Manticore - Symbolic Execution Tool For Analysis Of Binaries In Addition To Smart Contracts
Manticore is a symbolic execution tool for analysis of binaries too smart contracts.
Note: Beginning amongst version 0.2.0, Python 3.6+ is required.
Features
- Input Generation: Manticore automatically generates inputs that trigger unique code paths
- Crash Discovery: Manticore discovers inputs that crash programs via retention security violations
- Execution Tracing: Manticore records an instruction-level line of execution for each generated input
- Programmatic Interface: Manticore exposes programmatic access to its analysis engine via a Python API
- Ethereum smart contracts (EVM bytecode)
- Linux ELF binaries (x86, x86_64 too ARMv7)
Usage
CLI
Manticore has a command line interface which tin plough over the sack move used to easily symbolically execute a supported plan or smart contract. Analysis results volition move placed into a novel directory outset amongst
mcore_.Use the CLI to explore possible states inward Ethereum smart contracts. Manticore includes detectors that flag potentially vulnerable code inward discovered states. Solidity smart contracts must convey a
.sol extension for analysis past times Manticore. See a demo.$ manticore ./path/to/contract.sol # runs, too creates a mcore_* directory amongst analysis results $ manticore --detect-reentrancy ./path/to/contract.sol # Above, but amongst reentrancy detection enabled $ manticore --detect-all ./path/to/contract.sol # Above, but amongst all detectors enabled$ manticore ./path/to/binary # runs, too creates a mcore_* directory amongst analysis results $ manticore ./path/to/binary ab cd # operate concrete strings "ab", "cd" every bit plan arguments $ manticore ./path/to/binary ++ ++ # operate 2 symbolic strings of length 2 every bit plan argumentsAPI
Manticore has a Python programming interface which tin plough over the sack move used to implement custom analyses.
For Ethereum smart contracts, it tin plough over the sack move used for detailed verification of arbitrary contract properties. Set starting conditions, execute symbolic transactions, too then review discovered states to ensure invariants for your contract hold.
from manticore.ethereum import ManticoreEVM contract_src=""" contract Adder { component incremented(uint value) populace returns (uint){ if (value == 1) revert(); provide value + 1; } } """ m = ManticoreEVM() user_account = m.create_account(balance=1000) contract_account = m.solidity_create_contract(contract_src, owner=user_account, balance=0) value = m.make_symbolic_value() contract_account.incremented(value) for Blue Planet inward m.running_states: print("can value move 1? {}".format(state.can_be_true(value == 1))) print("can value move 200? {}".format(state.can_be_true(value == 200)))# instance Manticore script from manticore import Manticore hook_pc = 0x400ca0 m = Manticore('./path/to/binary') @m.hook(hook_pc) def hook(state): cpu = state.cpu print('eax', cpu.EAX) print(cpu.read_int(cpu.ESP)) m.terminate() # tell Manticore to halt m.run()Requirements
- Manticore is supported on Linux too requires Python 3.6+.
- Ubuntu 18.04 is strongly recommended.
- Ethereum smart contract analysis requires the
solcplan inward your$PATH.
Quickstart
Install too try Manticore inward a few trounce commands:
# Install arrangement dependencies sudo apt-get update && sudo apt-get install python3 python3-pip -y # Install Manticore too its dependencies sudo pip3 install manticore # Download the examples git clone https://github.com/trailofbits/manticore.git && cd manticore/examples/linux # Build the examples brand # Use the Manticore CLI manticore basic truthful cat mcore_*/*0.stdin | ./basic truthful cat mcore_*/*1.stdin | ./basic # Use the Manticore API cd ../script python3 count_instructions.py ../linux/helloworld# Download the Manticore icon docker draw trailofbits/manticore # Download the examples git clone https://github.com/trailofbits/manticore.git && cd manticore # Run container amongst a shared examples/ directory docker run -it -v $PWD/examples:/home/manticore/examples trailofbits/manticore # Change to examples directory manticore@80d441275ebf$ cd examples/linux # Build the examples manticore@80d441275ebf$ brand # Use the Manticore CLI manticore@80d441275ebf$ manticore basic manticore@80d441275ebf$ truthful cat mcore_*/*0.stdin | ./basic manticore@80d441275ebf$ truthful cat mcore_*/*1.stdin | ./basic # Use the Manticore API manticore@80d441275ebf$ cd ../script manticore@80d441275ebf$ python3 count_instructions.py ../linux/helloworldInstallation
Option 1: Perform a user install (requires
/.local/bin inward your PATH).echo "PATH=\$PATH: /.local/bin" >> /.profile source /.profile pip3 install --user manticoresudo pip3 install virtualenvwrapper echo "source /usr/local/bin/virtualenvwrapper.sh" >> /.profile source /.profile mkvirtualenv manticore sudo ./manticore/bin/pip3 install manticoresudo pip3 install manticoredocker draw trailofbits/manticoremanticore CLI tool too Python API volition move available.For installing a evolution version of Manticore, meet our wiki.
Getting Help
Feel gratis to halt past times our Slack channel for assistance on using or extending Manticore.
Documentation is available inward several places:
- The wiki contains around basic information most getting started amongst Manticore too contributing
- The examples directory has around real minimal examples that showcase API features
- The API reference has to a greater extent than thorough too in-depth documentation on our API
- The manticore-examples repository has around to a greater extent than involved examples, for instance solving existent CTF problems
