

Python angr.Project方法代碼示例

本文整理匯總了Python中angr.Project方法的典型用法代碼示例。如果您正苦於以下問題:Python angr.Project方法的具體用法?Python angr.Project怎麼用?Python angr.Project使用的例子?那麼, 這裏精選的方法代碼示例或許可以為您提供幫助。您也可以進一步了解該方法所在angr的用法示例。


在下文中一共展示了angr.Project方法的15個代碼示例,這些例子默認根據受歡迎程度排序。您可以為喜歡或者感覺有用的代碼點讚,您的評價將有助於系統推薦出更棒的Python代碼示例。

示例1: break_chall_resp_atoi

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import Project [as 別名]
def break_chall_resp_atoi():
    """Regression test: exploit generation for the chall_resp_atoi test binary.

    A recorded crashing input is handed to ``rex.Crash`` together with format
    descriptions for the binary's ``atoi`` and ``itoa`` functions (both
    base 10, ``atoi`` accepting negative numbers). Each register-setter and
    leaker exploit that ``crash.exploit()`` produces must pass
    ``_do_pov_test``.

    ``bin_location``, ``cache_location`` and ``_do_pov_test`` come from the
    enclosing test module.
    """
    # Two negative decimal numbers, then a long run of filler bytes.
    payload = (
        b'-435982256\n-439864843\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
        b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n'
    )

    target = bin_location + "/tests/i386/chall_resp_atoi"

    # Recover function addresses statically so the format infos can point at
    # the binary's own conversion routines.
    recovered = angr.Project(target).analyses.CFGFast()
    atoi_addr = recovered.functions["atoi"].addr
    itoa_addr = recovered.functions["itoa"].addr

    int_to_str = FormatInfoIntToStr(
        addr=itoa_addr,
        func_name="itoa",
        int_arg_num=1,
        str_dst_num=0,
        base=10,
        base_arg=None,
    )
    str_to_int = FormatInfoStrToInt(
        addr=atoi_addr,
        func_name="atoi",
        str_arg_num=0,
        base=10,
        base_arg=None,
        allows_negative=True,
    )

    crash = rex.Crash(
        target,
        crash=payload,
        format_infos=[int_to_str, str_to_int],
        rop_cache_path=os.path.join(cache_location, "chall_resp_atoi"),
    )
    generated = crash.exploit()

    for setter in generated.register_setters:
        nose.tools.assert_true(_do_pov_test(setter))
    for leaker in generated.leakers:
        nose.tools.assert_true(_do_pov_test(leaker))
開發者ID:angr,項目名稱:rex,代碼行數:22,代碼來源:test_chall_resp.py

示例2: main

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import Project [as 別名]
def main(argv):
  """Fill-in-the-blank scaffold for an angr find/avoid exploration exercise.

  The ``???`` markers are blanks left for the reader, so this listing is not
  runnable as shown. The ``print`` statement near the end is Python 2 syntax.

  :param argv: command-line argument list; not read by the code shown here.
  """
  path_to_binary = ???
  project = angr.Project(path_to_binary)
  # Start symbolic execution from the state angr builds for the program entry.
  initial_state = project.factory.entry_state()
  simulation = project.factory.simgr(initial_state)

  # Explore the binary, but this time, besides looking for a state that
  # reaches print_good_address, also steer away from any state that reaches
  # will_not_succeed_address. The binary is fairly large; to save time,
  # everything you need to look at is near the beginning of the address
  # space.
  # (!)
  print_good_address = ???
  will_not_succeed_address = ???
  # `find` marks the address to reach, `avoid` the address whose states are
  # set aside instead of being explored further.
  simulation.explore(find=print_good_address, avoid=will_not_succeed_address)

  if simulation.found:
    # The first state that reached print_good_address.
    solution_state = simulation.found[0]
    # Dump the standard-input bytes recorded for that state.
    print solution_state.posix.dumps(sys.stdin.fileno())
  else:
    raise Exception('Could not find the solution') 
開發者ID:jakespringer,項目名稱:angr_ctf,代碼行數:23,代碼來源:scaffold01.py

示例3: main

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import Project [as 別名]
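def main(argv):
  """Symbolically execute a binary until it reaches the "good" print call.

  Exploration starts at the program entry point, targets
  ``print_good_address`` and sets aside every state that reaches
  ``will_not_succeed_address``. The standard-input bytes of the first
  matching state are printed.

  :param argv: command-line argument list; ``argv[1]`` is the path of the
               binary to analyse.
  :raises Exception: if no state reaches ``print_good_address``.
  """
  path_to_binary = argv[1]
  project = angr.Project(path_to_binary)
  initial_state = project.factory.entry_state()
  simulation = project.factory.simgr(initial_state)

  # Both addresses are specific to the exercise binary this script was
  # written for; they have to be re-derived for any other build.
  print_good_address = 0x080485e5
  will_not_succeed_address = 0x080485a8
  simulation.explore(find=print_good_address, avoid=will_not_succeed_address)

  if simulation.found:
    solution_state = simulation.found[0]
    # print() as a function parses on Python 2 and Python 3 alike; the former
    # print statement is a SyntaxError on Python 3. On Python 3 the dumped
    # stdin content is a bytes object, so it is shown in its b'...' form.
    print(solution_state.posix.dumps(sys.stdin.fileno()))
  else:
    raise Exception('Could not find the solution')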
開發者ID:jakespringer,項目名稱:angr_ctf,代碼行數:23,代碼來源:solve01.py

示例4: main

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import Project [as 別名]
def main(argv):
  """Fill-in-the-blank scaffold: replace scanf with a symbolic SimProcedure.

  The ``???`` and ``...`` markers are blanks left for the reader, and the
  listing ends before the function is complete, so it is not runnable as
  shown.

  :param argv: command-line argument list; ``argv[1]`` is the path of the
               binary to analyse.
  """
  path_to_binary = argv[1]
  project = angr.Project(path_to_binary)

  # You can either use a blank state or an entry state; just make sure to start
  # at the beginning of the program.
  initial_state = ???

  class ReplacementScanf(angr.SimProcedure):
    # Stand-in for the binary's scanf call: instead of reading real input it
    # writes fresh symbolic values to the destinations.
    # Hint: scanf("%u %20s")
    def run(self, format_string, ...???):
      # %u -- symbolic bitvector for the unsigned integer; the blank is its
      # size in bits.
      scanf0 = claripy.BVS('scanf0', ???)
      
      # %20s -- symbolic bitvector for the string; the blank is its size in
      # bits.
      scanf1 = claripy.BVS('scanf1', ???)

      # Constrain the string one 8-bit slice at a time to a chosen byte range.
      for char in scanf1.chop(bits=8):
        self.state.add_constraints(char >= ???, char <= ???)

      scanf0_address = ???
      # Store the integer using the architecture's memory byte order.
      self.state.memory.store(scanf0_address, scanf0, endness=project.arch.memory_endness)
      ...

      # Stash the symbolic values in the state's globals so they are still
      # reachable once exploration has finished.
      self.state.globals['solutions'] = ??? 
開發者ID:jakespringer,項目名稱:angr_ctf,代碼行數:27,代碼來源:scaffold16.py

示例5: load_kernel_image

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import Project [as 別名]
def load_kernel_image(path, arch, base, segments=None):
    """Load a raw kernel image into an angr project using the blob backend.

    :param path: path of the image file.
    :param arch: architecture, passed both as the blob's ``custom_arch`` and
                 as the project's ``arch``.
    :param base: passed as the blob's ``custom_base_addr``.
    :param segments: optional segment description forwarded unchanged to the
                     blob backend.
    :return: the ``angr.Project`` built for the image.

    A blob carries no symbol table of its own. Symbols can be supplied
    afterwards through ``loader.provide_symbol()`` or
    ``loader.provide_symbol_batch()``:

        def provide_symbol(self, owner, name, offset, size=0, sym_type=None):
            return self.provide_symbol_batch(owner, {name: (offset, size, sym_type)})

    where ``owner`` is the Backend object (``loader.main_bin`` can be used),
    ``offset`` is relative to 0 rather than the actual kernel load address,
    and ``sym_type`` is described at
    https://github.com/angr/cle/blob/master/cle/backends/__init__.py#L148
    """
    main_opts = {
        'backend': 'blob',
        'custom_arch': arch,
        'custom_base_addr': base,
        'segments': segments,
    }
    # auto_load_libs=False: load the image on its own, without pulling in
    # shared libraries.
    loader_opts = {'auto_load_libs': False, 'main_opts': main_opts}
    return angr.Project(path, load_options=loader_opts, arch=arch)
開發者ID:fiberx,項目名稱:fiber,代碼行數:19,代碼來源:utils_sig.py

示例6: run_tracker

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import Project [as 別名]
def run_tracker(track_mem, use_bp):
    """Run StackPointerTracker over ``main`` of the x86_64 fauxware binary.

    :param track_mem: forwarded as ``track_memory`` to the analysis.
    :param use_bp: when true, the base-pointer register is tracked as well.
    :return: the stack-pointer result of ``offset_after(0x4007d4, ...)``, or
             a ``(sp_result, bp_result)`` tuple when ``use_bp`` is true.
    """
    binary = os.path.join(test_location, 'x86_64', 'fauxware')
    proj = angr.Project(binary, auto_load_libs=False)
    # Populate the knowledge base so that 'main' can be looked up by name.
    proj.analyses.CFGFast()
    main_func = proj.kb.functions['main']

    sp_reg = proj.arch.sp_offset
    tracked = {sp_reg}
    bp_reg = proj.arch.bp_offset if use_bp else None
    if use_bp:
        tracked.add(bp_reg)

    tracker = proj.analyses.StackPointerTracker(main_func, tracked, track_memory=track_mem)
    sp_result = tracker.offset_after(0x4007d4, sp_reg)
    if not use_bp:
        return sp_result
    return sp_result, tracker.offset_after(0x4007d4, bp_reg)
開發者ID:angr,項目名稱:angr,代碼行數:18,代碼來源:test_stack_pointer_tracker.py

示例7: test_find_prototype

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import Project [as 別名]
def test_find_prototype():
    """Check that ``find_declaration()`` supplies strcmp's prototype.

    Before the declaration is looked up, asking the calling convention for
    argument locations must raise ``ValueError``; afterwards it must report
    two arguments held in ``rdi`` and ``rsi``.
    """
    binary = os.path.join(test_location, 'x86_64', 'all')
    project = angr.Project(binary, auto_load_libs=False)

    recovered = project.analyses.CFG()

    strcmp = recovered.kb.functions.function(name='strcmp', plt=False)
    default_cc = angr.calling_conventions.DEFAULT_CC[project.arch.name]
    strcmp.calling_convention = default_cc(project.arch)

    # Without a prototype SimCC.arg_locs() has nothing to work from.
    nose.tools.assert_raises(ValueError, strcmp.calling_convention.arg_locs)

    strcmp.find_declaration()

    # The prototype is known now, so the same call succeeds.
    locations = strcmp.calling_convention.arg_locs()

    nose.tools.assert_equal(len(locations), 2)
    for index, register in enumerate(('rdi', 'rsi')):
        nose.tools.assert_equal(locations[index].reg_name, register)
開發者ID:angr,項目名稱:angr,代碼行數:20,代碼來源:test_prototypes.py

示例8: test_additional_edges

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import Project [as 別名]
def test_additional_edges():
    """Test the `additional_edges` parameter of CFG generation.

    Three targets are supplied by hand for the jump at 0x400573. All three
    must appear in the graph, while 0x4005ad, which was not supplied, must
    not.
    """
    switch_binary = os.path.join(test_location, 'x86_64', 'switch')
    project = angr.Project(
        switch_binary,
        use_sim_procedures=True,
        default_analysis_mode='symbolic',
        load_options={'auto_load_libs': False},
    )

    supplied_targets = [0x400580, 0x40058f, 0x40059e]
    # Jump-table resolution is disabled for this test case; otherwise
    # CFGEmulated can automatically find the node 0x4005ad.
    cfg = project.analyses.CFGEmulated(
        context_sensitivity_level=0,
        additional_edges={0x400573: supplied_targets},
        fail_fast=True,
        resolve_indirect_jumps=False,
    )

    for target in supplied_targets:
        nose.tools.assert_not_equal(cfg.get_any_node(target), None)
    nose.tools.assert_equal(cfg.get_any_node(0x4005ad), None)
開發者ID:angr,項目名稱:angr,代碼行數:23,代碼來源:test_cfgemulated.py

示例9: test_cfg_6

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import Project [as 別名]
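def test_cfg_6():
    """Check that CFGEmulated recovers the expected functions of a BIOS image.

    DO_CCALLS is added to the shared 'fastpath' option mode for the duration
    of the test and the mode is put back afterwards, also when the analysis
    or the assertion fails.
    """
    function_addresses = [0xfa630, 0xfa683, 0xfa6d4, 0xfa707, 0xfa754, 0xfa779, 0xfa7a9, 0xfa7d6, 0xfa844, 0xfa857,
                          0xfa8d9, 0xfa92f, 0xfa959, 0xfa9fb, 0xfabd6, 0xfac61, 0xfacc2, 0xfad29, 0xfaf94, 0xfbd07,
                          0xfc100, 0xfc101, 0xfc14f, 0xfc18e, 0xfc25e, 0xfc261, 0xfc3c6, 0xfc42f, 0xfc4a3, 0xfc4cf,
                          0xfc4db, 0xfc5ba, 0xfc5ef, 0xfc5fe, 0xfc611, 0xfc682, 0xfc6b7, 0xfc7fc, 0xfc8a8, 0xfc8e7,
                          0xfcb42, 0xfcb50, 0xfcb72, 0xfcc3b, 0xfcc7a, 0xfcc8b, 0xfccdc, 0xfd1a3, 0xff06e]

    # We need to add DO_CCALLS to resolve long jmp and support real mode.
    # o.modes is shared by every test in the process, so remember whether the
    # option was already set: the former unconditional `^=` toggle would have
    # removed an option it never added, and it was skipped on failure.
    already_enabled = o.DO_CCALLS in o.modes['fastpath']
    o.modes['fastpath'] |= {o.DO_CCALLS}
    try:
        binary_path = test_location + "/i386/bios.bin.elf"
        proj = angr.Project(binary_path,
                            use_sim_procedures=True,
                            page_size=1)
        cfg = proj.analyses.CFGEmulated(context_sensitivity_level=1, fail_fast=True)  # pylint:disable=unused-variable
        # Every expected address must be among the recovered functions.
        nose.tools.assert_greater_equal(set(proj.kb.functions), set(function_addresses))
    finally:
        if not already_enabled:
            o.modes['fastpath'] -= {o.DO_CCALLS}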
開發者ID:angr,項目名稱:angr,代碼行數:18,代碼來源:test_cfgemulated.py

示例10: test_max_steps

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import Project [as 別名]
def test_max_steps():
    """Check that ``max_steps=5`` bounds the depth of the emulated CFG.

    The graph is walked depth-first and every node is given the largest
    depth seen for it along the visited edges; none may exceed 5.
    """
    fauxware = os.path.join(test_location, "x86_64", "fauxware")
    project = angr.Project(fauxware, load_options={'auto_load_libs': False})
    cfg = project.analyses.CFGEmulated(max_steps=5, fail_fast=True)

    depths = {}
    for parent, child in networkx.dfs_edges(cfg.graph):
        # A node first seen as an edge source is treated as a root.
        child_depth = depths.setdefault(parent, 0) + 1
        depths[child] = max(child_depth, depths.get(child, child_depth))

    nose.tools.assert_less_equal(max(depths.values()), 5)
開發者ID:angr,項目名稱:angr,代碼行數:19,代碼來源:test_cfgemulated.py

示例11: test_abort_and_resume

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import Project [as 別名]
def test_abort_and_resume():
    """Check that an aborted CFGEmulated run can be resumed to completion.

    ``CFGEmulatedAborted`` (defined in the enclosing test module) is
    registered as an analysis and driven through its class-level
    ``should_abort`` flag: with the flag set the run must leave jobs behind,
    and after clearing it ``resume()`` must drain them.
    """
    angr.analyses.AnalysesHub.register_default('CFGEmulatedAborted', CFGEmulatedAborted)

    # The flag is kept off while the project is loaded.
    CFGEmulatedAborted.should_abort = False
    fauxware = os.path.join(test_location, "x86_64", "fauxware")
    project = angr.Project(fauxware, auto_load_libs=False)

    CFGEmulatedAborted.should_abort = True
    partial_cfg = project.analyses.CFGEmulatedAborted()
    leftover = list(partial_cfg.jobs)
    nose.tools.assert_greater(len(leftover), 0)  # there should be left-over jobs

    CFGEmulatedAborted.should_abort = False
    partial_cfg.resume()

    remaining = list(partial_cfg.jobs)
    nose.tools.assert_equal(len(remaining), 0)  # no left-over job
開發者ID:angr,項目名稱:angr,代碼行數:18,代碼來源:test_cfgemulated.py

示例12: broken_cacher

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import Project [as 別名]
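def broken_cacher():
    """Exercise the Cacher exploration technique on the fauxware binary.

    A first simulation manager runs with a Cacher configured with
    ``when=0x4006ee`` and a container file. A second manager is given a
    Cacher pointing at the same container; it must start at 0x4006ed and
    finish with the same number of dead-ended states, the first three of
    which must also be dead-end addresses of the first run.

    The scratch directory holding the container is removed afterwards, also
    when an assertion fails.
    """
    # Function-scope import: the module's import block is not part of this
    # listing.
    import shutil

    p = angr.Project(os.path.join(location, 'x86_64', 'fauxware'), load_options={'auto_load_libs': False})

    # mkdtemp() creates a directory accessible only to the creating user, so
    # the container cannot be swapped by another local account between the
    # write and the later read.
    tmp_dir = tempfile.mkdtemp(prefix='test_cacher_container')
    try:
        container = os.path.join(tmp_dir, '%s.cache' % os.path.basename(p.filename))

        pg = p.factory.simulation_manager()
        pg.use_technique(angr.exploration_techniques.Cacher(when=0x4006ee, container=container))
        pg.run()

        # No `when` here: this Cacher is only handed the existing container.
        pg2 = p.factory.simulation_manager()
        pg2.use_technique(angr.exploration_techniques.Cacher(container=container))
        nose.tools.assert_equal(pg2.active[0].addr, 0x4006ed)

        pg2.run()

        nose.tools.assert_equal(len(pg2.deadended), len(pg.deadended))
        first_run_addrs = [s.addr for s in pg.deadended]
        for index in range(3):
            nose.tools.assert_true(pg2.deadended[index].addr in first_run_addrs)
    finally:
        # The temporary directory used to be left behind on every run.
        shutil.rmtree(tmp_dir, ignore_errors=True)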
開發者ID:angr,項目名稱:angr,代碼行數:22,代碼來源:test_cacher.py

示例13: test_jumptable_occupied_as_data

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import Project [as 別名]
def test_jumptable_occupied_as_data():
    """Check that CFGFast marks a resolved jump table as data.

    Regression test for GitHub issue #1671, run against the i386 Windows
    ``printenv.exe`` test binary.
    """
    binary = os.path.join(test_location, "i386", "windows", "printenv.exe")
    project = angr.Project(binary, auto_load_libs=False)
    cfg = project.analyses.CFGFast()

    jump_site = 0x402e4d    # the indirect jump
    table_start = 0x402e54  # first entry of its jump table

    # the jump at 0x402e4d uses a table of 10 entries, 4 bytes each
    assert jump_site in cfg.indirect_jumps
    indirect_jump = cfg.indirect_jumps[jump_site]
    assert indirect_jump.jumptable is True
    assert indirect_jump.jumptable_addr == table_start
    assert indirect_jump.jumptable_size == 4 * 10
    assert indirect_jump.jumptable_entry_size == 4

    # the 40 bytes of the table, starting at 0x402e54, should be marked as "data"
    for entry_addr in range(table_start, table_start + 40, 4):
        assert cfg._seg_list.occupied_by_sort(entry_addr) == "data"

    # node 0x402e4d should have 10 successors
    jump_node = cfg.model.get_any_node(jump_site)
    assert len(jump_node.successors) == 10
開發者ID:angr,項目名稱:angr,代碼行數:22,代碼來源:test_jumptables.py

示例14: angr_cfg

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import Project [as 別名]
def angr_cfg(sample):
    """Render the CFG of a sample binary twice: as assembly and as VEX.

    :param sample: file name of the sample; it is appended to ``samples_dir``
                   to locate the binary and used as the prefix of the two
                   output names (``<sample>_angr_asm`` and
                   ``<sample>_angr_vex``, PNG format).
    """
    project = angr.Project(samples_dir + sample, load_options={'auto_load_libs':False})
    entry = project.loader.main_object.get_symbol("main").rebased_addr

    # Start from a blank state at main with a zero pushed on the stack.
    base_state = project.factory.blank_state(addr=entry)
    base_state.stack_push(0x0)
    cfg = project.analyses.CFGFast(
        fail_fast=True,
        function_starts=[entry],
        base_state=base_state,
        normalize=False,
    )

    # (output suffix, show assembly, show VEX) for each rendering pass
    renderings = (
        ('_angr_asm', True, False),
        ('_angr_vex', False, True),
    )
    for suffix, show_asm, show_vex in renderings:
        vis = AngrVisFactory().default_cfg_pipeline(cfg, asminst=show_asm, vexinst=show_vex)
        vis.set_output(DotOutput(sample + suffix, format="png"))
        vis.process(cfg.graph)
開發者ID:axt,項目名稱:bingraphvis,代碼行數:17,代碼來源:cfg.py

示例15: __init__

# 需要導入模塊: import angr [as 別名]
# 或者: from angr import Project [as 別名]
def __init__(self, binary, crash=None):
        """
        Confirm that the input crashes the binary, then set up and start the analysis.

        :param binary: path to the binary which crashed
        :param crash: string of input which crashed the binary
        :raises CrashFuzzerException: if the runner does not report a crash
        """

        self.binary = binary
        self.crash = crash

        # Replay the input first and refuse to continue unless it crashes.
        # NOTE(review): QEMURunner presumably executes the target concretely;
        # confirm the test host is isolated when the binary is not trusted.
        runner = tracer.QEMURunner(self.binary, input=self.crash, record_core=True)
        if not runner.crash_mode:
            raise CrashFuzzerException("input did not crash the binary")

        self._p = angr.Project(self.binary)

        # Register values reported by the crashing run.
        self.orig_regs = runner.reg_vals

        # Bookkeeping, all empty until the analysis fills it in.
        self.pool = None
        self.byte_analysis = {}
        self._bases = {}
        self.skip_bytes = set()
        self.skip_sets = set()
        self.regs_to_numbers = {}
        self.used_bytes = set()
        self.byte_translation_funcs = []
        self.byte_translation_calls = {}
        self._bit_patterns = {}

        # Construction kicks off the whole analysis.
        self.make_bases()
        self.run()
開發者ID:angr,項目名稱:rex,代碼行數:33,代碼來源:fuzzing_type_1.py


注:本文中的angr.Project方法示例由純淨天空整理自Github/MSDocs等開源代碼及文檔管理平台,相關代碼片段篩選自各路編程大神貢獻的開源項目,源碼版權歸原作者所有,傳播和使用請參考對應項目的License;未經允許,請勿轉載。