[angr] CFG for self-modifying code

Yan zardus at gmail.com
Mon Jan 11 18:54:58 PST 2016


If you know when the shellcode is fully unpacked (if such a point exists),
you can push the memory contents back into CLE (Andrew can probably give
you some pointers on doing this) and then simply treat it as a separate
program with a different entry point. It could be cool to have official API
support for such an action, actually (if you want to get your hands dirty
and send along a PR!).

- Yan
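The two answers in this thread describe one workflow: a static CFG stops at the bytes the unpacking stub has not yet rewritten, so you emulate up to the point where the code is fully unpacked, snapshot memory, and analyse the snapshot as a separate program with a new entry point. The following is an added example, not code from the thread or from angr, that shows that workflow end to end on a toy byte-code machine so it runs offline; the ISA, the memory image, the `KEY` and the "fully unpacked" heuristic (the first time the PC lands on a byte written since load) are all constructed here for illustration. In angr the same steps would be taken against the real state's memory and a fresh `Project`, as Yan suggests.

```python
"""Toy demonstration: a static CFG over the original bytes ends at the packed
region, while a CFG over a memory snapshot taken once the stub has finished
unpacking recovers the real control flow. The ISA below is constructed for
this example and is not angr's."""

# One-byte opcodes of the toy machine (constructed for this example).
HALT, NOP, JMP, JZ, XOR, DEC = 0x00, 0x01, 0x02, 0x03, 0x04, 0x05
LENGTH = {HALT: 1, NOP: 1, JMP: 2, JZ: 2, XOR: 4, DEC: 1}
# XOR a, n, k : mem[a..a+n) ^= k   (the unpacking primitive)
# JZ a        : branch to a if the accumulator is zero, else fall through
# DEC         : accumulator -= 1


def decode(mem, pc):
    """Return (opcode, operands, length), or None if the byte at pc is not an opcode."""
    op = mem[pc]
    if op not in LENGTH:
        return None
    n = LENGTH[op]
    return op, tuple(mem[pc + 1:pc + n]), n


def build_cfg(mem, entry):
    """Recursive-descent CFG over a byte image: {block_start: sorted successors}.
    A block that runs into an undecodable byte maps to None, which is exactly
    what a static analysis sees when it reaches still-packed code. Jump targets
    that land inside an existing block simply start a second, overlapping block."""
    cfg, work = {}, [entry]
    while work:
        start = work.pop()
        if start in cfg:
            continue
        pc, succs = start, []
        while True:
            ins = decode(mem, pc)
            if ins is None:
                succs = None          # static view ends at the packed bytes
                break
            op, ops, n = ins
            if op == HALT:
                break
            if op == JMP:
                succs = [ops[0]]
                break
            if op == JZ:
                succs = sorted({pc + n, ops[0]})   # fall-through and target
                break
            pc += n
        cfg[start] = succs
        work.extend(succs or [])
    return cfg


def run_until_unpacked(mem, entry, acc=3, max_steps=10_000):
    """Emulate from entry and stop the first time the PC lands on a byte that
    was written after load (the 'fully unpacked' point). Returns (snapshot, pc);
    pc is None if the program halts without ever executing rewritten bytes."""
    mem, dirty, pc = bytearray(mem), set(), entry
    for _ in range(max_steps):
        if pc in dirty:
            return bytes(mem), pc
        ins = decode(mem, pc)
        if ins is None:
            raise RuntimeError(f"bad opcode at {pc:#04x}")
        op, ops, n = ins
        if op == HALT:
            return bytes(mem), None
        if op == XOR:
            a, cnt, k = ops
            for i in range(a, a + cnt):
                mem[i] ^= k
                dirty.add(i)
            pc += n
        elif op == JMP:
            pc = ops[0]
        elif op == JZ:
            pc = ops[0] if acc == 0 else pc + n
        elif op == DEC:
            acc -= 1
            pc += n
        else:
            pc += n
    raise RuntimeError("step limit reached before the unpacked code ran")


# Constructed sample image: a 6-byte stub at 0x00 XOR-decodes the 8-byte payload
# at 0x10 and jumps into it. The payload is a small loop (DEC / JZ / NOP / JMP / HALT).
KEY = 0x5A
PAYLOAD = bytes([DEC, JZ, 0x16, NOP, JMP, 0x10, HALT, NOP])
_img = bytearray(0x20)
_img[0:6] = bytes([XOR, 0x10, len(PAYLOAD), KEY, JMP, 0x10])
_img[0x10:0x18] = bytes(b ^ KEY for b in PAYLOAD)
IMAGE = bytes(_img)

if __name__ == "__main__":
    print("static CFG over original bytes:", build_cfg(IMAGE, 0))
    snapshot, new_entry = run_until_unpacked(IMAGE, 0)
    print(f"unpack complete; new entry point {new_entry:#04x}")
    print("CFG over snapshot from new entry:", build_cfg(snapshot, new_entry))
```

The static pass reports the stub's block and then a `None` successor set at `0x10`, because the packed bytes do not decode; the pass over the snapshot, started at the entry where execution first touched rewritten memory, yields the loop's three blocks. The dirty-byte heuristic is the simplest "unpacked point" detector and only finds the first stage: a multi-stage unpacker needs the snapshot taken again after each stage, as the first reply hints with "if such a point exists".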

On Mon, Jan 11, 2016 at 6:51 PM, Fish Wang <fish at cs.ucsb.edu> wrote:

> Hi Sean,
>
> CFG does not support self-modifying code right now (since it’s pure static
> analysis). You might want to use symbolic execution in angr to execute or
> dump all the shellcode being executed. With that information, it’s very
> easy to show addresses, instructions, and even states of everything along
> the path. If you want to generate a CFG for self-modifying code, you really
> have to loyally simulate the execution, which is difficult for a static
> analysis to do.
>
> We’ve done it for some CTF challenges (that have some simple unpacking or
> self-modification mechanisms). They are not included in the angr-doc repo
> though, sorry :-(
>
> Best,
>
> Fish
>
> From: angr [mailto:angr-bounces at lists.cs.ucsb.edu] On Behalf Of
> spark at trendmicro.com
> Sent: Monday, January 11, 2016 7:58 PM
> To: angr at lists.cs.ucsb.edu
> Subject: [angr] CFG for self-modifying code
>
> Hi people,
>
> I was trying to get a CFG for a self-modifying shellcode. I used the
> following code.
>
> import angr
>
> project = angr.Project('shellcode.exe', support_selfmodifying_code=True,
>                        load_options={'auto_load_libs': False})
> cfg = project.analyses.CFG(keep_state=True,
>                            enable_symbolic_back_traversal=True)
>
> It appears angr creates a CFG for the original code instead of the
> modified code. Is there any way to get a CFG by symbolically executing the
> code? Any example code to do this showing address and disassembly for each
> path will be much appreciated.
>
> Regards,
>
> Sean
>
> _______________________________________________
> angr mailing list
> angr at lists.cs.ucsb.edu
> https://lists.cs.ucsb.edu/mailman/listinfo/angr