[angr] CFG for self-modifying code

Fish Wang fish at cs.ucsb.edu
Mon Jan 11 18:51:02 PST 2016


Hi Sean,

CFG does not support self-modifying code right now (since it's pure static analysis). You might want to use symbolic execution in angr to execute or dump all the shellcode being executed. With that information, it's very easy to show addresses, instructions, and even states of everything along the path. If you want to generate a CFG for self-modifying code, you really have to faithfully simulate the execution, which is difficult for a static analysis to do.

We've done it for some CTF challenges (that have some simple unpacking or self-modification mechanisms). They are not included in the angr-doc repo, though, sorry :-(

Best,

Fish

 

From: angr [mailto:angr-bounces at lists.cs.ucsb.edu] On Behalf Of spark at trendmicro.com
Sent: Monday, January 11, 2016 7:58 PM
To: angr at lists.cs.ucsb.edu
Subject: [angr] CFG for self-modifying code

Hi people,

I was trying to get CFG for a self-modifying shellcode. I used the following code.

    import angr

    # support_selfmodifying_code lets angr lift blocks from state memory instead of the file image
    project = angr.Project('shellcode.exe', support_selfmodifying_code=True, load_options={'auto_load_libs': False})
    cfg = project.analyses.CFG(keep_state=True, enable_symbolic_back_traversal=True)

It appears angr creates a CFG for the original code instead of the modified code. Is there any way to get a CFG by symbolically executing the code? Any example code to do this showing address and disassembly for each path will be much appreciated.

Regards,

Sean
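Fish's suggestion, worked out as an added example (this is not code from the thread, from Fish, or from the angr project): instead of asking the static CFG, step the program with a simulation manager and lift every basic block from the memory of the state that is about to execute it, so patched bytes are what gets disassembled, and key the resulting graph by (address, code bytes) so an address that holds different code at different times shows up as different nodes. The example assumes the current angr API (`Project`, `factory.simgr`, `state.block()`, `block.capstone.insns`, `state.globals`), not the 2016 path-group API; `DynamicCFG`, `build_dynamic_cfg`, `trace_with_angr` and `sample_trace` are names chosen here. angr is imported lazily inside `trace_with_angr` so that the constructed sample trace at the bottom (hypothetical x86 bytes, not from Sean's shellcode) runs without angr installed.

```python
"""Trace-driven CFG for self-modifying code with angr.

Added example for the thread above; it is not code from the original
post, from Fish, or from the angr project.  A static CFG lifts every
address once from the bytes on disk, so instructions the shellcode
rewrites at run time never appear in it.  Here each basic block is
instead lifted from the memory of the state about to execute it, and
the graph is keyed by (address, code bytes), so an address that holds
different code at different times becomes different nodes.
"""
from collections import defaultdict


class DynamicCFG:
    """Execution-derived CFG whose node key is (address, code_bytes)."""

    def __init__(self):
        self.nodes = {}                # key -> disassembly lines
        self.edges = defaultdict(set)  # key -> successor keys

    def add_block(self, prev_key, addr, code, disasm):
        key = (addr, bytes(code))
        self.nodes.setdefault(key, list(disasm))
        if prev_key is not None:
            self.edges[prev_key].add(key)
        return key

    def versions_at(self, addr):
        """Distinct code variants that executed at addr (one for static code)."""
        return [k for k in self.nodes if k[0] == addr]

    def dump(self):
        out = []
        for (addr, code), disasm in sorted(self.nodes.items()):
            out.append(f"block {addr:#x} bytes={code.hex()}")
            out.extend(f"    {line}" for line in disasm)
            for saddr, scode in sorted(self.edges.get((addr, code), ())):
                out.append(f"    -> {saddr:#x} ({scode.hex()})")
        return "\n".join(out)


def build_dynamic_cfg(records):
    """records: iterable of (prev_key, addr, code_bytes, disasm_lines)."""
    cfg = DynamicCFG()
    for prev_key, addr, code, disasm in records:
        cfg.add_block(prev_key, addr, code, disasm)
    return cfg


def trace_with_angr(binary, max_steps=10000):
    """Yield one (prev_key, addr, code_bytes, disasm_lines) per executed block.

    Needs angr (imported lazily so the offline sample below runs without it).
    """
    import angr

    project = angr.Project(binary, support_selfmodifying_code=True,
                           load_options={'auto_load_libs': False})
    simgr = project.factory.simgr(project.factory.entry_state())
    steps = 0
    while simgr.active and steps < max_steps:
        for state in simgr.active:
            # state.block() lifts from THIS state's memory, so bytes the
            # shellcode has already patched are what gets disassembled.
            block = state.block()
            key = (state.addr, bytes(block.bytes))
            disasm = [f"{i.address:#x}: {i.mnemonic} {i.op_str}".rstrip()
                      for i in block.capstone.insns]
            yield state.globals.get('prev_key'), state.addr, block.bytes, disasm
            # state.globals is copied into every successor, so each child
            # state knows which block version produced it.
            state.globals['prev_key'] = key
        simgr.step()
        steps += 1


# Constructed sample trace (hypothetical 32-bit x86 stub, not from the thread):
# execution enters at 0x1010, which jumps to 0x1000; 0x1000 XORs the byte at
# 0x1010 (0xeb ^ 0x28 = 0xc3) and jumps back, so 0x1010 now executes as ret.
STUB = bytes.fromhex("80351010000028"   # xor byte ptr [0x1010], 0x28
                     "eb07")            # jmp 0x1010


def sample_trace():
    v1 = (0x1010, b"\xeb\xee")  # jmp 0x1000  (bytes as loaded)
    stub = (0x1000, STUB)
    return [
        (None, 0x1010, b"\xeb\xee", ["0x1010: jmp 0x1000"]),
        (v1, 0x1000, STUB, ["0x1000: xor byte ptr [0x1010], 0x28",
                            "0x1007: jmp 0x1010"]),
        (stub, 0x1010, b"\xc3", ["0x1010: ret"]),  # same address, new code
    ]


if __name__ == "__main__":
    print(build_dynamic_cfg(sample_trace()).dump())
```

On the constructed trace a static CFG would show 0x1000 and 0x1010 as an infinite loop; the execution-derived graph has two nodes for 0x1010 (the original `jmp` and the patched `ret`). For a real target, `build_dynamic_cfg(trace_with_angr('shellcode.exe'))` records exactly what each state executed and `versions_at(addr)` lists every address that was rewritten. Two caveats: the loop above explores every active state breadth-first, so a loop bounded by symbolic input needs `max_steps` or a veritesting/limiter technique to terminate; and if the input is raw shellcode rather than a PE, CLE has to be told the architecture and base address through the blob backend (`main_opts={'backend': 'blob', 'arch': 'x86', 'base_addr': ...}` in current CLE).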


