angr.analyses.deobfuscator.api_obf_finder

class angr.analyses.deobfuscator.api_obf_finder.APIObfuscationType

Bases: IntEnum

TYPE_1 = 0
__new__(value)

class angr.analyses.deobfuscator.api_obf_finder.APIDeobFuncDescriptor

Bases: object

__init__(type_, *, func_addr, libname_argidx, funcname_argidx)
Parameters:

class angr.analyses.deobfuscator.api_obf_finder.Type1AssignmentFinder

Bases: CStructuredCodeWalker

__init__(func_addr, desc)
Parameters:

assignments: dict[int, tuple[str, str]]

handle_CAssignment(obj)
Parameters:

obj (CAssignment)

class angr.analyses.deobfuscator.api_obf_finder.APIObfuscationFinder

Bases: Analysis

An analysis that automatically finds API “obfuscation” routines.

Currently, we support the following API “obfuscation” styles:

  • Type 1: sub_A("dll_name", "api_name") where sub_A ends up calling LoadLibrary.

  • Type 2: GetProcAddress(_, "api_name").
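
The two call styles listed above, recognized over decompiler-style text, as an added example that is not angr's own code. The sample lines, the `REACHES_LOADLIBRARY` set and the two name heuristics are constructed assumptions, and the sketch matches text rather than walking angr's structured-code objects.

```python
import re

# Constructed decompiler-style output; sub_401000 stands in for the page's sub_A.
SAMPLE = '''\
g_404000 = sub_401000("kernel32.dll", "VirtualAlloc");
g_404008 = sub_401000("ws2_32.dll", "connect");
v3 = GetProcAddress(v1, "CreateFileW");
v4 = sub_401000("config.ini", "retries");
v5 = sub_402000("hello", 3);
'''

# Assumption: a prior call-graph pass found which functions end up calling LoadLibrary.
REACHES_LOADLIBRARY = {"sub_401000"}

CALL = re.compile(r'(\w+)\s*=\s*(\w+)\((.*)\);')
ARG = re.compile(r'"[^"]*"|[^,\s]+')

def string_literal(arg):
    """Return the contents of a quoted string argument, or None for anything else."""
    return arg[1:-1] if len(arg) >= 2 and arg[0] == arg[-1] == '"' else None

def looks_like_libname(name):
    # Hypothetical heuristic (not angr's is_libname): a Windows module file name.
    return re.fullmatch(r'[\w.\-]+\.(dll|drv|ocx)', name, re.I) is not None

def looks_like_apiname(name):
    # Hypothetical heuristic (not angr's is_apiname): a C identifier.
    return re.fullmatch(r'[A-Za-z_]\w*', name) is not None

def find_resolved_apis(text):
    """Map each assigned variable to (style, library, api) for matching call sites."""
    found = {}
    for dest, callee, argstr in CALL.findall(text):
        args = ARG.findall(argstr)
        if len(args) != 2:
            continue
        lib, api = string_literal(args[0]), string_literal(args[1])
        if api is None or not looks_like_apiname(api):
            continue
        if callee in REACHES_LOADLIBRARY and lib is not None and looks_like_libname(lib):
            found[dest] = ("type1", lib, api)   # sub_A("dll_name", "api_name")
        elif callee == "GetProcAddress":
            found[dest] = ("type2", None, api)  # GetProcAddress(_, "api_name")
    return found

if __name__ == "__main__":
    for var, hit in find_resolved_apis(SAMPLE).items():
        print(var, hit)
```

The `config.ini` and `sub_402000` lines are in the sample to show that a two-string call alone is not enough: the callee must reach LoadLibrary and the first string must look like a module name.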

__init__(variable_kb=None)
Parameters:

variable_kb (KnowledgeBase | None)

analyze()

static is_libname(name)
Return type:

bool

Parameters:

name (str)

static is_apiname(name)
Return type:

bool

Parameters:

name (str)