[angr] Angr and virtual function calls

Chris Salls chrissalls5 at gmail.com
Sat Oct 29 19:40:08 PDT 2016


Hi,

When using CFGAccurate() you will need to load the binary without loading
the libraries, since the libraries will include things we don't model.
b = angr.Project('a.out', load_options={"auto_load_libs":False})

I would guess that you will need a sim_procedure for new (or its name-mangled
version "__Znwm") to have angr get the correct successor.

-Salls


On Fri, Oct 28, 2016 at 11:10 AM, Julian Kranz <kranzj at in.tum.de> wrote:

> Hi there,
>
> I'm new to Angr, so please bear with me if the following question is
> stupid :-D. I'm working on a control flow graph reconstruction tool myself
> and wanted to compare its results with Angr's. I have been using the
> following script to generate a CFG using Angr:
>
> import angr
> b = angr.Project('/path/to/a.out')
> cfg = b.analyses.CFGAccurate()
> from angrutils import *
> plot_cfg(cfg, "ais3_cfg", asminst=True, remove_imports=True,
> remove_path_terminator=True)
>
> I've tried an example program that contains a virtual function call:
>
> struct hugo {
>   virtual int foo() {
>     return 99;
>   }
>   virtual ~hugo() { }
> };
>
> struct inge : public hugo {
>   virtual int foo() {
>     return 42;
>   }
>   virtual ~inge() { }
> };
>
> int main(int argc, char **argv) {
>   hugo *h = new inge();
>   auto x = h->foo();
>   return x;
> }
>
> Angr gets stuck for about 20 minutes before it terminates with the
> following error message:
>
> Traceback (most recent call last):
>   File "test_angr.py", line 5, in <module>
>     plot_cfg(cfg, "ais3_cfg", asminst=True, remove_imports=True,
> remove_path_terminator=True)
>   File "/home/jucs/virtualenvs/angr/local/lib/python2.7/site-packages/angrutils/visualize.py",
> line 26, in plot_cfg
>     vis.process(cfg.graph)
>   File "/home/jucs/virtualenvs/angr/local/lib/python2.7/site-packages/bingraphvis/base.py",
> line 220, in process
>     graph = self.pipeline.process()
>   File "/home/jucs/virtualenvs/angr/local/lib/python2.7/site-packages/bingraphvis/base.py",
> line 203, in process
>     c.render(n)
>   File "/home/jucs/virtualenvs/angr/local/lib/python2.7/site-packages/bingraphvis/base.py",
> line 105, in render
>     self.gen_render(n)
>   File "/home/jucs/virtualenvs/angr/local/lib/python2.7/site-packages/bingraphvis/angr/content.py",
> line 184, in gen_render
>     insns = self.project.factory.block(addr=addr, max_size=max_size,
> num_inst=size).capstone.insns
>   File "/home/jucs/virtualenvs/angr/local/lib/python2.7/site-packages/angr/lifter.py",
> line 152, in lift
>     raise AngrMemoryError("No bytes in memory for block starting at %#x."
> % addr)
> angr.errors.AngrMemoryError: No bytes in memory for block starting at 0x0.
>
> The example has been compiled with clang++ 3.8.1 in C++11 mode (no further
> configuration options). What am I doing wrong? Thank you for any tips you
> might have for me :-).
>
> Greetings,
> Julian Kranz
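The approach suggested in the reply, written out as an added example (not code from either poster): load the binary without shared libraries, hook the C++ allocation operators with angr's libc malloc/free SimProcedures so that `new inge()` yields a concrete heap object whose vtable pointer the call through `h->foo()` can be read from, then build the CFG. The `CXX_ALLOC_PROCS` table and the helper names are mine; it assumes the current angr/cle API (`hook_symbol`, `SIM_PROCEDURES`, `loader.main_object.imports`) and keeps the page's `CFGAccurate` name (later versions call the same analysis `CFGEmulated`).

```python
# Itanium C++ ABI mangled names of the global allocation operators, mapped to
# the libc SimProcedure that models each well enough for CFG recovery.
# (Table constructed for this example; `_Znwm` is the LP64 operator new.)
CXX_ALLOC_PROCS = {
    "_Znwm": "malloc",   # operator new(unsigned long)
    "_Znam": "malloc",   # operator new[](unsigned long)
    "_Znwj": "malloc",   # operator new(unsigned int)  (ILP32 targets)
    "_Znaj": "malloc",   # operator new[](unsigned int)
    "_ZdlPv": "free",    # operator delete(void*)
    "_ZdaPv": "free",    # operator delete[](void*)
    "_ZdlPvm": "free",   # sized operator delete(void*, unsigned long)
}


def select_alloc_hooks(import_names):
    """Return {imported symbol: libc procedure name} for the allocation
    operators this binary actually imports, so nothing is hooked blindly."""
    return {name: CXX_ALLOC_PROCS[name]
            for name in import_names if name in CXX_ALLOC_PROCS}


def build_cfg(path):
    """Load `path` without libraries, hook new/delete, build CFGAccurate."""
    import angr  # imported here so select_alloc_hooks() is usable without angr

    # As the reply says: do not load shared libraries, they contain code
    # angr does not model and the CFG explores into them.
    p = angr.Project(path, load_options={"auto_load_libs": False})

    # Without a model for operator new, the pointer returned to main is
    # unconstrained, the vtable load reads unconstrained memory and the
    # indirect call lands at 0x0 (the AngrMemoryError in the traceback).
    # malloc returns a concrete heap address, so the constructor's vtable
    # store and the later load both hit real memory.
    hooks = select_alloc_hooks(p.loader.main_object.imports.keys())
    for symbol, proc in hooks.items():
        p.hook_symbol(symbol, angr.SIM_PROCEDURES["libc"][proc]())

    cfg = p.analyses.CFGAccurate()
    return p, cfg, hooks


def unresolved_call_sites(cfg):
    """Nodes with a successor at address 0: the symptom of an unresolved
    indirect call. Empty once the virtual call resolves through the vtable."""
    return [n for n in cfg.graph.nodes()
            if any(s.addr == 0 for s in cfg.graph.successors(n))]
```

A quick sanity check after `p, cfg, hooks = build_cfg("a.out")` is that `hooks` contains `_Znwm` and `unresolved_call_sites(cfg)` is empty.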