angr 9.2.78__py3-none-win_amd64.whl → 9.2.80__py3-none-win_amd64.whl

angr/knowledge_plugins/functions/function.py

@@ -80,6 +80,7 @@ class Function(Serializable):
         "is_alignment",
         "is_prototype_guessed",
         "ran_cca",
+        "_cyclomatic_complexity",
     )
 
     def __init__(
@@ -161,6 +162,9 @@ class Function(Serializable):
         self.info = {}  # storing special information, like $gp values for MIPS32
         self.tags = ()  # store function tags. can be set manually by performing CodeTagging analysis.
 
+        # Initialize _cyclomatic_complexity to None
+        self._cyclomatic_complexity = None
+
         # TODO: Can we remove the following two members?
         # Register offsets of those arguments passed in registers
         self._argument_registers = []
@@ -302,6 +306,30 @@ class Function(Serializable):
             except (SimEngineError, SimMemoryError):
                 pass
 
+    @property
+    def cyclomatic_complexity(self):
+        """
+        The cyclomatic complexity of the function.
+
+        Cyclomatic complexity is a software metric used to indicate the complexity of a program.
+        It is a quantitative measure of the number of linearly independent paths through a program's source code.
+        It is computed using the formula: M = E - N + 2P, where
+        E = the number of edges in the graph,
+        N = the number of nodes in the graph,
+        P = the number of connected components.
+
+        The cyclomatic complexity value is lazily computed and cached for future use.
+        Initially this value is None until it is computed for the first time
+
+        :return: The cyclomatic complexity of the function.
+        :rtype: int
+        """
+        if self._cyclomatic_complexity is None:
+            self._cyclomatic_complexity = (
+                self.transition_graph.number_of_edges() - self.transition_graph.number_of_nodes() + 2
+            )
+        return self._cyclomatic_complexity
+
     @property
     def xrefs(self):
         """
@@ -565,6 +593,7 @@ class Function(Serializable):
         s += "  Alignment: %s\n" % (self.alignment)
         s += f"  Arguments: reg: {self._argument_registers}, stack: {self._argument_stack_variables}\n"
         s += "  Blocks: [%s]\n" % ", ".join(["%#x" % i for i in self.block_addrs])
+        s += "  Cyclomatic Complexity: %s\n" % self.cyclomatic_complexity
         s += "  Calling convention: %s" % self.calling_convention
         return s
 

angr/knowledge_plugins/propagations/propagation_model.py

@@ -17,6 +17,7 @@ class PropagationModel(Serializable):
         "key",
         "node_iterations",
         "states",
+        "input_states",
         "block_initial_reg_values",
         "replacements",
         "equivalence",
@@ -35,9 +36,11 @@ class PropagationModel(Serializable):
         replacements: Optional[DefaultDict[Any, Dict]] = None,
         equivalence: Optional[Set] = None,
         function: Optional[Function] = None,
+        input_states: Optional[Dict] = None,
     ):
         self.key = prop_key
         self.node_iterations = node_iterations if node_iterations is not None else defaultdict(int)
+        self.input_states = input_states if input_states is not None else {}
         self.states = states if states is not None else {}
         self.block_initial_reg_values = block_initial_reg_values if block_initial_reg_values is not None else {}
         self.replacements = replacements
@@ -51,6 +54,7 @@ class PropagationModel(Serializable):
         self.node_iterations = None
         self.block_initial_reg_values = None
         self.states = None
+        self.input_states = None
         self.graph_visitor = None
 
     def block_beginning_state(self, block_addr) -> PropagatorState:

angr/knowledge_plugins/propagations/states.py

@@ -1,3 +1,4 @@
+# pylint:disable=too-many-boolean-expressions
 from typing import Set, Optional, Union, Tuple, DefaultDict, List, Any, Dict, TYPE_CHECKING
 from collections import defaultdict
 import weakref
@@ -256,7 +257,9 @@ class PropagatorState:
     def init_replacements(self):
         self._replacements = defaultdict(dict)
 
-    def add_replacement(self, codeloc: CodeLocation, old, new, force_replace: bool = False) -> bool:
+    def add_replacement(
+        self, codeloc: CodeLocation, old, new, force_replace: bool = False
+    ) -> bool:  # pylint:disable=unused-argument
         """
         Add a replacement record: Replacing expression `old` with `new` at program location `codeloc`.
         If the self._only_consts flag is set to true, only constant values will be set.
@@ -296,6 +299,44 @@ class PropagatorState:
 # VEX state
 
 
+class RegisterAnnotation(claripy.Annotation):
+    """
+    Annotates TOP values that are coming from registers.
+    """
+
+    def __init__(self, offset, size):
+        self.offset = offset
+        self.size = size
+
+    @property
+    def eliminatable(self) -> bool:
+        return True
+
+    @property
+    def relocatable(self) -> bool:
+        return True
+
+
+class RegisterComparisonAnnotation(claripy.Annotation):
+    """
+    Annotate TOP values that are the result of register values comparing against constant values.
+    """
+
+    def __init__(self, offset, size, cmp_op, value):
+        self.offset = offset
+        self.size = size
+        self.cmp_op = cmp_op
+        self.value = value
+
+    @property
+    def eliminatable(self) -> bool:
+        return True
+
+    @property
+    def relocatable(self) -> bool:
+        return True
+
+
 class PropagatorVEXState(PropagatorState):
     """
     Describes the state used in the VEX engine of Propagator.
@@ -305,6 +346,7 @@ class PropagatorVEXState(PropagatorState):
         "_registers",
         "_stack_variables",
         "do_binops",
+        "block_initial_reg_values",
     )
 
     def __init__(
@@ -319,6 +361,7 @@ class PropagatorVEXState(PropagatorState):
         expr_used_locs=None,
         do_binops=True,
         store_tops=True,
+        block_initial_reg_values=None,
         gp=None,
         max_prop_expr_occurrence: int = 1,
         model=None,
@@ -349,6 +392,9 @@ class PropagatorVEXState(PropagatorState):
 
         self._registers.set_state(self)
         self._stack_variables.set_state(self)
+        self.block_initial_reg_values = (
+            defaultdict(list) if block_initial_reg_values is None else block_initial_reg_values
+        )
 
     def __repr__(self):
         return "<PropagatorVEXState>"
@@ -418,6 +464,7 @@ class PropagatorVEXState(PropagatorState):
             only_consts=self._only_consts,
             do_binops=self.do_binops,
             store_tops=self._store_tops,
+            block_initial_reg_values=self.block_initial_reg_values.copy(),
             gp=self._gp,
             max_prop_expr_occurrence=self._max_prop_expr_occurrence,
             model=self.model,
@@ -448,12 +495,15 @@ class PropagatorVEXState(PropagatorState):
     def load_register(self, offset, size):
         # TODO: Fix me
         if size != self.gpr_size:
-            return self.top(size * self.arch.byte_width)
+            return self.top(size * self.arch.byte_width).annotate(RegisterAnnotation(offset, size))
 
         try:
-            return self._registers.load(offset, size=size)
+            v = self._registers.load(offset, size=size)
+            if self.is_top(v):
+                v = v.annotate(RegisterAnnotation(offset, size))
+            return v
         except SimMemoryMissingError:
-            return self.top(size * self.arch.byte_width)
+            return self.top(size * self.arch.byte_width).annotate(RegisterAnnotation(offset, size))
 
     def register_results(self) -> Dict[str, claripy.ast.BV]:
         result = {}

angr/procedures/definitions/__init__.py

@@ -632,7 +632,8 @@ def load_win32api_definitions():
         for _ in autoimport.auto_import_modules(
             "angr.procedures.definitions",
             _DEFINITIONS_BASEDIR,
-            filter_func=lambda module_name: module_name.startswith("win32_"),
+            filter_func=lambda module_name: module_name.startswith("win32_")
+            or module_name in {"ntoskrnl", "ntdll", "user32"},
         ):
             pass
 

angr/procedures/definitions/msvcr.py

@@ -13,6 +13,3 @@ libc.set_non_returning('_exit', 'abort', 'exit', '_invoke_watson')
 libc.add_alias('_initterm', '_initterm_e')
 
 libc.set_default_cc('AMD64', SimCCMicrosoftAMD64)
-
-for name, procedure in libc.procedures.items():
-    libc.set_prototype(name, procedure.prototype)

angr/procedures/definitions/ntoskrnl.py

@@ -0,0 +1,9 @@
+from . import SimLibrary
+from .. import SIM_PROCEDURES as P
+from ...calling_conventions import SimCCStdcall, SimCCMicrosoftAMD64
+
+lib = SimLibrary()
+lib.set_library_names("ntoskrnl.exe")
+lib.add_all_from_dict(P["win32_kernel"])
+lib.set_default_cc("X86", SimCCStdcall)
+lib.set_default_cc("AMD64", SimCCMicrosoftAMD64)

angr/procedures/win32_kernel/ExAllocatePool.py

@@ -0,0 +1,12 @@
+# pylint: disable=missing-class-docstring
+import claripy
+
+import angr
+
+
+class ExAllocatePool(angr.SimProcedure):
+    def run(self, PoolType, NumberOfBytes):  # pylint:disable=arguments-differ, unused-argument
+        addr = self.state.heap._malloc(NumberOfBytes)
+        memset = angr.SIM_PROCEDURES["libc"]["memset"]
+        self.inline_call(memset, addr, claripy.BVV(0, 8), NumberOfBytes)  # zerofill
+        return addr

angr/procedures/win32_kernel/ExFreePoolWithTag.py

@@ -0,0 +1,7 @@
+# pylint: disable=missing-class-docstring
+from angr import SimProcedure
+
+
+class ExFreePoolWithTag(SimProcedure):
+    def run(self, P, Tag):  # pylint:disable=arguments-differ, unused-argument
+        self.state.heap._free(P)

angr/procedures/win32_kernel/__init__.py

@@ -0,0 +1,3 @@
+"""
+These procedures implement functions from the Windows kernel.
+"""

angr/sim_type.py

@@ -908,6 +908,9 @@ class SimTypeFunction(SimType):
         self.arg_names = arg_names if arg_names else ()
         self.variadic = variadic
 
+    def __hash__(self):
+        return hash(type(self)) ^ hash(tuple(self.args)) ^ hash(self.returnty)
+
     def __repr__(self):
         argstrs = [str(a) for a in self.args]
         if self.variadic:

angr/storage/memory_mixins/__init__.py

@@ -58,7 +58,7 @@ class MemoryMixin(SimStatePlugin):
                 to_add = c
             self.state.add_constraints(to_add)
 
-    def load(self, addr, **kwargs):
+    def load(self, addr, size=None, **kwargs):
         pass
 
     def store(self, addr, data, **kwargs):

angr/utils/funcid.py

@@ -0,0 +1,128 @@
+# pylint:disable=too-many-boolean-expressions
+from typing import Optional
+
+import capstone
+
+from angr.knowledge_plugins.functions import Function
+
+
+def is_function_security_check_cookie(func, project, security_cookie_addr: int) -> bool:
+    # disassemble the first instruction
+    if func.is_plt or func.is_syscall or func.is_simprocedure:
+        return False
+    block = project.factory.block(func.addr)
+    if block.instructions != 2:
+        return False
+    ins0 = block.capstone.insns[0]
+    if (
+        ins0.mnemonic == "cmp"
+        and len(ins0.operands) == 2
+        and ins0.operands[0].type == capstone.x86.X86_OP_REG
+        and ins0.operands[0].reg == capstone.x86.X86_REG_RCX
+        and ins0.operands[1].type == capstone.x86.X86_OP_MEM
+        and ins0.operands[1].mem.base == capstone.x86.X86_REG_RIP
+        and ins0.operands[1].mem.index == 0
+        and ins0.operands[1].mem.disp + ins0.address + ins0.size == security_cookie_addr
+    ):
+        ins1 = block.capstone.insns[1]
+        if ins1.mnemonic == "jne":
+            return True
+    return False
+
+
+def is_function_security_init_cookie(func: "Function", project, security_cookie_addr: Optional[int]) -> bool:
+    if func.is_plt or func.is_syscall or func.is_simprocedure:
+        return False
+    # the function should have only one return point
+    if len(func.endpoints) == 1 and len(func.ret_sites) == 1:
+        # the function is normalized
+        ret_block = next(iter(func.ret_sites))
+        preds = [(pred.addr, pred.size) for pred in func.graph.predecessors(ret_block)]
+        if len(preds) != 2:
+            return False
+    elif len(func.endpoints) == 2 and len(func.ret_sites) == 2:
+        # the function is not normalized
+        ep0, ep1 = func.endpoints
+        if ep0.addr > ep1.addr:
+            ep0, ep1 = ep1, ep0
+        if ep0.addr + ep0.size == ep1.addr + ep1.size and ep0.addr < ep1.addr:
+            # overlapping block
+            preds = [(ep0.addr, ep1.addr - ep0.addr)]
+        else:
+            return False
+    else:
+        return False
+    for node_addr, node_size in preds:
+        # lift the block and check the last instruction
+        block = project.factory.block(node_addr, size=node_size)
+        if not block.instructions:
+            continue
+        last_insn = block.capstone.insns[-1]
+        if (
+            last_insn.mnemonic == "mov"
+            and len(last_insn.operands) == 2
+            and last_insn.operands[0].type == capstone.x86.X86_OP_MEM
+            and last_insn.operands[0].mem.base == capstone.x86.X86_REG_RIP
+            and last_insn.operands[0].mem.index == 0
+            and last_insn.operands[0].mem.disp + last_insn.address + last_insn.size == security_cookie_addr
+            and last_insn.operands[1].type == capstone.x86.X86_OP_REG
+        ):
+            return True
+    return False
+
+
+def is_function_security_init_cookie_win8(func: "Function", project, security_cookie_addr: int) -> bool:
+    # disassemble the first instruction
+    if func.is_plt or func.is_syscall or func.is_simprocedure:
+        return False
+    block = project.factory.block(func.addr)
+    if block.instructions != 3:
+        return False
+    ins0 = block.capstone.insns[0]
+    if (
+        ins0.mnemonic == "mov"
+        and len(ins0.operands) == 2
+        and ins0.operands[0].type == capstone.x86.X86_OP_REG
+        and ins0.operands[0].reg == capstone.x86.X86_REG_RAX
+        and ins0.operands[1].type == capstone.x86.X86_OP_MEM
+        and ins0.operands[1].mem.base == capstone.x86.X86_REG_RIP
+        and ins0.operands[1].mem.index == 0
+        and ins0.operands[1].mem.disp + ins0.address + ins0.size == security_cookie_addr
+    ):
+        ins1 = block.capstone.insns[-1]
+        if ins1.mnemonic == "je":
+            succs = list(func.graph.successors(func.get_node(block.addr)))
+            if len(succs) > 2:
+                return False
+            for succ in succs:
+                succ_block = project.factory.block(succ.addr)
+                if succ_block.instructions:
+                    first_insn = succ_block.capstone.insns[0]
+                    if (
+                        first_insn.mnemonic == "movabs"
+                        and len(first_insn.operands) == 2
+                        and first_insn.operands[1].type == capstone.x86.X86_OP_IMM
+                        and first_insn.operands[1].imm == 0x2B992DDFA232
+                    ):
+                        return True
+    return False
+
+
+def is_function_likely_security_init_cookie(func: "Function") -> bool:
+    """
+    Conducts a fuzzy match for security_init_cookie function.
+    """
+
+    callees = [node for node in func.transition_graph if isinstance(node, Function)]
+    callee_names = {callee.name for callee in callees}
+    if callee_names.issuperset(
+        {
+            "GetSystemTimeAsFileTime",
+            "GetCurrentProcessId",
+            "GetCurrentThreadId",
+            "GetTickCount",
+            "QueryPerformanceCounter",
+        }
+    ):
+        return True
+    return False

{angr-9.2.78.dist-info → angr-9.2.80.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: angr
-Version: 9.2.78
+Version: 9.2.80
 Summary: A multi-architecture binary analysis toolkit, with the ability to perform dynamic symbolic execution and various static analyses on binaries
 Home-page: https://github.com/angr/angr
 License: BSD-2-Clause
@@ -17,13 +17,13 @@ Description-Content-Type: text/markdown
 License-File: LICENSE
 Requires-Dist: CppHeaderParser
 Requires-Dist: GitPython
-Requires-Dist: ailment ==9.2.78
-Requires-Dist: archinfo ==9.2.78
+Requires-Dist: ailment ==9.2.80
+Requires-Dist: archinfo ==9.2.80
 Requires-Dist: cachetools
 Requires-Dist: capstone ==5.0.0.post1
 Requires-Dist: cffi >=1.14.0
-Requires-Dist: claripy ==9.2.78
-Requires-Dist: cle ==9.2.78
+Requires-Dist: claripy ==9.2.80
+Requires-Dist: cle ==9.2.80
 Requires-Dist: dpkt
 Requires-Dist: itanium-demangler
 Requires-Dist: mulpyplexer
@@ -32,7 +32,7 @@ Requires-Dist: networkx !=2.8.1,>=2.0
 Requires-Dist: protobuf >=3.19.0
 Requires-Dist: psutil
 Requires-Dist: pycparser >=2.18
-Requires-Dist: pyvex ==9.2.78
+Requires-Dist: pyvex ==9.2.80
 Requires-Dist: rich >=13.1.0
 Requires-Dist: rpyc
 Requires-Dist: sortedcontainers