angr 9.2.79__py3-none-win_amd64.whl → 9.2.80__py3-none-win_amd64.whl

angr/analyses/propagator/propagator.py

@@ -289,6 +289,9 @@ class PropagatorAnalysis(ForwardAnalysis, Analysis):  # pylint:disable=abstract-
         if self._base_state is not None:
             self._base_state.options.add(sim_options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS)
             self._base_state.options.add(sim_options.SYMBOL_FILL_UNCONSTRAINED_MEMORY)
+
+        self.model.input_states[block_key] = state.copy()
+
         state = engine.process(
             state,
             block=block,
@@ -305,8 +308,7 @@ class PropagatorAnalysis(ForwardAnalysis, Analysis):  # pylint:disable=abstract-
 
         self.model.node_iterations[block_key] += 1
         self.model.states[block_key] = state
-        if isinstance(state, PropagatorAILState):
-            self.model.block_initial_reg_values.update(state.block_initial_reg_values)
+        self.model.block_initial_reg_values.update(state.block_initial_reg_values)
 
         if self.model.replacements is None:
             self.model.replacements = state._replacements
@@ -325,19 +327,26 @@ class PropagatorAnalysis(ForwardAnalysis, Analysis):  # pylint:disable=abstract-
     def _process_input_state_for_successor(
         self, node, successor, input_state: Union[PropagatorAILState, PropagatorVEXState]
     ):
-        if self._only_consts and isinstance(input_state, PropagatorAILState):
-            key = node.addr, successor.addr
-            if key in self.model.block_initial_reg_values:
-                input_state: PropagatorAILState = input_state.copy()
-                for reg_atom, reg_value in self.model.block_initial_reg_values[key]:
-                    input_state.store_register(
-                        reg_atom,
-                        PropValue(
-                            claripy.BVV(reg_value.value, reg_value.bits),
-                            offset_and_details={0: Detail(reg_atom.size, reg_value, self._initial_codeloc)},
-                        ),
-                    )
-                return input_state
+        if self._only_consts:
+            if isinstance(input_state, PropagatorAILState):
+                key = node.addr, successor.addr
+                if key in self.model.block_initial_reg_values:
+                    input_state: PropagatorAILState = input_state.copy()
+                    for reg_atom, reg_value in self.model.block_initial_reg_values[key]:
+                        input_state.store_register(
+                            reg_atom,
+                            PropValue(
+                                claripy.BVV(reg_value.value, reg_value.bits),
+                                offset_and_details={0: Detail(reg_atom.size, reg_value, self._initial_codeloc)},
+                            ),
+                        )
+                    return input_state
+            elif isinstance(input_state, PropagatorVEXState):
+                key = node.addr, successor.addr
+                if key in self.model.block_initial_reg_values:
+                    input_state: PropagatorVEXState = input_state.copy()
+                    for reg_offset, reg_size, value in self.model.block_initial_reg_values[key]:
+                        input_state.store_register(reg_offset, reg_size, claripy.BVV(value, reg_size * 8))
         return input_state
 
     def _intra_analysis(self):

angr/analyses/reaching_definitions/engine_ail.py

@@ -141,7 +141,7 @@ class SimEngineRDAIL(
             return handler(expr)
         else:
             self.l.warning("Unsupported expression type %s.", type(expr).__name__)
-            return None
+            return MultiValues(self.state.top(self.arch.bits))
 
     def _ail_handle_Assignment(self, stmt):
         """

angr/analyses/stack_pointer_tracker.py

@@ -1,6 +1,7 @@
 # pylint:disable=abstract-method,ungrouped-imports
 
 from typing import Set, List, Optional, TYPE_CHECKING
+import re
 import logging
 
 import pyvex
@@ -286,6 +287,9 @@ class CouldNotResolveException(Exception):
     """
 
 
+IROP_CONVERT_REGEX = re.compile(r"^Iop_(\d+)(U{0,1})to(\d+)(U{0,1})$")
+
+
 class StackPointerTracker(Analysis, ForwardAnalysis):
     """
     Track the offset of stack pointer at the end of each basic block of a function.
@@ -366,6 +370,42 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
         else:
             return self.offset_before(instr_addrs[0], reg)
 
+    def _constant_for(self, addr, pre_or_post, reg):
+        try:
+            s = self._state_for(addr, pre_or_post)
+            if s is None:
+                return TOP
+            regval = dict(s.regs)[reg]
+        except KeyError:
+            return TOP
+        if type(regval) is Constant:
+            return regval.val
+        return TOP
+
+    def constant_after(self, addr, reg):
+        return self._constant_for(addr, "post", reg)
+
+    def constant_before(self, addr, reg):
+        return self._constant_for(addr, "pre", reg)
+
+    def constant_after_block(self, block_addr, reg):
+        if block_addr not in self._blocks:
+            return TOP
+        instr_addrs = self._blocks[block_addr].instruction_addrs
+        if len(instr_addrs) == 0:
+            return TOP
+        else:
+            return self.constant_after(instr_addrs[-1], reg)
+
+    def constant_before_block(self, block_addr, reg):
+        if block_addr not in self._blocks:
+            return TOP
+        instr_addrs = self._blocks[block_addr].instruction_addrs
+        if len(instr_addrs) == 0:
+            return TOP
+        else:
+            return self.constant_before(instr_addrs[0], reg)
+
     @property
     def inconsistent(self):
         return any(self.inconsistent_for(r) for r in self.reg_offsets)
@@ -515,6 +555,21 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
                 return Constant(expr.con.value)
             elif type(expr) is pyvex.IRExpr.Get:
                 return state.get(expr.offset)
+            elif type(expr) is pyvex.IRExpr.Unop:
+                m = IROP_CONVERT_REGEX.match(expr.op)
+                if m is not None:
+                    from_bits = int(m.group(1))
+                    # from_unsigned = m.group(2) == "U"
+                    to_bits = int(m.group(3))
+                    # to_unsigned = m.group(4) == "U"
+                    v = resolve_expr(expr.args[0])
+                    if not isinstance(v, Constant):
+                        return TOP
+                    if from_bits > to_bits:
+                        # truncation
+                        mask = (1 << to_bits) - 1
+                        return Constant(v.val & mask)
+                    return v
             elif self.track_mem and type(expr) is pyvex.IRExpr.Load:
                 return state.load(_resolve_expr(expr.addr))
             raise CouldNotResolveException()

angr/callable.py

@@ -74,10 +74,10 @@ class Callable:
         self.perform_call(*args, prototype=prototype)
         if self.result_state is not None and prototype.returnty is not None:
             loc = self._cc.return_val(prototype.returnty)
-            val = loc.get_value(self.result_state, stack_base=self.result_state.regs.sp - self._cc.STACKARG_SP_DIFF)
-            return self.result_state.solver.simplify(val)
-        else:
-            return None
+            if loc is not None:
+                val = loc.get_value(self.result_state, stack_base=self.result_state.regs.sp - self._cc.STACKARG_SP_DIFF)
+                return self.result_state.solver.simplify(val)
+        return None
 
     def perform_call(self, *args, prototype=None):
         prototype = SimCC.guess_prototype(args, prototype or self._func_ty).with_arch(self._project.arch)

angr/engines/light/engine.py

@@ -177,12 +177,12 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
                 func_addr = (
                     self.block.vex.next if isinstance(self.block.vex.next, int) else self._expr(self.block.vex.next)
                 )
-                if func_addr is not None:
-                    getattr(self, handler)(func_addr)
-                else:
+                if func_addr is None and self.l is not None:
                     self.l.debug("Cannot determine the callee address at %#x.", self.block.addr)
+                getattr(self, handler)(func_addr)
             else:
-                self.l.warning("Function handler not implemented.")
+                if self.l is not None:
+                    self.l.warning("Function handler not implemented.")
 
     #
     # Statement handlers
@@ -193,7 +193,8 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         if hasattr(self, handler):
             getattr(self, handler)(stmt)
         elif type(stmt).__name__ not in ("IMark", "AbiHint"):
-            self.l.error("Unsupported statement type %s.", type(stmt).__name__)
+            if self.l is not None:
+                self.l.error("Unsupported statement type %s.", type(stmt).__name__)
 
     # synchronize with function _handle_WrTmpData()
     def _handle_WrTmp(self, stmt):
@@ -210,7 +211,8 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         self.tmps[tmp] = data
 
     def _handle_Dirty(self, stmt):
-        self.l.error("Unimplemented Dirty node for current architecture.")
+        if self.l is not None:
+            self.l.error("Unimplemented Dirty node for current architecture.")
 
     def _handle_Put(self, stmt):
         raise NotImplementedError("Please implement the Put handler with your own logic.")
@@ -232,12 +234,13 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         handler = "_handle_%s" % type(expr).__name__
         if hasattr(self, handler):
             return getattr(self, handler)(expr)
-        else:
+        elif self.l is not None:
             self.l.error("Unsupported expression type %s.", type(expr).__name__)
         return None
 
     def _handle_Triop(self, expr: pyvex.IRExpr.Triop):  # pylint: disable=useless-return
-        self.l.error("Unsupported Triop %s.", expr.op)
+        if self.l is not None:
+            self.l.error("Unsupported Triop %s.", expr.op)
         return None
 
     def _handle_RdTmp(self, expr):
@@ -295,7 +298,8 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         if handler is not None and hasattr(self, handler):
             return getattr(self, handler)(expr)
         else:
-            self.l.error("Unsupported Unop %s.", expr.op)
+            if self.l is not None:
+                self.l.error("Unsupported Unop %s.", expr.op)
             return None
 
     def _handle_Binop(self, expr: pyvex.IRExpr.Binop):
@@ -372,13 +376,14 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
                 return getattr(self, handler)(expr, vector_size, vector_count)
             return getattr(self, handler)(expr)
         else:
-            if once(expr.op):
+            if once(expr.op) and self.l is not None:
                 self.l.warning("Unsupported Binop %s.", expr.op)
 
         return None
 
     def _handle_CCall(self, expr):  # pylint:disable=useless-return
-        self.l.warning("Unsupported expression type CCall with callee %s.", str(expr.cee))
+        if self.l is not None:
+            self.l.warning("Unsupported expression type CCall with callee %s.", str(expr.cee))
         return None
 
     #
@@ -479,7 +484,8 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         try:
             return ~expr_0  # pylint:disable=invalid-unary-operand-type
         except TypeError as e:
-            self.l.exception(e)
+            if self.l is not None:
+                self.l.exception(e)
             return None
 
     def _handle_Clz(self, expr):
@@ -602,7 +608,8 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         try:
             return expr_0 ^ expr_1
         except TypeError as e:
-            self.l.warning(e)
+            if self.l is not None:
+                self.l.warning(e)
             return None
 
     def _handle_Shl(self, expr):
@@ -834,7 +841,8 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
 
         if h is not None:
             return h(expr)
-        self.l.warning("Unsupported expression type %s.", type(expr).__name__)
+        if self.l is not None:
+            self.l.warning("Unsupported expression type %s.", type(expr).__name__)
         return None
 
     #
@@ -866,7 +874,8 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
             getattr(self, old_handler)(stmt)
             return
 
-        self.l.warning("Unsupported statement type %s.", type(stmt).__name__)
+        if self.l is not None:
+            self.l.warning("Unsupported statement type %s.", type(stmt).__name__)
 
     def _ail_handle_Label(self, stmt):
         pass
@@ -933,7 +942,8 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
         try:
             handler = getattr(self, handler_name)
         except AttributeError:
-            self.l.warning("Unsupported UnaryOp %s.", expr.op)
+            if self.l is not None:
+                self.l.warning("Unsupported UnaryOp %s.", expr.op)
             return None
 
         return handler(expr)
@@ -943,7 +953,8 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
         try:
             handler = getattr(self, handler_name)
         except AttributeError:
-            self.l.warning("Unsupported BinaryOp %s.", expr.op)
+            if self.l is not None:
+                self.l.warning("Unsupported BinaryOp %s.", expr.op)
             return None
 
         return handler(expr)
@@ -953,7 +964,8 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
         try:
             handler = getattr(self, handler_name)
         except AttributeError:
-            self.l.warning("Unsupported Ternary %s.", expr.op)
+            if self.l is not None:
+                self.l.warning("Unsupported Ternary %s.", expr.op)
             return None
 
         return handler(expr)

angr/knowledge_plugins/propagations/propagation_model.py

@@ -17,6 +17,7 @@ class PropagationModel(Serializable):
         "key",
         "node_iterations",
         "states",
+        "input_states",
         "block_initial_reg_values",
         "replacements",
         "equivalence",
@@ -35,9 +36,11 @@ class PropagationModel(Serializable):
         replacements: Optional[DefaultDict[Any, Dict]] = None,
         equivalence: Optional[Set] = None,
         function: Optional[Function] = None,
+        input_states: Optional[Dict] = None,
     ):
         self.key = prop_key
         self.node_iterations = node_iterations if node_iterations is not None else defaultdict(int)
+        self.input_states = input_states if input_states is not None else {}
         self.states = states if states is not None else {}
         self.block_initial_reg_values = block_initial_reg_values if block_initial_reg_values is not None else {}
         self.replacements = replacements
@@ -51,6 +54,7 @@ class PropagationModel(Serializable):
         self.node_iterations = None
         self.block_initial_reg_values = None
         self.states = None
+        self.input_states = None
         self.graph_visitor = None
 
     def block_beginning_state(self, block_addr) -> PropagatorState:

angr/knowledge_plugins/propagations/states.py

@@ -1,3 +1,4 @@
+# pylint:disable=too-many-boolean-expressions
 from typing import Set, Optional, Union, Tuple, DefaultDict, List, Any, Dict, TYPE_CHECKING
 from collections import defaultdict
 import weakref
@@ -256,7 +257,9 @@ class PropagatorState:
     def init_replacements(self):
         self._replacements = defaultdict(dict)
 
-    def add_replacement(self, codeloc: CodeLocation, old, new, force_replace: bool = False) -> bool:
+    def add_replacement(
+        self, codeloc: CodeLocation, old, new, force_replace: bool = False
+    ) -> bool:  # pylint:disable=unused-argument
         """
         Add a replacement record: Replacing expression `old` with `new` at program location `codeloc`.
         If the self._only_consts flag is set to true, only constant values will be set.
@@ -296,6 +299,44 @@ class PropagatorState:
 # VEX state
 
 
+class RegisterAnnotation(claripy.Annotation):
+    """
+    Annotates TOP values that are coming from registers.
+    """
+
+    def __init__(self, offset, size):
+        self.offset = offset
+        self.size = size
+
+    @property
+    def eliminatable(self) -> bool:
+        return True
+
+    @property
+    def relocatable(self) -> bool:
+        return True
+
+
+class RegisterComparisonAnnotation(claripy.Annotation):
+    """
+    Annotate TOP values that are the result of register values comparing against constant values.
+    """
+
+    def __init__(self, offset, size, cmp_op, value):
+        self.offset = offset
+        self.size = size
+        self.cmp_op = cmp_op
+        self.value = value
+
+    @property
+    def eliminatable(self) -> bool:
+        return True
+
+    @property
+    def relocatable(self) -> bool:
+        return True
+
+
 class PropagatorVEXState(PropagatorState):
     """
     Describes the state used in the VEX engine of Propagator.
@@ -305,6 +346,7 @@ class PropagatorVEXState(PropagatorState):
         "_registers",
         "_stack_variables",
         "do_binops",
+        "block_initial_reg_values",
     )
 
     def __init__(
@@ -319,6 +361,7 @@ class PropagatorVEXState(PropagatorState):
         expr_used_locs=None,
         do_binops=True,
         store_tops=True,
+        block_initial_reg_values=None,
         gp=None,
         max_prop_expr_occurrence: int = 1,
         model=None,
@@ -349,6 +392,9 @@ class PropagatorVEXState(PropagatorState):
 
         self._registers.set_state(self)
         self._stack_variables.set_state(self)
+        self.block_initial_reg_values = (
+            defaultdict(list) if block_initial_reg_values is None else block_initial_reg_values
+        )
 
     def __repr__(self):
         return "<PropagatorVEXState>"
@@ -418,6 +464,7 @@ class PropagatorVEXState(PropagatorState):
             only_consts=self._only_consts,
             do_binops=self.do_binops,
             store_tops=self._store_tops,
+            block_initial_reg_values=self.block_initial_reg_values.copy(),
             gp=self._gp,
             max_prop_expr_occurrence=self._max_prop_expr_occurrence,
             model=self.model,
@@ -448,12 +495,15 @@ class PropagatorVEXState(PropagatorState):
     def load_register(self, offset, size):
         # TODO: Fix me
         if size != self.gpr_size:
-            return self.top(size * self.arch.byte_width)
+            return self.top(size * self.arch.byte_width).annotate(RegisterAnnotation(offset, size))
 
         try:
-            return self._registers.load(offset, size=size)
+            v = self._registers.load(offset, size=size)
+            if self.is_top(v):
+                v = v.annotate(RegisterAnnotation(offset, size))
+            return v
         except SimMemoryMissingError:
-            return self.top(size * self.arch.byte_width)
+            return self.top(size * self.arch.byte_width).annotate(RegisterAnnotation(offset, size))
 
     def register_results(self) -> Dict[str, claripy.ast.BV]:
         result = {}

angr/procedures/definitions/__init__.py

@@ -632,7 +632,8 @@ def load_win32api_definitions():
         for _ in autoimport.auto_import_modules(
             "angr.procedures.definitions",
             _DEFINITIONS_BASEDIR,
-            filter_func=lambda module_name: module_name.startswith("win32_"),
+            filter_func=lambda module_name: module_name.startswith("win32_")
+            or module_name in {"ntoskrnl", "ntdll", "user32"},
         ):
             pass
 

angr/procedures/definitions/ntoskrnl.py

@@ -0,0 +1,9 @@
+from . import SimLibrary
+from .. import SIM_PROCEDURES as P
+from ...calling_conventions import SimCCStdcall, SimCCMicrosoftAMD64
+
+lib = SimLibrary()
+lib.set_library_names("ntoskrnl.exe")
+lib.add_all_from_dict(P["win32_kernel"])
+lib.set_default_cc("X86", SimCCStdcall)
+lib.set_default_cc("AMD64", SimCCMicrosoftAMD64)

angr/procedures/win32_kernel/ExAllocatePool.py

@@ -0,0 +1,12 @@
+# pylint: disable=missing-class-docstring
+import claripy
+
+import angr
+
+
+class ExAllocatePool(angr.SimProcedure):
+    def run(self, PoolType, NumberOfBytes):  # pylint:disable=arguments-differ, unused-argument
+        addr = self.state.heap._malloc(NumberOfBytes)
+        memset = angr.SIM_PROCEDURES["libc"]["memset"]
+        self.inline_call(memset, addr, claripy.BVV(0, 8), NumberOfBytes)  # zerofill
+        return addr

angr/procedures/win32_kernel/ExFreePoolWithTag.py

@@ -0,0 +1,7 @@
+# pylint: disable=missing-class-docstring
+from angr import SimProcedure
+
+
+class ExFreePoolWithTag(SimProcedure):
+    def run(self, P, Tag):  # pylint:disable=arguments-differ, unused-argument
+        self.state.heap._free(P)

angr/procedures/win32_kernel/__init__.py

@@ -0,0 +1,3 @@
+"""
+These procedures implement functions from the Windows kernel.
+"""

angr/storage/memory_mixins/__init__.py

@@ -58,7 +58,7 @@ class MemoryMixin(SimStatePlugin):
                 to_add = c
             self.state.add_constraints(to_add)
 
-    def load(self, addr, **kwargs):
+    def load(self, addr, size=None, **kwargs):
         pass
 
     def store(self, addr, data, **kwargs):

angr/utils/funcid.py

@@ -0,0 +1,128 @@
+# pylint:disable=too-many-boolean-expressions
+from typing import Optional
+
+import capstone
+
+from angr.knowledge_plugins.functions import Function
+
+
+def is_function_security_check_cookie(func, project, security_cookie_addr: int) -> bool:
+    # disassemble the first instruction
+    if func.is_plt or func.is_syscall or func.is_simprocedure:
+        return False
+    block = project.factory.block(func.addr)
+    if block.instructions != 2:
+        return False
+    ins0 = block.capstone.insns[0]
+    if (
+        ins0.mnemonic == "cmp"
+        and len(ins0.operands) == 2
+        and ins0.operands[0].type == capstone.x86.X86_OP_REG
+        and ins0.operands[0].reg == capstone.x86.X86_REG_RCX
+        and ins0.operands[1].type == capstone.x86.X86_OP_MEM
+        and ins0.operands[1].mem.base == capstone.x86.X86_REG_RIP
+        and ins0.operands[1].mem.index == 0
+        and ins0.operands[1].mem.disp + ins0.address + ins0.size == security_cookie_addr
+    ):
+        ins1 = block.capstone.insns[1]
+        if ins1.mnemonic == "jne":
+            return True
+    return False
+
+
+def is_function_security_init_cookie(func: "Function", project, security_cookie_addr: Optional[int]) -> bool:
+    if func.is_plt or func.is_syscall or func.is_simprocedure:
+        return False
+    # the function should have only one return point
+    if len(func.endpoints) == 1 and len(func.ret_sites) == 1:
+        # the function is normalized
+        ret_block = next(iter(func.ret_sites))
+        preds = [(pred.addr, pred.size) for pred in func.graph.predecessors(ret_block)]
+        if len(preds) != 2:
+            return False
+    elif len(func.endpoints) == 2 and len(func.ret_sites) == 2:
+        # the function is not normalized
+        ep0, ep1 = func.endpoints
+        if ep0.addr > ep1.addr:
+            ep0, ep1 = ep1, ep0
+        if ep0.addr + ep0.size == ep1.addr + ep1.size and ep0.addr < ep1.addr:
+            # overlapping block
+            preds = [(ep0.addr, ep1.addr - ep0.addr)]
+        else:
+            return False
+    else:
+        return False
+    for node_addr, node_size in preds:
+        # lift the block and check the last instruction
+        block = project.factory.block(node_addr, size=node_size)
+        if not block.instructions:
+            continue
+        last_insn = block.capstone.insns[-1]
+        if (
+            last_insn.mnemonic == "mov"
+            and len(last_insn.operands) == 2
+            and last_insn.operands[0].type == capstone.x86.X86_OP_MEM
+            and last_insn.operands[0].mem.base == capstone.x86.X86_REG_RIP
+            and last_insn.operands[0].mem.index == 0
+            and last_insn.operands[0].mem.disp + last_insn.address + last_insn.size == security_cookie_addr
+            and last_insn.operands[1].type == capstone.x86.X86_OP_REG
+        ):
+            return True
+    return False
+
+
+def is_function_security_init_cookie_win8(func: "Function", project, security_cookie_addr: int) -> bool:
+    # disassemble the first instruction
+    if func.is_plt or func.is_syscall or func.is_simprocedure:
+        return False
+    block = project.factory.block(func.addr)
+    if block.instructions != 3:
+        return False
+    ins0 = block.capstone.insns[0]
+    if (
+        ins0.mnemonic == "mov"
+        and len(ins0.operands) == 2
+        and ins0.operands[0].type == capstone.x86.X86_OP_REG
+        and ins0.operands[0].reg == capstone.x86.X86_REG_RAX
+        and ins0.operands[1].type == capstone.x86.X86_OP_MEM
+        and ins0.operands[1].mem.base == capstone.x86.X86_REG_RIP
+        and ins0.operands[1].mem.index == 0
+        and ins0.operands[1].mem.disp + ins0.address + ins0.size == security_cookie_addr
+    ):
+        ins1 = block.capstone.insns[-1]
+        if ins1.mnemonic == "je":
+            succs = list(func.graph.successors(func.get_node(block.addr)))
+            if len(succs) > 2:
+                return False
+            for succ in succs:
+                succ_block = project.factory.block(succ.addr)
+                if succ_block.instructions:
+                    first_insn = succ_block.capstone.insns[0]
+                    if (
+                        first_insn.mnemonic == "movabs"
+                        and len(first_insn.operands) == 2
+                        and first_insn.operands[1].type == capstone.x86.X86_OP_IMM
+                        and first_insn.operands[1].imm == 0x2B992DDFA232
+                    ):
+                        return True
+    return False
+
+
+def is_function_likely_security_init_cookie(func: "Function") -> bool:
+    """
+    Conducts a fuzzy match for security_init_cookie function.
+    """
+
+    callees = [node for node in func.transition_graph if isinstance(node, Function)]
+    callee_names = {callee.name for callee in callees}
+    if callee_names.issuperset(
+        {
+            "GetSystemTimeAsFileTime",
+            "GetCurrentProcessId",
+            "GetCurrentThreadId",
+            "GetTickCount",
+            "QueryPerformanceCounter",
+        }
+    ):
+        return True
+    return False