`angr` — Analysis and Coordination

Project

angr.project.load_shellcode(shellcode, arch, start_offset=0, load_address=0, thumb=False, **kwargs)

Load a new project based on a snippet of assembly or bytecode.

Parameters

shellcode – The data to load, as either a bytestring of instructions or a string of assembly text
arch – The name of the arch to use, or an archinfo class
start_offset – The offset into the data to start analysis (default 0)
load_address – The address to place the data in memory (default 0)
thumb – Whether this is ARM Thumb shellcode

class angr.project.Project(thing, default_analysis_mode=None, ignore_functions=None, use_sim_procedures=True, exclude_sim_procedures_func=None, exclude_sim_procedures_list=(), arch=None, simos=None, engine=None, load_options: Optional[Dict[str, Any]] = None, translation_cache=True, support_selfmodifying_code=False, store_function=None, load_function=None, analyses_preset=None, concrete_target=None, **kwargs)

Bases: object

This is the main class of the angr module. It is meant to contain a set of binaries and the relationships between them, and perform analyses on them.

Parameters: thing – The path to the main executable object to analyze, or a CLE Loader object.

The following parameters are optional.

Parameters

default_analysis_mode – The mode of analysis to use by default. Defaults to ‘symbolic’.
ignore_functions – A list of function names that, when imported from shared libraries, should never be stepped into in analysis (calls will return an unconstrained value).
use_sim_procedures – Whether to replace resolved dependencies for which simprocedures are available with said simprocedures.
exclude_sim_procedures_func – A function that, when passed a function name, returns whether or not to wrap it with a simprocedure.
exclude_sim_procedures_list – A list of functions to not wrap with simprocedures.
arch – The target architecture (auto-detected otherwise).
simos – a SimOS class to use for this project.
engine – The SimEngine class to use for this project.
translation_cache (bool) – If True, cache translated basic blocks rather than re-translating them.
support_selfmodifying_code (bool) – Whether we aggressively support self-modifying code. When enabled, emulation will try to read code from the current state instead of the original memory, regardless of the current memory protections.
store_function – A function that defines how the Project should be stored. Default to pickling.
load_function – A function that defines how the Project should be loaded. Default to unpickling.
analyses_preset (angr.misc.PluginPreset) – The plugin preset for the analyses provider (i.e. Analyses instance).

Any additional keyword arguments passed will be passed onto cle.Loader.

Variables

analyses – The available analyses.
entry – The program entrypoint.
factory – Provides access to important analysis elements such as path groups and symbolic execution results.
filename – The filename of the executable.
loader – The program loader.
storage – Dictionary of things that should be loaded/stored with the Project.

arch: archinfo.arch.Arch

analyses: angr.analyses.analysis.AnalysesHub

hook(addr, hook=None, length=0, kwargs=None, replace=False)

Hook a section of code with a custom function. This is used internally to provide symbolic summaries of library functions, and can be used to instrument execution or to modify control flow.

When hook is not specified, it returns a function decorator that allows easy hooking. Usage:

# Assuming proj is an instance of angr.Project, we will add a custom hook at the entry
# point of the project.
@proj.hook(proj.entry)
def my_hook(state):
    print("Welcome to execution!")

Parameters

addr – The address to hook.
hook – A angr.project.Hook describing a procedure to run at the given address. You may also pass in a SimProcedure class or a function directly and it will be wrapped in a Hook object for you.
length – If you provide a function for the hook, this is the number of bytes that will be skipped by executing the hook by default.
kwargs – If you provide a SimProcedure for the hook, these are the keyword arguments that will be passed to the procedure’s run method eventually.
replace – Control the behavior on finding that the address is already hooked. If true, silently replace the hook. If false (default), warn and do not replace the hook. If none, warn and replace the hook.

is_hooked(addr) → bool

Returns True if addr is hooked.

Parameters: addr – An address.
Returns: True if addr is hooked, False otherwise.

hooked_by(addr) → Optional[angr.sim_procedure.SimProcedure]

Returns the current hook for addr.

Parameters: addr – An address.
Returns: None if the address is not hooked.

unhook(addr)

Remove a hook.

Parameters: addr – The address of the hook.

hook_symbol(symbol_name, simproc, kwargs=None, replace=None)

Resolve a dependency in a binary. Looks up the address of the given symbol, and then hooks that address. If the symbol was not available in the loaded libraries, this address may be provided by the CLE externs object.

Additionally, if instead of a symbol name you provide an address, some secret functionality will kick in and you will probably just hook that address, UNLESS you’re on powerpc64 ABIv1 or some yet-unknown scary ABI that has its function pointers point to something other than the actual functions, in which case it’ll do the right thing.

Parameters

symbol_name – The name of the dependency to resolve.
simproc – The SimProcedure instance (or function) with which to hook the symbol
kwargs – If you provide a SimProcedure for the hook, these are the keyword arguments that will be passed to the procedure’s run method eventually.
replace – Control the behavior on finding that the address is already hooked. If true, silently replace the hook. If false, warn and do not replace the hook. If none (default), warn and replace the hook.

Returns

The address of the new symbol.

Return type

int

is_symbol_hooked(symbol_name)

Check if a symbol is already hooked.

Parameters: symbol_name (str) – Name of the symbol.
Returns: True if the symbol can be resolved and is hooked, False otherwise.
Return type: bool

unhook_symbol(symbol_name): Remove the hook on a symbol. This function will fail if the symbol is provided by the extern object, as that would result in a state where analysis would be unable to cope with a call to this symbol.

rehook_symbol(new_address, symbol_name, stubs_on_sync): Move the hook for a symbol to a specific address :param new_address: the new address that will trigger the SimProc execution :param symbol_name: the name of the symbol (f.i. strcmp ) :return: None

execute(*args, **kwargs)

This function is a symbolic execution helper in the simple style supported by triton and manticore. It designed to be run after setting up hooks (see Project.hook), in which the symbolic state can be checked.

This function can be run in three different ways:

When run with no parameters, this function begins symbolic execution from the entrypoint.

It can also be run with a “state” parameter specifying a SimState to begin symbolic execution from.

Finally, it can accept any arbitrary keyword arguments, which are all passed to project.factory.full_init_state.

If symbolic execution finishes, this function returns the resulting simulation manager.

terminate_execution(): Terminates a symbolic execution that was started with Project.execute().

class angr.factory.AngrObjectFactory(project, default_engine=None)

Bases: object

This factory provides access to important analysis elements.

snippet(addr, jumpkind=None, **block_opts)

successors(*args, engine=None, **kwargs)

Perform execution using an engine. Generally, return a SimSuccessors object classifying the results of the run.

Parameters

state – The state to analyze
engine – The engine to use. If not provided, will use the project default.
addr – optional, an address to execute at instead of the state’s ip
jumpkind – optional, the jumpkind of the previous exit
inline – This is an inline execution. Do not bother copying the state.

Additional keyword arguments will be passed directly into each engine’s process method.

blank_state(**kwargs)

Returns a mostly-uninitialized state object. All parameters are optional.

Parameters

addr – The address the state should start at instead of the entry point.
initial_prefix – If this is provided, all symbolic registers will hold symbolic values with names prefixed by this string.
fs – A dictionary of file names with associated preset SimFile objects.
concrete_fs – bool describing whether the host filesystem should be consulted when opening files.
chroot – A path to use as a fake root directory, Behaves similarly to a real chroot. Used only when concrete_fs is set to True.
kwargs – Any additional keyword args will be passed to the SimState constructor.

Returns

The blank state.

Return type

SimState

entry_state(**kwargs) → angr.sim_state.SimState

Returns a state object representing the program at its entry point. All parameters are optional.

Parameters

addr – The address the state should start at instead of the entry point.
initial_prefix – If this is provided, all symbolic registers will hold symbolic values with names prefixed by this string.
fs – a dictionary of file names with associated preset SimFile objects.
concrete_fs – boolean describing whether the host filesystem should be consulted when opening files.
chroot – a path to use as a fake root directory, behaves similar to a real chroot. used only when concrete_fs is set to True.
argc – a custom value to use for the program’s argc. May be either an int or a bitvector. If not provided, defaults to the length of args.
args – a list of values to use as the program’s argv. May be mixed strings and bitvectors.
env – a dictionary to use as the environment for the program. Both keys and values may be mixed strings and bitvectors.

Returns

The entry state.

Return type

SimState

full_init_state(**kwargs)

Very much like entry_state(), except that instead of starting execution at the program entry point, execution begins at a special SimProcedure that plays the role of the dynamic loader, calling each of the initializer functions that should be called before execution reaches the entry point.

It can take any of the arguments that can be provided to entry_state, except for addr.

call_state(addr, *args, **kwargs)

Returns a state object initialized to the start of a given function, as if it were called with given parameters.

Parameters

addr – The address the state should start at instead of the entry point.
args – Any additional positional arguments will be used as arguments to the function call.

The following parametrs are optional.

Parameters

base_state – Use this SimState as the base for the new state instead of a blank state.
cc – Optionally provide a SimCC object to use a specific calling convention.
ret_addr – Use this address as the function’s return target.
stack_base – An optional pointer to use as the top of the stack, circa the function entry point
alloc_base – An optional pointer to use as the place to put excess argument data
grow_like_stack – When allocating data at alloc_base, whether to allocate at decreasing addresses
toc – The address of the table of contents for ppc64
initial_prefix – If this is provided, all symbolic registers will hold symbolic values with names prefixed by this string.
fs – A dictionary of file names with associated preset SimFile objects.
concrete_fs – bool describing whether the host filesystem should be consulted when opening files.
chroot – A path to use as a fake root directory, Behaves similarly to a real chroot. Used only when concrete_fs is set to True.
kwargs – Any additional keyword args will be passed to the SimState constructor.

Returns

The state at the beginning of the function.

Return type

SimState

The idea here is that you can provide almost any kind of python type in args and it’ll be translated to a binary format to be placed into simulated memory. Lists (representing arrays) must be entirely elements of the same type and size, while tuples (representing structs) can be elements of any type and size. If you’d like there to be a pointer to a given value, wrap the value in a SimCC.PointerWrapper. Any value that can’t fit in a register will be automatically put in a PointerWrapper.

If stack_base is not provided, the current stack pointer will be used, and it will be updated. If alloc_base is not provided, the current stack pointer will be used, and it will be updated. You might not like the results if you provide stack_base but not alloc_base.

grow_like_stack controls the behavior of allocating data at alloc_base. When data from args needs to be wrapped in a pointer, the pointer needs to point somewhere, so that data is dumped into memory at alloc_base. If you set alloc_base to point to somewhere other than the stack, set grow_like_stack to False so that sequencial allocations happen at increasing addresses.

simulation_manager(thing: Optional[Union[List[angr.sim_state.SimState], angr.sim_state.SimState]] = None, **kwargs) → angr.sim_manager.SimulationManager

Constructs a new simulation manager.

Parameters

thing – Optional - What to put in the new SimulationManager’s active stash (either a SimState or a list of SimStates).
kwargs – Any additional keyword arguments will be passed to the SimulationManager constructor

Returns

The new SimulationManager

Return type

angr.sim_manager.SimulationManager

Many different types can be passed to this method:

If nothing is passed in, the SimulationManager is seeded with a state initialized for the program entry point, i.e. entry_state().
If a SimState is passed in, the SimulationManager is seeded with that state.
If a list is passed in, the list must contain only SimStates and the whole list will be used to seed the SimulationManager.

simgr(*args, **kwargs): Alias for simulation_manager to save our poor fingers

callable(addr, prototype=None, concrete_only=False, perform_merge=True, base_state=None, toc=None, cc=None)

A Callable is a representation of a function in the binary that can be interacted with like a native python function.

Parameters

addr – The address of the function to use
prototype – The prototype of the call to use, as a string or a SimTypeFunction
concrete_only – Throw an exception if the execution splits into multiple states
perform_merge – Merge all result states into one at the end (only relevant if concrete_only=False)
base_state – The state from which to do these runs
toc – The address of the table of contents for ppc64
cc – The SimCC to use for a calling convention

Returns

A Callable object that can be used as a interface for executing guest code like a python function.

Return type

angr.callable.Callable

cc()

Return a SimCC (calling convention) parametrized for this project.

Relevant subclasses of SimFunctionArgument are SimRegArg and SimStackArg, and shortcuts to them can be found on this cc object.

For stack arguments, offsets are relative to the stack pointer on function entry.

block(addr: int, size=None, max_size=None, byte_string=None, vex=None, thumb=False, backup_state=None, extra_stop_points=None, opt_level=None, num_inst=None, traceflags=0, insn_bytes=None, insn_text=None, strict_block_end=None, collect_data_refs=False, cross_insn_opt=True, load_from_ro_regions=False, initial_regs=None) → Block
block(addr: archinfo.arch_soot.SootAddressDescriptor, size=None, max_size=None, byte_string=None, vex=None, thumb=False, backup_state=None, extra_stop_points=None, opt_level=None, num_inst=None, traceflags=0, insn_bytes=None, insn_text=None, strict_block_end=None, collect_data_refs=False, cross_insn_opt=True) → SootBlock

fresh_block(addr, size, backup_state=None)

class angr.block.DisassemblerBlock(addr, insns, thumb, arch)

Bases: object

Helper class to represent a block of dissassembled target architecture instructions

addr

insns

thumb

arch

pp()

class angr.block.DisassemblerInsn

Bases: object

Helper class to represent a disassembled target architecture instruction

property size: int

property address: int

property mnemonic: str

property op_str: str

class angr.block.CapstoneBlock(addr, insns, thumb, arch)

Bases: angr.block.DisassemblerBlock

Deep copy of the capstone blocks, which have serious issues with having extended lifespans outside of capstone itself

class angr.block.CapstoneInsn(capstone_insn)

Bases: angr.block.DisassemblerInsn

Represents a capstone instruction.

insn

property size: int

property address: int

property mnemonic: str

property op_str: str

class angr.block.Block(addr, project=None, arch=None, size=None, byte_string=None, vex=None, thumb=False, backup_state=None, extra_stop_points=None, opt_level=None, num_inst=None, traceflags=0, strict_block_end=None, collect_data_refs=False, cross_insn_opt=True, load_from_ro_regions=False, initial_regs=None)

Bases: angr.serializable.Serializable

Represents a basic block in a binary or a program.

BLOCK_MAX_SIZE = 4096

arch

thumb

addr

size

pp(**kwargs)

set_initial_regs()

static reset_initial_regs()

property vex: pyvex.block.IRSB

property vex_nostmt

property disassembly: angr.block.DisassemblerBlock: Provide a disassembly object using whatever disassembler is available

property capstone

property codenode

property bytes

property instructions

property instruction_addrs

serialize_to_cmessage()

classmethod parse_from_cmessage(cmsg)

class angr.block.SootBlock(addr, project=None, arch=None)

Bases: object

Represents a Soot IR basic block.

property soot

property size

property codenode

Plugin Ecosystem

class angr.misc.plugins.PluginHub

Bases: object

A plugin hub is an object which contains many plugins, as well as the notion of a “preset”, or a backer that can provide default implementations of plugins which cater to a certain circumstance.

Objects in angr like the SimState, the Analyses hub, the SimEngine selector, etc all use this model to unify their mechanisms for automatically collecting and selecting components to use. If you’re familiar with design patterns this is a configurable Strategy Pattern.

Each PluginHub subclass should have a corresponding Plugin subclass, and perhaps a PluginPreset subclass if it wants its presets to be able to specify anything more interesting than a list of defaults.

classmethod register_default(name, plugin_cls, preset='default')

classmethod register_preset(name, preset): Register a preset instance with the class of the hub it corresponds to. This allows individual plugin objects to automatically register themselves with a preset by using a classmethod of their own with only the name of the preset to register with.

property plugin_preset: Get the current active plugin preset

property has_plugin_preset: bool: Check whether or not there is a plugin preset in use on this hub right now

use_plugin_preset(preset)

Apply a preset to the hub. If there was a previously active preset, discard it.

Preset can be either the string name of a preset or a PluginPreset instance.

discard_plugin_preset(): Discard the current active preset. Will release any active plugins that could have come from the old preset.

get_plugin(name: str) → SimStatePlugin: Get the plugin named name. If no such plugin is currently active, try to activate a new one using the current preset.

has_plugin(name): Return whether or not a plugin with the name name is curently active.

register_plugin(name: str, plugin): Add a new plugin plugin with name name to the active plugins.

release_plugin(name): Deactivate and remove the plugin with name name.

class angr.misc.plugins.PluginPreset

Bases: object

A plugin preset object contains a mapping from name to a plugin class. A preset can be active on a hub, which will cause it to handle requests for plugins which are not already present on the hub.

Unlike Plugins and PluginHubs, instances of PluginPresets are defined on the module level for individual presets. You should register the preset instance with a hub to allow plugins to easily add themselves to the preset without an explicit reference to the preset itself.

activate(hub): This method is called when the preset becomes active on a hub.

deactivate(hub): This method is called when the preset is discarded from the hub.

add_default_plugin(name, plugin_cls): Add a plugin to the preset.

list_default_plugins(): Return a list of the names of available default plugins.

request_plugin(name: str) → Type[SimStatePlugin]: Return the plugin class which is registered under the name name, or raise NoPlugin if the name isn’t available.

copy(): Return a copy of self.

class angr.misc.plugins.PluginVendor

Bases: angr.misc.plugins.PluginHub

A specialized hub which serves only as a plugin vendor, never having any “active” plugins. It will directly return the plugins provided by the preset instead of instanciating them.

release_plugin(name)

register_plugin(name, plugin)

class angr.misc.plugins.VendorPreset

Bases: angr.misc.plugins.PluginPreset

A specialized preset class for use with the PluginVendor.

Program State

angr.sim_state.arch_overrideable(f)

class angr.sim_state.SimState(project=None, arch=None, plugins=None, mode=None, options=None, add_options=None, remove_options=None, special_memory_filler=None, os_name=None, plugin_preset='default', cle_memory_backer=None, dict_memory_backer=None, permissions_map=None, default_permissions=3, stack_perms=None, stack_end=None, stack_size=None, regioned_memory_cls=None, **kwargs)

Bases: angr.misc.plugins.PluginHub

The SimState represents the state of a program, including its memory, registers, and so forth.

Parameters

project (angr.Project) – The project instance.
arch (archinfo.Arch|str) – The architecture of the state.

Variables

regs – A convenient view of the state’s registers, where each register is a property
mem – A convenient view of the state’s memory, a angr.state_plugins.view.SimMemView
registers – The state’s register file as a flat memory region
memory – The state’s memory as a flat memory region
solver – The symbolic solver and variable manager for this state
inspect – The breakpoint manager, a angr.state_plugins.inspect.SimInspector
log – Information about the state’s history
scratch – Information about the current execution step
posix – MISNOMER: information about the operating system or environment model
fs – The current state of the simulated filesystem
libc – Information about the standard library we are emulating
cgc – Information about the cgc environment
uc_manager – Control of under-constrained symbolic execution
unicorn – Control of the Unicorn Engine

solver: SimSolver

posix: SimSystemPosix

registers: MemoryMixin

regs: SimRegNameView

memory: MemoryMixin

callstack: CallStack

mem: SimMemView

history: SimStateHistory

inspect: SimInspector

jni_references: SimStateJNIReferences

scratch: SimStateScratch

property plugins

property se: Deprecated alias for solver

property ip

Get the instruction pointer expression, trigger SimInspect breakpoints, and generate SimActions. Use _ip to not trigger breakpoints or generate actions.

Returns: an expression

property addr

Get the concrete address of the instruction pointer, without triggering SimInspect breakpoints or generating SimActions. An integer is returned, or an exception is raised if the instruction pointer is symbolic.

Returns: an int

property arch: archinfo.arch.Arch

T: alias of TypeVar(‘T’)

get_plugin(name)

has_plugin(name)

register_plugin(name, plugin, inhibit_init=False)

property javavm_memory

In case of an JavaVM with JNI support, a state can store the memory plugin twice; one for the native and one for the java view of the state.

Returns: The JavaVM view of the memory plugin.

property javavm_registers

In case of an JavaVM with JNI support, a state can store the registers plugin twice; one for the native and one for the java view of the state.

Returns: The JavaVM view of the registers plugin.

simplify(*args): Simplify this state’s constraints.

add_constraints(*args, **kwargs)

Add some constraints to the state.

You may pass in any number of symbolic booleans as variadic positional arguments.

satisfiable(**kwargs): Whether the state’s constraints are satisfiable

downsize(): Clean up after the solver engine. Calling this when a state no longer needs to be solved on will reduce memory usage.

step(**kwargs)

Perform a step of symbolic execution using this state. Any arguments to AngrObjectFactory.successors can be passed to this.

Returns: A SimSuccessors object categorizing the results of the step.

block(*args, **kwargs)

Represent the basic block at this state’s instruction pointer. Any arguments to AngrObjectFactory.block can ba passed to this.

Returns: A Block object describing the basic block of code at this point.

copy(): Returns a copy of the state.

merge(*others, **kwargs)

Merges this state with the other states. Returns the merging result, merged state, and the merge flag.

Parameters

states – the states to merge
merge_conditions – a tuple of the conditions under which each state holds
common_ancestor – a state that represents the common history between the states being merged. Usually it is only available when EFFICIENT_STATE_MERGING is enabled, otherwise weak-refed states might be dropped from state history instances.
plugin_whitelist – a list of plugin names that will be merged. If this option is given and is not None, any plugin that is not inside this list will not be merged, and will be created as a fresh instance in the new state.
common_ancestor_history – a SimStateHistory instance that represents the common history between the states being merged. This is to allow optimal state merging when EFFICIENT_STATE_MERGING is disabled.

Returns

(merged state, merge flag, a bool indicating if any merging occurred)

widen(*others): Perform a widening between self and other states :param others: :return:

reg_concrete(*args, **kwargs): Returns the contents of a register but, if that register is symbolic, raises a SimValueError.

mem_concrete(*args, **kwargs): Returns the contents of a memory but, if the contents are symbolic, raises a SimValueError.

stack_push(thing): Push ‘thing’ to the stack, writing the thing to memory and adjusting the stack pointer.

stack_pop(): Pops from the stack and returns the popped thing. The length will be the architecture word size.

stack_read(offset, length, bp=False)

Reads length bytes, at an offset into the stack.

Parameters

offset – The offset from the stack pointer.
length – The number of bytes to read.
bp – If True, offset from the BP instead of the SP. Default: False.

make_concrete_int(expr)

prepare_callsite(retval, args, cc='wtf')

dbg_print_stack(depth=None, sp=None): Only used for debugging purposes. Return the current stack info in formatted string. If depth is None, the current stack frame (from sp to bp) will be printed out.

set_mode(mode)

property thumb

property with_condition

class angr.sim_state_options.StateOption(name, types, default='_NO_DEFAULT_VALUE', description=None)

Bases: object

Describes a state option.

name

types

default

description

property has_default_value

one_type()

class angr.sim_state_options.SimStateOptions(thing)

Bases: object

A per-state manager of state options. An option can be either a key-valued entry or a Boolean switch (which can be seen as a key-valued entry whose value can only be either True or False).

Parameters: thing – Either a set of Boolean switches to enable, or an existing SimStateOptions instance.

OPTIONS = {'ABSTRACT_MEMORY': <O ABSTRACT_MEMORY[bool]>, 'ABSTRACT_SOLVER': <O ABSTRACT_SOLVER[bool]>, 'ACTION_DEPS': <O ACTION_DEPS[bool]>, 'ALLOW_SEND_FAILURES': <O ALLOW_SEND_FAILURES[bool]>, 'ALL_FILES_EXIST': <O ALL_FILES_EXIST[bool]>, 'APPROXIMATE_FIRST': <O APPROXIMATE_FIRST[bool]>, 'APPROXIMATE_GUARDS': <O APPROXIMATE_GUARDS[bool]>, 'APPROXIMATE_MEMORY_INDICES': <O APPROXIMATE_MEMORY_INDICES[bool]>, 'APPROXIMATE_MEMORY_SIZES': <O APPROXIMATE_MEMORY_SIZES[bool]>, 'APPROXIMATE_SATISFIABILITY': <O APPROXIMATE_SATISFIABILITY[bool]>, 'AST_DEPS': <O AST_DEPS[bool]>, 'AUTO_REFS': <O AUTO_REFS[bool]>, 'AVOID_MULTIVALUED_READS': <O AVOID_MULTIVALUED_READS[bool]>, 'AVOID_MULTIVALUED_WRITES': <O AVOID_MULTIVALUED_WRITES[bool]>, 'BEST_EFFORT_MEMORY_STORING': <O BEST_EFFORT_MEMORY_STORING[bool]>, 'BYPASS_ERRORED_IRCCALL': <O BYPASS_ERRORED_IRCCALL[bool]>, 'BYPASS_ERRORED_IROP': <O BYPASS_ERRORED_IROP[bool]>, 'BYPASS_ERRORED_IRSTMT': <O BYPASS_ERRORED_IRSTMT[bool]>, 'BYPASS_UNSUPPORTED_IRCCALL': <O BYPASS_UNSUPPORTED_IRCCALL[bool]>, 'BYPASS_UNSUPPORTED_IRDIRTY': <O BYPASS_UNSUPPORTED_IRDIRTY[bool]>, 'BYPASS_UNSUPPORTED_IREXPR': <O BYPASS_UNSUPPORTED_IREXPR[bool]>, 'BYPASS_UNSUPPORTED_IROP': <O BYPASS_UNSUPPORTED_IROP[bool]>, 'BYPASS_UNSUPPORTED_IRSTMT': <O BYPASS_UNSUPPORTED_IRSTMT[bool]>, 'BYPASS_UNSUPPORTED_SYSCALL': <O BYPASS_UNSUPPORTED_SYSCALL[bool]>, 'BYPASS_VERITESTING_EXCEPTIONS': <O BYPASS_VERITESTING_EXCEPTIONS[bool]>, 'CACHELESS_SOLVER': <O CACHELESS_SOLVER[bool]>, 'CALLLESS': <O CALLLESS[bool]>, 'CGC_ENFORCE_FD': <O CGC_ENFORCE_FD[bool]>, 'CGC_NON_BLOCKING_FDS': <O CGC_NON_BLOCKING_FDS[bool]>, 'CGC_NO_SYMBOLIC_RECEIVE_LENGTH': <O CGC_NO_SYMBOLIC_RECEIVE_LENGTH[bool]>, 'COMPOSITE_SOLVER': <O COMPOSITE_SOLVER[bool]>, 'CONCRETIZE': <O CONCRETIZE[bool]>, 'CONCRETIZE_SYMBOLIC_FILE_READ_SIZES': <O CONCRETIZE_SYMBOLIC_FILE_READ_SIZES[bool]>, 'CONCRETIZE_SYMBOLIC_WRITE_SIZES': <O CONCRETIZE_SYMBOLIC_WRITE_SIZES[bool]>, 'CONSERVATIVE_READ_STRATEGY': <O CONSERVATIVE_READ_STRATEGY[bool]>, 'CONSERVATIVE_WRITE_STRATEGY': <O CONSERVATIVE_WRITE_STRATEGY[bool]>, 'CONSTRAINT_TRACKING_IN_SOLVER': <O CONSTRAINT_TRACKING_IN_SOLVER[bool]>, 'COPY_STATES': <O COPY_STATES[bool]>, 'CPUID_SYMBOLIC': <O CPUID_SYMBOLIC[bool]>, 'DOWNSIZE_Z3': <O DOWNSIZE_Z3[bool]>, 'DO_CCALLS': <O DO_CCALLS[bool]>, 'DO_RET_EMULATION': <O DO_RET_EMULATION[bool]>, 'EFFICIENT_STATE_MERGING': <O EFFICIENT_STATE_MERGING[bool]>, 'ENABLE_NX': <O ENABLE_NX[bool]>, 'EXCEPTION_HANDLING': <O EXCEPTION_HANDLING[bool]>, 'EXTENDED_IROP_SUPPORT': <O EXTENDED_IROP_SUPPORT[bool]>, 'FAST_MEMORY': <O FAST_MEMORY[bool]>, 'FAST_REGISTERS': <O FAST_REGISTERS[bool]>, 'FILES_HAVE_EOF': <O FILES_HAVE_EOF[bool]>, 'HYBRID_SOLVER': <O HYBRID_SOLVER[bool]>, 'JAVA_IDENTIFY_GETTER_SETTER': <O JAVA_IDENTIFY_GETTER_SETTER[bool]>, 'JAVA_TRACK_ATTRIBUTES': <O JAVA_TRACK_ATTRIBUTES[bool]>, 'KEEP_IP_SYMBOLIC': <O KEEP_IP_SYMBOLIC[bool]>, 'KEEP_MEMORY_READS_DISCRETE': <O KEEP_MEMORY_READS_DISCRETE[bool]>, 'LAZY_SOLVES': <O LAZY_SOLVES[bool]>, 'MEMORY_CHUNK_INDIVIDUAL_READS': <O MEMORY_CHUNK_INDIVIDUAL_READS[bool]>, 'MEMORY_FIND_STRICT_SIZE_LIMIT': <O MEMORY_FIND_STRICT_SIZE_LIMIT[bool]>, 'MEMORY_SYMBOLIC_BYTES_MAP': <O MEMORY_SYMBOLIC_BYTES_MAP[bool]>, 'NO_CROSS_INSN_OPT': <O NO_CROSS_INSN_OPT[bool]>, 'NO_IP_CONCRETIZATION': <O NO_IP_CONCRETIZATION[bool]>, 'NO_SYMBOLIC_JUMP_RESOLUTION': <O NO_SYMBOLIC_JUMP_RESOLUTION[bool]>, 'NO_SYMBOLIC_SYSCALL_RESOLUTION': <O NO_SYMBOLIC_SYSCALL_RESOLUTION[bool]>, 'OPTIMIZE_IR': <O OPTIMIZE_IR[bool]>, 'PRODUCE_ZERODIV_SUCCESSORS': <O PRODUCE_ZERODIV_SUCCESSORS[bool]>, 'REGION_MAPPING': <O REGION_MAPPING[bool]>, 'REPLACEMENT_SOLVER': <O REPLACEMENT_SOLVER[bool]>, 'REVERSE_MEMORY_HASH_MAP': <O REVERSE_MEMORY_HASH_MAP[bool]>, 'REVERSE_MEMORY_NAME_MAP': <O REVERSE_MEMORY_NAME_MAP[bool]>, 'SHORT_READS': <O SHORT_READS[bool]>, 'SIMPLIFY_CONSTRAINTS': <O SIMPLIFY_CONSTRAINTS[bool]>, 'SIMPLIFY_EXIT_GUARD': <O SIMPLIFY_EXIT_GUARD[bool]>, 'SIMPLIFY_EXIT_STATE': <O SIMPLIFY_EXIT_STATE[bool]>, 'SIMPLIFY_EXIT_TARGET': <O SIMPLIFY_EXIT_TARGET[bool]>, 'SIMPLIFY_EXPRS': <O SIMPLIFY_EXPRS[bool]>, 'SIMPLIFY_MEMORY_READS': <O SIMPLIFY_MEMORY_READS[bool]>, 'SIMPLIFY_MEMORY_WRITES': <O SIMPLIFY_MEMORY_WRITES[bool]>, 'SIMPLIFY_REGISTER_READS': <O SIMPLIFY_REGISTER_READS[bool]>, 'SIMPLIFY_REGISTER_WRITES': <O SIMPLIFY_REGISTER_WRITES[bool]>, 'SIMPLIFY_RETS': <O SIMPLIFY_RETS[bool]>, 'SPECIAL_MEMORY_FILL': <O SPECIAL_MEMORY_FILL[bool]>, 'STRICT_PAGE_ACCESS': <O STRICT_PAGE_ACCESS[bool]>, 'STRINGS_ANALYSIS': <O STRINGS_ANALYSIS[bool]>, 'SUPER_FASTPATH': <O SUPER_FASTPATH[bool]>, 'SUPPORT_FLOATING_POINT': <O SUPPORT_FLOATING_POINT[bool]>, 'SYMBION_KEEP_STUBS_ON_SYNC': <O SYMBION_KEEP_STUBS_ON_SYNC[bool]>, 'SYMBION_SYNC_CLE': <O SYMBION_SYNC_CLE[bool]>, 'SYMBOLIC': <O SYMBOLIC[bool]>, 'SYMBOLIC_INITIAL_VALUES': <O SYMBOLIC_INITIAL_VALUES[bool]>, 'SYMBOLIC_MEMORY_NO_SINGLEVALUE_OPTIMIZATIONS': <O SYMBOLIC_MEMORY_NO_SINGLEVALUE_OPTIMIZATIONS[bool]>, 'SYMBOLIC_TEMPS': <O SYMBOLIC_TEMPS[bool]>, 'SYMBOLIC_WRITE_ADDRESSES': <O SYMBOLIC_WRITE_ADDRESSES[bool]>, 'SYMBOL_FILL_UNCONSTRAINED_MEMORY': <O SYMBOL_FILL_UNCONSTRAINED_MEMORY[bool]>, 'SYMBOL_FILL_UNCONSTRAINED_REGISTERS': <O SYMBOL_FILL_UNCONSTRAINED_REGISTERS[bool]>, 'SYNC_CLE_BACKEND_CONCRETE': <O SYNC_CLE_BACKEND_CONCRETE[bool]>, 'TRACK_ACTION_HISTORY': <O TRACK_ACTION_HISTORY[bool]>, 'TRACK_CONSTRAINTS': <O TRACK_CONSTRAINTS[bool]>, 'TRACK_CONSTRAINT_ACTIONS': <O TRACK_CONSTRAINT_ACTIONS[bool]>, 'TRACK_JMP_ACTIONS': <O TRACK_JMP_ACTIONS[bool]>, 'TRACK_MEMORY_ACTIONS': <O TRACK_MEMORY_ACTIONS[bool]>, 'TRACK_MEMORY_MAPPING': <O TRACK_MEMORY_MAPPING[bool]>, 'TRACK_OP_ACTIONS': <O TRACK_OP_ACTIONS[bool]>, 'TRACK_REGISTER_ACTIONS': <O TRACK_REGISTER_ACTIONS[bool]>, 'TRACK_SOLVER_VARIABLES': <O TRACK_SOLVER_VARIABLES[bool]>, 'TRACK_TMP_ACTIONS': <O TRACK_TMP_ACTIONS[bool]>, 'TRUE_RET_EMULATION_GUARD': <O TRUE_RET_EMULATION_GUARD[bool]>, 'UNDER_CONSTRAINED_SYMEXEC': <O UNDER_CONSTRAINED_SYMEXEC[bool]>, 'UNICORN': <O UNICORN[bool]>, 'UNICORN_AGGRESSIVE_CONCRETIZATION': <O UNICORN_AGGRESSIVE_CONCRETIZATION[bool]>, 'UNICORN_HANDLE_CGC_RECEIVE_SYSCALL': <O UNICORN_HANDLE_CGC_RECEIVE_SYSCALL[bool]>, 'UNICORN_HANDLE_CGC_TRANSMIT_SYSCALL': <O UNICORN_HANDLE_CGC_TRANSMIT_SYSCALL[bool]>, 'UNICORN_SYM_REGS_SUPPORT': <O UNICORN_SYM_REGS_SUPPORT[bool]>, 'UNICORN_THRESHOLD_CONCRETIZATION': <O UNICORN_THRESHOLD_CONCRETIZATION[bool]>, 'UNICORN_TRACK_BBL_ADDRS': <O UNICORN_TRACK_BBL_ADDRS[bool]>, 'UNICORN_TRACK_STACK_POINTERS': <O UNICORN_TRACK_STACK_POINTERS[bool]>, 'UNICORN_ZEROPAGE_GUARD': <O UNICORN_ZEROPAGE_GUARD[bool]>, 'UNINITIALIZED_ACCESS_AWARENESS': <O UNINITIALIZED_ACCESS_AWARENESS[bool]>, 'UNSUPPORTED_BYPASS_ZERO_DEFAULT': <O UNSUPPORTED_BYPASS_ZERO_DEFAULT[bool]>, 'USE_SIMPLIFIED_CCALLS': <O USE_SIMPLIFIED_CCALLS[bool]>, 'USE_SYSTEM_TIMES': <O USE_SYSTEM_TIMES[bool]>, 'VALIDATE_APPROXIMATIONS': <O VALIDATE_APPROXIMATIONS[bool]>, 'ZERO_FILL_UNCONSTRAINED_MEMORY': <O ZERO_FILL_UNCONSTRAINED_MEMORY[bool]>, 'ZERO_FILL_UNCONSTRAINED_REGISTERS': <O ZERO_FILL_UNCONSTRAINED_REGISTERS[bool]>, 'jumptable_symbolic_ip_max_targets': <O jumptable_symbolic_ip_max_targets[int]: The maximum number of concrete addresses a symbolic instruction pointer can be concretized to if it is part of a jump table.>, 'symbolic_ip_max_targets': <O symbolic_ip_max_targets[int]: The maximum number of concrete addresses a symbolic instruction pointer can be concretized to.>}

add(boolean_switch)

[COMPATIBILITY] Enable a Boolean switch.

Parameters: boolean_switch (str) – Name of the Boolean switch.
Returns: None

update(boolean_switches)

[COMPATIBILITY] In order to be compatible with the old interface, you can enable a collection of Boolean switches at the same time by doing the following:

>>> state.options.update({sim_options.SYMBOLIC, sim_options.ABSTRACT_MEMORY})

or

>>> state.options.update(sim_options.unicorn)

Parameters: boolean_switches (set) – A collection of Boolean switches to enable.
Returns: None

remove(name)

Drop a state option if it exists, or raise a KeyError if the state option is not set.

[COMPATIBILITY] Remove a Boolean switch.

Parameters: name (str) – Name of the state option.
Returns: NNone

discard(name)

Drop a state option if it exists, or silently return if the state option is not set.

[COMPATIBILITY] Disable a Boolean switch.

Parameters: name (str) – Name of the Boolean switch.
Returns: None

difference(boolean_switches)

[COMPATIBILITY] Make a copy of the current instance, and then discard all options that are in boolean_switches.

Parameters: boolean_switches (set) – A collection of Boolean switches to disable.
Returns: A new SimStateOptions instance.

copy()

Get a copy of the current SimStateOptions instance.

Returns: A new SimStateOptions instance.
Return type: SimStateOptions

tally(exclude_false=True, description=False)

Return a string representation of all state options.

Parameters

exclude_false (bool) – Whether to exclude Boolean switches that are disabled.
description (bool) – Whether to display the description of each option.

Returns

A string representation.

Return type

str

classmethod register_option(name, types, default=None, description=None)

Register a state option.

Parameters

name (str) – Name of the state option.
types – A collection of allowed types of this state option.
default – The default value of this state option.
description (str) – The description of this state option.

Returns

None

classmethod register_bool_option(name, description=None)

Register a Boolean switch as state option. This is equivalent to cls.register_option(name, set([bool]), description=description)

Parameters

name (str) – Name of the state option.
description (str) – The description of this state option.

Returns

None

class angr.state_plugins.plugin.SimStatePlugin

Bases: object

This is a base class for SimState plugins. A SimState plugin will be copied along with the state when the state is branched. They are intended to be used for things such as tracking open files, tracking heap details, and providing storage and persistence for SimProcedures.

STRONGREF_STATE = False

set_state(state): Sets a new state (for example, if the state has been branched)

set_strongref_state(state)

copy(_memo)

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

The base implementation of this function constructs a new instance of the plugin’s class without calling its initializer. If you super-call down to it, make sure you instanciate all the fields in your copy method!

Parameters: memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.

static memo(f): A decorator function you should apply to copy

merge(others, merge_conditions, common_ancestor=None)

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

Note that when multiple instances of a single plugin object (for example, a file) are referenced in the state, it is important that merge only ever be called once. This should be solved by designating one of the plugin’s referees as the “real owner”, who should be the one to actually merge it. This technique doesn’t work to resolve the similar issue that arises during copying because merging doesn’t produce a new reference to insert.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g. self.foo.merge([o.foo for o in others], merge_conditions, common_ancestor=common_ancestor.foo if common_ancestor is not None else None).

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

There is a utility state.solver.ite_cases which will help with constructing arbitrarily large merged ASTs. Use it like self.bar = self.state.solver.ite_cases(zip(conditions[1:], [o.bar for o in others]), self.bar)

Parameters

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns

True if the state plugins are actually merged.

Return type

bool

widen(others)

The widening operation for plugins. Widening is a special kind of merging that produces a more general state from several more specific states. It is used only during intensive static analysis. The same behavior regarding copying and mutation from merge should be followed.

Parameters: others – the other state plugin
Returns: True if the state plugin is actually widened.
Return type: bool

classmethod register_default(name, xtr=None)

init_state(): Use this function to perform any initialization on the state at plugin-add time

class angr.state_plugins.inspect.BP(when='before', enabled=None, condition=None, action=None, **kwargs)

Bases: object

A breakpoint.

check(state, when)

Checks state state to see if the breakpoint should fire.

Parameters

state – The state.
when – Whether the check is happening before or after the event.

Returns

A boolean representing whether the checkpoint should fire.

fire(state)

Trigger the breakpoint.

Parameters: state – The state.

class angr.state_plugins.inspect.SimInspector

Bases: angr.state_plugins.plugin.SimStatePlugin

The breakpoint interface, used to instrument execution. For usage information, look here: https://docs.angr.io/core-concepts/simulation#breakpoints

BP_AFTER = 'after'

BP_BEFORE = 'before'

BP_BOTH = 'both'

action(event_type, when, **kwargs): Called from within SimuVEX when events happens. This function checks all breakpoints registered for that event and fires the ones whose conditions match.

make_breakpoint(event_type, *args, **kwargs)

Creates and adds a breakpoint which would trigger on event_type. Additional arguments are passed to the BP constructor.

Returns: The created breakpoint, so that it can be removed later.

b(event_type, *args, **kwargs)

Creates and adds a breakpoint which would trigger on event_type. Additional arguments are passed to the BP constructor.

Returns: The created breakpoint, so that it can be removed later.

add_breakpoint(event_type, bp)

Adds a breakpoint which would trigger on event_type.

Parameters

event_type – The event type to trigger on
bp – The breakpoint

Returns

The created breakpoint.

remove_breakpoint(event_type, bp=None, filter_func=None)

Removes a breakpoint.

Parameters

bp – The breakpoint to remove.
filter_func – A filter function to specify whether each breakpoint should be removed or not.

copy(memo=None, **kwargs)

downsize()

Remove previously stored attributes from this plugin instance to save memory. This method is supposed to be called by breakpoint implementors. A typical workflow looks like the following :

>>> # Add `attr0` and `attr1` to `self.state.inspect`
>>> self.state.inspect(xxxxxx, attr0=yyyy, attr1=zzzz)
>>> # Get new attributes out of SimInspect in case they are modified by the user
>>> new_attr0 = self.state._inspect.attr0
>>> new_attr1 = self.state._inspect.attr1
>>> # Remove them from SimInspect
>>> self.state._inspect.downsize()

merge(others, merge_conditions, common_ancestor=None)

widen(others)

set_state(state)

class angr.state_plugins.libc.SimStateLibc

Bases: angr.state_plugins.plugin.SimStatePlugin

This state plugin keeps track of various libc stuff:

LOCALE_ARRAY = [b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x03 ', b'\x02 ', b'\x02 ', b'\x02 ', b'\x02 ', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x01`', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x08\xd5', b'\x08\xd5', b'\x08\xd5', b'\x08\xd5', b'\x08\xd5', b'\x08\xd5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x08\xd6', b'\x08\xd6', b'\x08\xd6', b'\x08\xd6', b'\x08\xd6', b'\x08\xd6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x02\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00']

TOLOWER_LOC_ARRAY = [128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 4294967295, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255]

TOUPPER_LOC_ARRAY = [128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 4294967295, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255]

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None)

widen(others)

property errno

ret_errno(val)

class angr.state_plugins.posix.PosixDevFS

Bases: angr.state_plugins.filesystem.SimMount

get(path)

insert(path, simfile)

delete(path)

lookup(_)

merge(others, conditions, common_ancestor=None)

widen(others)

copy(_)

class angr.state_plugins.posix.PosixProcFS

Bases: angr.state_plugins.filesystem.SimMount

The virtual file system mounted at /proc (as of now, on Linux).

get(path)

insert(path, simfile)

delete(path)

lookup(_)

merge(others, conditions, common_ancestor=None)

widen(others)

copy(_)

class angr.state_plugins.posix.SimSystemPosix(stdin=None, stdout=None, stderr=None, fd=None, sockets=None, socket_queue=None, argv=None, argc=None, environ=None, auxv=None, tls_modules=None, sigmask=None, pid=None, ppid=None, uid=None, gid=None, brk=None)

Bases: angr.state_plugins.plugin.SimStatePlugin

Data storage and interaction mechanisms for states with an environment conforming to posix. Available as state.posix.

SIG_BLOCK = 0

SIG_UNBLOCK = 1

SIG_SETMASK = 2

EPERM = 1

ENOENT = 2

ESRCH = 3

EINTR = 4

EIO = 5

ENXIO = 6

E2BIG = 7

ENOEXEC = 8

EBADF = 9

ECHILD = 10

EAGAIN = 11

ENOMEM = 12

EACCES = 13

EFAULT = 14

ENOTBLK = 15

EBUSY = 16

EEXIST = 17

EXDEV = 18

ENODEV = 19

ENOTDIR = 20

EISDIR = 21

EINVAL = 22

ENFILE = 23

EMFILE = 24

ENOTTY = 25

ETXTBSY = 26

EFBIG = 27

ENOSPC = 28

ESPIPE = 29

EROFS = 30

EMLINK = 31

EPIPE = 32

EDOM = 33

ERANGE = 34

copy(memo=None, **kwargs)

property closed_fds

init_state()

set_brk(new_brk)

set_state(state)

open(name, flags, preferred_fd=None)

Open a symbolic file. Basically open(2).

Parameters

name (string or bytes) – Path of the symbolic file, as a string or bytes.
flags – File operation flags, a bitfield of constants from open(2), as an AST
preferred_fd – Assign this fd if it’s not already claimed.

Returns

The file descriptor number allocated (maps through posix.get_fd to a SimFileDescriptor) or None if the open fails.

mode from open(2) is unsupported at present.

open_socket(ident)

get_fd(fd): Looks up the SimFileDescriptor associated with the given number (an AST). If the number is concrete and does not map to anything, return None. If the number is symbolic, constrain it to an open fd and create a new file for it.

close(fd): Closes the given file descriptor (an AST). Returns whether the operation succeeded (a concrete boolean)

fstat(sim_fd)

sigmask(sigsetsize=None)

Gets the current sigmask. If it’s blank, a new one is created (of sigsetsize).

Parameters: sigsetsize – the size (in bytes of the sigmask set)
Returns: the sigmask

sigprocmask(how, new_mask, sigsetsize, valid_ptr=True)

Updates the signal mask.

Parameters

how – the “how” argument of sigprocmask (see manpage)
new_mask – the mask modification to apply
sigsetsize – the size (in bytes of the sigmask set)
valid_ptr – is set if the new_mask was not NULL

merge(others, merge_conditions, common_ancestor=None)

widen(_)

dump_file_by_path(path, **kwargs)

Returns the concrete content for a file by path.

Parameters

path – file path as string
kwargs – passed to state.solver.eval

Returns

file contents as string

dumps(fd, **kwargs)

Returns the concrete content for a file descriptor.

BACKWARD COMPATIBILITY: if you ask for file descriptors 0 1 or 2, it will return the data from stdin, stdout, or stderr as a flat string.

Parameters: fd – A file descriptor.
Returns: The concrete content.
Return type: str

class angr.state_plugins.filesystem.Stat(st_dev, st_ino, st_nlink, st_mode, st_uid, st_gid, st_rdev, st_size, st_blksize, st_blocks, st_atime, st_atimensec, st_mtime, st_mtimensec, st_ctime, st_ctimensec)

Bases: tuple

Create new instance of Stat(st_dev, st_ino, st_nlink, st_mode, st_uid, st_gid, st_rdev, st_size, st_blksize, st_blocks, st_atime, st_atimensec, st_mtime, st_mtimensec, st_ctime, st_ctimensec)

property st_atime: Alias for field number 10

property st_atimensec: Alias for field number 11

property st_blksize: Alias for field number 8

property st_blocks: Alias for field number 9

property st_ctime: Alias for field number 14

property st_ctimensec: Alias for field number 15

property st_dev: Alias for field number 0

property st_gid: Alias for field number 5

property st_ino: Alias for field number 1

property st_mode: Alias for field number 3

property st_mtime: Alias for field number 12

property st_mtimensec: Alias for field number 13

property st_nlink: Alias for field number 2

property st_rdev: Alias for field number 6

property st_size: Alias for field number 7

property st_uid: Alias for field number 4

class angr.state_plugins.filesystem.SimFilesystem(files=None, pathsep=None, cwd=None, mountpoints=None)

Bases: angr.state_plugins.plugin.SimStatePlugin

angr’s emulated filesystem. Available as state.fs. When constructing, all parameters are optional.

Parameters

files – A mapping from filepath to SimFile
pathsep – The character used to separate path elements, default forward slash.
cwd – The path of the current working directory to use
mountpoints – A mapping from filepath to SimMountpoint

Variables

pathsep – The current pathsep
cwd – The current working directory
unlinks – A list of unlink operations, tuples of filename and simfile. Be careful, this list is shallow-copied from successor to successor, so don’t mutate anything in it without copying.

copy(memo=None, **kwargs)

property unlinks

set_state(state)

merge(others, merge_conditions, common_ancestor=None)

widen(others)

chdir(path): Changes the current directory to the given path

get(path): Get a file from the filesystem. Returns a SimFile or None.

insert(path, simfile): Insert a file into the filesystem. Returns whether the operation was successful.

delete(path)

Remove a file from the filesystem. Returns whether the operation was successful.

This will add a fs_unlink event with the path of the file and also the index into the unlinks list.

mount(path, mount): Add a mountpoint to the filesystem.

unmount(path): Remove a mountpoint from the filesystem.

get_mountpoint(path)

Look up the mountpoint servicing the given path.

Returns: A tuple of the mount and a list of path elements traversing from the mountpoint to the specified file.

class angr.state_plugins.filesystem.SimMount

Bases: angr.state_plugins.plugin.SimStatePlugin

This is the base class for “mount points” in angr’s simulated filesystem. Subclass this class and give it to the filesystem to intercept all file creations and opens below the mountpoint. Since this a SimStatePlugin you may also want to implement set_state, copy, merge, etc.

get(path_elements)

Implement this function to instrument file lookups.

Parameters: path_elements – A list of path elements traversing from the mountpoint to the file
Returns: A SimFile, or None

insert(path_elements, simfile)

Implement this function to instrument file creation.

Parameters

path_elements – A list of path elements traversing from the mountpoint to the file
simfile – The file to insert

Returns

A bool indicating whether the insert occurred

delete(path_elements)

Implement this function to instrument file deletion.

Parameters: path_elements – A list of path elements traversing from the mountpoint to the file
Returns: A bool indicating whether the delete occurred

lookup(sim_file)

Look up the path of a SimFile in the mountpoint

Parameters: sim_file – A SimFile object needs to be looked up
Returns: A string representing the path of the file in the mountpoint Or None if the SimFile does not exist in the mountpoint

class angr.state_plugins.filesystem.SimConcreteFilesystem(pathsep='/')

Bases: angr.state_plugins.filesystem.SimMount

Abstract SimMount allowing the user to import files from some external source into the guest

Parameters: pathsep (str) – The host path separator character, default os.path.sep

get(path_elements)

insert(path_elements, simfile)

delete(path_elements)

lookup(sim_file)

copy(memo=None, **kwargs)

set_state(state)

merge(others, merge_conditions, common_ancestor=None)

widen(others)

class angr.state_plugins.filesystem.SimHostFilesystem(host_path=None, **kwargs)

Bases: angr.state_plugins.filesystem.SimConcreteFilesystem

Simulated mount that makes some piece from the host filesystem available to the guest.

Parameters

host_path (str) – The path on the host to mount
pathsep (str) – The host path separator character, default os.path.sep

copy(memo=None, **kwargs)

angr.state_plugins.solver.timed_function(f)

angr.state_plugins.solver.enable_timing()

angr.state_plugins.solver.disable_timing()

angr.state_plugins.solver.error_converter(f)

angr.state_plugins.solver.concrete_path_bool(f)

angr.state_plugins.solver.concrete_path_not_bool(f)

angr.state_plugins.solver.concrete_path_scalar(f)

angr.state_plugins.solver.concrete_path_tuple(f)

angr.state_plugins.solver.concrete_path_list(f)

class angr.state_plugins.solver.SimSolver(solver=None, all_variables=None, temporal_tracked_variables=None, eternal_tracked_variables=None)

Bases: angr.state_plugins.plugin.SimStatePlugin

This is the plugin you’ll use to interact with symbolic variables, creating them and evaluating them. It should be available on a state as state.solver.

Any top-level variable of the claripy module can be accessed as a property of this object.

reload_solver(constraints=None)

Reloads the solver. Useful when changing solver options.

Parameters: constraints (list) – A new list of constraints to use in the reloaded solver instead of the current one

get_variables(*keys)

Iterate over all variables for which their tracking key is a prefix of the values provided.

Elements are a tuple, the first element is the full tracking key, the second is the symbol.

>>> list(s.solver.get_variables('mem'))
[(('mem', 0x1000), <BV64 mem_1000_4_64>), (('mem', 0x1008), <BV64 mem_1008_5_64>)]

>>> list(s.solver.get_variables('file'))
[(('file', 1, 0), <BV8 file_1_0_6_8>), (('file', 1, 1), <BV8 file_1_1_7_8>), (('file', 2, 0), <BV8 file_2_0_8_8>)]

>>> list(s.solver.get_variables('file', 2))
[(('file', 2, 0), <BV8 file_2_0_8_8>)]

>>> list(s.solver.get_variables())
[(('mem', 0x1000), <BV64 mem_1000_4_64>), (('mem', 0x1008), <BV64 mem_1008_5_64>), (('file', 1, 0), <BV8 file_1_0_6_8>), (('file', 1, 1), <BV8 file_1_1_7_8>), (('file', 2, 0), <BV8 file_2_0_8_8>)]

register_variable(v, key, eternal=True)

Register a value with the variable tracking system

Parameters

v – The BVS to register
key – A tuple to register the variable under

Parma eternal

Whether this is an eternal variable, default True. If False, an incrementing counter will be appended to the key.

describe_variables(v): Given an AST, iterate over all the keys of all the BVS leaves in the tree which are registered.

Unconstrained(name, bits, uninitialized=True, inspect=True, events=True, key=None, eternal=False, **kwargs)

Creates an unconstrained symbol or a default concrete value (0), based on the state options.

Parameters

name – The name of the symbol.
bits – The size (in bits) of the symbol.
uninitialized – Whether this value should be counted as an “uninitialized” value in the course of an analysis.
inspect – Set to False to avoid firing SimInspect breakpoints
events – Set to False to avoid generating a SimEvent for the occasion
key – Set this to a tuple of increasingly specific identifiers (for example, ('mem', 0xffbeff00) or ('file', 4, 0x20) to cause it to be tracked, i.e. accessable through solver.get_variables.
eternal – Set to True in conjunction with setting a key to cause all states with the same ancestry to retrieve the same symbol when trying to create the value. If False, a counter will be appended to the key.

Returns

an unconstrained symbol (or a concrete value of 0).

BVS(name, size, min=None, max=None, stride=None, uninitialized=False, explicit_name=None, key=None, eternal=False, inspect=True, events=True, **kwargs)

Creates a bit-vector symbol (i.e., a variable). Other keyword parameters are passed directly on to the constructor of claripy.ast.BV.

Parameters

name – The name of the symbol.
size – The size (in bits) of the bit-vector.
min – The minimum value of the symbol. Note that this only work when using VSA.
max – The maximum value of the symbol. Note that this only work when using VSA.
stride – The stride of the symbol. Note that this only work when using VSA.
uninitialized – Whether this value should be counted as an “uninitialized” value in the course of an analysis.
explicit_name – Set to True to prevent an identifier from appended to the name to ensure uniqueness.
key – Set this to a tuple of increasingly specific identifiers (for example, ('mem', 0xffbeff00) or ('file', 4, 0x20) to cause it to be tracked, i.e. accessable through solver.get_variables.
eternal – Set to True in conjunction with setting a key to cause all states with the same ancestry to retrieve the same symbol when trying to create the value. If False, a counter will be appended to the key.
inspect – Set to False to avoid firing SimInspect breakpoints
events – Set to False to avoid generating a SimEvent for the occasion

Returns

A BV object representing this symbol.

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None)

widen(others)

downsize(): Frees memory associated with the constraint solver by clearing all of its internal caches.

property constraints: Returns the constraints of the state stored by the solver.

eval_to_ast(e, n, extra_constraints=(), exact=None)

Evaluate an expression, using the solver if necessary. Returns AST objects.

Parameters

e – the expression
n – the number of desired solutions
extra_constraints – extra constraints to apply to the solver
exact – if False, returns approximate solutions

Returns

a tuple of the solutions, in the form of claripy AST nodes

Return type

tuple

max(e, extra_constraints=(), exact=None)

Return the maximum value of expression e.

:param e : expression (an AST) to evaluate :param extra_constraints: extra constraints (as ASTs) to add to the solver for this solve :param exact : if False, return approximate solutions. :return: the maximum possible value of e (backend object)

min(e, extra_constraints=(), exact=None)

Return the minimum value of expression e.

:param e : expression (an AST) to evaluate :param extra_constraints: extra constraints (as ASTs) to add to the solver for this solve :param exact : if False, return approximate solutions. :return: the minimum possible value of e (backend object)

solution(e, v, extra_constraints=(), exact=None)

Return True if v is a solution of expr with the extra constraints, False otherwise.

Parameters

e – An expression (an AST) to evaluate
v – The proposed solution (an AST)
extra_constraints – Extra constraints (as ASTs) to add to the solver for this solve.
exact – If False, return approximate solutions.

Returns

True if v is a solution of expr, False otherwise

is_true(e, extra_constraints=(), exact=None)

If the expression provided is absolutely, definitely a true boolean, return True. Note that returning False doesn’t necessarily mean that the expression can be false, just that we couldn’t figure that out easily.

Parameters

e – An expression (an AST) to evaluate
extra_constraints – Extra constraints (as ASTs) to add to the solver for this solve.
exact – If False, return approximate solutions.

Returns

True if v is definitely true, False otherwise

is_false(e, extra_constraints=(), exact=None)

If the expression provided is absolutely, definitely a false boolean, return True. Note that returning False doesn’t necessarily mean that the expression can be true, just that we couldn’t figure that out easily.

Parameters

e – An expression (an AST) to evaluate
extra_constraints – Extra constraints (as ASTs) to add to the solver for this solve.
exact – If False, return approximate solutions.

Returns

True if v is definitely false, False otherwise

unsat_core(extra_constraints=())

This function returns the unsat core from the backend solver.

Parameters: extra_constraints – Extra constraints (as ASTs) to add to the solver for this solve.
Returns: The unsat core.

satisfiable(extra_constraints=(), exact=None)

This function does a constraint check and checks if the solver is in a sat state.

Parameters

extra_constraints – Extra constraints (as ASTs) to add to s for this solve
exact – If False, return approximate solutions.

Returns

True if sat, otherwise false

add(*constraints)

Add some constraints to the solver.

Parameters: constraints – Pass any constraints that you want to add (ASTs) as varargs.

T: alias of TypeVar(‘T’, int, bytes)

CastTarget: alias of TypeVar(‘CastTarget’)

eval_upto(e, n: int, cast_to: None = None, **kwargs) → Any

eval_upto(e, n: int, cast_to: CastTarget = None, **kwargs) → CastTarget

Evaluate an expression, using the solver if necessary. Returns primitives as specified by the cast_to parameter. Only certain primitives are supported, check the implementation of _cast_to to see which ones.

Parameters

e – the expression
n – the number of desired solutions
extra_constraints – extra constraints to apply to the solver
exact – if False, returns approximate solutions
cast_to – A type to cast the resulting values to

Returns

a tuple of the solutions, in the form of Python primitives

Return type

tuple

eval(e, cast_to: None = None, **kwargs) → Any

eval(e, cast_to: CastTarget = None, **kwargs) → CastTarget

Evaluate an expression to get any possible solution. The desired output types can be specified using the cast_to parameter. extra_constraints can be used to specify additional constraints the returned values must satisfy.

Parameters

e – the expression to get a solution for
kwargs – Any additional kwargs will be passed down to eval_upto

Raises

SimUnsatError – if no solution could be found satisfying the given constraints

Returns

eval_one(e, **kwargs)

Evaluate an expression to get the only possible solution. Errors if either no or more than one solution is returned. A kwarg parameter default can be specified to be returned instead of failure!

Parameters

e – the expression to get a solution for
default – A value can be passed as a kwarg here. It will be returned in case of failure.
kwargs – Any additional kwargs will be passed down to eval_upto

Raises

SimUnsatError – if no solution could be found satisfying the given constraints
SimValueError – if more than one solution was found to satisfy the given constraints

Returns

The value for e

eval_atmost(e, n, **kwargs)

Evaluate an expression to get at most n possible solutions. Errors if either none or more than n solutions are returned.

Parameters

e – the expression to get a solution for
n – the inclusive upper limit on the number of solutions
kwargs – Any additional kwargs will be passed down to eval_upto

Raises

SimUnsatError – if no solution could be found satisfying the given constraints
SimValueError – if more than n solutions were found to satisfy the given constraints

Returns

The solutions for e

eval_atleast(e, n, **kwargs)

Evaluate an expression to get at least n possible solutions. Errors if less than n solutions were found.

Parameters

e – the expression to get a solution for
n – the inclusive lower limit on the number of solutions
kwargs – Any additional kwargs will be passed down to eval_upto

Raises

SimUnsatError – if no solution could be found satisfying the given constraints
SimValueError – if less than n solutions were found to satisfy the given constraints

Returns

The solutions for e

eval_exact(e, n, **kwargs)

Evaluate an expression to get exactly the n possible solutions. Errors if any number of solutions other than n was found to exist.

Parameters

e – the expression to get a solution for
n – the inclusive lower limit on the number of solutions
kwargs – Any additional kwargs will be passed down to eval_upto

Raises

SimUnsatError – if no solution could be found satisfying the given constraints
SimValueError – if any number of solutions other than n were found to satisfy the given constraints

Returns

The solutions for e

min_int(e, extra_constraints=(), exact=None)

Return the minimum value of expression e.

:param e : expression (an AST) to evaluate :param extra_constraints: extra constraints (as ASTs) to add to the solver for this solve :param exact : if False, return approximate solutions. :return: the minimum possible value of e (backend object)

max_int(e, extra_constraints=(), exact=None)

Return the maximum value of expression e.

:param e : expression (an AST) to evaluate :param extra_constraints: extra constraints (as ASTs) to add to the solver for this solve :param exact : if False, return approximate solutions. :return: the maximum possible value of e (backend object)

unique(e, **kwargs): Returns True if the expression e has only one solution by querying the constraint solver. It does also add that unique solution to the solver’s constraints.

symbolic(e): Returns True if the expression e is symbolic.

single_valued(e): Returns True whether e is a concrete value or is a value set with only 1 possible value. This differs from unique in that this does not query the constraint solver.

simplify(e=None): Simplifies e. If e is None, simplifies the constraints of this state.

variables(e): Returns the symbolic variables present in the AST of e.

class angr.state_plugins.log.SimStateLog(log=None)

Bases: angr.state_plugins.plugin.SimStatePlugin

property actions

add_event(event_type, **kwargs)

add_action(action)

extend_actions(new_actions)

events_of_type(event_type)

actions_of_type(action_type)

property fresh_constraints

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None)

widen(others)

clear()

class angr.state_plugins.callstack.CallStack(call_site_addr=0, func_addr=0, stack_ptr=0, ret_addr=0, jumpkind='Ijk_Call', next_frame: Optional[angr.state_plugins.callstack.CallStack] = None, invoke_return_variable=None)

Bases: angr.state_plugins.plugin.SimStatePlugin

Stores the address of the function you’re in and the value of SP at the VERY BOTTOM of the stack, i.e. points to the return address.

copy(memo=None, **kwargs)

set_state(state)

merge(others, merge_conditions, common_ancestor=None)

widen(others)

property current_function_address

Address of the current function.

Returns: the address of the function
Return type: int

property current_stack_pointer

Get the value of the stack pointer.

Returns: Value of the stack pointer
Return type: int

property current_return_target

Get the return target.

Returns: The address of return target.
Return type: int

static stack_suffix_to_string(stack_suffix): Convert a stack suffix to a human-readable string representation. :param tuple stack_suffix: The stack suffix. :return: A string representation :rtype: str

property top

Returns the element at the top of the callstack without removing it.

Returns: A CallStack.

push(cf): Push the frame cf onto the stack. Return the new stack.

pop(): Pop the top frame from the stack. Return the new stack.

call(callsite_addr, addr, retn_target=None, stack_pointer=None)

Push a stack frame into the call stack. This method is called when calling a function in CFG recovery.

Parameters

callsite_addr (int) – Address of the call site
addr (int) – Address of the call target
retn_target (int or None) – Address of the return target
stack_pointer (int) – Value of the stack pointer

Returns

None

ret(retn_target=None)

Pop one or many call frames from the stack. This method is called when returning from a function in CFG recovery.

Parameters: retn_target (int) – The target to return to.
Returns: None

dbg_repr()

Debugging representation of this CallStack object.

Returns: Details of this CalLStack
Return type: str

stack_suffix(context_sensitivity_level)

Generate the stack suffix. A stack suffix can be used as the key to a SimRun in CFG recovery.

Parameters: context_sensitivity_level (int) – Level of context sensitivity.
Returns: A tuple of stack suffix.
Return type: tuple

class angr.state_plugins.callstack.CallStackAction(callstack_hash, callstack_depth, action, callframe=None, ret_site_addr=None)

Bases: object

Used in callstack backtrace, which is a history of callstacks along a path, to record individual actions occurred each time the callstack is changed.

class angr.state_plugins.light_registers.SimLightRegisters(reg_map=None, registers=None)

Bases: angr.state_plugins.plugin.SimStatePlugin

copy(memo=None, **kwargs)

set_state(state)

resolve_register(offset, size)

load(offset, size=None, **kwargs)

store(offset, value, size=None, endness=None, **kwargs)

class angr.state_plugins.history.SimStateHistory(parent=None, clone=None)

Bases: angr.state_plugins.plugin.SimStatePlugin

This class keeps track of historically-relevant information for paths.

STRONGREF_STATE = True

init_state()

set_strongref_state(state)

property addr

merge(others, merge_conditions, common_ancestor=None)

widen(others)

copy(memo=None, **kwargs)

trim(): Discard the ancestry of this state.

filter_actions(start_block_addr=None, end_block_addr=None, block_stmt=None, insn_addr=None, read_from=None, write_to=None)

Filter self.actions based on some common parameters.

[start_block_addr, end_block_addr]

Parameters

start_block_addr – Only return actions generated in blocks starting at this address.
end_block_addr – Only return actions generated in blocks ending at this address.
block_stmt – Only return actions generated in the nth statement of each block.
insn_addr – Only return actions generated in the assembly instruction at this address.
read_from – Only return actions that perform a read from the specified location.
write_to – Only return actions that perform a write to the specified location.

Notes: If IR optimization is turned on, reads and writes may not occur in the instruction they originally came from. Most commonly, If a register is read from twice in the same block, the second read will not happen, instead reusing the temp the value is already stored in.

Valid values for read_from and write_to are the string literals ‘reg’ or ‘mem’ (matching any read or write to registers or memory, respectively), any string (representing a read or write to the named register), and any integer (representing a read or write to the memory at this address).

demote(): Demotes this history node, causing it to drop the strong state reference.

reachable()

add_event(event_type, **kwargs)

add_action(action)

extend_actions(new_actions)

subscribe_actions()

property recent_constraints

property recent_actions

property block_count

property lineage

property parents

property events

property actions

property jumpkinds

property jump_guards

property jump_targets

property jump_sources

property descriptions

property bbl_addrs

property ins_addrs

property stack_actions

closest_common_ancestor(other)

Find the common ancestor between this history node and ‘other’.

Parameters: other – the PathHistory to find a common ancestor with.
Returns: the common ancestor SimStateHistory, or None if there isn’t one

constraints_since(other)

Returns the constraints that have been accumulated since other.

Parameters: other – a prior PathHistory object
Returns: a list of constraints

make_child()

class angr.state_plugins.history.TreeIter(start, end=None)

Bases: object

property hardcopy

count(v): Count occurrences of value v in the entire history. Note that the subclass must implement the __reversed__ method, otherwise an exception will be thrown. :param object v: The value to look for :return: The number of occurrences :rtype: int

class angr.state_plugins.history.HistoryIter(start, end=None): Bases: angr.state_plugins.history.TreeIter

class angr.state_plugins.history.LambdaAttrIter(start, f, **kwargs): Bases: angr.state_plugins.history.TreeIter

class angr.state_plugins.history.LambdaIterIter(start, f, reverse=True, **kwargs): Bases: angr.state_plugins.history.LambdaAttrIter

class angr.state_plugins.gdb.GDB(omit_fp=False, adjust_stack=False)

Bases: angr.state_plugins.plugin.SimStatePlugin

Initialize or update a state from gdb dumps of the stack, heap, registers and data (or arbitrary) segments.

Parameters

omit_fp – The frame pointer register is used for something else. (i.e. –omit_frame_pointer)
adjust_stack – Use different stack addresses than the gdb session (not recommended).

set_stack(stack_dump, stack_top)

Stack dump is a dump of the stack from gdb, i.e. the result of the following gdb command :

dump binary memory [stack_dump] [begin_addr] [end_addr]

We set the stack to the same addresses as the gdb session to avoid pointers corruption.

Parameters

stack_dump – The dump file.
stack_top – The address of the top of the stack in the gdb session.

set_heap(heap_dump, heap_base)

Heap dump is a dump of the heap from gdb, i.e. the result of the following gdb command:

dump binary memory [stack_dump] [begin] [end]

Parameters

heap_dump – The dump file.
heap_base – The start address of the heap in the gdb session.

set_data(addr, data_dump): Update any data range (most likely use is the data segments of loaded objects)

set_regs(regs_dump)

Initialize register values within the state

Parameters: regs_dump – The output of info registers in gdb.

copy(memo=None, **kwargs)

class angr.state_plugins.cgc.SimStateCGC

Bases: angr.state_plugins.plugin.SimStatePlugin

This state plugin keeps track of CGC state.

EBADF = 1

EFAULT = 2

EINVAL = 3

ENOMEM = 4

ENOSYS = 5

EPIPE = 6

FD_SETSIZE = 1024

max_allocation = 268435456

copy(memo=None, **kwargs)

peek_input()

discard_input(num_bytes)

peek_output()

discard_output(num_bytes)

addr_invalid(a)

merge(others, merge_conditions, common_ancestor=None)

widen(others)

get_max_sinkhole(length)

Find a sinkhole which is large enough to support length bytes.

This uses first-fit. The first sinkhole (ordered in descending order by their address) which can hold length bytes is chosen. If there are more than length bytes in the sinkhole, a new sinkhole is created representing the remaining bytes while the old sinkhole is removed.

add_sinkhole(address, length)

Add a sinkhole.

Allow the possibility for the program to reuse the memory represented by the address length pair.

angr.state_plugins.trace_additions.l = <Logger angr.state_plugins.trace_additions (WARNING)>

This file contains objects to track additional information during a trace or modify symbolic variables during a trace.

The ChallRespInfo plugin tracks variables in stdin and stdout to enable handling of challenge response It handles atoi/int2str in a special manner since path constraints will usually prevent their values from being modified

The Zen plugin simplifies expressions created from variables in the flag page (losing some accuracy) to avoid situations where they become to complex for z3, but the actual equation doesn’t matter much. This can happen in challenge response if all of the values in the flag page are multiplied together before being printed.

class angr.state_plugins.trace_additions.FormatInfo

Bases: object

copy()

compute(state)

get_type()

class angr.state_plugins.trace_additions.FormatInfoStrToInt(addr, func_name, str_arg_num, base, base_arg, allows_negative)

Bases: angr.state_plugins.trace_additions.FormatInfo

copy()

compute(state)

get_type()

class angr.state_plugins.trace_additions.FormatInfoIntToStr(addr, func_name, int_arg_num, str_dst_num, base, base_arg)

Bases: angr.state_plugins.trace_additions.FormatInfo

copy()

compute(state)

get_type()

class angr.state_plugins.trace_additions.FormatInfoDontConstrain(addr, func_name, check_symbolic_arg)

Bases: angr.state_plugins.trace_additions.FormatInfo

copy()

compute(state)

get_type()

angr.state_plugins.trace_additions.int2base(x, base)

angr.state_plugins.trace_additions.generic_info_hook(state)

angr.state_plugins.trace_additions.end_info_hook(state)

angr.state_plugins.trace_additions.exit_hook(state)

angr.state_plugins.trace_additions.syscall_hook(state)

angr.state_plugins.trace_additions.constraint_hook(state)

class angr.state_plugins.trace_additions.ChallRespInfo

Bases: angr.state_plugins.plugin.SimStatePlugin

This state plugin keeps track of the reads and writes to symbolic addresses

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None)

widen(others)

static get_byte(var_name)

lookup_original(replacement)

pop_from_backup()

get_stdin_indices(variable)

get_stdout_indices(variable)

get_real_len(input_val, base, result_bv, allows_negative)

get_possible_len(input_val, base, allows_negative)

get_same_length_constraints()

static atoi_dumps(state, require_same_length=True)

static prep_tracer(state, format_infos=None)

angr.state_plugins.trace_additions.zen_hook(state, expr)

angr.state_plugins.trace_additions.zen_memory_write(state)

angr.state_plugins.trace_additions.zen_register_write(state)

class angr.state_plugins.trace_additions.ZenPlugin(max_depth=13)

Bases: angr.state_plugins.plugin.SimStatePlugin

static get_flag_rand_args(expr)

get_expr_depth(expr)

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None)

widen(others)

get_flag_bytes(ast)

filter_constraints(constraints)

analyze_transmit(state, buf)

static prep_tracer(state)

class angr.state_plugins.globals.SimStateGlobals(backer=None)

Bases: angr.state_plugins.plugin.SimStatePlugin

set_state(state)

merge(others, merge_conditions, common_ancestor=None)

widen(others)

keys()

values()

items()

get(k, alt=None)

pop(k, alt=None)

copy(memo=None, **kwargs)

class angr.state_plugins.uc_manager.SimUCManager(man=None)

Bases: angr.state_plugins.plugin.SimStatePlugin

assign(dst_addr_ast)

Assign a new region for under-constrained symbolic execution.

Parameters: dst_addr_ast – the symbolic AST which address of the new allocated region will be assigned to.
Returns: as ast of memory address that points to a new region

copy(memo=None, **kwargs)

get_alloc_depth(addr)

is_bounded(ast)

Test whether an AST is bounded by any existing constraint in the related solver.

Parameters: ast – an claripy.AST object
Returns: True if there is at least one related constraint, False otherwise

set_state(state)

class angr.state_plugins.scratch.SimStateScratch(scratch=None)

Bases: angr.state_plugins.plugin.SimStatePlugin

Implements the scratch state plugin.

property priv

push_priv(priv)

pop_priv()

set_tyenv(tyenv)

tmp_expr(tmp)

Returns the Claripy expression of a VEX temp value.

Parameters

tmp – the number of the tmp
simplify – simplify the tmp before returning it

Returns

a Claripy expression of the tmp

store_tmp(tmp, content, reg_deps=None, tmp_deps=None, deps=None, **kwargs)

Stores a Claripy expression in a VEX temp value. If in symbolic mode, this involves adding a constraint for the tmp’s symbolic variable.

Parameters

tmp – the number of the tmp
content – a Claripy expression of the content
reg_deps – the register dependencies of the content
tmp_deps – the temporary value dependencies of the content

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None)

widen(others)

clear()

class angr.state_plugins.preconstrainer.SimStatePreconstrainer(constrained_addrs=None)

Bases: angr.state_plugins.plugin.SimStatePlugin

This state plugin manages the concept of preconstraining - adding constraints which you would like to remove later.

:param constrained_addrs : SimActions for memory operations whose addresses should be constrained during crash analysis

merge(others, merge_conditions, common_ancestor=None)

widen(others)

copy(memo=None, **kwargs)

preconstrain(value, variable)

Add a preconstraint that variable == value to the state.

Parameters

value – The concrete value. Can be a bitvector or a bytestring or an integer.
variable – The BVS to preconstrain.

preconstrain_file(content, simfile, set_length=False)

Preconstrain the contents of a file.

Parameters

content – The content to preconstrain the file to. Can be a bytestring or a list thereof.
simfile – The actual simfile to preconstrain

preconstrain_flag_page(magic_content)

Preconstrain the data in the flag page.

Parameters: magic_content – The content of the magic page as a bytestring.

remove_preconstraints(to_composite_solver=True, simplify=True)

Remove the preconstraints from the state.

If you are using the zen plugin, this will also use that to filter the constraints.

Parameters

to_composite_solver – Whether to convert the replacement solver to a composite solver. You probably want this if you’re switching from tracing to symbolic analysis.
simplify – Whether to simplify the resulting set of constraints.

reconstrain(): Split the solver. If any of the subsolvers time out after a short timeout (10 seconds), re-add the preconstraints associated with each of its variables. Hopefully these constraints still allow us to do meaningful things to the state.

class angr.state_plugins.unicorn_engine.MEM_PATCH

Bases: _ctypes.Structure

struct mem_update_t

address: Structure/Union member

length: Structure/Union member

next: Structure/Union member

class angr.state_plugins.unicorn_engine.TRANSMIT_RECORD

Bases: _ctypes.Structure

struct transmit_record_t

count: Structure/Union member

data: Structure/Union member

class angr.state_plugins.unicorn_engine.TaintEntityEnum

Bases: object

taint_entity_enum_t

TAINT_ENTITY_REG = 0

TAINT_ENTITY_TMP = 1

TAINT_ENTITY_MEM = 2

TAINT_ENTITY_NONE = 3

class angr.state_plugins.unicorn_engine.MemoryValue

Bases: _ctypes.Structure

struct memory_value_t

address: Structure/Union member

is_value_symbolic: Structure/Union member

size: Structure/Union member

value: Structure/Union member

class angr.state_plugins.unicorn_engine.RegisterValue

Bases: _ctypes.Structure

struct register_value_t

offset: Structure/Union member

size: Structure/Union member

value: Structure/Union member

class angr.state_plugins.unicorn_engine.InstrDetails

Bases: _ctypes.Structure

struct sym_instr_details_t

has_memory_dep: Structure/Union member

instr_addr: Structure/Union member

memory_values: Structure/Union member

memory_values_count: Structure/Union member

class angr.state_plugins.unicorn_engine.BlockDetails

Bases: _ctypes.Structure

struct sym_block_details_ret_t

block_addr: Structure/Union member

block_size: Structure/Union member

register_values: Structure/Union member

register_values_count: Structure/Union member

symbolic_instrs: Structure/Union member

symbolic_instrs_count: Structure/Union member

class angr.state_plugins.unicorn_engine.STOP

Bases: object

enum stop_t

STOP_NORMAL = 0

STOP_STOPPOINT = 1

STOP_ERROR = 2

STOP_SYSCALL = 3

STOP_EXECNONE = 4

STOP_ZEROPAGE = 5

STOP_NOSTART = 6

STOP_SEGFAULT = 7

STOP_ZERO_DIV = 8

STOP_NODECODE = 9

STOP_HLT = 10

STOP_VEX_LIFT_FAILED = 11

STOP_SYMBOLIC_CONDITION = 12

STOP_SYMBOLIC_PC = 13

STOP_SYMBOLIC_READ_ADDR = 14

STOP_SYMBOLIC_READ_SYMBOLIC_TRACKING_DISABLED = 15

STOP_SYMBOLIC_WRITE_ADDR = 16

STOP_SYMBOLIC_BLOCK_EXIT_CONDITION = 17

STOP_SYMBOLIC_BLOCK_EXIT_TARGET = 18

STOP_UNSUPPORTED_STMT_PUTI = 19

STOP_UNSUPPORTED_STMT_STOREG = 20

STOP_UNSUPPORTED_STMT_LOADG = 21

STOP_UNSUPPORTED_STMT_CAS = 22

STOP_UNSUPPORTED_STMT_LLSC = 23

STOP_UNSUPPORTED_STMT_DIRTY = 24

STOP_UNSUPPORTED_EXPR_GETI = 25

STOP_UNSUPPORTED_STMT_UNKNOWN = 26

STOP_UNSUPPORTED_EXPR_UNKNOWN = 27

STOP_UNKNOWN_MEMORY_WRITE_SIZE = 28

STOP_SYMBOLIC_MEM_DEP_NOT_LIVE = 29

STOP_SYSCALL_ARM = 30

STOP_SYMBOLIC_MEM_DEP_NOT_LIVE_CURR_BLOCK = 31

STOP_X86_CPUID = 32

stop_message = {0: 'Reached maximum steps', 1: 'Hit a stop point', 2: 'Something wrong', 3: 'Unable to handle syscall', 4: 'Fetching empty page', 5: 'Accessing zero page', 6: 'Failed to start', 7: 'Permissions or mapping error', 8: 'Divide by zero', 9: 'Instruction decoding error', 10: 'hlt instruction encountered', 11: 'Failed to lift block to VEX', 12: 'Symbolic condition for ITE', 13: 'Instruction pointer became symbolic', 14: 'Attempted to read from symbolic address', 15: 'Attempted to read symbolic data from memory but symbolic tracking is disabled', 16: 'Attempted to write to symbolic address', 17: "Guard condition of block's exit statement is symbolic", 18: 'Target of default exit of block is symbolic', 19: 'Symbolic taint propagation for PutI statement not yet supported', 20: 'Symbolic taint propagation for StoreG statement not yet supported', 21: 'Symbolic taint propagation for LoadG statement not yet supported', 22: 'Symbolic taint propagation for CAS statement not yet supported', 23: 'Symbolic taint propagation for LLSC statement not yet supported', 24: 'Symbolic taint propagation for Dirty statement not yet supported', 25: 'Symbolic taint propagation for GetI expression not yet supported', 26: 'Canoo propagate symbolic taint for unsupported VEX statement type', 27: 'Cannot propagate symbolic taint for unsupported VEX expression', 28: "Cannot determine size of memory write; likely because unicorn didn't", 29: 'A symbolic memory dependency on stack is no longer in scope', 30: 'ARM syscalls are currently not supported by SimEngineUnicorn', 31: 'An instruction in current block overwrites a symbolic value needed for re-executing some instruction in same block', 32: 'Block executes cpuid which should be handled in VEX engine'}

symbolic_stop_reasons = [12, 13, 14, 15, 16, 17, 18, 30, 31, 32]

unsupported_reasons = [19, 20, 21, 22, 23, 24, 26, 27, 11]

static name_stop(num)

static get_stop_msg(stop_reason)

class angr.state_plugins.unicorn_engine.StopDetails

Bases: _ctypes.Structure

struct stop_details_t

block_addr: Structure/Union member

block_size: Structure/Union member

stop_reason: Structure/Union member

class angr.state_plugins.unicorn_engine.SimOSEnum

Bases: object

enum simos_t

SIMOS_CGC = 0

SIMOS_LINUX = 1

SIMOS_OTHER = 2

exception angr.state_plugins.unicorn_engine.MemoryMappingError: Bases: Exception

exception angr.state_plugins.unicorn_engine.AccessingZeroPageError: Bases: angr.state_plugins.unicorn_engine.MemoryMappingError

exception angr.state_plugins.unicorn_engine.FetchingZeroPageError: Bases: angr.state_plugins.unicorn_engine.MemoryMappingError

exception angr.state_plugins.unicorn_engine.SegfaultError: Bases: angr.state_plugins.unicorn_engine.MemoryMappingError

exception angr.state_plugins.unicorn_engine.MixedPermissonsError: Bases: angr.state_plugins.unicorn_engine.MemoryMappingError

class angr.state_plugins.unicorn_engine.AggressiveConcretizationAnnotation(addr): Bases: claripy.annotation.SimplificationAvoidanceAnnotation

class angr.state_plugins.unicorn_engine.Uniwrapper(arch, cache_key, thumb=False)

Bases: unicorn.unicorn.Uc

hook_add(htype, callback, user_data=None, begin=1, end=0, arg1=0)

hook_del(h)

mem_map(addr, size, perms=7)

mem_map_ptr(addr, size, perms, ptr)

mem_unmap(addr, size)

mem_reset()

hook_reset()

reset()

class angr.state_plugins.unicorn_engine.Unicorn(syscall_hooks=None, cache_key=None, unicount=None, symbolic_var_counts=None, symbolic_inst_counts=None, concretized_asts=None, always_concretize=None, never_concretize=None, concretize_at=None, concretization_threshold_memory=None, concretization_threshold_registers=None, concretization_threshold_instruction=None, cooldown_symbolic_stop=2, cooldown_unsupported_stop=2, cooldown_nonunicorn_blocks=100, cooldown_stop_point=1, max_steps=1000000)

Bases: angr.state_plugins.plugin.SimStatePlugin

setup the unicorn engine for a state

Initializes the Unicorn plugin for angr. This plugin handles communication with UnicornEngine.

UC_CONFIG = {}

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None)

widen(others)

set_state(state)

property uc

static delete_uc()

set_last_block_details(details)

set_stops(stop_points)

set_tracking(track_bbls, track_stack)

hook()

uncache_region(addr, length)

clear_page_cache()

setup()

start(step=None)

finish()

destroy()

set_regs(): setting unicorn registers

setup_flags()

setup_gdt(fs, gs)

read_msr(msr=3221225728)

write_msr(val, msr=3221225728)

get_regs(): loading registers from unicorn

class angr.state_plugins.loop_data.SimStateLoopData(back_edge_trip_counts=None, header_trip_counts=None, current_loop=None)

Bases: angr.state_plugins.plugin.SimStatePlugin

This class keeps track of loop-related information for states. Note that we have 2 counters for loop iterations (trip counts): the first recording the number of times one of the back edges (or continue edges) of a loop is taken, whereas the second recording the number of times the loop header (or loop entry) is executed. These 2 counters may differ since compilers usually optimize loops hence completely change the loop structure at the binary level. This is supposed to be used with LoopSeer exploration technique, which monitors loop execution. For the moment, the only thing we want to analyze is loop trip counts, but nothing prevents us from extending this plugin for other loop analyses.

Parameters

back_edge_trip_counts – Dictionary that stores back edge based trip counts for each loop. Keys are address of loop headers.
header_trip_counts – Dictionary that stores header based trip counts for each loop. Keys are address of loop headers.
current_loop – List of currently running loops. Each element is a tuple (loop object, list of loop exits).

merge(others, merge_conditions, common_ancestor=None)

widen(others)

copy(memo=None, **kwargs)

class angr.state_plugins.concrete.Concrete(segment_registers_initialized=False, segment_registers_callback_initialized=False, whitelist=None, fs_register_bp=None, already_sync_objects_addresses=None)

Bases: angr.state_plugins.plugin.SimStatePlugin

copy(_memo)

merge(_others, _merge_conditions, _common_ancestor=None)

widen(_others)

set_state(state)

sync()

Handle the switch between the concrete execution and angr. This method takes care of: 1- Synchronize registers. 2- Set a concrete target to the memory backer so the memory reads are redirected in the concrete process memory. 3- If possible restore the SimProcedures with the real addresses inside the concrete process. 4- Set an inspect point to sync the segments register as soon as they are read during the symbolic execution. 5- Flush all the pages loaded until now.

Returns

class angr.state_plugins.javavm_classloader.SimJavaVmClassloader(initialized_classes=None)

Bases: angr.state_plugins.plugin.SimStatePlugin

JavaVM Classloader is used as an interface for resolving and initializing Java classes.

get_class(class_name, init_class=False, step_func=None)

Get a class descriptor for the class.

Parameters

class_name (str) – Name of class.
init_class (bool) – Whether the class initializer <clinit> should be executed.
step_func (func) – Callback function executed at every step of the simulation manager during the execution of the main <clinit> method

get_superclass(class_): Get the superclass of the class.

get_class_hierarchy(base_class): Walks up the class hierarchy and returns a list of all classes between base class (inclusive) and java.lang.Object (exclusive).

is_class_initialized(class_): Indicates whether the classes initializing method <clinit> was already executed on the state.

init_class(class_, step_func=None)

This method simulates the loading of a class by the JVM, during which parts of the class (e.g. static fields) are initialized. For this, we run the class initializer method <clinit> (if available) and update the state accordingly.

Note: Initialization is skipped, if the class has already been: initialized (or if it’s not loaded in CLE).

property initialized_classes: List of all initialized classes.

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None)

widen(others)

class angr.state_plugins.jni_references.SimStateJNIReferences(local_refs=None, global_refs=None)

Bases: angr.state_plugins.plugin.SimStatePlugin

Management of the mapping between opaque JNI references and the corresponding Java objects.

lookup(opaque_ref): Lookups the object that was used for creating the reference.

create_new_reference(obj, global_ref=False)

Create a new reference thats maps to the given object.

Parameters

obj – Object which gets referenced.
global_ref (bool) – Whether a local or global reference is created.

clear_local_references(): Clear all local references.

delete_reference(opaque_ref, global_ref=False)

Delete the stored mapping of a reference.

Parameters

opaque_ref – Reference which should be removed.
global_ref (bool) – Whether opaque_ref is a local or global reference.

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None)

widen(others)

class angr.state_plugins.heap.heap_base.SimHeapBase(heap_base=None, heap_size=None)

Bases: angr.state_plugins.plugin.SimStatePlugin

This is the base heap class that all heap implementations should subclass. It defines a few handlers for common heap functions (the libc memory management functions). Heap implementations are expected to override these functions regardless of whether they implement the SimHeapLibc interface. For an example, see the SimHeapBrk implementation, which is based on the original libc SimProcedure implementations.

Variables

heap_base – the address of the base of the heap in memory
heap_size – the total size of the main memory region managed by the heap in memory
mmap_base – the address of the region from which large mmap allocations will be made

copy(memo)

init_state()

class angr.state_plugins.heap.heap_brk.SimHeapBrk(heap_base=None, heap_size=None)

Bases: angr.state_plugins.heap.heap_base.SimHeapBase

SimHeapBrk represents a trivial heap implementation based on the Unix brk system call. This type of heap stores virtually no metadata, so it is up to the user to determine when it is safe to release memory. This also means that it does not properly support standard heap operations like realloc.

This heap implementation is a holdover from before any more proper implementations were modelled. At the time, various libc (or win32) SimProcedures handled the heap in the same way that this plugin does now. To make future heap implementations plug-and-playable, they should implement the necessary logic themselves, and dependent SimProcedures should invoke a method by the same name as theirs (prepended with an underscore) upon the heap plugin. Depending on the heap implementation, if the method is not supported, an error should be raised.

Out of consideration for the original way the heap was handled, this plugin implements functionality for all relevant SimProcedures (even those that would not normally be supported together in a single heap implementation).

Variables: heap_location – the address of the top of the heap, bounding the allocations made starting from heap_base

copy(memo=None, **kwargs)

allocate(sim_size)

The actual allocation primitive for this heap implementation. Increases the position of the break to allocate space. Has no guards against the heap growing too large.

Parameters: sim_size – a size specifying how much to increase the break pointer by
Returns: a pointer to the previous break position, above which there is now allocated space

release(sim_size)

The memory release primitive for this heap implementation. Decreases the position of the break to deallocate space. Guards against releasing beyond the initial heap base.

Parameters: sim_size – a size specifying how much to decrease the break pointer by (may be symbolic or not)

merge(others, merge_conditions, common_ancestor=None)

widen(others)

class angr.state_plugins.heap.heap_freelist.Chunk(base, sim_state)

Bases: object

The sort of chunk as would typically be found in a freelist-style heap implementation. Provides a representation of a chunk via a view into the memory plugin. Chunks may be adjacent, in different senses, to as many as four other chunks. For any given chunk, two of these chunks are adjacent to it in memory, and are referred to as the “previous” and “next” chunks throughout this implementation. For any given free chunk, there may also be two significant chunks that are adjacent to it in some linked list of free chunks. These chunks are referred to the “backward” and “foward” chunks relative to the chunk in question.

Variables

base – the location of the base of the chunk in memory
state – the program state that the chunk is resident in

get_size(): Returns the actual size of a chunk (as opposed to the entire size field, which may include some flags).

get_data_size(): Returns the size of the data portion of a chunk.

set_size(size): Sets the size of the chunk, preserving any flags.

data_ptr(): Returns the address of the payload of the chunk.

is_free(): Returns a concrete determination as to whether the chunk is free.

next_chunk(): Returns the chunk immediately following (and adjacent to) this one.

prev_chunk(): Returns the chunk immediately prior (and adjacent) to this one.

fwd_chunk(): Returns the chunk following this chunk in the list of free chunks.

set_fwd_chunk(fwd)

Sets the chunk following this chunk in the list of free chunks.

Parameters: fwd – the chunk to follow this chunk in the list of free chunks

bck_chunk(): Returns the chunk backward from this chunk in the list of free chunks.

set_bck_chunk(bck)

Sets the chunk backward from this chunk in the list of free chunks.

Parameters: bck – the chunk to precede this chunk in the list of free chunks

class angr.state_plugins.heap.heap_freelist.SimHeapFreelist(heap_base=None, heap_size=None)

Bases: angr.state_plugins.heap.heap_libc.SimHeapLibc

A freelist-style heap implementation. Distinguishing features of such heaps include chunks containing heap metadata in addition to user data and at least (but often more than) one linked list of free chunks.

chunks(): Returns an iterator over all the chunks in the heap.

allocated_chunks(): Returns an iterator over all the allocated chunks in the heap.

free_chunks(): Returns an iterator over all the free chunks in the heap.

chunk_from_mem(ptr)

Given a pointer to a user payload, return the chunk associated with that payload.

Parameters: ptr – a pointer to the base of a user payload in the heap
Returns: the associated heap chunk

print_heap_state()

print_all_chunks()

class angr.state_plugins.heap.heap_libc.SimHeapLibc(heap_base=None, heap_size=None)

Bases: angr.state_plugins.heap.heap_base.SimHeapBase

A class of heap that implements the major libc heap management functions.

malloc(sim_size)

A somewhat faithful implementation of libc malloc.

Parameters: sim_size – the amount of memory (in bytes) to be allocated
Returns: the address of the allocation, or a NULL pointer if the allocation failed

free(ptr)

A somewhat faithful implementation of libc free.

Parameters: ptr – the location in memory to be freed

calloc(sim_nmemb, sim_size)

A somewhat faithful implementation of libc calloc.

Parameters

sim_nmemb – the number of elements to allocated
sim_size – the size of each element (in bytes)

Returns

the address of the allocation, or a NULL pointer if the allocation failed

realloc(ptr, size)

A somewhat faithful implementation of libc realloc.

Parameters

ptr – the location in memory to be reallocated
size – the new size desired for the allocation

Returns

the address of the allocation, or a NULL pointer if the allocation was freed or if no new allocation was made

angr.state_plugins.heap.heap_ptmalloc.silence_logger()

angr.state_plugins.heap.heap_ptmalloc.unsilence_logger(level)

class angr.state_plugins.heap.heap_ptmalloc.PTChunk(base, sim_state, heap=None)

Bases: angr.state_plugins.heap.heap_freelist.Chunk

A chunk, inspired by the implementation of chunks in ptmalloc. Provides a representation of a chunk via a view into the memory plugin. For the chunk definitions and docs that this was loosely based off of, see glibc malloc/malloc.c, line 1033, as of commit 5a580643111ef6081be7b4c7bd1997a5447c903f. Alternatively, take the following link. https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=67cdfd0ad2f003964cd0f7dfe3bcd85ca98528a7;hb=5a580643111ef6081be7b4c7bd1997a5447c903f#l1033

Variables

base – the location of the base of the chunk in memory
state – the program state that the chunk is resident in
heap – the heap plugin that the chunk is managed by

get_size()

get_data_size()

set_size(size, is_free=None)

Use this to set the size on a chunk. When the chunk is new (such as when a free chunk is shrunk to form an allocated chunk and a remainder free chunk) it is recommended that the is_free hint be used since setting the size depends on the chunk’s freeness, and vice versa.

Parameters

size – size of the chunk
is_free – boolean indicating the chunk’s freeness

set_prev_freeness(is_free)

Sets (or unsets) the flag controlling whether the previous chunk is free.

Parameters: is_free – if True, sets the previous chunk to be free; if False, sets it to be allocated

is_prev_free()

Returns a concrete state of the flag indicating whether the previous chunk is free or not. Issues a warning if that flag is symbolic and has multiple solutions, and then assumes that the previous chunk is free.

Returns: True if the previous chunk is free; False otherwise

prev_size(): Returns the size of the previous chunk, masking off what would be the flag bits if it were in the actual size field. Performs NO CHECKING to determine whether the previous chunk size is valid (for example, when the previous chunk is not free, its size cannot be determined).

is_free()

data_ptr()

next_chunk()

Returns the chunk immediately following (and adjacent to) this one, if it exists.

Returns: The following chunk, or None if applicable

prev_chunk()

Returns the chunk immediately prior (and adjacent) to this one, if that chunk is free. If the prior chunk is not free, then its base cannot be located and this method raises an error.

Returns: If possible, the previous chunk; otherwise, raises an error

fwd_chunk()

Returns the chunk following this chunk in the list of free chunks. If this chunk is not free, then it resides in no such list and this method raises an error.

Returns: If possible, the forward chunk; otherwise, raises an error

set_fwd_chunk(fwd)

bck_chunk()

Returns the chunk backward from this chunk in the list of free chunks. If this chunk is not free, then it resides in no such list and this method raises an error.

Returns: If possible, the backward chunk; otherwise, raises an error

set_bck_chunk(bck)

class angr.state_plugins.heap.heap_ptmalloc.PTChunkIterator(chunk, cond=<function PTChunkIterator.<lambda>>): Bases: object

class angr.state_plugins.heap.heap_ptmalloc.SimHeapPTMalloc(heap_base=None, heap_size=None)

Bases: angr.state_plugins.heap.heap_freelist.SimHeapFreelist

A freelist-style heap implementation inspired by ptmalloc. The chunks used by this heap contain heap metadata in addition to user data. While the real-world ptmalloc is implemented using multiple lists of free chunks (corresponding to their different sizes), this more basic model uses a single list of chunks and searches for free chunks using a first-fit algorithm.

NOTE: The plugin must be registered using register_plugin with name heap in order to function properly.

Variables

heap_base – the address of the base of the heap in memory
heap_size – the total size of the main memory region managed by the heap in memory
mmap_base – the address of the region from which large mmap allocations will be made
free_head_chunk – the head of the linked list of free chunks in the heap

copy(memo=None, **kwargs)

chunks()

allocated_chunks()

free_chunks()

chunk_from_mem(ptr)

Given a pointer to a user payload, return the base of the chunk associated with that payload (i.e. the chunk pointer). Returns None if ptr is null.

Parameters: ptr – a pointer to the base of a user payload in the heap
Returns: a pointer to the base of the associated heap chunk, or None if ptr is null

malloc(sim_size)

free(ptr)

calloc(sim_nmemb, sim_size)

realloc(ptr, size)

merge(others, merge_conditions, common_ancestor=None)

widen(others)

init_state()

angr.state_plugins.heap.utils.concretize(x, solver, sym_handler)

For now a lot of naive concretization is done when handling heap metadata to keep things manageable. This idiom showed up a lot as a result, so to reduce code repetition this function uses a callback to handle the one or two operations that varied across invocations.

Parameters

x – the item to be concretized
solver – the solver to evaluate the item with
sym_handler – the handler to be used when the item may take on more than one value

Returns

a concrete value for the item

class angr.state_plugins.symbolizer.SimSymbolizer

Bases: angr.state_plugins.plugin.SimStatePlugin

The symbolizer state plugin ensures that pointers that are stored in memory are symbolic. This allows for the tracking of and reasoning over these pointers (for example, to reason about memory disclosure).

init_state()

set_symbolization_for_all_pages(): Sets the symbolizer to symbolize pointers to all pages as they are written to memory..

set_symbolized_target_range(base, length)

All pointers to the target range will be symbolized as they are written to memory.

Due to optimizations, the _pages_ containing this range will be set as symbolization targets, not just the range itself.

resymbolize(): Re-symbolizes all pointers in memory. This can be called to symbolize any pointers to target regions that were written (and not mangled beyond recognition) before symbolization was set.

copy(memo=None, **kwargs)

Storage

class angr.state_plugins.view.SimRegNameView

Bases: angr.state_plugins.plugin.SimStatePlugin

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None)

widen(others)

get(reg_name)

class angr.state_plugins.view.SimMemView(ty=None, addr=None, state=None)

Bases: angr.state_plugins.plugin.SimStatePlugin

This is a convenient interface with which you can access a program’s memory.

The interface works like this:

You first use [array index notation] to specify the address you’d like to load from

If at that address is a pointer, you may access the deref property to return a SimMemView at the address present in memory.

You then specify a type for the data by simply accesing a property of that name. For a list of supported types, look at state.mem.types.

You can then refine the type. Any type may support any refinement it likes. Right now the only refinements supported are that you may access any member of a struct by its member name, and you may index into a string or array to access that element.

If the address you specified initially points to an array of that type, you can say .array(n) to view the data as an array of n elements.

Finally, extract the structured data with .resolved or .concrete. .resolved will return bitvector values, while .concrete will return integer, string, array, etc values, whatever best represents the data.

Alternately, you may store a value to memory, by assigning to the chain of properties that you’ve constructed. Note that because of the way python works, x = s.mem[...].prop; x = val will NOT work, you must say s.mem[...].prop = val.

For example:

>>> s.mem[0x601048].long
<long (64 bits) <BV64 0x4008d0> at 0x601048>
>>> s.mem[0x601048].long.resolved
<BV64 0x4008d0>
>>> s.mem[0x601048].deref
<<untyped> <unresolvable> at 0x4008d0>
>>> s.mem[0x601048].deref.string.concrete
'SOSNEAKY'

set_state(state)

types = {'CharT': char, '_Bool': bool, '__int128': int128_t, '__int256': int256_t, 'basic_string': string_t, 'bool': bool, 'byte': uint8_t, 'char': char, 'double': double, 'dword': uint32_t, 'float': float, 'int': int, 'int16_t': int16_t, 'int32_t': int32_t, 'int64_t': int64_t, 'int8_t': int8_t, 'long': long, 'long double': double, 'long int': long, 'long long': long long, 'long long int': long long, 'long signed': long, 'long unsigned int': unsigned long, 'ptrdiff_t': long, 'qword': uint64_t, 'short': short, 'short int': short, 'signed': int, 'signed char': char, 'signed int': int, 'signed long': long, 'signed long int': long, 'signed long long': long long, 'signed long long int': long long, 'signed short': short, 'signed short int': short, 'size_t': size_t, 'ssize': size_t, 'ssize_t': size_t, 'string': string_t, 'struct iovec': struct iovec, 'struct timespec': struct timespec, 'struct timeval': struct timeval, 'time_t': long, 'uint16_t': uint16_t, 'uint32_t': uint32_t, 'uint64_t': uint64_t, 'uint8_t': uint8_t, 'uintptr_t': unsigned long, 'unsigned': unsigned int, 'unsigned __int128': uint128_t, 'unsigned __int256': uint256_t, 'unsigned char': char, 'unsigned int': unsigned int, 'unsigned long': unsigned long, 'unsigned long int': unsigned long, 'unsigned long long': unsigned long long, 'unsigned long long int': unsigned long long, 'unsigned short': unsigned short, 'unsigned short int': unsigned short, 'va_list': struct va_list, 'void': void, 'word': uint16_t, 'wstring': wstring_t}

state = None

struct: angr.state_plugins.view.StructMode

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None)

widen(others)

property resolvable

property resolved

property concrete

property deref: angr.state_plugins.view.SimMemView

array(n) → angr.state_plugins.view.SimMemView

store(value)

class angr.state_plugins.view.StructMode(view): Bases: object

class angr.storage.file.Flags

Bases: object

O_RDONLY = 0

O_WRONLY = 1

O_RDWR = 2

O_ACCMODE = 3

O_APPEND = 1024

O_ASYNC = 8192

O_CLOEXEC = 524288

O_CREAT = 64

O_DIRECT = 16384

O_DIRECTORY = 65536

O_DSYNC = 4096

O_EXCL = 128

O_LARGEFILE = 32768

O_NOATIME = 262144

O_NOCTTY = 256

O_NOFOLLOW = 131072

O_NONBLOCK = 2048

O_NDELAY = 2048

O_PATH = 2097152

O_SYNC = 1052672

O_TMPFILE = 4259840

O_TRUNC = 512

class angr.storage.file.SimFileBase(name=None, writable=True, ident=None, concrete=False, **kwargs)

Bases: angr.state_plugins.plugin.SimStatePlugin

SimFiles are the storage mechanisms used by SimFileDescriptors.

Different types of SimFiles can have drastically different interfaces, and as a result there’s not much that can be specified on this base class. All the read and write methods take a pos argument, which may have different semantics per-class. 0 will always be a valid position to use, though, and the next position you should use is part of the return tuple.

Some simfiles are “streams”, meaning that the position that reads come from is determined not by the position you pass in (it will in fact be ignored), but by an internal variable. This is stored as .pos if you care to read it. Don’t write to it. The same lack-of-semantics applies to this field as well.

Variables

name – The name of the file. Purely for cosmetic purposes
ident – The identifier of the file, typically autogenerated from the name and a nonce. Purely for cosmetic purposes, but does appear in symbolic values autogenerated in the file.
seekable – Bool indicating whether seek operations on this file should succeed. If this is True, then pos must be a number of bytes from the start of the file.
writable – Bool indicating whether writing to this file is allowed.
pos – If the file is a stream, this will be the current position. Otherwise, None.
concrete – Whether or not this file contains mostly concrete data. Will be used by some SimProcedures to choose how to handle variable-length operations like fgets.

seekable = False

pos = None

static make_ident(name)

concretize(**kwargs): Return a concretization of the contents of the file. The type of the return value of this method will vary depending on which kind of SimFile you’re using.

read(pos, size, **kwargs)

Read some data from the file.

Parameters

pos – The offset in the file to read from.
size – The size to read. May be symbolic.

Returns

A tuple of the data read (a bitvector of the length that is the maximum length of the read), the actual size of the read, and the new file position pointer.

write(pos, data, size=None, **kwargs)

Write some data to the file.

Parameters

pos – The offset in the file to write to. May be ignored if the file is a stream or device.
data – The data to write as a bitvector
size – The optional size of the data to write. If not provided will default to the length of the data. Must be constrained to less than or equal to the size of the data.

Returns

The new file position pointer.

property size: The number of data bytes stored by the file at present. May be a symbolic value.

copy(memo=None, **kwargs)

class angr.storage.file.SimFile(name=None, content=None, size=None, has_end=None, seekable=True, writable=True, ident=None, concrete=None, **kwargs)

Bases: angr.storage.file.SimFileBase, angr.storage.memory_mixins.DefaultMemory

The normal SimFile is meant to model files on disk. It subclasses SimSymbolicMemory so loads and stores to/from it are very simple.

Parameters

name – The name of the file
content – Optional initial content for the file as a string or bitvector
size – Optional size of the file. If content is not specified, it defaults to zero
has_end – Whether the size boundary is treated as the end of the file or a frontier at which new content will be generated. If unspecified, will pick its value based on options.FILES_HAVE_EOF. Another caveat is that if the size is also unspecified this value will default to False.
seekable – Optional bool indicating whether seek operations on this file should succeed, default True.
writable – Whether writing to this file is allowed
concrete – Whether or not this file contains mostly concrete data. Will be used by some SimProcedures to choose how to handle variable-length operations like fgets.

Variables

has_end – Whether this file has an EOF

property category

set_state(state)

property size

concretize(**kwargs): Return a concretization of the contents of the file, as a flat bytestring.

read(pos, size, **kwargs)

write(pos, data, size=None, events=True, **kwargs)

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None)

widen(_)

class angr.storage.file.SimFileStream(name=None, content=None, pos=0, **kwargs)

Bases: angr.storage.file.SimFile

A specialized SimFile that uses a flat memory backing, but functions as a stream, tracking its position internally.

The pos argument to the read and write methods will be ignored, and will return None. Instead, there is an attribute pos on the file itself, which will give you what you want.

Parameters

name – The name of the file, for cosmetic purposes
pos – The initial position of the file, default zero
kwargs – Any other keyword arguments will go on to the SimFile constructor.

Variables

pos – The current position in the file.

set_state(state)

read(pos, size, **kwargs)

write(_, data, size=None, **kwargs)

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None)

class angr.storage.file.SimPackets(name, write_mode=None, content=None, writable=True, ident=None, **kwargs)

Bases: angr.storage.file.SimFileBase

The SimPackets is meant to model inputs whose content is delivered a series of asynchronous chunks. The data is stored as a list of read or write results. For symbolic sizes, state.libc.max_packet_size will be respected. If the SHORT_READS option is enabled, reads will return a symbolic size constrained to be less than or equal to the requested size.

A SimPackets cannot be used for both reading and writing - for socket objects that can be both read and written to you should use a file descriptor to multiplex the read and write operations into two separate file storage mechanisms.

Parameters

name – The name of the file, for cosmetic purposes
write_mode – Whether this file is opened in read or write mode. If this is unspecified it will be autodetected.
content – Some initial content to use for the file. Can be a list of bytestrings or a list of tuples of content ASTs and size ASTs.

Variables

write_mode – See the eponymous parameter
content – A list of packets, as tuples of content ASTs and size ASTs.

set_state(state)

property size

concretize(**kwargs): Returns a list of the packets read or written as bytestrings.

read(pos, size, **kwargs)

Read a packet from the stream.

Parameters

pos (int) – The packet number to read from the sequence of the stream. May be None to append to the stream.
size – The size to read. May be symbolic.
short_reads – Whether to replace the size with a symbolic value constrained to less than or equal to the original size. If unspecified, will be chosen based on the state option.

Returns

A tuple of the data read (a bitvector of the length that is the maximum length of the read) and the actual size of the read.

write(pos, data, size=None, events=True, **kwargs)

Write a packet to the stream.

Parameters

pos (int) – The packet number to write in the sequence of the stream. May be None to append to the stream.
data – The data to write, as a string or bitvector.
size – The optional size to write. May be symbolic; must be constrained to at most the size of data.

Returns

The next packet to use after this

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None)

widen(_)

class angr.storage.file.SimPacketsStream(name, pos=0, **kwargs)

Bases: angr.storage.file.SimPackets

A specialized SimPackets that tracks its position internally.

The pos argument to the read and write methods will be ignored, and will return None. Instead, there is an attribute pos on the file itself, which will give you what you want.

Parameters

name – The name of the file, for cosmetic purposes
pos – The initial position of the file, default zero
kwargs – Any other keyword arguments will go on to the SimPackets constructor.

Variables

pos – The current position in the file.

read(pos, size, **kwargs)

write(_, data, size=None, **kwargs)

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None)

class angr.storage.file.SimFileDescriptorBase

Bases: angr.state_plugins.plugin.SimStatePlugin

The base class for implementations of POSIX file descriptors.

All file descriptors should respect the CONCRETIZE_SYMBOLIC_{READ,WRITE}_SIZES state options.

read(pos, size, **kwargs)

Reads some data from the file, storing it into memory.

Parameters

pos – The address to write the read data into memory
size – The requested length of the read

Returns

The real length of the read

write(pos, size, **kwargs)

Writes some data, loaded from the state, into the file.

Parameters

pos – The address to read the data to write from in memory
size – The requested size of the write

Returns

The real length of the write

read_data(size, **kwargs)

Reads some data from the file, returning the data.

Parameters: size – The requested length of the read
Returns: A tuple of the data read and the real length of the read

write_data(data, size=None, **kwargs)

Write some data, provided as an argument into the file.

Parameters

data – A bitvector to write into the file
size – The requested size of the write (may be symbolic)

Returns

The real length of the write

seek(offset, whence='start')

Seek the file descriptor to a different position in the file.

Parameters

offset – The offset to seek to, interpreted according to whence
whence – What the offset is relative to; one of the strings “start”, “current”, or “end”

Returns

A symbolic boolean describing whether the seek succeeded or not

tell(): Return the current position, or None if the concept doesn’t make sense for the given file.

eof(): Return the EOF status. May be a symbolic boolean.

size(): Return the size of the data stored in the file in bytes, or None if the concept doesn’t make sense for the given file.

property read_storage: Return the SimFile backing reads from this fd

property write_storage: Return the SimFile backing writes to this fd

property read_pos

Return the current position of the read file pointer.

If the underlying read file is a stream, this will return the position of the stream. Otherwise, will return the position of the file descriptor in the file.

property write_pos

Return the current position of the read file pointer.

If the underlying read file is a stream, this will return the position of the stream. Otherwise, will return the position of the file descriptor in the file.

concretize(**kwargs)

Return a concretizeation of the data in the underlying file. Has different return types to represent differnt data structures on a per-class basis.

Any arguments passed to this will be passed onto state.solver.eval.

class angr.storage.file.SimFileDescriptor(simfile, flags=0)

Bases: angr.storage.file.SimFileDescriptorBase

A simple file descriptor forwarding reads and writes to a SimFile. Contains information about the current opened state of the file, such as the flags or (if relevant) the current position.

Variables

file – The SimFile described to by this descriptor
flags – The mode that the file descriptor was opened with, a bitfield of flags

read_data(size, **kwargs)

write_data(data, size=None, **kwargs)

seek(offset, whence='start')

eof()

tell()

size()

concretize(**kwargs): Return a concretization of the underlying file. Returns whatever format is preferred by the file.

property read_storage

property write_storage

property read_pos

property write_pos

set_state(state)

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None)

widen(_)

class angr.storage.file.SimFileDescriptorDuplex(read_file, write_file)

Bases: angr.storage.file.SimFileDescriptorBase

A file descriptor that refers to two file storage mechanisms, one to read from and one to write to. As a result, operations like seek, eof, etc no longer make sense.

Parameters

read_file – The SimFile to read from
write_file – The SimFile to write to

read_data(size, **kwargs)

write_data(data, size=None, **kwargs)

set_state(state)

eof()

tell()

seek(offset, whence='start')

size()

concretize(**kwargs): Return a concretization of the underlying files, as a tuple of (read file, write file).

property read_storage

property write_storage

property read_pos

property write_pos

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None)

widen(_)

class angr.storage.file.SimPacketsSlots(name, read_sizes, ident=None, **kwargs)

Bases: angr.storage.file.SimFileBase

SimPacketsSlots is the new SimDialogue, if you’ve ever seen that before.

The idea is that in some cases, the only thing you really care about is getting the lengths of reads right, and some of them should be short reads, and some of them should be truncated. You provide to this class a list of read lengths, and it figures out the length of each read, and delivers some content.

This class will NOT respect the position argument you pass it - this storage is not stateless.

seekable = False

concretize(**kwargs)

read(pos, size, **kwargs)

write(pos, data, size=None, **kwargs)

property size

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None)

widen(_)

angr.storage.memory_object.obj_bit_size(o)

class angr.storage.memory_object.SimMemoryObject(obj, base, endness, length=None, byte_width=8)

Bases: object

A SimMemoryObject is a reference to a byte or several bytes in a specific object in memory. It should be used only by the bottom layer of memory.

is_bytes

base

object

length

endness

size()

property variables

property cache_key

property symbolic

property last_addr

includes(x)

bytes_at(addr, length, allow_concrete=False, endness='Iend_BE')

class angr.storage.memory_object.SimLabeledMemoryObject(obj, base, endness, length=None, byte_width=8, label=None)

Bases: angr.storage.memory_object.SimMemoryObject

label

angr.storage.memory_object.bv_slice(value, offset, size, rev, bw)

Extremely cute utility to pretend you’ve serialized a value to stored bytes, sliced it a la python slicing, and then deserialized those bytes to an integer again.

Parameters

value – The bitvector to slice
offset – The byte offset from the first stored byte to slice from, or a negative offset from the end.
size – The number of bytes to return. If None, return all bytes from the offset to the end. If larger than the number of bytes from the offset to the end, return all bytes from the offset to the end.
rev – Whether the pretend-serialization should be little-endian
bw – The byte width

Returns

The new bitvector

class angr.storage.pcap.PCAP(path, ip_port_tup, init=True)

Bases: object

initialize(path)

recv(length)

copy()

class angr.concretization_strategies.SimConcretizationStrategy(filter=None, exact=True)

Bases: object

Concretization strategies control the resolution of symbolic memory indices in SimuVEX. By subclassing this class and setting it as a concretization strategy (on state.memory.read_strategies and state.memory.write_strategies), SimuVEX’s memory index concretization behavior can be modified.

Initializes the base SimConcretizationStrategy.

Parameters

filter – A function, taking arguments of (SimMemory, claripy.AST) that determins if this strategy can handle resolving the provided AST.
exact – A flag (default: True) that determines if the convenience resolution functions provided by this class use exact or approximate resolution.

concretize(memory, addr, **kwargs): Concretizes the address into a list of values. If this strategy cannot handle this address, returns None.

copy(): Returns a copy of the strategy, if there is data that should be kept separate between states. If not, returns self.

merge(others): Merges this strategy with others (if there is data that should be kept separate between states. If not, is a no-op.

Memory Mixins

class angr.storage.memory_mixins.MemoryMixin(memory_id=None, endness='Iend_BE')

Bases: angr.state_plugins.plugin.SimStatePlugin

SUPPORTS_CONCRETE_LOAD = False

copy(memo)

property category

reg, mem, or file.

Type: Return the category of this SimMemory instance. It can be one of the three following categories

property variable_key_prefix

find(addr, data, max_search, **kwargs)

load(addr, **kwargs)

store(addr, data, **kwargs)

merge(others, merge_conditions, common_ancestor=None) → bool

widen(others)

permissions(addr, permissions=None, **kwargs)

map_region(addr, length, permissions, init_zero=False, **kwargs)

unmap_region(addr, length, **kwargs)

concrete_load(addr, size, writing=False, **kwargs) → memoryview

Set SUPPORTS_CONCRETE_LOAD to True and implement concrete_load if reading concrete bytes is faster in this memory model.

Parameters

addr – The address to load from.
size – Size of the memory read.
writing –

Returns

A memoryview into the loaded bytes.

erase(addr, size=None, **kwargs) → None

Set [addr:addr+size) to uninitialized. In many cases this will be faster than overwriting those locations with new values. This is commonly used during static data flow analysis.

Parameters

addr – The address to start erasing.
size – The number of bytes for erasing.

Returns

None

replace_all(old: claripy.ast.bv.BV, new: claripy.ast.bv.BV)

copy_contents(dst, src, size, condition=None, **kwargs)

Override this method to provide faster copying of large chunks of data.

Parameters

dst – The destination of copying.
src – The source of copying.
size – The size of copying.
condition – The storing condition.
kwargs – Other parameters.

Returns

None

class angr.storage.memory_mixins.DefaultMemory(*args, **kwargs): Bases: angr.storage.memory_mixins.hex_dumper_mixin.HexDumperMixin, angr.storage.memory_mixins.smart_find_mixin.SmartFindMixin, angr.storage.memory_mixins.unwrapper_mixin.UnwrapperMixin, angr.storage.memory_mixins.name_resolution_mixin.NameResolutionMixin, angr.storage.memory_mixins.bvv_conversion_mixin.DataNormalizationMixin, angr.storage.memory_mixins.simplification_mixin.SimplificationMixin, angr.storage.memory_mixins.clouseau_mixin.InspectMixinHigh, angr.storage.memory_mixins.actions_mixin.ActionsMixinHigh, angr.storage.memory_mixins.underconstrained_mixin.UnderconstrainedMixin, angr.storage.memory_mixins.size_resolution_mixin.SizeConcretizationMixin, angr.storage.memory_mixins.size_resolution_mixin.SizeNormalizationMixin, angr.storage.memory_mixins.address_concretization_mixin.AddressConcretizationMixin, angr.storage.memory_mixins.actions_mixin.ActionsMixinLow, angr.storage.memory_mixins.conditional_store_mixin.ConditionalMixin, angr.storage.memory_mixins.convenient_mappings_mixin.ConvenientMappingsMixin, angr.storage.memory_mixins.dirty_addrs_mixin.DirtyAddrsMixin, angr.storage.memory_mixins.paged_memory.stack_allocation_mixin.StackAllocationMixin, angr.storage.memory_mixins.paged_memory.page_backer_mixins.ClemoryBackerMixin, angr.storage.memory_mixins.paged_memory.page_backer_mixins.DictBackerMixin, angr.storage.memory_mixins.paged_memory.privileged_mixin.PrivilegedPagingMixin, angr.storage.memory_mixins.paged_memory.paged_memory_mixin.UltraPagesMixin, angr.storage.memory_mixins.default_filler_mixin.DefaultFillerMixin, angr.storage.memory_mixins.symbolic_merger_mixin.SymbolicMergerMixin, angr.storage.memory_mixins.paged_memory.paged_memory_mixin.PagedMemoryMixin

class angr.storage.memory_mixins.DefaultListPagesMemory(*args, **kwargs): Bases: angr.storage.memory_mixins.hex_dumper_mixin.HexDumperMixin, angr.storage.memory_mixins.smart_find_mixin.SmartFindMixin, angr.storage.memory_mixins.unwrapper_mixin.UnwrapperMixin, angr.storage.memory_mixins.name_resolution_mixin.NameResolutionMixin, angr.storage.memory_mixins.bvv_conversion_mixin.DataNormalizationMixin, angr.storage.memory_mixins.simplification_mixin.SimplificationMixin, angr.storage.memory_mixins.actions_mixin.ActionsMixinHigh, angr.storage.memory_mixins.underconstrained_mixin.UnderconstrainedMixin, angr.storage.memory_mixins.size_resolution_mixin.SizeConcretizationMixin, angr.storage.memory_mixins.size_resolution_mixin.SizeNormalizationMixin, angr.storage.memory_mixins.clouseau_mixin.InspectMixinHigh, angr.storage.memory_mixins.address_concretization_mixin.AddressConcretizationMixin, angr.storage.memory_mixins.actions_mixin.ActionsMixinLow, angr.storage.memory_mixins.conditional_store_mixin.ConditionalMixin, angr.storage.memory_mixins.convenient_mappings_mixin.ConvenientMappingsMixin, angr.storage.memory_mixins.dirty_addrs_mixin.DirtyAddrsMixin, angr.storage.memory_mixins.paged_memory.stack_allocation_mixin.StackAllocationMixin, angr.storage.memory_mixins.paged_memory.page_backer_mixins.ClemoryBackerMixin, angr.storage.memory_mixins.paged_memory.page_backer_mixins.DictBackerMixin, angr.storage.memory_mixins.paged_memory.privileged_mixin.PrivilegedPagingMixin, angr.storage.memory_mixins.paged_memory.paged_memory_mixin.ListPagesMixin, angr.storage.memory_mixins.default_filler_mixin.DefaultFillerMixin, angr.storage.memory_mixins.symbolic_merger_mixin.SymbolicMergerMixin, angr.storage.memory_mixins.paged_memory.paged_memory_mixin.PagedMemoryMixin

class angr.storage.memory_mixins.FastMemory(uninitialized_read_handler=None, **kwargs): Bases: angr.storage.memory_mixins.name_resolution_mixin.NameResolutionMixin, angr.storage.memory_mixins.simple_interface_mixin.SimpleInterfaceMixin, angr.storage.memory_mixins.simplification_mixin.SimplificationMixin, angr.storage.memory_mixins.clouseau_mixin.InspectMixinHigh, angr.storage.memory_mixins.conditional_store_mixin.ConditionalMixin, angr.storage.memory_mixins.default_filler_mixin.ExplicitFillerMixin, angr.storage.memory_mixins.default_filler_mixin.DefaultFillerMixin, angr.storage.memory_mixins.slotted_memory.SlottedMemoryMixin

class angr.storage.memory_mixins.AbstractMemory(*args, **kwargs): Bases: angr.storage.memory_mixins.unwrapper_mixin.UnwrapperMixin, angr.storage.memory_mixins.name_resolution_mixin.NameResolutionMixin, angr.storage.memory_mixins.bvv_conversion_mixin.DataNormalizationMixin, angr.storage.memory_mixins.simplification_mixin.SimplificationMixin, angr.storage.memory_mixins.clouseau_mixin.InspectMixinHigh, angr.storage.memory_mixins.actions_mixin.ActionsMixinHigh, angr.storage.memory_mixins.underconstrained_mixin.UnderconstrainedMixin, angr.storage.memory_mixins.size_resolution_mixin.SizeConcretizationMixin, angr.storage.memory_mixins.size_resolution_mixin.SizeNormalizationMixin, angr.storage.memory_mixins.actions_mixin.ActionsMixinLow, angr.storage.memory_mixins.conditional_store_mixin.ConditionalMixin, angr.storage.memory_mixins.regioned_memory.regioned_address_concretization_mixin.RegionedAddressConcretizationMixin, angr.storage.memory_mixins.regioned_memory.regioned_memory_mixin.RegionedMemoryMixin

class angr.storage.memory_mixins.RegionedMemory(related_function_addr=None, **kwargs): Bases: angr.storage.memory_mixins.regioned_memory.region_category_mixin.RegionCategoryMixin, angr.storage.memory_mixins.regioned_memory.region_meta_mixin.MemoryRegionMetaMixin, angr.storage.memory_mixins.regioned_memory.static_find_mixin.StaticFindMixin, angr.storage.memory_mixins.unwrapper_mixin.UnwrapperMixin, angr.storage.memory_mixins.name_resolution_mixin.NameResolutionMixin, angr.storage.memory_mixins.bvv_conversion_mixin.DataNormalizationMixin, angr.storage.memory_mixins.simplification_mixin.SimplificationMixin, angr.storage.memory_mixins.size_resolution_mixin.SizeConcretizationMixin, angr.storage.memory_mixins.size_resolution_mixin.SizeNormalizationMixin, angr.storage.memory_mixins.address_concretization_mixin.AddressConcretizationMixin, angr.storage.memory_mixins.convenient_mappings_mixin.ConvenientMappingsMixin, angr.storage.memory_mixins.dirty_addrs_mixin.DirtyAddrsMixin, angr.storage.memory_mixins.paged_memory.page_backer_mixins.ClemoryBackerMixin, angr.storage.memory_mixins.paged_memory.page_backer_mixins.DictBackerMixin, angr.storage.memory_mixins.paged_memory.paged_memory_mixin.UltraPagesMixin, angr.storage.memory_mixins.default_filler_mixin.DefaultFillerMixin, angr.storage.memory_mixins.regioned_memory.abstract_merger_mixin.AbstractMergerMixin, angr.storage.memory_mixins.paged_memory.paged_memory_mixin.PagedMemoryMixin

class angr.storage.memory_mixins.LabeledMemory(*args, top_func=None, **kwargs)

Bases: angr.storage.memory_mixins.size_resolution_mixin.SizeNormalizationMixin, angr.storage.memory_mixins.paged_memory.paged_memory_mixin.ListPagesWithLabelsMixin, angr.storage.memory_mixins.default_filler_mixin.DefaultFillerMixin, angr.storage.memory_mixins.top_merger_mixin.TopMergerMixin, angr.storage.memory_mixins.label_merger_mixin.LabelMergerMixin, angr.storage.memory_mixins.paged_memory.paged_memory_mixin.PagedMemoryMixin

LabeledMemory is used in static analysis. It allows storing values with labels, such as Definition.

class angr.storage.memory_mixins.MultiValuedMemory(*args, skip_missing_values_during_merging=False, **kwargs): Bases: angr.storage.memory_mixins.size_resolution_mixin.SizeNormalizationMixin, angr.storage.memory_mixins.paged_memory.paged_memory_mixin.MVListPagesMixin, angr.storage.memory_mixins.default_filler_mixin.DefaultFillerMixin, angr.storage.memory_mixins.multi_value_merger_mixin.MultiValueMergerMixin, angr.storage.memory_mixins.paged_memory.paged_memory_mixin.PagedMemoryMixin

class angr.storage.memory_mixins.KeyValueMemory(*args, **kwargs): Bases: angr.storage.memory_mixins.keyvalue_memory.keyvalue_memory_mixin.KeyValueMemoryMixin

class angr.storage.memory_mixins.JavaVmMemory(memory_id='mem', stack=None, heap=None, vm_static_table=None, load_strategies=None, store_strategies=None, max_array_size=1000, **kwargs): Bases: angr.storage.memory_mixins.javavm_memory.javavm_memory_mixin.JavaVmMemoryMixin

class angr.storage.memory_mixins.name_resolution_mixin.NameResolutionMixin(memory_id=None, endness='Iend_BE')

Bases: angr.storage.memory_mixins.MemoryMixin

This mixin allows you to provide register names as load addresses, and will automatically translate this to an offset and size.

store(addr, data, size=None, **kwargs)

load(addr, size=None, **kwargs)

class angr.storage.memory_mixins.smart_find_mixin.SmartFindMixin(memory_id=None, endness='Iend_BE')

Bases: angr.storage.memory_mixins.MemoryMixin

find(addr, needle, max_search, default=None, endness=None, chunk_size=None, max_symbolic_bytes=None, condition=None, char_size=1, **kwargs)

class angr.storage.memory_mixins.default_filler_mixin.DefaultFillerMixin(memory_id=None, endness='Iend_BE'): Bases: angr.storage.memory_mixins.MemoryMixin

class angr.storage.memory_mixins.default_filler_mixin.SpecialFillerMixin(special_memory_filler=None, **kwargs)

Bases: angr.storage.memory_mixins.MemoryMixin

copy(memo)

class angr.storage.memory_mixins.default_filler_mixin.ExplicitFillerMixin(uninitialized_read_handler=None, **kwargs)

Bases: angr.storage.memory_mixins.MemoryMixin

copy(memo)

class angr.storage.memory_mixins.bvv_conversion_mixin.DataNormalizationMixin(memory_id=None, endness='Iend_BE')

Bases: angr.storage.memory_mixins.MemoryMixin

Normalizes the data field for a store and the fallback field for a load to be BVs.

store(addr, data, size=None, **kwargs)

load(addr, size=None, fallback=None, **kwargs)

class angr.storage.memory_mixins.hex_dumper_mixin.HexDumperMixin(memory_id=None, endness='Iend_BE')

Bases: angr.storage.memory_mixins.MemoryMixin

hex_dump(start, size, word_size=4, words_per_row=4, endianness='Iend_BE', symbolic_char='?', unprintable_char='.', solve=False, extra_constraints=None, inspect=False, disable_actions=True)

Returns a hex dump as a string. The solver, if enabled, is called once for every byte potentially making this function very slow. It is meant to be used mainly as a “visualization” for debugging.

Warning: May read and display more bytes than size due to rounding. Particularly, if size is less than, or not a multiple of word_size*words_per_line.

Parameters

start – starting address from which to print
size – number of bytes to display
word_size – number of bytes to group together as one space-delimited unit
words_per_row – number of words to display per row of output
endianness – endianness to use when displaying each word (ASCII representation is unchanged)
symbolic_char – the character to display when a byte is symbolic and has multiple solutions
unprintable_char – the character to display when a byte is not printable
solve – whether or not to attempt to solve (warning: can be very slow)
extra_constraints – extra constraints to pass to the solver is solve is True
inspect – whether or not to trigger SimInspect breakpoints for the memory load
disable_actions – whether or not to disable SimActions for the memory load

Returns

hex dump as a string

class angr.storage.memory_mixins.underconstrained_mixin.UnderconstrainedMixin(*args, **kwargs)

Bases: angr.storage.memory_mixins.MemoryMixin

copy(memo=None, **kwargs)

load(addr, **kwargs)

store(addr, data, **kwargs)

class angr.storage.memory_mixins.simple_interface_mixin.SimpleInterfaceMixin(memory_id=None, endness='Iend_BE')

Bases: angr.storage.memory_mixins.MemoryMixin

load(addr, size=None, endness=None, condition=None, fallback=None, **kwargs)

store(addr, data, size=None, endness=None, condition=None, **kwargs)

class angr.storage.memory_mixins.actions_mixin.ActionsMixinHigh(memory_id=None, endness='Iend_BE')

Bases: angr.storage.memory_mixins.MemoryMixin

load(addr, size=None, condition=None, fallback=None, disable_actions=False, action=None, **kwargs)

store(addr, data, size=None, disable_actions=False, action=None, condition=None, **kwargs)

class angr.storage.memory_mixins.actions_mixin.ActionsMixinLow(memory_id=None, endness='Iend_BE')

Bases: angr.storage.memory_mixins.MemoryMixin

load(addr, action=None, **kwargs)

store(addr, data, action: Optional[angr.state_plugins.sim_action.SimActionData] = None, **kwargs)

class angr.storage.memory_mixins.symbolic_merger_mixin.SymbolicMergerMixin(memory_id=None, endness='Iend_BE'): Bases: angr.storage.memory_mixins.MemoryMixin

class angr.storage.memory_mixins.size_resolution_mixin.SizeNormalizationMixin(memory_id=None, endness='Iend_BE')

Bases: angr.storage.memory_mixins.MemoryMixin

Provides basic services related to normalizing sizes. After this mixin, sizes will always be a plain int. Assumes that the data is a BV.

load will throw a TypeError if no size is provided
store will default to len(data)//byte_width if no size is provided

load(addr, size=None, **kwargs)

store(addr, data, size=None, **kwargs)

class angr.storage.memory_mixins.size_resolution_mixin.SizeConcretizationMixin(concretize_symbolic_write_size: bool = False, max_concretize_count: Optional[int] = 256, max_symbolic_size: int = 4194304, raise_memory_limit_error: bool = False, size_limit: int = 257, **kwargs)

Bases: angr.storage.memory_mixins.MemoryMixin

This mixin allows memory to process symbolic sizes. It will not touch any sizes which are not ASTs with non-BVV ops. Assumes that the data is a BV.

symbolic load sizes will be concretized as their maximum and a warning will be logged
symbolic store sizes will be dispatched as several conditional stores with concrete sizes

copy(memo)

load(addr, size=None, **kwargs)

store(addr, data, size=None, condition=None, **kwargs)

class angr.storage.memory_mixins.dirty_addrs_mixin.DirtyAddrsMixin(memory_id=None, endness='Iend_BE')

Bases: angr.storage.memory_mixins.MemoryMixin

store(addr, data, size=None, **kwargs)

class angr.storage.memory_mixins.address_concretization_mixin.MultiwriteAnnotation

Bases: claripy.annotation.Annotation

property eliminatable

property relocateable

class angr.storage.memory_mixins.address_concretization_mixin.AddressConcretizationMixin(read_strategies=None, write_strategies=None, **kwargs)

Bases: angr.storage.memory_mixins.MemoryMixin

The address concretization mixin allows symbolic reads and writes to be handled sanely by dispatching them as a number of conditional concrete reads/writes. It provides a “concretization strategies” interface allowing the process of serializing symbolic addresses into concrete ones to be specified.

set_state(state)

copy(memo=None, **kwargs)

merge(others, merge_conditions, common_ancestor=None) → bool

concretize_write_addr(addr, strategies=None, condition=None)

Concretizes an address meant for writing.

Parameters

addr – An expression for the address.
strategies – A list of concretization strategies (to override the default).
condition – Any extra constraints that should be observed when determining address satisfiability

Returns

A list of concrete addresses.

concretize_read_addr(addr, strategies=None, condition=None)

Concretizes an address meant for reading.

Parameters

addr – An expression for the address.
strategies – A list of concretization strategies (to override the default).

Returns

A list of concrete addresses.

load(addr, size=None, condition=None, **kwargs)

store(addr, data, size=None, condition=None, **kwargs)

permissions(addr, permissions=None, **kwargs)

map_region(addr, length, permissions, **kwargs)

unmap_region(addr, length, **kwargs)

concrete_load(addr, size, *args, **kwargs)

class angr.storage.memory_mixins.clouseau_mixin.InspectMixinHigh(memory_id=None, endness='Iend_BE')

Bases: angr.storage.memory_mixins.MemoryMixin

store(addr, data, size=None, condition=None, endness=None, inspect=True, **kwargs)

load(addr, size=None, condition=None, endness=None, inspect=True, **kwargs)

class angr.storage.memory_mixins.conditional_store_mixin.ConditionalMixin(memory_id=None, endness='Iend_BE')

Bases: angr.storage.memory_mixins.MemoryMixin

load(addr, condition=None, fallback=None, **kwargs)

store(addr, data, size=None, condition=None, **kwargs)

class angr.storage.memory_mixins.label_merger_mixin.LabelMergerMixin(*args, **kwargs)

Bases: angr.storage.memory_mixins.MemoryMixin

A memory mixin for merging labels. Labels come from SimLabeledMemoryObject.

copy(memo=None)

class angr.storage.memory_mixins.simplification_mixin.SimplificationMixin(memory_id=None, endness='Iend_BE')

Bases: angr.storage.memory_mixins.MemoryMixin

store(addr, data, **kwargs)

class angr.storage.memory_mixins.unwrapper_mixin.UnwrapperMixin(memory_id=None, endness='Iend_BE')

Bases: angr.storage.memory_mixins.MemoryMixin

This mixin processes SimActionObjects by passing on their .ast field.

store(addr, data, size=None, condition=None, **kwargs)

load(addr, size=None, condition=None, fallback=None, **kwargs)

find(addr, what, max_search, default=None, **kwargs)

copy_contents(dst, src, size, condition=None, **kwargs)

class angr.storage.memory_mixins.convenient_mappings_mixin.ConvenientMappingsMixin(**kwargs)

Bases: angr.storage.memory_mixins.MemoryMixin

Implements mappings between names and hashes of symbolic variables and these variables themselves.

copy(memo)

store(addr, data, size=None, **kwargs)

get_symbolic_addrs()

addrs_for_name(n): Returns addresses that contain expressions that contain a variable named n.

addrs_for_hash(h): Returns addresses that contain expressions that contain a variable with the hash of h.

replace_all(old: claripy.ast.bv.BV, new: claripy.ast.bv.BV)

Replaces all instances of expression old with expression new.

Parameters

old – A claripy expression. Must contain at least one named variable (to make it possible to use the name index for speedup).
new – The new variable to replace it with.

class angr.storage.memory_mixins.paged_memory.pages.mv_list_page.MVListPage(memory=None, content=None, sinkhole=None, mo_cmp=None, **kwargs)

Bases: angr.storage.memory_mixins.paged_memory.pages.cooperation.MemoryObjectSetMixin, angr.storage.memory_mixins.paged_memory.pages.PageBase

MVListPage allows storing multiple values at the same location, thus allowing weak updates.

Each store() may take a value or multiple values, and a “weak” parameter to specify if this store is a weak update or not. Each load() returns an iterator of all values stored at that location.

copy(memo) → angr.storage.memory_mixins.paged_memory.pages.mv_list_page.MVListPage

load(addr, size=None, endness=None, page_addr=None, memory=None, cooperate=False, **kwargs) → List[Tuple[int, angr.storage.memory_object.SimMemoryObject]]

store(addr, data, size=None, endness=None, memory=None, cooperate=False, weak=False, **kwargs)

erase(addr, size=None, **kwargs) → None

merge(others: List[angr.storage.memory_mixins.paged_memory.pages.mv_list_page.MVListPage], merge_conditions, common_ancestor=None, page_addr: Optional[int] = None, memory=None, changed_offsets: Optional[Set[int]] = None)

changed_bytes(other: angr.storage.memory_mixins.paged_memory.pages.mv_list_page.MVListPage, page_addr: Optional[int] = None)

content_gen(index)

class angr.storage.memory_mixins.paged_memory.pages.multi_values.MultiValues(offset_to_values=None)

Bases: object

values: Dict[int, Set[claripy.ast.base.Base]]

add_value(offset, value) → None

one_value() → Optional[claripy.ast.base.Base]

merge(mv: angr.storage.memory_mixins.paged_memory.pages.multi_values.MultiValues) → angr.storage.memory_mixins.paged_memory.pages.multi_values.MultiValues

class angr.storage.memory_mixins.top_merger_mixin.TopMergerMixin(*args, top_func=None, **kwargs)

Bases: angr.storage.memory_mixins.MemoryMixin

A memory mixin for merging values in memory to TOP.

copy(memo=None)

class angr.storage.memory_mixins.multi_value_merger_mixin.MultiValueMergerMixin(*args, element_limit=5, top_func=None, phi_maker=None, **kwargs)

Bases: angr.storage.memory_mixins.MemoryMixin

copy(memo=None)

class angr.storage.memory_mixins.paged_memory.paged_memory_mixin.PagedMemoryMixin(page_size=4096, default_permissions=3, permissions_map=None, page_kwargs=None, **kwargs)

Bases: angr.storage.memory_mixins.MemoryMixin

A bottom-level storage mechanism. Dispatches reads to individual pages, the type of which is the PAGE_TYPE class variable.

SUPPORTS_CONCRETE_LOAD = True

PAGE_TYPE: Type[PageType] = None

copy(memo=None, **kwargs)

load(addr: int, size: Optional[int] = None, endness=None, **kwargs)

store(addr: int, data, size: Optional[int] = None, endness=None, **kwargs)

erase(addr, size=None, **kwargs) → None

merge(others: Iterable[angr.storage.memory_mixins.paged_memory.paged_memory_mixin.PagedMemoryMixin], merge_conditions, common_ancestor=None) → bool

permissions(addr, permissions=None, **kwargs)

map_region(addr, length, permissions, init_zero=False, **kwargs)

unmap_region(addr, length, **kwargs)

concrete_load(addr, size, writing=False, with_bitmap=False, **kwargs)

changed_bytes(other) → Set[int]

changed_pages(other) → Dict[int, Optional[Set[int]]]

copy_contents(dst, src, size, condition=None, **kwargs)

flush_pages(white_list): Flush all pages not included in the white_list by removing their pages. Note, this will not wipe them from memory if they were backed by a memory_backer, it will simply reset them to their initial state. Returns the list of pages that were cleared consisting of (addr, length) tuples. :param white_list: white list of regions in the form of (start, end) to exclude from the flush :return: a list of memory page ranges that were flushed :rtype: list

class angr.storage.memory_mixins.paged_memory.paged_memory_mixin.LabeledPagesMixin(page_size=4096, default_permissions=3, permissions_map=None, page_kwargs=None, **kwargs)

Bases: angr.storage.memory_mixins.paged_memory.paged_memory_mixin.PagedMemoryMixin

load_with_labels(addr: int, size: Optional[int] = None, endness=None, **kwargs) → Tuple[claripy.ast.base.Base, Tuple[Tuple[int, int, int, Any]]]

class angr.storage.memory_mixins.paged_memory.paged_memory_mixin.ListPagesMixin(page_size=4096, default_permissions=3, permissions_map=None, page_kwargs=None, **kwargs)

Bases: angr.storage.memory_mixins.paged_memory.paged_memory_mixin.PagedMemoryMixin

PAGE_TYPE: alias of angr.storage.memory_mixins.paged_memory.pages.list_page.ListPage

class angr.storage.memory_mixins.paged_memory.paged_memory_mixin.MVListPagesMixin(*args, skip_missing_values_during_merging=False, **kwargs)

Bases: angr.storage.memory_mixins.paged_memory.paged_memory_mixin.PagedMemoryMixin

PAGE_TYPE: alias of angr.storage.memory_mixins.paged_memory.pages.mv_list_page.MVListPage

copy(memo=None, **kwargs)

class angr.storage.memory_mixins.paged_memory.paged_memory_mixin.ListPagesWithLabelsMixin(page_size=4096, default_permissions=3, permissions_map=None, page_kwargs=None, **kwargs): Bases: angr.storage.memory_mixins.paged_memory.paged_memory_mixin.LabeledPagesMixin, angr.storage.memory_mixins.paged_memory.paged_memory_mixin.ListPagesMixin

class angr.storage.memory_mixins.paged_memory.paged_memory_mixin.MVListPagesWithLabelsMixin(*args, skip_missing_values_during_merging=False, **kwargs): Bases: angr.storage.memory_mixins.paged_memory.paged_memory_mixin.LabeledPagesMixin, angr.storage.memory_mixins.paged_memory.paged_memory_mixin.MVListPagesMixin

class angr.storage.memory_mixins.paged_memory.paged_memory_mixin.UltraPagesMixin(page_size=4096, default_permissions=3, permissions_map=None, page_kwargs=None, **kwargs)

Bases: angr.storage.memory_mixins.paged_memory.paged_memory_mixin.PagedMemoryMixin

PAGE_TYPE: alias of angr.storage.memory_mixins.paged_memory.pages.ultra_page.UltraPage

class angr.storage.memory_mixins.paged_memory.page_backer_mixins.NotMemoryview(obj, offset, size): Bases: object

class angr.storage.memory_mixins.paged_memory.page_backer_mixins.ClemoryBackerMixin(cle_memory_backer: Union[None, cle.loader.Loader, cle.memory.Clemory] = None, **kwargs)

Bases: angr.storage.memory_mixins.paged_memory.paged_memory_mixin.PagedMemoryMixin

copy(memo)

class angr.storage.memory_mixins.paged_memory.page_backer_mixins.DictBackerMixin(dict_memory_backer=None, **kwargs)

Bases: angr.storage.memory_mixins.paged_memory.paged_memory_mixin.PagedMemoryMixin

copy(memo)

class angr.storage.memory_mixins.paged_memory.stack_allocation_mixin.StackAllocationMixin(stack_end=None, stack_size=None, stack_perms=None, **kwargs)

Bases: angr.storage.memory_mixins.paged_memory.paged_memory_mixin.PagedMemoryMixin

This mixin adds automatic allocation for a stack region based on the stack_end and stack_size parameters.

copy(memo)

allocate_stack_pages(addr: int, size: int, **kwargs)

Pre-allocates pages for the stack without triggering any logic related to reading from them.

Parameters

addr – The highest address that should be mapped
size – The number of bytes to be allocated. byte 1 is the one at addr, byte 2 is the one before that, and so on.

Returns

A list of the new page objects

class angr.storage.memory_mixins.paged_memory.privileged_mixin.PrivilegedPagingMixin(page_size=4096, default_permissions=3, permissions_map=None, page_kwargs=None, **kwargs)

Bases: angr.storage.memory_mixins.paged_memory.paged_memory_mixin.PagedMemoryMixin

A mixin for paged memory models which will raise SimSegfaultExceptions if STRICT_PAGE_ACCESS is enabled and a segfault condition is detected.

Segfault conditions include: - getting a page for reading which is non-readable - getting a page for writing which is non-writable - creating a page

The latter condition means that this should be inserted under any mixins which provide other implementations of _initialize_page.

class angr.storage.memory_mixins.paged_memory.pages.PageBase(*args, **kwargs)

Bases: angr.storage.memory_mixins.paged_memory.pages.history_tracking_mixin.HistoryTrackingMixin, angr.storage.memory_mixins.paged_memory.pages.refcount_mixin.RefcountMixin, angr.storage.memory_mixins.paged_memory.pages.cooperation.CooperationBase, angr.storage.memory_mixins.paged_memory.pages.ispo_mixin.ISPOMixin, angr.storage.memory_mixins.paged_memory.pages.permissions_mixin.PermissionsMixin, angr.storage.memory_mixins.MemoryMixin

This is a fairly succinct definition of the contract between PagedMemoryMixin and its constituent pages:

Pages must implement the MemoryMixin model for loads, stores, copying, merging, etc
However, loading/storing may not necessarily use the same data domain as PagedMemoryMixin. In order to do more efficient loads/stores across pages, we use the CooperationBase interface which allows the page class to determine how to generate and unwrap the objects which are actually stored.
To support COW, we use the RefcountMixin and the ISPOMixin (which adds the contract element that memory=self be passed to every method call)
Pages have permissions associated with them, stored in the PermissionsMixin.

Read the docstrings for each of the constituent classes to understand the nuances of their functionalities

class angr.storage.memory_mixins.paged_memory.pages.refcount_mixin.RefcountMixin(**kwargs)

Bases: angr.storage.memory_mixins.MemoryMixin

This mixin adds a locked reference counter and methods to manipulate it, to facilitate copy-on-write optimizations.

copy(memo)

acquire_unique(): Call this function to return a version of this page which can be used for writing, which may or may not be the same object as before. If you use this you must immediately replace the shared reference you previously had with the new unique copy.

acquire_shared() → None: Call this function to indicate that this page has had a reference added to it and must be copied before it can be acquired uniquely again. Creating the object implicitly starts it with one shared reference.

release_shared() → None: Call this function to indicate that this page has had a shared reference to it released

class angr.storage.memory_mixins.paged_memory.pages.permissions_mixin.PermissionsMixin(permissions=None, **kwargs)

Bases: angr.storage.memory_mixins.MemoryMixin

This mixin adds a permissions field and properties for extracting the read/write/exec permissions. It does NOT add permissions checking.

copy(memo)

property perm_read

property perm_write

property perm_exec

class angr.storage.memory_mixins.paged_memory.pages.history_tracking_mixin.HistoryTrackingMixin(*args, **kwargs)

Bases: angr.storage.memory_mixins.paged_memory.pages.refcount_mixin.RefcountMixin, angr.storage.memory_mixins.MemoryMixin

Tracks the history of memory writes.

store(addr, data, size=None, **kwargs)

copy(memo)

acquire_unique()

parents()

changed_bytes(other, **kwargs) → Optional[Set[int]]

all_bytes_changed_in_history() → Set[int]

class angr.storage.memory_mixins.paged_memory.pages.ispo_mixin.ISPOMixin(memory_id=None, endness='Iend_BE')

Bases: angr.storage.memory_mixins.MemoryMixin

An implementation of the International Stateless Persons Organisation, a mixin which should be applied as a bottom layer for memories which have no state and must redirect certain operations to a parent memory. Main usecase is for memory region classes which are stored within other memories, such as pages.

set_state(state)

class angr.storage.memory_mixins.paged_memory.pages.cooperation.CooperationBase

Bases: object

Any given subclass of this class which is not a subclass of MemoryMixin should have the property that any subclass it which is a subclass of MemoryMixin should all work with the same datatypes

class angr.storage.memory_mixins.paged_memory.pages.cooperation.MemoryObjectMixin

Bases: angr.storage.memory_mixins.paged_memory.pages.cooperation.CooperationBase

Uses SimMemoryObjects in region storage. With this, load will return a list of tuple (address, MO) and store will take a MO.

class angr.storage.memory_mixins.paged_memory.pages.cooperation.MemoryObjectSetMixin

Bases: angr.storage.memory_mixins.paged_memory.pages.cooperation.CooperationBase

Uses sets of SimMemoryObjects in region storage.

class angr.storage.memory_mixins.paged_memory.pages.cooperation.BasicClaripyCooperation

Bases: angr.storage.memory_mixins.paged_memory.pages.cooperation.CooperationBase

Mix this (along with PageBase) into a storage class which supports loading and storing claripy bitvectors and it will be able to work as a page in the paged memory model.

class angr.storage.memory_mixins.paged_memory.pages.list_page.ListPage(memory=None, content=None, sinkhole=None, mo_cmp=None, **kwargs)

Bases: angr.storage.memory_mixins.paged_memory.pages.cooperation.MemoryObjectMixin, angr.storage.memory_mixins.paged_memory.pages.PageBase

This class implements a page memory mixin with lists as the main content store.

copy(memo)

load(addr, size=None, endness=None, page_addr=None, memory=None, cooperate=False, **kwargs)

store(addr, data, size=None, endness=None, memory=None, cooperate=False, **kwargs)

erase(addr, size=None, **kwargs) → None

merge(others: List[angr.storage.memory_mixins.paged_memory.pages.list_page.ListPage], merge_conditions, common_ancestor=None, page_addr: Optional[int] = None, memory=None, changed_offsets: Optional[Set[int]] = None)

changed_bytes(other: angr.storage.memory_mixins.paged_memory.pages.list_page.ListPage, page_addr: Optional[int] = None)

class angr.storage.memory_mixins.paged_memory.pages.ultra_page.UltraPage(memory=None, init_zero=False, **kwargs)

Bases: angr.storage.memory_mixins.paged_memory.pages.cooperation.MemoryObjectMixin, angr.storage.memory_mixins.paged_memory.pages.PageBase

Default page implementation

SUPPORTS_CONCRETE_LOAD = True

classmethod new_from_shared(data, memory=None, **kwargs)

copy(memo)

load(addr, size=None, page_addr=None, endness=None, memory=None, cooperate=False, **kwargs)

store(addr, data: Union[int, angr.storage.memory_object.SimMemoryObject], size: Optional[int] = None, endness=None, memory=None, page_addr=None, cooperate=False, **kwargs)

merge(others: List[angr.storage.memory_mixins.paged_memory.pages.ultra_page.UltraPage], merge_conditions, common_ancestor=None, page_addr: Optional[int] = None, memory=None, changed_offsets: Optional[Set[int]] = None)

concrete_load(addr, size, **kwargs)

changed_bytes(other, page_addr=None) → Set[int]

replace_all_with_offsets(offsets: Iterable[int], old: claripy.ast.bv.BV, new: claripy.ast.bv.BV, memory=None)

class angr.storage.memory_mixins.regioned_memory.regioned_memory_mixin.RegionedMemoryMixin(write_targets_limit: int = 2048, read_targets_limit: int = 4096, stack_region_map: Optional[angr.storage.memory_mixins.regioned_memory.region_data.RegionMap] = None, generic_region_map: Optional

angr — Analysis and Coordination

Project

Plugin Ecosystem

Program State

Storage

Memory Mixins

`angr` — Analysis and Coordination