angr 9.2.79__py3-none-win_amd64.whl → 9.2.81__py3-none-win_amd64.whl

angr/analyses/propagator/propagator.py

@@ -289,6 +289,9 @@ class PropagatorAnalysis(ForwardAnalysis, Analysis):  # pylint:disable=abstract-
         if self._base_state is not None:
             self._base_state.options.add(sim_options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS)
             self._base_state.options.add(sim_options.SYMBOL_FILL_UNCONSTRAINED_MEMORY)
+
+        self.model.input_states[block_key] = state.copy()
+
         state = engine.process(
             state,
             block=block,
@@ -305,8 +308,7 @@ class PropagatorAnalysis(ForwardAnalysis, Analysis):  # pylint:disable=abstract-
 
         self.model.node_iterations[block_key] += 1
         self.model.states[block_key] = state
-        if isinstance(state, PropagatorAILState):
-            self.model.block_initial_reg_values.update(state.block_initial_reg_values)
+        self.model.block_initial_reg_values.update(state.block_initial_reg_values)
 
         if self.model.replacements is None:
             self.model.replacements = state._replacements
@@ -325,19 +327,26 @@ class PropagatorAnalysis(ForwardAnalysis, Analysis):  # pylint:disable=abstract-
     def _process_input_state_for_successor(
         self, node, successor, input_state: Union[PropagatorAILState, PropagatorVEXState]
     ):
-        if self._only_consts and isinstance(input_state, PropagatorAILState):
-            key = node.addr, successor.addr
-            if key in self.model.block_initial_reg_values:
-                input_state: PropagatorAILState = input_state.copy()
-                for reg_atom, reg_value in self.model.block_initial_reg_values[key]:
-                    input_state.store_register(
-                        reg_atom,
-                        PropValue(
-                            claripy.BVV(reg_value.value, reg_value.bits),
-                            offset_and_details={0: Detail(reg_atom.size, reg_value, self._initial_codeloc)},
-                        ),
-                    )
-                return input_state
+        if self._only_consts:
+            if isinstance(input_state, PropagatorAILState):
+                key = node.addr, successor.addr
+                if key in self.model.block_initial_reg_values:
+                    input_state: PropagatorAILState = input_state.copy()
+                    for reg_atom, reg_value in self.model.block_initial_reg_values[key]:
+                        input_state.store_register(
+                            reg_atom,
+                            PropValue(
+                                claripy.BVV(reg_value.value, reg_value.bits),
+                                offset_and_details={0: Detail(reg_atom.size, reg_value, self._initial_codeloc)},
+                            ),
+                        )
+                    return input_state
+            elif isinstance(input_state, PropagatorVEXState):
+                key = node.addr, successor.addr
+                if key in self.model.block_initial_reg_values:
+                    input_state: PropagatorVEXState = input_state.copy()
+                    for reg_offset, reg_size, value in self.model.block_initial_reg_values[key]:
+                        input_state.store_register(reg_offset, reg_size, claripy.BVV(value, reg_size * 8))
         return input_state
 
     def _intra_analysis(self):

angr/analyses/reaching_definitions/engine_ail.py

@@ -141,7 +141,7 @@ class SimEngineRDAIL(
             return handler(expr)
         else:
             self.l.warning("Unsupported expression type %s.", type(expr).__name__)
-            return None
+            return MultiValues(self.state.top(self.arch.bits))
 
     def _ail_handle_Assignment(self, stmt):
         """

angr/analyses/reaching_definitions/rd_state.py

@@ -566,19 +566,19 @@ class ReachingDefinitionsState:
     @overload
     def deref(
         self,
-        pointer: Union[MultiValues, Atom, Definition, Iterable[Atom], Iterable[Definition]],
+        pointer: Union[int, claripy.ast.bv.BV, HeapAddress, SpOffset],
         size: Union[int, DerefSize],
         endness: str = ...,
-    ) -> Set[MemoryLocation]:
+    ) -> Optional[MemoryLocation]:
         ...
 
     @overload
     def deref(
         self,
-        pointer: Union[int, claripy.ast.BV, HeapAddress, SpOffset],
+        pointer: Union[MultiValues, Atom, Definition, Iterable[Atom], Iterable[Definition]],
         size: Union[int, DerefSize],
         endness: str = ...,
-    ) -> Optional[MemoryLocation]:
+    ) -> Set[MemoryLocation]:
         ...
 
     def deref(

angr/analyses/stack_pointer_tracker.py

@@ -1,6 +1,7 @@
 # pylint:disable=abstract-method,ungrouped-imports
 
 from typing import Set, List, Optional, TYPE_CHECKING
+import re
 import logging
 
 import pyvex
@@ -286,6 +287,9 @@ class CouldNotResolveException(Exception):
     """
 
 
+IROP_CONVERT_REGEX = re.compile(r"^Iop_(\d+)(U{0,1})to(\d+)(U{0,1})$")
+
+
 class StackPointerTracker(Analysis, ForwardAnalysis):
     """
     Track the offset of stack pointer at the end of each basic block of a function.
@@ -366,6 +370,42 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
         else:
             return self.offset_before(instr_addrs[0], reg)
 
+    def _constant_for(self, addr, pre_or_post, reg):
+        try:
+            s = self._state_for(addr, pre_or_post)
+            if s is None:
+                return TOP
+            regval = dict(s.regs)[reg]
+        except KeyError:
+            return TOP
+        if type(regval) is Constant:
+            return regval.val
+        return TOP
+
+    def constant_after(self, addr, reg):
+        return self._constant_for(addr, "post", reg)
+
+    def constant_before(self, addr, reg):
+        return self._constant_for(addr, "pre", reg)
+
+    def constant_after_block(self, block_addr, reg):
+        if block_addr not in self._blocks:
+            return TOP
+        instr_addrs = self._blocks[block_addr].instruction_addrs
+        if len(instr_addrs) == 0:
+            return TOP
+        else:
+            return self.constant_after(instr_addrs[-1], reg)
+
+    def constant_before_block(self, block_addr, reg):
+        if block_addr not in self._blocks:
+            return TOP
+        instr_addrs = self._blocks[block_addr].instruction_addrs
+        if len(instr_addrs) == 0:
+            return TOP
+        else:
+            return self.constant_before(instr_addrs[0], reg)
+
     @property
     def inconsistent(self):
         return any(self.inconsistent_for(r) for r in self.reg_offsets)
@@ -515,6 +555,21 @@ class StackPointerTracker(Analysis, ForwardAnalysis):
                 return Constant(expr.con.value)
             elif type(expr) is pyvex.IRExpr.Get:
                 return state.get(expr.offset)
+            elif type(expr) is pyvex.IRExpr.Unop:
+                m = IROP_CONVERT_REGEX.match(expr.op)
+                if m is not None:
+                    from_bits = int(m.group(1))
+                    # from_unsigned = m.group(2) == "U"
+                    to_bits = int(m.group(3))
+                    # to_unsigned = m.group(4) == "U"
+                    v = resolve_expr(expr.args[0])
+                    if not isinstance(v, Constant):
+                        return TOP
+                    if from_bits > to_bits:
+                        # truncation
+                        mask = (1 << to_bits) - 1
+                        return Constant(v.val & mask)
+                    return v
             elif self.track_mem and type(expr) is pyvex.IRExpr.Load:
                 return state.load(_resolve_expr(expr.addr))
             raise CouldNotResolveException()

angr/callable.py

@@ -74,10 +74,10 @@ class Callable:
         self.perform_call(*args, prototype=prototype)
         if self.result_state is not None and prototype.returnty is not None:
             loc = self._cc.return_val(prototype.returnty)
-            val = loc.get_value(self.result_state, stack_base=self.result_state.regs.sp - self._cc.STACKARG_SP_DIFF)
-            return self.result_state.solver.simplify(val)
-        else:
-            return None
+            if loc is not None:
+                val = loc.get_value(self.result_state, stack_base=self.result_state.regs.sp - self._cc.STACKARG_SP_DIFF)
+                return self.result_state.solver.simplify(val)
+        return None
 
     def perform_call(self, *args, prototype=None):
         prototype = SimCC.guess_prototype(args, prototype or self._func_ty).with_arch(self._project.arch)

angr/calling_conventions.py

@@ -1592,6 +1592,7 @@ class SimCCAMD64LinuxSyscall(SimCCSyscall):
     RETURN_VAL = SimRegArg("rax", 8)
     RETURN_ADDR = SimRegArg("ip_at_syscall", 8)
     ARCH = archinfo.ArchAMD64
+    CALLER_SAVED_REGS = ["rax", "rcx", "r11"]
 
     @staticmethod
     def _match(arch, args, sp_delta):  # pylint: disable=unused-argument
@@ -2257,6 +2258,7 @@ def default_cc(  # pylint:disable=unused-argument
     arch: str,
     platform: Optional[str] = "Linux",
     language: Optional[str] = None,
+    syscall: bool = False,
     **kwargs,
 ) -> Optional[Type[SimCC]]:
     """
@@ -2265,6 +2267,7 @@ def default_cc(  # pylint:disable=unused-argument
     :param arch:        The architecture name.
     :param platform:    The platform name (e.g., "Linux" or "Win32").
     :param language:    The programming language name (e.g., "go").
+    :param syscall:     Return syscall convention (True), or normal calling convention (False, default).
     :return:            A default calling convention class if we can find one for the architecture, platform, and
                         language combination, or None if nothing fits.
     """
@@ -2273,20 +2276,21 @@ def default_cc(  # pylint:disable=unused-argument
         platform = "Linux"
 
     default = kwargs.get("default", ...)
+    cc_map = SYSCALL_CC if syscall else DEFAULT_CC
 
-    if arch in DEFAULT_CC:
-        if platform not in DEFAULT_CC[arch]:
+    if arch in cc_map:
+        if platform not in cc_map[arch]:
             if default is not ...:
                 return default
-            if "Linux" in DEFAULT_CC[arch]:
-                return DEFAULT_CC[arch]["Linux"]
-        return DEFAULT_CC[arch][platform]
+            if "Linux" in cc_map[arch]:
+                return cc_map[arch]["Linux"]
+        return cc_map[arch][platform]
 
     alias = unify_arch_name(arch)
-    if alias not in DEFAULT_CC or platform not in DEFAULT_CC[alias]:
+    if alias not in cc_map or platform not in cc_map[alias]:
         if default is not ...:
             return default
-    return DEFAULT_CC[alias][platform]
+    return cc_map[alias][platform]
 
 
 def unify_arch_name(arch: str) -> str:

angr/engines/light/engine.py

@@ -177,12 +177,12 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
                 func_addr = (
                     self.block.vex.next if isinstance(self.block.vex.next, int) else self._expr(self.block.vex.next)
                 )
-                if func_addr is not None:
-                    getattr(self, handler)(func_addr)
-                else:
+                if func_addr is None and self.l is not None:
                     self.l.debug("Cannot determine the callee address at %#x.", self.block.addr)
+                getattr(self, handler)(func_addr)
             else:
-                self.l.warning("Function handler not implemented.")
+                if self.l is not None:
+                    self.l.warning("Function handler not implemented.")
 
     #
     # Statement handlers
@@ -193,7 +193,8 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         if hasattr(self, handler):
             getattr(self, handler)(stmt)
         elif type(stmt).__name__ not in ("IMark", "AbiHint"):
-            self.l.error("Unsupported statement type %s.", type(stmt).__name__)
+            if self.l is not None:
+                self.l.error("Unsupported statement type %s.", type(stmt).__name__)
 
     # synchronize with function _handle_WrTmpData()
     def _handle_WrTmp(self, stmt):
@@ -210,7 +211,8 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         self.tmps[tmp] = data
 
     def _handle_Dirty(self, stmt):
-        self.l.error("Unimplemented Dirty node for current architecture.")
+        if self.l is not None:
+            self.l.error("Unimplemented Dirty node for current architecture.")
 
     def _handle_Put(self, stmt):
         raise NotImplementedError("Please implement the Put handler with your own logic.")
@@ -232,12 +234,13 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         handler = "_handle_%s" % type(expr).__name__
         if hasattr(self, handler):
             return getattr(self, handler)(expr)
-        else:
+        elif self.l is not None:
             self.l.error("Unsupported expression type %s.", type(expr).__name__)
         return None
 
     def _handle_Triop(self, expr: pyvex.IRExpr.Triop):  # pylint: disable=useless-return
-        self.l.error("Unsupported Triop %s.", expr.op)
+        if self.l is not None:
+            self.l.error("Unsupported Triop %s.", expr.op)
         return None
 
     def _handle_RdTmp(self, expr):
@@ -295,7 +298,8 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         if handler is not None and hasattr(self, handler):
             return getattr(self, handler)(expr)
         else:
-            self.l.error("Unsupported Unop %s.", expr.op)
+            if self.l is not None:
+                self.l.error("Unsupported Unop %s.", expr.op)
             return None
 
     def _handle_Binop(self, expr: pyvex.IRExpr.Binop):
@@ -372,13 +376,14 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
                 return getattr(self, handler)(expr, vector_size, vector_count)
             return getattr(self, handler)(expr)
         else:
-            if once(expr.op):
+            if once(expr.op) and self.l is not None:
                 self.l.warning("Unsupported Binop %s.", expr.op)
 
         return None
 
     def _handle_CCall(self, expr):  # pylint:disable=useless-return
-        self.l.warning("Unsupported expression type CCall with callee %s.", str(expr.cee))
+        if self.l is not None:
+            self.l.warning("Unsupported expression type CCall with callee %s.", str(expr.cee))
         return None
 
     #
@@ -479,7 +484,8 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         try:
             return ~expr_0  # pylint:disable=invalid-unary-operand-type
         except TypeError as e:
-            self.l.exception(e)
+            if self.l is not None:
+                self.l.exception(e)
             return None
 
     def _handle_Clz(self, expr):
@@ -602,7 +608,8 @@ class SimEngineLightVEXMixin(SimEngineLightMixin):
         try:
             return expr_0 ^ expr_1
         except TypeError as e:
-            self.l.warning(e)
+            if self.l is not None:
+                self.l.warning(e)
             return None
 
     def _handle_Shl(self, expr):
@@ -834,7 +841,8 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
 
         if h is not None:
             return h(expr)
-        self.l.warning("Unsupported expression type %s.", type(expr).__name__)
+        if self.l is not None:
+            self.l.warning("Unsupported expression type %s.", type(expr).__name__)
         return None
 
     #
@@ -866,7 +874,8 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
             getattr(self, old_handler)(stmt)
             return
 
-        self.l.warning("Unsupported statement type %s.", type(stmt).__name__)
+        if self.l is not None:
+            self.l.warning("Unsupported statement type %s.", type(stmt).__name__)
 
     def _ail_handle_Label(self, stmt):
         pass
@@ -933,7 +942,8 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
         try:
             handler = getattr(self, handler_name)
         except AttributeError:
-            self.l.warning("Unsupported UnaryOp %s.", expr.op)
+            if self.l is not None:
+                self.l.warning("Unsupported UnaryOp %s.", expr.op)
             return None
 
         return handler(expr)
@@ -943,7 +953,8 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
         try:
             handler = getattr(self, handler_name)
         except AttributeError:
-            self.l.warning("Unsupported BinaryOp %s.", expr.op)
+            if self.l is not None:
+                self.l.warning("Unsupported BinaryOp %s.", expr.op)
             return None
 
         return handler(expr)
@@ -953,7 +964,8 @@ class SimEngineLightAILMixin(SimEngineLightMixin):
         try:
             handler = getattr(self, handler_name)
         except AttributeError:
-            self.l.warning("Unsupported Ternary %s.", expr.op)
+            if self.l is not None:
+                self.l.warning("Unsupported Ternary %s.", expr.op)
             return None
 
         return handler(expr)

angr/knowledge_plugins/propagations/propagation_model.py

@@ -17,6 +17,7 @@ class PropagationModel(Serializable):
         "key",
         "node_iterations",
         "states",
+        "input_states",
         "block_initial_reg_values",
         "replacements",
         "equivalence",
@@ -35,9 +36,11 @@ class PropagationModel(Serializable):
         replacements: Optional[DefaultDict[Any, Dict]] = None,
         equivalence: Optional[Set] = None,
         function: Optional[Function] = None,
+        input_states: Optional[Dict] = None,
     ):
         self.key = prop_key
         self.node_iterations = node_iterations if node_iterations is not None else defaultdict(int)
+        self.input_states = input_states if input_states is not None else {}
         self.states = states if states is not None else {}
         self.block_initial_reg_values = block_initial_reg_values if block_initial_reg_values is not None else {}
         self.replacements = replacements
@@ -51,6 +54,7 @@ class PropagationModel(Serializable):
         self.node_iterations = None
         self.block_initial_reg_values = None
         self.states = None
+        self.input_states = None
         self.graph_visitor = None
 
     def block_beginning_state(self, block_addr) -> PropagatorState:

angr/knowledge_plugins/propagations/states.py

@@ -1,3 +1,4 @@
+# pylint:disable=too-many-boolean-expressions
 from typing import Set, Optional, Union, Tuple, DefaultDict, List, Any, Dict, TYPE_CHECKING
 from collections import defaultdict
 import weakref
@@ -256,7 +257,9 @@ class PropagatorState:
     def init_replacements(self):
         self._replacements = defaultdict(dict)
 
-    def add_replacement(self, codeloc: CodeLocation, old, new, force_replace: bool = False) -> bool:
+    def add_replacement(
+        self, codeloc: CodeLocation, old, new, force_replace: bool = False
+    ) -> bool:  # pylint:disable=unused-argument
         """
         Add a replacement record: Replacing expression `old` with `new` at program location `codeloc`.
         If the self._only_consts flag is set to true, only constant values will be set.
@@ -296,6 +299,44 @@ class PropagatorState:
 # VEX state
 
 
+class RegisterAnnotation(claripy.Annotation):
+    """
+    Annotates TOP values that are coming from registers.
+    """
+
+    def __init__(self, offset, size):
+        self.offset = offset
+        self.size = size
+
+    @property
+    def eliminatable(self) -> bool:
+        return True
+
+    @property
+    def relocatable(self) -> bool:
+        return True
+
+
+class RegisterComparisonAnnotation(claripy.Annotation):
+    """
+    Annotate TOP values that are the result of register values comparing against constant values.
+    """
+
+    def __init__(self, offset, size, cmp_op, value):
+        self.offset = offset
+        self.size = size
+        self.cmp_op = cmp_op
+        self.value = value
+
+    @property
+    def eliminatable(self) -> bool:
+        return True
+
+    @property
+    def relocatable(self) -> bool:
+        return True
+
+
 class PropagatorVEXState(PropagatorState):
     """
     Describes the state used in the VEX engine of Propagator.
@@ -305,6 +346,7 @@ class PropagatorVEXState(PropagatorState):
         "_registers",
         "_stack_variables",
         "do_binops",
+        "block_initial_reg_values",
     )
 
     def __init__(
@@ -319,6 +361,7 @@ class PropagatorVEXState(PropagatorState):
         expr_used_locs=None,
         do_binops=True,
         store_tops=True,
+        block_initial_reg_values=None,
         gp=None,
         max_prop_expr_occurrence: int = 1,
         model=None,
@@ -349,6 +392,9 @@ class PropagatorVEXState(PropagatorState):
 
         self._registers.set_state(self)
         self._stack_variables.set_state(self)
+        self.block_initial_reg_values = (
+            defaultdict(list) if block_initial_reg_values is None else block_initial_reg_values
+        )
 
     def __repr__(self):
         return "<PropagatorVEXState>"
@@ -418,6 +464,7 @@ class PropagatorVEXState(PropagatorState):
             only_consts=self._only_consts,
             do_binops=self.do_binops,
             store_tops=self._store_tops,
+            block_initial_reg_values=self.block_initial_reg_values.copy(),
             gp=self._gp,
             max_prop_expr_occurrence=self._max_prop_expr_occurrence,
             model=self.model,
@@ -448,12 +495,15 @@ class PropagatorVEXState(PropagatorState):
     def load_register(self, offset, size):
         # TODO: Fix me
         if size != self.gpr_size:
-            return self.top(size * self.arch.byte_width)
+            return self.top(size * self.arch.byte_width).annotate(RegisterAnnotation(offset, size))
 
         try:
-            return self._registers.load(offset, size=size)
+            v = self._registers.load(offset, size=size)
+            if self.is_top(v):
+                v = v.annotate(RegisterAnnotation(offset, size))
+            return v
         except SimMemoryMissingError:
-            return self.top(size * self.arch.byte_width)
+            return self.top(size * self.arch.byte_width).annotate(RegisterAnnotation(offset, size))
 
     def register_results(self) -> Dict[str, claripy.ast.BV]:
         result = {}

angr/procedures/definitions/__init__.py

@@ -632,7 +632,8 @@ def load_win32api_definitions():
         for _ in autoimport.auto_import_modules(
             "angr.procedures.definitions",
             _DEFINITIONS_BASEDIR,
-            filter_func=lambda module_name: module_name.startswith("win32_"),
+            filter_func=lambda module_name: module_name.startswith("win32_")
+            or module_name in {"ntoskrnl", "ntdll", "user32"},
         ):
             pass
 

angr/procedures/definitions/ntoskrnl.py

@@ -0,0 +1,9 @@
+from . import SimLibrary
+from .. import SIM_PROCEDURES as P
+from ...calling_conventions import SimCCStdcall, SimCCMicrosoftAMD64
+
+lib = SimLibrary()
+lib.set_library_names("ntoskrnl.exe")
+lib.add_all_from_dict(P["win32_kernel"])
+lib.set_default_cc("X86", SimCCStdcall)
+lib.set_default_cc("AMD64", SimCCMicrosoftAMD64)

angr/procedures/win32_kernel/ExAllocatePool.py

@@ -0,0 +1,12 @@
+# pylint: disable=missing-class-docstring
+import claripy
+
+import angr
+
+
+class ExAllocatePool(angr.SimProcedure):
+    def run(self, PoolType, NumberOfBytes):  # pylint:disable=arguments-differ, unused-argument
+        addr = self.state.heap._malloc(NumberOfBytes)
+        memset = angr.SIM_PROCEDURES["libc"]["memset"]
+        self.inline_call(memset, addr, claripy.BVV(0, 8), NumberOfBytes)  # zerofill
+        return addr

angr/procedures/win32_kernel/ExFreePoolWithTag.py

@@ -0,0 +1,7 @@
+# pylint: disable=missing-class-docstring
+from angr import SimProcedure
+
+
+class ExFreePoolWithTag(SimProcedure):
+    def run(self, P, Tag):  # pylint:disable=arguments-differ, unused-argument
+        self.state.heap._free(P)

angr/procedures/win32_kernel/__init__.py

@@ -0,0 +1,3 @@
+"""
+These procedures implement functions from the Windows kernel.
+"""

angr/storage/memory_mixins/__init__.py

@@ -58,7 +58,7 @@ class MemoryMixin(SimStatePlugin):
                 to_add = c
             self.state.add_constraints(to_add)
 
-    def load(self, addr, **kwargs):
+    def load(self, addr, size=None, **kwargs):
         pass
 
     def store(self, addr, data, **kwargs):