angr.analyses.deobfuscator

class angr.analyses.deobfuscator.APIObfType1PeepholeOptimizer

Bases: PeepholeOptimizationExprBase

Integrate type-1 deobfuscated APIs into the decompilation output.

NAME = 'Simplify Type 1 API obfuscation references'
expr_classes = (<class 'angr.ailment.expression.Load'>,)
optimize(expr, **kwargs)
Parameters:

expr (Load)

class angr.analyses.deobfuscator.APIObfType3PeepholeOptimizer

Bases: PeepholeOptimizationExprBase

Integrate type-3 deobfuscated APIs (calls with const arguments which return APIs) into the decompilation output.

NAME = 'Simplify Type 3 API obfuscation references'
expr_classes = (<class 'angr.ailment.expression.Call'>,)
optimize(expr, **kwargs)
Parameters:

expr (Call)

class angr.analyses.deobfuscator.APIObfuscationFinder

Bases: Analysis

An analysis that automatically finds API “obfuscation” routines.

Currently, we support the following API “obfuscation” styles:

  • Type 1: sub_A("dll_name", "api_name") where sub_A ends up calling LoadLibrary.

  • Type 2: GetProcAddress(_, "api_name").

__init__(variable_kb=None)
Parameters:

variable_kb (KnowledgeBase | None)

analyze()
static is_libname(name)
Return type:

bool

Parameters:

name (str)

static is_apiname(name)
Return type:

bool

Parameters:

name (str)

class angr.analyses.deobfuscator.DataTransformationEmbedder

Bases: Analysis

An analysis that finds potentially inlined static data transformation logic and embeds the transformed data in decompilation whenever possible.

Some current limitations:

  • We assume the data transformation logic is inlined completely within a single function.

__init__(func, clinic, cfunc, outlining_max_args=1, preset='malware')
Parameters:

class angr.analyses.deobfuscator.HashLookupAPIDeobfuscator

Bases: Analysis

An analysis that finds functions which access loader metadata and take concrete arguments, then executes them to see whether they resolve symbols.

__init__(lifter, func_addrs=None)
Parameters:

class angr.analyses.deobfuscator.StringObfType1PeepholeOptimizer

Bases: PeepholeOptimizationExprBase

Integrate type-1 deobfuscated strings into decompilation output.

NAME = 'Simplify Type 1/2 string deobfuscation references'
expr_classes = (<class 'angr.ailment.expression.Call'>,)
optimize(expr, **kwargs)
Parameters:

expr (Call)

class angr.analyses.deobfuscator.StringObfType3Rewriter

Bases: OptimizationPass

This type-3 optimization pass replaces deobfuscate_string calls with the deobfuscated strings, and then removes the arguments those calls pushed on the stack.

ARCHES = ['X86', 'AMD64']
PLATFORMS = ['windows']
STAGE: OptimizationPassStage = 5
NAME = 'Simplify Type 3 string deobfuscation calls'
DESCRIPTION = 'Simplify Type 3 string deobfuscation calls'
stmt_classes = ()
__init__(*args, **kwargs)
static is_call_or_call_assignment(stmt)
Return type:

bool

class angr.analyses.deobfuscator.StringObfuscationFinder

Bases: Analysis

An analysis that automatically finds string obfuscation routines.

__init__(functions=None)
Parameters:

functions (list[Function] | None)

analyze()