本文整理汇总了Python中angr.BP_AFTER属性的典型用法代码示例。如果您正苦于以下问题:Python angr.BP_AFTER属性的具体用法?Python angr.BP_AFTER怎么用?Python angr.BP_AFTER使用的例子?那么恭喜您, 这里精选的属性代码示例或许可以为您提供帮助。您也可以进一步了解该属性所在类angr的用法示例。
在下文中一共展示了angr.BP_AFTER属性的9个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: __init__
# 需要导入模块: import angr [as 别名]
# 或者: from angr import BP_AFTER [as 别名]
def __init__(self):
#self.cfg = self.project.analyses.CFGAccurate(keep_state=True, enable_symbolic_back_traversal=True, normalize=True)
self.cfg = self.project.analyses.CFGFast(collect_data_references=True, normalize=True)
self.accesses = {}
self.ty_backend = TypeBackend()
self.global_struct = SimStructAbstract(label='global')
#self.identer = Identifier(self.project, self.cfg)
#self.ident_result = list(self.identer.run())
self.struct_mapping = {}
self.struct_base = 0x40000000
self.pass_results = []
self.function_initial_regs = {}
self.function_return_vals = {}
self.syscall_mapping = self.project._simos.syscall_table
self.initial_state = self.project.factory.blank_state(remove_options={o.SIMPLIFY_MEMORY_WRITES, o.SIMPLIFY_REGISTER_WRITES}, add_options={o.UNSUPPORTED_BYPASS_ZERO_DEFAULT, o.BYPASS_UNSUPPORTED_IROP, o.BYPASS_UNSUPPORTED_IRCCALL, o.AVOID_MULTIVALUED_READS, o.AVOID_MULTIVALUED_WRITES})
self.initial_state.inspect.b('mem_read', when=angr.BP_AFTER, action=self._memory_access)
self.initial_state.inspect.b('mem_write', when=angr.BP_AFTER, action=self._memory_access)
self.initial_state.inspect.b('exit', when=angr.BP_BEFORE, action=self._exit_taken)
for func in self.real_functions(self.cfg):
l.info("Working on %s", func.name)
self._init_analysis(func) 示例2: arm
# 需要导入模块: import angr [as 别名]
# 或者: from angr import BP_AFTER [as 别名]
def arm(self, state):
"""
Setup hooks and breakpoints to perform Spectre gadget vulnerability detection.
Also set up concretization to ensure addresses are always made to be OOB when possible.
"""
state.inspect.b('mem_read', when=angr.BP_AFTER, condition=_tainted_read, action=detected_spectre_read)
state.inspect.b('mem_write', when=angr.BP_AFTER, condition=_tainted_write, action=detected_spectre_write)
state.inspect.b('exit', when=angr.BP_BEFORE, condition=_tainted_branch, action=detected_spectre_branch)
state.memory.read_strategies.insert(0, OOBStrategy())
state.memory.write_strategies.insert(0, OOBStrategy())
state.inspect.b('address_concretization', when=angr.BP_AFTER, condition=concretization_succeeded, action=log_concretization)
state.options.add(angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY)
state.options.add(angr.options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS)
state.options.add(angr.options.SYMBOLIC_INITIAL_VALUES)
state.options.add(angr.options.SPECIAL_MEMORY_FILL)
state._special_memory_filler = oob_memory_fill
state.options.add(angr.options.SYMBOLIC_WRITE_ADDRESSES)
self._armed = True 示例3: arm
# 需要导入模块: import angr [as 别名]
# 或者: from angr import BP_AFTER [as 别名]
def arm(self, state):
"""
Setup hooks and breakpoints to perform bounds tracking.
Also set up concretization to ensure addresses are always made to be OOB when possible.
"""
state.inspect.b('mem_read', when=angr.BP_AFTER, condition=_read_can_be_oob, action=detected_oob_read)
state.inspect.b('mem_write', when=angr.BP_AFTER, condition=_write_can_be_oob, action=detected_oob_write)
state.memory.read_strategies.insert(0, OOBStrategy())
state.memory.write_strategies.insert(0, OOBStrategy())
state.options.add(angr.options.SYMBOLIC_WRITE_ADDRESSES)
state.inspect.b('address_concretization', when=angr.BP_AFTER, condition=concretization_succeeded, action=log_concretization)
self._armed = True 示例4: state_blank
# 需要导入模块: import angr [as 别名]
# 或者: from angr import BP_AFTER [as 别名]
def state_blank(self, addr=None, **kwargs):
if addr is None:
addr = 0x1000
permissions_backer = (True, {(0, 0xffff): 7})
state = super(SimCT64K, self).state_blank(addr=addr, permissions_backer=permissions_backer, **kwargs)
state.register_plugin('registers', state.memory)
state.memory.id = 'reg'
state.registers.store(0, addr)
state.registers.store(1, state.arch.initial_sp)
state.registers.store(2, state.arch.initial_sp)
state.inspect.b('reg_read', action=self.hard_checker_rd, when=angr.BP_AFTER)
state.inspect.b('reg_write', action=self.hard_checker_wr, when=angr.BP_AFTER)
return state 示例5: prep_tracer
# 需要导入模块: import angr [as 别名]
# 或者: from angr import BP_AFTER [as 别名]
def prep_tracer(state, format_infos=None):
format_infos = [] if format_infos is None else format_infos
state.inspect.b(
'exit',
angr.BP_BEFORE,
action=exit_hook
)
state.inspect.b(
'syscall',
angr.BP_AFTER,
action=syscall_hook
)
state.inspect.b(
'constraints',
angr.BP_BEFORE,
action=constraint_hook
)
if state.has_plugin("chall_resp_info"):
chall_resp_plugin = state.get_plugin("chall_resp_info")
else:
chall_resp_plugin = ChallRespInfo()
for f in format_infos:
chall_resp_plugin.format_infos[f.addr] = f
state.register_plugin("chall_resp_info", chall_resp_plugin)
for addr in chall_resp_plugin.format_infos:
state.project.hook(addr, generic_info_hook, length=0)
# THE ZEN HOOK 示例6: test_inspect_exit
# 需要导入模块: import angr [as 别名]
# 或者: from angr import BP_AFTER [as 别名]
def test_inspect_exit():
class counts: #pylint:disable=no-init
exit_before = 0
exit_after = 0
def handle_exit_before(state):
counts.exit_before += 1
exit_target = state.inspect.exit_target
nose.tools.assert_equal(state.solver.eval(exit_target), 0x3f8)
# change exit target
state.inspect.exit_target = 0x41414141
nose.tools.assert_equal(state.inspect.exit_jumpkind, "Ijk_Boring")
nose.tools.assert_true(state.inspect.exit_guard.is_true())
def handle_exit_after(state): #pylint:disable=unused-argument
counts.exit_after += 1
s = SimState(arch="AMD64", mode="symbolic")
irsb = pyvex.IRSB(b"\x90\x90\x90\x90\xeb\x0a", mem_addr=1000, arch=archinfo.ArchAMD64())
# break on exit
s.inspect.b('exit', BP_BEFORE, action=handle_exit_before)
s.inspect.b('exit', BP_AFTER, action=handle_exit_after)
# step it
succ = HeavyVEXMixin(None).process(s, irsb=irsb).flat_successors
# check
nose.tools.assert_equal( succ[0].solver.eval(succ[0].ip), 0x41414141)
nose.tools.assert_equal(counts.exit_before, 1)
nose.tools.assert_equal(counts.exit_after, 1) 示例7: test_inspect_syscall
# 需要导入模块: import angr [as 别名]
# 或者: from angr import BP_AFTER [as 别名]
def test_inspect_syscall():
class counts: #pylint:disable=no-init
exit_before = 0
exit_after = 0
def handle_syscall_before(state):
counts.exit_before += 1
syscall_name = state.inspect.syscall_name
nose.tools.assert_equal(syscall_name, "close")
def handle_syscall_after(state):
counts.exit_after += 1
syscall_name = state.inspect.syscall_name
nose.tools.assert_equal(syscall_name, "close")
s = SimState(arch="AMD64", mode="symbolic")
# set up to call so syscall close
s.regs.rax = 3
s.regs.rdi = 2
# break on syscall
s.inspect.b('syscall', BP_BEFORE, action=handle_syscall_before)
s.inspect.b('syscall', BP_AFTER, action=handle_syscall_after)
# step it
proc = SIM_PROCEDURES['posix']['close'](is_syscall=True)
ProcedureEngine(None).process(s, procedure=proc, ret_to=s.ip)
# check counts
nose.tools.assert_equal(counts.exit_before, 1)
nose.tools.assert_equal(counts.exit_after, 1) 示例8: consolidate_reverse_exprs
# 需要导入模块: import angr [as 别名]
# 或者: from angr import BP_AFTER [as 别名]
def consolidate_reverse_exprs(initial_state):
"""
Tries to simplify the Reverse(Extract(Reverse())) pattern in expressions.
NOTE: Experimental! Maybe not working correctly, use it with care!
"""
initial_state.inspect.b('mem_read', when=angr.BP_AFTER, action=_read_consolidate)
initial_state.inspect.b('reg_read', when=angr.BP_AFTER, action=_read_consolidate) 示例9: test_inspect_engine_process
# 需要导入模块: import angr [as 别名]
# 或者: from angr import BP_AFTER [as 别名]
def test_inspect_engine_process():
p = angr.Project(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', '..', 'binaries', 'tests', 'x86_64', 'fauxware'))
constraints = []
def check_first_symbolic_fork(state):
succs = state.inspect.sim_successors.successors
succ_addr = [hex(s.addr) for s in succs]
nose.tools.assert_equal(len(succ_addr), 2)
nose.tools.assert_in('0x400692L', succ_addr)
nose.tools.assert_in('0x400699L', succ_addr)
print('Fork after:', hex(state.addr))
print('Successors:', succ_addr)
def check_second_symbolic_fork(state):
succs = state.inspect.sim_successors.successors
succ_addr = [hex(s.addr) for s in succs]
nose.tools.assert_equal(len(succ_addr), 2)
nose.tools.assert_in('0x4006dfL', succ_addr)
nose.tools.assert_in('0x4006e6L', succ_addr)
print('Fork after:', hex(state.addr))
print('Successors:', succ_addr)
def first_symbolic_fork(state):
return hex(state.addr) == '0x40068eL' \
and isinstance(state.inspect.sim_engine, HeavyVEXMixin)
# TODO: I think this latter check is meaningless with the eleventh hour refactor
def second_symbolic_fork(state):
return hex(state.addr) == '0x4006dbL' \
and isinstance(state.inspect.sim_engine, HeavyVEXMixin)
def check_state(state):
nose.tools.assert_in(hex(state.inspect.sim_successors.addr), ('0x40068eL', '0x4006dbL'))
state = p.factory.entry_state(addr=p.loader.find_symbol('main').rebased_addr)
pg = p.factory.simulation_manager(state)
state.inspect.b('engine_process',
when=BP_BEFORE,
action=check_state,
condition=first_symbolic_fork)
state.inspect.b('engine_process',
when=BP_AFTER,
action=check_first_symbolic_fork,
condition=first_symbolic_fork)
pg.run()
state = p.factory.entry_state(addr=p.loader.find_symbol('main').rebased_addr)
pg = p.factory.simulation_manager(state)
state.inspect.b('engine_process',
when=BP_BEFORE,
action=check_state,
condition=second_symbolic_fork)
state.inspect.b('engine_process',
when=BP_AFTER,
action=check_second_symbolic_fork,
condition=second_symbolic_fork)
pg.run()