
Filesystem binaries mapper tool

Project description

Pyrrha

Introduction

Pyrrha is a filesystem cartography and correlation tool focused on visualization. It currently maps the relationships between executable files (imported libraries, exported symbols, symlinks) but aims at letting anyone map and visualize any kind of relationship. It relies on the open-source source-code explorer Sourcetrail to give users an easy way to navigate the result and to search for the paths leading to a given function.

An example of the symbols and libraries imported by libgcc_s.so.1 and of the symbols which reference this library.

An example of the symlinks which point on busybox.

Installation

The installation is done in two parts:

  • installing Pyrrha (as a Python module);
  • installing Sourcetrail to be able to visualize Pyrrha's results.

Sourcetrail installation

Sourcetrail can be installed from its latest release by following its documentation.

Pyrrha installation

Pyrrha requires Python >= 3.10. It is recommended to install the package inside a virtualenv. You can install it with pip:

pip install pyrrha-mapper

If you prefer installing Pyrrha from source, do the following:

# Do not forget to activate your virtualenv
$ pip install 'pyrrha @ git+https://github.com/quarkslab/pyrrha'

# If you prefer, you can manually clone the repository and then install the package
$ git clone https://github.com/quarkslab/pyrrha
$ cd pyrrha
$ pip install '.'

Tested on Linux and Windows. On Windows, run the installation from an MSVC Developer shell so that the wheel can be built.

Docker

Pyrrha can also be run from a Docker image. The image only provides Pyrrha; you still need to install Sourcetrail on your system as described in the Sourcetrail installation section. The command below mounts the parent directory of ROOT_DIRECTORY into the container, so ROOT_DIRECTORY is passed as a path relative to that mount:

$ cd ROOT_DIRECTORY/..
$ docker run --rm -t -v $PWD:/tmp/pyrrha ghcr.io/quarkslab/pyrrha:latest fs [OPTIONS] ROOT_DIRECTORY

A prebuilt image is available from our GitHub registry, but you can also build it from the sources:

$ git clone https://github.com/quarkslab/pyrrha && cd pyrrha
$ docker build -t pyrrha .

Usage

Mapping with Pyrrha

First, create your database with Pyrrha. ROOT_DIRECTORY must contain the whole filesystem you want to map, already extracted or mounted. Pyrrha treats ROOT_DIRECTORY as the filesystem root for every symlink resolution, so absolute symlink targets are looked up below ROOT_DIRECTORY rather than on the host.
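To make that resolution rule concrete, here is an added example (illustration code, not Pyrrha's implementation) that builds a constructed busybox-style mini root filesystem in a temporary directory and classifies each symlink the way a mapper anchored at ROOT_DIRECTORY must: absolute targets are re-anchored under the root, relative targets are taken from the link's directory, and links that dangle, loop, or climb out of the root are reported instead of being followed on the host. The directory layout, file names and statuses are all assumptions made for the demo.

```python
import os
import tempfile
from pathlib import Path


def resolve_in_root(root, link, max_depth=40):
    """Resolve `link` as if `root` were '/'.

    Returns (final_path, status) with status one of 'ok', 'dangling',
    'escapes_root' or 'loop'. '..' is normalised lexically, and a target that
    climbs above root is reported rather than clamped as a real chroot would:
    on an analyst's machine such a link is exactly what a naive tool would follow.
    """
    root = Path(root).resolve()
    current = Path(link)
    seen = set()
    for _ in range(max_depth):
        if not current.is_symlink():
            return current, "ok" if current.exists() else "dangling"
        if current in seen:
            return current, "loop"
        seen.add(current)
        target = Path(os.readlink(current))
        if target.is_absolute():
            candidate = root / target.relative_to("/")   # /bin/busybox -> ROOT/bin/busybox
        else:
            candidate = current.parent / target          # relative to the link's directory
        candidate = Path(os.path.normpath(candidate))
        if root not in candidate.parents and candidate != root:
            return candidate, "escapes_root"
        current = candidate
    return current, "loop"


def scan_symlinks(root):
    """Walk root (without following links) and classify every symlink found.

    Returns {link_path_inside_root: (resolved_path_inside_root_or_host, status)}.
    """
    root = Path(root).resolve()
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            final, status = resolve_in_root(root, p)
            try:
                shown = "/" + str(final.relative_to(root))
            except ValueError:            # final lies outside root (escapes_root)
                shown = str(final)
            results["/" + str(p.relative_to(root))] = (shown, status)
    return results


def build_demo_root():
    """Create a constructed mini rootfs (sample input, not a real firmware)."""
    root = Path(tempfile.mkdtemp(prefix="pyrrha_demo_"))
    (root / "bin").mkdir()
    (root / "usr" / "bin").mkdir(parents=True)
    (root / "lib").mkdir()
    (root / "bin" / "busybox").write_bytes(b"\x7fELF")           # placeholder content
    os.symlink("busybox", root / "bin" / "ls")                     # relative, resolves
    os.symlink("/bin/busybox", root / "usr" / "bin" / "sh")        # absolute, re-anchored
    os.symlink("/lib/libmissing.so.1", root / "lib" / "libc.so")   # dangling
    os.symlink("../../../../etc/passwd", root / "usr" / "bin" / "evil")  # climbs out of root
    os.symlink("b", root / "lib" / "a")                            # a -> b -> a loop
    os.symlink("a", root / "lib" / "b")
    return root


if __name__ == "__main__":
    for link, (target, status) in sorted(scan_symlinks(build_demo_root()).items()):
        print(f"{status:13} {link} -> {target}")
```

The 'dangling' and 'escapes_root' entries correspond to the cases Pyrrha reports in its logs as symlinks it cannot resolve; looking at them before opening the Sourcetrail project tells you whether the extraction is incomplete (missing libraries) or whether the image contains links that deliberately point outside the filesystem.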

Usage: pyrrha fs [OPTIONS] ROOT_DIRECTORY

  Map a filesystem into a sourcetrail-compatible db.

Options:
  --db PATH   Sourcetrail DB file path (.srctrldb).  [default: pyrrha.srctrldb]
  -e, --json  Create a JSON export of the resulting mapping.
  -h, --help  Show this message and exit.

You can also export the results as a JSON file (option --json) in order to postprocess them. For example, you can diff the results of two versions of the same system and list which binaries were added or removed and which symbols were added or removed (cf. the example script in example).
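As an added example of that postprocessing (not Pyrrha's own example script), the following Python diffs two exports and adds two checks a practitioner wants when comparing firmware versions: imports that no binary in the new image exports any more (a removed export silently breaks its dependents) and newly added imports that hit a watchlist of process-spawning or loading functions. The JSON layout read by load_mapping() is an assumption, not Pyrrha's documented schema, and the two exports are constructed sample data; adapt the loader to the real file.

```python
import json

# ASSUMED export layout (not Pyrrha's documented schema; adapt load_mapping()
# to the real file): {"binaries": [{"path": str, "exports": [str], "imports": [str]}]}

# Imported symbols that deserve a second look when they appear in an update.
WATCHLIST = frozenset({"system", "popen", "execve", "execl", "dlopen"})


def load_mapping(text):
    """Parse one export into {binary_path: (exported_symbols, imported_symbols)}."""
    data = json.loads(text)
    return {
        b["path"]: (set(b.get("exports", [])), set(b.get("imports", [])))
        for b in data["binaries"]
    }


def diff_mappings(old, new):
    """Binaries added/removed between two mappings, plus per-binary symbol changes."""
    old_paths, new_paths = set(old), set(new)
    report = {
        "added_binaries": sorted(new_paths - old_paths),
        "removed_binaries": sorted(old_paths - new_paths),
        "changed": {},
    }
    for path in sorted(old_paths & new_paths):
        old_exp, old_imp = old[path]
        new_exp, new_imp = new[path]
        delta = {
            "exports_added": sorted(new_exp - old_exp),
            "exports_removed": sorted(old_exp - new_exp),
            "imports_added": sorted(new_imp - old_imp),
            "imports_removed": sorted(old_imp - new_imp),
        }
        if any(delta.values()):
            report["changed"][path] = delta
    return report


def unresolved_imports(mapping):
    """Imports that no binary in the mapping exports: a removed export breaks its dependents."""
    provided = set().union(*(exports for exports, _ in mapping.values()))
    return {
        path: sorted(imports - provided)
        for path, (_, imports) in mapping.items()
        if imports - provided
    }


def risky_new_imports(report, watchlist=WATCHLIST):
    """Newly added imports on the watchlist, e.g. a binary that starts calling system()."""
    return {
        path: sorted(set(delta["imports_added"]) & watchlist)
        for path, delta in report["changed"].items()
        if set(delta["imports_added"]) & watchlist
    }


# Constructed sample exports standing in for two versions of the same firmware.
OLD_EXPORT = json.dumps({"binaries": [
    {"path": "/lib/libc.so", "exports": ["abort", "memcpy", "printf", "system"], "imports": []},
    {"path": "/lib/libgcc_s.so.1", "exports": ["__gcc_personality_v0", "_Unwind_Resume"],
     "imports": ["abort", "memcpy"]},
    {"path": "/bin/busybox", "exports": [], "imports": ["_Unwind_Resume", "printf"]},
    {"path": "/usr/lib/libold.so", "exports": ["old_fn"], "imports": []},
]})
NEW_EXPORT = json.dumps({"binaries": [
    {"path": "/lib/libc.so", "exports": ["abort", "memcpy", "printf", "system"], "imports": []},
    {"path": "/lib/libgcc_s.so.1", "exports": ["__gcc_personality_v0"],
     "imports": ["abort", "memcpy"]},
    {"path": "/bin/busybox", "exports": [], "imports": ["_Unwind_Resume", "printf", "system"]},
    {"path": "/usr/lib/libnew.so", "exports": ["new_fn"], "imports": []},
]})


def demo():
    """Diff the two constructed exports and attach the two extra checks."""
    old, new = load_mapping(OLD_EXPORT), load_mapping(NEW_EXPORT)
    report = diff_mappings(old, new)
    report["unresolved_in_new"] = unresolved_imports(new)
    report["risky_new_imports"] = risky_new_imports(report)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On the sample data the report shows libnew.so added, libold.so removed, _Unwind_Resume dropped from libgcc_s.so.1 (which leaves busybox with an import nothing provides) and busybox newly importing system(). Each of those is a starting point for a Custom Trail in Sourcetrail.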

Visualization with Sourcetrail

Open the resulting project with Sourcetrail. You can now navigate the cartography. The user interface is described in depth in the Sourcetrail documentation.

To fit Sourcetrail's vocabulary, binaries, exported functions, exported symbols and symlinks are each mapped onto a distinct Sourcetrail node type. The four kinds of node you will see are:

  • Binaries
  • Exported functions
  • Exported symbols
  • Symlinks

Take a look at the Sourcetrail documentation to explore everything Sourcetrail offers; Custom Trails in particular are useful in many cases.

Quick Start—Usage Example

Let's take the example of an OpenWrt firmware. OpenWrt is a common Linux distribution for embedded targets such as routers.

First, download the firmware and extract its root filesystem into a directory. Here we download the OpenWrt 22.03.5 root filesystem for generic x86_64 systems.

$ wget https://downloads.openwrt.org/releases/22.03.5/targets/x86/64/openwrt-22.03.5-x86-64-rootfs.tar.gz -O openwrt_rootfs.tar.gz
$ mkdir openwrt_root_fs && cd openwrt_root_fs
$ tar -xf ../openwrt_rootfs.tar.gz
$ cd .. && rm openwrt_rootfs.tar.gz

Then run Pyrrha on it. It logs the symlinks and imports that it cannot resolve directly. (Do not forget to activate your virtualenv if you created one when installing Pyrrha.)

$ pyrrha fs --db openwrt_db openwrt_root_fs
$ ls 
openwrt_root_fs openwrt_db.srctrldb  openwrt_db.srctrlprj

You can now navigate the resulting cartography with Sourcetrail.

$ sourcetrail openwrt_db.srctrlprj

Pyrrha result opened with Sourcetrail.

Authors

  • Eloïse Brocas (@ebrocas), Quarkslab

Download files

Source Distribution

pyrrha-mapper-0.4.1.tar.gz (460.5 kB)

  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.11.7

Hashes for pyrrha-mapper-0.4.1.tar.gz

  • SHA256: e78d698aa7f47f785686b6f9d0d7b094162ec54b5c2d185ac7f3f9224bfd01d9
  • MD5: 93e987c1321921b0a78ddbaf900d06fa
  • BLAKE2b-256: 469ca2ea27109f3dc1edf7ea5c1d9b3851c5b25ba8f2a17e78ddeeb01b242f0e

Built Distribution

pyrrha_mapper-0.4.1-py3-none-any.whl (14.2 kB)

  • Tags: Python 3

Hashes for pyrrha_mapper-0.4.1-py3-none-any.whl

  • SHA256: 7577ca015c79cb238275d9b8567f24ac610f75c271e885f3d4b410eba22e755d
  • MD5: 8ce36dc229ee42a3524980745357bca5
  • BLAKE2b-256: b89155cb1bfc46f90e96e397c99e1dca4a1dced19886d1366d51c2930aea411c
