Radare2 - Reverse Engineering Framework
Radare2 steht als eines der leistungsfähigsten und vielseitigsten Open-Source-Reverse-Engineering-Frameworks, die heute verfügbar sind, und stellt einen kompletten Paradigmenwechsel dar, wie Sicherheitsforscher, Malware-Analysten und Softwareentwickler eine binäre Analyse angehen. Im Gegensatz zu herkömmlichen GUI-basierten Disassemblern umfasst Radare2 eine Kommandozeilen-Interface-Philosophie, die Automatisierung, Skriptfähigkeit und tiefe Anpassungsfähigkeiten priorisiert. Dieser umfassende Rahmen bietet eine umfangreiche Palette von Werkzeugen für die Demontage, Debugging, binäre Analyse, Forensik und Ausbeutung Entwicklung, alle unter einer konsequenten und leistungsstarken Kommandostruktur vereint. Was Radare2 besonders überzeugend macht, ist seine modulare Architektur, die es Anwendern ermöglicht, verschiedene Analysetechniken nahtlos zu kombinieren, von statischer Demontage und dynamischem Debugging bis hin zur binären Diffing und Exploit-Entwicklung. Das Engagement des Frameworks für Open-Source-Prinzipien, kombiniert mit seinem umfangreichen Plugin-Ökosystem und der aktiven Community-Entwicklung, hat es als ein wesentliches Werkzeug für Sicherheitsexperten etabliert, die sowohl Tiefe als auch Flexibilität in ihren Analyse-Workflows benötigen.
Installation und Inbetriebnahme
Cross-Platform Installation
```bash
Ubuntu/Debian Installation
sudo apt update sudo apt install radare2
Alternative: Install latest version from source
git clone https://github.com/radareorg/radare2 cd radare2 sys/install.sh
macOS Installation via Homebrew
brew install radare2
Windows Installation
Download from https://github.com/radareorg/radare2/releases
Or use package managers:
Chocolatey: choco install radare2
Scoop: scoop install radare2
Arch Linux Installation
sudo pacman -S radare2
CentOS/RHEL/Fedora Installation
sudo dnf install radare2
or
sudo yum install radare2
Build from Source (Latest Features)
git clone https://github.com/radareorg/radare2 cd radare2 ./configure --prefix=/usr/local make -j$(nproc) sudo make install
Verify Installation
r2 -v radare2 -v
Update Radare2
r2pm update r2pm upgrade
Install Additional Packages
r2pm -i r2dec # Decompiler plugin r2pm -i r2ghidra # Ghidra decompiler integration r2pm -i r2frida # Frida integration r2pm -i r2pipe # Programming language bindings ```_
Konfiguration und Umwelt-Setup
```bash
Radare2 Configuration Directory
Linux/macOS: ~/.config/radare2/
# Windows: %APPDATA%\radare2\
Main Configuration File
~/.config/radare2/radare2rc
Basic Configuration Options
echo 'e scr.color=3' >> ~/.config/radare2/radare2rc # Enable colors echo 'e asm.syntax=intel' >> ~/.config/radare2/radare2rc # Intel syntax echo 'e asm.describe=true' >> ~/.config/radare2/radare2rc # Show descriptions echo 'e bin.strings=true' >> ~/.config/radare2/radare2rc # Auto-detect strings
Environment Variables
export R2_NOPLUGINS=0 # Enable plugins export R2_DEBUG=0 # Disable debug output export R2_MAGICPATH=/usr/share/radare2/magic
Plugin Management
r2pm init # Initialize package manager r2pm update # Update package database r2pm list # List available packages r2pm search keyword # Search for packages r2pm install package_name # Install package r2pm uninstall package_name # Remove package
Essential Plugins
r2pm -i r2dec # Decompiler r2pm -i r2ghidra-dec # Ghidra decompiler r2pm -i r2pipe-py # Python bindings r2pm -i r2pipe-js # JavaScript bindings r2pm -i r2frida # Dynamic instrumentation r2pm -i r2yara # YARA integration
Custom Plugin Directory
mkdir -p ~/.config/radare2/plugins export R2_USER_PLUGINS=~/.config/radare2/plugins ```_
Basic Radar2 Verwendung
Belastung und Erstanalyse
```bash
Basic File Loading
r2 /path/to/binary # Load binary for analysis r2 -A /path/to/binary # Load with automatic analysis r2 -AA /path/to/binary # Load with extended analysis r2 -AAA /path/to/binary # Load with experimental analysis
Loading Options
r2 -d /path/to/binary # Load in debug mode r2 -w /path/to/binary # Load in write mode r2 -n /path/to/binary # Load without parsing headers r2 -B 0x1000 /path/to/binary # Set base address
Remote Analysis
r2 - # Read from stdin r2 http://example.com/file # Load from URL r2 rap://host:port/file # Remote access protocol
Multiple File Analysis
r2 -m 0x400000 file1 file2 # Load multiple files
Project Management
Ps project_name # Save current session as project Po project_name # Open existing project Pd project_name # Delete project Pl # List projects
Session Management
. script.r2 # Execute r2 script q # Quit radare2 q! # Force quit without saving ```_
Navigation und Information
```bash
Basic Navigation
s address # Seek to address s+10 # Seek forward 10 bytes s-10 # Seek backward 10 bytes s++ # Seek to next function s-- # Seek to previous function
Address Formats
s 0x401000 # Hexadecimal address s main # Symbol name s entry0 # Entry point s +100 # Relative offset
Information Commands
i # File information ii # Imports iE # Exports iz # Strings iS # Sections ih # Headers ic # Classes (for OOP binaries)
Binary Information
ib # Basic file info iI # Binary info iH # Headers iM # Main function ie # Entry points ir # Relocations
Architecture Information
iA # Architecture info e asm.arch # Current architecture e asm.bits # Current bit mode e asm.cpu # CPU type
Memory Layout
dm # Memory maps dmi # Memory map info dmh # Heap info dms # Stack info ```_
Demontage und Codeanalyse
```bash
Basic Disassembly
pd # Print disassembly pd 10 # Print 10 instructions pd @main # Print disassembly at main pD 100 # Print 100 bytes as disassembly
Disassembly Modes
pda # Print disassembly with addresses pdb # Print disassembly with bytes pdc # Print disassembly with comments pdi # Print disassembly with inline comments pdj # Print disassembly as JSON
Function Analysis
afl # List all functions afi # Function information afn new_name # Rename function afc # Function calling convention afv # Function variables afa # Function arguments
Code Analysis
aa # Analyze all aaa # Analyze all (experimental) aab # Analyze basic blocks aac # Analyze function calls aad # Analyze data references aan # Analyze function names
Cross-References
axt # Cross-references to axf # Cross-references from ax # List all cross-references axg # Cross-reference graph
Control Flow Analysis
agf # Function call graph agc # Function call graph (compact) agg # Global call graph VV # Visual graph mode ```_
Erweiterte Analysefunktionen
Funktionsanalyse und Manipulation
```bash
Function Creation and Management
af # Analyze function at current address af @address # Analyze function at specific address af- @address # Delete function at address afr new_name @address # Rename function
Function Signatures
afs signature # Set function signature afs int main(int argc, char **argv) # Example signature afts # Show function signature
Function Variables and Arguments
afv # List function variables afvn old_name new_name # Rename variable afvt var_name type # Set variable type afva addr name type # Add function argument
Function Calling Conventions
afc # Show calling convention afc cdecl # Set calling convention afc stdcall # Windows standard call afc fastcall # Fast calling convention
Function Analysis Options
e anal.calls=true # Analyze function calls e anal.jmp.tbl=true # Analyze jump tables e anal.pushret=true # Analyze push/ret sequences e anal.hasnext=true # Analyze function continuations
Advanced Function Analysis
aab # Analyze basic blocks aae # Analyze ESIL expressions aai # Analyze imports aar # Analyze references aas # Analyze symbols aat # Analyze types
Function Diffing
cc # Compare functions ccc # Compare code ccf # Compare functions ```_
Datenanalyse und Strukturen
```bash
Data Type Analysis
t # List types t- # Remove type tk # List type kinds tl # List type links
Structure Definition
ts struct_name # Define structure ts- struct_name # Remove structure ts struct_name field_type field_name # Add field to structure
Example Structure Definition
ts Person ts Person int age ts Person char name[32] ts Person float height
Apply Structure to Data
tss struct_name @address # Apply structure at address Ct struct_name @address # Cast to structure type
Array Analysis
ta array_name type size # Define array type ta int_array int 10 # Array of 10 integers
Enum Definition
te enum_name # Define enumeration te Colors RED=1 GREEN=2 BLUE=3
String Analysis
iz # List strings izz # List all strings (including data) izzz # Deep string search iz~keyword # Filter strings by keyword
String Operations
ps @address # Print string at address psz @address # Print zero-terminated string psu @address # Print UTF-16 string psw @address # Print wide string
Data Visualization
px 100 # Print 100 bytes as hex pxw 20 # Print as 32-bit words pxq 10 # Print as 64-bit words pf format @address # Print formatted data ```_
Speicher und binäre Analyse
```bash
Memory Operations
dm # List memory maps dmi # Memory map information dmm # Memory map with permissions dmp # Memory protection
Memory Search
/ pattern # Search for pattern /x 41424344 # Search for hex bytes /i pattern # Case-insensitive search // pattern # Repeat last search
Advanced Search
/R # Search for ROP gadgets /a # Search for AES keys /c # Search for crypto constants /r # Search for references
Binary Operations
p8 100 # Print 100 bytes as raw pb 100 # Print 100 bytes as binary pc 100 # Print 100 bytes as C array pj 100 # Print 100 bytes as JSON
Binary Modification
w hello # Write string wx 41424344 # Write hex bytes wa "mov eax, 1" # Write assembly wf file.bin # Write file contents
Binary Comparison
c # Compare cc # Compare code cd # Compare data cg # Compare graphs
Entropy Analysis
p=e 1000 # Show entropy graph phe # Print entropy histogram ```_
Debugging und dynamische Analyse
Operationen im Debug-Modus
```bash
Starting Debug Session
r2 -d /path/to/binary # Load in debug mode r2 -d -A /path/to/binary # Load with analysis in debug mode
Process Attachment
r2 -d pid://1234 # Attach to process ID r2 -d gdb://localhost:1234 # Connect to GDB server
Debug Information
dp # List processes dpt # List threads dpr # Show registers drr # Show register references
Execution Control
dc # Continue execution ds # Step one instruction dso # Step over dsu address # Step until address dt # Trace execution
Breakpoints
db address # Set breakpoint db- address # Remove breakpoint dbc address # Set conditional breakpoint dbt # Backtrace dbl # List breakpoints
Memory Breakpoints
dbh address # Hardware breakpoint dbw address # Write breakpoint dbr address # Read breakpoint
Watchpoints
dw address # Set watchpoint dw- address # Remove watchpoint dwl # List watchpoints
Register Manipulation
dr # Show all registers dr eax # Show specific register dr eax=0x1234 # Set register value drt # Show register types ```_
Erweiterte Debugging-Funktionen
```bash
Memory Analysis During Debug
dm # Memory maps dmi # Memory info dmh # Heap analysis dms # Stack analysis
Dynamic Memory Operations
dma address size # Allocate memory dmf # Free memory dmd address # Dump memory
Tracing and Logging
dt # Trace execution dtl # Trace with logging dts # Trace syscalls dte # Trace events
Advanced Tracing
e dbg.trace=true # Enable tracing e dbg.trace.tag=1 # Tag traced instructions dtt # Trace to file
Signal Handling
dk # Send signal dk 9 # Send SIGKILL dko # Signal handling options
Process Information
dpl # List loaded libraries dpj # Process info as JSON dpp # Process permissions
Remote Debugging
r2 -d rap://host:port # Remote debugging =!rarun2 # Use rarun2 for debugging ```_
ESIL (Evaluable Strings Intermediate Language)
```bash
ESIL Introduction
ESIL is Radare2's intermediate language for emulation
Allows platform-independent analysis and emulation
ESIL Operations
aei # Initialize ESIL VM aeim # Initialize ESIL memory aeip # Initialize ESIL stack
ESIL Execution
aes # Step one ESIL instruction aeso # Step over ESIL instruction aesu address # Step until address aec # Continue ESIL execution
ESIL State
aer # Show ESIL registers aer reg=value # Set ESIL register aets # Show ESIL stack aem # Show ESIL memory
ESIL Analysis
aea # Analyze with ESIL aef # Analyze function with ESIL aeg # Generate ESIL graph
ESIL Emulation
e asm.emu=true # Enable emulation e emu.str=true # Emulate string operations e emu.write=true # Enable write emulation
ESIL Debugging
aed # Debug ESIL aedc # Continue ESIL debugging aeds # Step ESIL debugging ```_
Skript und Automatisierung
R2Pipe Programmierschnittstelle
```python
Python R2Pipe Example
import r2pipe
Open binary
r2 = r2pipe.open("/path/to/binary")
Execute commands
info = r2.cmd("i") functions = r2.cmdj("aflj") # JSON output disasm = r2.cmd("pd 10")
Analysis automation
r2.cmd("aaa") # Analyze all strings = r2.cmdj("izj") # Get strings as JSON
Function analysis
for func in functions: print(f"Function: \\{func['name']\\} at \\{hex(func['offset'])\\}")
Search operations
xrefs = r2.cmdj("axtj @main") # Cross-references to main
Close session
r2.quit() ```_
R2 Scripting Language
```bash
R2 Script Basics (.r2 files)
Comments start with
Commands are executed sequentially
Example analysis script
!/usr/bin/env r2 -i
Auto-analysis script
Load and analyze
aaa
Find interesting functions
afl~main afl~crypto afl~password
Search for strings
iz~password iz~key iz~secret
Generate function graph
agf @main > main_graph.dot
Export analysis
Ps analysis_project ```_
Erweiterte Skripttechniken
```bash
Conditional Execution
?e "Starting analysis" ? eax==0x1234; ?e "EAX is 0x1234"
Loops and Iteration
Iterate through functions
afl~[0]|while read addr; do echo "Analyzing function at $addr" s $addr pdf done
Macros
(macro_name arg1 arg2; command1; command2) (analyze_func addr; s $addr; af; pdf)
Variables
$var=value ?e $var
Environment Variables
e var.name=value ?e $var.name
Function Hooks
e cmd.hit=px 32 # Execute on breakpoint hit e cmd.load=aaa # Execute on file load
Custom Commands
"(custom_cmd arg; echo Custom command with $arg)" ```_
Plugin-Entwicklung
```c // Basic R2 Plugin Structure (C)
include
static int r2_cmd_example(void user, const char input) \\{ RCore core = (RCore )user;
switch (*input) \\\\{
case '?':
r_cons_printf("Usage: example [args]\n");
break;
case ' ':
// Handle arguments
r_cons_printf("Example command executed\n");
break;
default:
r_cons_printf("Unknown command\n");
break;
\\\\}
return true;
\\}
RCorePlugin r_core_plugin_example = \\{ .name = "example", .desc = "Example plugin", .license = "MIT", .call = r2_cmd_example, \\};
ifndef CORELIB
RLibStruct radare_plugin = \\{ .type = R_LIB_TYPE_CORE, .data = &r;_core_plugin_example, .version = R2_VERSION \\};
endif
```_
Malware-Analyse mit Radare2
Strategische Malware-Analyse
```bash
Initial Triage
i # Basic file information iI # Detailed binary info ih # File headers iS # Sections analysis ie # Entry points
Packer Detection
rabin2 -I /path/to/binary # Binary information rabin2 -S /path/to/binary # Sections rabin2 -z /path/to/binary # Strings
Entropy Analysis
p=e 1000 # Entropy visualization rahash2 -a entropy file # Calculate entropy
Import/Export Analysis
ii # Imports iE # Exports ir # Relocations
String Analysis
iz # Strings in data sections izz # All strings izzz # Deep string search iz~http # Filter HTTP-related strings iz~password # Filter password-related strings
Cryptographic Constants
/x 67452301 # MD5 constants /x 01234567 # SHA constants /x 61707865 # "apxe" (expand 32-byte k)
Suspicious API Detection
ii~CreateFile ii~WriteFile ii~RegOpenKey ii~socket ii~connect ```_
Dynamische Malware-Analyse
```bash
Safe Analysis Environment Setup
Use isolated VM with network monitoring
Snapshot VM before analysis
Debug Mode Analysis
r2 -d /path/to/malware # Load in debug mode aaa # Analyze all
API Monitoring
dcs # Syscall tracing dt # Trace execution dtl # Trace with logging
Breakpoint Strategy
db sym.CreateFileA # Break on file creation db sym.RegOpenKeyA # Break on registry access db sym.socket # Break on network activity
Memory Analysis
dm # Memory maps dmi # Memory info dmh # Heap analysis
Network Behavior
Monitor with external tools while debugging
Wireshark, netstat, etc.
Unpacking Analysis
Set breakpoint at entry point
db entry0 dc # Continue to entry
Step through unpacking routine
ds # Step instruction
Look for jumps to unpacked code
Dump unpacked code when found
```_
Erweiterte Malware-Techniken
```bash
Anti-Analysis Detection
Look for anti-debugging checks
/x 64A118000000 # PEB access (Windows) /x 0F31 # RDTSC instruction ii~IsDebuggerPresent # Debugger detection API
Obfuscation Analysis
Control flow obfuscation
agf # Function graph VV # Visual graph mode
String Obfuscation
Look for string decryption routines
afl~decrypt afl~decode afl~xor
Code Injection Detection
ii~VirtualAlloc ii~VirtualProtect ii~WriteProcessMemory ii~CreateRemoteThread
Persistence Mechanisms
iz~Run # Registry run keys iz~Service # Windows services iz~Task # Scheduled tasks
Communication Analysis
iz~http iz~tcp iz~udp ii~socket ii~connect ii~send ii~recv
Evasion Techniques
VM detection
iz~VMware iz~VirtualBox iz~QEMU iz~Xen
Sandbox evasion
iz~sleep iz~delay ii~GetTickCount ii~timeGetTime ```_
Binary Exploitation und Reverse Engineering
Schwachstellenanalyse
```bash
Buffer Overflow Detection
Look for dangerous functions
ii~strcpy ii~strcat ii~sprintf ii~gets
Format String Vulnerabilities
ii~printf ii~sprintf ii~fprintf iz~%s iz~%x iz~%n
Integer Overflow Detection
Look for arithmetic operations
/x 01C0 # add eax, eax /x 29C0 # sub eax, eax /x F7E0 # mul eax
Use-After-Free Detection
ii~free ii~malloc ii~realloc
Stack Analysis
afv # Function variables afc # Calling convention K # Show stack frame
ROP Gadget Search
/R # Search ROP gadgets /R pop # Search specific gadgets /R ret # Search return gadgets
Shellcode Analysis
Look for shellcode patterns
/x 31C0 # xor eax, eax /x 50 # push eax /x 68 # push immediate ```_
Entwicklung nutzen
```bash
Pattern Generation
ragg2 -P 100 -r # Generate pattern ragg2 -q 0x41414141 # Find pattern offset
Address Calculation
? 0x401000+0x100 # Calculate addresses ? 0x7fff0000-0x7ffe0000 # Calculate offsets
Shellcode Generation
ragg2 -a x86 -b 64 -i exec # Generate shellcode ragg2 -a x86 -b 32 -i connect # Network shellcode
Binary Patching
wa "nop" # Write NOP instruction wx 90 # Write NOP byte wa "jmp 0x401234" # Write jump
Exploit Testing
r2 -d ./vulnerable_app # Debug target dc # Continue execution dr # Check registers after crash
ASLR Bypass
dm # Check memory layout dmi libc # Find libc base ? libc_base+system_offset # Calculate system address ```_
Die umfangreichen Funktionen von Radare2, leistungsstarke Kommandozeilenschnittstelle und umfangreiche Automatisierungsfunktionen machen es zu einem unverzichtbaren Werkzeug für die moderne Reverse Engineering- und Sicherheitsanalyse. Seine Open-Source-Natur, kombiniert mit aktiver Community-Entwicklung und umfangreichem Plugin-Ökosystem, sorgt dafür, dass es an der Spitze der binären Analysetechnologie bleibt. Ob für Malware-Analysen, Schwachstellenforschung, Entwicklung oder allgemeine Reverse Engineering-Aufgaben verwendet, Radare2 bietet die Tiefe, Flexibilität und Leistung, die Sicherheitsexperten für ihre herausforderndste Analysearbeit benötigen. Das Engagement des Frameworks für Skriptfähigkeit und Automatisierung macht es besonders wertvoll für groß angelegte Analyseprojekte und die Integration in Sicherheitsworkflows, die es als Eckpfeiler im Toolkit des modernen Sicherheitsanalytikers etablieren.