def analyze(b, addr, name=None):
    """Plot the emulated CFG of *b* from *addr*, then plot every explored state's path.

    Steps:
      1. Build a ``CFGEmulated`` (context sensitivity 5, normalized, states kept)
         from a blank state at *addr* with ``0x0`` pushed as return address,
         inside the ``hook0(b)`` context, and plot it as ``<name>_cfg``.
      2. Run a simulation manager from a fresh blank state (conservative read
         strategy plus angr's resilience options), stepped with
         ``NormalizedSteps(cfg)``. After each step, states whose current block
         address already appears in their history go to ``looping`` and states
         that reached address 0 go to ``found``; the manager is printed each step.
      3. Plot every state of every stash as ``<name>_cfg_<stash>_<index>``.

    Args:
        b: angr project under analysis.
        addr: start address for CFG recovery and for the symbolic run.
        name: prefix of the emitted plot files (``None`` is rendered literally).

    Returns:
        None; all output goes through ``plot_cfg``.
    """
    seed = b.factory.blank_state(addr=addr)
    seed.stack_push(0x0)  # fake return address; returning to 0 is treated as "found" below
    with hook0(b):
        cfg = b.analyses.CFGEmulated(
            fail_fast=True,
            starts=[addr],
            initial_state=seed,
            context_sensitivity_level=5,
            keep_state=True,
            call_depth=100,
            normalize=True,
        )
    plot_cfg(cfg, "%s_cfg" % name, asminst=True, vexinst=False, debug_info=False,
             remove_imports=False, remove_path_terminator=False)

    run_options = {angr.sim_options.CONSERVATIVE_READ_STRATEGY} | angr.sim_options.resilience_options
    explore_state = b.factory.blank_state(addr=addr, add_options=run_options)
    explore_state.stack_push(0x0)
    simgr = b.factory.simgr(explore_state)
    simgr.use_technique(NormalizedSteps(cfg))

    def check_loops(state):
        """True when the newest block address occurs more than once in the history."""
        newest = state.history.bbl_addrs[-1]
        visits = sum(1 for visited in state.history.bbl_addrs if visited == newest)
        return visits > 1

    def step_func(lsimgr):
        """Per-step hook: move looping states and states at address 0 out of ``active``."""
        lsimgr.stash(filter_func=check_loops, from_stash='active', to_stash='looping')
        lsimgr.stash(filter_func=lambda state: state.addr == 0, from_stash='active', to_stash='found')
        print(lsimgr)
        return lsimgr

    simgr.run(step_func=step_func, until=lambda lsimgr: len(lsimgr.active) == 0, n=100)

    for stash, states in simgr.stashes.items():
        for index, state in enumerate(states):
            plot_cfg(cfg, "%s_cfg_%s_%d" % (name, stash, index), state=state, asminst=True,
                     vexinst=False, debug_info=False, remove_imports=True,
                     remove_path_terminator=True)
def analyze(b, addr, name=None):
    """Plot the emulated CFG and the control-dependence graph of *b* rooted at *addr*.

    A ``CFGEmulated`` (context sensitivity 2, normalized, states kept) is built
    inside the ``hook0(b)`` context from a blank state at *addr* with ``0x0``
    pushed as return address. It is plotted as ``<name>_cfg``; the CDG derived
    from it is plotted as ``<name>_cdg`` with post-dominator and call-graph edges.

    Args:
        b: angr project under analysis.
        addr: start address of the recovery.
        name: prefix of the plot files (``None`` is rendered literally).
    """
    entry = b.factory.blank_state(addr=addr)
    entry.stack_push(0x0)  # fake return address for the entry function
    with hook0(b):
        cfg = b.analyses.CFGEmulated(
            fail_fast=True,
            starts=[addr],
            initial_state=entry,
            context_sensitivity_level=2,
            keep_state=True,
            call_depth=100,
            normalize=True,
        )
    cfg_plot_name = "{}_cfg".format(name)
    plot_cfg(cfg, cfg_plot_name, asminst=True, vexinst=False, debug_info=False,
             remove_imports=True, remove_path_terminator=True)

    cdg = b.analyses.CDG(cfg=cfg, start=addr)
    cdg_plot_name = "{}_cdg".format(name)
    plot_cdg(cfg, cdg, cdg_plot_name, pd_edges=True, cg_edges=True)
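def analyze(b, addr, name=None):
    """Recover the emulated CFG of *b* from *addr* and write it out in several renderings.

    Emits, via ``plot_cfg``:
      * ``<name>_<func>_cfg`` for every function in *b*'s knowledge base named
        ``main`` or ``verify``, restricted to that function's address;
      * ``<name>_cfg_full`` (VEX statements and debug info, nothing removed);
      * ``<name>_cfg_classic`` twice, once in the default format and once with
        ``format="raw"``;
      * ``<name>_cfg_<style>`` for each of ``thick, dark, light, black, kyle``
        after ``set_plot_style``.

    Fix: the function loop iterated a module-level ``proj`` instead of the
    project passed in as *b*, so calling this with a different project plotted
    the wrong knowledge base; its loop variable also shadowed the *addr*
    parameter. It now iterates ``b.kb.functions`` with a separate ``fn_addr``.

    Args:
        b: angr project under analysis.
        addr: start address of the CFG recovery.
        name: prefix of the plot files (``None`` is rendered literally).
    """
    start_state = b.factory.blank_state(addr=addr)
    start_state.stack_push(0x0)  # fake return address for the entry function
    with hook0(b):
        cfg = b.analyses.CFGEmulated(
            fail_fast=True,
            starts=[addr],
            initial_state=start_state,
            context_sensitivity_level=2,
            keep_state=True,
            call_depth=100,
            normalize=True,
        )

    for fn_addr, func in b.kb.functions.items():
        if func.name in ['main', 'verify']:
            plot_cfg(cfg, "%s_%s_cfg" % (name, func.name), asminst=True, vexinst=False,
                     func_addr={fn_addr: True}, debug_info=False,
                     remove_imports=True, remove_path_terminator=True)

    plot_cfg(cfg, "%s_cfg_full" % name, asminst=True, vexinst=True, debug_info=True,
             remove_imports=False, remove_path_terminator=False)
    plot_cfg(cfg, "%s_cfg_classic" % name, asminst=True, vexinst=False, debug_info=False,
             remove_imports=True, remove_path_terminator=True)
    # Same rendering again, but in the "raw" output format.
    plot_cfg(cfg, "%s_cfg_classic" % name, asminst=True, vexinst=False, debug_info=False,
             remove_imports=True, remove_path_terminator=True, format="raw")

    for style in ['thick', 'dark', 'light', 'black', 'kyle']:
        set_plot_style(style)
        plot_cfg(cfg, "%s_cfg_%s" % (name, style), asminst=True, vexinst=False,
                 debug_info=False, remove_imports=True, remove_path_terminator=True)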
def analyze(b, addr, name=None):
    """Plot the transition graph of every non-SimProcedure function of *b*, with region structure.

    A ``CFGEmulated`` (context sensitivity 2, normalized, states kept) is first
    recovered from a blank state at *addr* inside the ``hook0(b)`` context so
    that the knowledge base is populated. Each real function is then run
    through ``RegionIdentifier`` and its transition graph plotted under the
    function's own name with the identified region structure and depth colouring.

    Args:
        b: angr project under analysis.
        addr: start address of the CFG recovery.
        name: unused here; kept for signature parity with the other ``analyze`` variants.
    """
    entry = b.factory.blank_state(addr=addr)
    entry.stack_push(0x0)  # fake return address for the entry function
    with hook0(b):
        b.analyses.CFGEmulated(
            fail_fast=True,
            starts=[addr],
            initial_state=entry,
            context_sensitivity_level=2,
            keep_state=True,
            call_depth=100,
            normalize=True,
        )

    real_functions = (fn for fn in b.kb.functions.values() if not fn.is_simprocedure)
    for fn in real_functions:
        regions = b.analyses.RegionIdentifier(fn)
        plot_func_graph(b, fn.transition_graph, "%s" % fn.name, asminst=True, vexinst=False,
                        structure=regions.region, color_depth=True)
def emulated_cg(project, func_addr):
    """Return a normalized ``CFGEmulated`` of *project* rooted at *func_addr*.

    The analysis runs inside the ``hook0(project)`` context with
    ``fail_fast=False``, context sensitivity 1, no function hints, states kept,
    and advanced backward slicing / symbolic back traversal disabled.

    Args:
        project: angr project under analysis.
        func_addr: address the CFG recovery starts from.

    Returns:
        The ``CFGEmulated`` analysis object.
    """
    cfg_kwargs = dict(
        fail_fast=False,
        starts=[func_addr],
        context_sensitivity_level=1,
        enable_function_hints=False,
        keep_state=True,
        enable_advanced_backward_slicing=False,
        enable_symbolic_back_traversal=False,
        normalize=True,
    )
    with hook0(project):
        return project.analyses.CFGEmulated(**cfg_kwargs)
def emulated_normal(project, func_addr):
    """Return a ``CFGEmulated`` of *project* from *func_addr* seeded with the project's start state.

    The initial state comes from ``AngrProj.project_start_state``; the analysis
    runs inside the ``hook0(project)`` context with ``fail_fast=True``, context
    sensitivity 2, states kept, call depth 100 and normalization.

    Args:
        project: angr project under analysis.
        func_addr: address the CFG recovery starts from.

    Returns:
        The ``CFGEmulated`` analysis object.
    """
    # Initialise the starting state (original comment: "初始化状态机").
    entry_state = AngrProj.project_start_state(project, func_addr)
    cfg_kwargs = dict(
        fail_fast=True,
        starts=[func_addr],
        initial_state=entry_state,
        context_sensitivity_level=2,
        keep_state=True,
        call_depth=100,
        normalize=True,
    )
    with hook0(project):
        return project.analyses.CFGEmulated(**cfg_kwargs)
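def _cfg_emulated(self, start_addr=None, initial_state=None):
    """Recover a CFG of ``self.proj`` by emulation (``CFGEmulated``).

    Fix: ``start_addr`` used a mutable list default (``[0x0]``) that was shared
    across every call; the default is now materialised per call.

    Args:
        start_addr: list of start addresses handed to ``CFGEmulated`` as
            ``starts``; ``None`` (the default) means ``[0x0]``.
        initial_state: optional state handed to ``CFGEmulated`` as ``initial_state``.

    Returns:
        The ``CFGEmulated`` analysis object.
    """
    if start_addr is None:
        start_addr = [0x0]
    # Generate the CFG in emulation mode (original comment: "仿真模式生成 CFG").
    with hook0(self.proj):
        cfg_emu = self.proj.analyses.CFGEmulated(
            fail_fast=False,
            context_sensitivity_level=1,
            starts=start_addr,
            initial_state=initial_state,
            enable_function_hints=False,
            keep_state=True,
            enable_advanced_backward_slicing=False,
            enable_symbolic_back_traversal=False,
            normalize=True,
        )
    return cfg_emu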
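def analyze(b, addr, name=None):
    """Recover the emulated CFG of *b* from *addr* and write it out in several renderings.

    Emits, via ``plot_cfg``:
      * ``<name>_<func>_cfg`` for every function in *b*'s knowledge base named
        ``main`` or ``verify``, restricted to that function's address;
      * ``<name>_cfg_full`` (VEX statements and debug info, nothing removed);
      * ``<name>_cfg_classic`` twice, once in the default format and once with
        ``format="raw"``;
      * ``<name>_cfg_<style>`` for each of ``thick, dark, light, black, kyle``
        after ``set_plot_style``.

    Fix: the function loop iterated a module-level ``proj`` instead of the
    project passed in as *b*, so calling this with a different project plotted
    the wrong knowledge base; its loop variable also shadowed the *addr*
    parameter. It now iterates ``b.kb.functions`` with a separate ``fn_addr``.

    Args:
        b: angr project under analysis.
        addr: start address of the CFG recovery.
        name: prefix of the plot files (``None`` is rendered literally).
    """
    start_state = b.factory.blank_state(addr=addr)
    start_state.stack_push(0x0)  # fake return address for the entry function
    with hook0(b):
        cfg = b.analyses.CFGEmulated(
            fail_fast=True,
            starts=[addr],
            initial_state=start_state,
            context_sensitivity_level=2,
            keep_state=True,
            call_depth=100,
            normalize=True,
        )

    for fn_addr, func in b.kb.functions.items():
        if func.name in ['main', 'verify']:
            plot_cfg(cfg, "%s_%s_cfg" % (name, func.name), asminst=True, vexinst=False,
                     func_addr={fn_addr: True}, debug_info=False,
                     remove_imports=True, remove_path_terminator=True)

    plot_cfg(cfg, "%s_cfg_full" % name, asminst=True, vexinst=True, debug_info=True,
             remove_imports=False, remove_path_terminator=False)
    plot_cfg(cfg, "%s_cfg_classic" % name, asminst=True, vexinst=False, debug_info=False,
             remove_imports=True, remove_path_terminator=True)
    # Same rendering again, but in the "raw" output format.
    plot_cfg(cfg, "%s_cfg_classic" % name, asminst=True, vexinst=False, debug_info=False,
             remove_imports=True, remove_path_terminator=True, format="raw")

    for style in ['thick', 'dark', 'light', 'black', 'kyle']:
        set_plot_style(style)
        plot_cfg(cfg, "%s_cfg_%s" % (name, style), asminst=True, vexinst=False,
                 debug_info=False, remove_imports=True, remove_path_terminator=True)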
def analyze(b, addr, name=None):
    """Recover the emulated CFG of *b* from *addr* and plot it, colouring nodes by depth.

    A ``CFGEmulated`` (context sensitivity 2, normalized, states kept) is built
    inside the ``hook0(b)`` context from a blank state at *addr* with ``0x0``
    pushed as return address, then written out as ``<name>_cfg`` with imports
    and path terminators removed and ``color_depth=True``.

    Args:
        b: angr project under analysis.
        addr: start address of the CFG recovery.
        name: prefix of the plot file (``None`` is rendered literally).
    """
    entry = b.factory.blank_state(addr=addr)
    entry.stack_push(0x0)  # fake return address for the entry function
    cfg_kwargs = dict(
        fail_fast=True,
        starts=[addr],
        initial_state=entry,
        context_sensitivity_level=2,
        keep_state=True,
        call_depth=100,
        normalize=True,
    )
    with hook0(b):
        cfg = b.analyses.CFGEmulated(**cfg_kwargs)

    plot_cfg(cfg, "{}_cfg".format(name), asminst=True, vexinst=False, debug_info=False,
             remove_imports=True, remove_path_terminator=True, color_depth=True)
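def test_angr_plot_graph(request):
    """HTTP handler: plot the emulated CFG of one function of a sample binary.

    Request parameters (via ``ReqParams.many``): ``file_id``, ``file_name`` and
    ``func_addr`` (parsed as hex). When ``file_id`` is empty, ``file_name`` is
    loaded from the samples directory with angr (no auto-loaded libraries), a
    ``CFGEmulated`` is recovered from ``func_addr`` and plotted to a random file
    in the temporary directory. Otherwise the graph is produced through
    ``FunctionParse(file_id, func_addr).cfg_graph()``.

    Fix: ``file_name`` comes straight from the request and was joined onto the
    samples directory unchecked, so a name containing path separators or
    ``..`` could make angr open an arbitrary file on the host. It is now
    required to be a bare file name whose resolved path lies directly inside
    the samples directory; anything else is answered with ``INVALID_REQ_PARAM``.

    Returns:
        ``sys_app_ok()`` on success, ``sys_app_err_p(...)`` on invalid input.
    """
    file_id, file_name, func_addr = ReqParams.many(request, ['file_id', 'file_name', 'func_addr.hex'])
    if not file_id:
        if not file_name:
            return sys_app_err_p('INVALID_REQ_PARAM', 'file_id 或 file_name 必填其一')

        samples_dir = os.path.realpath(MyPath.samples())
        file_path = os.path.realpath(os.path.join(samples_dir, file_name))
        # Path-traversal guard: only a bare name that resolves (symlinks included)
        # to a direct child of the samples directory is accepted.
        if os.path.basename(file_name) != file_name or os.path.dirname(file_path) != samples_dir:
            return sys_app_err_p('INVALID_REQ_PARAM',
                                 'file_name must be a plain file name inside the samples directory')

        project = angr.Project(file_path, load_options={'auto_load_libs': False})
        start_state = project.factory.blank_state(addr=func_addr)
        start_state.stack_push(0x0)  # fake return address for the analysed function
        with hook0(project):
            cfg = project.analyses.CFGEmulated(
                fail_fast=True,
                starts=[func_addr],
                initial_state=start_state,
                context_sensitivity_level=2,
                keep_state=True,
                call_depth=100,
                normalize=True,
            )
        graph_file = os.path.join(MyPath.temporary(), StrUtils.uuid_str())
        plot_cfg(cfg, graph_file, asminst=True, vexinst=False, func_addr={func_addr: True},
                 debug_info=False, remove_imports=True, remove_path_terminator=True)
        # NOTE(review): graph_file is written but never returned to the caller — confirm
        # whether the response is meant to carry it.
    else:
        func_parse = FunctionParse(file_id, func_addr)
        content = func_parse.cfg_graph()
        # NOTE(review): content is computed but unused; presumably meant for the response.

    return sys_app_ok()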
def analyze(b, addr, name=None):
    """Plot the emulated CFG of *b* from *addr*, then plot the path of every explored state.

    First a ``CFGEmulated`` (context sensitivity 5, normalized, states kept) is
    built inside the ``hook0(b)`` context from a blank state at *addr* with
    ``0x0`` pushed as return address, and plotted as ``<name>_cfg``. Then a
    simulation manager is started from a fresh blank state (conservative read
    strategy plus angr's resilience options) and stepped with
    ``NormalizedSteps(cfg)`` for at most 100 steps or until ``active`` is empty;
    after each step, states whose newest block address already occurs in their
    history move to ``looping``, states at address 0 move to ``found``, and the
    manager is printed. Finally each state of each stash is plotted as
    ``<name>_cfg_<stash>_<index>``.

    Args:
        b: angr project under analysis.
        addr: start address for CFG recovery and for the symbolic run.
        name: prefix of the plot files (``None`` is rendered literally).
    """
    cfg_state = b.factory.blank_state(addr=addr)
    cfg_state.stack_push(0x0)  # fake return address; a state returning to 0 ends up in "found"
    with hook0(b):
        cfg = b.analyses.CFGEmulated(fail_fast=True, starts=[addr], initial_state=cfg_state,
                                     context_sensitivity_level=5, keep_state=True,
                                     call_depth=100, normalize=True)
    plot_cfg(cfg, "{}_cfg".format(name), asminst=True, vexinst=False, debug_info=False,
             remove_imports=False, remove_path_terminator=False)

    extra_options = {angr.sim_options.CONSERVATIVE_READ_STRATEGY}
    extra_options |= angr.sim_options.resilience_options
    run_state = b.factory.blank_state(addr=addr, add_options=extra_options)
    run_state.stack_push(0x0)
    simgr = b.factory.simgr(run_state)
    simgr.use_technique(NormalizedSteps(cfg))

    def check_loops(state):
        """True when the newest block address was already visited earlier on this path."""
        newest = state.history.bbl_addrs[-1]
        occurrences = 0
        for visited in state.history.bbl_addrs:
            occurrences += visited == newest
        return occurrences > 1

    def at_address_zero(state):
        return state.addr == 0

    def step_func(lsimgr):
        """Per-step hook: separate looping states and states at address 0 from ``active``."""
        lsimgr.stash(filter_func=check_loops, from_stash='active', to_stash='looping')
        lsimgr.stash(filter_func=at_address_zero, from_stash='active', to_stash='found')
        print(lsimgr)
        return lsimgr

    def no_active_states(lsimgr):
        return len(lsimgr.active) == 0

    simgr.run(step_func=step_func, until=no_active_states, n=100)

    for stash_name in simgr.stashes:
        for index, state in enumerate(simgr.stashes[stash_name]):
            plot_name = "{}_cfg_{}_{}".format(name, stash_name, index)
            plot_cfg(cfg, plot_name, state=state, asminst=True, vexinst=False,
                     debug_info=False, remove_imports=True, remove_path_terminator=True)