angr.calling_conventions

- class angr.calling_conventions.AllocHelper
  Bases: object
  - __init__(ptrsize)
  - alloc(size)
  - dump(val, state, loc=None)
  - translate(val, base)
  - apply(state, base)
  - size()
  - classmethod calc_size(val, arch)
  - classmethod stack_loc(val, arch, offset=0)
- angr.calling_conventions.refine_locs_with_struct_type(arch, locs, arg_type, offset=0, treat_bot_as_int=True, treat_unsupported_as_int=True)
- class angr.calling_conventions.SerializableListIterator
  Bases: SerializableIterator
  - __init__(lst)
  - getstate()
  - setstate(state)
- class angr.calling_conventions.SerializableCounter
  Bases: SerializableIterator
  - __init__(start, stride, mapping=<function SerializableCounter.<lambda>>)
  - getstate()
  - setstate(state)
- class angr.calling_conventions.SimFunctionArgument
  Bases: object
  Represent a generic function argument.
  - Variables:
  - check_value_set(value, arch)
  - check_value_get(value)
  - set_value(state, value, **kwargs)
  - get_value(state, **kwargs)
  - refine(size, arch=None, offset=None, is_fp=None)
  - get_footprint()
    Return a list of SimRegArg and SimStackArgs that are the base components used for this location.
    - Return type:
- class angr.calling_conventions.SimRegArg
  Bases: SimFunctionArgument
  Represents a function argument that has been passed in a register.
  - Variables:
    - reg_name (string) – The name of the represented register.
    - size (int) – The size of the data to store, in number of bytes.
    - reg_offset – The offset into the register to start storing data.
    - clear_entire_reg – Whether a store to this register should zero the unused parts of the register.
    - is_fp (bool) – Whether loads from this location should return a floating point bitvector.
  - __init__(reg_name, size, reg_offset=0, is_fp=False, clear_entire_reg=False)
  - set_value(state, value, **kwargs)
  - get_value(state, **kwargs)
  - refine(size, arch=None, offset=None, is_fp=None)
  - sse_extend()
- class angr.calling_conventions.SimStackArg
  Bases: SimFunctionArgument
  Represents a function argument that has been passed on the stack.
  - Variables:
    - stack_offset: int
  - set_value(state, value, stack_base=None, **kwargs)
  - get_value(state, stack_base=None, **kwargs)
  - refine(size, arch=None, offset=None, is_fp=None)
- class angr.calling_conventions.SimComboArg
  Bases: SimFunctionArgument, Generic
  An argument which spans multiple storage locations. Locations should be given least-significant first.
  - set_value(state, value, **kwargs)
  - get_value(state, **kwargs)
- class angr.calling_conventions.SimStructArg
  Bases: SimFunctionArgument
  An argument which de/serializes a struct from a list of storage locations.
  - Variables:
    - struct – The simtype describing the structure.
    - locs – The storage locations to use.
  - __init__(struct, locs)
    - Parameters:
      - struct (SimStruct)
      - locs (dict[str, SimFunctionArgument])
  - get_single_footprint()
    - Return type:
  - get_value(state, **kwargs)
  - set_value(state, value, **kwargs)
- class angr.calling_conventions.SimArrayArg
  Bases: SimFunctionArgument
  - __init__(locs)
  - get_value(state, **kwargs)
  - set_value(state, value, **kwargs)
- class angr.calling_conventions.SimReferenceArgument
  Bases: SimFunctionArgument
  A function argument which is passed by reference.
  - Variables:
    - ptr_loc – The location the reference's pointer is stored.
    - main_loc – A SimStackArgument describing how to load the argument's value as if it were stored at offset zero on the stack. It will be passed stack_base=ptr_loc.get_value(state).
  - __init__(ptr_loc, main_loc)
    - Parameters:
      - ptr_loc (SimFunctionArgument)
      - main_loc (SimFunctionArgument)
  - get_value(state, **kwargs)
  - set_value(state, value, **kwargs)
- class angr.calling_conventions.ArgSession
  Bases: object
  A class to keep track of the state accumulated in laying parameters out into memory.
  - __init__(cc)
  - cc
  - fp_iter
  - int_iter
  - both_iter
  - getstate()
  - setstate(state)
- class angr.calling_conventions.UsercallArgSession
  Bases: object
  An argsession for use with SimCCUsercall.
  - __init__(cc)
  - cc
  - real_args
  - getstate()
  - setstate(state)
- class angr.calling_conventions.SimCC
  Bases: object
  A calling convention allows you to extract from a state the data passed from function to function by calls and returns. Most of the methods provided by SimCC that operate on a state assume that the program is just after a call but just before stack frame allocation, though this may be overridden with the stack_base parameter to each individual method.
  This is the base class for all calling conventions.
  - STACKARG_SP_BUFF = 0
  - STACKARG_SP_DIFF = 0
  - RETURN_ADDR: SimFunctionArgument | None = None
  - RETURN_VAL: SimFunctionArgument | None = None
  - OVERFLOW_RETURN_VAL: SimFunctionArgument | None = None
  - FP_RETURN_VAL: SimFunctionArgument | None = None
  - CALLEE_CLEANUP = False
  - STACK_ALIGNMENT = 1
  - property int_args
    Iterate through all the possible arg positions that can only be used to store integer or pointer values.
    Returns an iterator of SimFunctionArguments.
  - property memory_args
    Iterate through all the possible arg positions that can be used to store any kind of argument.
    Returns an iterator of SimFunctionArguments.
  - property fp_args
    Iterate through all the possible arg positions that can only be used to store floating point values.
    Returns an iterator of SimFunctionArguments.
  - is_fp_arg(arg)
    This should take a SimFunctionArgument instance and return whether or not that argument is a floating-point argument.
    - Returns: True if the argument MUST be a floating point arg, False if it MUST NOT be a floating point arg, None when it can be either.
  - class ArgSession
    Bases: object
    A class to keep track of the state accumulated in laying parameters out into memory.
    - both_iter
    - cc
    - fp_iter
    - int_iter
    - __init__(cc)
    - getstate()
    - setstate(state)
  - arg_session(ret_ty)
    Return an arg session.
    A session provides the control interface necessary to describe how integral and floating-point arguments are laid out into memory. The default behavior is that there is a finite list of int-only and fp-only argument slots and an infinite number of generic slots, and when an argument of a given type is requested, the most specific slot available is used. If you need different behavior, subclass ArgSession.
    You need to provide the return type of the function in order to kick off an arg layout session.
    - Return type:
    - Parameters:
      - ret_ty (SimType | None)
  - stack_space(args)
    - Parameters:
      - args – A list of SimFunctionArguments.
    - Returns:
      The number of bytes that should be allocated on the stack to store all these args, NOT INCLUDING the return address.
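The slot-selection rule that arg_session describes, and the stack_space computation that follows from it, are easier to see in a small self-contained model. The block below is an added example written for this page; it is not angr's ArgSession or SimCC code. The register sets are an assumption taken from the System V AMD64 ABI (rdi, rsi, rdx, rcx, r8, r9 for integers and pointers; xmm0 to xmm7 for floating point), and STACKARG_SP_DIFF and STACK_ALIGNMENT mirror the SimCCSystemVAMD64 constants listed further down this page. Argument kinds are given as the strings "int" and "fp" rather than SimTypes.

```python
from dataclasses import dataclass
from itertools import count

# Constructed model of the ArgSession layout rule; not angr's implementation.
# Register lists assumed from the System V AMD64 ABI; stack constants mirror
# the SimCCSystemVAMD64 values documented on this page.
INT_ARG_REGS = ["rdi", "rsi", "rdx", "rcx", "r8", "r9"]
FP_ARG_REGS = [f"xmm{i}" for i in range(8)]
STACKARG_SP_DIFF = 8     # first stack slot sits just above the pushed return address
STACK_ALIGNMENT = 16
SLOT_SIZE = 8


@dataclass(frozen=True)
class RegArg:
    reg_name: str
    size: int
    is_fp: bool


@dataclass(frozen=True)
class StackArg:
    stack_offset: int    # offset from the stack pointer at function entry
    size: int


class ArgSession:
    """Tracks which slots have already been handed out during one layout."""

    def __init__(self):
        self.int_iter = iter(INT_ARG_REGS)                    # finite int/pointer-only slots
        self.fp_iter = iter(FP_ARG_REGS)                      # finite fp-only slots
        self.both_iter = count(STACKARG_SP_DIFF, SLOT_SIZE)   # unbounded generic (memory) slots

    def next_arg(self, is_fp, size=SLOT_SIZE):
        """Hand out the most specific slot that can hold the argument: a
        type-specific register while any remain, otherwise the next generic
        stack slot. The int and fp register pools are consumed independently,
        so running out of integer registers does not push fp args to memory."""
        specific = self.fp_iter if is_fp else self.int_iter
        try:
            return RegArg(next(specific), size, is_fp)
        except StopIteration:
            return StackArg(next(self.both_iter), size)


def arg_locs(arg_kinds):
    """Map a sequence of 'int' / 'fp' argument kinds to storage locations."""
    session = ArgSession()
    return [session.next_arg(kind == "fp") for kind in arg_kinds]


def stack_space(locs):
    """Bytes to reserve on the stack for the memory-resident arguments, not
    counting the return address, rounded up to the stack alignment."""
    end = 0
    for loc in locs:
        if isinstance(loc, StackArg):
            end = max(end, loc.stack_offset + loc.size - STACKARG_SP_DIFF)
    return -(-end // STACK_ALIGNMENT) * STACK_ALIGNMENT


if __name__ == "__main__":
    locs = arg_locs(["int"] * 7 + ["fp"])
    for loc in locs:
        print(loc)
    print("stack bytes (excluding return address):", stack_space(locs))
```

With seven integer arguments and one floating-point argument, the seventh integer spills to the first stack slot while the float still lands in xmm0, and stack_space reports 16 bytes because the 8-byte spill slot is rounded up to the 16-byte alignment.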
  - return_val(ty, perspective_returned=False)
    The location the return value is stored, based on its type.
  - property return_addr
    The location the return address is stored.
  - next_arg(session, arg_type)
    - Return type:
    - Parameters:
      - session (ArgSession)
      - arg_type (SimType)
  - static is_fp_value(val)
  - static guess_prototype(args, prototype=None)
    Come up with a plausible SimTypeFunction for the given args (as would be passed to e.g. setup_callsite).
    You can pass a variadic function prototype in the base_type parameter and all its arguments will be used, only guessing types for the variadic arguments.
  - arg_locs(prototype)
    - Return type:
  - get_args(state, prototype, stack_base=None)
  - set_return_val(state, val, ty, stack_base=None, perspective_returned=False)
  - setup_callsite(state, ret_addr, args, prototype, stack_base=None, alloc_base=None, grow_like_stack=True)
    This function performs the actions of the caller getting ready to jump into a function.
    - Parameters:
      - state – The SimState to operate on.
      - ret_addr – The address to return to when the called function finishes.
      - args – The list of arguments that the called function will see.
      - prototype – The signature of the call you're making. Should include variadic args concretely.
      - stack_base – An optional pointer to use as the top of the stack, circa the function entry point.
      - alloc_base – An optional pointer to use as the place to put excess argument data.
      - grow_like_stack – When allocating data at alloc_base, whether to allocate at decreasing addresses.
    The idea here is that you can provide almost any kind of Python type in args and it'll be translated to a binary format to be placed into simulated memory. Lists (representing arrays) must be entirely elements of the same type and size, while tuples (representing structs) can be elements of any type and size. If you'd like there to be a pointer to a given value, wrap the value in a PointerWrapper.
    If stack_base is not provided, the current stack pointer will be used, and it will be updated. If alloc_base is not provided, the stack base will be used and grow_like_stack will implicitly be True.
    grow_like_stack controls the behavior of allocating data at alloc_base. When data from args needs to be wrapped in a pointer, the pointer needs to point somewhere, so that data is dumped into memory at alloc_base. If you set alloc_base to point to somewhere other than the stack, set grow_like_stack to False so that sequential allocations happen at increasing addresses.
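The translation rules setup_callsite describes (lists as uniform arrays, tuples as structs, PointerWrapper for pass-by-pointer, and grow_like_stack deciding the direction of allocations at alloc_base) are modelled below in a self-contained form. This is an added example for this page, not angr's AllocHelper or PointerWrapper code and not a SimState; memory is a plain dictionary, a 64-bit little-endian target is assumed so integers and pointers are 8 bytes, and the class and function names are the example's own.

```python
import struct

# Constructed model of the argument lowering and alloc_base allocation rules
# described by setup_callsite; not angr's code. Assumes a 64-bit little-endian
# target, so integers and pointers are 8 bytes.
PTRSIZE = 8


class PointerWrapper:
    """Stand-in for angr's PointerWrapper: the callee receives the *address* of
    value, which is first dumped into memory at alloc_base."""

    def __init__(self, value):
        self.value = value


class CallsiteAllocator:
    def __init__(self, alloc_base, grow_like_stack):
        self.mem = {}                   # sparse byte memory: address -> int
        self.next_addr = alloc_base
        self.grow_like_stack = grow_like_stack

    def allocate(self, data):
        """Place data at alloc_base. Stack-like growth moves downward, so each
        allocation lands below the previous one; with grow_like_stack=False
        successive allocations are laid out at increasing addresses, which is
        what a non-stack alloc_base needs so that later data never overwrites
        earlier data."""
        if self.grow_like_stack:
            self.next_addr -= len(data)
            addr = self.next_addr
        else:
            addr = self.next_addr
            self.next_addr += len(data)
        for i, byte in enumerate(data):
            self.mem[addr + i] = byte
        return addr

    def lower(self, value):
        """Translate a Python value into the bytes the callee will see,
        dumping pointed-to data into memory as a side effect."""
        if isinstance(value, PointerWrapper):
            addr = self.allocate(self.lower(value.value))
            return struct.pack("<Q", addr)
        if isinstance(value, int):
            return struct.pack("<q" if value < 0 else "<Q", value)
        if isinstance(value, bytes):
            return value
        if isinstance(value, list):                      # array: uniform elements
            chunks = [self.lower(v) for v in value]
            if len({len(c) for c in chunks}) > 1:
                raise TypeError("array elements must all have the same size")
            return b"".join(chunks)
        if isinstance(value, tuple):                     # struct: any mix of fields
            return b"".join(self.lower(v) for v in value)
        raise TypeError(f"cannot lower a {type(value).__name__} argument")

    def read(self, addr, n):
        return bytes(self.mem[addr + i] for i in range(n))


def lower_args(args, alloc_base, grow_like_stack):
    """Lower every argument in order; return (per-argument bytes, allocator)."""
    alloc = CallsiteAllocator(alloc_base, grow_like_stack)
    return [alloc.lower(a) for a in args], alloc


if __name__ == "__main__":
    # Constructed sample call: a C string and an int array, both by pointer.
    sample = [PointerWrapper(b"hi\x00"), PointerWrapper([1, 2])]
    for grow in (True, False):
        lowered, alloc = lower_args(sample, 0x1000, grow_like_stack=grow)
        print("grow_like_stack =", grow, [hex(int.from_bytes(b, "little")) for b in lowered])
```

Running the sample with grow_like_stack=True puts the string below 0x1000 and the array below the string; with grow_like_stack=False the string starts at 0x1000 and the array follows it at 0x1003. A list mixing an 8-byte int with a 1-byte value raises TypeError, while the same mix inside a tuple is accepted as a struct.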
  - teardown_callsite(state, return_val=None, prototype=None, force_callee_cleanup=False)
    This function performs the actions of the callee as it's getting ready to return. It returns the address to return to.
    - Parameters:
      - state – The state to mutate.
      - return_val – The value to return.
      - prototype – The prototype of the given function.
      - force_callee_cleanup – If we should clean up the stack allocation for the arguments even if it's not the callee's job to do so.
    TODO: support the stack_base parameter from setup_callsite…? Does that make sense in this context? Maybe it could make sense by saying that you pass it in as something like the "saved base pointer" value?
  - static find_cc(arch, args, sp_delta, platform='Linux', unused_hint=None, extra_pop=None)
    Pinpoint the best-fit calling convention and return the corresponding SimCC instance, or None if no fit is found.
    - Parameters:
      - arch (Arch) – An ArchX instance. Can be obtained from archinfo.
      - args (list[SimRegArg | SimStackArg]) – A list of arguments. It may be updated by the first matched calling convention to remove non-argument arguments.
      - sp_delta (int) – The change of stack pointer before and after the call is made.
      - extra_pop (int | None) – The number of bytes that are popped by the callee. This is used to distinguish between callee-cleanup and caller-cleanup conventions.
      - platform (str | None)
    - Return type:
    - Returns:
      A calling convention instance, or None if none of the SimCC subclasses seems to fit the arguments provided.
  - get_arg_info(state, prototype)
    This is just a simple wrapper that collects the information from various locations. prototype is as passed to self.arg_locs and self.get_args.
    - Parameters:
      - state (angr.SimState) – The state to evaluate and extract the values from.
    - Returns:
      A list of tuples, where the nth tuple is (type, name, location, value) of the nth argument.
- class angr.calling_conventions.SimLyingRegArg
  Bases: SimRegArg
  A register that LIES about the types it holds.
  - __init__(name, size=8)
  - get_value(state, **kwargs)
  - set_value(state, value, **kwargs)
  - refine(size, arch=None, offset=None, is_fp=None)
- class angr.calling_conventions.SimCCUsercall
  Bases: SimCC
  - ArgSession
    alias of UsercallArgSession
  - next_arg(session, arg_type)
    - Parameters:
      - session (UsercallArgSession)
- class angr.calling_conventions.SimCCCdecl
  Bases: SimCC
  - STACKARG_SP_DIFF = 4
  - RETURN_VAL: SimFunctionArgument | None = <eax>
  - OVERFLOW_RETURN_VAL: SimFunctionArgument | None = <edx>
  - FP_RETURN_VAL: SimFunctionArgument | None = <st0>
  - RETURN_ADDR: SimFunctionArgument | None = [0x0]
  - ARCH
    alias of ArchX86
  - next_arg(session, arg_type)
  - STRUCT_RETURN_THRESHOLD = 32
  - return_in_implicit_outparam(ty)
- class angr.calling_conventions.SimCCMicrosoftCdecl
  Bases: SimCCCdecl
  - STRUCT_RETURN_THRESHOLD = 64
- class angr.calling_conventions.SimCCMicrosoftThiscall
  Bases: SimCCCdecl
  - CALLEE_CLEANUP = True
  - STRUCT_RETURN_THRESHOLD = 64
  - arg_locs(prototype)
    - Return type:
- class angr.calling_conventions.SimCCStdcall
  Bases: SimCCMicrosoftCdecl
  - CALLEE_CLEANUP = True
- class angr.calling_conventions.SimCCMicrosoftFastcall
  Bases: SimCC
  - STACKARG_SP_DIFF = 4
  - RETURN_VAL: SimFunctionArgument | None = <eax>
  - OVERFLOW_RETURN_VAL: SimFunctionArgument | None = <edx>
  - RETURN_ADDR: SimFunctionArgument | None = [0x0]
  - ARCH
    alias of ArchX86
- class angr.calling_conventions.MicrosoftAMD64ArgSession
  Bases: ArgSession
  - both_iter
  - cc
  - fp_iter
  - int_iter
- class angr.calling_conventions.SimCCMicrosoftAMD64
  Bases: SimCC
  - STACKARG_SP_DIFF = 8
  - STACKARG_SP_BUFF = 32
  - RETURN_VAL: SimFunctionArgument | None = <rax>
  - OVERFLOW_RETURN_VAL: SimFunctionArgument | None = <rdx>
  - FP_RETURN_VAL: SimFunctionArgument | None = <xmm0>
  - RETURN_ADDR: SimFunctionArgument | None = [0x0]
  - ARCH
    alias of ArchAMD64
  - STACK_ALIGNMENT = 16
  - ArgSession
    alias of MicrosoftAMD64ArgSession
  - STRUCT_RETURN_THRESHOLD = 64
  - next_arg(session, arg_type)
  - return_in_implicit_outparam(ty)
- class angr.calling_conventions.SimCCSyscall
  Bases: SimCC
  The base class of all syscall CCs.
  - SYSCALL_ERRNO_START = None
  - linux_syscall_update_error_reg(state, expr)
  - set_return_val(state, val, ty, **kwargs)
- class angr.calling_conventions.SimCCX86LinuxSyscall
  Bases: SimCCSyscall
  - RETURN_VAL: SimFunctionArgument | None = <eax>
  - RETURN_ADDR: SimFunctionArgument | None = <ip_at_syscall>
  - ARCH
    alias of ArchX86
  - static syscall_num(state)
- class angr.calling_conventions.SimCCX86WindowsSyscall
  Bases: SimCCSyscall
  - RETURN_VAL: SimFunctionArgument | None = <eax>
  - RETURN_ADDR: SimFunctionArgument | None = <ip_at_syscall>
  - ARCH
    alias of ArchX86
  - static syscall_num(state)
- class angr.calling_conventions.SimCCSystemVAMD64
  Bases: SimCC
  - STACKARG_SP_DIFF = 8
  - RETURN_ADDR: SimFunctionArgument | None = [0x0]
  - RETURN_VAL: SimFunctionArgument | None = <rax>
  - OVERFLOW_RETURN_VAL: SimFunctionArgument | None = <rdx>
  - FP_RETURN_VAL: SimFunctionArgument | None = <xmm0>
  - OVERFLOW_FP_RETURN_VAL = <xmm1>
  - ARCH
    alias of ArchAMD64
  - STACK_ALIGNMENT = 16
  - next_arg(session, arg_type)
  - return_in_implicit_outparam(ty)
- class angr.calling_conventions.SimCCAMD64LinuxSyscall
  Bases: SimCCSyscall
  - RETURN_VAL: SimFunctionArgument | None = <rax>
  - RETURN_ADDR: SimFunctionArgument | None = <ip_at_syscall>
  - ARCH
    alias of ArchAMD64
  - static syscall_num(state)
- class angr.calling_conventions.SimCCAMD64WindowsSyscall
  Bases: SimCCSyscall
  - RETURN_VAL: SimFunctionArgument | None = <rax>
  - RETURN_ADDR: SimFunctionArgument | None = <ip_at_syscall>
  - ARCH
    alias of ArchAMD64
  - static syscall_num(state)
- class angr.calling_conventions.SimCCARM
  Bases: SimCC
  - RETURN_ADDR: SimFunctionArgument | None = <lr>
  - RETURN_VAL: SimFunctionArgument | None = <r0>
  - OVERFLOW_RETURN_VAL: SimFunctionArgument | None = <r1>
  - ARCH
    alias of ArchARM
  - next_arg(session, arg_type)
- class angr.calling_conventions.SimCCARMHF
  Bases: SimCCARM
  - FP_ARG_REGS: list[str] = ['s0', 's1', 's2', 's3', 's4', 's5', 's6', 's7', 's8', 's9', 's10', 's11', 's12', 's13', 's14', 's15']
  - FP_RETURN_VAL: SimFunctionArgument | None = <s0>
  - RETURN_ADDR: SimFunctionArgument | None = <lr>
  - RETURN_VAL: SimFunctionArgument | None = <r0>
  - OVERFLOW_RETURN_VAL: SimFunctionArgument | None = <r1>
  - ARCH
    alias of ArchARMHF
  - next_arg(session, arg_type)
    - Parameters:
      - session (ArgSession)
- class angr.calling_conventions.SimCCARMLinuxSyscall
  Bases: SimCCSyscall
  - RETURN_ADDR: SimFunctionArgument | None = <ip_at_syscall>
  - RETURN_VAL: SimFunctionArgument | None = <r0>
  - ARCH
    alias of ArchARM
  - static syscall_num(state)
- class angr.calling_conventions.SimCCAArch64
  Bases: SimCC
  - RETURN_ADDR: SimFunctionArgument | None = <lr>
  - RETURN_VAL: SimFunctionArgument | None = <x0>
  - ARCH
    alias of ArchAArch64
- class angr.calling_conventions.SimCCAArch64LinuxSyscall
  Bases: SimCCSyscall
  - RETURN_VAL: SimFunctionArgument | None = <x0>
  - RETURN_ADDR: SimFunctionArgument | None = <ip_at_syscall>
  - ARCH
    alias of ArchAArch64
  - static syscall_num(state)
- class angr.calling_conventions.SimCCRISCV64
  Bases: SimCC
  - FP_RETURN_VAL: SimFunctionArgument | None = <fa0>
  - RETURN_VAL: SimFunctionArgument | None = <a0>
  - RETURN_ADDR: SimFunctionArgument | None = <ra>
  - CALLER_SAVED_REGS: list[str] = ['ra', 'a0', 'a1', 'a2', 'a3', 'a4', 'a5', 'a6', 'a7', 't0', 't1', 't2', 't3', 't4', 't5', 't6']
  - STACK_ALIGNMENT = 16
  - ARCH
    alias of ArchRISCV64
  - next_arg(session, arg_type)
- class angr.calling_conventions.SimCCRISCV64LinuxSyscall
  Bases: SimCCSyscall
  - RETURN_VAL: SimFunctionArgument | None = <a0>
  - RETURN_ADDR: SimFunctionArgument | None = <ip_at_syscall>
  - ARCH
    alias of ArchRISCV64
  - static syscall_num(state)
- class angr.calling_conventions.SimCCO32
  Bases: SimCC
  - STACKARG_SP_BUFF = 16
  - RETURN_ADDR: SimFunctionArgument | None = <ra>
  - RETURN_VAL: SimFunctionArgument | None = <v0>
  - OVERFLOW_RETURN_VAL: SimFunctionArgument | None = <v1>
  - ARCH
    alias of ArchMIPS32
  - next_arg(session, arg_type)
- class angr.calling_conventions.SimCCO32LinuxSyscall
  Bases: SimCCSyscall
  - RETURN_VAL: SimFunctionArgument | None = <v0>
  - RETURN_ADDR: SimFunctionArgument | None = <ip_at_syscall>
  - ARCH
    alias of ArchMIPS32
  - SYSCALL_ERRNO_START = -1133
  - static syscall_num(state)
- class angr.calling_conventions.SimCCN64
  Bases: SimCC
  - STACKARG_SP_BUFF = 32
  - RETURN_ADDR: SimFunctionArgument | None = <ra>
  - RETURN_VAL: SimFunctionArgument | None = <v0>
  - ARCH
    alias of ArchMIPS64
- class angr.calling_conventions.SimCCN64LinuxSyscall
  Bases: SimCCSyscall
  - RETURN_VAL: SimFunctionArgument | None = <v0>
  - RETURN_ADDR: SimFunctionArgument | None = <ip_at_syscall>
  - ARCH
    alias of ArchMIPS64
  - SYSCALL_ERRNO_START = -1133
  - static syscall_num(state)
- class angr.calling_conventions.SimCCPowerPC
  Bases: SimCC
  - STACKARG_SP_BUFF = 8
  - RETURN_ADDR: SimFunctionArgument | None = <lr>
  - RETURN_VAL: SimFunctionArgument | None = <r3>
  - OVERFLOW_RETURN_VAL: SimFunctionArgument | None = <r4>
  - ARCH
    alias of ArchPPC32
- class angr.calling_conventions.SimCCPowerPCLinuxSyscall
  Bases: SimCCSyscall
  - RETURN_VAL: SimFunctionArgument | None = <r3>
  - RETURN_ADDR: SimFunctionArgument | None = <ip_at_syscall>
  - ARCH
    alias of ArchPPC32
  - SYSCALL_ERRNO_START = -515
  - static syscall_num(state)
- class angr.calling_conventions.SimCCPowerPC64
  Bases: SimCC
  - STACKARG_SP_BUFF = 112
  - RETURN_ADDR: SimFunctionArgument | None = <lr>
  - RETURN_VAL: SimFunctionArgument | None = <r3>
  - ARCH
    alias of ArchPPC64
- class angr.calling_conventions.SimCCPowerPC64LinuxSyscall
  Bases: SimCCSyscall
  - RETURN_VAL: SimFunctionArgument | None = <r3>
  - RETURN_ADDR: SimFunctionArgument | None = <ip_at_syscall>
  - ARCH
    alias of ArchPPC64
  - SYSCALL_ERRNO_START = -515
  - static syscall_num(state)
- class angr.calling_conventions.SimCCS390X
  Bases: SimCC
  - STACKARG_SP_BUFF = 160
  - RETURN_ADDR: SimFunctionArgument | None = <r14>
  - RETURN_VAL: SimFunctionArgument | None = <r2>
  - ARCH
    alias of ArchS390X
- class angr.calling_conventions.SimCCS390XLinuxSyscall
  Bases: SimCCSyscall
  - RETURN_VAL: SimFunctionArgument | None = <r2>
  - RETURN_ADDR: SimFunctionArgument | None = <ip_at_syscall>
  - ARCH
    alias of ArchS390X
  - static syscall_num(state)
- angr.calling_conventions.register_default_cc(arch, cc, platform='Linux')
- angr.calling_conventions.default_cc(arch, platform='Linux', language=None, syscall=False, default=None)
  Return the default calling convention for a given architecture, platform, and language combination.
  - Parameters:
    - arch (str) – The architecture name.
    - platform (str | None) – The platform name (e.g., "Linux" or "Win32").
    - language (str | None) – The programming language name (e.g., "go").
    - syscall (bool) – Return the syscall convention (True) or the normal calling convention (False, default).
    - default (type[SimCC] | None) – The default calling convention to return if nothing fits.
  - Return type:
  - Returns:
    A default calling convention class if we can find one for the architecture, platform, and language combination, or the default if nothing fits.
- angr.calling_conventions.unify_arch_name(arch)
  Return the unified architecture name.
- angr.calling_conventions.register_syscall_cc(arch, os, cc)
- angr.calling_conventions.cls_
  alias of SimCCUsercall