A tool for reverse engineering industrial control systems binaries.

ICSREF: ICS Reverse Engineering Framework
=========================================

ICSREF is a modular framework that automates the reverse engineering process of CODESYS_ binaries compiled with the CODESYS v2 compiler.
.. code-block:: none

        _______________ ____ ____________
       / _/ ____/ ___// __ \/ ____/ ____/
      / // / \__ \/ /_/ / __/ / /_
    _/ // /___ ___/ / _, _/ /___/ __/
   /___/\____//____/_/ |_/_____/_/

   by Tasos Keliris @koukouviou_

.. _@koukouviou: https://www.twitter.com/koukouviou
If you find our work interesting and use it in your (academic or not) research, please cite our NDSS'19 paper describing ICSREF:

Anastasis Keliris and Michail Maniatakos, "ICSREF: A Framework for Automated Reverse Engineering of Industrial Control Systems Binaries", in NDSS'19.

Bibtex:

.. code-block:: none

   @inproceedings{keliris2019icsref,
     title={{ICSREF}: A Framework for Automated Reverse Engineering of Industrial Control Systems Binaries},
     author={Keliris, A. and Maniatakos, M.},
     booktitle={Network and Distributed System Security Symposium (NDSS)},
     year={2019}
   }
.. raw:: html

   <embed>
   <a href="https://asciinema.org/a/9l96XWgNttz1WTdXGIngMAAKe" target="_blank"><img src="https://asciinema.org/a/9l96XWgNttz1WTdXGIngMAAKe.png" /></a>
   </embed>
The framework can:

* Perform core analysis of arbitrary PRG programs. Core analysis includes:

  * Identify known library functions included statically in the binary:
  * Extract arguments passed to static functions. This is at the moment only implemented for the PID_FIXCYCLE CODESYS library function, but it is trivial to extend this to other functions of interest.

* Plot SVG graphs of the analyzed binary, including:

Graphs are powered by Graphviz_. Here's a neat example:

.. image:: docs/images/graph_hil.jpg
   :width: 500pt

.. _CODESYS: https://www.codesys.com/
.. _Graphviz: https://graphviz.org/
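The feature list above and the ``hashmatch`` command of the interactive mode point at signature-based identification of library functions that were linked statically into a PRG. The Python sketch below is added here to illustrate that idea and is not ICSREF's own code: the hashing scheme (SHA-256 over a function's raw bytes), the function boundaries, the ``LIB_FUNC_A`` name and all byte values are assumptions constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple


def func_digest(code: bytes) -> str:
    """SHA-256 of a function's raw bytes; the signature-database key (assumed scheme)."""
    return hashlib.sha256(code).hexdigest()


# Constructed stand-ins for compiled library function bodies; these are NOT real
# CODESYS machine code. PID_FIXCYCLE is named in the README; LIB_FUNC_A is hypothetical.
LIB_BODIES = {
    "PID_FIXCYCLE": b"\x10\x40\x2d\xe9" + bytes(range(0x20, 0x40)),
    "LIB_FUNC_A": b"\x10\x40\x2d\xe9" + bytes(range(0x40, 0x60)),
}
SIGNATURE_DB = {func_digest(body): name for name, body in LIB_BODIES.items()}


def hash_match(blob: bytes, boundaries: List[Tuple[int, int]],
               db: Dict[str, str]) -> List[dict]:
    """Label each (start, end) function slice of ``blob`` by looking its digest up in ``db``.

    Unknown functions keep their digest so an analyst can review them and, once
    confirmed, add them to the database. Boundaries that fall outside the blob are
    reported as errors instead of being hashed on truncated bytes.
    """
    results = []
    for start, end in boundaries:
        if start < 0 or end > len(blob) or start >= end:
            results.append({"start": start, "end": end, "name": None, "error": "bad boundary"})
            continue
        digest = func_digest(blob[start:end])
        results.append({"start": start, "end": end, "name": db.get(digest), "digest": digest})
    return results


# Constructed sample binary: user code, the two library bodies, then an unknown function.
USER_CODE = bytes([0xAA] * 16)
UNKNOWN_FUNC = bytes([0xBB] * 8)
SAMPLE_BLOB = USER_CODE + LIB_BODIES["PID_FIXCYCLE"] + LIB_BODIES["LIB_FUNC_A"] + UNKNOWN_FUNC
# Function boundaries as an analysis pass would supply them; the last one is deliberately bogus.
SAMPLE_BOUNDARIES = [(0, 16), (16, 52), (52, 88), (88, 96), (96, 200)]

if __name__ == "__main__":
    for r in hash_match(SAMPLE_BLOB, SAMPLE_BOUNDARIES, SIGNATURE_DB):
        print(f"{r['start']:#06x}-{r['end']:#06x}: {r['name'] or r.get('error', 'unknown')}")
```

Running the block labels the two constructed library bodies, leaves the user code and the unknown function unlabelled (with their digests available for triage), and flags the out-of-range boundary.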
The framework supports an interactive mode, where all the processing modules are loaded. Users can further investigate and analyze their binaries by exploring the different options. The interactive environment also offers useful help docstrings.

.. code-block:: none

   (icsref) me@example:$ ./icsref.py

   ICS Reverse Engineering Framework
        _______________ ____ ____________
       / _/ ____/ ___// __ \/ ____/ ____/
      / // / \__ \/ /_/ / __/ / /_
    _/ // /___ ___/ / _, _/ /___/ __/
   /___/\____//____/_/ |_/_____/_/

   author: Tasos Keliris (@koukouviou)

   Type <help> if you need a nudge

   reversing@icsref:$
   reversing@icsref:$ help

   Documented commands (type help <topic>):
   ========================================
   __changepid         changepid       exp_pid_match  history  pyscript  set
   __replace_callname  cleanup         graphbuilder   load     quit      shell
   _relative_load      cmdenvironment  hashmatch      pidargs  run       shortcuts
   analyze             edit            help           py       save      show
For the latest installation instructions see INSTALL.md_. For the legacy installation instructions see here_.

.. _INSTALL.md: INSTALL.md
.. _here: INSTALL.rst
The ICSREF API is documented in a Read the Docs style. Once you download the repository you can traverse the docs directory and open index.html in your favorite browser.
ICSREF, as all things good in life, stands on the shoulders of giants. The framework relies on symbolic execution using `angr <http://angr.io/>`__ for performing the most interesting analyses, such as calculating offsets for static calls and the arguments to function calls. Disassembly listings for the graphing module are generated using the amazing `radare2 <https://rada.re>`__. The interactive mode of the tool is powered by the `cmd2 <https://github.com/python-cmd2/cmd2>`__ Python tool. Beautiful documentation is generated with `Sphinx <http://sphinx-doc.org/>`__ and the `sphinx_rtd_theme <https://sphinx-rtd-theme.readthedocs.io/>`__.

A big thank you to everyone contributing to this project. See CONTRIBUTORS_.

.. _CONTRIBUTORS: CONTRIBUTORS