[angr] identifying statically- and/or dynamically-linked library calls

Yan zardus at gmail.com
Fri May 6 18:05:42 PDT 2016


Sorry about the late response; I was trying to be lazy and see if someone
else would answer it :-)

For statically linked binaries, the only thing we really have that can
identify functions is probably the bindiff implementation (see
`project.analyses.BinDiff`), by abusing it to detect functions similar to
the function you want to identify. It's not really made for this, but could
probably work. We don't have FLIRT itself implemented, though.

The dynamic case is tricky.. I was going to say that you should use CFGFast
to get all functions that end in a single indirect jump, but CFGFast
probably won't support what you need. Fish, do you have any ideas?

- Yan

On Tue, May 3, 2016 at 1:06 PM, Hira Agrawal <hagrawal at appcomsci.com> wrote:

> How do I use angr to identify calls to statically- and/or dynamically
> linked library functions in a binary? I want to find all Vex statements
> that call functions such read, fread, getc, fgetc, scanf, etc., in a
> binary, so I can use angr's VSA_DDG analysis to find all other statements
> that directly or indirectly depend upon such calls.
> IDA employs its FLIRT technology to identify statically linked library
> functions. Is there an analogous technique in angr?
> For dynamically linked library functions, binaries often contain thunk
> "functions" that end with an indirect jump via an entry in a table stored
> in the data segment. Is there a way in angr to identify such calls and
> their target library functions?
> Thanks.
> -- Hira
> _______________________________________________
> angr mailing list
> angr at lists.cs.ucsb.edu
> https://lists.cs.ucsb.edu/mailman/listinfo/angr
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cs.ucsb.edu/pipermail/angr/attachments/20160506/9c8a4718/attachment.html>

More information about the angr mailing list