x004049a0]> !!dot -Tpng -o callgraph.png output.dot

这篇关于从 Radare2 获取完整的二进制控制流图的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！