angr.exploration_techniques.tracer

class angr.exploration_techniques.tracer.TracingMode

Bases: object

Variables:
  • Strict – Strict mode, the default mode, where an exception is raised immediately if tracer’s path deviates from the provided trace.

  • Permissive – Permissive mode, where tracer attempts to force the path back to the provided trace when a deviation happens. This does not always work, especially when the cause of deviation is related to input that will later be used in exploit generation. But, it might work magically sometimes.

  • CatchDesync – CatchDesync mode, which catches desyncs caused by SimProcedures. Such a desync might be a sign of something interesting.

Strict = 'strict'
Permissive = 'permissive'
CatchDesync = 'catch_desync'
exception angr.exploration_techniques.tracer.TracerDesyncError

Bases: AngrTracerError

An error class to report a tracing desynchronization error.

class angr.exploration_techniques.tracer.RepHook

Bases: object

Hook rep movs/stos to speed up constraint solving.

TODO: This should be made an exploration technique later.

__init__(mnemonic)
run(state)
class angr.exploration_techniques.tracer.Tracer

Bases: ExplorationTechnique

An exploration technique that follows an angr path with a concrete input. The tracing result is the state at the last address of the trace, which can be found in the ‘traced’ stash.

If the given concrete input makes the program crash, you should provide crash_addr, and the crashing state will be found in the ‘crashed’ stash.

Parameters:
  • trace – The basic block trace.

  • resiliency – Should we continue to step forward even if qemu and angr disagree?

  • keep_predecessors – Number of states before the final state we should log.

  • crash_addr – If the trace resulted in a crash, provide the crashing instruction pointer here, and the ‘crashed’ stash will be populated with the crashing state.

  • syscall_data – Data related to various syscalls recorded by the tracer, used for replaying them.

  • copy_states – Whether COPY_STATES should be enabled for the tracing state. It is off by default because most tracing workloads benefit greatly from not performing copying. You want to enable it if you want to see the missed states. It will be re-added for the last 2% of the trace in order to set the predecessors list correctly. If you turn this on you may want to enable the LAZY_SOLVES option.

  • mode – Tracing mode.

  • aslr – Whether there are ASLR slides. If not, the tracer uses the trace address as the state address.

  • follow_unsat – Whether unsatisfiable states should be treated as potential successors or not.

Variables:

predecessors (list[SimState]) – A list of states in the history before the final state.

__init__(trace=None, resiliency=False, keep_predecessors=1, crash_addr=None, syscall_data=None, copy_states=False, fast_forward_to_entry=True, mode='strict', aslr=True, follow_unsat=False)
predecessors: list[SimState]
set_fd_data(fd_data)

Set concrete bytes of various fds read by the program

Parameters:

fd_data (dict[int, bytes])

classmethod crash_windup(state, crash_addr)
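As an added example (not code from angr's documentation or source tree), the following replays a concrete input along a recorded basic-block trace with this technique. It assumes that the binary path, the trace, the concrete stdin bytes and the crash address come from a separate concrete run (for instance a QEMU-based tracer), and the rebase_trace helper is the example's own, only needed when the technique runs with aslr=False.

```python
# Added example: replay a concrete input along a recorded basic-block trace
# with angr's Tracer. Assumptions: `binary` is the traced program, `trace`
# holds the basic-block addresses recorded while running it on
# `concrete_input`, and `crash_addr` is the faulting instruction pointer if
# that run crashed (all obtained from a separate concrete run).

def rebase_trace(trace, recorded_base, recorded_size, loaded_base):
    """Shift main-object addresses from the base the trace was recorded at to
    the base CLE loaded the binary at. With aslr=False the tracer compares
    trace addresses to state addresses verbatim, so a trace recorded under a
    different load base must be rebased first. Addresses outside the recorded
    mapping (shared libraries, vdso) are left untouched."""
    lo, hi = recorded_base, recorded_base + recorded_size
    slide = loaded_base - recorded_base
    return [addr + slide if lo <= addr < hi else addr for addr in trace]


def replay_trace(binary, concrete_input, trace, crash_addr=None,
                 mode="strict", keep_predecessors=2):
    """Follow `trace` symbolically with `concrete_input` on stdin.

    Returns (traced_state, crashed_state, predecessors). traced_state is the
    state at the last trace address; crashed_state is only populated when
    crash_addr was given and the trace reaches it. In 'strict' mode a path
    that leaves the trace raises TracerDesyncError from simgr.run().
    """
    import angr  # imported lazily so rebase_trace is usable without angr
    from angr.exploration_techniques.tracer import Tracer

    proj = angr.Project(binary, auto_load_libs=False)
    # 'tracing' state mode selects the options a concrete replay wants;
    # stdin is a stream whose bytes are preconstrained to the concrete input.
    state = proj.factory.entry_state(mode="tracing", stdin=angr.SimFileStream)
    state.preconstrainer.preconstrain_file(concrete_input, state.posix.stdin, True)
    # Keep unconstrained states so a crashing input is not silently discarded.
    simgr = proj.factory.simulation_manager(
        state, save_unconstrained=crash_addr is not None)
    tracer = Tracer(trace=trace, crash_addr=crash_addr, mode=mode,
                    keep_predecessors=keep_predecessors, aslr=False)
    simgr.use_technique(tracer)
    simgr.run()
    traced = simgr.stashes.get("traced", [])
    crashed = simgr.stashes.get("crashed", [])
    return (traced[0] if traced else None,
            crashed[0] if crashed else None,
            tracer.predecessors)
```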