Manticore is a prototyping tool for dynamic binary analysis, with support for symbolic execution, taint analysis, and binary instrumentation.
- Input Generation: Manticore automatically generates inputs that trigger unique code paths
- Crash Discovery: Manticore discovers inputs that crash programs via memory safety violations
- Execution Tracing: Manticore records an instruction-level trace of execution for each generated input
- Programmatic Interface: Manticore exposes programmatic access to its analysis engine via a Python API
Manticore supports binaries of the following formats, operating systems, and
architectures. It has been primarily used on binaries compiled from C and C++.
Examples of practical manticore usage are also on github.
- OS/Formats: Linux ELF
- Architectures: x86, x86_64, ARMv7, and Ethereum Virtual Machine (EVM)
Manticore is supported on Linux, and requires Python 2.7. Ubuntu 16.04 is strongly recommended.
Ethereum APIs which compile Solidity source code require the
solc program in your
Install and try Manticore in a few shell commands (see an asciinema):
# Install system dependencies sudo apt-get update && sudo apt-get install python-pip -y python -m pip install -U pip # Install manticore and its dependencies sudo pip install manticore # Download and build the examples git clone https://github.com/trailofbits/manticore.git && cd manticore/examples/linux make # Use the Manticore CLI manticore basic cat mcore_*/*0.stdin | ./basic cat mcore_*/*1.stdin | ./basic # Use the Manticore API cd ../script python count_instructions.py ../linux/helloworld
Option 1: Perform a user install (requires
~/.local/bin in your
echo "PATH=\$PATH:~/.local/bin" >> ~/.profile source ~/.profile pip install --user manticore
pip install virtualenvwrapper echo "source /usr/local/bin/virtualenvwrapper.sh" >> ~/.profile source ~/.profile mkvirtualenv manticore pip install manticore
Option 3: Perform a system install.
sudo pip install manticore
Once installed, the
manticore CLI tool and Python API will be available.
For installing a development version of Manticore, see our wiki.
If you'd like to use redis for state serialization (instead of disk), install
redis using your host package manager, then install manticore as above, but
[redis] appended to the name of the package, e.g.
pip install manticore[redis]
Note that this does not make manticore use redis automatically, and you'll still
have to manually set the workspace to the redis URI.
$ manticore ./path/to/binary # runs, and creates a mcore_* directory with analysis results $ manticore ./path/to/binary ab cd # use concrete strings "ab", "cd" as program arguments $ manticore ./path/to/binary ++ ++ # use two symbolic strings of length two as program arguments
# example Manticore script from manticore import Manticore hook_pc = 0x400ca0 m = Manticore('./path/to/binary') @m.hook(hook_pc) def hook(state): cpu = state.cpu print 'eax', cpu.EAX print cpu.read_int(cpu.ESP) m.terminate() # tell Manticore to stop m.run()
Further documentation is available in several places:
The wiki contains some
basic information about getting started with manticore and contributing
The examples directory has some very minimal examples that
showcase API features
repository has some more involved examples, for instance solving real CTF problems
The API reference has more
thorough and in-depth documentation on our API