def do_run_test(project, test, apis, run_state, should_call_state): """Symbolically executes a single test function.""" if should_call_state: test_state = project.factory.call_state(test.ea, base_state=run_state) else: test_state = run_state mc = DeepAngr(state=test_state) # Tell the system that we're using symbolic execution. mc.write_uint32_t(apis["UsingSymExec"], 8589934591) mc.begin_test(test) del mc errored = [] test_manager = angr.SimulationManager(project=project, active_states=[test_state], errored=errored) try: test_manager.run() except Exception as e: L.error("Uncaught exception: {}\n{}".format(e, traceback.format_exc())) for state in test_manager.deadended: DeepAngr(state=state).report() for error in test_manager.errored: da = DeepAngr(state=error.state) da.crash_test() da.report()
def do_run_test(project, test, apis, run_state): """Symbolically executes a single test function.""" test_state = project.factory.call_state( test.ea, base_state=run_state) mc = DeepAngr(state=test_state) mc.begin_test(test) del mc errored = [] test_manager = angr.SimulationManager( project=project, active_states=[test_state], errored=errored) try: test_manager.run() except Exception as e: L.error("Uncaught exception: {}\n{}".format(e, traceback.format_exc())) for state in test_manager.deadended: DeepAngr(state=state).report() for error in test_manager.errored: da = DeepAngr(state=error.state) da.crash_test() da.report()
def main_take_over(args, project, takeover_symbol): takeover_ea = find_symbol_ea(project, takeover_symbol) if not args.klee: hook_function(project, takeover_ea, TakeOver) if not takeover_ea: L.critical("Cannot find symbol `{}` in binary `{}`".format( takeover_symbol, args.binary)) return 1 entry_state = project.factory.entry_state( add_options={ angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY, angr.options.STRICT_PAGE_ACCESS }) # addr_size_bits = entry_state.arch.bits # Concretely execute up until `DeepState_TakeOver`. concrete_manager = angr.SimulationManager(project=project, active_states=[entry_state]) concrete_manager.explore(find=takeover_ea) try: takeover_state = concrete_manager.found[0] except: L.critical("Execution never hit `{}` in binary `{}`".format( takeover_symbol, args.binary)) return 1 try: run_state = takeover_state.step().successors[0] except: L.critical("Unable to exit from `{}` in binary `{}`".format( takeover_symbol, args.binary)) return 1 # Read the API table, which will tell us about the location of various # symbols. Technically we can look these up with the `labels.lookup` API, # but we have the API table for Manticore-compatibility, so we may as well # use it. ea_of_api_table = find_symbol_ea(project, 'DeepState_API') if not ea_of_api_table: L.critical("Could not find API table in binary `{}`".format( args.binary)) return 1 _, apis = hook_apis(args, project, run_state) fake_test = TestInfo(takeover_ea, '_takeover_test', '_takeover_file', 0) return run_test(project, fake_test, apis, run_state, should_call_state=False)
def main_unit_test(args, project): setup_ea = find_symbol_ea(project, 'DeepState_Setup') if not setup_ea: L.critical( "Cannot find symbol `DeepState_Setup` in binary `{}`".format( args.binary)) return 1 entry_state = project.factory.entry_state( add_options={ angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY, angr.options.STRICT_PAGE_ACCESS }) addr_size_bits = entry_state.arch.bits # Concretely execute up until `DeepState_Setup`. concrete_manager = angr.SimulationManager(project=project, active_states=[entry_state]) concrete_manager.explore(find=setup_ea) try: run_state = concrete_manager.found[0] except: L.critical( "Execution never hit `DeepState_Setup` in binary `{}`".format( args.binary)) return 1 # Hook the DeepState API functions. mc, apis = hook_apis(project, run_state) # Find the test cases that we want to run. tests = mc.find_test_cases() del mc L.info("Running {} tests across {} workers".format(len(tests), args.num_workers)) pool = multiprocessing.Pool(processes=max(1, args.num_workers)) results = [] # For each test, create a simulation manager whose initial state calls into # the test case function. test_managers = [] for test in tests: res = pool.apply_async(run_test, (project, test, apis, run_state)) results.append(res) pool.close() pool.join() return 0
def main(): """Run DeepState.""" args = DeepAngr.parse_args() try: project = angr.Project( args.binary, use_sim_procedures=True, translation_cache=True, support_selfmodifying_code=False, auto_load_libs=True, exclude_sim_procedures_list=['printf', '__printf_chk', 'vprintf', '__vprintf_chk', 'fprintf', '__fprintf_chk', 'vfprintf', '__vfprintf_chk', 'puts', 'abort', '__assert_fail', '__stack_chk_fail']) except Exception as e: L.critical("Cannot create Angr instance on binary {}: {}".format( args.binary, e)) return 1 setup_ea = find_symbol_ea(project, 'DeepState_Setup') if not setup_ea: L.critical("Cannot find symbol `DeepState_Setup` in binary `{}`".format( args.binary)) return 1 entry_state = project.factory.entry_state( add_options={angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY, angr.options.STRICT_PAGE_ACCESS}) addr_size_bits = entry_state.arch.bits # Concretely execute up until `DeepState_Setup`. concrete_manager = angr.SimulationManager( project=project, active_states=[entry_state]) concrete_manager.explore(find=setup_ea) try: run_state = concrete_manager.found[0] except: L.critical("Execution never hit `DeepState_Setup` in binary `{}`".format( args.binary)) return 1 # Read the API table, which will tell us about the location of various # symbols. Technically we can look these up with the `labels.lookup` API, # but we have the API table for Manticore-compatibility, so we may as well # use it. ea_of_api_table = find_symbol_ea(project, 'DeepState_API') if not ea_of_api_table: L.critical("Could not find API table in binary `{}`".format(args.binary)) return 1 mc = DeepAngr(state=run_state) apis = mc.read_api_table(ea_of_api_table) # Hook various functions. hook_function(project, apis['IsSymbolicUInt'], IsSymbolicUInt) hook_function(project, apis['ConcretizeData'], ConcretizeData) hook_function(project, apis['ConcretizeCStr'], ConcretizeCStr) hook_function(project, apis['MinUInt'], MinUInt) hook_function(project, apis['MaxUInt'], MaxUInt) hook_function(project, apis['Assume'], Assume) hook_function(project, apis['Pass'], Pass) hook_function(project, apis['Crash'], Crash) hook_function(project, apis['Fail'], Fail) hook_function(project, apis['Abandon'], Abandon) hook_function(project, apis['SoftFail'], SoftFail) hook_function(project, apis['Log'], Log) hook_function(project, apis['StreamInt'], StreamInt) hook_function(project, apis['StreamFloat'], StreamFloat) hook_function(project, apis['StreamString'], StreamString) hook_function(project, apis['ClearStream'], ClearStream) hook_function(project, apis['LogStream'], LogStream) # Find the test cases that we want to run. tests = mc.find_test_cases() del mc L.info("Running {} tests across {} workers".format( len(tests), args.num_workers)) pool = multiprocessing.Pool(processes=max(1, args.num_workers)) results = [] # For each test, create a simulation manager whose initial state calls into # the test case function. test_managers = [] for test in tests: res = pool.apply_async(run_test, (project, test, apis, run_state)) results.append(res) pool.close() pool.join() return 0