angr 9.2.124__py3-none-macosx_11_0_arm64.whl → 9.2.125__py3-none-macosx_11_0_arm64.whl

angr/analyses/pathfinder.py

@@ -0,0 +1,282 @@
+# pylint:disable=missing-class-docstring
+from __future__ import annotations
+from enum import Enum, auto
+from dataclasses import dataclass
+from weakref import ref
+from collections import defaultdict
+
+from networkx import DiGraph
+from networkx.algorithms.shortest_paths import single_target_shortest_path_length
+
+from angr.sim_state import SimState
+from angr.engines.successors import SimSuccessors
+from angr.knowledge_plugins.cfg import CFGModel, CFGNode
+from .analysis import Analysis, AnalysesHub
+
+
+class Unreachable(Exception):
+    pass
+
+
+@dataclass(eq=False)
+class SimStateMarker:
+    addr: int
+    parent: SimStateMarker | None = None
+    banned: bool = False
+    misses: int = 0
+
+    def __repr__(self):
+        inner_repr = "None" if self.parent is None else "..."
+        return f"SimStateMarker(addr={self.addr:#x}, parent={inner_repr}, banned={self.banned}, misses={self.misses})"
+
+
+class SuccessorsKind(Enum):
+    SAT = auto()
+    UNSAT = auto()
+    MISSING = auto()
+
+
+@dataclass
+class TestPathReport:
+    path_markers: dict[int, SimStateMarker]
+    termination: SuccessorsKind
+
+
+def nilref():
+    return None
+
+
+class Pathfinder(Analysis):
+    def __init__(self, start_state: SimState, goal_addr: int, cfg: CFGModel, cache_size=10000):
+        self.start_state = start_state
+        self.goal_addr = goal_addr
+        self.goal_state: SimState | None = None
+        self.cfg = cfg
+        self.cache_size = cache_size
+
+        # HACK HACK HACK HACK TODO FIXME FISH PLEASE GET RID OF THIS
+        extra_edges = []
+        for node in self.cfg.graph.nodes:
+            if node.is_syscall:
+                for pred in self.cfg.graph.pred[node]:
+                    for succ, data in self.cfg.graph.succ[pred].items():
+                        if data["jumpkind"] == "Ijk_FakeRet":
+                            extra_edges.append((node, succ))
+        for node, succ in extra_edges:
+            self.cfg.graph.add_edge(node, succ, jumpkind="Ijk_Ret")
+
+        goal_node = self.cfg.get_any_node(goal_addr)
+        if goal_node is None:
+            raise ValueError(f"Node {goal_addr:#x} is not in graph")
+
+        self.start_marker = SimStateMarker(start_state.addr)
+        self.transition_cache: DiGraph[SimStateMarker] = DiGraph()
+        self.transition_cache.add_node(self.start_marker, state=ref(start_state))
+        self.base_heuristic: dict[int, int] = {
+            node.addr: dist for node, dist in single_target_shortest_path_length(cfg.graph, goal_node)
+        }
+        self.state_cache = {}
+        self.unsat_markers = set()
+        self.extra_weight = defaultdict(int)
+
+        self._search_frontier_marker = self.start_marker
+        self._search_path: list[tuple[int, str]] = [(self.start_marker.addr, "Ijk_Boring")]
+        self._search_stack = []
+        self._search_backtrack_to = {self.start_marker}
+        self._search_address_backtrack_points = {self.start_marker.addr: self.start_marker}
+
+    def cache_state(self, state: SimState):
+        self.state_cache[state] = self.state_cache.pop(state, None)
+        if len(self.state_cache) > self.cache_size:
+            self.state_cache.pop(next(iter(self.state_cache)))
+
+    def marker_to_state(self, marker: SimStateMarker) -> SimState | None:
+        return self.transition_cache.nodes[marker]["state"]()
+
+    def analyze(self) -> bool:
+        while True:
+            search_path = self.find_best_hypothesis_path()
+            result = self.test_path(search_path)
+            if result.termination == SuccessorsKind.SAT:
+                self.goal_state = self.marker_to_state(result.path_markers[len(search_path) - 1])
+                return True
+            marker = result.path_markers[max(result.path_markers)]
+            marker.banned = True
+            self._search_backtrack_to.add(marker)
+            if result.termination == SuccessorsKind.UNSAT:
+                self.unsat_markers.add(marker)
+
+    def _search_backtrack(self):
+        if self._search_address_backtrack_points[self._search_frontier_marker.addr] is self._search_frontier_marker:
+            self._search_address_backtrack_points.pop(self._search_frontier_marker.addr)
+
+        self._search_frontier_marker = self._search_frontier_marker.parent
+        if self._search_frontier_marker is None:
+            raise Unreachable
+
+        addr, jumpkind = self._search_path.pop()
+        if jumpkind == "Ijk_Ret":
+            self._search_stack.append(addr)
+        elif jumpkind == "Ijk_Call" or jumpkind.startswith("Ijk_Sys"):
+            self._search_stack.pop()
+
+    def find_best_hypothesis_path(self) -> tuple[int, ...]:
+        assert self._search_backtrack_to, "Uhh every iteration should set at least one backtrack point"
+        if self.start_marker in self._search_backtrack_to:
+            self._search_frontier_marker = self.start_marker
+            self._search_path: list[tuple[int, str]] = [(self.start_marker.addr, "Ijk_Boring")]
+            self._search_stack = []
+            self._search_backtrack_to = set()
+        else:
+            while self._search_backtrack_to:
+                self._search_backtrack_to.discard(self._search_frontier_marker)
+                try:
+                    self._search_backtrack()
+                except Unreachable as e:
+                    raise RuntimeError("oops") from e
+
+        while self._search_path[-1][0] != self.goal_addr:
+            banned = {
+                marker.addr for marker in self.transition_cache.succ[self._search_frontier_marker] if marker.banned
+            }
+            current_node = self.cfg.get_any_node(self._search_path[-1][0])
+            options = [
+                (node, data["jumpkind"], self.base_heuristic[node.addr] + self.extra_weight[node.addr])
+                for node, data in self.cfg.graph.succ[current_node].items()
+                if data["jumpkind"] != "Ijk_FakeRet"
+                and node.addr not in banned
+                and node.addr in self.base_heuristic
+                and (data["jumpkind"] != "Ijk_Ret" or node.addr == self._search_stack[-1])
+            ]
+            if not options:
+                # backtrack
+                self._search_frontier_marker.banned = True
+                self._search_backtrack()
+                continue
+
+            best_node, best_jumpkind, best_weight = min(
+                options,
+                default=(None, None),
+                key=lambda xyz: xyz[2],
+            )
+
+            assert isinstance(best_jumpkind, str)
+            assert isinstance(best_node, CFGNode)
+            self.extra_weight[best_node.addr] += 1
+            self._search_path.append((best_node.addr, best_jumpkind))
+
+            if best_jumpkind == "Ijk_Call" or best_jumpkind.startswith("Ijk_Sys"):
+                self._search_stack.append(
+                    next(
+                        iter(
+                            node.addr
+                            for node, data in self.cfg.graph.succ[current_node].items()
+                            if data["jumpkind"] == "Ijk_FakeRet"
+                        ),
+                        None,
+                    )
+                )
+            elif best_jumpkind == "Ijk_Ret":
+                self._search_stack.pop()
+
+            frontier_marker_nullable = next(
+                (
+                    marker
+                    for marker in self.transition_cache.succ[self._search_frontier_marker]
+                    if marker.addr == best_node.addr
+                ),
+                None,
+            )
+            if frontier_marker_nullable is None:
+                new_marker = SimStateMarker(best_node.addr, self._search_frontier_marker)
+                self.transition_cache.add_node(new_marker, state=nilref)
+                self.transition_cache.add_edge(self._search_frontier_marker, new_marker)
+                self._search_frontier_marker = new_marker
+            else:
+                self._search_frontier_marker = frontier_marker_nullable
+
+            if self._search_frontier_marker.addr not in self._search_address_backtrack_points:
+                self._search_address_backtrack_points[self._search_frontier_marker.addr] = self._search_frontier_marker
+
+            # TODO does this go above the above stanza?
+            if sum(weight == best_weight for _, _, weight in options) != 1:
+                self._search_backtrack_to.add(self._search_address_backtrack_points[self._search_frontier_marker.addr])
+
+        return tuple(addr for addr, _ in self._search_path)
+
+    def diagnose_unsat(self, state: SimState):
+        pass
+
+    def test_path(self, bbl_addr_trace: tuple[int, ...]) -> TestPathReport:
+        assert bbl_addr_trace[0] == self.start_marker.addr, "Paths must begin with the start state"
+
+        known_markers = [self.start_marker]
+        for addr in bbl_addr_trace[1:]:
+            for succ in self.transition_cache.succ[known_markers[-1]]:
+                if succ.addr == addr:
+                    break
+            else:
+                break
+            known_markers.append(succ)
+
+        marker = None
+        for ri, marker_ in enumerate(reversed(known_markers)):
+            i = len(known_markers) - 1 - ri
+            state: SimState = self.transition_cache.nodes[marker_]["state"]()
+            marker = marker_
+            if state is not None:
+                break
+        else:
+            assert False, "The first item in known_markers should always have a resolvable weakref"
+
+        while i != len(bbl_addr_trace) - 1:
+            assert state.addr == bbl_addr_trace[i]
+
+            marker.misses += 1
+            successors = state.step(strict_block_end=True)
+            succ, kind = find_successor(successors, bbl_addr_trace[i + 1])
+
+            # cache state
+            if i + 1 < len(known_markers):
+                succ_marker = known_markers[i + 1]
+            else:
+                succ_marker = SimStateMarker(bbl_addr_trace[i + 1], parent=marker)
+                self.transition_cache.add_node(succ_marker)
+            self.transition_cache.add_edge(marker, succ_marker)
+            self.transition_cache.nodes[succ_marker]["state"] = ref(succ) if succ is not None else nilref
+            if succ is not None:
+                self.cache_state(succ)
+
+            if kind == SuccessorsKind.SAT:
+                assert succ is not None
+                state = succ
+                marker = succ_marker
+                i += 1
+                continue
+            if kind == SuccessorsKind.UNSAT:
+                assert succ is not None
+                return TestPathReport(
+                    path_markers={i: marker, i + 1: succ_marker},
+                    termination=SuccessorsKind.UNSAT,
+                )
+            return TestPathReport(path_markers={i: marker, i + 1: succ_marker}, termination=SuccessorsKind.MISSING)
+
+        return TestPathReport(path_markers={i: marker}, termination=SuccessorsKind.SAT)
+
+
+def find_successor(successors: SimSuccessors, target_addr: int) -> tuple[SimState | None, SuccessorsKind]:
+    for succ in successors.flat_successors:
+        if succ.addr == target_addr:
+            return succ, SuccessorsKind.SAT
+    for succ in successors.unsat_successors:
+        if succ.addr == target_addr:
+            return succ, SuccessorsKind.UNSAT
+    for succ in successors.unconstrained_successors:
+        succ2 = succ.copy()
+        succ2.add_constraints(succ2._ip == target_addr)
+        if succ2.satisfiable():
+            return succ2, SuccessorsKind.SAT
+    return None, SuccessorsKind.MISSING
+
+
+AnalysesHub.register_default("Pathfinder", Pathfinder)

angr/analyses/smc.py

@@ -0,0 +1,159 @@
+from __future__ import annotations
+import logging
+import random
+
+from enum import auto, IntFlag
+from collections.abc import Generator
+
+import angr
+from angr.analyses import Analysis, AnalysesHub
+from angr.knowledge_plugins import Function
+from angr.sim_state import SimState
+
+from angr.utils.tagged_interval_map import TaggedIntervalMap
+
+
+log = logging.getLogger(__name__)
+log.setLevel(logging.INFO)
+
+
+class TraceActions(IntFlag):
+    """
+    Describe memory access actions.
+    """
+
+    WRITE = auto()
+    EXECUTE = auto()
+
+
+class TraceClassifier:
+    """
+    Classify traces.
+    """
+
+    def __init__(self, state: SimState | None = None):
+        self.map = TaggedIntervalMap()
+        if state:
+            self.instrument(state)
+
+    def act_mem_write(self, state) -> None:
+        """
+        SimInspect callback for memory writes.
+        """
+        addr = state.solver.eval(state.inspect.mem_write_address)
+        length = state.inspect.mem_write_length
+        if not isinstance(length, int):
+            length = state.solver.eval(length)
+        self.map.add(addr, length, TraceActions.WRITE)
+
+    def act_instruction(self, state) -> None:
+        """
+        SimInspect callback for instruction execution.
+        """
+        addr = state.inspect.instruction
+        if addr is None:
+            log.warning("Symbolic addr")
+            return
+
+        # FIXME: Ensure block size is correct
+        self.map.add(addr, state.block().size, TraceActions.EXECUTE)
+
+    def instrument(self, state) -> None:
+        """
+        Instrument `state` for tracing.
+        """
+        state.inspect.b("mem_write", when=angr.BP_BEFORE, action=self.act_mem_write)
+        state.inspect.b("instruction", when=angr.BP_BEFORE, action=self.act_instruction)
+
+    def get_smc_address_and_lengths(self) -> Generator[tuple[int, int]]:
+        """
+        Evaluate the trace to find which areas of memory were both written to and executed.
+        """
+        smc_flags = TraceActions.WRITE | TraceActions.EXECUTE
+        for addr, size, flags in self.map.irange():
+            if (flags & smc_flags) == smc_flags:
+                yield (addr, size)
+
+    def determine_smc(self) -> bool:
+        """
+        Evaluate the trace to find areas of memory that were both written to and executed.
+        """
+        return any(self.get_smc_address_and_lengths())
+
+    def pp(self):
+        for a, b, c in self.map.irange():
+            print(f"{a:8x} {b} {c}")
+
+
+class SelfModifyingCodeAnalysis(Analysis):
+    """
+    Determine if some piece of code is self-modifying.
+
+    This determination is made by simply executing. If an address is executed
+    that is also written to, the code is determined to be self-modifying. The
+    determination is stored in the `result` property. The `regions` property
+    contains a list of (addr, length) regions that were both written to and
+    executed.
+    """
+
+    result: bool
+    regions: list[tuple[int, int]]
+
+    def __init__(self, subject: None | int | str | Function, max_bytes: int = 0, state: SimState | None = None):
+        """
+        :param subject: Subject of analysis
+        :param max_bytes: Maximum number of bytes from subject address. 0 for no limit (default).
+        :param state: State to begin executing from from.
+        """
+        assert self.project.selfmodifying_code
+
+        if subject is None:
+            subject = self.project.entry
+        if isinstance(subject, str):
+            try:
+                addr = self.project.kb.labels.lookup(subject)
+            except KeyError:
+                addr = self.project.kb.functions[subject].addr
+        elif isinstance(subject, Function):
+            addr = subject.addr
+        elif isinstance(subject, int):
+            addr = subject
+        else:
+            raise ValueError("Not a supported subject")
+
+        if state is None:
+            init_state = self.project.factory.call_state(addr)
+        else:
+            init_state = state.copy()
+            init_state.regs.pc = addr
+
+        init_state.options -= angr.sim_options.simplification
+
+        self._trace_classifier = TraceClassifier(init_state)
+        simgr = self.project.factory.simgr(init_state)
+
+        kwargs = {}
+        if max_bytes:
+            kwargs["filter_func"] = lambda s: (
+                "active" if s.solver.eval(addr <= s.regs.pc) and s.solver.eval(s.regs.pc < addr + max_bytes) else "oob"
+            )
+
+        # FIXME: Early out on SMC detect
+        # FIXME: Configurable step threshold
+        # FIXME: Loop analysis
+
+        for n in range(100):
+            self._update_progress(n)
+            simgr.step(n=3)
+            random.shuffle(simgr.active)
+            simgr.split(from_stash="active", to_stash=simgr.DROP, limit=10)
+
+        # Classify any out of bound entrypoints
+        for state_ in simgr.stashes["oob"]:
+            self._trace_classifier.act_instruction(state_)
+
+        self.regions = list(self._trace_classifier.get_smc_address_and_lengths())
+        self.result = len(self.regions) > 0
+
+
+AnalysesHub.register_default("SMC", SelfModifyingCodeAnalysis)

angr/angrdb/models.py

@@ -1,7 +1,6 @@
 from __future__ import annotations
 from sqlalchemy import Column, Integer, String, Boolean, BLOB, ForeignKey
-from sqlalchemy.orm import relationship
-from sqlalchemy.ext.declarative import declarative_base
+from sqlalchemy.orm import declarative_base, relationship
 
 Base = declarative_base()
 

angr/engines/vex/heavy/heavy.py

@@ -90,6 +90,7 @@ class HeavyVEXMixin(SuccessorsMixin, ClaripyDataMixin, SimStateStorageMixin, VEX
         num_inst=None,
         extra_stop_points=None,
         opt_level=None,
+        strict_block_end=None,
         **kwargs,
     ):
         if not pyvex.lifting.lifters[self.state.arch.name] or type(successors.addr) is not int:
@@ -144,6 +145,7 @@ class HeavyVEXMixin(SuccessorsMixin, ClaripyDataMixin, SimStateStorageMixin, VEX
                     num_inst=num_inst,
                     extra_stop_points=extra_stop_points,
                     opt_level=opt_level,
+                    strict_block_end=strict_block_end,
                 )
 
             if (

angr/exploration_techniques/spiller_db.py

@@ -5,8 +5,7 @@ import datetime
 try:
     import sqlalchemy
     from sqlalchemy import Column, Integer, String, Boolean, DateTime, create_engine
-    from sqlalchemy.orm import sessionmaker
-    from sqlalchemy.ext.declarative import declarative_base
+    from sqlalchemy.orm import declarative_base, sessionmaker
     from sqlalchemy.exc import OperationalError
 
     Base = declarative_base()

angr/knowledge_plugins/functions/function.py

@@ -56,6 +56,7 @@ class Function(Serializable):
         "addr",
         "is_simprocedure",
         "_name",
+        "previous_names",
         "is_default_name",
         "from_signature",
         "binary_name",
@@ -224,6 +225,7 @@ class Function(Serializable):
         else:
             self.is_default_name = False
             self._name = name
+        self.previous_names = []
         self.from_signature = None
 
         # Determine the name the binary where this function is.
@@ -274,6 +276,7 @@ class Function(Serializable):
 
     @name.setter
     def name(self, v):
+        self.previous_names.append(self._name)
         self._name = v
         self._function_manager._kb.labels[self.addr] = v
 
@@ -1667,6 +1670,7 @@ class Function(Serializable):
         func._endpoints = self._endpoints.copy()
         func._call_sites = self._call_sites.copy()
         func._project = self._project
+        func.previous_names = list(self.previous_names)
         func.is_plt = self.is_plt
         func.is_simprocedure = self.is_simprocedure
         func.binary_name = self.binary_name

angr/knowledge_plugins/functions/function_manager.py

@@ -313,7 +313,7 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
         if isinstance(k, self.function_address_types):
             f = self.function(addr=k)
         elif type(k) is str:
-            f = self.function(name=k)
+            f = self.function(name=k) or self.function(name=k, check_previous_names=True)
         else:
             raise ValueError(f"FunctionManager.__getitem__ does not support keys of type {type(k)}")
 
@@ -350,9 +350,9 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
     def get_by_addr(self, addr) -> Function:
         return self._function_map.get(addr)
 
-    def get_by_name(self, name: str) -> Generator[Function]:
+    def get_by_name(self, name: str, check_previous_names: bool = False) -> Generator[Function]:
         for f in self._function_map.values():
-            if f.name == name:
+            if f.name == name or (check_previous_names and name in f.previous_names):
                 yield f
 
     def _function_added(self, func: Function):
@@ -411,7 +411,7 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
         except KeyError:
             return None
 
-    def query(self, query: str) -> Function | None:
+    def query(self, query: str, check_previous_names: bool = False) -> Function | None:
         """
         Query for a function using selectors to disambiguate. Supported variations:
 
@@ -430,19 +430,21 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
                 addr = int(matches.group(2), 0)
                 try:
                     func = self._function_map.get(addr)
-                    if func.name == name:
+                    if func.name == name or (check_previous_names and name in func.previous_names):
                         return func
                 except KeyError:
                     pass
 
             obj_name = selector or self._kb._project.loader.main_object.binary_basename
-            for func in self.get_by_name(name):
+            for func in self.get_by_name(name, check_previous_names=check_previous_names):
                 if func.binary_name == obj_name:
                     return func
 
         return None
 
-    def function(self, addr=None, name=None, create=False, syscall=False, plt=None) -> Function | None:
+    def function(
+        self, addr=None, name=None, check_previous_names=False, create=False, syscall=False, plt=None
+    ) -> Function | None:
         """
         Get a function object from the function manager.
 
@@ -457,6 +459,13 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
         :return: The Function instance, or None if the function is not found and create is False.
         :rtype: Function or None
         """
+        if name is not None and name.startswith("sub_"):
+            try:
+                addr = int(name.split("_")[-1], 16)
+                name = None
+            except ValueError:
+                pass
+
         if addr is not None:
             try:
                 f = self._function_map.get(addr)
@@ -472,11 +481,11 @@ class FunctionManager(KnowledgeBasePlugin, collections.abc.Mapping):
                         f.is_syscall = True
                     return f
         elif name is not None:
-            func = self.query(name)
+            func = self.query(name, check_previous_names=check_previous_names)
             if func is not None:
                 return func
 
-            for func in self.get_by_name(name):
+            for func in self.get_by_name(name, check_previous_names=check_previous_names):
                 if plt is None or func.is_plt == plt:
                     return func
 

angr/knowledge_plugins/functions/function_parser.py

@@ -33,7 +33,7 @@ class FunctionParser:
         obj.is_syscall = function.is_syscall
         obj.is_simprocedure = function.is_simprocedure
         obj.returning = function.returning
-        obj.alignment = function.alignment
+        obj.alignment = function.is_alignment
         obj.binary_name = function.binary_name or ""
         obj.normalized = function.normalized
 

angr/knowledge_plugins/functions/soot_function.py

@@ -34,6 +34,7 @@ class SootFunction(Function):
         # block nodes (basic block nodes) at whose ends the function terminates
         # in theory, if everything works fine, endpoints == ret_sites | jumpout_sites | callout_sites
         self._endpoints = defaultdict(set)
+        self.previous_names = []
 
         self._call_sites = {}
         self.addr = addr

angr/misc/ux.py

@@ -20,9 +20,9 @@ def deprecated(replacement=None):
         def inner(*args, **kwargs):
             if func not in already_complained:
                 if replacement is None:
-                    warnings.warn(f"Don't use {func.__name__}", DeprecationWarning, stacklevel=1)
+                    warnings.warn(f"Don't use {func.__name__}", DeprecationWarning, stacklevel=2)
                 else:
-                    warnings.warn(f"Use {replacement} instead of {func.__name__}", DeprecationWarning, stacklevel=1)
+                    warnings.warn(f"Use {replacement} instead of {func.__name__}", DeprecationWarning, stacklevel=2)
                 already_complained.add(func)
             return func(*args, **kwargs)
 

angr/project.py

@@ -236,7 +236,7 @@ class Project:
         self._initialize_analyses_hub()
 
         # Step 5.3: ...etc
-        self.kb = KnowledgeBase(self, name="global")
+        self._knowledge_bases = {"default": KnowledgeBase(self, name="global")}
 
         self.is_java_project = isinstance(self.arch, ArchSoot)
         self.is_java_jni_project = isinstance(self.arch, ArchSoot) and getattr(
@@ -257,6 +257,22 @@ class Project:
         # Step 7: Run OS-specific configuration
         self.simos.configure_project()
 
+    @property
+    def kb(self):
+        return self._knowledge_bases["default"]
+
+    @kb.setter
+    def kb(self, kb):
+        self._knowledge_bases["default"] = kb
+
+    def get_kb(self, name):
+        try:
+            return self._knowledge_bases[name]
+        except KeyError:
+            kb = KnowledgeBase(self, name)
+            self._knowledge_bases[name] = kb
+            return kb
+
     @property
     def analyses(self) -> AnalysesHubWithDefault:
         result = self._analyses