[angr] identifying statically- and/or dynamically-linked library calls

Chris Salls chrissalls5 at gmail.com
Fri May 6 18:19:52 PDT 2016


For dynamically linked binaries you might look at
project.loader.main_bin.plt

On Fri, May 6, 2016 at 6:05 PM, Yan <zardus at gmail.com> wrote:

> Hello,
>
> Sorry about the late response; I was trying to be lazy and see if someone
> else would answer it :-)
>
> For statically linked binaries, the only thing we really have that can
> identify functions is probably the bindiff implementation (see
> `project.analyses.BinDiff`), by abusing it to detect functions similar to
> the function you want to identify. It's not really made for this, but could
> probably work. We don't have FLIRT itself implemented, though.
>
> The dynamic case is tricky... I was going to say that you should use
> CFGFast to get all functions that end in a single indirect jump, but
> CFGFast probably won't support what you need. Fish, do you have any ideas?
>
> - Yan
>
> On Tue, May 3, 2016 at 1:06 PM, Hira Agrawal <hagrawal at appcomsci.com>
> wrote:
>
>> How do I use angr to identify calls to statically- and/or dynamically
>> linked library functions in a binary? I want to find all Vex statements
>> that call functions such as read, fread, getc, fgetc, scanf, etc., in a
>> binary, so I can use angr's VSA_DDG analysis to find all other statements
>> that directly or indirectly depend upon such calls.
>>
>> IDA employs its FLIRT technology to identify statically linked library
>> functions. Is there an analogous technique in angr?
>>
>> For dynamically linked library functions, binaries often contain thunk
>> "functions" that end with an indirect jump via an entry in a table stored
>> in the data segment. Is there a way in angr to identify such calls and
>> their target library functions?
>>
>> Thanks.
>>
>> -- Hira
>>
>> _______________________________________________
>> angr mailing list
>> angr at lists.cs.ucsb.edu
>> https://lists.cs.ucsb.edu/mailman/listinfo/angr
>>
>
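
The thunk-and-table pattern from the original question, and the PLT the reply points at, as an added example (not code from this thread and not angr's own code). It maps each PLT stub to its import through the GOT slot the stub jumps through, then lists direct calls that land on a stub. The bytes, addresses and import table are constructed, and 16-byte x86-64 `jmp [rip+disp32]` stubs are assumed.

```python
import struct

# Constructed x86-64 sample, not taken from a real binary.
PLT_BASE, TEXT_BASE = 0x401020, 0x401100
# GOT slot -> imported name, as R_X86_64_JUMP_SLOT entries in .rela.plt would give
JUMP_SLOTS = {0x404018: "read", 0x404020: "fgetc", 0x404028: "puts"}

def _stub(addr, slot):
    # jmp qword ptr [rip+disp32], padded to the assumed 16-byte stub size
    return b"\xff\x25" + struct.pack("<i", slot - (addr + 6)) + b"\xcc" * 10

def _call(addr, target):
    # call rel32: the displacement is relative to the end of the 5-byte instruction
    return b"\xe8" + struct.pack("<i", target - (addr + 5))

PLT = b"".join(_stub(PLT_BASE + 16 * i, s) for i, s in enumerate(JUMP_SLOTS))
# .text: call read@plt; nop; call puts@plt; call 0x401200 (a local function); ret
TEXT = (_call(0x401100, 0x401020) + b"\x90" + _call(0x401106, 0x401040)
        + _call(0x40110B, 0x401200) + b"\xc3")

def resolve_plt(plt, base, jump_slots):
    """Map each PLT stub address to the import whose GOT slot it jumps through."""
    stubs = {}
    for off in range(0, len(plt) - 5, 16):
        if plt[off:off + 2] != b"\xff\x25":
            continue  # not an indirect-jump thunk
        disp, = struct.unpack_from("<i", plt, off + 2)
        slot = base + off + 6 + disp  # RIP-relative: next instruction + disp32
        if slot in jump_slots:
            stubs[base + off] = jump_slots[slot]
    return stubs

def library_calls(text, base, stubs):
    """Return (call-site address, import name) for direct calls that hit a stub."""
    hits = []
    # Linear byte sweep is a simplification; a real analysis would use a
    # disassembler or recovered CFG so operand bytes are never read as opcodes.
    for off in range(len(text) - 4):
        if text[off] == 0xE8:
            rel, = struct.unpack_from("<i", text, off + 1)
            target = base + off + 5 + rel
            if target in stubs:
                hits.append((base + off, stubs[target]))
    return hits

if __name__ == "__main__":
    for site, name in library_calls(TEXT, TEXT_BASE, resolve_plt(PLT, PLT_BASE, JUMP_SLOTS)):
        print(f"{site:#x}: call {name}@plt")
```
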