decompiler  1.0.0
SLEIGH

Overview

Welcome to SLEIGH, a machine language translation and disassembly engine. SLEIGH is both a processor specification language and the associated library and tools for using such a specification to generate assembly and to generate pcode, a reverse engineering Register Transfer Language (RTL), from binary machine instructions.

SLEIGH was originally based on SLED, a Specification Language for Encoding and Decoding, designed by Norman Ramsey and Mary F. Fernandez, which performed disassembly (and assembly). SLEIGH extends SLED by providing semantic descriptions (via the RTL) of machine instructions and other practical enhancements for doing real world reverse engineering.

SLEIGH is part of Project GHIDRA. It provides the core of the GHIDRA disassembler and the data-flow and decompilation analysis. However, SLEIGH can serve as a standalone library for use in other applications for providing a generic disassembly and RTL translation interface.

Building SLEIGH

There are a couple of make targets for building the SLEIGH library from source. These are:

make libsla.a # Build the main library
make libsla_dbg.a # Build the library with debug symbols

The source code file sleighexample.cc has a complete example of initializing the Translate engine and using it to generate assembly and pcode. The source has a hard-coded file name, x86testcode, as the example binary executable it attempts to decode, but this can easily be changed. It also needs a SLEIGH specification file (.sla) to be present.
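The one piece an application must supply before the Translate engine can decode anything is a byte source for the binary being analysed: in the library this is an implementation of the abstract LoadImage class (loadimage.hh), whose loadFill method the engine calls whenever it needs instruction bytes. The block below is an added, stand-alone sketch of that contract, not code from sleighexample.cc or from the SLEIGH library; it includes no SLEIGH header and uses a plain 64-bit address instead of SLEIGH's Address type so that it compiles on its own. It assumes the usual loader rule, which is the behaviour a disassembler front end needs from such an adapter: every requested byte is filled, any part of the request outside the image is returned as zero, and the copy never reads past the image buffer or writes past the caller's buffer, even for a request at the top of the address space. The sample bytes are constructed for the example.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <iomanip>
#include <iostream>
#include <stdexcept>
#include <vector>

// Stand-alone byte source with the same fill contract that SLEIGH's
// LoadImage::loadFill(uint1 *ptr, int4 size, const Address &addr) is expected
// to honour (assumption for this example; this is not the library's class).
class InMemoryImage {
  uint64_t baseaddr;            // virtual address of data[0]
  std::vector<uint8_t> data;    // raw bytes of the "executable"
public:
  InMemoryImage(uint64_t base, std::vector<uint8_t> bytes)
    : baseaddr(base), data(std::move(bytes)) {}

  // Copy 'size' bytes starting at virtual address 'addr' into 'ptr'.
  // Bytes outside [baseaddr, baseaddr + data.size()) are delivered as zero.
  // The overlap is computed with clamped arithmetic so a request that would
  // wrap around the address space cannot turn into an out-of-bounds read.
  void loadFill(uint8_t *ptr, int size, uint64_t addr) const {
    if (size < 0) throw std::invalid_argument("negative fill size");
    std::memset(ptr, 0, static_cast<size_t>(size));   // default: zero padding

    uint64_t len = data.size();
    uint64_t imgend = (baseaddr > UINT64_MAX - len) ? UINT64_MAX : baseaddr + len;
    uint64_t usize = static_cast<uint64_t>(size);
    uint64_t reqend = (addr > UINT64_MAX - usize) ? UINT64_MAX : addr + usize;

    uint64_t lo = std::max(addr, baseaddr);   // first byte inside both ranges
    uint64_t hi = std::min(reqend, imgend);   // one past the last such byte
    if (lo >= hi) return;                     // request lies wholly outside the image

    std::memcpy(ptr + (lo - addr), data.data() + (lo - baseaddr),
                static_cast<size_t>(hi - lo));
  }
};

// Convenience wrapper: fetch 'size' bytes at 'addr' as a vector.
std::vector<uint8_t> fetch(const InMemoryImage &img, uint64_t addr, int size) {
  std::vector<uint8_t> out(static_cast<size_t>(size));
  img.loadFill(out.data(), size, addr);
  return out;
}

// Constructed sample: five bytes of x86-64 code placed at 0x1000
// (push rbp; mov rbp,rsp; ret), standing in for a loaded executable.
InMemoryImage sample_image() {
  return InMemoryImage(0x1000, {0x55, 0x48, 0x89, 0xe5, 0xc3});
}

static void dump(const char *label, const std::vector<uint8_t> &bytes) {
  std::cout << label << ":";
  for (uint8_t b : bytes)
    std::cout << ' ' << std::hex << std::setw(2) << std::setfill('0') << int(b);
  std::cout << std::dec << '\n';
}

int main() {
  InMemoryImage img = sample_image();
  dump("inside image      ", fetch(img, 0x1000, 5));
  dump("straddles start   ", fetch(img, 0x0ffe, 4));
  dump("straddles end     ", fetch(img, 0x1003, 4));
  dump("outside image     ", fetch(img, 0x2000, 3));
  dump("top of address sp.", fetch(img, UINT64_MAX - 1, 4));
  return 0;
}
```

When wiring a real loader into SLEIGH, the same three cases (fully inside, straddling an edge, fully outside) are the ones worth checking first: the engine will happily ask for bytes past the end of a section when an instruction stream runs off the mapped image, and the adapter, not the engine, decides whether that becomes a zero-filled read or a memory error.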

Building the example application can be done with something similar to the following makefile fragment.

# The C++ compiler
CXX=g++
# Debug flags
DBG_CXXFLAGS=-g -Wall -Wno-sign-compare
OPT_CXXFLAGS=-O2 -Wall -Wno-sign-compare
# Header search path and the SLEIGH library to link against
INCLUDES=-I./src
LNK=src/libsla_dbg.a

# Compile the example source into an object file
sleighexample.o: sleighexample.cc
	$(CXX) -c $(DBG_CXXFLAGS) $(INCLUDES) -o sleighexample.o sleighexample.cc

# Link the object file against the SLEIGH library to produce the executable
sleighexample: sleighexample.o
	$(CXX) $(DBG_CXXFLAGS) -o sleighexample sleighexample.o $(LNK)

clean:
	rm -rf *.o sleighexample

Using SLEIGH

SLEIGH is a generic reverse engineering tool in the sense that the API is designed to be completely processor independent. In order to process binary executables for a specific processor, the library reads in a specification file, which describes how instructions are encoded and how they are interpreted by the processor. An application which needs to do disassembly or generate pcode can design to the SLEIGH API once, and then the application will automatically support any processor for which there is a specification.

For working with a single processor, the SLEIGH library needs to load a single compiled form of the processor specification, which is traditionally given a ".sla" suffix. Most common processors already have a ".sla" file available. So to use SLEIGH with these processors, the library merely needs to be made aware of the desired file. This documentation covers the use of the SLEIGH API, assuming that this specification file is available.

The ".sla" files themselves are created by running the compiler on a file written in the formal SLEIGH language. These files traditionally have the suffix ".slaspec". For those who want to design such a specification for a new processor, please refer to the document, "SLEIGH: A Language for Rapid Processor Specification."