How to use angr - 10 common examples
To help you get started, we’ve selected a few angr examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
angr / angr / angr / storage / paged_memory.py View on Github 
def _update_mappings(self, actual_addr, cnt):
if options.MEMORY_SYMBOLIC_BYTES_MAP in self.state.options:
page_num = actual_addr // self._page_size
page_idx = actual_addr
if self.state.solver.symbolic(cnt):
self._symbolic_addrs[page_num].add(page_idx)
else:
self._symbolic_addrs[page_num].discard(page_idx)
if not (options.REVERSE_MEMORY_NAME_MAP in self.state.options or
options.REVERSE_MEMORY_HASH_MAP in self.state.options):
return
if (options.REVERSE_MEMORY_HASH_MAP not in self.state.options) and \
len(self.state.solver.variables(cnt)) == 0:
return
l.debug("Updating mappings at address 0x%x", actual_addr)def permissions(self, addr, permissions=None):
"""
Returns the permissions for a page at address `addr`.
If optional argument permissions is given, set page permissions to that prior to returning permissions.
"""
if self.state.solver.symbolic(addr):
raise SimMemoryError("page permissions cannot currently be looked up for symbolic addresses")
if isinstance(addr, claripy.ast.bv.BV):
addr = self.state.solver.eval(addr)
page_num = addr // self._page_size
try:
page = self._get_page(page_num)
except KeyError:
raise SimMemoryMissingError("page does not exist at given address")
# Set permissions for the page
if permissions is not None:
if isinstance(permissions, int):
permissions = claripy.BVV(permissions, 3)If optional argument permissions is given, set page permissions to that prior to returning permissions.
"""
if self.state.solver.symbolic(addr):
raise SimMemoryError(
"page permissions cannot currently be looked up for symbolic addresses")
if isinstance(addr, claripy.ast.bv.BV):
addr = self.state.solver.eval(addr)
page_num = addr // self._page_size
try:
page = self._get_page(page_num)
except KeyError:
raise SimMemoryError("page does not exist at given address")
# Set permissions for the page
if permissions is not None:
if isinstance(permissions, (int, long)):
permissions = claripy.BVV(permissions, 3)
if not isinstance(permissions, claripy.ast.bv.BV):
raise SimMemoryError(
"Unknown permissions argument type of {0}.".format(
type(permissions)))
page.permissions = permissions
return page.permissions
addr = self.state.solver.eval(addr)
page_num = addr // self._page_size
try:
page = self._get_page(page_num)
except KeyError:
raise SimMemoryError("page does not exist at given address")
# Set permissions for the page
if permissions is not None:
if isinstance(permissions, (int, long)):
permissions = claripy.BVV(permissions, 3)
if not isinstance(permissions, claripy.ast.bv.BV):
raise SimMemoryError(
"Unknown permissions argument type of {0}.".format(
type(permissions)))
page.permissions = permissions
return page.permissionsdef run(self, nBufferLength, lpBuffer):
try:
length = self.state.solver.eval_one(nBufferLength)
except angr.errors.SimValueError:
raise angr.errors.SimProcedureError("Can't handle symbolic nBufferLength in GetTempPath")
copy_len = min(self.RESULT.length//8, length - 1)
self.state.memory.store(lpBuffer, self.RESULT[self.RESULT.length - 1 : self.RESULT.length - copy_len*8].concat(claripy.BVV(0, 8)))
return self.RESULT.length // 8def SimIRExpr_Get(_, state, expr):
size_in_bits = get_type_size(expr.ty)
size = size_in_bits // state.arch.byte_width
# get it!
result = state.registers.load(expr.offset, size)
if expr.type.startswith('Ity_F'):
result = result.raw_to_fp()
# finish it and save the register references
if o.TRACK_REGISTER_ACTIONS in state.options:
r = SimActionData(state, state.registers.id, SimActionData.READ, addr=expr.offset,
size=size_in_bits, data=result
)
state.history.add_action(r)
return resultsize_in_bits = get_type_size(expr.descr.elemTy)
size = size_in_bits // state.arch.byte_width
array_base = expr.descr.base
array_index = (ix + expr.bias) % expr.descr.nElems
offset = array_base + array_index*size
# get it!
result = state.registers.load(offset, size)
if expr.descr.elemTy.startswith('Ity_F'):
result = result.raw_to_fp()
# finish it and save the register references
if o.TRACK_REGISTER_ACTIONS in state.options:
r = SimActionData(state, state.registers.id, SimActionData.READ, addr=offset, size=size_in_bits, data=result)
state.history.add_action(r)
return resultdef run_longinit(arch):
p = angr.Project(os.path.join(test_location, 'binaries', 'tests', arch, 'longinit'))
s_unicorn = p.factory.entry_state(add_options=so.unicorn, remove_options={so.SHORT_READS})
pg = p.factory.simulation_manager(s_unicorn, save_unconstrained=True, save_unsat=True)
pg.explore()
s = pg.deadended[0]
(first, _), (second, _) = s.posix.stdin.content
s.add_constraints(first == s.solver.BVV(b'A'*9))
s.add_constraints(second == s.solver.BVV(b'B'*9))
nose.tools.assert_equal(s.posix.dumps(1), b"You entered AAAAAAAAA and BBBBBBBBB!\n")def _individual_test(state, base, val, size):
# time it
start = time.time()
memset = SIM_PROCEDURES['libc']['memset']().execute(
state, arguments=[base, state.solver.BVV(val, 8), size]
)
elapsed = time.time() - start
# should be done within 1 second
nose.tools.assert_less_equal(elapsed, 5)
# the result should be good
byt_0 = memset.state.memory.load(base, 1)
nose.tools.assert_equal(s.solver.eval_upto(byt_0, 10), [val])
byt_1 = memset.state.memory.load(base+1, 1)
nose.tools.assert_equal(s.solver.eval_upto(byt_1, 10), [val])
byt_2 = memset.state.memory.load(base+size-1, 1)
nose.tools.assert_equal(s.solver.eval_upto(byt_2, 10), [val]) @classmethod
def setup_class(cls):
cls.project = angr.Project(os.path.join(TEST_LOCATION, "x86_64", "fauxware"))angr
A multi-architecture binary analysis toolkit, with the ability to perform dynamic symbolic execution and various static analyses on binaries
Package Health Score
88 / 100Popular angr functions
- angr.analyses.AnalysesHub.register_default
- angr.analyses.identifier.func.TestData
- angr.errors
- angr.errors.AngrError
- angr.errors.SimMemoryError
- angr.errors.SimMergeError
- angr.errors.SimValueError
- angr.exploration_techniques
- angr.options
- angr.Project
- angr.sim_options
- angr.SIM_PROCEDURES
- angr.sim_state.SimState
- angr.sim_state.SimState.register_default
- angr.sim_type.SimTypeInt
- angr.SimProcedure
- angr.SimState
- angr.state_plugins.plugin.SimStatePlugin
- angr.state_plugins.sim_action.SimActionData
- angr.storage.memory_object.SimMemoryObject