Working with PE/Elf files
Bokken has the ability to detect and analyze PE/Elf files so, when one of those file formats is detected, the GUI shows all the information found on the analysis and offers many additional options to study the file.
Let's take a look at the main window once a PE/Elf file is loaded:
Some parts of the interface may vary depending on the backend used or the analysis options chosen. Let's view in depth some interface areas:
The menu bar contains all the configuration options and interface actions common to all target formats and backends. Opening and saving targets, changing the GUI appearance or opening the help are some of the options accessible from the menu.
The top buttons are one of the elements of the GUI that change depending on the backend used, as they include all the functionality specific to each backend, such as the plugins:
- At the top of the window are the top buttons, which allow you to:
- Open a new file/URL
- Launch the different plugins available
- Search inside the file in many formats
- Show the RCE Cheat Sheet
- Exit the application
The rest of the interface can be divided in two additional areas: the left and right panels.
The left panel contains different parsed information extracted from the file, in this case:
For all of them, you can double-click on an element and it will be highlighted in the right panel.
By right-clicking and selecting "Go to" you get the same result; if you choose "Show graph" instead, the graph tab will be updated (Radare backend only).
The right panel is where the actual data of the file is shown and it is divided in many areas or tabs.
The available tabs will depend on the backend, the file format and the analysis options.
Let's look at the different tabs available:
In this view the executable sections of the file are disassembled or, if no executable sections are found, the whole file starting at offset 0.
Code navigation works by clicking on underlined code and, sometimes, even by clicking on non-underlined code. The top bar with the arrow buttons and text entry can be used to go forward and backward in the navigation history and to seek directly to a function or basic block by typing its name:
Additional features can be found by right-clicking on the code; depending on the backend used, those features can be:
- Xrefs to/from the function
- Add a code comment on the clicked line
- Information about the opcode found on the clicked line
- Find: invokes the search bar at the bottom. It can also be invoked with the "Ctrl+F" key binding.
Finally, the code tab has a colored bar to the right of the scroll bar: the sections bar. It shows the different sections disassembled, their length, and the position of the code currently being shown relative to the scrollbar.
This tab will show different graphs depending on the backend.
For the Pyew backend it will only show the callgraph of the binary:
But if using the Radare backend, the flowgraph of the selected function will be shown:
The right tree shows the basic blocks of the function that, if double clicked, will move the graph to the selected basic block.
Right-clicking on a graph node shows a popup menu with the Xrefs to and from the current function.
Finally, the last button of the graph bar will switch between flow and call graphs of the current function:
Currently this view only shows the hexdump of the entire file, without (yet) allowing the contents to be edited.
If some bytes are selected in the hexdump, the disassembly of those bytes will appear in the text area on the right of the view.
This view shows all the strings found in the file along with their offset.
All views have a search panel that can be invoked with the "Ctrl+F" key binding, and if a string is clicked it will be searched for in the code tab.
[Screenshot of the search panel]
Here you can see the whole file contents as a string, mixing ASCII characters, where possible, with hexadecimal characters.
Interactive view is a special view that allows you to move along the file in different ways.
At the bottom of the Interactive view there is a collection of controls that allow you to:
- Move forward/backward by block size.
- Seek to a specific location/offset. Valid inputs are:
- Offset in decimal (1000) or hexadecimal (0x3E8)
- Function names or the entry point (ep). While typing function names, autocompletion will pop up.
- Set the desired buffer size; by default it is set to 512.
- Switch between Hexadecimal and Disassembly views.
- Execute radare commands (radare backend only, of course).
When using Disassembly you can also seek to the code jumps marked with numbers in the code (; 1) by entering the number in the seek entry.
When the text view of the interactive mode has focus, some key bindings are available:
- Numbers from 0 to 9 to follow code jumps
- f/b keys to move forward/backward between code jumps or buffer size blocks.
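As an added illustration (not Bokken's own code), the following shows how a seek entry with the rules described above could resolve its inputs and how the block navigation could be bounded. The symbol table, entry point, numbered jumps and file size are constructed sample values, and treating a single digit as a jump number while in Disassembly mode is an assumption made here.

```python
import re

# Constructed sample symbol table (name -> file offset); not from a real binary
SYMBOLS = {"entry0": 0x400, "main": 0x1000, "sub_1040": 0x1040, "sub_1080": 0x1080}
ENTRY_POINT = SYMBOLS["entry0"]
# Constructed "; N" jump marks for the disassembly buffer currently shown
JUMPS = {1: 0x1040, 2: 0x1080}


def complete(prefix, symbols=SYMBOLS):
    """Function names starting with prefix, as the autocompletion pop-up would list them."""
    return sorted(name for name in symbols if name.startswith(prefix))


def resolve_seek(text, symbols=SYMBOLS, jumps=JUMPS, ep=ENTRY_POINT, disasm=True):
    """Map a seek-entry input to a file offset; None when it cannot be resolved.

    Accepts decimal (1000) or hexadecimal (0x3E8) offsets, the entry point ("ep"),
    a function name (or a prefix that autocompletes to exactly one name) and, in
    Disassembly mode, a single digit naming a "; N" code jump (assumption).
    """
    text = text.strip()
    if not text:
        return None
    if text.lower() == "ep":
        return ep
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", text):
        return int(text, 16)
    if text.isdigit():
        value = int(text)
        if disasm and len(text) == 1 and value in jumps:
            return jumps[value]  # numbered code jump takes precedence over a 1-digit offset
        return value
    if text in symbols:
        return symbols[text]
    candidates = complete(text, symbols)  # fall back to a unique autocompletion match
    return symbols[candidates[0]] if len(candidates) == 1 else None


def move_block(offset, block_size, direction, file_size):
    """Forward (+1) / backward (-1) by one buffer, clamped so the buffer stays inside the file."""
    upper = max(0, file_size - block_size)
    return min(max(offset + direction * block_size, 0), upper)
```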
Available only with the radare backend, this view shows detailed information about the target:
At the bottom of the window, the status bar shows relevant file information such as:
- File name
- File format
- File size
- Virtual address
- Entry point
- Processor type
- Bokken version
- Backend in use