angr.analyses.flirt¶

class angr.analyses.flirt.FlirtAnalysis

Bases: Analysis

FlirtAnalysis accomplishes two purposes:

If a FLIRT signature file is specified, it will match the given signature file against the current binary and rename recognized functions accordingly.
If no FLIRT signature file is specified, it will use strings to determine possible libraries embedded in the current binary, and then match all possible signatures for the architecture.

__init__(sig=None, max_mismatched_bytes=0, dry_run=False, match_named_functions=False)

Parameters:

sig (FlirtSignature | str | None)
max_mismatched_bytes (int)
dry_run (bool)
match_named_functions (bool)

class angr.analyses.flirt.FlirtSignature

Bases: object

This class describes a FLIRT signature without any internal data that is only available after parsing.

__init__(arch, platform, sig_name, sig_path, unique_strings=None, compiler=None, compiler_version=None, os_name=None, os_version=None)

Parameters:

arch (str)
platform (str)
sig_name (str)
sig_path (str)
unique_strings (set[str] | None)
compiler (str | None)
compiler_version (str | None)
os_name (str | None)
os_version (str | None)

exception angr.analyses.flirt.FlirtSignatureError

Bases: AngrError

Describes errors related to FLIRT signatures, especially parsing.

class angr.analyses.flirt.FlirtSignatureParsed

Bases: object

Describes a FLIRT signature file after parsing.

__init__(version, arch, file_types, os_types, app_types, features, crc, ctype, ctypes_crc, nfuncs, pattern_size, libname, root)

Parameters:

version (int)
arch (int)
file_types (int)
os_types (int)
app_types (int)
features (int)
crc (int)
ctype (int)
ctypes_crc (int)
nfuncs (int | None)
pattern_size (int | None)
libname (str)
root (FlirtNode | None)

version

arch

file_types

os_types

app_types

features

crc

ctype

ctypes_crc

nfuncs

pattern_size

libname

root

parse_tree(file_obj, root=False)

Parse a FLIRT function tree.

Return type:: FlirtNode
Parameters:: root (bool)

parse_public_function(file_obj, offset)

Return type:: tuple[FlirtFunction, int, int]
Parameters:: offset (int)

parse_referenced_functions(file_obj)

Return type:: list[FlirtFunction]

parse_tail_bytes(file_obj)

Return type:: list[tuple[int, int]]

parse_modules(file_obj)

Return type:: list[FlirtModule]

parse_module(file_obj)

Return type:: tuple[FlirtModule, int]

static parse_variant_mask(file_obj, length)

Return type:: int
Parameters:: length (int)

static is_bit_set_be(mask, mask_len, bit_offset)

Return type:

bool

Parameters:

mask (int)
mask_len (int)
bit_offset (int)

static parse_node(file_obj, length, variant_mask)

Return type:

list[int]

Parameters:

length (int)
variant_mask (int)

classmethod parse_header(file_obj)

Parse only the FLIRT signature header (no function tree).

The returned object has root set to None. Use parse() if you also need the function tree, or call parse_tree_from() later on a separately opened file to populate root on demand.

The following struct definitions come from radare2

// FLIRT v5+ ut8 magic[6]; ut8 version; ut8 arch; ut32 file_types; ut16 os_types; ut16 app_types; ut16 features; ut16 old_n_functions; ut16 crc16; ut8 ctype[12]; ut8 library_name_len; ut16 ctypes_crc16;

// FLIRT v6+ ut32 nfuncs;

// FLIRT v8+ ut16 pattern_size;

// FLIRT v10 ut16 unknown;

Return type:: FlirtSignatureParsed

classmethod parse(file_obj)

Parse a FLIRT signature file, including the function tree.

Return type:: FlirtSignatureParsed

angr.analyses.flirt.flirt_arch_to_arch_name(flirt_arch, app_types)¶

Convert FLIRT architecture ID to architecture name.

Parameters:

flirt_arch (int) – FLIRT architecture ID.
app_types (int) – FLIRT application types.

Return type:

str

Returns:

Architecture name.

angr.analyses.flirt.flirt_os_type_to_os_name(os_type)¶

Convert FLIRT OS type to OS name.

Parameters:: os_type (int) – FLIRT OS type.
Return type:: str
Returns:: OS name.

Submodules

`consts`
`flirt`
`flirt_function`
`flirt_matcher`
`flirt_module`
`flirt_node`
`flirt_sig`
`flirt_utils`