本文整理汇总了Python中angr.SIM_PROCEDURES属性的典型用法代码示例。如果您正苦于以下问题:Python angr.SIM_PROCEDURES属性的具体用法?Python angr.SIM_PROCEDURES怎么用?Python angr.SIM_PROCEDURES使用的例子?那么恭喜您, 这里精选的属性代码示例或许可以为您提供帮助。您也可以进一步了解该属性所在类angr的用法示例。
在下文中一共展示了angr.SIM_PROCEDURES属性的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: _convert_node
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SIM_PROCEDURES [as 别名]
def _convert_node(self, node: Definition, converted: Dict[Definition,QDepGraphBlock]) -> Optional[QDepGraphBlock]:
    """
    Return the graph block for ``node``, creating and caching it on first use.

    :param node:      The definition to convert.
    :param converted: Cache of already converted definitions; a newly created block is added to it.
    :return:          The block for ``node``, or None when the node is skipped: its code location is
                      external, or its block address is hooked by one of the two unresolvable-target
                      stubs.
    """
    if node in converted:
        return converted[node]

    # Definitions that live outside the analysed code get no graph node.
    if isinstance(node.codeloc, ExternalCodeLocation):
        return None

    project = self.workspace.instance.project
    block_addr = node.codeloc.block_addr
    if project.is_hooked(block_addr):
        hook = project.hooked_by(block_addr)
        unresolvable_stubs = (
            SIM_PROCEDURES['stubs']['UnresolvableJumpTarget'],
            SIM_PROCEDURES['stubs']['UnresolvableCallTarget'],
        )
        # A hook standing in for an unresolved jump/call target is not shown either.
        if isinstance(hook, unresolvable_stubs):
            return None

    block = QDepGraphBlock(False, self, definition=node, addr=node.codeloc.ins_addr)
    converted[node] = block
    return block
示例2: process_successors
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SIM_PROCEDURES [as 别名]
def process_successors(self, successors, **kwargs):
    """
    Run the handler procedure for a system call that the previous step ended on.

    When the parent history entry's jumpkind does not start with ``Ijk_Sys`` the request is
    forwarded to the next ``process_successors`` via ``super()``. Otherwise the procedure
    returned by ``project.simos.syscall`` is executed. If no procedure is returned, a generic
    ``stubs``/``syscall`` procedure is substituted, but only when the state carries the
    ``BYPASS_UNSUPPORTED_SYSCALL`` option.

    NOTE(review): after a bypassed syscall the state reflects the generic stub rather than the
    real call; confirm that is acceptable for whatever conclusions are drawn from the analysis.

    :param successors: Successors object passed on to ``process_procedure``.
    :param kwargs:     Forwarded unchanged.
    :raises AngrUnsupportedSyscallError: No procedure was resolved and the bypass option is unset.
    """
    state = self.state

    # Execution has already moved one step past the syscall, so the jumpkind that matters is the
    # one recorded on the parent history entry.
    arrived_via_syscall = bool(
        state.history
        and state.history.parent
        and state.history.parent.jumpkind
        and state.history.parent.jumpkind.startswith('Ijk_Sys')
    )
    if not arrived_via_syscall:
        return super().process_successors(successors, **kwargs)

    l.debug("Invoking system call handler")
    sys_procedure = self.project.simos.syscall(state)

    if sys_procedure is None:
        if angr.sim_options.BYPASS_UNSUPPORTED_SYSCALL not in state.options:
            raise AngrUnsupportedSyscallError("Trying to perform a syscall on an emulated system which is not currently cofigured to support syscalls. To resolve this, make sure that your SimOS is a subclass of SimUserspace, or set the BYPASS_UNSUPPORTED_SYSCALL state option.")

        # Pick a calling convention for the stub: arch/OS specific first, then the arch default.
        try:
            cc = angr.SYSCALL_CC[state.arch.name][state.os_name](state.arch)
        except KeyError:
            try:
                l.warning("No syscall calling convention available for %s/%s", state.arch.name, state.os_name)
                cc = angr.SYSCALL_CC[state.arch.name]['default'](state.arch)
            except KeyError:
                # Leave it unset; a default is chosen further down the line.
                cc = None

        sys_procedure = angr.SIM_PROCEDURES['stubs']['syscall'](cc=cc)

    return self.process_procedure(state, successors, sys_procedure, **kwargs)
示例3: run
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SIM_PROCEDURES [as 别名]
def run(self, src, fmt, one, two, three): #pylint:disable=unused-argument
    """
    Split the buffer at ``src`` into three fixed-size fields, each ending in a zero byte.

    Copies 5 bytes from ``src`` to ``one``, 8192 bytes from ``src+6`` to ``two`` and 12 bytes
    from ``src+6+8193`` to ``three``; after each copy the last byte of the destination is
    overwritten with zero. ``fmt`` is ignored.

    NOTE(review): the lengths are fixed and nothing here compares them with the size of the
    destination buffers; presumably the hooked caller provides buffers that large -- confirm.

    :return: ``solver.BVV(3)``.
    """
    state = self.state
    memcpy = angr.SIM_PROCEDURES['libc']['memcpy']

    # Field 1: 5 bytes, terminator at index 4.
    self.inline_call(memcpy, one, src, 5)
    state.memory.store(one+4, state.solver.BVV(0, 8))

    # Field 2: 8192 bytes starting 6 bytes into the source, terminator at index 8191.
    self.inline_call(memcpy, two, src+6, 8192)
    state.memory.store(two+8191, state.solver.BVV(0, 8))

    # Field 3: 12 bytes starting 8193 bytes after field 2's source, terminator at index 11.
    self.inline_call(memcpy, three, src+6+8193, 12)
    state.memory.store(three+11, state.solver.BVV(0, 8))

    # Disabled experiment that pinned the second field to a fixed string.
    # NOTE(review): the literals below look like a credential pair; prefer a placeholder over
    # keeping such values in source.
    #if angr.o.SYMBOLIC in self.state.options:
    #    #crazy_str = "index.asp?authorization=M3NhZG1pbjoyNzk4ODMwMw==&yan=yes\x00"
    #    #crazy_str = "index.asp?authorization=3sadmin:27988303&yan=yes\x00"
    #    crazy_str = "authorization=3sadmin:27988303\x00"
    #    self.state.add_constraints(self.state.memory.load(two, len(crazy_str)) == self.state.solver.BVV(crazy_str))

    # NOTE(review): no bit width is given for this value; confirm the solver in the angr version
    # in use accepts an integer BVV without one.
    return state.solver.BVV(3)
示例4: test_clock_gettime
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SIM_PROCEDURES [as 别名]
def test_clock_gettime():
    """
    Check that clock_gettime writes concrete values only when USE_SYSTEM_TIMES is set.

    The procedure is executed twice on the same amd64 state with rdi = 0 and rsi = 0x8000: first
    with the option enabled (both qwords at 0x8000 and 0x8008 must be concrete), then with it
    removed (both must be symbolic).
    """
    result_addrs = (0x8000, 0x8008)

    clock_gettime = angr.SIM_PROCEDURES['posix']['clock_gettime']()
    state = angr.SimState(arch='amd64')
    state.regs.rdi = 0
    state.regs.rsi = 0x8000

    state.options.add(angr.options.USE_SYSTEM_TIMES)
    clock_gettime.execute(state)
    for addr in result_addrs:
        assert not state.mem[addr].qword.resolved.symbolic

    state.options.discard(angr.options.USE_SYSTEM_TIMES)
    clock_gettime.execute(state)
    for addr in result_addrs:
        assert state.mem[addr].qword.resolved.symbolic
示例5: test_pwrite
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SIM_PROCEDURES [as 别名]
def test_pwrite():
    """
    Check that pwrite64 overwrites bytes at the given file offset.

    Writes the five bytes ``test!`` at offset 6 of a file holding ``hello world!\\n`` and expects
    the file to read back as ``hello test!!\\n``.
    """
    pwrite = SIM_PROCEDURES['posix']['pwrite64']()

    state = SimState(arch="AMD64", mode='symbolic')
    state.fs.insert('test', SimFile('concrete_file', content='hello world!\n'))
    fd = state.posix.open(b"test", 1)

    # Stage the payload in memory, then write 5 bytes of it at file offset 6.
    payload_addr = 0xd0000000
    state.memory.store(payload_addr, b'test!')
    pwrite.execute(state, arguments=[fd, payload_addr, 5, 6])

    # Rewind the descriptor and read all 13 bytes of the file back into memory.
    readback_addr = 0xc0000000
    simfd = state.posix.get_fd(fd)
    simfd.seek(0)
    simfd.read(readback_addr, 13)

    contents = state.solver.eval(state.mem[readback_addr].string.resolved, cast_to=bytes)
    nose.tools.assert_true(contents == b'hello test!!\n')

    state.posix.close(fd)
示例6: test_pread
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SIM_PROCEDURES [as 别名]
def test_pread():
    """
    Check that pread64 reads from the requested file offset.

    Against a file holding ``hello world!\\n``: 6 bytes at offset 6 must yield ``world!`` and
    5 bytes at offset 0 must yield ``hello``.
    """
    pread = SIM_PROCEDURES['posix']['pread64']()

    state = SimState(arch="AMD64", mode='symbolic')
    state.fs.insert('test', SimFile('concrete_file', content='hello world!\n'))
    fd = state.posix.open(b"test", 1)

    tail_addr = 0xd0000000
    head_addr = 0xd0001000

    # The second read uses a lower offset than the first one.
    pread.execute(state, arguments=[fd, tail_addr, 6, 6])
    pread.execute(state, arguments=[fd, head_addr, 5, 0])

    tail = state.solver.eval(state.mem[tail_addr].string.resolved, cast_to=bytes)
    head = state.solver.eval(state.mem[head_addr].string.resolved, cast_to=bytes)

    nose.tools.assert_true(tail == b'world!')
    nose.tools.assert_true(head == b'hello')

    state.posix.close(fd)
示例7: test_simproc_drilling
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SIM_PROCEDURES [as 别名]
def test_simproc_drilling():
    """
    Test drilling on the cgc binary palindrome with simprocedures.

    The address 0x8048200 is hooked with angr's libc ``memcmp`` model, and the test passes when
    at least one generated input starts with the expected password.
    """
    target = os.path.join(bin_location, "tests/i386/driller_simproc")
    hooks = {0x8048200: angr.SIM_PROCEDURES['libc']['memcmp']()}

    seed_input = b"A"*0x80
    # A bitmap of all 0xff bytes: fuzzbitmap says every transition is worth satisfying.
    fuzz_bitmap = b"\xff"*65535

    d = driller.Driller(target, seed_input, fuzz_bitmap, "whatever~", hooks=hooks)
    new_inputs = d.drill()

    # Make sure driller produced a new input which satisfies the memcmp.
    password = b"the_secret_password_is_here_you_will_never_guess_it_especially_since_it_is_going_to_be_made_lower_case"
    nose.tools.assert_true(any(entry[1].startswith(password) for entry in new_inputs))
示例8: setup_project
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SIM_PROCEDURES [as 别名]
def setup_project():
    """
    Load ``crypto.mod`` and hook the grub functions it depends on.

    ``grub_memset`` and ``grub_getkey`` are replaced by angr's libc ``memset`` and ``getchar``
    models. ``grub_xputs`` is handled as a pointer: a fresh extern address is hooked with a
    ``ReturnUnconstrained`` stub and that address is written into the symbol's location.

    :return: The prepared project.
    """
    project = angr.Project('crypto.mod')

    libc = angr.SIM_PROCEDURES['libc']
    stubs = angr.SIM_PROCEDURES['stubs']

    # libc models stand in for the grub functions of the same purpose.
    memset_cls = libc['memset']
    getchar_cls = libc['getchar']
    noop_cls = stubs['ReturnUnconstrained']

    project.hook_symbol('grub_memset', memset_cls())
    project.hook_symbol('grub_getkey', getchar_cls())

    # grub_xputs apparently names a pointer to the function rather than the function itself, so
    # allocate a stub target and store its address where the symbol points.
    pointer_slot = project.loader.find_symbol('grub_xputs').rebased_addr
    stub_addr = project.loader.extern_object.allocate()
    project.hook(stub_addr, noop_cls())
    project.loader.memory.pack_word(pointer_slot, stub_addr)

    return project
示例9: main
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SIM_PROCEDURES [as 别名]
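def main(argv):
    """
    Explore the binary named by ``argv[1]`` and print a stdin input that makes it print 'Good Job.'.

    Four fixed addresses are hooked with angr's models of ``printf``, ``scanf``, ``puts`` and
    ``__libc_start_main`` before exploration starts. States whose stdout contains 'Try again.'
    are avoided.

    :param argv: Command-line arguments; ``argv[1]`` is the path of the binary.
    :raises Exception: No state printing 'Good Job.' was found.
    """
    path_to_binary = argv[1]
    project = angr.Project(path_to_binary)
    initial_state = project.factory.entry_state()

    # The addresses are hard-coded, so they only fit the binary they were taken from.
    library_hooks = (
        (0x804ed40, 'libc', 'printf'),
        (0x804ed80, 'libc', 'scanf'),
        (0x804f350, 'libc', 'puts'),
        (0x8048d10, 'glibc', '__libc_start_main'),
    )
    for address, library, function in library_hooks:
        project.hook(address, angr.SIM_PROCEDURES[library][function]())

    simulation = project.factory.simgr(initial_state)

    # posix.dumps() returns bytes on Python 3, so the markers are bytes literals; on Python 2 a
    # bytes literal is a plain str, which keeps the comparison valid there too.
    def is_successful(state):
        """Return True once 'Good Job.' appears in what the state has written to stdout."""
        stdout_output = state.posix.dumps(sys.stdout.fileno())
        return b'Good Job.' in stdout_output

    # Returning False lets angr keep stepping the state. In this challenge the only sign that a
    # state is hopeless is the program printing "Try again."
    def should_abort(state):
        """Return True once 'Try again.' appears in what the state has written to stdout."""
        stdout_output = state.posix.dumps(sys.stdout.fileno())
        return b'Try again.' in stdout_output

    # Explore until some state satisfies is_successful, dropping states should_abort rejects.
    simulation.explore(find=is_successful, avoid=should_abort)

    if not simulation.found:
        raise Exception('Could not find the solution')

    solution_state = simulation.found[0]
    # print() with a single argument works as a function call and as a Python 2 statement.
    print(solution_state.posix.dumps(sys.stdin.fileno()))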
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SIM_PROCEDURES [as 别名]
def search_simproc(name):
    """
    Look ``name`` up in every library of ``angr.SIM_PROCEDURES`` and return the first hit.

    Libraries are visited in the mapping's iteration order. Within a library the exact name is
    tried first; if ``name`` starts with an underscore, the name without that one leading
    underscore is tried next. A stripped-name hit in an earlier library therefore takes
    precedence over an exact hit in a later one.

    :param name: Function name to search for.
    :return:     The matching entry, or None when no library contains one.
    """
    import angr

    for procedures in angr.SIM_PROCEDURES.values():
        if name in procedures:
            return procedures[name]

        without_underscore = name[1:]
        if name.startswith("_") and without_underscore in procedures:
            return procedures[without_underscore]

    return None
示例11: _initialize_b_loc_table
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SIM_PROCEDURES [as 别名]
def _initialize_b_loc_table(self):
    """
    Initialize ptable for ctype

    See __ctype_b_loc.c in libc implementation

    Allocates a 768-byte table and a pointer-sized cell, writes each value of
    ``state.libc.LOCALE_ARRAY`` into the table as a 16-bit entry, stores the table address plus
    256 in the cell and records the cell in ``state.libc.ctype_b_loc_table_ptr``.

    NOTE(review): the 768-byte allocation is not checked against ``len(LOCALE_ARRAY) * 2``;
    presumably the array has 384 entries -- confirm. The entry stores also pass no ``endness``;
    verify the array values are already in the byte order the consumers expect.
    """
    state = self.state
    malloc = angr.SIM_PROCEDURES['libc']['malloc']

    table = self.inline_call(malloc, 768).ret_expr
    table_ptr = self.inline_call(malloc, state.arch.bytes).ret_expr

    # Each entry is 2 bytes
    entry_bytes = 2
    for index, value in enumerate(state.libc.LOCALE_ARRAY):
        state.memory.store(
            table + (index * entry_bytes),
            state.solver.BVV(value, 16),
            inspect=False,
            disable_actions=True,
        )

    # Offset for negative chars: skip 128 entries of 2 bytes each (256 bytes), so that index
    # -128 lands on the first byte of the allocation.
    biased_table = table + 256
    state.memory.store(
        table_ptr,
        biased_table,
        size=state.arch.bytes,
        endness=state.arch.memory_endness,
        inspect=False,
        disable_actions=True,
    )

    state.libc.ctype_b_loc_table_ptr = table_ptr
示例12: _initialize_tolower_loc_table
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SIM_PROCEDURES [as 别名]
def _initialize_tolower_loc_table(self):
    """
    Initialize ptable for ctype

    See __ctype_tolower_loc.c in libc implementation

    Allocates a table of 384 four-byte entries and a pointer-sized cell, writes each value of
    ``state.libc.TOLOWER_LOC_ARRAY`` into the table as a 32-bit entry in the architecture's
    memory endness, stores the table address plus 128 entries in the cell and records the cell
    in ``state.libc.ctype_tolower_loc_table_ptr``.

    NOTE(review): the allocation size is not checked against the array length; presumably
    ``TOLOWER_LOC_ARRAY`` has 384 entries -- confirm.
    """
    state = self.state
    malloc = angr.SIM_PROCEDURES['libc']['malloc']

    # 384 entries, 4 bytes each
    table = self.inline_call(malloc, 384*4).ret_expr
    table_ptr = self.inline_call(malloc, state.arch.bytes).ret_expr

    entry_bytes = 4
    for index, value in enumerate(state.libc.TOLOWER_LOC_ARRAY):
        state.memory.store(
            table + (index * entry_bytes),
            state.solver.BVV(value, 32),
            endness=state.arch.memory_endness,
            inspect=False,
            disable_actions=True,
        )

    # Offset for negative chars: -128 index (4 bytes per index)
    biased_table = table + (128 * 4)
    state.memory.store(
        table_ptr,
        biased_table,
        size=state.arch.bytes,
        endness=state.arch.memory_endness,
        inspect=False,
        disable_actions=True,
    )

    state.libc.ctype_tolower_loc_table_ptr = table_ptr
示例13: _initialize_toupper_loc_table
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SIM_PROCEDURES [as 别名]
def _initialize_toupper_loc_table(self):
    """
    Initialize ptable for ctype

    See __ctype_toupper_loc.c in libc implementation

    Allocates a table of 384 four-byte entries and a pointer-sized cell, writes each value of
    ``state.libc.TOUPPER_LOC_ARRAY`` into the table as a 32-bit entry in the architecture's
    memory endness, stores the table address plus 128 entries in the cell and records the cell
    in ``state.libc.ctype_toupper_loc_table_ptr``.

    NOTE(review): the allocation size is not checked against the array length; presumably
    ``TOUPPER_LOC_ARRAY`` has 384 entries -- confirm.
    """
    state = self.state
    malloc = angr.SIM_PROCEDURES['libc']['malloc']

    # 384 entries, 4 bytes each
    table = self.inline_call(malloc, 384*4).ret_expr
    table_ptr = self.inline_call(malloc, state.arch.bytes).ret_expr

    entry_bytes = 4
    for index, value in enumerate(state.libc.TOUPPER_LOC_ARRAY):
        state.memory.store(
            table + (index * entry_bytes),
            state.solver.BVV(value, 32),
            endness=state.arch.memory_endness,
            inspect=False,
            disable_actions=True,
        )

    # Offset for negative chars: -128 index (4 bytes per index)
    biased_table = table + (128 * 4)
    state.memory.store(
        table_ptr,
        biased_table,
        size=state.arch.bytes,
        endness=state.arch.memory_endness,
        inspect=False,
        disable_actions=True,
    )

    state.libc.ctype_toupper_loc_table_ptr = table_ptr
示例14: _initialize_errno
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SIM_PROCEDURES [as 别名]
def _initialize_errno(self):
    """
    Allocate the errno cell, record its address and zero it.

    A pointer-sized block is obtained through the libc ``malloc`` model, its address is saved
    in ``state.libc.errno_location`` and a zero of ``arch.bits`` width is stored there.
    """
    state = self.state
    malloc = angr.SIM_PROCEDURES['libc']['malloc']

    errno_loc = self.inline_call(malloc, state.arch.bytes).ret_expr
    state.libc.errno_location = errno_loc

    zero = state.solver.BVV(0, state.arch.bits)
    state.memory.store(errno_loc, zero)
示例15: run
# 需要导入模块: import angr [as 别名]
# 或者: from angr import SIM_PROCEDURES [as 别名]
def run(self):
    """
    Resolve a TLS address for the pointer held in ``eax`` (x86 only).

    :return: The ``ret_expr`` of the inlined ``linux_loader``/``__tls_get_addr`` procedure.
    :raises angr.errors.SimUnsupportedError: The state's architecture is not ``X86``.
    """
    if self.state.arch.name != 'X86':
        raise angr.errors.SimUnsupportedError("___tls_get_addr only implemented for x86. Talk to @rhelmot.")

    # The argument is read straight from eax.
    ptr = self.state.regs.eax

    # Fetch the procedure through SIM_PROCEDURES by its string key, which avoids the trouble
    # Python's name mangling would cause for the double-underscore name.
    tls_get_addr = angr.SIM_PROCEDURES['linux_loader']['__tls_get_addr']
    return self.inline_call(tls_get_addr, ptr).ret_expr