Angr 学习摘要 0x01

最新推荐文章于 2024-09-13 15:35:25 发布

2T1

最新推荐文章于 2024-09-13 15:35:25 发布

阅读量125

点赞数

分类专栏： angr 软件分析文章标签：测试工具系统安全

本文链接：https://blog.csdn.net/weixin_44229639/article/details/121062026

版权

软件分析同时被 2 个专栏收录

7 篇文章 1 订阅

订阅专栏

angr

6 篇文章 0 订阅

订阅专栏

本文介绍了如何在程序分析中使用符号执行技术。从指定开始地址的空白状态开始，通过创建和设置符号化的寄存器、栈变量、内存以及动态内存来模拟程序行为。此外，还涉及到了符号化文件内容，以实现对文件系统的模拟。这些技术对于理解程序行为、漏洞检测和输入约束求解具有重要意义。

摘要由CSDN通过智能技术生成

符号化相关数据

# Sometimes, you want to specify where the program should start. The variable
# start_address will specify where the symbolic execution engine should begin.
# Note that we are using blank_state, not entry_state.
# (!)
  start_address = 0x080488B1   # :integer (probably hexadecimal)
  initial_state = project.factory.blank_state(addr=start_address)

(1)符号化寄存器
# angr没有办法处理scanf这种输入
# Create a symbolic bitvector
  password_size_in_bits = 32  # :integer
  password0 = claripy.BVS('password0', password_size_in_bits)
# Set a register to a symbolic value.
  initial_state.regs.eax = password0
# Solve for the symbolic values. If there are multiple solutions, we only
# care about one, so we can use eval, which returns any (but only one)
# solution. Pass eval the bitvector you want to solve for.
 solution0 = solution_state.solver.eval(password0)
 # Add the constraint to the state to instruct z3 to include it when solving
 # for input.
 solution_state.add_constraints(constrained_parameter_bitvector == constrained_parameter_desired_value)

（2）符号化栈变量
  password0 = claripy.BVS('password0', 32)
  password1 = claripy.BVS('password1', 32)
  padding_length_in_bytes = 8  # :integer
  initial_state.regs.esp -= padding_length_in_bytes
  # control stack_size
  initial_state.stack_push(password0)  # :bitvector (claripy.BVS, claripy.BVV, claripy.BV)
  initial_state.stack_push(password1)

（3）符号化内存
 password0 = claripy.BVS('password0', 64)
 password0_address = 0xB039E60
 initial_state.memory.store(password0_address, password0)

（4）符号化动态内存
 password0 = claripy.BVS('password0', 64)
 fake_heap_address0 = 0xffffc93c
 pointer_to_malloc_memory_address0 = 0xaf90220
 initial_state.memory.store(pointer_to_malloc_memory_address0, fake_heap_address0, endness=project.arch.memory_endness)
 simulation = project.factory.simgr(initial_state)

（5）符号化文件
# 使用angr模拟文件系统，而文件被我们用仿真文件所替代（符号化文件）
#符号化文件内容
password = claripy.BVS('password', symbolic_file_size_bytes * 8)
#模拟一个文件（需要知道文件名，内容，文件大小）
password_file = angr.storage.SimFile(filename, content=password,size = symbolic_file_size_bytes)
#将这个文件插入到angr的模拟文件系统中
init_state.fs.insert(filename,password_file)