當前位置: 首頁>>代碼示例>>Python>>正文


Python angr.BP_AFTER屬性代碼示例

本文整理匯總了Python中angr.BP_AFTER屬性的典型用法代碼示例。如果您正苦於以下問題:Python angr.BP_AFTER屬性的具體用法?Python angr.BP_AFTER怎麽用?Python angr.BP_AFTER使用的例子?那麽, 這裏精選的屬性代碼示例或許可以為您提供幫助。您也可以進一步了解該屬性所在angr的用法示例。


在下文中一共展示了angr.BP_AFTER屬性的9個代碼示例,這些例子默認根據受歡迎程度排序。您可以為喜歡或者感覺有用的代碼點讚,您的評價將有助於係統推薦出更棒的Python代碼示例。

示例1: __init__

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import BP_AFTER [as 別名]
def __init__(self):
        #self.cfg = self.project.analyses.CFGAccurate(keep_state=True, enable_symbolic_back_traversal=True, normalize=True)
        self.cfg = self.project.analyses.CFGFast(collect_data_references=True, normalize=True)
        self.accesses = {}
        self.ty_backend = TypeBackend()
        self.global_struct = SimStructAbstract(label='global')
        #self.identer = Identifier(self.project, self.cfg)
        #self.ident_result = list(self.identer.run())

        self.struct_mapping = {}
        self.struct_base = 0x40000000
        self.pass_results = []
        self.function_initial_regs = {}
        self.function_return_vals = {}

        self.syscall_mapping = self.project._simos.syscall_table

        self.initial_state = self.project.factory.blank_state(remove_options={o.SIMPLIFY_MEMORY_WRITES, o.SIMPLIFY_REGISTER_WRITES}, add_options={o.UNSUPPORTED_BYPASS_ZERO_DEFAULT, o.BYPASS_UNSUPPORTED_IROP, o.BYPASS_UNSUPPORTED_IRCCALL, o.AVOID_MULTIVALUED_READS, o.AVOID_MULTIVALUED_WRITES})
        self.initial_state.inspect.b('mem_read', when=angr.BP_AFTER, action=self._memory_access)
        self.initial_state.inspect.b('mem_write', when=angr.BP_AFTER, action=self._memory_access)
        self.initial_state.inspect.b('exit', when=angr.BP_BEFORE, action=self._exit_taken)

        for func in self.real_functions(self.cfg):
            l.info("Working on %s", func.name)
            self._init_analysis(func) 
開發者ID:angr,項目名稱:fidget,代碼行數:27,代碼來源:new_analysis.py

示例2: arm

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import BP_AFTER [as 別名]
def arm(self, state):
        """
        Setup hooks and breakpoints to perform Spectre gadget vulnerability detection.
        Also set up concretization to ensure addresses are always made to be OOB when possible.
        """
        state.inspect.b('mem_read',  when=angr.BP_AFTER, condition=_tainted_read, action=detected_spectre_read)
        state.inspect.b('mem_write', when=angr.BP_AFTER, condition=_tainted_write, action=detected_spectre_write)
        state.inspect.b('exit', when=angr.BP_BEFORE, condition=_tainted_branch, action=detected_spectre_branch)

        state.memory.read_strategies.insert(0, OOBStrategy())
        state.memory.write_strategies.insert(0, OOBStrategy())
        state.inspect.b('address_concretization', when=angr.BP_AFTER, condition=concretization_succeeded, action=log_concretization)

        state.options.add(angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY)
        state.options.add(angr.options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS)
        state.options.add(angr.options.SYMBOLIC_INITIAL_VALUES)
        state.options.add(angr.options.SPECIAL_MEMORY_FILL)
        state._special_memory_filler = oob_memory_fill
        state.options.add(angr.options.SYMBOLIC_WRITE_ADDRESSES)

        self._armed = True 
開發者ID:cdisselkoen,項目名稱:pitchfork,代碼行數:23,代碼來源:spectre.py

示例3: arm

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import BP_AFTER [as 別名]
def arm(self, state):
        """
        Setup hooks and breakpoints to perform bounds tracking.
        Also set up concretization to ensure addresses are always made to be OOB when possible.
        """
        state.inspect.b('mem_read',  when=angr.BP_AFTER, condition=_read_can_be_oob, action=detected_oob_read)
        state.inspect.b('mem_write', when=angr.BP_AFTER, condition=_write_can_be_oob, action=detected_oob_write)

        state.memory.read_strategies.insert(0, OOBStrategy())
        state.memory.write_strategies.insert(0, OOBStrategy())

        state.options.add(angr.options.SYMBOLIC_WRITE_ADDRESSES)

        state.inspect.b('address_concretization', when=angr.BP_AFTER, condition=concretization_succeeded, action=log_concretization)

        self._armed = True 
開發者ID:cdisselkoen,項目名稱:pitchfork,代碼行數:18,代碼來源:oob.py

示例4: state_blank

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import BP_AFTER [as 別名]
def state_blank(self, addr=None, **kwargs):
        if addr is None:
            addr = 0x1000

        permissions_backer = (True, {(0, 0xffff): 7})
        state = super(SimCT64K, self).state_blank(addr=addr, permissions_backer=permissions_backer, **kwargs)

        state.register_plugin('registers', state.memory)
        state.memory.id = 'reg'

        state.registers.store(0, addr)
        state.registers.store(1, state.arch.initial_sp)
        state.registers.store(2, state.arch.initial_sp)

        state.inspect.b('reg_read', action=self.hard_checker_rd, when=angr.BP_AFTER)
        state.inspect.b('reg_write', action=self.hard_checker_wr, when=angr.BP_AFTER)
        return state 
開發者ID:angr,項目名稱:angr-platforms,代碼行數:19,代碼來源:ct64_angr.py

示例5: prep_tracer

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import BP_AFTER [as 別名]
def prep_tracer(state, format_infos=None):
        format_infos = [] if format_infos is None else format_infos
        state.inspect.b(
            'exit',
            angr.BP_BEFORE,
            action=exit_hook
        )
        state.inspect.b(
            'syscall',
            angr.BP_AFTER,
            action=syscall_hook
        )
        state.inspect.b(
            'constraints',
            angr.BP_BEFORE,
            action=constraint_hook
        )

        if state.has_plugin("chall_resp_info"):
            chall_resp_plugin = state.get_plugin("chall_resp_info")
        else:
            chall_resp_plugin = ChallRespInfo()
        for f in format_infos:
            chall_resp_plugin.format_infos[f.addr] = f

        state.register_plugin("chall_resp_info", chall_resp_plugin)

        for addr in chall_resp_plugin.format_infos:
            state.project.hook(addr, generic_info_hook, length=0)


# THE ZEN HOOK 
開發者ID:angr,項目名稱:angr,代碼行數:34,代碼來源:trace_additions.py

示例6: test_inspect_exit

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import BP_AFTER [as 別名]
def test_inspect_exit():
    class counts: #pylint:disable=no-init
        exit_before = 0
        exit_after = 0

    def handle_exit_before(state):
        counts.exit_before += 1
        exit_target = state.inspect.exit_target
        nose.tools.assert_equal(state.solver.eval(exit_target), 0x3f8)
        # change exit target
        state.inspect.exit_target = 0x41414141
        nose.tools.assert_equal(state.inspect.exit_jumpkind, "Ijk_Boring")
        nose.tools.assert_true(state.inspect.exit_guard.is_true())

    def handle_exit_after(state): #pylint:disable=unused-argument
        counts.exit_after += 1

    s = SimState(arch="AMD64", mode="symbolic")
    irsb = pyvex.IRSB(b"\x90\x90\x90\x90\xeb\x0a", mem_addr=1000, arch=archinfo.ArchAMD64())

    # break on exit
    s.inspect.b('exit', BP_BEFORE, action=handle_exit_before)
    s.inspect.b('exit', BP_AFTER, action=handle_exit_after)

    # step it
    succ = HeavyVEXMixin(None).process(s, irsb=irsb).flat_successors

    # check
    nose.tools.assert_equal( succ[0].solver.eval(succ[0].ip), 0x41414141)
    nose.tools.assert_equal(counts.exit_before, 1)
    nose.tools.assert_equal(counts.exit_after, 1) 
開發者ID:angr,項目名稱:angr,代碼行數:33,代碼來源:test_inspect.py

示例7: test_inspect_syscall

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import BP_AFTER [as 別名]
def test_inspect_syscall():
    class counts: #pylint:disable=no-init
        exit_before = 0
        exit_after = 0

    def handle_syscall_before(state):
        counts.exit_before += 1
        syscall_name = state.inspect.syscall_name
        nose.tools.assert_equal(syscall_name, "close")

    def handle_syscall_after(state):
        counts.exit_after += 1
        syscall_name = state.inspect.syscall_name
        nose.tools.assert_equal(syscall_name, "close")

    s = SimState(arch="AMD64", mode="symbolic")
    # set up to call so syscall close
    s.regs.rax = 3
    s.regs.rdi = 2

    # break on syscall
    s.inspect.b('syscall', BP_BEFORE, action=handle_syscall_before)
    s.inspect.b('syscall', BP_AFTER, action=handle_syscall_after)

    # step it
    proc = SIM_PROCEDURES['posix']['close'](is_syscall=True)
    ProcedureEngine(None).process(s, procedure=proc, ret_to=s.ip)

    # check counts
    nose.tools.assert_equal(counts.exit_before, 1)
    nose.tools.assert_equal(counts.exit_after, 1) 
開發者ID:angr,項目名稱:angr,代碼行數:33,代碼來源:test_inspect.py

示例8: consolidate_reverse_exprs

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import BP_AFTER [as 別名]
def consolidate_reverse_exprs(initial_state):
    """
    Tries to simplify the Reverse(Extract(Reverse())) pattern in expressions.
    
    NOTE: Experimental! Maybe not working correctly, use it with care!
    """
    initial_state.inspect.b('mem_read', when=angr.BP_AFTER, action=_read_consolidate)
    initial_state.inspect.b('reg_read', when=angr.BP_AFTER, action=_read_consolidate) 
開發者ID:axt,項目名稱:angr-utils,代碼行數:10,代碼來源:inspect.py

示例9: test_inspect_engine_process

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import BP_AFTER [as 別名]
def test_inspect_engine_process():
    p = angr.Project(os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', '..', 'binaries', 'tests', 'x86_64', 'fauxware'))
    constraints = []
    def check_first_symbolic_fork(state):
        succs = state.inspect.sim_successors.successors
        succ_addr = [hex(s.addr) for s in succs]
        nose.tools.assert_equal(len(succ_addr), 2)
        nose.tools.assert_in('0x400692L', succ_addr)
        nose.tools.assert_in('0x400699L', succ_addr)
        print('Fork after:', hex(state.addr))
        print('Successors:', succ_addr)

    def check_second_symbolic_fork(state):
        succs = state.inspect.sim_successors.successors
        succ_addr = [hex(s.addr) for s in succs]
        nose.tools.assert_equal(len(succ_addr), 2)
        nose.tools.assert_in('0x4006dfL', succ_addr)
        nose.tools.assert_in('0x4006e6L', succ_addr)
        print('Fork after:', hex(state.addr))
        print('Successors:', succ_addr)

    def first_symbolic_fork(state):
        return hex(state.addr) == '0x40068eL' \
           and isinstance(state.inspect.sim_engine, HeavyVEXMixin)
        # TODO: I think this latter check is meaningless with the eleventh hour refactor

    def second_symbolic_fork(state):
        return hex(state.addr) == '0x4006dbL' \
           and isinstance(state.inspect.sim_engine, HeavyVEXMixin)

    def check_state(state):
        nose.tools.assert_in(hex(state.inspect.sim_successors.addr), ('0x40068eL', '0x4006dbL'))

    state = p.factory.entry_state(addr=p.loader.find_symbol('main').rebased_addr)
    pg = p.factory.simulation_manager(state)
    state.inspect.b('engine_process',
                    when=BP_BEFORE,
                    action=check_state,
                    condition=first_symbolic_fork)
    state.inspect.b('engine_process',
                    when=BP_AFTER,
                    action=check_first_symbolic_fork,
                    condition=first_symbolic_fork)
    pg.run()

    state = p.factory.entry_state(addr=p.loader.find_symbol('main').rebased_addr)
    pg = p.factory.simulation_manager(state)
    state.inspect.b('engine_process',
                    when=BP_BEFORE,
                    action=check_state,
                    condition=second_symbolic_fork)
    state.inspect.b('engine_process',
                    when=BP_AFTER,
                    action=check_second_symbolic_fork,
                    condition=second_symbolic_fork)
    pg.run() 
開發者ID:angr,項目名稱:angr,代碼行數:58,代碼來源:test_inspect.py


注:本文中的angr.BP_AFTER屬性示例由純淨天空整理自Github/MSDocs等開源代碼及文檔管理平台,相關代碼片段篩選自各路編程大神貢獻的開源項目,源碼版權歸原作者所有,傳播和使用請參考對應項目的License;未經允許,請勿轉載。