Pyrrha: A mapper collection for firmware analysis
Pyrrha is a filesystem cartography and correlation software focusing on visualization. It currently focuses on the relationship between executable files but aims at enabling anyone to map and visualize any relationship types. It uses the open-source code source explorer Sourcetrail to provide users with an easy way to navigate through and search for path to function.
An example of the symbols and libraries imported by libgcc_s.so.1
and of the symbols which reference this library.
An example of the symlinks which point on busybox
.
Installation
The installation is done in two parts:
- Installing
Pyrrha
as a Python module (pip install pyrrha-mapper
) or using its Docker image. - Installing
Sourcetrail
to be able to visualize Pyrrha's results. You can use its last release and its documentation.
Usage
The usage workflow is composed of two steps which allow you to separate DB creation and result visualization.
- Run Pyrrha to obtain Sourcetrail compatible files (
*.srctrlprj
for the project file and*.srctrldb
for the DB file). With the python package, you can just launch the command: or with the Docker - Visualize your results with Sourcetrail
The detailed documentation of each mapper is available in the documentation.
Publications
Pyrrha has been presented at two conferences listed below. These talks include live demo of the fs
parser which map links between libraries and executables files.
- [Pyrrha: navigate easily into your system binaries, Hack.lu'23. [slides] [video]
- Map your Firmware!, PTS'23. [slides] [video]
Authors
- Eloïse Brocas (@ebrocas), Quarkslab