當前位置: 首頁>>代碼示例>>Python>>正文


Python angr.SIM_PROCEDURES屬性代碼示例

本文整理匯總了Python中angr.SIM_PROCEDURES屬性的典型用法代碼示例。如果您正苦於以下問題:Python angr.SIM_PROCEDURES屬性的具體用法?Python angr.SIM_PROCEDURES怎麽用?Python angr.SIM_PROCEDURES使用的例子?那麽, 這裏精選的屬性代碼示例或許可以為您提供幫助。您也可以進一步了解該屬性所在angr的用法示例。


在下文中一共展示了angr.SIM_PROCEDURES屬性的15個代碼示例,這些例子默認根據受歡迎程度排序。您可以為喜歡或者感覺有用的代碼點讚,您的評價將有助於係統推薦出更棒的Python代碼示例。

示例1: _convert_node

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SIM_PROCEDURES [as 別名]
def _convert_node(self, node: Definition, converted: Dict[Definition,QDepGraphBlock]) -> Optional[QDepGraphBlock]:
        if node in converted:
            return converted[node]

        # skip external
        if isinstance(node.codeloc, ExternalCodeLocation):
            return None

        if self.workspace.instance.project.is_hooked(node.codeloc.block_addr):
            hook = self.workspace.instance.project.hooked_by(node.codeloc.block_addr)
            if isinstance(hook, (SIM_PROCEDURES['stubs']['UnresolvableJumpTarget'],
                                 SIM_PROCEDURES['stubs']['UnresolvableCallTarget'])):
                return None

        new_node = QDepGraphBlock(False, self, definition=node, addr=node.codeloc.ins_addr)
        converted[node] = new_node
        return new_node 
開發者ID:angr,項目名稱:angr-management,代碼行數:19,代碼來源:dep_view.py

示例2: process_successors

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SIM_PROCEDURES [as 別名]
def process_successors(self, successors, **kwargs):
        state = self.state
        # we have at this point entered the next step so we need to check the previous jumpkind
        if not state.history or not state.history.parent or not state.history.parent.jumpkind or not state.history.parent.jumpkind.startswith('Ijk_Sys'):
            return super().process_successors(successors, **kwargs)

        l.debug("Invoking system call handler")
        sys_procedure = self.project.simos.syscall(state)

        if sys_procedure is None:
            if angr.sim_options.BYPASS_UNSUPPORTED_SYSCALL not in state.options:
                raise AngrUnsupportedSyscallError("Trying to perform a syscall on an emulated system which is not currently cofigured to support syscalls. To resolve this, make sure that your SimOS is a subclass of SimUserspace, or set the BYPASS_UNSUPPORTED_SYSCALL state option.")
            else:
                try:
                    cc = angr.SYSCALL_CC[state.arch.name][state.os_name](state.arch)
                except KeyError:
                    try:
                        l.warning("No syscall calling convention available for %s/%s", state.arch.name, state.os_name)
                        cc = angr.SYSCALL_CC[state.arch.name]['default'](state.arch)
                    except KeyError:
                        cc = None # some default will get picked down the line...

                sys_procedure = angr.SIM_PROCEDURES['stubs']['syscall'](cc=cc)

        return self.process_procedure(state, successors, sys_procedure, **kwargs) 
開發者ID:angr,項目名稱:angr,代碼行數:27,代碼來源:syscall.py

示例3: run

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SIM_PROCEDURES [as 別名]
def run(self, src, fmt, one, two, three): #pylint:disable=unused-argument
        memcpy = angr.SIM_PROCEDURES['libc']['memcpy']

        self.inline_call(memcpy, one, src, 5)
        self.state.memory.store(one+4, self.state.solver.BVV(0, 8))
        self.inline_call(memcpy, two, src+6, 8192)
        self.state.memory.store(two+8191, self.state.solver.BVV(0, 8))
        self.inline_call(memcpy, three, src+6+8193, 12)
        self.state.memory.store(three+11, self.state.solver.BVV(0, 8))

        #if angr.o.SYMBOLIC in self.state.options:
        #     #crazy_str = "index.asp?authorization=M3NhZG1pbjoyNzk4ODMwMw==&yan=yes\x00"
        #     #crazy_str = "index.asp?authorization=3sadmin:27988303&yan=yes\x00"
        #     crazy_str = "authorization=3sadmin:27988303\x00"
        #     self.state.add_constraints(self.state.memory.load(two, len(crazy_str)) == self.state.solver.BVV(crazy_str))

        return self.state.solver.BVV(3) 
開發者ID:angr,項目名稱:angr,代碼行數:19,代碼來源:crazy_scanf.py

示例4: test_clock_gettime

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SIM_PROCEDURES [as 別名]
def test_clock_gettime():
    proc = angr.SIM_PROCEDURES['posix']['clock_gettime']()

    s = angr.SimState(arch='amd64')
    s.regs.rdi = 0
    s.regs.rsi = 0x8000

    s.options.add(angr.options.USE_SYSTEM_TIMES)
    proc.execute(s)
    assert not s.mem[0x8000].qword.resolved.symbolic
    assert not s.mem[0x8008].qword.resolved.symbolic

    s.options.discard(angr.options.USE_SYSTEM_TIMES)
    proc.execute(s)
    assert s.mem[0x8000].qword.resolved.symbolic
    assert s.mem[0x8008].qword.resolved.symbolic 
開發者ID:angr,項目名稱:angr,代碼行數:18,代碼來源:test_sim_time.py

示例5: test_pwrite

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SIM_PROCEDURES [as 別名]
def test_pwrite():
    pwrite = SIM_PROCEDURES['posix']['pwrite64']()

    state = SimState(arch="AMD64", mode='symbolic')
    simfile = SimFile('concrete_file', content='hello world!\n')
    state.fs.insert('test', simfile)
    fd = state.posix.open(b"test", 1)

    buf_addr = 0xd0000000
    state.memory.store(buf_addr, b'test!')
    pwrite.execute(state, arguments=[fd, buf_addr, 5, 6])

    simfd = state.posix.get_fd(fd)
    simfd.seek(0)
    res = 0xc0000000
    simfd.read(res, 13)
    data = state.solver.eval(state.mem[res].string.resolved, cast_to=bytes)

    nose.tools.assert_true(data == b'hello test!!\n')

    state.posix.close(fd) 
開發者ID:angr,項目名稱:angr,代碼行數:23,代碼來源:test_pwrite_pread.py

示例6: test_pread

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SIM_PROCEDURES [as 別名]
def test_pread():
    pwrite = SIM_PROCEDURES['posix']['pread64']()

    state = SimState(arch="AMD64", mode='symbolic')
    simfile = SimFile('concrete_file', content='hello world!\n')
    state.fs.insert('test', simfile)
    fd = state.posix.open(b"test", 1)

    buf1_addr = 0xd0000000
    buf2_addr = 0xd0001000
    pwrite.execute(state, arguments=[fd, buf1_addr, 6, 6])
    pwrite.execute(state, arguments=[fd, buf2_addr, 5, 0])

    data1 = state.solver.eval(state.mem[buf1_addr].string.resolved, cast_to=bytes)
    data2 = state.solver.eval(state.mem[buf2_addr].string.resolved, cast_to=bytes)

    nose.tools.assert_true(data1 == b'world!')
    nose.tools.assert_true(data2 == b'hello')

    state.posix.close(fd) 
開發者ID:angr,項目名稱:angr,代碼行數:22,代碼來源:test_pwrite_pread.py

示例7: test_simproc_drilling

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SIM_PROCEDURES [as 別名]
def test_simproc_drilling():
    """
    Test drilling on the cgc binary palindrome with simprocedures.
    """

    binary = "tests/i386/driller_simproc"
    memcmp = angr.SIM_PROCEDURES['libc']['memcmp']()
    simprocs = {0x8048200: memcmp}

    # fuzzbitmap says every transition is worth satisfying.
    d = driller.Driller(os.path.join(bin_location, binary), b"A"*0x80, b"\xff"*65535, "whatever~", hooks=simprocs)

    new_inputs = d.drill()

    # Make sure driller produced a new input which satisfies the memcmp.
    password = b"the_secret_password_is_here_you_will_never_guess_it_especially_since_it_is_going_to_be_made_lower_case"
    nose.tools.assert_true(any(filter(lambda x: x[1].startswith(password), new_inputs))) 
開發者ID:shellphish,項目名稱:driller,代碼行數:19,代碼來源:test_driller.py

示例8: setup_project

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SIM_PROCEDURES [as 別名]
def setup_project():
    project = angr.Project('crypto.mod')

    # use libc functions as stand-ins for grub functions
    memset = angr.SIM_PROCEDURES['libc']['memset']
    getchar = angr.SIM_PROCEDURES['libc']['getchar']
    do_nothing = angr.SIM_PROCEDURES['stubs']['ReturnUnconstrained']

    project.hook_symbol('grub_memset', memset())
    project.hook_symbol('grub_getkey', getchar())

    # I don't know why, but grub_xputs is apparently not the function but a pointer to it?
    xputs_pointer_addr = project.loader.find_symbol('grub_xputs').rebased_addr
    xputs_func_addr = project.loader.extern_object.allocate()
    project.hook(xputs_func_addr, do_nothing())
    project.loader.memory.pack_word(xputs_pointer_addr, xputs_func_addr)

    return project 
開發者ID:angr,項目名稱:angr-doc,代碼行數:20,代碼來源:solve.py

示例9: main

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SIM_PROCEDURES [as 別名]
def main(argv):
  path_to_binary = argv[1]
  project = angr.Project(path_to_binary)

  initial_state = project.factory.entry_state()
 
  project.hook(0x804ed40, angr.SIM_PROCEDURES['libc']['printf']())
  project.hook(0x804ed80, angr.SIM_PROCEDURES['libc']['scanf']())
  project.hook(0x804f350, angr.SIM_PROCEDURES['libc']['puts']())
  project.hook(0x8048d10, angr.SIM_PROCEDURES['glibc']['__libc_start_main']())

  simulation = project.factory.simgr(initial_state)

  # Define a function that checks if you have found the state you are looking
  # for.
  def is_successful(state):
    # Dump whatever has been printed out by the binary so far into a string.
    stdout_output = state.posix.dumps(sys.stdout.fileno())

    # Return whether 'Good Job.' has been printed yet.
    # (!)
    return 'Good Job.' in stdout_output  # :boolean

  # Same as above, but this time check if the state should abort. If you return
  # False, Angr will continue to step the state. In this specific challenge, the
  # only time at which you will know you should abort is when the program prints
  # "Try again."
  def should_abort(state):
    stdout_output = state.posix.dumps(sys.stdout.fileno())
    return 'Try again.' in stdout_output  # :boolean

  # Tell Angr to explore the binary and find any state that is_successful identfies
  # as a successful state by returning True.
  simulation.explore(find=is_successful, avoid=should_abort)
  
  if simulation.found:
    solution_state = simulation.found[0]
    print solution_state.posix.dumps(sys.stdin.fileno())
  else:
    raise Exception('Could not find the solution') 
開發者ID:jakespringer,項目名稱:angr_ctf,代碼行數:42,代碼來源:solve13.py

示例10: search_simproc

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SIM_PROCEDURES [as 別名]
def search_simproc(name):
    import angr
    for libname in angr.SIM_PROCEDURES:
        if name in angr.SIM_PROCEDURES[libname]:
            return angr.SIM_PROCEDURES[libname][name]
        elif name.startswith("_") and name[1:] in angr.SIM_PROCEDURES[libname]:
            return angr.SIM_PROCEDURES[libname][name[1:]] 
開發者ID:andreafioraldi,項目名稱:IDAngr,代碼行數:9,代碼來源:hook_lib_funcs.py

示例11: _initialize_b_loc_table

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SIM_PROCEDURES [as 別名]
def _initialize_b_loc_table(self):
        """
        Initialize ptable for ctype

        See __ctype_b_loc.c in libc implementation
        """
        malloc = angr.SIM_PROCEDURES['libc']['malloc']
        table = self.inline_call(malloc, 768).ret_expr
        table_ptr = self.inline_call(malloc, self.state.arch.bytes).ret_expr

        for pos, c in enumerate(self.state.libc.LOCALE_ARRAY):
            # Each entry is 2 bytes
            self.state.memory.store(table + (pos*2),
                                    self.state.solver.BVV(c, 16),
                                    inspect=False,
                                    disable_actions=True,
                                    )
        # Offset for negative chars
        # 256 because 2 bytes each, -128 * 2
        table += 256
        self.state.memory.store(table_ptr,
                                table,
                                size=self.state.arch.bytes,
                                endness=self.state.arch.memory_endness,
                                inspect=False,
                                disable_actions=True,
                                )

        self.state.libc.ctype_b_loc_table_ptr = table_ptr 
開發者ID:angr,項目名稱:angr,代碼行數:31,代碼來源:__libc_start_main.py

示例12: _initialize_tolower_loc_table

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SIM_PROCEDURES [as 別名]
def _initialize_tolower_loc_table(self):
        """
        Initialize ptable for ctype

        See __ctype_tolower_loc.c in libc implementation
        """
        malloc = angr.SIM_PROCEDURES['libc']['malloc']
        # 384 entries, 4 bytes each
        table = self.inline_call(malloc, 384*4).ret_expr
        table_ptr = self.inline_call(malloc, self.state.arch.bytes).ret_expr

        for pos, c in enumerate(self.state.libc.TOLOWER_LOC_ARRAY):
            self.state.memory.store(table + (pos * 4),
                                    self.state.solver.BVV(c, 32),
                                    endness=self.state.arch.memory_endness,
                                    inspect=False,
                                    disable_actions=True,
                                    )

        # Offset for negative chars: -128 index (4 bytes per index)
        table += (128 * 4)
        self.state.memory.store(table_ptr,
                                table,
                                size=self.state.arch.bytes,
                                endness=self.state.arch.memory_endness,
                                inspect=False,
                                disable_actions=True,
                                )

        self.state.libc.ctype_tolower_loc_table_ptr = table_ptr 
開發者ID:angr,項目名稱:angr,代碼行數:32,代碼來源:__libc_start_main.py

示例13: _initialize_toupper_loc_table

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SIM_PROCEDURES [as 別名]
def _initialize_toupper_loc_table(self):
        """
        Initialize ptable for ctype

        See __ctype_toupper_loc.c in libc implementation
        """
        malloc = angr.SIM_PROCEDURES['libc']['malloc']
        # 384 entries, 4 bytes each
        table = self.inline_call(malloc, 384*4).ret_expr
        table_ptr = self.inline_call(malloc, self.state.arch.bytes).ret_expr

        for pos, c in enumerate(self.state.libc.TOUPPER_LOC_ARRAY):
            self.state.memory.store(table + (pos * 4),
                                    self.state.solver.BVV(c, 32),
                                    endness=self.state.arch.memory_endness,
                                    inspect=False,
                                    disable_actions=True,
                                    )

        # Offset for negative chars: -128 index (4 bytes per index)
        table += (128 * 4)
        self.state.memory.store(table_ptr,
                                table,
                                size=self.state.arch.bytes,
                                endness=self.state.arch.memory_endness,
                                inspect=False,
                                disable_actions=True,
                                )

        self.state.libc.ctype_toupper_loc_table_ptr = table_ptr 
開發者ID:angr,項目名稱:angr,代碼行數:32,代碼來源:__libc_start_main.py

示例14: _initialize_errno

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SIM_PROCEDURES [as 別名]
def _initialize_errno(self):
        malloc = angr.SIM_PROCEDURES['libc']['malloc']
        errno_loc = self.inline_call(malloc, self.state.arch.bytes).ret_expr

        self.state.libc.errno_location = errno_loc
        self.state.memory.store(errno_loc, self.state.solver.BVV(0, self.state.arch.bits)) 
開發者ID:angr,項目名稱:angr,代碼行數:8,代碼來源:__libc_start_main.py

示例15: run

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import SIM_PROCEDURES [as 別名]
def run(self):
        if self.state.arch.name == 'X86':
            ptr = self.state.regs.eax
            # use SIM_PROCEDURES so name-mangling doesn't fuck us :|
            return self.inline_call(angr.SIM_PROCEDURES['linux_loader']['__tls_get_addr'], ptr).ret_expr
        else:
            raise angr.errors.SimUnsupportedError("___tls_get_addr only implemented for x86. Talk to @rhelmot.") 
開發者ID:angr,項目名稱:angr,代碼行數:9,代碼來源:__tls_get_addr.py


注:本文中的angr.SIM_PROCEDURES屬性示例由純淨天空整理自Github/MSDocs等開源代碼及文檔管理平台,相關代碼片段篩選自各路編程大神貢獻的開源項目,源碼版權歸原作者所有,傳播和使用請參考對應項目的License;未經允許,請勿轉載。