1. Advisor
  2. angr
  3. functions
  4. angr.SimProcedure
View all angr analysis

How to use the angr.SimProcedure function in angr

To help you get started, we’ve selected a few angr examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github fabros / angr-antievasion / testing / utilities / aux_simprocs.py View on Github external
import angr
from angr_antievasion import StdcallSimProcedure
import logging

l = logging.getLogger("testing.utilities")


# Auxiliary SimProcedures to perform tests
# (without them checks could fail for "accessory" reasons, e.g. string handling functions not working or not "present")
# Practically all of them assert we are handling concrete input, so they are not suitable for purely symbolic tests.

class toupper(angr.SimProcedure):
    def run(self, c):
        self.argument_types = {0: angr.sim_type.SimTypeInt(self.state.arch, True)}
        self.return_type = angr.sim_type.SimTypeInt(self.state.arch, True)

        ret_expr = self.state.solver.If(
            self.state.solver.And(c >= 97, c <= 122),  # a - z
            c - 32, c)
        l.info('{} @ {}: {} => {}'.format(
            self.display_name, self.state.memory.load(self.state.regs.esp, 4, endness=self.arch.memory_endness),
            c, ret_expr))
        return ret_expr


class tolower(angr.SimProcedure):
    def run(self, c):
        self.argument_types = {0: angr.sim_type.SimTypeInt(self.state.arch, True)}
github hase-project / hase / hase / symbex / procedures / syscall.py View on Github external
class getppid(SimProcedure):
    IS_SYSCALL = True

    def run(self) -> claripy.BVV:
        return self.state.solver.Unconstrained("getppid", 32, uninitialized=False)


class getgid(SimProcedure):
    IS_SYSCALL = True

    def run(self) -> claripy.BVV:
        return self.state.solver.Unconstrained("getgid", 32, uninitialized=False)


class getpgid(SimProcedure):
    IS_SYSCALL = True

    def run(self) -> claripy.BVV:
        return self.state.solver.Unconstrained("getpgid", 32, uninitialized=False)


class getuid(SimProcedure):
    IS_SYSCALL = True

    def run(self) -> claripy.BVV:
        return self.state.solver.Unconstrained("getuid", 32, uninitialized=False)


class getgrp(SimProcedure):
    IS_SYSCALL = True
github angr / angr / angr / procedures / posix / send.py View on Github external
import angr

######################################
# send
######################################

class send(angr.SimProcedure):
    #pylint:disable=arguments-differ

    def run(self, fd, src, length):
        data = self.state.memory.load(src, length)
        length = self.state.posix.write(fd, data, length)
        return length
github hase-project / hase / hase / symbex / procedures / fallback_operation.py View on Github external
def func(proc, *args, **kwargs):
        try:
            fn = SIM_PROCEDURES[lib][name]
            return proc.inline_call(fn, *args, **kwargs).ret_expr
        except Exception:
            if ret_expr:
                return ret_expr
            else:
                return proc.state.solver.Unconstrained(
                    name, ret_size, uninitialized=False
                )

    return func


class atoi(SimProcedure):
    def run(self, s) -> claripy.BVV:
        return self.state.solver.Unconstrained("atoi", 32, uninitialized=False)
github hase-project / hase / hase / symbex / procedures / syscall.py View on Github external
class fstatat(SimProcedure):
    IS_SYSCALL = True

    def run(self, dirfd, pathname, stat_buf, flags) -> claripy.BVV:
        return self.inline_call(stat, pathname, stat_buf).ret_expr


class newfstatat(SimProcedure):
    IS_SYSCALL = True

    def run(self, dirfd, pathname, stat_buf, flags) -> claripy.BVV:
        return self.inline_call(stat, pathname, stat_buf).ret_expr


class fcntl(SimProcedure):
    ARGS_MISMATCH = True
    IS_SYSCALL = True

    def run(self, fd, cmd) -> claripy.BVV:
        return self.state.solver.Unconstrained("fcntl", 32, uninitialized=False)


class fadvise64(SimProcedure):
    IS_SYSCALL = True

    def run(self, fd, offset, len, advise) -> claripy.BVV:
        return errno_success(self)


class statfs(SimProcedure):
    IS_SYSCALL = True
github angr / angr / angr / procedures / libc / fwrite.py View on Github external
import angr

from cle.backends.externs.simdata.io_file import io_file_data_for_arch

######################################
# fwrite
######################################

class fwrite(angr.SimProcedure):
    #pylint:disable=arguments-differ

    def run(self, src, size, nmemb, file_ptr):
        fd_offset = io_file_data_for_arch(self.state.arch)['fd']
        fileno = self.state.mem[file_ptr + fd_offset:].int.resolved
        simfd = self.state.posix.get_fd(fileno)
        if simfd is None:
            return -1
        return simfd.write(src, size*nmemb)
github angr / angr / angr / procedures / win32 / VirtualAlloc.py View on Github external
if prot & 0x04:
        return 3
    if prot & 0x08:
        return 3
    raise angr.errors.SimValueError("Unknown windows memory protection constant: %#x" % prot)

def deconvert_prot(prot):
    """
    Convert from a angr bitmask to a windows memory protection constant
    """
    if prot in (2, 6):
        raise angr.errors.SimValueError("Invalid memory protection for windows process")
    return [0x01, 0x02, None, 0x04, 0x10, 0x20, None, 0x40][prot]

# https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890(v=vs.85).aspx
class VirtualAlloc(angr.SimProcedure):
    def run(self, lpAddress, dwSize, flAllocationType, flProtect):
        l.debug("VirtualAlloc(%s, %s, %s, %s)", lpAddress, dwSize, flAllocationType, flProtect)
        addrs = self.state.solver.eval_upto(lpAddress, 2)
        if len(addrs) != 1:
            raise angr.errors.SimValueError("VirtualAlloc can't handle symbolic lpAddress")
        addr = addrs[0]
        addr &= ~0xfff

        size = self.state.solver.max_int(dwSize)
        if dwSize.symbolic and size > self.state.libc.max_variable_size:
            l.warning('symbolic VirtualAlloc dwSize %s has maximum %#x, greater than state.libc.max_variable_size %#x',
                      dwSize, size, self.state.libc.max_variable_size)
            size = self.state.libc.max_variable_size

        flagss = self.state.solver.eval_upto(flAllocationType, 2)
        if len(flagss) != 1:
github angr / angr / angr / procedures / posix / sim_time.py View on Github external
if self.state.solver.is_true(tv == 0):
            return -1

        if angr.options.USE_SYSTEM_TIMES in self.state.options:
            flt = time.time()
            result = {'tv_sec': int(flt), 'tv_usec': int(flt * 1000000)}
        else:
            result = {
                'tv_sec': self.state.solver.BVS('tv_sec', self.arch.bits, key=('api', 'gettimeofday', 'tv_sec')),
                'tv_usec': self.state.solver.BVS('tv_usec', self.arch.bits, key=('api', 'gettimeofday', 'tv_usec')),
            }

        self.state.mem[tv].struct.timeval = result
        return 0

class clock_gettime(angr.SimProcedure):
    def run(self, which_clock, timespec_ptr):
        if not self.state.solver.is_true(which_clock == 0):
            raise angr.errors.SimProcedureError("clock_gettime doesn't know how to deal with a clock other than CLOCK_REALTIME")

        if self.state.solver.is_true(timespec_ptr == 0):
            return -1

        if angr.options.USE_SYSTEM_TIMES in self.state.options:
            flt = time.time()
            result = {'tv_sec': int(flt), 'tv_nsec': int(flt * 1000000000)}
        else:
            result = {
                'tv_sec': self.state.solver.BVS('tv_sec', self.arch.bits, key=('api', 'clock_gettime', 'tv_sec')),
                'tv_nsec': self.state.solver.BVS('tv_nsec', self.arch.bits, key=('api', 'clock_gettime', 'tv_nsec')),
            }
github hase-project / hase / hase / symbex / procedures / memory_operation.py View on Github external
class iswspace(SimProcedure):
    def run(self, c) -> claripy.BVV:
        return self.state.solver.Unconstrained("iswspace", 32, uninitialized=False)


class isblank(SimProcedure):
    def run(self, c) -> claripy.BVV:
        return self.state.solver.Unconstrained("isblank", 32, uninitialized=False)


class iswblank(SimProcedure):
    def run(self, c) -> claripy.BVV:
        return self.state.solver.Unconstrained("iswblank", 32, uninitialized=False)


class isprint(SimProcedure):
    def run(self, c) -> claripy.BVV:
        return self.state.solver.Unconstrained("isprint", 32, uninitialized=False)


class iswprint(SimProcedure):
    def run(self, c) -> claripy.BVV:
        return self.state.solver.Unconstrained("iswprint", 32, uninitialized=False)


class ispunct(SimProcedure):
    def run(self, c) -> claripy.BVV:
        return self.state.solver.Unconstrained("ispunct", 32, uninitialized=False)


class iswpunct(SimProcedure):
    def run(self, c) -> claripy.BVV:
github angr / angr / angr / procedures / libc___so___6 / bcopy.py View on Github external
import angr
from angr.sim_type import SimTypeTop, SimTypeLength

import itertools
import logging
l = logging.getLogger("angr.procedures.libc___so___6.bcopy")

bcopy_counter = itertools.count()

class bcopy(angr.SimProcedure):
    #pylint:disable=arguments-differ

    def run(self, dst_addr, src_addr, limit):
        # TODO: some way to say that type(0) == type(1) ?
        self.argument_types = {0: self.ty_ptr(SimTypeTop()),
                               1: self.ty_ptr(SimTypeTop()),
                               2: SimTypeLength(self.state.arch)}

        return self.inline_call(angr.SIM_PROCEDURES['libc.so.6']['memcpy'], dst_addr, src_addr, limit).ret_expr

angr

A multi-architecture binary analysis toolkit, with the ability to perform dynamic symbolic execution and various static analyses on binaries

GitHub
BSD-2-Clause
Latest version published 7 days ago

Package Health Score

88 / 100
Full package analysis

Popular angr functions

Similar packages