angr.analyses.variable_recovery
- class angr.analyses.variable_recovery.VariableRecovery
Bases: ForwardAnalysis, VariableRecoveryBase
Recover "variables" from a function using forced execution.
While variables play a very important role in programming, they do not really exist after compilation. However, we can still identify and recover their counterparts in binaries. It is worth noting that not every variable in source code can be identified in a binary, and not every variable recognized in a binary has a corresponding variable in the original source code. In short, there is no guarantee that the variables identified in a binary are the same variables as in its source code.
This analysis uses heuristics to identify and recover the following types of variables:
- Register variables.
- Stack variables.
- Heap variables. (not implemented yet)
- Global variables. (not implemented yet)
This analysis takes a function as input and performs a data-flow analysis on its nodes. It runs concrete execution on every statement and hooks all register/memory accesses to discover every place that accesses a variable. It is slow, but produces a more accurate analysis result. For a fast but less accurate variable recovery, consider using VariableRecoveryFast.
This analysis follows SSA, which means every write creates a new variable in registers or memory (stack, heap, etc.). Things get tricky when overlapping variable accesses exist (in memory only, as you cannot really have overlapping accesses to registers); in such cases a new variable is created, and this new variable overlaps with one or more existing variables. A decision procedure (which is pretty much TODO) is required at the end of this analysis to resolve the conflicts between overlapping variables.
- __init__(func, max_iterations=20, store_live_variables=False)
- Parameters:
func (knowledge.Function) – The function to analyze.
- class angr.analyses.variable_recovery.VariableRecoveryFast
Bases: ForwardAnalysis, VariableRecoveryBase
Recover "variables" from a function by keeping track of stack pointer offsets and pattern matching VEX statements.
If calling conventions are recovered prior to running VariableRecoveryFast, variables can be recognized more accurately. However, it is not a requirement. In that case, the function graph you pass must contain information indicating the call-out sites inside the analyzed function: these graph edges must be annotated with either "type": "call" or "outside": True.
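The following is an added example, not code from the angr project or its documentation. It shows the workflow the two class descriptions above imply: build a CFG, recover the calling convention first (the documented way to make VariableRecoveryFast more accurate), run the analysis, and read the recovered stack and register variables back out of the knowledge base. It also shows a small helper that applies the edge-annotation rule stated above ("type": "call" or "outside": True) to locate call-out sites in a function graph. The binary path and function name are placeholders; the use of CallingConventionAnalysis, kb.variables and get_variables(sort=...) reflects the angr API as I know it and is an assumption to check against your installed version.

```python
"""Added example for the angr variable-recovery docs (not angr's own code)."""
from __future__ import annotations

import sys
from typing import Any, Dict, Iterable, List, Tuple


def is_callout_edge(edge_data: Dict[str, Any]) -> bool:
    """Apply the rule from the VariableRecoveryFast docstring: an edge marks a
    call-out site if it carries "type": "call" or "outside": True."""
    return edge_data.get("type") == "call" or edge_data.get("outside") is True


def callout_sites(edges: Iterable[Tuple[int, int, Dict[str, Any]]]) -> List[Tuple[int, int]]:
    """Return the (src, dst) pairs of call-out edges, sorted for stable output.
    `edges` is an iterable of (src, dst, data) tuples, the shape that
    networkx's DiGraph.edges(data=True) yields for func.graph."""
    return sorted((u, v) for u, v, data in edges if is_callout_edge(data))


def recover_variables(binary_path: str, func_name: str = "main",
                      with_cc: bool = True) -> Dict[str, List[str]]:
    """Run VariableRecoveryFast on one function and return recovered variable
    names grouped by sort ("stack" / "reg"). angr is imported lazily so the
    pure-Python helpers above stay usable without it installed."""
    import angr  # assumption: angr is available in the environment

    proj = angr.Project(binary_path, auto_load_libs=False)
    cfg = proj.analyses.CFGFast(normalize=True)
    func = cfg.kb.functions[func_name]

    # Recovering the calling convention first is optional but, per the docs,
    # lets VariableRecoveryFast recognise variables more accurately.
    if with_cc:
        proj.analyses.CallingConventionAnalysis(func, cfg=cfg.model)

    # Call-out sites as VariableRecoveryFast sees them on func.graph.
    sites = callout_sites(func.graph.edges(data=True))
    print(f"{len(sites)} call-out edge(s) in {func_name}")

    proj.analyses.VariableRecoveryFast(func)

    # Results live in the knowledge base, keyed by function address.
    vm = proj.kb.variables[func.addr]
    return {
        "stack": sorted(str(v) for v in vm.get_variables(sort="stack")),
        "reg": sorted(str(v) for v in vm.get_variables(sort="reg")),
    }


if __name__ == "__main__":
    # Placeholder path: replace with a real binary to analyse.
    path = sys.argv[1] if len(sys.argv) > 1 else "/path/to/binary"
    for sort, names in recover_variables(path).items():
        print(sort, names)
```

The `sort` values are the two variable kinds this page lists as implemented (register and stack); heap and global variables are documented as not implemented yet, so nothing is requested for them. `callout_sites` accepts any `(src, dst, data)` triples, so it can be checked on a constructed edge list before being pointed at a real `func.graph`.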
Submodules