def main(): parser = argparse.ArgumentParser(description='Follow a concrete trace') parser.add_argument('-f', '--explore_from', help='Value of PC from which to explore symbolically', type=str) parser.add_argument('-t', '--explore_to', type=str, default=sys.maxsize, help="Value of PC until which to explore symbolically. (Probably don't want this set)") parser.add_argument('--verbose', '-v', action='count', default=0, help='Increase verbosity') parser.add_argument('cmd', type=str, nargs='+', help='Program and arguments. Use "--" to separate script arguments from target arguments') args = parser.parse_args(sys.argv[1:]) range = None if args.explore_from: range = (args.explore_from, args.explore_to) # Create a concrete Manticore and record it m1 = Manticore.linux(args.cmd[0], args.cmd[1:]) t = ExtendedTracer() r = TraceReceiver(t) m1.verbosity(args.verbose) m1.register_plugin(t) m1.register_plugin(r) m1.run(procs=1) time.sleep(3) # Create a symbolic Manticore and follow last trace symbolic_args = ['+'*len(arg) for arg in args.cmd[1:]] m2 = Manticore.linux(args.cmd[0], symbolic_args) f = Follower(r.trace) if range: f.add_symbolic_range(*range) m2.verbosity(args.verbose) m2.register_plugin(f) m2.run()
def symbolic_run_get_cons(trace): ''' Execute a symbolic run that follows a concrete run; return constraints generated and the stdin data produced ''' m2 = Manticore.linux(prog, workspace_url='mem:') f = Follower(trace) m2.verbosity(VERBOSITY) m2.register_plugin(f) def on_term_testcase(mcore, state, stateid, err): with m2.locked_context() as ctx: readdata = [] for name, fd, data in state.platform.syscall_trace: if name in ('_receive', '_read') and fd == 0: readdata.append(data) ctx['readdata'] = readdata ctx['constraints'] = list(state.constraints.constraints) m2.subscribe('will_terminate_state', on_term_testcase) m2.run() constraints = m2.context['constraints'] datas = m2.context['readdata'] return constraints, datas
def concrete_run_get_trace(inp): m1 = Manticore.linux(prog, concrete_start=inp, workspace_url='mem:') t = ExtendedTracer() r = TraceReceiver(t) m1.verbosity(VERBOSITY) m1.register_plugin(t) m1.register_plugin(r) m1.run(procs=1) return r.trace
def test_symbolic_argv_envp(self): self.m = Manticore.linux('tests/binaries/arguments_linux_amd64', argv=['+'], envp={'TEST': '+'}) state = self.m.initial_state ptr = state.cpu.read_int(state.cpu.RSP + (8*2)) # get argv[1] mem = state.cpu.read_bytes(ptr, 2) self.assertTrue(issymbolic(mem[0])) self.assertEqual(mem[1], '\0') ptr = state.cpu.read_int(state.cpu.RSP + (8*4)) # get envp[0] mem = state.cpu.read_bytes(ptr, 7) self.assertEqual(''.join(mem[:5]), 'TEST=') self.assertEqual(mem[6], '\0') self.assertTrue(issymbolic(mem[5]))
def test_symbolic_argv_envp(self): dirname = os.path.dirname(__file__) self.m = Manticore.linux(os.path.join(dirname, 'binaries', 'arguments_linux_amd64'), argv=['+'], envp={'TEST': '+'}) state = self.m.initial_state ptr = state.cpu.read_int(state.cpu.RSP + (8 * 2)) # get argv[1] mem = state.cpu.read_bytes(ptr, 2) self.assertTrue(issymbolic(mem[0])) self.assertEqual(mem[1], b'\0') ptr = state.cpu.read_int(state.cpu.RSP + (8 * 4)) # get envp[0] mem = state.cpu.read_bytes(ptr, 7) self.assertEqual(b''.join(mem[:5]), b'TEST=') self.assertEqual(mem[6], b'\0') self.assertTrue(issymbolic(mem[5]))