本文整理汇总了Python中angr.Project方法的典型用法代码示例。如果您正苦于以下问题:Python angr.Project方法的具体用法?Python angr.Project怎么用?Python angr.Project使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类angr
的用法示例。
在下文中一共展示了angr.Project方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: break_chall_resp_atoi
# 需要导入模块: import angr [as 别名]
# 或者: from angr import Project [as 别名]
def break_chall_resp_atoi():
    """Regression check: rex must turn the chall_resp_atoi crash into working PoVs.

    The addresses of the binary's atoi/itoa routines are recovered from a
    CFGFast run and described to rex as format-conversion helpers; every
    register setter and leaker rex then produces is validated with
    ``_do_pov_test``.  Depends on the module-level ``bin_location``,
    ``cache_location`` and ``_do_pov_test``.
    """
    crash_input = (
        b'-435982256\n-439864843\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n'
    )
    bin_path = bin_location + "/tests/i386/chall_resp_atoi"
    cfg = angr.Project(bin_path).analyses.CFGFast()
    # Lookup order (atoi, then itoa) is kept so a missing symbol fails the same way.
    atoi_addr = cfg.functions["atoi"].addr
    itoa_addr = cfg.functions["itoa"].addr
    itoa_fmt = FormatInfoIntToStr(addr=itoa_addr, func_name="itoa", int_arg_num=1,
                                  str_dst_num=0, base=10, base_arg=None)
    atoi_fmt = FormatInfoStrToInt(addr=atoi_addr, func_name="atoi", str_arg_num=0,
                                  base=10, base_arg=None, allows_negative=True)
    crash = rex.Crash(bin_path, crash=crash_input, format_infos=[itoa_fmt, atoi_fmt],
                      rop_cache_path=os.path.join(cache_location, "chall_resp_atoi"))
    exploits = crash.exploit()
    # Register setters are validated before leakers, as the harness expects.
    for setter in exploits.register_setters:
        nose.tools.assert_true(_do_pov_test(setter))
    for leaker in exploits.leakers:
        nose.tools.assert_true(_do_pov_test(leaker))
示例2: main
# 需要导入模块: import angr [as 别名]
# 或者: from angr import Project [as 别名]
def main(argv):
    """angr_ctf-style exercise scaffold; not runnable as written.

    Every ``???`` is a placeholder the reader fills in: the path of the
    binary and the two addresses handed to ``simulation.explore``.  The
    ``print`` statement below is Python 2 syntax, so the function will not
    parse under Python 3 even once the placeholders are filled.
    """
    path_to_binary = ???
    project = angr.Project(path_to_binary)
    initial_state = project.factory.entry_state()
    simulation = project.factory.simgr(initial_state)
    # Explore the binary, but this time, instead of only looking for a state that
    # reaches the print_good_address, also find a state that does not reach
    # will_not_succeed_address. The binary is pretty large, to save you some time,
    # everything you will need to look at is near the beginning of the address
    # space.
    # (!)
    print_good_address = ???
    will_not_succeed_address = ???
    # find= is the target address, avoid= prunes any state that reaches the other one.
    simulation.explore(find=print_good_address, avoid=will_not_succeed_address)
    if simulation.found:
        solution_state = simulation.found[0]
        # Dump whatever the solver chose for stdin in the found state.
        print solution_state.posix.dumps(sys.stdin.fileno())
    else:
        raise Exception('Could not find the solution')
示例3: main
# 需要导入模块: import angr [as 别名]
# 或者: from angr import Project [as 别名]
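def main(argv):
    """Find a stdin input that reaches print_good_address while avoiding will_not_succeed_address.

    :param argv: command-line arguments; ``argv[1]`` is the path of the binary to explore.
    :raises Exception: if no binary path was given, or if exploration finds no
        state that satisfies the find/avoid targets.
    """
    if len(argv) < 2:
        raise Exception('expected the path of the binary as the first argument')
    path_to_binary = argv[1]
    project = angr.Project(path_to_binary)
    initial_state = project.factory.entry_state()
    simulation = project.factory.simgr(initial_state)
    # Explore the binary, but this time, instead of only looking for a state that
    # reaches the print_good_address, also find a state that does not reach
    # will_not_succeed_address. The binary is pretty large, to save you some time,
    # everything you will need to look at is near the beginning of the address
    # space.
    # (!)
    # Both addresses are specific to the exercise binary this solution was written for.
    print_good_address = 0x080485e5
    will_not_succeed_address = 0x080485a8
    # find= is the target; avoid= prunes every state that touches the other address.
    simulation.explore(find=print_good_address, avoid=will_not_succeed_address)
    if simulation.found:
        solution_state = simulation.found[0]
        # Concrete stdin the solver picked for the found state.
        print(solution_state.posix.dumps(sys.stdin.fileno()))
    else:
        raise Exception('Could not find the solution')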
示例4: main
# 需要导入模块: import angr [as 别名]
# 或者: from angr import Project [as 别名]
def main(argv):
    """Exercise scaffold: replace scanf with a custom SimProcedure; not runnable as written.

    Every ``???`` (and the ``...`` in ``run``'s signature and body) is a
    placeholder the reader fills in.  ``ReplacementScanf`` is defined inside
    ``main`` so that ``run`` can close over ``project`` for the memory endness.
    """
    path_to_binary = argv[1]
    project = angr.Project(path_to_binary)
    # You can either use a blank state or an entry state; just make sure to start
    # at the beginning of the program.
    initial_state = ???
    class ReplacementScanf(angr.SimProcedure):
        # Hint: scanf("%u %20s")
        def run(self, format_string, ...???):
            # %u
            scanf0 = claripy.BVS('scanf0', ???)
            # %20s
            scanf1 = claripy.BVS('scanf1', ???)
            # Constrain every byte of the %20s buffer to a range; the bounds are
            # left to the reader (presumably printable characters — confirm).
            for char in scanf1.chop(bits=8):
                self.state.add_constraints(char >= ???, char <= ???)
            scanf0_address = ???
            # Write the symbolic %u value where scanf's caller expects it, in the
            # target's native byte order.
            self.state.memory.store(scanf0_address, scanf0, endness=project.arch.memory_endness)
            ...
            # Stash the symbolic values so the caller can concretise them later.
            self.state.globals['solutions'] = ???
示例5: load_kernel_image
# 需要导入模块: import angr [as 别名]
# 或者: from angr import Project [as 别名]
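def load_kernel_image(path, arch, base, segments=None):
    """Load a raw (headerless) kernel image into an angr Project via cle's blob backend.

    :param path: path of the image file.
    :param arch: architecture handed to both the blob backend and ``angr.Project``.
    :param base: address the image is mapped at.
    :param segments: optional segment description for the blob backend; passed
        through to cle unchanged.
    :returns: the ``angr.Project``.
    """
    # auto_load_libs is off: a bare kernel image has no shared-library
    # dependencies to resolve, and trying would only slow loading down.
    load_options = {
        'auto_load_libs': False,
        'main_opts': {
            'backend': 'blob',
            'custom_arch': arch,
            'custom_base_addr': base,
            'segments': segments,
        },
    }
    # NOTE(review): 'custom_arch'/'custom_base_addr' are the option names this
    # code was written against; later cle releases renamed them — confirm
    # against the installed cle version before relying on this.
    #
    # To import a symbol table use loader.provide_symbol() or
    # loader.provide_symbol_batch():
    #   provide_symbol(self, owner, name, offset, size=0, sym_type=None)
    #     -> self.provide_symbol_batch(owner, {name: (offset, size, sym_type)})
    #   owner    --> the Backend object; loader.main_bin can be used
    #   offset   --> offset relative to 0, not the actual kernel load address
    #   sym_type --> https://github.com/angr/cle/blob/master/cle/backends/__init__.py#L148
    return angr.Project(path, load_options=load_options, arch=arch)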
示例6: run_tracker
# 需要导入模块: import angr [as 别名]
# 或者: from angr import Project [as 别名]
def run_tracker(track_mem, use_bp):
    """Run StackPointerTracker over fauxware's ``main`` and report the offsets after 0x4007d4.

    :param track_mem: forwarded as ``track_memory=`` to the analysis.
    :param use_bp: when true the base pointer is tracked as well and an
        ``(sp_offset, bp_offset)`` pair is returned; otherwise only the
        stack-pointer offset is returned.
    """
    project = angr.Project(os.path.join(test_location, 'x86_64', 'fauxware'), auto_load_libs=False)
    project.analyses.CFGFast()
    main_func = project.kb.functions['main']
    sp_off = project.arch.sp_offset
    tracked = {sp_off}
    bp_off = None
    if use_bp:
        bp_off = project.arch.bp_offset
        tracked.add(bp_off)
    tracker = project.analyses.StackPointerTracker(main_func, tracked, track_memory=track_mem)
    # 0x4007d4 is a fixed instruction address inside fauxware's main.
    sp_result = tracker.offset_after(0x4007d4, sp_off)
    if not use_bp:
        return sp_result
    return sp_result, tracker.offset_after(0x4007d4, bp_off)
示例7: test_find_prototype
# 需要导入模块: import angr [as 别名]
# 或者: from angr import Project [as 别名]
def test_find_prototype():
    """find_declaration() must give strcmp a prototype so its argument locations resolve."""
    project = angr.Project(os.path.join(test_location, 'x86_64', 'all'), auto_load_libs=False)
    cfg = project.analyses.CFG()
    strcmp = cfg.kb.functions.function(name='strcmp', plt=False)
    cc_class = angr.calling_conventions.DEFAULT_CC[project.arch.name]
    strcmp.calling_convention = cc_class(project.arch)
    # Without a prototype the calling convention cannot place the arguments.
    nose.tools.assert_raises(ValueError, strcmp.calling_convention.arg_locs)
    strcmp.find_declaration()
    # With the declaration attached the same call succeeds.
    locations = strcmp.calling_convention.arg_locs()
    nose.tools.assert_equal(len(locations), 2)
    # SysV x86-64: first two integer/pointer arguments travel in rdi and rsi.
    expected_regs = ['rdi', 'rsi']
    for loc, reg in zip(locations, expected_regs):
        nose.tools.assert_equal(loc.reg_name, reg)
示例8: test_additional_edges
# 需要导入模块: import angr [as 别名]
# 或者: from angr import Project [as 别名]
def test_additional_edges():
    """CFGEmulated must honour caller-supplied ``additional_edges`` and add nothing else for them."""
    binary_path = os.path.join(test_location, 'x86_64', 'switch')
    project = angr.Project(binary_path,
                           use_sim_procedures=True,
                           default_analysis_mode='symbolic',
                           load_options={'auto_load_libs': False})
    switch_head = 0x400573
    case_targets = [0x400580, 0x40058f, 0x40059e]
    # Jump-table resolution stays off: with it on, CFGEmulated would discover
    # 0x4005ad by itself and the test could no longer tell whether the three
    # case nodes came from the parameter or from the resolver.
    cfg = project.analyses.CFGEmulated(context_sensitivity_level=0,
                                       additional_edges={switch_head: case_targets},
                                       fail_fast=True,
                                       resolve_indirect_jumps=False)
    for target in case_targets:
        nose.tools.assert_not_equal(cfg.get_any_node(target), None)
    nose.tools.assert_equal(cfg.get_any_node(0x4005ad), None)
示例9: test_cfg_6
# 需要导入模块: import angr [as 别名]
# 或者: from angr import Project [as 别名]
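def test_cfg_6():
    """CFGEmulated on a real-mode BIOS image must discover at least the known function entries.

    ``DO_CCALLS`` is temporarily added to the global ``fastpath`` option set so
    long jmps and real-mode code are handled.  The set is restored in a
    ``finally`` block, and only if this test added the flag: the original
    ``^=`` toggle would have removed a flag some other caller had set, and a
    failing assertion would have skipped the restore entirely.
    """
    function_addresses = [0xfa630, 0xfa683, 0xfa6d4, 0xfa707, 0xfa754, 0xfa779, 0xfa7a9, 0xfa7d6, 0xfa844, 0xfa857,
                          0xfa8d9, 0xfa92f, 0xfa959, 0xfa9fb, 0xfabd6, 0xfac61, 0xfacc2, 0xfad29, 0xfaf94, 0xfbd07,
                          0xfc100, 0xfc101, 0xfc14f, 0xfc18e, 0xfc25e, 0xfc261, 0xfc3c6, 0xfc42f, 0xfc4a3, 0xfc4cf,
                          0xfc4db, 0xfc5ba, 0xfc5ef, 0xfc5fe, 0xfc611, 0xfc682, 0xfc6b7, 0xfc7fc, 0xfc8a8, 0xfc8e7,
                          0xfcb42, 0xfcb50, 0xfcb72, 0xfcc3b, 0xfcc7a, 0xfcc8b, 0xfccdc, 0xfd1a3, 0xff06e]
    # We need to add DO_CCALLS to resolve long jmp and support real mode
    had_ccalls = o.DO_CCALLS in o.modes['fastpath']
    o.modes['fastpath'] |= {o.DO_CCALLS}
    try:
        binary_path = test_location + "/i386/bios.bin.elf"
        proj = angr.Project(binary_path,
                            use_sim_procedures=True,
                            page_size=1)
        # The analysis is run for its side effect on proj.kb.functions.
        proj.analyses.CFGEmulated(context_sensitivity_level=1, fail_fast=True)
        nose.tools.assert_greater_equal(set(proj.kb.functions), set(function_addresses))
    finally:
        if not had_ccalls:
            o.modes['fastpath'] -= {o.DO_CCALLS}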
示例10: test_max_steps
# 需要导入模块: import angr [as 别名]
# 或者: from angr import Project [as 别名]
def test_max_steps():
    """With ``max_steps=5`` no CFGEmulated node may sit deeper than five DFS edges from its root."""
    binary_path = os.path.join(test_location, "x86_64", "fauxware")
    project = angr.Project(binary_path, load_options={'auto_load_libs': False})
    cfg = project.analyses.CFGEmulated(max_steps=5, fail_fast=True)
    # depth[node] = longest DFS path seen into it; a node first met as a source starts at 0.
    depth = {}
    for parent, child in networkx.dfs_edges(cfg.graph):
        parent_depth = depth.setdefault(parent, 0)
        depth[child] = max(parent_depth + 1, depth.get(child, 0))
    nose.tools.assert_less_equal(max(depth.values()), 5)
示例11: test_abort_and_resume
# 需要导入模块: import angr [as 别名]
# 或者: from angr import Project [as 别名]
def test_abort_and_resume():
    """An aborted CFGEmulated run must keep its pending jobs, and ``resume()`` must drain them."""
    angr.analyses.AnalysesHub.register_default('CFGEmulatedAborted', CFGEmulatedAborted)
    CFGEmulatedAborted.should_abort = False
    project = angr.Project(os.path.join(test_location, "x86_64", "fauxware"), auto_load_libs=False)
    # The abort flag is armed only after the project exists.
    CFGEmulatedAborted.should_abort = True
    cfg = project.analyses.CFGEmulatedAborted()
    pending = len(list(cfg.jobs))
    nose.tools.assert_greater(pending, 0)  # the abort has to leave work behind
    CFGEmulatedAborted.should_abort = False
    cfg.resume()
    remaining = len(list(cfg.jobs))
    nose.tools.assert_equal(remaining, 0)  # resuming finishes everything
示例12: broken_cacher
# 需要导入模块: import angr [as 别名]
# 或者: from angr import Project [as 别名]
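def broken_cacher():
    """Cacher must restore a saved simulation state and reproduce the same dead-ended states.

    fauxware is run once with a Cacher writing a container at 0x4006ee; a
    second manager started from that container has to resume at 0x4006ed and
    finish with the same dead-ended addresses.  The cache directory is created
    with ``TemporaryDirectory`` so it is removed again even when an assertion
    fails (the original ``mkdtemp`` was never cleaned up).
    """
    project = angr.Project(os.path.join(location, 'x86_64', 'fauxware'), load_options={'auto_load_libs': False})
    with tempfile.TemporaryDirectory(prefix='test_cacher_container') as tmp_dir:
        container = os.path.join(tmp_dir, '%s.cache' % os.path.basename(project.filename))
        first = project.factory.simulation_manager()
        first.use_technique(angr.exploration_techniques.Cacher(when=0x4006ee, container=container))
        first.run()
        second = project.factory.simulation_manager()
        second.use_technique(angr.exploration_techniques.Cacher(container=container))
        # Restored state should pick up at the instruction before the cache point.
        nose.tools.assert_equal(second.active[0].addr, 0x4006ed)
        second.run()
        nose.tools.assert_equal(len(second.deadended), len(first.deadended))
        first_addrs = {s.addr for s in first.deadended}
        # Only the first three dead-ended states are compared, as in the original check.
        for i in range(3):
            nose.tools.assert_in(second.deadended[i].addr, first_addrs)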
示例13: test_jumptable_occupied_as_data
# 需要导入模块: import angr [as 别名]
# 或者: from angr import Project [as 别名]
def test_jumptable_occupied_as_data():
    """A resolved jump table's entries must be classified as data, not code.

    Regression for GitHub issue #1671.
    """
    project = angr.Project(os.path.join(test_location, "i386", "windows", "printenv.exe"), auto_load_libs=False)
    cfg = project.analyses.CFGFast()
    jump_site = 0x402e4d
    table_addr = 0x402e54
    entries = 10
    entry_size = 4
    # The indirect jump at 0x402e4d uses a 10-entry table at 0x402e54.
    assert jump_site in cfg.indirect_jumps
    table = cfg.indirect_jumps[jump_site]
    assert table.jumptable is True
    assert table.jumptable_addr == table_addr
    assert table.jumptable_size == entry_size * entries
    assert table.jumptable_entry_size == entry_size
    # The 40 bytes of the table itself (starting at 0x402e54) must be marked as "data".
    for addr in range(table_addr, table_addr + 40, 4):
        assert cfg._seg_list.occupied_by_sort(addr) == "data"
    # One successor per table entry.
    assert len(cfg.model.get_any_node(jump_site).successors) == entries
示例14: angr_cfg
# 需要导入模块: import angr [as 别名]
# 或者: from angr import Project [as 别名]
def angr_cfg(sample):
    """Build a CFG for ``sample`` starting at ``main`` and render it twice as PNG.

    One rendering shows assembly instructions, the other VEX statements; the
    outputs are named ``<sample>_angr_asm`` and ``<sample>_angr_vex``.

    :param sample: file name appended directly to the module-level
        ``samples_dir`` (no separator is inserted).
    """
    project = angr.Project(samples_dir + sample, load_options={'auto_load_libs': False})
    main_addr = project.loader.main_object.get_symbol("main").rebased_addr
    # Start from a blank state at main with a fake return address pushed.
    start_state = project.factory.blank_state(addr=main_addr)
    start_state.stack_push(0x0)
    cfg = project.analyses.CFGFast(fail_fast=True, function_starts=[main_addr],
                                   base_state=start_state, normalize=False)
    renderings = (
        (True, False, '_angr_asm'),
        (False, True, '_angr_vex'),
    )
    for show_asm, show_vex, suffix in renderings:
        vis = AngrVisFactory().default_cfg_pipeline(cfg, asminst=show_asm, vexinst=show_vex)
        vis.set_output(DotOutput(sample + suffix, format="png"))
        vis.process(cfg.graph)
示例15: __init__
# 需要导入模块: import angr [as 别名]
# 或者: from angr import Project [as 别名]
def __init__(self, binary, crash=None):
    """
    :param binary: path to the binary which crashed
    :param crash: string of input which crashed the binary
    :raises CrashFuzzerException: if replaying ``crash`` under QEMURunner does
        not end in crash mode
    """
    self.binary = binary
    self.crash = crash
    # Replay the input first; nothing below is meaningful unless it really crashes.
    runner = tracer.QEMURunner(self.binary, input=self.crash, record_core=True)
    if not runner.crash_mode:
        raise CrashFuzzerException("input did not crash the binary")
    self._p = angr.Project(self.binary)
    self.orig_regs = runner.reg_vals
    self.pool = None
    # Per-byte bookkeeping; presumably populated by make_bases()/run() (not visible here).
    self.byte_analysis = {}
    self._bases = {}
    self.regs_to_numbers = {}
    self.byte_translation_calls = {}
    self._bit_patterns = {}
    self.skip_bytes = set()
    self.skip_sets = set()
    self.used_bytes = set()
    self.byte_translation_funcs = []
    self.make_bases()
    self.run()