Python angr.BP_AFTER Examples
The following are 9
code examples of angr.BP_AFTER().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
angr
, or try the search function
.
.
Example #1
| Source File: new_analysis.py From fidget with BSD 2-Clause "Simplified" License | 6 votes |
|
def __init__(self):
#self.cfg = self.project.analyses.CFGAccurate(keep_state=True, enable_symbolic_back_traversal=True, normalize=True)
self.cfg = self.project.analyses.CFGFast(collect_data_references=True, normalize=True)
self.accesses = {}
self.ty_backend = TypeBackend()
self.global_struct = SimStructAbstract(label='global')
#self.identer = Identifier(self.project, self.cfg)
#self.ident_result = list(self.identer.run())
self.struct_mapping = {}
self.struct_base = 0x40000000
self.pass_results = []
self.function_initial_regs = {}
self.function_return_vals = {}
self.syscall_mapping = self.project._simos.syscall_table
self.initial_state = self.project.factory.blank_state(remove_options={o.SIMPLIFY_MEMORY_WRITES, o.SIMPLIFY_REGISTER_WRITES}, add_options={o.UNSUPPORTED_BYPASS_ZERO_DEFAULT, o.BYPASS_UNSUPPORTED_IROP, o.BYPASS_UNSUPPORTED_IRCCALL, o.AVOID_MULTIVALUED_READS, o.AVOID_MULTIVALUED_WRITES})
self.initial_state.inspect.b('mem_read', when=angr.BP_AFTER, action=self._memory_access)
self.initial_state.inspect.b('mem_write', when=angr.BP_AFTER, action=self._memory_access)
self.initial_state.inspect.b('exit', when=angr.BP_BEFORE, action=self._exit_taken)
for func in self.real_functions(self.cfg):
l.info("Working on %s", func.name)
self._init_analysis(func)
Example #2
| Source File: spectre.py From pitchfork with BSD 3-Clause "New" or "Revised" License | 6 votes |
|
def arm(self, state):
"""
Setup hooks and breakpoints to perform Spectre gadget vulnerability detection.
Also set up concretization to ensure addresses are always made to be OOB when possible.
"""
state.inspect.b('mem_read', when=angr.BP_AFTER, condition=_tainted_read, action=detected_spectre_read)
state.inspect.b('mem_write', when=angr.BP_AFTER, condition=_tainted_write, action=detected_spectre_write)
state.inspect.b('exit', when=angr.BP_BEFORE, condition=_tainted_branch, action=detected_spectre_branch)
state.memory.read_strategies.insert(0, OOBStrategy())
state.memory.write_strategies.insert(0, OOBStrategy())
state.inspect.b('address_concretization', when=angr.BP_AFTER, condition=concretization_succeeded, action=log_concretization)
state.options.add(angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY)
state.options.add(angr.options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS)
state.options.add(angr.options.SYMBOLIC_INITIAL_VALUES)
state.options.add(angr.options.SPECIAL_MEMORY_FILL)
state._special_memory_filler = oob_memory_fill
state.options.add(angr.options.SYMBOLIC_WRITE_ADDRESSES)
self._armed = True
Example #3
| Source File: oob.py From pitchfork with BSD 3-Clause "New" or "Revised" License | 6 votes |
|
def arm(self, state):
"""
Setup hooks and breakpoints to perform bounds tracking.
Also set up concretization to ensure addresses are always made to be OOB when possible.
"""
state.inspect.b('mem_read', when=angr.BP_AFTER, condition=_read_can_be_oob, action=detected_oob_read)
state.inspect.b('mem_write', when=angr.BP_AFTER, condition=_write_can_be_oob, action=detected_oob_write)
state.memory.read_strategies.insert(0, OOBStrategy())
state.memory.write_strategies.insert(0, OOBStrategy())
state.options.add(angr.options.SYMBOLIC_WRITE_ADDRESSES)
state.inspect.b('address_concretization', when=angr.BP_AFTER, condition=concretization_succeeded, action=log_concretization)
self._armed = True
Example #4
| Source File: ct64_angr.py From angr-platforms with BSD 2-Clause "Simplified" License | 6 votes |
|
def state_blank(self, addr=None, **kwargs):
if addr is None:
addr = 0x1000
permissions_backer = (True, {(0, 0xffff): 7})
state = super(SimCT64K, self).state_blank(addr=addr, permissions_backer=permissions_backer, **kwargs)
state.register_plugin('registers', state.memory)
state.memory.id = 'reg'
state.registers.store(0, addr)
state.registers.store(1, state.arch.initial_sp)
state.registers.store(2, state.arch.initial_sp)
state.inspect.b('reg_read', action=self.hard_checker_rd, when=angr.BP_AFTER)
state.inspect.b('reg_write', action=self.hard_checker_wr, when=angr.BP_AFTER)
return state
Example #5
| Source File: trace_additions.py From angr with BSD 2-Clause "Simplified" License | 5 votes |
|
def prep_tracer(state, format_infos=None):
format_infos = [] if format_infos is None else format_infos
state.inspect.b(
'exit',
angr.BP_BEFORE,
action=exit_hook
)
state.inspect.b(
'syscall',
angr.BP_AFTER,
action=syscall_hook
)
state.inspect.b(
'constraints',
angr.BP_BEFORE,
action=constraint_hook
)
if state.has_plugin("chall_resp_info"):
chall_resp_plugin = state.get_plugin("chall_resp_info")
else:
chall_resp_plugin = ChallRespInfo()
for f in format_infos:
chall_resp_plugin.format_infos[f.addr] = f
state.register_plugin("chall_resp_info", chall_resp_plugin)
for addr in chall_resp_plugin.format_infos:
state.project.hook(addr, generic_info_hook, length=0)
# THE ZEN HOOK
Example #6
| Source File: test_inspect.py From angr with BSD 2-Clause "Simplified" License | 5 votes |
|
def test_inspect_exit():
class counts: #pylint:disable=no-init
exit_before = 0
exit_after = 0
def handle_exit_before(state):
counts.exit_before += 1
exit_target = state.inspect.exit_target
nose.tools.assert_equal(state.solver.eval(exit_target), 0x3f8)
# change exit target
state.inspect.exit_target = 0x41414141
nose.tools.assert_equal(state.inspect.exit_jumpkind, "Ijk_Boring")
nose.tools.assert_true(state.inspect.exit_guard.is_true())
def handle_exit_after(state): #pylint:disable=unused-argument
counts.exit_after += 1
s = SimState(arch="AMD64", mode="symbolic")
irsb = pyvex.IRSB(b"\x90\x90\x90\x90\xeb\x0a", mem_addr=1000, arch=archinfo.ArchAMD64())
# break on exit
s.inspect.b('exit', BP_BEFORE, action=handle_exit_before)
s.inspect.b('exit', BP_AFTER, action=handle_exit_after)
# step it
succ = HeavyVEXMixin(None).process(s, irsb=irsb).flat_successors
# check
nose.tools.assert_equal( succ[0].solver.eval(succ[0].ip), 0x41414141)
nose.tools.assert_equal(counts.exit_before, 1)
nose.tools.assert_equal(counts.exit_after, 1)
Example #7
| Source File: test_inspect.py From angr with BSD 2-Clause "Simplified" License | 5 votes |
|
def test_inspect_syscall():
class counts: #pylint:disable=no-init
exit_before = 0
exit_after = 0
def handle_syscall_before(state):
counts.exit_before += 1
syscall_name = state.inspect.syscall_name
nose.tools.assert_equal(syscall_name, "close")
def handle_syscall_after(state):
counts.exit_after += 1
syscall_name = state.inspect.syscall_name
nose.tools.assert_equal(syscall_name, "close")
s = SimState(arch="AMD64", mode="symbolic")
# set up to call so syscall close
s.regs.rax = 3
s.regs.rdi = 2
# break on syscall
s.inspect.b('syscall', BP_BEFORE, action=handle_syscall_before)
s.inspect.b('syscall', BP_AFTER, action=handle_syscall_after)
# step it
proc = SIM_PROCEDURES['posix']['close'](is_syscall=True)
ProcedureEngine(None).process(s, procedure=proc, ret_to=s.ip)
# check counts
nose.tools.assert_equal(counts.exit_before, 1)
nose.tools.assert_equal(counts.exit_after, 1)
Example #8
| Source File: inspect.py From angr-utils with BSD 2-Clause "Simplified" License | 5 votes |
|
def consolidate_reverse_exprs(initial_state):
"""
Tries to simplify the Reverse(Extract(Reverse())) pattern in expressions.
NOTE: Experimental! Maybe not working correctly, use it with care!
"""
initial_state.inspect.b('mem_read', when=angr.BP_AFTER, action=_read_consolidate)
initial_state.inspect.b('reg_read', when=angr.BP_AFTER, action=_read_consolidate)
Example #9
| Source File: test_inspect.py From angr with BSD 2-Clause "Simplified" License | 4 votes |
|
def test_inspect_engine_process():
p = angr.Project(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', '..', 'binaries', 'tests', 'x86_64', 'fauxware'))
constraints = []
def check_first_symbolic_fork(state):
succs = state.inspect.sim_successors.successors
succ_addr = [hex(s.addr) for s in succs]
nose.tools.assert_equal(len(succ_addr), 2)
nose.tools.assert_in('0x400692L', succ_addr)
nose.tools.assert_in('0x400699L', succ_addr)
print('Fork after:', hex(state.addr))
print('Successors:', succ_addr)
def check_second_symbolic_fork(state):
succs = state.inspect.sim_successors.successors
succ_addr = [hex(s.addr) for s in succs]
nose.tools.assert_equal(len(succ_addr), 2)
nose.tools.assert_in('0x4006dfL', succ_addr)
nose.tools.assert_in('0x4006e6L', succ_addr)
print('Fork after:', hex(state.addr))
print('Successors:', succ_addr)
def first_symbolic_fork(state):
return hex(state.addr) == '0x40068eL' \
and isinstance(state.inspect.sim_engine, HeavyVEXMixin)
# TODO: I think this latter check is meaningless with the eleventh hour refactor
def second_symbolic_fork(state):
return hex(state.addr) == '0x4006dbL' \
and isinstance(state.inspect.sim_engine, HeavyVEXMixin)
def check_state(state):
nose.tools.assert_in(hex(state.inspect.sim_successors.addr), ('0x40068eL', '0x4006dbL'))
state = p.factory.entry_state(addr=p.loader.find_symbol('main').rebased_addr)
pg = p.factory.simulation_manager(state)
state.inspect.b('engine_process',
when=BP_BEFORE,
action=check_state,
condition=first_symbolic_fork)
state.inspect.b('engine_process',
when=BP_AFTER,
action=check_first_symbolic_fork,
condition=first_symbolic_fork)
pg.run()
state = p.factory.entry_state(addr=p.loader.find_symbol('main').rebased_addr)
pg = p.factory.simulation_manager(state)
state.inspect.b('engine_process',
when=BP_BEFORE,
action=check_state,
condition=second_symbolic_fork)
state.inspect.b('engine_process',
when=BP_AFTER,
action=check_second_symbolic_fork,
condition=second_symbolic_fork)
pg.run()
