state.heapplugin which manages the heap (with pluggable heap schemes!) and provides malloc functionality. Thanks @tgduckworth.
__version__variable has been added to all modules.
call_stateis not broken for the first time ever
_security_cookieis initialized for SimWindows. Thanks @zeroSteiner.
SimData. It's a cleaner interface to deal with data imports in CLE -- especially for those data entries that are not imported because of missing or unloaded libraries. This commit fixes long-standing issues #151 and #693.
UnresolvableTargetis now split into two classes:
UnresolvableCallTarget. Thanks @Kyle-Kyle.
p = angr.Project("cfg_loop_unrolling", auto_load_libs=False); p.analyses.CFG(); print(p.analyses.Decompiler(p.kb.functions['test_func']).codegen.text).
SimActions now have incrementing IDs. Thanks @bannsec.
ANA, angr's old identity-aware serialization backend, has been removed. Instead of non-obvious serialization behavior, all angr objects should now be pickleable. If one is not, please file an issue. For use-cases that require identity-awareness (i.e., deduplicating ASTs across states serialized at different times), an
angr.vaultsmodule has been introduced.
SYMBOL_FILL_UNCONSTRAINED_MEMORYstate options to silence them.
describe_addrwill work on them. Additionally, the representation for SimProcedure (appearing in
project._sim_proceduresamong other places) has been improved to show this information.
save_unconstrainedflag of Simulation Manager is now on by default
'unsat'stash regardless of the
save_unsatsetting, since this usually indicates a bug. Add
auto_dropparameter to restore the old behavior.
object.symbols_by_addr(dict) and add
object.symbols(sorted list); add
CFGAccuratecan now leverage indirect jump resolvers to resolve indirect jumps.
PluginHubis added. Plugins (analyses, engines) are refactored to be based on
state.optionsis no longer a set of strings.
PRODUCE_ZERODIV_SUCCESSORSto generate divide-by-zero successors.
ManualMergepointexploration technique for when veritesting is too mysterious for your tastes
LoopSeerexploration technique for managing loops during symbolic exploration (credit @tyb0807)
ProxyTechniqueexploration technique for easily composing simple lambda-based instrumentations (credit @danse-macabre)
state.solver.BVSnow can take a
keyparameter, which describes its meaning in relation to the emulated environment. You can then use
state.solver.describe_variables(...)to map tags and ASTs to and from each other. Check out the API docs!
project._simos. Additionally, the SimOS code structure has been shuffled around a bit - it's now a subpackage instead of a submodule.
byte_widthparameter and angr supports emulation of platforms with non-octet bytes, lord help us
state.solverinterface has been cleaned up drastically
state.regs.eflagson x86 and
state.regs.flagson ARM (partial credit @tyb0807)
ForwardAnalysisclass. Additionally, a few exemplary data-flow analyses, like
VariableRecoveryFast, have been implemented in angr.
CFGUtils, which resulted in suboptimal graph node ordering after sorting.
LAZY_SOLVESis no longer enabled by default during symbolic execution. It's still there if it's wanted, but it just caused confusion when on by default.
processfunction that, from an input state, produces a SimSuccessors instance containing lists of different successor states (normal, unsat, unconstrained, etc) and any engine-specific artifacts (such as the VEX statements. Take a look at
state.mem[x:] = ynow requires a type for storage (for example
state.mem[x:].dword = y).
execute()on it and pass in a program state as well as the arguments.
state.regs.eax) always triggers SimInspect breakpoints and creates new actions. Now you can access a register by prefixing its name with an underscore (e.g.
state._ip) to avoid triggering breakpoints or creating actions.
max_sizeand changed it to to
angr.Blockconstructor (i.e., the argument to
project.factory.blockand more upstream methods (
project.factory.sim_runand changed it to to
project.factory.successors, and it now generates a
project.factory.sim_blockhas been deprecated and replaced with
project._simos.syscall_table. This will be made "public" after a usability refactor. If you were using
project.is_hooked(addr)to see if an address has a related SimProcedure, now you probably want to check if there is a related syscall as well (using
project._simos.syscall_table.get_by_addr(addr) is not None).
unsat_core()to get the core of unsatness of constraints. It is in fact a thin wrapper of the
unsat_core()function provided by Z3. Also a new state option
CONSTRAINT_TRACKING_IN_SOLVERis added to SimuVEX. That state option must be enabled if you want to use
unsat_core()on any state.
SimMemory.store()now takes a new parameter
disable_actions. Setting it to True will prevent any SimAction creation.
addr_traceis made much faster.
BackwardSlicingis temporarily disabled. It will be re-enabled once all DDG-related refactor are merged to master.
unicornis now a dependency for
ForwardAnalysismay prematurely terminate while there are still un-processed jobs.
VFGmay not terminate under certain cases.
SimSymbolicMemory, which is to say, conversion between symbolic states and static states is now possible.
branch_delay_slotfor each architecture.
simplified_data_graphon a DDG object!
simuvex.o.STRICT_PAGE_ACCESSwill cause a
SimSegfaultErrorto be raised whenever the guest reads/writes/executes memory that is either unmapped or doesn't have the appropriate permissions.
support_selfmodifying_codeproject option is changed:
base_graphkeyword to its constructor, e.g.
CFGFast().graph, or even
.graphof a function, to use as a base for analysis.
avoidparameters to the Explorer otiegnqwvk are resolved correctly. (credit clslgrnc)
StaticHookerwhich hooks library functions in unstripped statically linked binaries.
Liftercan be used without creating an angr Project.
CFGAccuratein order to have better and faster CFG recovery. The two biggest changes in
CFGFastare jump table resolution and data references collection, respectively. Now
CFGFastresolves indirect jumps by default. You may get a list of indirect jumps recovered in
CFGFastby accessing the
indirect_jumpsattribute. For many cases, it resolves the jump table accurately. Data references collection is still in alpha mode. To test data references collection, just pass
collect_data_references=Truewhen creating a fast CFG, and access the
memory_dataattribute after the CFG is constructed.
__div__was not always doing unsigned division, and added new methods
SModfor signed division and signed remainder, respectively.
claripy.frontends), and additional functionality (such as caching, deciding when to simplify, etc) is handled by frontend mixins (in
claripy.frontend_mixins). This makes it considerably easier to customize solvers to your specific needE. For examples, look at
simuvex.procedures.syscalls.handler. Instead, syscalls are now handled by
angr.SimOS.handle_syscall(). Previously, the address of a syscall SimProcedure is the address right after the syscall instruction (e.g.
int 80h), which collides with the real basic block starting at that address, and is very confusing. Now each syscall SimProcedure has its own address, just as a normal SimProcedure. To support this, there is another region mapped for the syscall addresses,
call_state. Comes with a refactor to
SimCC, a refactor to
callable, and the removal of
PathGroup.call. All these changes are thoroughly documented, in
SimTypeto make it easier to use types - they can be instanciated without a SimState and one can be added later. Comes with some usability improvements to SimMemView. Also, there's a better wrapper around PyCParser for generating SimType instances from c declarations and definitions. Again, thoroughly documented, still in the structured data doc.
CFGis now an alias to
CFGAccurate. In general,
CFGFastshould work under most cases, and it's way faster than
CFGAccurate. We believe such a change is necessary, and will make angr more approachable to new users. You will have to change your code from
CFGAccurateif you are relying on specific functionalities that only exist in
CFGAccurate, for example, context-sensitivity and state-preserving. An exception will be raised by angr if any parameter passed to
CFGis only supported by
CFGAccurate. For more detailed explanation, please take a look at the documentation of
IRConstmodules no longer exist as submodules, and those module names are deprecated. Use
pyvex.constif you need to access the members of those modules.
pyvex.IRSB(the required ones) have been changed. If you were passing the positional args to IRSB as keyword args, consider switching to positional args. The order is
full_init_stateconstructors has been removed and replaced with an
sargcpredates being able to have claripy ASTs independent from a solver. The new system is to pass in the exact value, ast or integer, that you'd like to have as the guest program's arg count.
stream.seek()can be passed in wherever a filepath is expected.
project.kb. Over time, this knowledge base will be expanded in the course of any analysis or symbolic execution, so angr is constantly learning more information about the program it is analyzing.
claripy.backends.vsa, and so on.
project.hook, even if those addresses are not the beginning of a basic block.
keep_input_statehas been renamed to
keep_state. With this option enabled, both input and final states are kept.
BackwardSlicinghave been deprecated. Instead,
BackwardSlicingtakes a single argument,
targets. This means that we now support slicing from multiple sources.