How to use the angr.SIM_PROCEDURES function in angr
To help you get started, we’ve selected a few angr examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
angr / angr / tests / test_memory.py View on Github 
def _individual_test(state, base, val, size):
# time it
start = time.time()
memset = SIM_PROCEDURES['libc']['memset']().execute(
state, arguments=[base, state.solver.BVV(val, 8), size]
)
elapsed = time.time() - start
# should be done within 1 second
nose.tools.assert_less_equal(elapsed, 5)
# the result should be good
byt_0 = memset.state.memory.load(base, 1)
nose.tools.assert_equal(s.solver.eval_upto(byt_0, 10), [val])
byt_1 = memset.state.memory.load(base+1, 1)
nose.tools.assert_equal(s.solver.eval_upto(byt_1, 10), [val])
byt_2 = memset.state.memory.load(base+size-1, 1)
nose.tools.assert_equal(s.solver.eval_upto(byt_2, 10), [val])def test_static_hooker():
test_file = os.path.join(test_location, 'x86_64', 'static')
p = angr.Project(test_file)
sh = p.analyses.StaticHooker('libc.so.6')
nose.tools.assert_in(4197616, sh.results)
nose.tools.assert_is(type(sh.results[4197616]), angr.SIM_PROCEDURES['glibc']['__libc_start_main'])
nose.tools.assert_is(type(p.hooked_by(4197616)), angr.SIM_PROCEDURES['glibc']['__libc_start_main'])('ARMEL', None),
('MIPS32', None),
('PPC32', None),
('PPC64', None),
]
# x86, cdecl
for arch, cc in arches:
s = SimState(arch=arch)
for reg, val, _, _ in s.arch.default_register_values:
s.registers.store(reg, val)
if cc is not None:
manyargs = SIM_PROCEDURES['testing']['manyargs'](cc=cc(s.arch)).execute(s)
else:
manyargs = SIM_PROCEDURES['testing']['manyargs']().execute(s)
# Simulate a call
if s.arch.call_pushes_ret:
s.regs.sp = s.regs.sp + s.arch.stack_change
manyargs.set_args(args)
for index, arg in enumerate(args):
nose.tools.assert_true(s.solver.is_true(manyargs.arg(index) == arg))def run(self):
self.return_type = SimTypeInt(32, True)
fgetc = angr.SIM_PROCEDURES['libc']['fgetc']
stdin = self.state.posix.get_fd(0)
data = self.inline_call(fgetc, 0, simfd=stdin).ret_expr
return datadef run(self, src, fmt, one, two, three): #pylint:disable=unused-argument
memcpy = angr.SIM_PROCEDURES['libc']['memcpy']
self.inline_call(memcpy, one, src, 5)
self.state.memory.store(one+4, self.state.solver.BVV(0, 8))
self.inline_call(memcpy, two, src+6, 8192)
self.state.memory.store(two+8191, self.state.solver.BVV(0, 8))
self.inline_call(memcpy, three, src+6+8193, 12)
self.state.memory.store(three+11, self.state.solver.BVV(0, 8))
#if angr.o.SYMBOLIC in self.state.options:
# #crazy_str = "index.asp?authorization=M3NhZG1pbjoyNzk4ODMwMw==&yan=yes\x00"
# #crazy_str = "index.asp?authorization=3sadmin:27988303&yan=yes\x00"
# crazy_str = "authorization=3sadmin:27988303\x00"
# self.state.add_constraints(self.state.memory.load(two, len(crazy_str)) == self.state.solver.BVV(crazy_str))
return self.state.solver.BVV(3)def run(self, file_ptr):
fseek = angr.SIM_PROCEDURES['libc.so.6']['fseek']
self.inline_call(fseek, file_ptr, 0, 0)
return Nonedef run(self, a_addr, b_addr, limit, a_len=None, b_len=None, wchar=False, ignore_case=False): #pylint:disable=arguments-differ
# TODO: smarter types here?
self.argument_types = {0: self.ty_ptr(SimTypeString()),
1: self.ty_ptr(SimTypeString()),
2: SimTypeLength(self.state.arch)}
self.return_type = SimTypeInt(32, True)
strlen = angr.SIM_PROCEDURES['libc']['strlen']
a_strlen = a_len if a_len is not None else self.inline_call(strlen, a_addr, wchar=wchar)
b_strlen = b_len if b_len is not None else self.inline_call(strlen, b_addr, wchar=wchar)
a_len = a_strlen.ret_expr
b_len = b_strlen.ret_expr
match_constraints = [ ]
variables = a_len.variables | b_len.variables | limit.variables
ret_expr = self.state.solver.Unconstrained("strncmp_ret", self.state.arch.bits, key=('api', 'strncmp'))
# determine the maximum number of bytes to compare
concrete_run = False
#if not self.state.solver.symbolic(a_len) and not self.state.solver.symbolic(b_len) and not self.state.solver.symbolic(limit):
if self.state.solver.single_valued(a_len) and self.state.solver.single_valued(b_len) and self.state.solver.single_valued(limit):
c_a_len = self.state.solver.eval(a_len)#pylint:disable=unused-variable
strlen = angr.SIM_PROCEDURES['libc']['strlen']
m_strlen = self.inline_call(strlen, m_addr)
m_expr = self.state.memory.load(m_addr, m_strlen.max_null_index, endness='Iend_BE')
mode = self.state.solver.eval(m_expr, cast_to=bytes)
# TODO: handle append and other mode subtleties
fd = self.state.solver.eval(fd_int)
if fd not in self.state.posix.fd:
# if file descriptor not found return NULL
return 0
else:
# Allocate a FILE struct in heap
malloc = angr.SIM_PROCEDURES['libc']['malloc']
io_file_data = io_file_data_for_arch(self.state.arch)
file_struct_ptr = self.inline_call(malloc, io_file_data['size']).ret_expr
# Write the fd
fd_bvv = self.state.solver.BVV(fd, 4 * 8) # int
self.state.memory.store(file_struct_ptr + io_file_data['fd'],
fd_bvv,
endness=self.state.arch.memory_endness)
return file_struct_ptrdef run(self, string):
self.argument_types = {0: self.ty_ptr(SimTypeString())}
self.return_type = SimTypeInt(32, True)
stdout = self.state.posix.get_fd(1)
if stdout is None:
return -1
strlen = angr.SIM_PROCEDURES['libc']['strlen']
length = self.inline_call(strlen, string).ret_expr
out = stdout.write(string, length)
stdout.write_data(self.state.solver.BVV(b'\n'))
return out + 1def run(self, haystack_addr, needle_addr, haystack_strlen=None, needle_strlen=None):
self.argument_types = { 0: self.ty_ptr(SimTypeString()),
1: self.ty_ptr(SimTypeString())}
self.return_type = self.ty_ptr(SimTypeString())
strlen = angr.SIM_PROCEDURES['libc']['strlen']
strncmp = angr.SIM_PROCEDURES['libc']['strncmp']
haystack_strlen = self.inline_call(strlen, haystack_addr) if haystack_strlen is None else haystack_strlen
needle_strlen = self.inline_call(strlen, needle_addr) if needle_strlen is None else needle_strlen
# naive approach
haystack_maxlen = haystack_strlen.max_null_index
needle_maxlen = needle_strlen.max_null_index
l.debug("strstr with size %d haystack and size %d needle...", haystack_maxlen, needle_maxlen)
if needle_maxlen == 0:
l.debug("... zero-length needle.")
return haystack_addr
elif haystack_maxlen == 0:
l.debug("... zero-length haystack.")
return self.state.solver.BVV(0, self.state.arch.bits)angr
A multi-architecture binary analysis toolkit, with the ability to perform dynamic symbolic execution and various static analyses on binaries
Package Health Score
88 / 100Popular angr functions
- angr.analyses.AnalysesHub.register_default
- angr.analyses.identifier.func.TestData
- angr.errors
- angr.errors.AngrError
- angr.errors.SimMemoryError
- angr.errors.SimMergeError
- angr.errors.SimValueError
- angr.exploration_techniques
- angr.options
- angr.Project
- angr.sim_options
- angr.SIM_PROCEDURES
- angr.sim_state.SimState
- angr.sim_state.SimState.register_default
- angr.sim_type.SimTypeInt
- angr.SimProcedure
- angr.SimState
- angr.state_plugins.plugin.SimStatePlugin
- angr.state_plugins.sim_action.SimActionData
- angr.storage.memory_object.SimMemoryObject