libTriton  version 0.9 build 1499
Triton: Dynamic Binary Analysis Framework

Description

Triton is a dynamic binary analysis (DBA) framework. It provides internal components like a Dynamic Symbolic Execution (DSE) engine, a Taint engine, AST representations of the x86, x86-64, ARM32 and AArch64 instructions set architecture (ISA), SMT simplification passes, an SMT solver interface and, the last but not least, Python bindings.



Presentations and Publications

  • Symbolic Deobfuscation: From Virtualized Code Back to the Original
    Talk at DIMVA, Paris-Saclay, 2018. [paper] [slide] [bibtex]
    Abstract: Software protection has taken an important place during the last decade in order to protect legit software against reverse engineering or tampering. Virtualization is considered as one of the very best defenses against such attacks. We present a generic approach based on symbolic path exploration, taint and recompilation allowing to recover, from a virtualized code, a devirtualized code semantically identical to the original one and close in size. We define criteria and metrics to evaluate the relevance of the deobfuscated results in terms of correctness and precision. Finally we propose an open-source setup allowing to evaluate the proposed approach against several forms of virtualization.

  • Deobfuscation of VM based software protection
    Talk at SSTIC, Rennes, 2017. [french paper] [english slide] [french video] [bibtex]
    Abstract: In this presentation we describe an approach which consists to automatically analyze virtual machine based software protections and which recompiles a new version of the binary without such protections. This automated approach relies on a symbolic execution guide by a taint analysis and some concretization policies, then on a binary rewriting using LLVM transition.

  • How Triton can help to reverse virtual machine based software protections
    Talk at CSAW SOS, NYC, 2016. [slide]
    Abstract: The first part of the talk is going to be an introduction to the Triton framework to expose its components and to explain how they work together. Then, the second part will include demonstrations on how it's possible to reverse virtual machine based protections using taint analysis, symbolic execution, SMT simplifications and LLVM-IR optimizations.

  • Dynamic Binary Analysis and Obfuscated Codes
    Talk at St'Hack, Bordeaux, 2016. [slide]
    Abstract: At this presentation we will talk about how a DBA (Dynamic Binary Analysis) may help a reverse engineer to reverse obfuscated code. We will first introduce some basic obfuscation techniques and then expose how it's possible to break some stuffs (using our open-source DBA framework - Triton) like detect opaque predicates, reconstruct CFG, find the original algorithm, isolate sensible data and many more... Then, we will conclude with a demo and few words about our future work.

  • How Triton may help to analyse obfuscated binaries
    MISC magazine 82, 2015. [french article]
    Abstract: Binary obfuscation is used to protect software's intellectual property. There exist different kinds of obfucation but roughly, it transforms a binary structure into another binary structure by preserving the same semantic. The aim of obfuscation is to ensure that the original information is "drown" in useless information that will make reverse engineering harder. In this article we will show how we can analyse an ofbuscated program and break some obfuscations using the Triton framework.

  • Triton: A Concolic Execution Framework
    Talk at SSTIC, Rennes, 2015. [french paper] [detailed english slide] [light french slide] [bibtex]
    Abstract: This talk is about the release of Triton, a concolic execution framework based on Pin. It provides components like a taint engine, a dynamic symbolic execution engine, a snapshot engine, translation of x64 instruction to SMT2, a Z3 interface to solve constraints and Python bindings. Based on these components, Triton offers the possibility to build tools for vulnerabilities research or reverse-engineering assistance.

  • Dynamic Behavior Analysis Using Binary Instrumentation
    Talk at St'Hack, Bordeaux, 2015. [slide]
    Abstract: This talk can be considered like the part 2 of our talk at SecurityDay. In the previous part, we talked about how it was possible to cover a targeted function in memory using the DSE (Dynamic Symbolic Execution) approach. Cover a function (or its states) doesn't mean find all vulnerabilities, some vulnerability doesn't crashes the program. That's why we must implement specific analysis to find specific bugs. These analysis are based on the binary instrumentation and the runtime behavior analysis of the program. In this talk, we will see how it's possible to find these following kind of bugs : off-by-one, stack / heap overflow, use-after-free, format string and {write, read}-what-where.

  • Covering a function using a Dynamic Symbolic Execution approach
    Talk at Security Day, Lille, 2015. [slide]
    Abstract: This talk is about binary analysis and instrumentation. We will see how it's possible to target a specific function, snapshot the context memory/registers before the function, translate the instrumentation into an intermediate representation,apply a taint analysis based on this IR, build/keep formulas for a Dynamic Symbolic Execution (DSE), generate a concrete value to go through a specific path, restore the context memory/register and generate another concrete value to go through another path then repeat this operation until the target function is covered.



Installation

To be able to compile Triton, you must install these libraries before:

lib name version
libboost >= 1.68
libpython == 2.7.x or 3.6.x
libz3 >= 4.6.0
libcapstone >= 4.0.x
Pin (optional) == 71313

Linux Installation

Once the libraries are installed, you can use cmake and make to build libTriton.

$ git clone https://github.com/JonathanSalwan/Triton.git
$ cd Triton
$ mkdir build
$ cd build
$ cmake ..
$ sudo make -j2 install

OSX Installation

On OSX cmake might have some difficulties finding the correct Python include/library paths. You can run the following to build independent of your Python version:

$ brew install boost capstone z3
$ git clone https://github.com/JonathanSalwan/Triton.git
$ cd Triton
$ mkdir build
$ cd build
$ cmake $(echo 'from os.path import abspath, join; from distutils.sysconfig import get_python_inc, get_python_lib; print "-DPYTHON_INCLUDE_DIR=%s -DPYTHON_LIBRARY=%s" % (get_python_inc(), abspath(join(get_python_lib(), "../../libpython2.7.dylib")))' | python) ..
$ sudo make -j2 install

Windows Installation

Once libraries installed, you can use cmake to generate the .sln file of libTriton.

> git clone https://github.com/JonathanSalwan/Triton.git
> cd Triton
> mkdir build
> cd build
> cmake -G "Visual Studio 14 2015 Win64" \
-DBOOST_ROOT="C:/Users/jonathan/Works/Tools/boost_1_61_0" \
-DPYTHON_INCLUDE_DIRS="C:/Python27/include" \
-DPYTHON_LIBRARIES="C:/Python27/libs/python27.lib" \
-DZ3_INCLUDE_DIRS="C:/Users/jonathan/Works/Tools/z3-4.6.0-x64-win/include" \
-DZ3_LIBRARIES="C:/Users/jonathan/Works/Tools/z3-4.6.0-x64-win/bin/libz3.lib" \
-DCAPSTONE_INCLUDE_DIRS="C:/Users/jonathan/Works/Tools/capstone-3.0.5-win64/include" \
-DCAPSTONE_LIBRARIES="C:/Users/jonathan/Works/Tools/capstone-3.0.5-win64/capstone.lib" ..

However, if you prefer to directly download precompiled libraries, check out our AppVeyor's artefacts. Note that if you use AppVeyor's artefacts, you probably have to install the Visual C++ Redistributable packages for Visual Studio 2012.


Pintool for Linux users

This project is also shipped with a Pintool tracer and may be compiled with these following commands:

$ cd pin-2.14-71313-gcc.4.4.7-linux/source/tools/
$ git clone https://github.com/JonathanSalwan/Triton.git
$ cd Triton
$ mkdir build
$ cd build
$ cmake -DPINTOOL=on ..
$ make -j2
$ cd ..
$ ./build/triton ./src/examples/pin/ir.py /usr/bin/id

It's not recommended to use the pintool on a kernel 4.x. The version 71313 of Pin doesn't support very well this branch (4.x). Anyway, if you feel lucky, you can compile the Triton pintool with the -DKERNEL4=on flag.

$ cmake -DPINTOOL=on -DKERNEL4=on ..
$ make

Note that only the version 71313 of Pin is supported.