angr.simos

Manage OS-level configuration.

class angr.simos.SimCGC

Bases: SimUserland

Environment configuration for the CGC DECREE platform

__init__(project, **kwargs)
state_blank(flag_page=None, allocate_stack_page_count=256, **kwargs)
Parameters:
  • flag_page – Flag page content, either a string or a list of BV8s

  • allocate_stack_page_count – Number of pages to pre-allocate for stack

state_entry(add_options=None, **kwargs)
class angr.simos.SimJavaVM

Bases: SimOS

__init__(*args, **kwargs)
state_entry(args=None, **kwargs)

Create an entry state.

Parameters:

args – List of SootArgument values (optional).

static generate_symbolic_cmd_line_arg(state)

Generates a new symbolic cmd line argument string.

Returns:

The string reference.

state_call(addr, *args, **kwargs)

Create a native or a Java call state.

Parameters:
  • addr – Soot or native addr of the invoke target.

  • args – List of SootArgument values.

static get_default_value_by_type(type_, state)

Java specifies default values for primitive and reference types. This method returns the default value for a given type.

Parameters:
  • type (str) – Name of type.

  • state (SimState) – Current SimState.

Returns:

Default value for this type.

static cast_primitive(state, value, to_type)

Cast the value of primitive types.

Parameters:
  • value – Bitvector storing the primitive value.

  • to_type – Name of the targeted type.

Returns:

Resized value.

static init_static_field(state, field_class_name, field_name, field_type)

Initialize the static field with an allocated, but not initialized, object of the given type.

Parameters:
  • state – State associated to the field.

  • field_class_name – Class containing the field.

  • field_name – Name of the field.

  • field_type – Type of the field and the new object.

static get_cmd_line_args(state)
get_addr_of_native_method(soot_method)

Get address of the implementation from a native declared Java function.

Parameters:

soot_method – Method descriptor of a native declared function.

Returns:

CLE address of the given method.

get_native_type(java_type)

Maps the Java type to a SimTypeReg representation of its native counterpart. This type can be used to indicate the (well-defined) size of native JNI types.

Returns:

A SimTypeReg with the JNI size of the given type.

property native_arch

Arch of the native simos.


get_native_cc()
Returns:

SimCC object for the native simos.

class angr.simos.SimLinux

Bases: SimUserland

OS-specific configuration for *nix-y OSes.

__init__(project, **kwargs)
state_entry(args=None, env=None, argc=None, **kwargs)
set_entry_register_values(state)
state_full_init(**kwargs)
prepare_function_symbol(symbol_name, basic_addr=None)

Prepare the address space with the data necessary to perform relocations pointing to the given symbol.

Returns a 2-tuple. The first item is the address of the function code, the second is the address of the relocation target.

initialize_segment_register_x64(state, concrete_target)

Set the fs register in the angr state to the value of the fs register in the concrete process.

Parameters:
  • state – state which will be modified

  • concrete_target – concrete target that will be used to read the fs register

Returns:

None

initialize_gdt_x86(state, concrete_target)

Create a GDT in the state memory and populate the segment registers. Rehook the vsyscall address using the real value in the concrete process memory.

Parameters:
  • state – state which will be modified

  • concrete_target – concrete target that will be used to read the fs register

Returns:

get_segment_register_name()
class angr.simos.SimOS

Bases: object

A class describing OS/arch-level configuration.

__init__(project, name=None)
Parameters:
name: str | None
configure_project()

Configure the project to set up global settings (like SimProcedures).

state_blank(addr=None, initial_prefix=None, brk=None, stack_end=None, stack_size=8388608, stdin=None, thread_idx=None, permissions_backer=None, **kwargs)

Initialize a blank state.

All parameters are optional.

Parameters:
  • addr – The execution start address.

  • initial_prefix

  • stack_end – The end of the stack (i.e., the byte after the last valid stack address).

  • stack_size – The number of bytes to allocate for stack space

  • brk – The address of the process’ break.

Returns:

The initialized SimState.

Any additional arguments will be passed to the SimState constructor

state_entry(**kwargs)
state_full_init(**kwargs)
state_call(addr, *args, **kwargs)
prepare_call_state(calling_state, initial_state=None, preserve_registers=(), preserve_memory=())

This function prepares a state that is executing a call instruction. If given an initial_state, it copies over all of the critical registers to it from the calling_state. Otherwise, it prepares the calling_state for action.

This is mostly used to create minimalistic states for CFG generation. Some ABIs, such as MIPS PIE and x86 PIE, require certain information to be maintained in certain registers. For example, for PIE MIPS, this function transfers t9, gp, and ra to the new state.

prepare_function_symbol(symbol_name, basic_addr=None)

Prepare the address space with the data necessary to perform relocations pointing to the given symbol.

Returns a 2-tuple. The first item is the address of the function code, the second is the address of the relocation target.

handle_exception(successors, engine, exception)

Perform exception handling. This method will be called when, during execution, a SimException is thrown. Currently, this can only indicate a segfault, but in the future it could indicate any unexpected exceptional behavior that can’t be handled by ordinary control flow.

The method may mutate the provided SimSuccessors object in any way it likes, or re-raise the exception.

Parameters:
  • successors – The SimSuccessors object currently being executed on

  • engine – The engine that was processing this step

  • exception – The actual exception object

syscall(state, allow_unsupported=True)
Return type:

SimProcedure | None

Parameters:
syscall_abi(state)
Return type:

str | None

Parameters:

state (SimState)

syscall_cc(state)
Return type:

SimCCSyscall | None

Parameters:

state (SimState)

is_syscall_addr(addr)
Return type:

bool

syscall_from_addr(addr, allow_unsupported=True)
Return type:

SimProcedure | None

syscall_from_number(number, allow_unsupported=True, abi=None)
Return type:

SimProcedure | None

setup_gdt(state, gdt)

Write the GlobalDescriptorTable object in the current state memory.

Parameters:
  • state – state in which to write the GDT

  • gdt – GlobalDescriptorTable object

Returns:

generate_gdt(fs, gs, fs_size=4294967295, gs_size=4294967295)

Generate a GlobalDescriptorTable object and populate it using the values of the gs and fs registers.

Parameters:
  • fs – value of the fs segment register

  • gs – value of the gs segment register

  • fs_size – size of the fs segment register

  • gs_size – size of the gs segment register

Returns:

A GlobalDescriptorTable object.

class angr.simos.SimSnimmucNxp

Bases: SimOS

This class implements the “OS” for a bare-metal firmware used at an imaginary company.

__init__(project, name=None, **kwargs)
Parameters:

project (Project)

class angr.simos.SimUserland

Bases: SimOS

This is a base class for any SimOS that wants to support syscalls.

It uses the CLE kernel object to provide addresses for syscalls. Syscalls will be emulated as a jump to one of these addresses, where a SimProcedure from the syscall library provided at construction time will be executed.

__init__(project, syscall_library=None, syscall_addr_alignment=4, **kwargs)
syscall_cc(state)
Return type:

SimCCSyscall

syscall(state, allow_unsupported=True)

Given a state, return the procedure corresponding to the current syscall. This procedure will have .syscall_number, .display_name, and .addr set.

Parameters:
  • state – The state to get the syscall number from

  • allow_unsupported – Whether to return a “dummy” syscall instead of raising an unsupported exception

syscall_abi(state)

Optionally, override this function to determine which abi is being used for the state’s current syscall.

is_syscall_addr(addr)

Return whether or not the given address corresponds to a syscall implementation.

syscall_from_addr(addr, allow_unsupported=True)

Get a syscall SimProcedure from an address.

Parameters:
  • addr – The address to convert to a syscall SimProcedure

  • allow_unsupported – Whether to return a dummy procedure for an unsupported syscall instead of raising an exception.

Returns:

The SimProcedure for the syscall, or None if the address is not a syscall address.

syscall_from_number(number, allow_unsupported=True, abi=None)

Get a syscall SimProcedure from its number.

Parameters:
  • number – The syscall number

  • allow_unsupported – Whether to return a “stub” syscall for unsupported numbers instead of throwing an error

  • abi – The name of the abi to use. If None, will assume that the abis have disjoint numbering schemes and pick the right one.

Returns:

The SimProcedure for the syscall

class angr.simos.SimWindows

Bases: SimOS

Environment for the Windows Win32 subsystem. Does not support syscalls currently.

__init__(project)
property is_dump: bool
state_entry(args=None, env=None, argc=None, **kwargs)
syscall(state, allow_unsupported=True)

Given a state, return the procedure corresponding to the current syscall. This procedure will have .syscall_number, .display_name, and .addr set.

Parameters:
  • state – The state to get the syscall number from

  • allow_unsupported – Whether to return a “dummy” syscall instead of raising an unsupported exception

is_syscall_addr(addr)

Return whether or not the given address corresponds to a syscall implementation.

syscall_from_addr(addr, allow_unsupported=True)

Get a syscall SimProcedure from an address.

Parameters:
  • addr – The address to convert to a syscall SimProcedure

  • allow_unsupported – Whether to return a dummy procedure for an unsupported syscall instead of raising an exception.

Returns:

The SimProcedure for the syscall, or None if the address is not a syscall address.

initialize_segment_register_x64(state, concrete_target)

Set the gs register in the angr state to the value of the fs register in the concrete process.

Parameters:
  • state – state which will be modified

  • concrete_target – concrete target that will be used to read the fs register

Returns:

None

initialize_gdt_x86(state, concrete_target)

Create a GDT in the state memory and populate the segment registers.

Parameters:
  • state – state which will be modified

  • concrete_target – concrete target that will be used to read the fs register

Returns:

the created GlobalDescriptorTable object

get_segment_register_name()
