MCPcopy Create free account
hub / github.com/JonathanSalwan/Triton

github.com/JonathanSalwan/Triton @v0.9

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.9 ↗ · + Follow
3,390 symbols 20,396 edges 296 files 632 documented · 19% updated 17d agov0.9 · 2022-02-09★ 4,22633 open issues

Browse by type

Functions 3,104 Types & classes 286
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Triton is a dynamic binary analysis framework. It provides internal components like a dynamic symbolic execution engine, a dynamic taint analysis engine, AST representation of the x86, x86-64, ARM32 and AArch64 ISA semantic, an expressions synthesis engine, some SMT simplification passes, SMT solver interface to Z3 and Bitwuzla and, the last but not least, Python bindings. Based on these components, you are able to build your program analysis tools, automate reverse engineering, perform software verification or just emulate code.

<img src="http://triton.quarkslab.com/files/triton_v09_architecture.svg" width="80%"/>


<img src="http://triton.quarkslab.com/files/triton_multi_os.png"/>

As Triton is a kind of a part-time project, please, don't blame us if it is not fully reliable. Open issues or pull requests are always better than trolling =). However, you can follow the development on twitter @qb_triton.

      Codecov      

Quick start

Getting started

from triton import *

>>> # Create the Triton context with a defined architecture
>>> ctx = TritonContext(ARCH.X86_64)

>>> # Define concrete values (optional)
>>> ctx.setConcreteRegisterValue(ctx.registers.rip, 0x40000)

>>> # Symbolize data (optional)
>>> ctx.symbolizeRegister(ctx.registers.rax, 'my_rax')

>>> # Execute instructions
>>> ctx.processing(Instruction(b"\x48\x35\x34\x12\x00\x00")) # xor rax, 0x1234
>>> ctx.processing(Instruction(b"\x48\x89\xc1")) # mov rcx, rax

>>> # Get the symbolic expression
>>> rcx_expr = ctx.getSymbolicRegister(ctx.registers.rcx)
>>> print(rcx_expr)
(define-fun ref!8 () (_ BitVec 64) ref!1) ; MOV operation - 0x40006: mov rcx, rax

>>> # Solve constraint
>>> ctx.getModel(rcx_expr.getAst() == 0xdead)
{0: my_rax:64 = 0xcc99}

>>> # 0xcc99 XOR 0x1234 is indeed equal to 0xdead
>>> hex(0xcc99 ^ 0x1234)
'0xdead'

Install

Triton relies on the following dependencies:

* libboost                   >= 1.68
* libpython                  >= 3.6
* libcapstone                >= 4.0.x   https://github.com/capstone-engine/capstone
* libz3         (optional)   >= 4.6.0   https://github.com/Z3Prover/z3
* libbitwuzla   (optional)   n/a        https://github.com/bitwuzla/bitwuzla
* llvm          (optional)   >= 12

Linux and OS X

$ git clone https://github.com/JonathanSalwan/Triton
$ cd Triton
$ mkdir build ; cd build
$ cmake ..
$ make -j3
$ sudo make install

Windows

You can use cmake to generate the .sln file of libTriton.

> git clone https://github.com/JonathanSalwan/Triton.git
> cd Triton
> mkdir build
> cd build
> cmake -G "Visual Studio 14 2015 Win64" \
  -DBOOST_ROOT="C:/Users/jonathan/Works/Tools/boost_1_61_0" \
  -DPYTHON_INCLUDE_DIRS="C:/Python36/include" \
  -DPYTHON_LIBRARIES="C:/Python36/libs/python36.lib" \
  -DZ3_INCLUDE_DIRS="C:/Users/jonathan/Works/Tools/z3-4.6.0-x64-win/include" \
  -DZ3_LIBRARIES="C:/Users/jonathan/Works/Tools/z3-4.6.0-x64-win/bin/libz3.lib" \
  -DCAPSTONE_INCLUDE_DIRS="C:/Users/jonathan/Works/Tools/capstone-4.0.2-win64/include" \
  -DCAPSTONE_LIBRARIES="C:/Users/jonathan/Works/Tools/capstone-4.0.2-win64/capstone.lib" ..

However, if you prefer to directly download the precompiled library, check out our AppVeyor's artefacts. Note that if you use AppVeyor's artefacts, you probably have to install the Visual C++ Redistributable packages for Visual Studio 2012.

Contributors

Triton is strongly powered by Quarkslab for years but also by several strong contributors:

They already used Triton

Tools

  • Ponce: IDA 2016 plugin contest winner! Symbolic Execution just one-click away!
  • QSynthesis: Greybox Synthesizer geared for deobfuscation of assembly instructions.
  • Pimp: Triton based R2 plugin for concolic execution and total control.
  • Exrop: Automatic ROPChain Generation.

Papers and conference

  • Greybox Program Synthesis: A New Approach to Attack Dataflow Obfuscation Talk at: Blackhat USA, Las Vegas, Nevada, 2021. [slide] Authors: Robin David Abstract: This talk presents the latest advances in program synthesis applied for deobfuscation. It aims at demystifying this analysis technique by showing how it can be put into action on obfuscation. Especially the implementation Qsynthesis released for this talk shows a complete end-to-end workflow to deobfuscate assembly instructions back in optimized (deobfuscated) instructions reassembled back in the binary.
  • From source code to crash test-case through software testing automation Talk at: C&ESAR, Rennes, France, 2021. [paper] [slide] Authors: Robin David, Jonathan Salwan, Justin Bourroux Abstract: This paper present an approach automating the software testing process from a source code to the dynamic testing of the compiled program. More specifically, from a static analysis report indicating alerts on source lines it enables testing to cover these lines dynamically and opportunistically checking whether whether or not they can trigger a crash. The result is a test corpus allowing to cover alerts and to trigger them if they happen to be true positives. This paper discuss the methodology employed to track alerts down in the compiled binary, the testing engines selection process and the results obtained on a TCP/IP stack implementation for embedded and IoT systems.
  • Symbolic Security Predicates: Hunt Program Weaknesses Talk at: Ivannikov ISP RAS Open Conference, Moscow, Russia, 2021. [paper] [slide] Authors: A.Vishnyakov, V.Logunova, E.Kobrin, D.Kuts, D.Parygina, A.Fedotov Abstract: Dynamic symbolic execution (DSE) is a powerful method for path exploration during hybrid fuzzing and automatic bug detection. We propose security predicates to effectively detect undefined behavior and memory access violation errors. Initially, we symbolically execute program on paths that don’t trigger any errors (hybrid fuzzing may explore these paths). Then we construct a symbolic security predicate to verify some error condition. Thus, we may change the program data flow to entail null pointer dereference, division by zero, out-of-bounds access, or integer overflow weaknesses. Unlike static analysis, dynamic symbolic execution does not only report errors but also generates new input data to reproduce them. Furthermore, we introduce function semantics modeling for common C/C++ standard library functions. We aim to model the control flow inside a function with a single symbolic formula. This assists bug detection, speeds up path exploration, and overcomes overconstraints in path predicate. We implement the proposed techniques in our dynamic symbolic execution tool Sydr. Thus, we utilize powerful methods from Sydr such as path predicate slicing that eliminates irrelevant constraints. We present Juliet Dynamic to measure dynamic bug detection tools accuracy. The testing system also verifies that generated inputs trigger sanitizers. We evaluate Sydr accuracy for 11 CWEs from Juliet test suite. Sydr shows 95.59% overall accuracy. We make Sydr evaluation artifacts publicly available to facilitate results reproducibility.
  • Towards Symbolic Pointers Reasoning in Dynamic Symbolic Execution Talk at: Ivannikov Memorial Workshop, Nizhny Novgorod, Russia, 2021. [paper] [slide] Authors: Daniil Kuts Abstract: Dynamic symbolic execution is a widely used technique for automated software testing, designed for execution paths exploration and program errors detection. A hybrid approach has recently become widespread, when the main goal of symbolic execution is helping fuzzer increase program coverage. The more branches symbolic executor can invert, the more useful it is for fuzzer. A program control flow often depends on memory values, which are obtained by computing address indexes from user input. However, most DSE tools don't support such dependencies, so they miss some desired program branches. We implement symbolic addresses reasoning on memory reads in our dynamic symbolic execution tool Sydr. Possible memory access regions are determined by either analyzing memory address symbolic expressions, or binary searching with SMT-solver. We propose an enhanced linearization technique to model memory accesses. Different memory modeling methods are compared on the set of programs. Our evaluation shows that symbolic addresses handling allows to discover new symbolic branches and increase the program coverage.
  • QSynth: A Program Synthesis based Approach for Binary Code Deobfuscation Talk at: BAR, San Diego, California, 2020. [paper] Authors: Robin David, Luigi Coniglio, Mariano Ceccato Abstract: We present a generic approach leveraging both DSE and program synthesis to successfully synthesize programs obfuscated with Mixed-Boolean-Arithmetic, Data-Encoding or Virtualization. The synthesis algorithm proposed is an offline enumerate synthesis primitive guided by top-down breath-first search. We shows its effectiveness against a state-of-the-art obfuscator and its scalability as it supersedes other similar approaches based on synthesis. We also show its effectiveness in presence of composite obfuscation (combination of various techniques). This ongoing work enlightens the effectiveness of synthesis to target certain kinds of obfuscations and opens the way to more robust algorithms and simplification strategies.
  • Sydr: Cutting Edge Dynamic Symbolic Execution Talk at: Ivannikov ISP RAS Open Conference, Moscow, Russia, 2020. [paper] [slide] [video] Authors: A.Vishnyakov, A.Fedotov, D.Kuts, A.Novikov, D.Parygina, E.Kobrin, V.Logunova, P.Belecky, S.Kurmangaleev Abstract: Dynamic symbolic execution (DSE) has enormous amount of applications in computer security (fuzzing, vulnerability discovery, reverse-engineering, etc.). We propose several performance and accuracy improvements for dynamic symbolic execution. Skipping non-symbolic instructions allows to build a pa

Core symbols most depended-on inside this repo

Shape

Method 2,000
Function 1,104
Class 268
Enum 18

Languages

C++62%
Python35%
C4%

Modules by API surface

src/libtriton/arch/x86/x86Semantics.cpp424 symbols
src/libtriton/arch/arm/aarch64/aarch64Semantics.cpp121 symbols
src/libtriton/api/api.cpp118 symbols
src/libtriton/bindings/python/objects/pyTritonContext.cpp109 symbols
src/libtriton/arch/arm/arm32/arm32Semantics.cpp105 symbols
src/testers/unittests/test_ast_simplification.py98 symbols
src/libtriton/ast/ast.cpp88 symbols
src/libtriton/bindings/python/objects/pyAstContext.cpp63 symbols
src/libtriton/ast/astContext.cpp63 symbols
src/libtriton/includes/triton/ast.hpp62 symbols
src/testers/unittests/test_github_issues.py58 symbols
src/libtriton/arch/instruction.cpp53 symbols

For agents

$ claude mcp add Triton \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page