PyPI - angr - Versions diffs - 9.2.124__py3-none-manylinux2014_aarch64.whl → 9.2.125__py3-none-manylinux2014_aarch64.whl - Mend

angr 9.2.124__py3-none-manylinux2014_aarch64.whl → 9.2.125__py3-none-manylinux2014_aarch64.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of angr might be problematic. Click here for more details.

Files changed (30) hide show

angr/__init__.py +1 -1
angr/analyses/__init__.py +9 -1
angr/analyses/codecave.py +77 -0
angr/analyses/decompiler/clinic.py +31 -1
angr/analyses/decompiler/decompiler.py +4 -0
angr/analyses/decompiler/optimization_passes/__init__.py +3 -0
angr/analyses/decompiler/optimization_passes/inlined_string_transformation_simplifier.py +6 -0
angr/analyses/decompiler/optimization_passes/tag_slicer.py +41 -0
angr/analyses/decompiler/peephole_optimizations/constant_derefs.py +2 -2
angr/analyses/patchfinder.py +137 -0
angr/analyses/pathfinder.py +282 -0
angr/analyses/smc.py +159 -0
angr/angrdb/models.py +1 -2
angr/engines/vex/heavy/heavy.py +2 -0
angr/exploration_techniques/spiller_db.py +1 -2
angr/knowledge_plugins/functions/function.py +4 -0
angr/knowledge_plugins/functions/function_manager.py +18 -9
angr/knowledge_plugins/functions/function_parser.py +1 -1
angr/knowledge_plugins/functions/soot_function.py +1 -0
angr/misc/ux.py +2 -2
angr/project.py +17 -1
angr/state_plugins/history.py +6 -4
angr/utils/bits.py +4 -0
angr/utils/tagged_interval_map.py +112 -0
{angr-9.2.124.dist-info → angr-9.2.125.dist-info}/METADATA +6 -6
{angr-9.2.124.dist-info → angr-9.2.125.dist-info}/RECORD +30 -24
{angr-9.2.124.dist-info → angr-9.2.125.dist-info}/LICENSE +0 -0
{angr-9.2.124.dist-info → angr-9.2.125.dist-info}/WHEEL +0 -0
{angr-9.2.124.dist-info → angr-9.2.125.dist-info}/entry_points.txt +0 -0
{angr-9.2.124.dist-info → angr-9.2.125.dist-info}/top_level.txt +0 -0

angr/__init__.py CHANGED Viewed

@@ -2,7 +2,7 @@
 # pylint: disable=wrong-import-position
 from __future__ import annotations
-__version__ = "9.2.124"
+__version__ = "9.2.125"
 if bytes is str:
     raise Exception(

angr/analyses/__init__.py CHANGED Viewed

@@ -1,4 +1,4 @@
-# pylint:disable=wrong-import-position
+# " pylint:disable=wrong-import-position
 from __future__ import annotations
 from .analysis import Analysis, AnalysesHub
@@ -49,6 +49,10 @@ from .flirt import FlirtAnalysis
 from .s_propagator import SPropagatorAnalysis
 from .s_reaching_definitions import SReachingDefinitionsAnalysis
 from .s_liveness import SLivenessAnalysis
+from .codecave import CodeCaveAnalysis
+from .patchfinder import PatchFinderAnalysis
+from .pathfinder import Pathfinder
+from .smc import SelfModifyingCodeAnalysis
 __all__ = (
@@ -101,4 +105,8 @@ __all__ = (
     "SPropagatorAnalysis",
     "SReachingDefinitionsAnalysis",
     "SLivenessAnalysis",
+    "CodeCaveAnalysis",
+    "PatchFinderAnalysis",
+    "Pathfinder",
+    "SelfModifyingCodeAnalysis",
 )

angr/analyses/codecave.py ADDED Viewed

@@ -0,0 +1,77 @@
+from __future__ import annotations
+import logging
+from enum import Enum, auto
+from typing import TYPE_CHECKING
+from dataclasses import dataclass
+from angr.analyses import Analysis, AnalysesHub
+if TYPE_CHECKING:
+    from angr.knowledge_plugins import Function
+log = logging.getLogger(__name__)
+class CodeCaveClassification(Enum):
+    """
+    Type of code caves.
+    """
+    ALIGNMENT = auto()
+    UNREACHABLE = auto()
+@dataclass
+class CodeCave:
+    """
+    Describes a code cave in a binary.
+    """
+    func: Function | None
+    addr: int
+    size: int
+    classification: CodeCaveClassification
+class CodeCaveAnalysis(Analysis):
+    """
+    Best-effort static location of potential vacant code caves for possible code injection:
+    - Padding functions
+    - Unreachable code
+    """
+    codecaves: list[CodeCave]
+    def __init__(self):
+        self.codecaves = []
+        if len(self.project.kb.functions) == 0 and self.project.kb.cfgs.get_most_accurate() is None:
+            log.warning("Please run CFGFast analysis first, to identify functions")
+            return
+        # Alignment functions
+        for func in self.project.kb.functions.values():
+            if func.is_alignment:
+                for block in func.blocks:
+                    self.codecaves.append(CodeCave(func, block.addr, block.size, CodeCaveClassification.ALIGNMENT))
+        # Unreachable code
+        for func in self.project.kb.functions.values():
+            if func.is_alignment or func.is_plt or func.is_simprocedure or func.addr in self.project.kb.labels:
+                continue
+            in_degree = self.project.kb.callgraph.in_degree(func.addr)
+            if in_degree == 0 or (
+                in_degree == 1
+                and self.project.kb.functions[next(self.project.kb.callgraph.predecessors(func.addr))].is_alignment
+            ):
+                for block in func.blocks:
+                    self.codecaves.append(CodeCave(func, block.addr, block.size, CodeCaveClassification.UNREACHABLE))
+            # FIXME: find dead blocks with argument propagation
+            # FIXME: find dead blocks with external coverage info
+AnalysesHub.register_default("CodeCaves", CodeCaveAnalysis)

angr/analyses/decompiler/clinic.py CHANGED Viewed

@@ -42,6 +42,7 @@ from .optimization_passes import (
     OptimizationPassStage,
     RegisterSaveAreaSimplifier,
     StackCanarySimplifier,
+    TagSlicer,
     DUPLICATING_OPTS,
     CONDENSING_OPTS,
 )
@@ -111,6 +112,7 @@ class Clinic(Analysis):
         inlining_parents: set[int] | None = None,
         vvar_id_start: int = 0,
         optimization_scratch: dict[str, Any] | None = None,
+        desired_variables: set[str] | None = None,
     ):
         if not func.normalized and mode == ClinicMode.DECOMPILE:
             raise ValueError("Decompilation must work on normalized function graphs.")
@@ -154,6 +156,7 @@ class Clinic(Analysis):
         self._inline_functions = inline_functions
         self._inlined_counts = {} if inlined_counts is None else inlined_counts
         self._inlining_parents = inlining_parents or ()
+        self._desired_variables = desired_variables
         self._register_save_areas_removed: bool = False
@@ -220,6 +223,9 @@ class Clinic(Analysis):
             ail_graph = self._inline_child_functions(ail_graph)
         ail_graph = self._decompilation_simplifications(ail_graph)
+        if self._desired_variables:
+            ail_graph = self._slice_variables(ail_graph)
         self.graph = ail_graph
     def _decompilation_graph_recovery(self):
@@ -279,6 +285,27 @@ class Clinic(Analysis):
         return ail_graph
+    def _slice_variables(self, ail_graph):
+        nodes_index = {(n.addr, n.idx): n for n in ail_graph.nodes()}
+        vfm = self.variable_kb.variables.function_managers[self.function.addr]
+        for v_name in self._desired_variables:
+            v = next(iter(vv for vv in vfm._unified_variables if vv.name == v_name))
+            for va in vfm.get_variable_accesses(v):
+                nodes_index[(va.location.block_addr, va.location.block_idx)].statements[va.location.stmt_idx].tags[
+                    "keep_in_slice"
+                ] = True
+        a = TagSlicer(
+            self.function,
+            graph=ail_graph,
+            variable_kb=self.variable_kb,
+        )
+        if a.out_graph:
+            # use the new graph
+            ail_graph = a.out_graph
+        return ail_graph
     def _inline_child_functions(self, ail_graph):
         for blk in ail_graph.nodes():
             for idx, stmt in enumerate(blk.statements):
@@ -909,13 +936,16 @@ class Clinic(Analysis):
         Convert a VEX block to an AIL block.
         :param block_node:  A BlockNode instance.
-        :return:            An converted AIL block.
+        :return:            A converted AIL block.
         :rtype:             ailment.Block
         """
         if type(block_node) is not BlockNode:
             return block_node
+        if block_node.size == 0:
+            return ailment.Block(block_node.addr, 0, statements=[])
         block = self.project.factory.block(block_node.addr, block_node.size, cross_insn_opt=False)
         if block.vex.jumpkind not in {"Ijk_Call", "Ijk_Boring", "Ijk_Ret"} and not block.vex.jumpkind.startswith(
             "Ijk_Sys"

angr/analyses/decompiler/decompiler.py CHANGED Viewed

@@ -66,6 +66,7 @@ class Decompiler(Analysis):
         decompile=True,
         regen_clinic=True,
         inline_functions=frozenset(),
+        desired_variables=frozenset(),
         update_memory_data: bool = True,
         generate_code: bool = True,
         use_cache: bool = True,
@@ -103,6 +104,7 @@ class Decompiler(Analysis):
         self._update_memory_data = update_memory_data
         self._generate_code = generate_code
         self._inline_functions = inline_functions
+        self._desired_variables = desired_variables
         self._cache_parameters = (
             {
                 "cfg": self._cfg,
@@ -118,6 +120,7 @@ class Decompiler(Analysis):
                 "ite_exprs": self._ite_exprs,
                 "binop_operators": self._binop_operators,
                 "inline_functions": self._inline_functions,
+                "desired_variables": self._desired_variables,
             }
             if use_cache
             else None
@@ -226,6 +229,7 @@ class Decompiler(Analysis):
                 cache=cache,
                 progress_callback=progress_callback,
                 inline_functions=self._inline_functions,
+                desired_variables=self._desired_variables,
                 optimization_scratch=self._optimization_scratch,
                 **self.options_to_params(self.options_by_class["clinic"]),
             )

angr/analyses/decompiler/optimization_passes/__init__.py CHANGED Viewed

@@ -26,6 +26,7 @@ from .cross_jump_reverter import CrossJumpReverter
 from .code_motion import CodeMotionOptimization
 from .switch_default_case_duplicator import SwitchDefaultCaseDuplicator
 from .deadblock_remover import DeadblockRemover
+from .tag_slicer import TagSlicer
 from .inlined_string_transformation_simplifier import InlinedStringTransformationSimplifier
 from .const_prop_reverter import ConstPropOptReverter
 from .call_stmt_rewriter import CallStatementRewriter
@@ -59,6 +60,7 @@ ALL_OPTIMIZATION_PASSES = [
     FlipBooleanCmp,
     InlinedStringTransformationSimplifier,
     CallStatementRewriter,
+    TagSlicer,
 ]
 # these passes may duplicate code to remove gotos or improve the structure of the graph
@@ -118,6 +120,7 @@ __all__ = (
     "ConstPropOptReverter",
     "CallStatementRewriter",
     "DuplicationReverter",
+    "TagSlicer",
     "ALL_OPTIMIZATION_PASSES",
     "DUPLICATING_OPTS",
     "CONDENSING_OPTS",

angr/analyses/decompiler/optimization_passes/inlined_string_transformation_simplifier.py CHANGED Viewed

@@ -240,6 +240,12 @@ class InlinedStringTransformationAILEngine(SimEngineLightAILMixin):
         return None
     def _handle_Neg(self, expr: UnaryOp):
+        v = self._expr(expr.operand)
+        if isinstance(v, claripy.ast.Bits):
+            return -v
+        return None
+    def _handle_BitwiseNeg(self, expr: UnaryOp):
         v = self._expr(expr.operand)
         if isinstance(v, claripy.ast.Bits):
             return ~v

angr/analyses/decompiler/optimization_passes/tag_slicer.py ADDED Viewed

@@ -0,0 +1,41 @@
+# pylint:disable=too-many-boolean-expressions
+from __future__ import annotations
+import logging
+from ailment.statement import ConditionalJump, Jump, Label
+from .optimization_pass import OptimizationPass, OptimizationPassStage
+_l = logging.getLogger(name=__name__)
+class TagSlicer(OptimizationPass):
+    """
+    Removes unmarked statements from the graph.
+    """
+    ARCHES = None
+    PLATFORMS = None
+    STAGE = OptimizationPassStage.AFTER_VARIABLE_RECOVERY
+    NAME = "Remove unmarked statements from the graph."
+    DESCRIPTION = __doc__.strip()
+    def __init__(self, func, **kwargs):
+        super().__init__(func, **kwargs)
+        self.analyze()
+    def _check(self):
+        return True, {}
+    def _analyze(self, cache=None):
+        for n in self._graph.nodes():
+            for i, s in enumerate(n.statements):
+                if isinstance(s, (ConditionalJump, Jump, Label)):
+                    continue
+                if not s.tags.get("keep_in_slice", False):
+                    n.statements[i] = None
+        for n in self._graph.nodes():
+            n.statements = [s for s in n.statements if s is not None]
+        self.out_graph = self._graph

angr/analyses/decompiler/peephole_optimizations/constant_derefs.py CHANGED Viewed

@@ -1,6 +1,6 @@
 from __future__ import annotations
 from ailment.expression import Load, Const
-from cle.backends import Blob
+from cle.backends import Blob, Hex
 from .base import PeepholeOptimizationExprBase
@@ -32,7 +32,7 @@ class ConstantDereferences(PeepholeOptimizationExprBase):
             # is it loading from a blob?
             obj = self.project.loader.find_object_containing(expr.addr.value)
-            if obj is not None and isinstance(obj, Blob):
+            if obj is not None and isinstance(obj, (Blob, Hex)):
                 # do we know the value that it's reading?
                 try:
                     val = self.project.loader.memory.unpack_word(expr.addr.value, size=self.project.arch.bytes)

angr/analyses/patchfinder.py ADDED Viewed

@@ -0,0 +1,137 @@
+# pylint:disable=missing-class-docstring
+from __future__ import annotations
+import logging
+from typing import TYPE_CHECKING
+from collections import defaultdict
+from dataclasses import dataclass
+from sortedcontainers import SortedDict
+from angr.analyses import Analysis, AnalysesHub
+from angr.utils.bits import ffs
+if TYPE_CHECKING:
+    from angr.knowledge_plugins import Function
+log = logging.getLogger(__name__)
+class OverlappingFunctionsAnalysis(Analysis):
+    """
+    Identify functions with interleaved blocks.
+    """
+    overlapping_functions: dict[int, list[int]]
+    def __init__(self):
+        self.overlapping_functions = defaultdict(list)
+        addr_to_func_max_addr = SortedDict()
+        for func in self.project.kb.functions.values():
+            if func.is_alignment:
+                continue
+            func_max_addr = max((block.addr + block.size) for block in func.blocks)
+            addr_to_func_max_addr[func.addr] = (func, func_max_addr)
+        for idx, (addr, (func, max_addr)) in enumerate(addr_to_func_max_addr.items()):
+            for other_addr in addr_to_func_max_addr.islice(idx + 1):
+                if other_addr >= max_addr:
+                    break
+                self.overlapping_functions[addr].append(other_addr)
+class FunctionAlignmentAnalysis(Analysis):
+    """
+    Determine typical function alignment
+    """
+    alignment: int | None
+    def __init__(self):
+        self.alignment = None
+        if len(self.project.kb.functions) == 0:
+            if self.project.kb.cfgs.get_most_accurate() is None:
+                log.warning("Please run CFGFast analysis first, to identify functions")
+            return
+        alignment_bins = defaultdict(int)
+        count = 0
+        for func in self.project.kb.functions.values():
+            if not (func.is_alignment or func.is_plt or func.is_simprocedure):
+                alignment_bins[ffs(func.addr)] += 1
+                count += 1
+        # FIXME: Higher alignment values will be naturally aligned
+        typical_alignment = max(alignment_bins, key=lambda k: alignment_bins[k])
+        if count > 10 and alignment_bins[typical_alignment] >= count / 4:  # XXX: cutoff
+            self.alignment = 1 << max(typical_alignment, 0)
+            log.debug("Function alignment appears to be %d bytes", self.alignment)
+@dataclass
+class AtypicallyAlignedFunction:
+    function: Function
+    expected_alignment: int
+@dataclass
+class PatchedOutFunctionality:
+    patched_function: Function
+    patched_out_function: Function
+class PatchFinderAnalysis(Analysis):
+    """
+    Looks for binary patches using some basic heuristics:
+    - Looking for interleaved functions
+    - Looking for unaligned functions
+    """
+    # FIXME: Possible additional heuristics:
+    # - Jumps out to end of function, then back
+    # - Looking for patch jumps, e.g. push <addr>; ret
+    # - Looking for instruction partials broken by a patch (nodecode)
+    # - Unusual stack manipulation
+    atypical_alignments: list[Function]
+    possibly_patched_out: list[PatchedOutFunctionality]
+    def __init__(self):
+        self.atypical_alignments = []
+        self.possibly_patched_out = []
+        if len(self.project.kb.functions) == 0:
+            if self.project.kb.cfgs.get_most_accurate() is None:
+                log.warning("Please run CFGFast analysis first, to identify functions")
+            return
+        # In CFGFast with scanning enabled, a function may be created from unreachable blocks within another function.
+        # Search for interleaved/overlapping functions to identify possible patches.
+        overlapping_functions = self.project.analyses.OverlappingFunctions().overlapping_functions
+        for addr, overlapping_func_addrs in overlapping_functions.items():
+            func = self.project.kb.functions[addr]
+            # Are the overlapping functions reachable?
+            for overlapping_addr in overlapping_func_addrs:
+                overlapping_func = self.project.kb.functions[overlapping_addr]
+                if self.project.kb.callgraph.in_degree(overlapping_addr) == 0:
+                    self.possibly_patched_out.append(PatchedOutFunctionality(func, overlapping_func))
+                    # FIXME: What does the patch do?
+        # Look for unaligned functions
+        expected_alignment = self.project.analyses.FunctionAlignment().alignment
+        if expected_alignment is not None and expected_alignment > self.project.arch.instruction_alignment:
+            for func in self.project.kb.functions.values():
+                if not (func.is_alignment or func.is_plt or func.is_simprocedure) and func.addr & (
+                    expected_alignment - 1
+                ):
+                    self.atypical_alignments.append(AtypicallyAlignedFunction(func, expected_alignment))
+AnalysesHub.register_default("OverlappingFunctions", OverlappingFunctionsAnalysis)
+AnalysesHub.register_default("FunctionAlignment", FunctionAlignmentAnalysis)
+AnalysesHub.register_default("PatchFinder", PatchFinderAnalysis)