PSHAPE (working title: Inspector Gadget) can be downloaded here.
We're still refactoring and testing the code; once that is finished, the tool will be put on GitHub.
PSHAPE has been accepted at the 12th International Workshop on Security and Trust Management (STM), co-located with ESORICS.
Information about the binaries we used in our experiments:
$ sudo pip install pyvex
$ sudo apt-get install python-capstone
$ git clone https://github.com/Z3Prover/z3
$ cd z3
$ python scripts/mk_make.py --python
$ cd build
$ sudo make install
Note: you may have to update PYTHONPATH by adding /path/to/z3.git/build/
$ git clone https://github.com/erocarrera/pefile
$ sudo apt-get install python-pyelftools
$ sudo pip install dill
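A quick sanity check before running the tool, as an added example that is not part of PSHAPE: it confirms that every dependency listed above is importable by the interpreter that will run InspectorGadget.py. The one non-obvious detail it encodes is the mapping from package name to module name (pyelftools is imported as elftools); the package list itself is taken from the install steps above.

```python
"""Check that the PSHAPE dependencies listed above can be imported.

Added example, not part of the PSHAPE code base. The package-to-module
mapping below is the only assumption; it follows the pip/apt names used
in the install steps on this page.
"""
import importlib

# pip/apt package name -> Python module name that package provides
DEPENDENCIES = {
    "pyvex": "pyvex",
    "python-capstone": "capstone",
    "z3": "z3",                     # needs /path/to/z3.git/build/ on PYTHONPATH
    "pefile": "pefile",
    "python-pyelftools": "elftools",
    "dill": "dill",
}


def check_modules(modules):
    """Return {module_name: True/False}; never raises for a missing module."""
    result = {}
    for name in modules:
        try:
            importlib.import_module(name)
            result[name] = True
        except ImportError:
            result[name] = False
    return result


def missing_packages(deps=DEPENDENCIES):
    """Return the sorted list of package names whose module cannot be imported."""
    status = check_modules(deps.values())
    return sorted(pkg for pkg, mod in deps.items() if not status[mod])


if __name__ == "__main__":
    missing = missing_packages()
    if missing:
        print("missing packages:", ", ".join(missing))
        print("if z3 is listed, check that the z3 build directory is on PYTHONPATH")
    else:
        print("all PSHAPE dependencies importable")
```

Run it with the same python interpreter you will use for InspectorGadget.py; a different interpreter (or a missing PYTHONPATH entry for the z3 build) is the usual cause of an import error that appears only when the tool starts.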
PSHAPE produces four files:
filename.pkl is a blob containing all discovered gadgets. PSHAPE can read it back, so gadget discovery has to be done only once.
filename_all_gadgets is a text file containing all gadgets, including the ones PSHAPE cannot analyze properly (because of jumps etc.).
filename_gadgets is a text file containing the gadgets PSHAPE analyzed and uses for auto-chaining.
filename_summary is a text file containing a summary of the analysis.
python InspectorGadget.py <parameters>
-b path and name of the binary (ELF and PE are supported for now)
-maxlen maximum length of gadgets (in instructions)
-minlen minimum length of gadgets (in instructions)
-arg number of registers to initialize by the auto-chainer (Linux: 2 to 6; Windows: 2 to 4)
-p number of threads (greatly speeds up gadget discovery and summary generation; use this if you have a multicore CPU)
-spm show effects on memory in the output files
-a architecture (default is x86-64; x86 is experimental and only works for gadget discovery, not chaining)
python InspectorGadget.py -b /usr/bin/comm -maxlen 10 -arg 3
This finds all gadgets of up to 10 instructions in /usr/bin/comm and creates a chain to initialize rdi, rsi, and rcx.
python InspectorGadget.py -b /usr/bin/comm.pkl -arg 4
This uses the file generated in the previous step (comm.pkl), so gadget discovery is skipped and a chain to initialize rdi, rsi, rcx, and rdx is generated.
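The option semantics above (the -arg limits per platform, the x86 restriction to discovery only, the .pkl input that skips discovery, and the four output files) are the kind of thing a wrapper script around the tool has to get right. The following is an added example, not PSHAPE's own front-end: a hypothetical argparse model of the documented command line that validates the options, detects whether the input is a gadget blob or a fresh binary (distinguishing ELF from PE by header bytes to pick the right -arg range), and derives the output file names. Output names are inferred from the two example invocations above (comm.pkl sits next to /usr/bin/comm); defaults for options the page does not specify are assumptions, as is the use of only the register order the page states for -arg 3 and 4.

```python
"""Hypothetical front-end for the documented PSHAPE command line.

Added example, not the project's code. It models the options listed on
the page, applies their stated constraints, and names the four output
files. Assumptions: -arg is optional (no chaining when absent), the
output files are written next to the input, and register order is known
only as far as the page documents it (rdi, rsi, rcx, rdx).
"""
import argparse

ARG_RANGE = {"linux": (2, 6), "windows": (2, 4)}   # documented -arg limits
DOCUMENTED_ORDER = ["rdi", "rsi", "rcx", "rdx"]   # as given for -arg 3 / -arg 4


def build_parser():
    p = argparse.ArgumentParser(prog="InspectorGadget.py")
    p.add_argument("-b", required=True, help="binary (ELF or PE) or .pkl blob")
    p.add_argument("-maxlen", type=int, default=None, help="max gadget length")
    p.add_argument("-minlen", type=int, default=None, help="min gadget length")
    p.add_argument("-arg", type=int, default=None, help="registers to initialize")
    p.add_argument("-p", type=int, default=1, help="threads (assumed default 1)")
    p.add_argument("-spm", action="store_true", help="show memory effects")
    p.add_argument("-a", default="x86-64", choices=["x86-64", "x86"])
    return p


def format_from_header(header):
    """Classify a file by its leading bytes: ELF (Linux) or PE (Windows, MZ)."""
    if header is None:
        return None
    if header.startswith(b"\x7fELF"):
        return "elf"
    if header.startswith(b"MZ"):
        return "pe"
    return None


def validate(opts, os_name):
    """Raise ValueError when the options violate the documented constraints."""
    lo, hi = ARG_RANGE[os_name]
    if opts.arg is not None and not lo <= opts.arg <= hi:
        raise ValueError("-arg must be between %d and %d on %s" % (lo, hi, os_name))
    if opts.minlen is not None and opts.maxlen is not None and opts.minlen > opts.maxlen:
        raise ValueError("-minlen must not exceed -maxlen")
    if opts.a == "x86" and opts.arg is not None:
        raise ValueError("x86 supports gadget discovery only, not chaining")
    if opts.p < 1:
        raise ValueError("-p must be at least 1")
    return opts


def plan(argv, header=None):
    """Turn an argv list into a run plan: what to skip, what to chain, what to write.

    header: first bytes of the input file (constructed by the caller here);
    None means unknown, and Linux limits are assumed.
    """
    opts = build_parser().parse_args(argv)
    skip_discovery = opts.b.endswith(".pkl")          # blob given: reuse gadgets
    base = opts.b[:-4] if skip_discovery else opts.b  # /usr/bin/comm.pkl -> /usr/bin/comm
    os_name = "windows" if format_from_header(header) == "pe" else "linux"
    validate(opts, os_name)
    registers = None
    if opts.arg is not None:
        # Only the first four positions are documented on the page.
        registers = DOCUMENTED_ORDER[:opts.arg] if opts.arg <= len(DOCUMENTED_ORDER) else None
    return {
        "skip_discovery": skip_discovery,
        "platform": os_name,
        "threads": opts.p,
        "chain_registers": registers,
        "outputs": {
            "blob": base + ".pkl",
            "all_gadgets": base + "_all_gadgets",
            "gadgets": base + "_gadgets",
            "summary": base + "_summary",
        },
    }


if __name__ == "__main__":
    # Constructed ELF header stands in for reading the first bytes of -b.
    print(plan(["-b", "/usr/bin/comm", "-maxlen", "10", "-arg", "3"], header=b"\x7fELF"))
    print(plan(["-b", "/usr/bin/comm.pkl", "-arg", "4"]))
```

The header check matters because the -arg limit differs by platform: the same `-arg 5` that is valid for an ELF input must be rejected for a PE input, and catching that before a long multi-threaded discovery run is cheaper than discovering it in the summary file afterwards.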