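def test_hammer_controller_qemu_tracer():
    """End-to-end check that rex exploits the hammer_controller image under a QEMU tracer.

    Builds the docker image, starts the target, traces a 120-byte overflow
    crash and expects the ``rop_chess_control`` technique to be present in
    the resulting exploit arsenal and to be able to emit its script.

    The target is used as a context manager so the started container is
    torn down on every exit path, including a failed assertion.
    """
    build_docker()
    with archr.targets.DockerImageTarget('rex_tests:hammer_controller').build().start() as t:
        tb = archr.arsenal.QEMUTracerBow(t)
        # 120 bytes of 0x41 plus a trailing newline is the crashing input used for this image.
        crash = rex.Crash(t, b"\x41" * 120 + b'\n', aslr=False, tracer_bow=tb)
        exploit = crash.exploit()
        assert 'rop_chess_control' in exploit.arsenal
        # Emit the script once with no argument and once to the file "x2.py".
        exploit.arsenal['rop_chess_control'].script()
        exploit.arsenal['rop_chess_control'].script("x2.py")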
def do_qemu(self, t):
    """Fire a QEMU tracer against *t* and return the flight's process object.

    Note that the return happens inside the ``fire_context`` block, so the
    context is exited before the caller receives the process.
    """
    bow = archr.arsenal.QEMUTracerBow(t)
    with bow.fire_context() as flight:
        return flight.process
def crash_on_input_checks(self, t):
    """Send a 120-byte overflow to *t* through a QEMU tracer and assert it crashed.

    A core file is requested via ``save_core=True``; the write side of the
    channel is shut down after sending so the target sees end-of-input.
    Nothing is read back from the target before checking the result.
    """
    payload = b"A" * 120
    bow = archr.arsenal.QEMUTracerBow(t)
    with bow.fire_context(save_core=True) as flight:
        channel = flight.default_channel
        channel.send(payload)
        channel.shutdown_wr()
        #flight.default_channel.recvall()
        assert flight.result.crashed
def test_arrow_injection_local(self):
    """Check that building a QEMUTracerBow injects the ``fire`` helper into a local target.

    The bow instance itself is not used; constructing it is what places the
    script under ``<tmpwd>/shellphish_qemu/fire``. The assertion only checks
    that the retrieved file starts with a ``#!/bin/sh`` shebang.
    """
    tests_dir = os.path.dirname(__file__)
    crasher = os.path.join(tests_dir, "dockers", "crasher", "crasher")
    target = archr.targets.LocalTarget([crasher]).build().start()
    with target as t:
        archr.arsenal.QEMUTracerBow(t)
        fire_path = os.path.join(t.tmpwd, "shellphish_qemu", "fire")
        injected = t.retrieve_contents(fire_path)
        assert injected.startswith(b"#!/bin/sh")
def crasher_checks(self, t):
    """Run the crasher target under a QEMU tracer and validate the recorded crash.

    Asserts a non-trivial trace length, no timeout, a SIGSEGV at the
    expected program counter, and that the saved core file exists and is
    non-empty.
    """
    # The crash address is specific to the crasher binary shipped with the tests.
    expected_pc = 0x400000060a
    bow = archr.arsenal.QEMUTracerBow(t)
    result = bow.fire(save_core=True)
    # arbitrary check: the trace should be reasonably long
    assert len(result.trace) > 100
    assert not result.timed_out
    assert result.crashed
    assert result.crash_address == expected_pc
    assert result.signal == signal.SIGSEGV
    core = result.core_path
    assert os.path.exists(core)
    assert os.path.getsize(core) > 0
def shellcode_checks(self, t):
    """Send a 272-byte overflow to *t* through a QEMU tracer and assert a clean crash.

    ``save_core=True`` requests a core file; the channel's write side is
    shut down after sending. The flight must neither time out nor survive
    the input. Nothing is read back from the target before checking.
    """
    payload = b"A" * 272
    bow = archr.arsenal.QEMUTracerBow(t)
    with bow.fire_context(save_core=True) as flight:
        channel = flight.default_channel
        channel.send(payload)
        channel.shutdown_wr()
        #flight.default_channel.recvall()
        outcome = flight.result
        assert not outcome.timed_out
        assert outcome.crashed
:param prev_state: The predecessor of the final crash state.
angrop-related settings:
:param rop_cache_tuple: A angrop tuple to load from.
:param use_rop: Whether or not to use rop.
:param angrop_object: An angrop object, should only be set by exploration methods.
"""
self.target = target # type: archr.targets.Target
self.constrained_addrs = [ ] if constrained_addrs is None else constrained_addrs
self.hooks = {} if hooks is None else hooks
self.use_crash_input = use_crash_input
self.input_type = input_type
self.target_port = port
self.crash = crash
self.tracer_bow = tracer_bow if tracer_bow is not None else archr.arsenal.QEMUTracerBow(self.target)
self.explore_steps = explore_steps
if self.explore_steps > 10:
raise CannotExploit("Too many steps taken during crash exploration")
self._use_rop = use_rop
self._rop_fast_mode = fast_mode
self._rop_cache_tuple = rop_cache_tuple
self.angr_project_bow = None
self.project = None
self.binary = None
self.rop = None
self.initial_state = None
self.state = None
self.prev = None
The following parameters are deprecated. Use checkpoint_path instead.
:param initial_state: The initial state of exploitation.
:param crash_state: An already traced crash state.
:param prev_path: Path leading up to the crashing block.
"""
self.target = target # type: archr.targets.Target
self.constrained_addrs = [ ] if constrained_addrs is None else constrained_addrs
self.hooks = {} if hooks is None else hooks
self.explore_steps = explore_steps
self.use_crash_input = use_crash_input
self.input_type = input_type
self.target_port = port
self.crash = crash
self.tracer_bow = tracer_bow if tracer_bow is not None else archr.arsenal.QEMUTracerBow(self.target)
if self.explore_steps > 10:
raise CannotExploit("Too many steps taken during crash exploration")
# Initialize an angr Project
dsb = archr.arsenal.DataScoutBow(self.target)
self.angr_project_bow = archr.arsenal.angrProjectBow(self.target, dsb)
self.project = self.angr_project_bow.fire()
self.binary = self.target.resolve_local_path(self.target.target_path)
# Add custom hooks
for addr, proc in self.hooks.items():
self.project.hook(addr, proc)
l.debug("Hooking %#x -> %s...", addr, proc.display_name)
# ROP-related stuff