3 """A tool for looking for indirect jumps and calls in x86 binaries.
5 Helpful to verify whether or not retpoline mitigations are catching
6 all of the indirect branches in a binary and telling you which
7 functions the remaining ones are in (assembly, etc).
9 Depends on llvm-objdump being in your path and is tied to the
13 from __future__ import print_function
21 # Look for indirect calls/jmps in a binary. re: (call|jmp).*\*
22 def look_for_indirect(file):
23 args = ['llvm-objdump']
27 p = subprocess.Popen(args=args, stdin=None, stderr=subprocess.PIPE, stdout=subprocess.PIPE)
28 (stdout,stderr) = p.communicate()
31 for line in stdout.splitlines():
32 if line.startswith(' ') == False:
34 result = re.search('(call|jmp).*\*', line)
36 # TODO: Perhaps use cxxfilt to demangle functions?
42 # No options currently other than the binary.
43 parser = optparse.OptionParser("%prog [options] <binary>")
44 (opts, args) = parser.parse_args(args)
46 parser.error("invalid number of arguments: %s" % len(args))
47 look_for_indirect(args[1])
49 if __name__ == '__main__':