Repository files navigation

LLEF (pronounced ɬɛf - "hlyeff") is an LLDB plugin to make it more usable for low-level RE and VR. Similar toGEF, but for LLDB.

It uses LLDB's Python API to add extra status output and a few new commands, so that security researchers can more easily use LLDB to analyse software as it's running.

• x86_64
• arm
• aarch64 / arm64
• i386
• PowerPC

• LLDB 15+ (https://apt.llvm.org/)On macOS this is bundled with Xcode 14.3+

The instructions below will install LLEF so that it is used by LLDB by default.

1. Clone the repository.
2. cd <repo>
3. Run./install.sh
4. Select automatic (overwrites~/.lldbinit) or manual installation.

LLDB uses AT&T disassembly syntax for x86 binaries by default. The installer provides an option to override this.

lldb-15<optional binary to debug>

Various commands for setting, saving, loading and listing LLEF specific commands:

(lldb) llefsettings --helplist                list all settingssave                Save settings to config filereload              Reload settings from config file (retain session values)reset               Reload settings from config file (purge session values)set                 Set LLEF settings

Settings are stored in a file.llef located in your home directory formatted as following:

[LLEF]<llefsettings> = <value>

Allows setting LLEF GUI colors:

(lldb) llefcolorsettings --helplist                list all color settingssave                Save settings to config filereload              Reload settings from config file (retain session values)reset               Reload settings from config file (purge session values)set                 Set LLEF color settings

Supported colors: BLUE, GREEN, YELLOW, RED, PINK, CYAN, GREY

View memory contents with:

(lldb) hexdump type address [--size SIZE] [--reverse]

e.g.

(lldb) hexdump byte 0x7fffffffecc8 --size 0x380x7fffffffecc8    3d 2f 75 73 72 2f 6c 6f 63 61 6c 2f 73 62 69 6e    =/usr/local/sbin0x7fffffffecd8    3a 2f 75 73 72 2f 6c 6f 63 61 6c 2f 62 69 6e 3a    :/usr/local/bin:0x7fffffffece8    2f 75 73 72 2f 73 62 69 6e 3a 2f 75 73 72 2f 62    /usr/sbin:/usr/b0x7fffffffecf8    69 6e 3a 2f 73 62 69 6e                            in:/sbin(lldb) hexdump word 0x7fffffffecc8 --reverse0x7fffffffece6│+001e: 0x46540x7fffffffece4│+001c: 0x43610x7fffffffece2│+001a: 0x746f0x7fffffffece0│+0018: 0x4e230x7fffffffecde│+0016: 0x3f730x7fffffffecdc│+0014: 0x69680x7fffffffecda│+0012: 0x742d0x7fffffffecd8│+0010: 0x65640x7fffffffecd6│+000e: 0x6f630x7fffffffecd4│+000c: 0x65640x7fffffffecd2│+000a: 0x2d750x7fffffffecd0│+0008: 0x6f790x7fffffffecce│+0006: 0x2d640x7fffffffeccc│+0004: 0x69640x7fffffffecca│+0002: 0x2d790x7fffffffecc8│+0000: 0x6857

Refresh the LLEF GUI with:

(lldb) context

Refresh components of the LLEF GUI with:

(lldb) context [{registers,stack,code,threads,trace,all} ...]

(lldb) pattern create 10[+] Generating a pattern of 10 bytes (n=4)aaaabaaaca[+] Pattern saved in variable: $8(lldb) pattern create 100 -n 2[+] Generating a pattern of 100 bytes (n=2)aabacadaea[+] Pattern saved in variable: $9

(lldb) pattern search $rdx[+] Found in $10 at index 45 (big endian)(lldb) pattern search $8[+] Found in $10 at index 0 (little endian)(lldb) pattern search aaaabaaac[+] Found in $8 at index 0 (little endian)(lldb) pattern search 0x61616161626161616361[+] Found in $8 at index 0 (little endian)

This is automatic and prints all the currently implemented information at a break point.

Configurable with therebase_addresses setting the address rebasing feature performs a lookup for each code address presented in the output to display the associated binary and relative address. This relative address is offset by the value defined in settingrebase_offset which defaults to the Ghidra base address of0x100000. The result is an address output that can be easily copied and pasted into an IDE "Go To Address" feature without having to do the maths to convert from the runtime address.

Rebased addresses are shown in brackets after the runtime address:

LLDB comes bundled with python modules that are required for LLEF to run. If on launching LLDB with LLEF you encounterModuleNotFoundError messages it is likely you will need to manually add the LLDB python modules on your python path.

To do this run the following to establish your site-packages location:

python3 -m site --user-site

Then locate the LLDB python modules location. This is typically at a location such as/usr/lib/llvm-15/lib/python3.10/dist-packages but depends on your python version.

Finally, modify and execute the following to add the above LLDB module path into a new filelldb.pth in the site-packages location discovered above.

echo"/usr/lib/llvm-15/lib/python3.10/dist-packages">~/.local/lib/python3.10/site-packages/lldb.pth

Rendering LLEF output at each breakpoint has been observed to be slow on some platforms. The root cause of this has been traced to the underlyingGetMemoryRegions LLDB API call. Fortunately, this is only used to identify to whether register values point to code, stack or heap addresses.

To disable register coloring, and potentially significantly improve LLEF performance, disable theregister_coloring feature using the followingllefsettings command.

 llefsettings set register_coloring False

We’re obviously standing on the shoulders of giants here - we’d like to credithugsy forGEF in particular, from which this tool drawsheavy inspiration! Please consider this imitation as flattery 🙂

If you'd like to read a bit more about LLEF you could visit ourlaunch blog post.