DeforaNetworks/manticore
3
0
Fork 0
Code Releases Activity
92 Commits 7 Branches 0 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Mark Mossberg 531f245817 Fix arm PUSH (#141) 
If sp is in the list, it gets pushed incorrectly because it gets
updated by the stack_pushes for registers that occur before it
2017-04-18 14:00:13 -04:00
docs
Document state, cpu, issymbolic (#101)
2017-03-27 15:03:42 -04:00
examples
Add brief example descriptions to README (#120)
2017-04-10 14:31:51 -04:00
manticore
Fix arm PUSH (#141)
2017-04-18 14:00:13 -04:00
scripts
Add basic benchmarking script (#83)
2017-03-28 11:12:36 -05:00
tests
Fix memory._ceil, Fix linux.load (#134)
2017-04-13 18:45:18 -04:00
.gitignore
Remove ManticoreControl object [#180] (#4)
2017-02-14 14:54:52 -05:00
.travis.yml
Update README/travis (#126)
2017-04-10 17:22:02 -04:00
LICENSE
Add LICENSE file (#5)
2017-02-13 18:30:25 -05:00
README.md
README + Output updates (#139)
2017-04-17 16:58:34 -04:00
setup.py
Add docs (#61)
2017-03-22 15:44:03 -04:00

README.md

Manticore

Build Status Slack Status

Manticore is a prototyping tool for dynamic binary analysis, with support for symbolic execution, taint analysis, and binary instrumentation.

Features

  • Input Generation: Manticore automatically generates inputs that trigger unique code paths
  • Crash Discovery: Manticore discovers inputs that crash programs via memory safety violations
  • Execution Tracing: Manticore records an instruction-level trace of execution for each generated input
  • Programmatic Interface: Manticore exposes programmatic access to its analysis engine via a Python API

Scope

Manticore supports binaries of the following formats, operating systems, and architectures. It has been primarily used on binaries compiled from C and C++.

  • OS/Formats: Linux ELF, Windows Minidump
  • Architectures: x86, x86_64, ARMv7 (partial)

Requirements

Manticore is officially supported on Linux and requires Python 2.7.

Quick start

Install and try Manticore in about ten shell commands:

# install z3 before beginning, see our README.md
git clone git@github.com:trailofbits/manticore.git
cd manticore
pip install --user --no-binary capstone . # do this in a virtualenv if you want, but omit --user
cd examples/linux
make
manticore basic
cat mcore_*/*1.stdin | ./basic
cat mcore_*/*2.stdin | ./basic
cd ../script
python count_instructions.py ../linux/helloworld # ok if the insn count is different

Here's an asciinema of what it should look like: https://asciinema.org/a/567nko3eh2yzit099s0nq4e8z

Installation

We recommend the use of Manticore in a virtual environment, though this is optional. To manage this, we recommend installing virtualenvwrapper. Then, to set up a virtual environment, in the root of the Manticore repository, run

mkvirtualenv manticore

Then, from the root of the Manticore repository, run:

pip install .

or, if you would like to do a user install:

pip install --user .

This installs the Manticore CLI tool manticore and the Python API.

Then, install the Z3 Theorem Prover. Download the latest release for your platform and place the z3 binary in your $PATH.

Note: Due to a known issue, Capstone may not install correctly. If you get this error message, "ImportError: ERROR: fail to load the dynamic library.", or another related to Capstone, try reinstalling via pip install -I --no-binary capstone capstone

Usage

$ manticore ./path/to/binary  # runs, and creates a directory with analysis results

or

# example Manticore script
from manticore import Manticore

hook_pc = 0x400ca0

m = Manticore('./path/to/binary')

@m.hook(hook_pc)
def hook(state):
  cpu = state.cpu
  print 'eax', cpu.EAX
  print cpu.read_int(cpu.SP)

  m.terminate()  # tell Manticore to stop

m.run()

For developers

For a dev install, run:

pip install -e .[dev]

This installs a few other dependencies used for tests which you can run with some of the commands below:

cd /path/to/manticore/
# all tests
nosetests
# just one file
nosetests tests/test_armv7cpu.py
# just one test class
nosetests tests/test_armv7cpu.py:Armv7CpuInstructions
# just one test
nosetests tests/test_armv7cpu.py:Armv7CpuInstructions.test_mov_imm_min

FAQ

How does Manticore compare to angr?

Manticore is simpler. It has a smaller codebase, fewer dependencies and features, and an easier learning curve. If you come from a reverse engineering or exploitation background, you may find Manticore intuitive due to its lack of intermediate representation and overall emphasis on staying close to machine abstractions.

Was Manticore part of the Trail of Bits CRS?

Not exactly. The Trail of Bits CRS used FrankenPSE to provide its binary symbolic execution capabilities. FrankenPSE and Manticore share the same heritage: PySymEmu. The difference between the two stems for their respective use-cases.

Manticore is designed so an expert user can guide it, and therefore supports flexible APIs that help its users achieve specific goals. Manticore also supports more architectures and binary file formats.

FrankenPSE was designed to tightly integrate with the Trail of Bits CRS. This includes sharing the same program snapshot representation as the GRR fuzzer. FrankenPSE is also x86-only and uses microx, a lightweight, single-instruction x86 instruction JIT executor.

Description
No description provided
Readme 12 MiB
Languages
Python 100%