# Manticore [![Build Status](https://travis-ci.com/trailofbits/manticore.svg?token=m4YsYkGcyttTxRXGVHMr&branch=master)](https://travis-ci.com/trailofbits/manticore) [![Slack Status](https://empireslacking.herokuapp.com/badge.svg)](https://empireslacking.herokuapp.com) Manticore is a prototyping tool for dynamic binary analysis, with support for symbolic execution, taint analysis, and binary instrumentation. ## Features - **Input Generation**: Manticore automatically generates inputs that trigger unique code paths - **Crash Discovery**: Manticore discovers inputs that crash programs via memory safety violations - **Execution Tracing**: Manticore records an instruction-level trace of execution for each generated input - **Programmatic Interface**: Manticore exposes programmatic access to its analysis engine via a Python API ## Scope Manticore supports binaries of the following formats, operating systems, and architectures. It has been primarily used on binaries compiled from C and C++. - OS/Formats: Linux ELF, Windows Minidump - Architectures: x86, x86_64, ARMv7 (partial) ## Requirements Manticore is officially supported on Linux and requires Python 2.7. ## Quick start Install and try Manticore in about ten shell commands: ``` # install z3 before beginning, see our README.md git clone git@github.com:trailofbits/manticore.git cd manticore pip install --user --no-binary capstone . # do this in a virtualenv if you want, but omit --user cd examples/linux make manticore basic cat mcore_*/*1.stdin | ./basic cat mcore_*/*2.stdin | ./basic cd ../script python count_instructions.py ../linux/helloworld # ok if the insn count is different ``` Here's an asciinema of what it should look like: https://asciinema.org/a/567nko3eh2yzit099s0nq4e8z ## Installation We recommend the use of Manticore in a virtual environment, though this is optional. To manage this, we recommend installing [virtualenvwrapper](https://virtualenvwrapper.readthedocs.io/en/latest/). Then, to set up a virtual environment, in the root of the Manticore repository, run ``` mkvirtualenv manticore ``` Then, from the root of the Manticore repository, run: ``` pip install . ```` or, if you would like to do a user install: ``` pip install --user . ``` This installs the Manticore CLI tool `manticore` and the Python API. Then, install the Z3 Theorem Prover. Download the [latest release](https://github.com/Z3Prover/z3/releases/latest) for your platform and place the `z3` binary in your `$PATH`. > Note: Due to a known [issue](https://github.com/aquynh/capstone/issues/445), Capstone may not install correctly. If you get this error message, "ImportError: ERROR: fail to load the dynamic library.", or another related to Capstone, try reinstalling via `pip install -I --no-binary capstone capstone` ## Usage ``` $ manticore ./path/to/binary # runs, and creates a directory with analysis results ``` or ```python # example Manticore script from manticore import Manticore hook_pc = 0x400ca0 m = Manticore('./path/to/binary') @m.hook(hook_pc) def hook(state): cpu = state.cpu print 'eax', cpu.EAX print cpu.read_int(cpu.SP) m.terminate() # tell Manticore to stop m.run() ``` ## For developers For a dev install, run: ``` pip install -e .[dev] ``` This installs a few other dependencies used for tests which you can run with some of the commands below: ``` cd /path/to/manticore/ # all tests nosetests # just one file nosetests tests/test_armv7cpu.py # just one test class nosetests tests/test_armv7cpu.py:Armv7CpuInstructions # just one test nosetests tests/test_armv7cpu.py:Armv7CpuInstructions.test_mov_imm_min ``` ## FAQ ### How does Manticore compare to angr? Manticore is simpler. It has a smaller codebase, fewer dependencies and features, and an easier learning curve. If you come from a reverse engineering or exploitation background, you may find Manticore intuitive due to its lack of intermediate representation and overall emphasis on staying close to machine abstractions. ### Was Manticore part of the Trail of Bits CRS? Not exactly. The [Trail of Bits CRS](https://blog.trailofbits.com/2015/07/15/how-we-fared-in-the-cyber-grand-challenge/) used [FrankenPSE](https://blog.trailofbits.com/2016/08/02/engineering-solutions-to-hard-program-analysis-problems/) to provide its binary symbolic execution capabilities. FrankenPSE and Manticore share the same heritage: [PySymEmu](https://github.com/feliam/pysymemu). The difference between the two stems for their respective use-cases. Manticore is designed so an expert user can guide it, and therefore supports flexible APIs that help its users achieve specific goals. Manticore also supports more architectures and binary file formats. FrankenPSE was designed to tightly integrate with the Trail of Bits CRS. This includes sharing the same program snapshot representation as the [GRR fuzzer](https://github.com/trailofbits/grr). FrankenPSE is also x86-only and uses [microx](https://github.com/trailofbits/microx), a lightweight, single-instruction x86 instruction JIT executor.