angr.state_plugins¶

angr.state_plugins.BP_IPDB(state)

Return type:: None
Parameters:: state (SimState)

angr.state_plugins.BP_IPYTHON(state)

Return type:: None
Parameters:: state (SimState)

class angr.state_plugins.GDB

Bases: SimStatePlugin

Initialize or update a state from gdb dumps of the stack, heap, registers and data (or arbitrary) segments.

__init__(omit_fp=False, adjust_stack=False)

Parameters:

omit_fp – The frame pointer register is used for something else. (i.e. –omit_frame_pointer)
adjust_stack – Use different stack addresses than the gdb session (not recommended).

set_stack(stack_dump, stack_top)

Stack dump is a dump of the stack from gdb, i.e. the result of the following gdb command :

dump binary memory [stack_dump] [begin_addr] [end_addr]

We set the stack to the same addresses as the gdb session to avoid pointers corruption.

Parameters:

stack_dump – The dump file.
stack_top – The address of the top of the stack in the gdb session.

set_heap(heap_dump, heap_base)

Heap dump is a dump of the heap from gdb, i.e. the result of the following gdb command:

dump binary memory [stack_dump] [begin] [end]

Parameters:

heap_dump – The dump file.
heap_base – The start address of the heap in the gdb session.

set_data(addr, data_dump): Update any data range (most likely use is the data segments of loaded objects)

set_regs(regs_dump)

Initialize register values within the state

Parameters:: regs_dump – The output of info registers in gdb.

class angr.state_plugins.CallStack

Bases: SimStatePlugin

Stores the address of the function you’re in and the value of SP at the VERY BOTTOM of the stack, i.e. points to the return address.

__init__(call_site_addr=0, func_addr=0, stack_ptr=0, ret_addr=0, jumpkind='Ijk_Call', next_frame=None, invoke_return_variable=None)

Parameters:: next_frame (Self | None)

copy_without_tail(memo)

property current_function_address

Address of the current function.

Returns:: the address of the function
Return type:: int

property current_stack_pointer

Get the value of the stack pointer.

Returns:: Value of the stack pointer
Return type:: int

property current_return_target

Get the return target.

Returns:: The address of return target.
Return type:: int

static stack_suffix_to_string(stack_suffix): Convert a stack suffix to a human-readable string representation. :type tuple stack_suffix: :param tuple stack_suffix: The stack suffix. :return: A string representation :rtype: str

property top: Self

Returns the element at the top of the callstack without removing it.

Returns:: A CallStack.

push(cf)

Push the frame cf onto the stack. Return the new stack.

Return type:: Self
Parameters:: cf (Self)

pop(): Pop the top frame from the stack. Return the new stack.

call(callsite_addr, addr, retn_target=None, stack_pointer=None)

Push a stack frame into the call stack. This method is called when calling a function in CFG recovery.

Parameters:

callsite_addr (int) – Address of the call site
addr (int) – Address of the call target
retn_target (int or None) – Address of the return target
stack_pointer (int) – Value of the stack pointer

Returns:

None

ret(retn_target=None)

Pop one or many call frames from the stack. This method is called when returning from a function in CFG recovery.

Parameters:: retn_target (int) – The target to return to.
Returns:: None

dbg_repr()

Debugging representation of this CallStack object.

Returns:: Details of this CalLStack
Return type:: str

stack_suffix(context_sensitivity_level)

Generate the stack suffix. A stack suffix can be used as the key to a SimRun in CFG recovery.

Parameters:: context_sensitivity_level (int) – Level of context sensitivity.
Returns:: A tuple of stack suffix.
Return type:: tuple[int | None, ...]

class angr.state_plugins.InspectAttrs

Bases: object

Per-event attributes published by the inspect machinery while a breakpoint is firing.

Each field is set on the active state before any matching breakpoint is checked, then cleared (back to None) after the event completes. Breakpoint actions read and write these fields through state.inspect.attrs to observe or override the in-flight event.

vex_lift_addr: Any = None¶

vex_lift_size: Any = None¶

vex_lift_buff: Any = None¶

mem_read_address: Any = None¶

mem_read_expr: Any = None¶

mem_read_length: Any = None¶

mem_read_condition: Any = None¶

mem_read_endness: Any = None¶

mem_write_address: Any = None¶

mem_write_expr: Any = None¶

mem_write_length: Any = None¶

mem_write_condition: Any = None¶

mem_write_endness: Any = None¶

reg_read_offset: Any = None¶

reg_read_expr: Any = None¶

reg_read_length: Any = None¶

reg_read_condition: Any = None¶

reg_read_endness: Any = None¶

reg_write_offset: Any = None¶

reg_write_expr: Any = None¶

reg_write_length: Any = None¶

reg_write_condition: Any = None¶

reg_write_endness: Any = None¶

tmp_read_num: Any = None¶

tmp_read_expr: Any = None¶

tmp_write_num: Any = None¶

tmp_write_expr: Any = None¶

expr: Any = None¶

expr_result: Any = None¶

statement: Any = None¶

instruction: Any = None¶

address: Any = None¶

added_constraints: Any = None¶

function_address: Any = None¶

exit_target: Any = None¶

exit_guard: Any = None¶

exit_jumpkind: Any = None¶

backtrace: Any = None¶

symbolic_name: Any = None¶

symbolic_size: Any = None¶

symbolic_expr: Any = None¶

address_concretization_strategy: Any = None¶

address_concretization_action: Any = None¶

address_concretization_memory: Any = None¶

address_concretization_expr: Any = None¶

address_concretization_result: Any = None¶

address_concretization_add_constraints: Any = None¶

syscall_name: Any = None¶

simprocedure_name: Any = None¶

simprocedure_addr: Any = None¶

simprocedure_result: Any = None¶

simprocedure: Any = None¶

dirty_name: Any = None¶

dirty_handler: Any = None¶

dirty_args: Any = None¶

dirty_result: Any = None¶

sim_engine: Any = None¶

sim_successors: Any = None¶

mapped_page: Any = None¶

mapped_address: Any = None¶

__init__(vex_lift_addr=None, vex_lift_size=None, vex_lift_buff=None, mem_read_address=None, mem_read_expr=None, mem_read_length=None, mem_read_condition=None, mem_read_endness=None, mem_write_address=None, mem_write_expr=None, mem_write_length=None, mem_write_condition=None, mem_write_endness=None, reg_read_offset=None, reg_read_expr=None, reg_read_length=None, reg_read_condition=None, reg_read_endness=None, reg_write_offset=None, reg_write_expr=None, reg_write_length=None, reg_write_condition=None, reg_write_endness=None, tmp_read_num=None, tmp_read_expr=None, tmp_write_num=None, tmp_write_expr=None, expr=None, expr_result=None, statement=None, instruction=None, address=None, added_constraints=None, function_address=None, exit_target=None, exit_guard=None, exit_jumpkind=None, backtrace=None, symbolic_name=None, symbolic_size=None, symbolic_expr=None, address_concretization_strategy=None, address_concretization_action=None, address_concretization_memory=None, address_concretization_expr=None, address_concretization_result=None, address_concretization_add_constraints=None, syscall_name=None, simprocedure_name=None, simprocedure_addr=None, simprocedure_result=None, simprocedure=None, dirty_name=None, dirty_handler=None, dirty_args=None, dirty_result=None, sim_engine=None, sim_successors=None, mapped_page=None, mapped_address=None)

Parameters:

vex_lift_addr (Any)
vex_lift_size (Any)
vex_lift_buff (Any)
mem_read_address (Any)
mem_read_expr (Any)
mem_read_length (Any)
mem_read_condition (Any)
mem_read_endness (Any)
mem_write_address (Any)
mem_write_expr (Any)
mem_write_length (Any)
mem_write_condition (Any)
mem_write_endness (Any)
reg_read_offset (Any)
reg_read_expr (Any)
reg_read_length (Any)
reg_read_condition (Any)
reg_read_endness (Any)
reg_write_offset (Any)
reg_write_expr (Any)
reg_write_length (Any)
reg_write_condition (Any)
reg_write_endness (Any)
tmp_read_num (Any)
tmp_read_expr (Any)
tmp_write_num (Any)
tmp_write_expr (Any)
expr (Any)
expr_result (Any)
statement (Any)
instruction (Any)
address (Any)
added_constraints (Any)
function_address (Any)
exit_target (Any)
exit_guard (Any)
exit_jumpkind (Any)
backtrace (Any)
symbolic_name (Any)
symbolic_size (Any)
symbolic_expr (Any)
address_concretization_strategy (Any)
address_concretization_action (Any)
address_concretization_memory (Any)
address_concretization_expr (Any)
address_concretization_result (Any)
address_concretization_add_constraints (Any)
syscall_name (Any)
simprocedure_name (Any)
simprocedure_addr (Any)
simprocedure_result (Any)
simprocedure (Any)
dirty_name (Any)
dirty_handler (Any)
dirty_args (Any)
dirty_result (Any)
sim_engine (Any)
sim_successors (Any)
mapped_page (Any)
mapped_address (Any)

Return type:

None

class angr.state_plugins.PTChunk

Bases: Chunk

A chunk, inspired by the implementation of chunks in ptmalloc. Provides a representation of a chunk via a view into the memory plugin. For the chunk definitions and docs that this was loosely based off of, see glibc malloc/malloc.c, line 1033, as of commit 5a580643111ef6081be7b4c7bd1997a5447c903f. Alternatively, take the following link. https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=67cdfd0ad2f003964cd0f7dfe3bcd85ca98528a7;hb=5a580643111ef6081be7b4c7bd1997a5447c903f#l1033

Variables:

base – the location of the base of the chunk in memory
state – the program state that the chunk is resident in
heap – the heap plugin that the chunk is managed by

__init__(base, sim_state, heap=None)

set_size(size, is_free=None)

Use this to set the size on a chunk. When the chunk is new (such as when a free chunk is shrunk to form an allocated chunk and a remainder free chunk) it is recommended that the is_free hint be used since setting the size depends on the chunk’s freeness, and vice versa.

Parameters:

size – size of the chunk
is_free – boolean indicating the chunk’s freeness

set_prev_freeness(is_free)

Sets (or unsets) the flag controlling whether the previous chunk is free.

Parameters:: is_free – if True, sets the previous chunk to be free; if False, sets it to be allocated

is_prev_free()

Returns a concrete state of the flag indicating whether the previous chunk is free or not. Issues a warning if that flag is symbolic and has multiple solutions, and then assumes that the previous chunk is free.

Returns:: True if the previous chunk is free; False otherwise

prev_size(): Returns the size of the previous chunk, masking off what would be the flag bits if it were in the actual size field. Performs NO CHECKING to determine whether the previous chunk size is valid (for example, when the previous chunk is not free, its size cannot be determined).

next_chunk()

Returns the chunk immediately following (and adjacent to) this one, if it exists.

Returns:: The following chunk, or None if applicable

prev_chunk()

Returns the chunk immediately prior (and adjacent) to this one, if that chunk is free. If the prior chunk is not free, then its base cannot be located and this method raises an error.

Returns:: If possible, the previous chunk; otherwise, raises an error

fwd_chunk()

Returns the chunk following this chunk in the list of free chunks. If this chunk is not free, then it resides in no such list and this method raises an error.

Returns:: If possible, the forward chunk; otherwise, raises an error

bck_chunk()

Returns the chunk backward from this chunk in the list of free chunks. If this chunk is not free, then it resides in no such list and this method raises an error.

Returns:: If possible, the backward chunk; otherwise, raises an error

class angr.state_plugins.PTChunkIterator

Bases: object

__init__(chunk, cond=<function PTChunkIterator.<lambda>>)

class angr.state_plugins.PosixDevFS: Bases: SimMount

class angr.state_plugins.PosixProcFS

Bases: SimMount

The virtual file system mounted at /proc (as of now, on Linux).

class angr.state_plugins.SimAction

Bases: SimEvent

A SimAction represents a semantic action that an analyzed program performs.

TMP = 'tmp'¶

REG = 'reg'¶

MEM = 'mem'¶

__init__(state, region_type)

Initializes the SimAction.

Parameters:: state – the state that’s the SimAction is taking place in.

property all_objects

property is_symbolic

property tmp_deps

property reg_deps

copy()

downsize(): Clears some low-level details (that take up memory) out of the SimAction.

class angr.state_plugins.SimActionConstraint

Bases: SimAction

A constraint action represents an extra constraint added during execution of a path.

property all_objects

property is_symbolic

class angr.state_plugins.SimActionData

Bases: SimAction

A Data action represents a read or a write from memory, registers or a file.

READ = 'read'¶

WRITE = 'write'¶

OPERATE = 'operate'¶

property all_objects

property is_symbolic

property tmp_deps

property reg_deps

property storage

class angr.state_plugins.SimActionExit

Bases: SimAction

An Exit action represents a (possibly conditional) jump.

CONDITIONAL = 'conditional'¶

DEFAULT = 'default'¶

property all_objects

property is_symbolic

class angr.state_plugins.SimActionObject

Bases: object

A SimActionObject tracks an AST and its dependencies.

__init__(ast, reg_deps=frozenset({}), tmp_deps=frozenset({}), deps=frozenset({}), state=None)

Parameters:

ast (Base)
reg_deps (frozenset[SimActionData | SimActionOperation])
tmp_deps (frozenset[SimActionData | SimActionOperation])
deps (frozenset)
state (SimState | None)

ast: Base

reg_deps: frozenset[SimActionData | SimActionOperation]

tmp_deps: frozenset[SimActionData | SimActionOperation]

to_claripy()

Return type:: Base

copy()

Return type:: SimActionObject

is_leaf()

Return type:: bool

property op: str

property args: tuple[Base | bool | int | float | str | FSort | tuple[Base | bool | int | float | str | FSort | tuple[ArgType] | None] | None, ...]

property length: int | None

property variables: frozenset[str]

property symbolic: bool

property annotations: tuple[Annotation, ...]

property depth: int

SDiv(other)

Return type:: SimActionObject

SMod(other)

Return type:: SimActionObject

union(other)

Return type:: SimActionObject

intersection(other)

Return type:: SimActionObject

widen(other)

Return type:: SimActionObject

raw_to_bv()

Return type:: SimActionObject

bv_to_fp()

Return type:: SimActionObject

class angr.state_plugins.SimActionOperation

Bases: SimAction

An action representing an operation between variables and/or constants.

property all_objects

property is_symbolic

class angr.state_plugins.SimDebugVariable

Bases: object

A SimDebugVariable will get dynamically created when queriyng for variable in a state with the SimDebugVariablePlugin. It features a link to the state, an address and a type.

__init__(state, addr, var_type)

Parameters:

state (SimState)
var_type (VariableType)

static from_cle_variable(state, cle_variable, dwarf_cfa)

Return type:

SimDebugVariable

Parameters:

state (SimState)
cle_variable (Variable)

property mem_untyped: SimMemView

property mem: SimMemView

property string: SimMemView

with_type(sim_type)

Return type:: SimMemView
Parameters:: sim_type (SimType)

property resolvable

property resolved

property concrete

store(value)

property deref: SimDebugVariable

array(i)

Return type:: SimDebugVariable

member(member_name)

Return type:: SimDebugVariable
Parameters:: member_name (str)

class angr.state_plugins.SimDebugVariablePlugin

Bases: SimStatePlugin

This is the plugin you’ll use to interact with (global/local) program variables. These variables have a name and a visibility scope which depends on the pc address of the state. With this plugin, you can access/modify the value of such variable or find its memory address. For creating program variables, or for importing them from cle, see the knowledge plugin debug_variables. Run p.kb.dvars.load_from_dwarf() before using this plugin.

Example

>>> p = angr.Project("various_variables", load_debug_info=True)
>>> p.kb.dvars.load_from_dwarf()
>>> state =  # navigate to the state you want
>>> state.dvars.get_variable("pointer2").deref.mem
<int (32 bits) <BV32 0x1> at 0x404020>

get_variable(var_name)

Returns the visible variable (if any) with name var_name based on the current state.ip.

Return type:: SimDebugVariable
Parameters:: var_name (str)

property dwarf_cfa: Returns the current cfa computation. Set this property to the correct value if needed.

property dwarf_cfa_approx

class angr.state_plugins.SimEvent

Bases: object

A SimEvent is a log entry for some notable event during symbolic execution. It logs the location it was generated (ins_addr, bbl_addr, stmt_idx, and sim_procedure) as well as arbitrary tags (objects).

You may also be interested in SimAction, which is a specialization of SimEvent for CPU events.

__init__(state, event_type, **kwargs)

class angr.state_plugins.SimFilesystem

Bases: SimStatePlugin

angr’s emulated filesystem. Available as state.fs. When constructing, all parameters are optional.

Parameters:

files – A mapping from filepath to SimFile
pathsep – The character used to separate path elements, default forward slash.
cwd – The path of the current working directory to use
mountpoints – A mapping from filepath to SimMountpoint

Variables:

pathsep – The current pathsep
cwd – The current working directory
unlinks – A list of unlink operations, tuples of filename and simfile. Be careful, this list is shallow-copied from successor to successor, so don’t mutate anything in it without copying.

__init__(files=None, pathsep=None, cwd=None, mountpoints=None)

property unlinks

chdir(path): Changes the current directory to the given path

get(path): Get a file from the filesystem. Returns a SimFile or None.

insert(path, simfile): Insert a file into the filesystem. Returns whether the operation was successful.

delete(path)

Remove a file from the filesystem. Returns whether the operation was successful.

This will add a fs_unlink event with the path of the file and also the index into the unlinks list.

mount(path, mount): Add a mountpoint to the filesystem.

unmount(path): Remove a mountpoint from the filesystem.

get_mountpoint(path)

Look up the mountpoint servicing the given path.

Returns:: A tuple of the mount and a list of path elements traversing from the mountpoint to the specified file.

class angr.state_plugins.SimHeapBase

Bases: SimStatePlugin

This is the base heap class that all heap implementations should subclass. It defines a few handlers for common heap functions (the libc memory management functions). Heap implementations are expected to override these functions regardless of whether they implement the SimHeapLibc interface. For an example, see the SimHeapBrk implementation, which is based on the original libc SimProcedure implementations.

Variables:

heap_base – the address of the base of the heap in memory
heap_size – the total size of the main memory region managed by the heap in memory
mmap_base – the address of the region from which large mmap allocations will be made

__init__(heap_base=None, heap_size=None)

class angr.state_plugins.SimHeapBrk

Bases: SimHeapBase

SimHeapBrk represents a trivial heap implementation based on the Unix brk system call. This type of heap stores virtually no metadata, so it is up to the user to determine when it is safe to release memory. This also means that it does not properly support standard heap operations like realloc.

This heap implementation is a holdover from before any more proper implementations were modelled. At the time, various libc (or win32) SimProcedures handled the heap in the same way that this plugin does now. To make future heap implementations plug-and-playable, they should implement the necessary logic themselves, and dependent SimProcedures should invoke a method by the same name as theirs (prepended with an underscore) upon the heap plugin. Depending on the heap implementation, if the method is not supported, an error should be raised.

Out of consideration for the original way the heap was handled, this plugin implements functionality for all relevant SimProcedures (even those that would not normally be supported together in a single heap implementation).

Variables:: heap_location – the address of the top of the heap, bounding the allocations made starting from heap_base

__init__(heap_base=None, heap_size=None)

allocate(sim_size)

The actual allocation primitive for this heap implementation. Increases the position of the break to allocate space. Has no guards against the heap growing too large.

Parameters:: sim_size – a size specifying how much to increase the break pointer by
Returns:: a pointer to the previous break position, above which there is now allocated space

release(sim_size)

The memory release primitive for this heap implementation. Decreases the position of the break to deallocate space. Guards against releasing beyond the initial heap base.

Parameters:: sim_size – a size specifying how much to decrease the break pointer by (may be symbolic or not)

class angr.state_plugins.SimHeapLibc

Bases: SimHeapBase

A class of heap that implements the major libc heap management functions.

malloc(sim_size)

A somewhat faithful implementation of libc malloc.

Parameters:: sim_size – the amount of memory (in bytes) to be allocated
Returns:: the address of the allocation, or a NULL pointer if the allocation failed

free(ptr)

A somewhat faithful implementation of libc free.

Parameters:: ptr – the location in memory to be freed

calloc(sim_nmemb, sim_size)

A somewhat faithful implementation of libc calloc.

Parameters:

sim_nmemb – the number of elements to allocated
sim_size – the size of each element (in bytes)

Returns:

the address of the allocation, or a NULL pointer if the allocation failed

realloc(ptr, size)

A somewhat faithful implementation of libc realloc.

Parameters:

ptr – the location in memory to be reallocated
size – the new size desired for the allocation

Returns:

the address of the allocation, or a NULL pointer if the allocation was freed or if no new allocation was made

class angr.state_plugins.SimHeapPTMalloc

Bases: SimHeapFreelist

A freelist-style heap implementation inspired by ptmalloc. The chunks used by this heap contain heap metadata in addition to user data. While the real-world ptmalloc is implemented using multiple lists of free chunks (corresponding to their different sizes), this more basic model uses a single list of chunks and searches for free chunks using a first-fit algorithm.

NOTE: The plugin must be registered using register_plugin with name heap in order to function properly.

Variables:

heap_base – the address of the base of the heap in memory
heap_size – the total size of the main memory region managed by the heap in memory
mmap_base – the address of the region from which large mmap allocations will be made
free_head_chunk – the head of the linked list of free chunks in the heap

__init__(heap_base=None, heap_size=None)

chunk_from_mem(ptr)

Given a pointer to a user payload, return the base of the chunk associated with that payload (i.e. the chunk pointer). Returns None if ptr is null.

Parameters:: ptr – a pointer to the base of a user payload in the heap
Returns:: a pointer to the base of the associated heap chunk, or None if ptr is null

class angr.state_plugins.SimHostFilesystem

Bases: SimConcreteFilesystem

Simulated mount that makes some piece from the host filesystem available to the guest.

Parameters:

host_path (str) – The path on the host to mount
pathsep (str) – The host path separator character, default os.path.sep

__init__(host_path=None, **kwargs)

class angr.state_plugins.SimInspector

Bases: SimStatePlugin

The breakpoint interface, used to instrument execution. For usage information, look here: https://docs.angr.io/core-concepts/simulation#breakpoints

BP_AFTER = 'after'¶

BP_BEFORE = 'before'¶

BP_BOTH = 'both'¶

__init__()

action(event_type, when, **kwargs)

Called from within the engine when events happens. This function checks all breakpoints registered for that event and fires the ones whose conditions match.

Return type:

None

Parameters:

event_type (EventType)
when (When)
kwargs (dict[str, Any])

make_breakpoint(event_type, when=When.BEFORE, enabled=True, condition=None, action=<function BP_IPDB>, **kwargs)

Creates and adds a breakpoint which would trigger on event_type. Additional arguments are passed to the BP constructor.

Returns:

The created breakpoint, so that it can be removed later.

Parameters:

event_type (EventType)
when (When)
enabled (bool)
condition (Callable[[SimState], bool] | None)
action (Action)
kwargs (dict[str, Any])

b(event_type, when=When.BEFORE, enabled=True, condition=None, action=<function BP_IPDB>, **kwargs)

Creates and adds a breakpoint which would trigger on event_type. Additional arguments are passed to the BP constructor.

Returns:

The created breakpoint, so that it can be removed later.

Parameters:

event_type (EventType)
when (When)
enabled (bool)
condition (Callable[[SimState], bool] | None)
action (Action)
kwargs (dict[str, Any])

add_breakpoint(event_type, bp)

Adds a breakpoint which would trigger on event_type.

Parameters:

event_type (EventType) – The event type to trigger on
bp (BP) – The breakpoint

Return type:

None

Returns:

The created breakpoint.

remove_breakpoint(event_type, bp=None, filter_func=None)

Removes a breakpoint.

Parameters:

bp (BP | None) – The breakpoint to remove.
filter_func (Callable[[BP], bool] | None) – A filter function to specify whether each breakpoint should be removed or not.
event_type (EventType)

Return type:

None

downsize()

Reset event-specific attributes on this plugin instance to save memory. This method is supposed to be called by breakpoint implementors. A typical workflow looks like the following:

>>> # Add `attr0` and `attr1` via the inspect machinery
>>> self.state.inspect(xxxxxx, attr0=yyyy, attr1=zzzz)
>>> # Get new attributes out of SimInspect in case they are modified by the user
>>> new_attr0 = self.state.inspect.attrs.attr0
>>> new_attr1 = self.state.inspect.attrs.attr1
>>> # Reset them
>>> self.state.inspect.downsize()

class angr.state_plugins.SimJavaVmClassloader

Bases: SimStatePlugin

JavaVM Classloader is used as an interface for resolving and initializing Java classes.

__init__(initialized_classes=None)

get_class(class_name, init_class=False, step_func=None)

Get a class descriptor for the class.

Parameters:

class_name (str) – Name of class.
init_class (bool) – Whether the class initializer <clinit> should be executed.
step_func (func) – Callback function executed at every step of the simulation manager during the execution of the main <clinit> method

get_superclass(class_): Get the superclass of the class.

get_class_hierarchy(base_class): Walks up the class hierarchy and returns a list of all classes between base class (inclusive) and java.lang.Object (exclusive).

is_class_initialized(class_): Indicates whether the classes initializing method <clinit> was already executed on the state.

init_class(class_, step_func=None)

This method simulates the loading of a class by the JVM, during which parts of the class (e.g. static fields) are initialized. For this, we run the class initializer method <clinit> (if available) and update the state accordingly.

Note: Initialization is skipped, if the class has already been: initialized (or if it’s not loaded in CLE).

property initialized_classes: List of all initialized classes.

class angr.state_plugins.SimLightRegisters

Bases: SimStatePlugin

__init__(reg_map=None, registers=None)

resolve_register(offset, size)

load(offset, size=None, **kwargs)

store(offset, value, size=None, endness=None, **kwargs)

class angr.state_plugins.SimMemView

Bases: SimStatePlugin

This is a convenient interface with which you can access a program’s memory.

The interface works like this:

You first use [array index notation] to specify the address you’d like to load from

If at that address is a pointer, you may access the deref property to return a SimMemView at the address present in memory.

You then specify a type for the data by simply accessing a property of that name. For a list of supported types, look at state.mem.types.

You can then refine the type. Any type may support any refinement it likes. Right now the only refinements supported are that you may access any member of a struct by its member name, and you may index into a string or array to access that element.

If the address you specified initially points to an array of that type, you can say .array(n) to view the data as an array of n elements.

Finally, extract the structured data with .resolved or .concrete. .resolved will return bitvector values, while .concrete will return integer, string, array, etc values, whatever best represents the data.

Alternately, you may store a value to memory, by assigning to the chain of properties that you’ve constructed. Note that because of the way python works, x = s.mem[...].prop; x = val will NOT work, you must say s.mem[...].prop = val.

For example:

>>> s.mem[0x601048].long
<long (64 bits) <BV64 0x4008d0> at 0x601048>
>>> s.mem[0x601048].long.resolved
<BV64 0x4008d0>
>>> s.mem[0x601048].deref
<<untyped> <unresolvable> at 0x4008d0>
>>> s.mem[0x601048].deref.string.concrete
'SOSNEAKY'

__init__(ty=None, addr=None, state=None)

types: ClassVar[dict] = {'CharT': char, 'DIR': struct DIR, 'FILE': struct FILE, 'FILE_t': struct FILE_t, '_Bool': bool, '_ENTRY': struct _ENTRY, '_IO_codecvt': struct _IO_codecvt, '_IO_iconv_t': struct _IO_iconv_t, '_IO_lock_t': struct pthread_mutex_t, '_IO_marker': struct _IO_marker, '_IO_wide_data': struct _IO_wide_data, '__action_fn_t': __action_fn_t, '__clock_t': uint32_t, '__dev_t': uint64_t, '__free_fn_t': __free_fn_t, '__ftw_func_t': __ftw_func_t, '__gid_t': unsigned int, '__ino64_t': unsigned long long, '__ino_t': unsigned long, '__int128': int128_t, '__int256': int256_t, '__int32': int, '__int64': long long, '__mbstate_t': struct __mbstate_t, '__mode_t': unsigned int, '__nlink_t': unsigned int, '__off64_t': long long, '__off_t': long, '__pid_t': int, '__suseconds_t': int64_t, '__time_t': long, '__uid_t': unsigned int, '_obstack_chunk': struct _obstack_chunk, 'aiocb': struct aiocb, 'aiocb64': struct aiocb64, 'aioinit': struct aioinit, 'argp': struct argp, 'argp_child': struct argp_child, 'argp_option': struct argp_option, 'argp_parser_t': (int, char *, struct argp_state*) -> int, 'argp_state': struct argp_state, 'basic_string': string_t, 'bool': bool, 'byte': uint8_t, 'cc_t': char, 'char': char, 'clock_t': uint32_t, 'comparison_fn_t': comparison_fn_t, 'crypt_data': struct crypt_data, 'dev_t': int, 'dirent': struct dirent, 'dirent64': struct dirent64, 'double': double, 'drand48_data': struct <anon>, 'dword': uint32_t, 'error_t': int, 'exit_status': struct exit_status, 'fd_set': struct fd_set, 'float': float, 'fpos64_t': struct fpos64_t, 'fpos_t': struct fpos_t, 'fstab': struct fstab, 'glob64_t': struct glob64_t, 'glob_t': struct glob_t, 'group': struct group, 'hostent': struct hostent, 'hsearch_data': struct hsearch_data, 'if_nameindex': struct if_nameindex, 'in_addr': struct in_addr, 'in_port_t': uint16_t, 'ino64_t': unsigned long long, 'ino_t': unsigned long, 'int': int, 'int16_t': int16_t, 'int32_t': int32_t, 'int64_t': int64_t, 'int8_t': int8_t, 'iovec': struct <anon>, 'itimerval': struct itimerval, 'lconv': struct lconv, 'long': long, 'long double': double, 'long int': long, 'long long': long long, 'long long int': long long, 'long signed': long, 'long unsigned int': unsigned long, 'mallinfo': struct mallinfo, 'mallinfo2': struct mallinfo2, 'mbstate_t': struct mbstate_t, 'mntent': struct mntent, 'mode_t': unsigned int, 'netent': struct netent, 'ntptimeval': struct ntptimeval, 'obstack': struct obstack, 'off64_t': long long, 'off_t': long, 'option': struct option, 'passwd': struct passwd, 'pid_t': int, 'printf_info': struct printf_info, 'protoent': struct protoent, 'ptrdiff_t': long, 'qword': uint64_t, 'random_data': struct <anon>, 'regex_t': struct regex_t, 'rlim64_t': uint64_t, 'rlim_t': unsigned long, 'rlimit': struct rlimit, 'rlimit64': struct rlimit64, 'rusage': struct rusage, 'sa_family_t': unsigned short, 'sched_param': struct sched_param, 'sem_t': int, 'sembuf': struct sembuf, 'servent': struct servent, 'sgttyb': struct sgttyb, 'short': short, 'short int': short, 'sigevent': struct sigevent, 'sighandler_t': sighandler_t, 'signed': int, 'signed char': char, 'signed int': int, 'signed long': long, 'signed long int': long, 'signed long long': long long, 'signed long long int': long long, 'signed short': short, 'signed short int': short, 'sigset_t': int, 'sigstack': struct sigstack, 'sigval': union sigval { sival_int int; sival_ptr void *; }, 'size_t': size_t, 'sockaddr': struct sockaddr, 'sockaddr_in': struct sockaddr_in, 'socklen_t': uint32_t, 'speed_t': long, 'ssize': size_t, 'ssize_t': size_t, 'std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>': string_t, 'string': string_t, 'struct iovec': struct <anon>, 'struct stat': struct stat, 'struct stat64': struct stat64, 'struct timespec': struct timespec, 'struct timeval': struct timeval, 'tcflag_t': unsigned long, 'termios': struct termios, 'time_t': long, 'timespec': struct timeval, 'timeval': struct timeval, 'timex': struct timex, 'timezone': struct timezone, 'tm': struct tm, 'tms': struct tms, 'uint16_t': uint16_t, 'uint32_t': uint32_t, 'uint64_t': uint64_t, 'uint8_t': uint8_t, 'uintptr_t': unsigned long, 'unsigned': unsigned int, 'unsigned __int128': uint128_t, 'unsigned __int256': uint256_t, 'unsigned char': char, 'unsigned int': unsigned int, 'unsigned long': unsigned long, 'unsigned long int': unsigned long, 'unsigned long long': unsigned long long, 'unsigned long long int': unsigned long long, 'unsigned short': unsigned short, 'unsigned short int': unsigned short, 'utimbuf': struct utimbuf, 'utmp': struct utmp, 'utmpx': struct utmx, 'utsname': struct utsname, 'va_list': struct va_list[1], 'void': void, 'vtimes': struct vtimes, 'wchar_t': short, 'wctype_t': int, 'winsize': struct winsize, 'wint_t': int, 'word': uint16_t, 'wstring': wstring_t}¶

state: SimState[Any, Any] = None¶

struct: StructMode

with_type(sim_type)

Returns a copy of the SimMemView with a type.

Parameters:: sim_type (SimType) – The new type.
Return type:: SimMemView
Returns:: The typed SimMemView copy.

property resolvable

property resolved

property concrete

property deref: SimMemView

array(n)

Return type:: SimMemView

member(member_name)

If self is a struct and member_name is a member of the struct, return that member element. Otherwise raise an exception.

Return type:: SimMemView
Parameters:: member_name (str)

store(value)

class angr.state_plugins.SimMount

Bases: SimStatePlugin

This is the base class for “mount points” in angr’s simulated filesystem. Subclass this class and give it to the filesystem to intercept all file creations and opens below the mountpoint. Since this a SimStatePlugin you may also want to implement set_state, copy, merge, etc.

get(path_elements)

Implement this function to instrument file lookups.

Parameters:: path_elements – A list of path elements traversing from the mountpoint to the file
Returns:: A SimFile, or None

insert(path_elements, simfile)

Implement this function to instrument file creation.

Parameters:

path_elements – A list of path elements traversing from the mountpoint to the file
simfile – The file to insert

Returns:

A bool indicating whether the insert occurred

delete(path_elements)

Implement this function to instrument file deletion.

Parameters:: path_elements – A list of path elements traversing from the mountpoint to the file
Returns:: A bool indicating whether the delete occurred

lookup(sim_file)

Look up the path of a SimFile in the mountpoint

Parameters:: sim_file – A SimFile object needs to be looked up
Returns:: A string representing the path of the file in the mountpoint Or None if the SimFile does not exist in the mountpoint

class angr.state_plugins.SimRegNameView

Bases: SimStatePlugin

get(reg_name)

class angr.state_plugins.SimSolver

Bases: SimStatePlugin

This is the plugin you’ll use to interact with symbolic variables, creating them and evaluating them. It should be available on a state as state.solver.

Any top-level variable of the claripy module can be accessed as a property of this object.

__init__(solver=None, all_variables=None, temporal_tracked_variables=None, eternal_tracked_variables=None)

reload_solver(constraints=None)

Reloads the solver. Useful when changing solver options.

Parameters:: constraints (list) – A new list of constraints to use in the reloaded solver instead of the current one

get_variables(*keys)

Iterate over all variables for which their tracking key is a prefix of the values provided.

Elements are a tuple, the first element is the full tracking key, the second is the symbol.

>>> list(s.solver.get_variables('mem'))
[(('mem', 0x1000), <BV64 mem_1000_4_64>), (('mem', 0x1008), <BV64 mem_1008_5_64>)]

>>> list(s.solver.get_variables('file'))
[(('file', 1, 0), <BV8 file_1_0_6_8>), (('file', 1, 1), <BV8 file_1_1_7_8>),
    (('file', 2, 0), <BV8 file_2_0_8_8>)]

>>> list(s.solver.get_variables('file', 2))
[(('file', 2, 0), <BV8 file_2_0_8_8>)]

>>> list(s.solver.get_variables())
[(('mem', 0x1000), <BV64 mem_1000_4_64>), (('mem', 0x1008), <BV64 mem_1008_5_64>),
    (('file', 1, 0), <BV8 file_1_0_6_8>), (('file', 1, 1), <BV8 file_1_1_7_8>),
    (('file', 2, 0), <BV8 file_2_0_8_8>)]

register_variable(v, key, eternal=True)

Parameters:

v – The BVS to register
key – A tuple to register the variable under

Parma eternal:

Whether this is an eternal variable, default True. If False, an incrementing counter will be appended to the key.

describe_variables(v): Given an AST, iterate over all the keys of all the BVS leaves in the tree which are registered.

Unconstrained(name, bits, uninitialized=True, inspect=True, events=True, key=None, eternal=False, uc_alloc_depth=None, **kwargs)

Creates an unconstrained symbol or a default concrete value (0), based on the state options.

Parameters:

name – The name of the symbol.
bits – The size (in bits) of the symbol.
uninitialized – Whether this value should be counted as an “uninitialized” value in the course of an analysis.
inspect – Set to False to avoid firing SimInspect breakpoints
events – Set to False to avoid generating a SimEvent for the occasion
key – Set this to a tuple of increasingly specific identifiers (for example, ('mem', 0xffbeff00) or ('file', 4, 0x20) to cause it to be tracked, i.e. accessible through solver.get_variables.
eternal – Set to True in conjunction with setting a key to cause all states with the same ancestry to retrieve the same symbol when trying to create the value. If False, a counter will be appended to the key.

Returns:

an unconstrained symbol (or a concrete value of 0).

BVS(name, size, min=None, max=None, stride=None, uninitialized=False, explicit_name=False, key=None, eternal=False, inspect=True, events=True, **kwargs)

Creates a bit-vector symbol (i.e., a variable). Other keyword parameters are passed directly on to the constructor of claripy.ast.BV.

Parameters:

name – The name of the symbol.
size – The size (in bits) of the bit-vector.
min – The minimum value of the symbol. Note that this only work when using VSA.
max – The maximum value of the symbol. Note that this only work when using VSA.
stride – The stride of the symbol. Note that this only work when using VSA.
uninitialized – Whether this value should be counted as an “uninitialized” value in the course of an analysis.
explicit_name – Set to True to prevent an identifier from appended to the name to ensure uniqueness.
key – Set this to a tuple of increasingly specific identifiers (for example, ('mem', 0xffbeff00) or ('file', 4, 0x20) to cause it to be tracked, i.e. accessible through solver.get_variables.
eternal – Set to True in conjunction with setting a key to cause all states with the same ancestry to retrieve the same symbol when trying to create the value. If False, a counter will be appended to the key.
inspect – Set to False to avoid firing SimInspect breakpoints
events – Set to False to avoid generating a SimEvent for the occasion

Returns:

A BV object representing this symbol.

downsize(): Frees memory associated with the constraint solver by clearing all of its internal caches.

property constraints: Returns the constraints of the state stored by the solver.

eval_to_ast(e, n, extra_constraints=(), exact=None)

Evaluate an expression, using the solver if necessary. Returns AST objects.

Parameters:

e – the expression
n – the number of desired solutions
extra_constraints – extra constraints to apply to the solver
exact – if False, returns approximate solutions

Returns:

a tuple of the solutions, in the form of claripy AST nodes

Return type:

tuple

max(e, extra_constraints=(), exact=None, signed=False)

Return the maximum value of expression e.

:param e : expression (an AST) to evaluate :type extra_constraints: :param extra_constraints: extra constraints (as ASTs) to add to the solver for this solve :param exact : if False, return approximate solutions. :param signed : Whether the expression should be treated as a signed value. :return: the maximum possible value of e (backend object)

min(e, extra_constraints=(), exact=None, signed=False)

Return the minimum value of expression e.

solution(e, v, extra_constraints=(), exact=None)

Return True if v is a solution of expr with the extra constraints, False otherwise.

Parameters:

e – An expression (an AST) to evaluate
v – The proposed solution (an AST)
extra_constraints – Extra constraints (as ASTs) to add to the solver for this solve.
exact – If False, return approximate solutions.

Returns:

True if v is a solution of expr, False otherwise

is_true(e, extra_constraints=(), exact=None)

If the expression provided is absolutely, definitely a true boolean, return True. Note that returning False doesn’t necessarily mean that the expression can be false, just that we couldn’t figure that out easily.

Parameters:

e – An expression (an AST) to evaluate
extra_constraints – Extra constraints (as ASTs) to add to the solver for this solve.
exact – If False, return approximate solutions.

Returns:

True if v is definitely true, False otherwise

is_false(e, extra_constraints=(), exact=None)

If the expression provided is absolutely, definitely a false boolean, return True. Note that returning False doesn’t necessarily mean that the expression can be true, just that we couldn’t figure that out easily.

Parameters:

e – An expression (an AST) to evaluate
extra_constraints – Extra constraints (as ASTs) to add to the solver for this solve.
exact – If False, return approximate solutions.

Returns:

True if v is definitely false, False otherwise

unsat_core(extra_constraints=())

This function returns the unsat core from the backend solver.

Parameters:: extra_constraints – Extra constraints (as ASTs) to add to the solver for this solve.
Returns:: The unsat core.

satisfiable(extra_constraints=(), exact=None)

This function does a constraint check and checks if the solver is in a sat state.

Parameters:

extra_constraints – Extra constraints (as ASTs) to add to s for this solve
exact – If False, return approximate solutions.

Returns:

True if sat, otherwise false

add(*constraints)

Add some constraints to the solver.

Parameters:: constraints – Pass any constraints that you want to add (ASTs) as varargs.

CastType = ~CastType

eval_upto(e, n, cast_to=None, **kwargs)

Overloads:

self, e (claripy.ast.BV), n (int), cast_to (None), kwargs → list[int]
self, e (claripy.ast.BV), n (int), cast_to (type[CastType]), kwargs → list[CastType]
self, e (claripy.ast.Bool), n (int), cast_to (None), kwargs → list[bool]
self, e (claripy.ast.Bool), n (int), cast_to (type[CastType]), kwargs → list[CastType]
self, e (claripy.ast.FP), n (int), cast_to (None), kwargs → list[float]
self, e (claripy.ast.FP), n (int), cast_to (type[CastType]), kwargs → list[CastType]

Evaluate an expression, using the solver if necessary. Returns primitives as specified by the cast_to parameter. Only certain primitives are supported, check the implementation of _cast_to to see which ones.

Parameters:

e – the expression
n – the number of desired solutions
extra_constraints – extra constraints to apply to the solver
exact – if False, returns approximate solutions
cast_to – desired type of resulting values

Returns:

a tuple of the solutions, in the form of Python primitives

Return type:

tuple

eval(e, cast_to=None, **kwargs)

Overloads:

self, e (claripy.ast.BV), cast_to (None), kwargs → int
self, e (claripy.ast.BV), cast_to (type[CastType]), kwargs → CastType
self, e (claripy.ast.Bool), cast_to (None), kwargs → bool
self, e (claripy.ast.Bool), cast_to (type[CastType]), kwargs → CastType
self, e (claripy.ast.FP), cast_to (None), kwargs → float
self, e (claripy.ast.FP), cast_to (type[CastType]), kwargs → CastType

Evaluate an expression to get any possible solution. The desired output types can be specified using the cast_to parameter. extra_constraints can be used to specify additional constraints the returned values must satisfy.

Parameters:

e – the expression to get a solution for
kwargs – Any additional kwargs will be passed down to eval_upto
cast_to – desired type of resulting values

Raises:

SimUnsatError – if no solution could be found satisfying the given constraints

Returns:

eval_one(e, cast_to=None, **kwargs)

Overloads:

self, e (claripy.ast.BV), cast_to (None), kwargs → int
self, e (claripy.ast.BV), cast_to (type[CastType]), kwargs → CastType
self, e (claripy.ast.Bool), cast_to (None), kwargs → bool
self, e (claripy.ast.Bool), cast_to (type[CastType]), kwargs → CastType
self, e (claripy.ast.FP), cast_to (None), kwargs → float
self, e (claripy.ast.FP), cast_to (type[CastType]), kwargs → CastType

Evaluate an expression to get the only possible solution. Errors if either no or more than one solution is returned. A kwarg parameter default can be specified to be returned instead of failure!

Parameters:

e – the expression to get a solution for
cast_to – desired type of resulting values
default – A value can be passed as a kwarg here. It will be returned in case of failure.
kwargs – Any additional kwargs will be passed down to eval_upto

Raises:

SimUnsatError – if no solution could be found satisfying the given constraints
SimValueError – if more than one solution was found to satisfy the given constraints

Returns:

The value for e

eval_atmost(e, n, cast_to=None, **kwargs)

Overloads:

self, e (claripy.ast.BV), n (int), cast_to (None), kwargs → list[int]
self, e (claripy.ast.BV), n (int), cast_to (type[CastType]), kwargs → list[CastType]
self, e (claripy.ast.Bool), n (int), cast_to (None), kwargs → list[bool]
self, e (claripy.ast.Bool), n (int), cast_to (type[CastType]), kwargs → list[CastType]
self, e (claripy.ast.FP), n (int), cast_to (None), kwargs → list[float]
self, e (claripy.ast.FP), n (int), cast_to (type[CastType]), kwargs → list[CastType]

Evaluate an expression to get at most n possible solutions. Errors if either none or more than n solutions are returned.

Parameters:

e – the expression to get a solution for
n – the inclusive upper limit on the number of solutions
cast_to – desired type of resulting values
kwargs – Any additional kwargs will be passed down to eval_upto

Raises:

SimUnsatError – if no solution could be found satisfying the given constraints
SimValueError – if more than n solutions were found to satisfy the given constraints

Returns:

The solutions for e

eval_atleast(e, n, cast_to=None, **kwargs)

Overloads:

self, e (claripy.ast.BV), n (int), cast_to (None), kwargs → list[int]
self, e (claripy.ast.BV), n (int), cast_to (type[CastType]), kwargs → list[CastType]
self, e (claripy.ast.Bool), n (int), cast_to (None), kwargs → list[bool]
self, e (claripy.ast.Bool), n (int), cast_to (type[CastType]), kwargs → list[CastType]
self, e (claripy.ast.FP), n (int), cast_to (None), kwargs → list[float]
self, e (claripy.ast.FP), n (int), cast_to (type[CastType]), kwargs → list[CastType]

Evaluate an expression to get at least n possible solutions. Errors if less than n solutions were found.

Parameters:

e – the expression to get a solution for
n – the inclusive lower limit on the number of solutions
cast_to – desired type of resulting values
kwargs – Any additional kwargs will be passed down to eval_upto

Raises:

SimUnsatError – if no solution could be found satisfying the given constraints
SimValueError – if less than n solutions were found to satisfy the given constraints

Returns:

The solutions for e

eval_exact(e, n, cast_to=None, **kwargs)

Overloads:

self, e (claripy.ast.BV), n (int), cast_to (None), kwargs → list[int]
self, e (claripy.ast.BV), n (int), cast_to (type[CastType]), kwargs → list[CastType]
self, e (claripy.ast.Bool), n (int), cast_to (None), kwargs → list[bool]
self, e (claripy.ast.Bool), n (int), cast_to (type[CastType]), kwargs → list[CastType]
self, e (claripy.ast.FP), n (int), cast_to (None), kwargs → list[float]
self, e (claripy.ast.FP), n (int), cast_to (type[CastType]), kwargs → list[CastType]

Evaluate an expression to get exactly the n possible solutions. Errors if any number of solutions other than n was found to exist.

Parameters:

e – the expression to get a solution for
n – the inclusive lower limit on the number of solutions
cast_to – desired type of resulting values
kwargs – Any additional kwargs will be passed down to eval_upto

Raises:

SimUnsatError – if no solution could be found satisfying the given constraints
SimValueError – if any number of solutions other than n were found to satisfy the given constraints

Returns:

The solutions for e

min_int(e, extra_constraints=(), exact=None, signed=False)

Return the minimum value of expression e.

max_int(e, extra_constraints=(), exact=None, signed=False)

Return the maximum value of expression e.

unique(e, **kwargs): Returns True if the expression e has only one solution by querying the constraint solver. It does also add that unique solution to the solver’s constraints.

symbolic(e): Returns True if the expression e is symbolic.

single_valued(e): Returns True whether e is a concrete value or is a value set with only 1 possible value. This differs from unique in that this does not query the constraint solver.

simplify(e=None): Simplifies e. If e is None, simplifies the constraints of this state.

variables(e): Returns the symbolic variables present in the AST of e.

class angr.state_plugins.SimStateCGC

Bases: SimStatePlugin

This state plugin keeps track of CGC state.

EBADF = 1¶

EFAULT = 2¶

EINVAL = 3¶

ENOMEM = 4¶

ENOSYS = 5¶

EPIPE = 6¶

FD_SETSIZE = 1024¶

max_allocation = 268435456¶

__init__()

peek_input()

discard_input(num_bytes)

peek_output()

discard_output(num_bytes)

addr_invalid(a)

get_max_sinkhole(length)

Find a sinkhole which is large enough to support length bytes.

This uses first-fit. The first sinkhole (ordered in descending order by their address) which can hold length bytes is chosen. If there are more than length bytes in the sinkhole, a new sinkhole is created representing the remaining bytes while the old sinkhole is removed.

add_sinkhole(address, length)

Add a sinkhole.

Allow the possibility for the program to reuse the memory represented by the address length pair.

class angr.state_plugins.SimStateEdgeHitmap

Bases: SimStatePlugin

A state plugin that stores AFL-style edge hitmap coverage data.

This plugin is used by the Icicle engine to track edge coverage during concrete execution. It stores the hitmap as raw bytes, which can be efficiently passed to and from the Icicle emulator.

This plugin is NOT registered as a default plugin - it must be explicitly added to states that need edge coverage tracking.

HITMAP_SIZE = 65536¶

__init__(edge_hitmap=None)

Initialize the edge hitmap plugin.

Parameters:: edge_hitmap (bytes | None) – Initial edge hitmap bytes, or None to start with a zeroed hitmap.

copy(memo)

Create a copy of the plugin.

Parameters:: memo – Memoization dictionary to avoid duplicate copies.
Returns:: A new SimStateEdgeHitmap instance with a copy of the hitmap.

merge(others, merge_conditions, common_ancestor=None)

Merge multiple hitmap plugins.

For coverage tracking, we OR the hitmaps together to preserve all observed edges.

Parameters:

others – Other plugin instances to merge with.
merge_conditions – Symbolic conditions for each merge branch.
common_ancestor – Common ancestor plugin instance.

Returns:

True if merge was successful.

widen(others)

Widening operation for static analysis.

Parameters:: others – Other plugin instances.
Returns:: False, widening is not meaningful for hitmaps.

class angr.state_plugins.SimStateGlobals

Bases: SimStatePlugin

__init__(backer=None)

keys()

values()

items()

get(k, alt=None)

pop(k, alt=None)

class angr.state_plugins.SimStateHistory

Bases: SimStatePlugin

This class keeps track of historically-relevant information for paths.

STRONGREF_STATE = True¶

__init__(parent=None, clone=None)

set_strongref_state(state)

property addr

trim(): Discard the ancestry of this state.

filter_actions(start_block_addr=None, end_block_addr=None, block_stmt=None, insn_addr=None, read_from=None, write_to=None)

Filter self.actions based on some common parameters.

[start_block_addr, end_block_addr]

Parameters:

start_block_addr – Only return actions generated in blocks starting at this address.
end_block_addr – Only return actions generated in blocks ending at this address.
block_stmt – Only return actions generated in the nth statement of each block.
insn_addr – Only return actions generated in the assembly instruction at this address.
read_from – Only return actions that perform a read from the specified location.
write_to – Only return actions that perform a write to the specified location.

Notes: If IR optimization is turned on, reads and writes may not occur in the instruction they originally came from. Most commonly, If a register is read from twice in the same block, the second read will not happen, instead reusing the temp the value is already stored in.

Valid values for read_from and write_to are the string literals ‘reg’ or ‘mem’ (matching any read or write to registers or memory, respectively), any string (representing a read or write to the named register), and any integer (representing a read or write to the memory at this address).

demote(): Demotes this history node, causing it to drop the strong state reference.

reachable()

add_event(event_type, **kwargs)

add_action(action)

extend_actions(new_actions)

subscribe_actions()

property recent_constraints

property recent_actions

property block_count

property lineage

property parents

property events: Reversible[SimEvent]

property actions: Reversible[SimAction]

property jumpkinds: Reversible[str]

property jump_guards: Reversible[Bool]

property jump_targets

property jump_sources

property descriptions: Reversible[str]

property bbl_addrs: Reversible[int]

property ins_addrs: Reversible[int]

property stack_actions

property last_edge_hitmap: bytes | None: Returns the last edge hitmap in the history chain, or None if there is no edge hitmap.

closest_common_ancestor(other)

Find the common ancestor between this history node and ‘other’.

Parameters:: other – the PathHistory to find a common ancestor with.
Returns:: the common ancestor SimStateHistory, or None if there isn’t one

constraints_since(other)

Returns the constraints that have been accumulated since other.

Parameters:: other – a prior PathHistory object
Returns:: a list of constraints

make_child()

class angr.state_plugins.SimStateIcicle

Bases: SimStatePlugin

Engine-internal plugin for IcicleEngine continuation detection.

Attached to states produced by IcicleEngine.process(). Owns the VM and the metadata the engine needs to decide whether the next call is a lightweight continuation or requires a full snapshot restore.

__init__(vm_ref=None, generation=None, base_translation_data=None, translation_data=None, dirty_pages=None)

Parameters:

vm_ref (IcicleVMRef | None)
generation (int | None)
base_translation_data (IcicleStateTranslationData | None)
translation_data (IcicleStateTranslationData | None)
dirty_pages (set[int] | None)

property is_live: bool: True when the VM is still positioned where this state last left it.

class angr.state_plugins.SimStateJNIReferences

Bases: SimStatePlugin

Management of the mapping between opaque JNI references and the corresponding Java objects.

__init__(local_refs=None, global_refs=None)

lookup(opaque_ref): Lookups the object that was used for creating the reference.

create_new_reference(obj, global_ref=False)

Create a new reference thats maps to the given object.

Parameters:

obj – Object which gets referenced.
global_ref (bool) – Whether a local or global reference is created.

clear_local_references(): Clear all local references.

delete_reference(opaque_ref, global_ref=False)

Delete the stored mapping of a reference.

Parameters:

opaque_ref – Reference which should be removed.
global_ref (bool) – Whether opaque_ref is a local or global reference.

class angr.state_plugins.SimStateLibc

Bases: SimStatePlugin

This state plugin keeps track of various libc stuff:

LOCALE_ARRAY = [b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x03 ', b'\x02 ', b'\x02 ', b'\x02 ', b'\x02 ', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x02\x00', b'\x01`', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x08\xd8', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x08\xd5', b'\x08\xd5', b'\x08\xd5', b'\x08\xd5', b'\x08\xd5', b'\x08\xd5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x08\xc5', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x08\xd6', b'\x08\xd6', b'\x08\xd6', b'\x08\xd6', b'\x08\xd6', b'\x08\xd6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x08\xc6', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x04\xc0', b'\x02\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00', b'\x00\x00']¶

TOLOWER_LOC_ARRAY = [128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 4294967295, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255]¶

TOUPPER_LOC_ARRAY = [128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 4294967295, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255]¶

__init__()

property errno

ret_errno(val)

class angr.state_plugins.SimStateLog

Bases: SimStatePlugin

__init__(log=None)

property actions

add_event(event_type, **kwargs)

add_action(action)

extend_actions(new_actions)

events_of_type(event_type)

actions_of_type(action_type)

property fresh_constraints

clear()

class angr.state_plugins.SimStateLoopData

Bases: SimStatePlugin

This class keeps track of loop-related information for states. Note that we have 2 counters for loop iterations (trip counts): the first recording the number of times one of the back edges (or continue edges) of a loop is taken, whereas the second recording the number of times the loop header (or loop entry) is executed. These 2 counters may differ since compilers usually optimize loops hence completely change the loop structure at the binary level. This is supposed to be used with LoopSeer exploration technique, which monitors loop execution. For the moment, the only thing we want to analyze is loop trip counts, but nothing prevents us from extending this plugin for other loop analyses.

__init__(back_edge_trip_counts=None, header_trip_counts=None, current_loop=None)

Parameters:

back_edge_trip_counts – Dictionary that stores back edge based trip counts for each loop. Keys are address of loop headers.
header_trip_counts – Dictionary that stores header based trip counts for each loop. Keys are address of loop headers.
current_loop – List of currently running loops. Each element is a tuple (loop object, list of loop exits).

class angr.state_plugins.SimStatePlugin

Bases: object

This is a base class for SimState plugins. A SimState plugin will be copied along with the state when the state is branched. They are intended to be used for things such as tracking open files, tracking heap details, and providing storage and persistence for SimProcedures.

STRONGREF_STATE = False¶

__init__()

Return type:: None

state: SimState[Any, Any]

set_state(state)

Sets a new state (for example, if the state has been branched)

Return type:: None

set_strongref_state(state)

Return type:: None

static memo(f)

A decorator function you should apply to copy

Return type:: _CopyFunc[TypeVar(S_co)]
Parameters:: f (Callable[[Any, dict[int, Any]], S_co])

copy(_memo)

Should return a copy of the plugin without any state attached. Should check the memo first, and add itself to memo if it ends up making a new copy.

In order to simplify using the memo, you should annotate implementations of this function with SimStatePlugin.memo

The base implementation of this function constructs a new instance of the plugin’s class without calling its initializer. If you super-call down to it, make sure you instantiate all the fields in your copy method!

Parameters:

memo – A dictionary mapping object identifiers (id(obj)) to their copied instance. Use this to avoid infinite recursion and diverged copies.
_memo (dict[int, Any])

Return type:

SimStatePlugin

merge(others, merge_conditions, common_ancestor=None)

Should merge the state plugin with the provided others. This will be called by state.merge() after copying the target state, so this should mutate the current instance to merge with the others.

Note that when multiple instances of a single plugin object (for example, a file) are referenced in the state, it is important that merge only ever be called once. This should be solved by designating one of the plugin’s referees as the “real owner”, who should be the one to actually merge it. This technique doesn’t work to resolve the similar issue that arises during copying because merging doesn’t produce a new reference to insert.

There will be n others and n+1 merge conditions, since the first condition corresponds to self. To match elements up to conditions, say zip([self] + others, merge_conditions)

When implementing this, make sure that you “deepen” both others and common_ancestor before calling sub-elements’ merge methods, e.g.

self.foo.merge(
    [o.foo for o in others],
    merge_conditions,
    common_ancestor=common_ancestor.foo if common_ancestor is not None else None
)

During static analysis, merge_conditions can be None, in which case you should use state.solver.union(values). TODO: fish please make this less bullshit

There is a utility claripy.ite_cases which will help with constructing arbitrarily large merged ASTs. Use it like self.bar = claripy.ite_cases(zip(conditions[1:], [o.bar for o in others]), self.bar)

Parameters:

others – the other state plugins to merge with
merge_conditions – a symbolic condition for each of the plugins
common_ancestor – a common ancestor of this plugin and the others being merged

Returns:

True if the state plugins are actually merged.

Return type:

bool

widen(others)

The widening operation for plugins. Widening is a special kind of merging that produces a more general state from several more specific states. It is used only during intensive static analysis. The same behavior regarding copying and mutation from merge should be followed.

Parameters:: others (Iterable[SimStatePlugin]) – the other state plugins to widen with
Returns:: True if the state plugin is actually widened.
Return type:: bool

classmethod register_default(name, xtr=None)

Return type:

None

Parameters:

name (str)
xtr (type[SimStatePlugin] | str | None)

init_state()

Use this function to perform any initialization on the state at plugin-add time

Return type:: None

class angr.state_plugins.SimStatePreconstrainer

Bases: SimStatePlugin

This state plugin manages the concept of preconstraining - adding constraints which you would like to remove later.

Parameters:: constrained_addrs – SimActions for memory operations whose addresses should be constrained during crash analysis

__init__(constrained_addrs=None)

preconstrain(value, variable)

Add a preconstraint that variable == value to the state.

Parameters:

value – The concrete value. Can be a bitvector or a bytestring or an integer.
variable – The BVS to preconstrain.

preconstrain_file(content, simfile, set_length=False)

Preconstrain the contents of a file.

Parameters:

content – The content to preconstrain the file to. Can be a bytestring or a list thereof.
simfile – The actual simfile to preconstrain

preconstrain_flag_page(magic_content)

Preconstrain the data in the flag page.

Parameters:: magic_content – The content of the magic page as a bytestring.

remove_preconstraints(to_composite_solver=True, simplify=True)

Remove the preconstraints from the state.

If you are using the zen plugin, this will also use that to filter the constraints.

Parameters:

to_composite_solver – Whether to convert the replacement solver to a composite solver. You probably want this if you’re switching from tracing to symbolic analysis.
simplify – Whether to simplify the resulting set of constraints.

reconstrain(): Split the solver. If any of the subsolvers time out after a short timeout (10 seconds), re-add the preconstraints associated with each of its variables. Hopefully these constraints still allow us to do meaningful things to the state.

class angr.state_plugins.SimStateScratch

Bases: SimStatePlugin

Implements the scratch state plugin.

__init__(scratch=None)

property ail_block_idx

property is_ail

property priv

push_priv(priv)

pop_priv()

set_tyenv(tyenv)

tmp_expr(tmp)

Returns the Claripy expression of a VEX temp value.

Parameters:

tmp – the number of the tmp
simplify – simplify the tmp before returning it

Returns:

a Claripy expression of the tmp

store_tmp(tmp, content, reg_deps=frozenset({}), tmp_deps=frozenset({}), deps=None, **kwargs)

Stores a Claripy expression in a VEX temp value. If in symbolic mode, this involves adding a constraint for the tmp’s symbolic variable.

Parameters:

tmp – the number of the tmp
content – a Claripy expression of the content
reg_deps – the register dependencies of the content
tmp_deps – the temporary value dependencies of the content

clear()

class angr.state_plugins.SimSymbolizer

Bases: SimStatePlugin

The symbolizer state plugin ensures that pointers that are stored in memory are symbolic. This allows for the tracking of and reasoning over these pointers (for example, to reason about memory disclosure).

__init__()

set_symbolization_for_all_pages(): Sets the symbolizer to symbolize pointers to all pages as they are written to memory..

set_symbolized_target_range(base, length)

All pointers to the target range will be symbolized as they are written to memory.

Due to optimizations, the _pages_ containing this range will be set as symbolization targets, not just the range itself.

resymbolize(): Re-symbolizes all pointers in memory. This can be called to symbolize any pointers to target regions that were written (and not mangled beyond recognition) before symbolization was set.

class angr.state_plugins.SimSystemPosix

Bases: SimStatePlugin

Data storage and interaction mechanisms for states with an environment conforming to posix. Available as state.posix.

SIG_BLOCK = 0¶

SIG_UNBLOCK = 1¶

SIG_SETMASK = 2¶

EPERM = 1¶

ENOENT = 2¶

ESRCH = 3¶

EINTR = 4¶

EIO = 5¶

ENXIO = 6¶

E2BIG = 7¶

ENOEXEC = 8¶

EBADF = 9¶

ECHILD = 10¶

EAGAIN = 11¶

ENOMEM = 12¶

EACCES = 13¶

EFAULT = 14¶

ENOTBLK = 15¶

EBUSY = 16¶

EEXIST = 17¶

EXDEV = 18¶

ENODEV = 19¶

ENOTDIR = 20¶

EISDIR = 21¶

EINVAL = 22¶

ENFILE = 23¶

EMFILE = 24¶

ENOTTY = 25¶

ETXTBSY = 26¶

EFBIG = 27¶

ENOSPC = 28¶

ESPIPE = 29¶

EROFS = 30¶

EMLINK = 31¶

EPIPE = 32¶

EDOM = 33¶

ERANGE = 34¶

__init__(stdin=None, stdout=None, stderr=None, fd=None, sockets=None, socket_queue=None, argv=None, argc=None, environ=None, auxv=None, tls_modules=None, sigmask=None, pid=None, ppid=None, uid=None, gid=None, brk=None)

property closed_fds

set_brk(new_brk)

open(name, flags, preferred_fd=None)

Open a symbolic file. Basically open(2).

Parameters:

name (string or bytes) – Path of the symbolic file, as a string or bytes.
flags – File operation flags, a bitfield of constants from open(2), as an AST
preferred_fd – Assign this fd if it’s not already claimed.

Returns:

The file descriptor number allocated (maps through posix.get_fd to a SimFileDescriptor) or -1 if the open fails.

mode from open(2) is unsupported at present.

open_socket(ident)

get_fd(fd, create_file=True): Looks up the SimFileDescriptor associated with the given number (an AST). If the number is concrete and does not map to anything, return None. If the number is symbolic, constrain it to an open fd and create a new file for it. Set create_file to False if no write-access is planned (i.e. fd is read-only).

get_concrete_fd(fd, create_file=True): Same behavior as get_fd(fd), only the result is a concrete integer fd (or -1) instead of a SimFileDescriptor.

close(fd): Closes the given file descriptor (an AST). Returns whether the operation succeeded (a concrete boolean)

fstat(fd)

fstat_with_result(sim_fd)

sigmask(sigsetsize=None)

Gets the current sigmask. If it’s blank, a new one is created (of sigsetsize).

Parameters:: sigsetsize – the size (in bytes of the sigmask set)
Returns:: the sigmask

sigprocmask(how, new_mask, sigsetsize, valid_ptr=True)

Updates the signal mask.

Parameters:

how – the “how” argument of sigprocmask (see manpage)
new_mask – the mask modification to apply
sigsetsize – the size (in bytes of the sigmask set)
valid_ptr – is set if the new_mask was not NULL

dump_file_by_path(path, **kwargs)

Returns the concrete content for a file by path.

Parameters:

path – file path as string
kwargs – passed to state.solver.eval

Returns:

file contents as string

dumps(fd, **kwargs)

Returns the concrete content for a file descriptor.

BACKWARD COMPATIBILITY: if you ask for file descriptors 0 1 or 2, it will return the data from stdin, stdout, or stderr as a flat string.

Parameters:: fd – A file descriptor.
Returns:: The concrete content.
Return type:: str

class angr.state_plugins.SimUCManager

Bases: SimStatePlugin

__init__(man=None)

assign(dst_addr_ast)

Assign a new region for under-constrained symbolic execution.

Parameters:: dst_addr_ast – the symbolic AST which address of the new allocated region will be assigned to.
Returns:: as ast of memory address that points to a new region

get_alloc_depth(addr)

Return type:: int | None
Parameters:: addr (int | Base)

set_alloc_depth(addr, depth)

Parameters:

addr (Base)
depth (int)

is_bounded(ast)

Test whether an AST is bounded by any existing constraint in the related solver.

Parameters:: ast – an claripy.AST object
Returns:: True if there is at least one related constraint, False otherwise

class angr.state_plugins.Stat

Bases: tuple

Stat(st_dev, st_ino, st_nlink, st_mode, st_uid, st_gid, st_rdev, st_size, st_blksize, st_blocks, st_atime, st_atimensec, st_mtime, st_mtimensec, st_ctime, st_ctimensec)

static __new__(_cls, st_dev, st_ino, st_nlink, st_mode, st_uid, st_gid, st_rdev, st_size, st_blksize, st_blocks, st_atime, st_atimensec, st_mtime, st_mtimensec, st_ctime, st_ctimensec): Create new instance of Stat(st_dev, st_ino, st_nlink, st_mode, st_uid, st_gid, st_rdev, st_size, st_blksize, st_blocks, st_atime, st_atimensec, st_mtime, st_mtimensec, st_ctime, st_ctimensec)

st_atime: Alias for field number 10

st_atimensec: Alias for field number 11

st_blksize: Alias for field number 8

st_blocks: Alias for field number 9

st_ctime: Alias for field number 14

st_ctimensec: Alias for field number 15

st_dev: Alias for field number 0

st_gid: Alias for field number 5

st_ino: Alias for field number 1

st_mode: Alias for field number 3

st_mtime: Alias for field number 12

st_mtimensec: Alias for field number 13

st_nlink: Alias for field number 2

st_rdev: Alias for field number 6

st_size: Alias for field number 7

st_uid: Alias for field number 4

class angr.state_plugins.StructMode

Bases: object

__init__(view)

class angr.state_plugins.Unicorn

Bases: SimStatePlugin

setup the unicorn engine for a state

UC_CONFIG = {}¶

__init__(syscall_hooks=None, cache_key=None, unicount=None, symbolic_var_counts=None, symbolic_inst_counts=None, concretized_asts=None, always_concretize=None, never_concretize=None, concretize_at=None, concretization_threshold_memory=None, concretization_threshold_registers=None, concretization_threshold_instruction=None, cooldown_symbolic_stop=2, cooldown_unsupported_stop=2, cooldown_nonunicorn_blocks=100, cooldown_stop_point=1, max_steps=1000000): Initializes the Unicorn plugin for angr. This plugin handles communication with UnicornEngine.

property uc

static delete_uc()

set_last_block_details(details)

set_stops(stop_points)

set_tracking(track_bbls, track_stack)

hook()

uncache_region(addr, length)

clear_page_cache()

setup(syscall_data=None, fd_bytes=None)

start(step=None)

get_recent_bbl_addrs()

get_stop_details()

finish(succ_state)

destroy(succ_state)

set_regs(): setting unicorn registers

setup_flags()

setup_gdt(fs, gs)

read_msr(msr=3221225728)

write_msr(val, msr=3221225728)

get_regs(succ_state): loading registers from unicorn. If succ_state is not None, update it instead of self.state. Needed when handling symbolic exits in native interface

angr.state_plugins.resource_event(state, exception)

Submodules

`callstack`
`cgc`
`debug_variables`
`edge_hitmap`
`filesystem`
`gdb`
`globals`
`heap`
`history`
`icicle`
`inspect`
`javavm_classloader`
`jni_references`
`libc`
`light_registers`
`log`
`loop_data`
`plugin`
`posix`
`preconstrainer`
`scratch`
`sim_action`
`sim_action_object`
`sim_event`
`solver`
`symbolizer`
`trace_additions`	This file contains objects to track additional information during a trace or modify symbolic variables during a trace.
`uc_manager`
`unicorn_engine`
`view`