How to use the archr.arsenal.angrProjectBow function in archr
To help you get started, we’ve selected a few archr examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
angr / archr / tests / test_bow_angr.py View on Github 
def test_angr_catflag(self):
with archr.targets.DockerImageTarget('archr-test:cat-flag').build().start() as t:
dsb = archr.arsenal.DataScoutBow(t)
apb = archr.arsenal.angrProjectBow(t, dsb)
asb = archr.arsenal.angrStateBow(t, apb)
project = apb.fire()
state = asb.fire()
simgr = project.factory.simulation_manager(state)
simgr.run()
assert len(simgr.errored) == 0
assert len(simgr.deadended) == 1
assert simgr.one_deadended.posix.dumps(1) == b"archr-flag\n"def test_angr_tracing(self):
target = archr.targets.LocalTarget(os.path.join(test_location, '../../binaries/tests/x86_64/true'))
dsb = archr.arsenal.DataScoutBow(target)
apb = archr.arsenal.angrProjectBow(target, dsb)
asb = archr.arsenal.angrStateBow(target, apb)
qtb = archr.arsenal.QEMUTracerBow(target)
trace = qtb.fire()
p = apb.fire()
s = asb.fire()
tech = trace.tracer_technique()
simgr = p.factory.simulation_manager(s)
simgr.use_technique(tech)
simgr.run()
assert len(simgr.traced) == 1def test_stack(self):
import angr
t = archr.targets.DockerImageTarget('archr-test:stackprinter64').build().start()
reference_str = t.run_command(aslr=False).stdout.read()
dsb = archr.arsenal.DataScoutBow(t)
apb = archr.arsenal.angrProjectBow(t, dsb)
asb = archr.arsenal.angrStateBow(t, apb)
project = apb.fire(use_sim_procedures=False)
state = asb.fire(add_options={angr.sim_options.STRICT_PAGE_ACCESS}) # for now
simgr = project.factory.simulation_manager(state)
simgr.run()
assert len(simgr.errored) == 0
assert len(simgr.deadended) == 1
assert len(sum(simgr.stashes.values(), [])) == 1
#assert simgr.deadended[0].posix.dumps(1) == reference_str
t.stop()def angr_checks(self, t):
dsb = archr.arsenal.DataScoutBow(t)
apb = archr.arsenal.angrProjectBow(t, dsb)
asb = archr.arsenal.angrStateBow(t, apb)
project = apb.fire()
assert all(obj.binary.startswith("/tmp") for obj in project.loader.all_elf_objects[1:])
state = asb.fire()
initial_stack = state.solver.eval(state.memory.load(state.regs.rsp, 200), cast_to=bytes)
assert b"ARCHR=YES" in initial_stack
assert state.solver.eval_one(state.posix.brk == apb._mem_mapping['[heap]'])
assert state.solver.eval_one((state.regs.sp + 0xfff) & ~claripy.BVV(0xfff, project.arch.bits) == apb._mem_mapping['[stack-end]'])
# now screw with the memory map
apb._mem_mapping['[stack-end]'] = 0x1337000
state = asb.fire()
assert state.solver.eval_one((state.regs.sp + 0xfff) & ~claripy.BVV(0xfff, project.arch.bits) == apb._mem_mapping['[stack-end]'])
project.loader.close()self.target = target # type: archr.targets.Target
self.constrained_addrs = [ ] if constrained_addrs is None else constrained_addrs
self.hooks = {} if hooks is None else hooks
self.explore_steps = explore_steps
self.use_crash_input = use_crash_input
self.input_type = input_type
self.target_port = port
self.crash = crash
self.tracer_bow = tracer_bow if tracer_bow is not None else archr.arsenal.QEMUTracerBow(self.target)
if self.explore_steps > 10:
raise CannotExploit("Too many steps taken during crash exploration")
# Initialize an angr Project
dsb = archr.arsenal.DataScoutBow(self.target)
self.angr_project_bow = archr.arsenal.angrProjectBow(self.target, dsb)
self.project = self.angr_project_bow.fire()
self.binary = self.target.resolve_local_path(self.target.target_path)
# Add custom hooks
for addr, proc in self.hooks.items():
self.project.hook(addr, proc)
l.debug("Hooking %#x -> %s...", addr, proc.display_name)
# ROP-related stuff
if use_rop:
if angrop_object is not None:
self.rop = angrop_object
else:
if not rop_cache_path:
# we search for ROP gadgets now to avoid the memory exhaustion bug in pypy
# hash binary contents for rop cache namedef _initialize(self, rop_obj, rop_cache_path, checkpoint_path, crash_state, prev_state):
"""
Initialization steps.
- Create a new angr project.
- Load or collect ROP gadgets.
- Restore states from a previous checkpoint if available.
:return: None
"""
# Initialize an angr Project
dsb = archr.arsenal.DataScoutBow(self.target)
self.angr_project_bow = archr.arsenal.angrProjectBow(self.target, dsb)
self.project = self.angr_project_bow.fire()
self.binary = self.target.resolve_local_path(self.target.target_path)
# Add custom hooks
for addr, proc in self.hooks.items():
self.project.hook(addr, proc)
l.debug("Hooking %#x -> %s...", addr, proc.display_name)
# ROP-related stuff
if self._use_rop:
if rop_obj is not None:
self.rop = rop_obj
else:
if not rop_cache_path:
# we search for ROP gadgets now to avoid the memory exhaustion bug in pypy
# hash binary contents for rop cache namedef run(self, inst):
self._progress_callback(5)
with self.target.build().start() as t:
self._progress_callback(10)
dsb = archr.arsenal.DataScoutBow(t)
apb = archr.arsenal.angrProjectBow(t, dsb)
partial_ld = apb.fire(return_loader=True, perform_relocations=False, load_debug_info=False)
self._progress_callback(50)
# is it smart to do this from the worker thread? who knows
load_options, cfg_args = gui_thread_schedule(LoadBinary.run, (partial_ld,))
partial_ld.close()
if cfg_args is None:
return
# Create the project, load it, then record the image name on success
proj = apb.fire(use_sim_procedures=True, load_options=load_options)
self._progress_callback(95)
inst.set_project(proj, cfg_args=cfg_args)
Popular archr functions
- archr._angr_available
- archr.arsenal
- archr.arsenal.angrProjectBow
- archr.arsenal.angrStateBow
- archr.arsenal.Bow
- archr.arsenal.ContextBow
- archr.arsenal.DataScoutBow
- archr.arsenal.GDBServerBow
- archr.arsenal.LTraceAttachBow
- archr.arsenal.LTraceBow
- archr.arsenal.MemoryMapBow
- archr.arsenal.NetCatBow
- archr.arsenal.QEMUTracerBow
- archr.arsenal.RRTracerBow
- archr.arsenal.STraceAttachBow
- archr.errors.ArchrError
- archr.targets
- archr.targets.DockerImageTarget
- archr.targets.LocalTarget
- archr.utils.lib_dependencies