[angr] keeping state in path explorer / hooking hooked functions?
andrew at andrewdutcher.com
Thu Sep 15 22:26:13 PDT 2016
Whoops! Somehow I typo'd "exploration technique" as "otiegnqwvk" twice
in the same message. Sorry about that.
On Thu, Sep 15, 2016 at 10:25 PM, Andrew Dutcher
<andrew at andrewdutcher.com> wrote:
> I removed the threads=1 argument and the script worked immediately,
> barring your typo of `p` as `o` in the check function... it looks like
> the threading otignqwvk and the exploration otiegnqwvk interact poorly
> somehow... Let me see about how that can be fixed.
> On Thu, Sep 15, 2016 at 8:22 PM, Jasper van Woudenberg
> <vanwoudenberg at na.riscure.com> wrote:
>> Hi Andrew,
>> Thanks for your quick reply. I'll play with path.info for #2.
>> Re #1, I've attached a test C program and angr script. I've tried both options (CFG and loader symbols) to try to grab malloc calls, but failed on both attempts. Screen output below; neither prints the string "Malloc found", so my check function never detected a malloc() call... I'm puzzled.
>> Option 1:
>> (angr) $ python malloctest_angr
>> WARNING | 2016-09-15 20:15:16,813 | simuvex.s_run | Exit state has over 257 possible solutions. Likely unconstrained; skipping. <BV64 mem_601018_4_64>
>> WARNING | 2016-09-15 20:15:17,229 | simuvex.s_run | Exit state has over 257 possible solutions. Likely unconstrained; skipping. <BV64 reg_10_5_64>
>> WARNING | 2016-09-15 20:15:17,634 | simuvex.s_run | Exit state has over 257 possible solutions. Likely unconstrained; skipping. <BV64 reg_10_6_64>
>> Found malloc's address at 0x1000010L!
>> malloc addr 0x1000010L
>> <PathGroup with 1 active>
>> Option 2:
>> (angr) $ python malloctest_angr
>> malloc addr 0x1083550
>> <PathGroup with 1 deadended>
>> On 09/14/2016 11:33 PM, Andrew Dutcher wrote:
>>> So, I'm very confused about what you describe for #1 - My tests
>>> indicate that you absolutely can check that p.addr == A in a check
>>> function, even if A is the address of a hook. This will not capture
>>> calls to malloc from within libc or within a simprocedure, though. If
>>> the latter is your use case, we might have to add a SimInspect target
>>> for simprocedure calls. If the former is your use case, you can get
>>> that address with
>>> though it is very dangerous to try to symbolically execute through
>>> libc's malloc.
>>> On Wed, Sep 14, 2016 at 11:24 PM, Andrew Dutcher
>>> <andrew at andrewdutcher.com> wrote:
>>>> For #2 - path.info is a dictionary whose items will be copied to all
>>>> the descendants of the path!
>>>> I'll need to think about #1 for a few minutes to understand what
>>>> you're trying to do and if it's reasonable.
>>>> On Wed, Sep 14, 2016 at 8:30 PM, Jasper van Woudenberg
>>>> <vanwoudenberg at na.riscure.com> wrote:
>>>>> First, thanks a lot for the tons of excellent work that went into Angr; you put symbolic execution in the hands of simple people like me. I'm enjoying poking around binaries with it :)
>>>>> I'm trying to create a "found" condition for the path group explorer based on history of arguments passed to an already hooked libc function (in my case malloc). For example, I'd like to terminate on the third call to malloc. I'm facing two issues:
>>>>> 1. I can resolve malloc in the CFG KB, and this gives the 'hooked' address A, not the libc address for malloc. I do a "path_group.explore(find=check)", and in check(p) I check whether p.addr == A. However, this is never true (even though malloc is called). How do I process a malloc call in check(), while still retaining the original hook?
>>>>> 2. I don't know how to keep state in the check(p) function for a specific path, to keep my counter. How do I add state to a path?
>>>>> Any pointers to how I can address 1. and 2? Thanks for your help.
>> Jasper van Woudenberg (@jzvw)
>> CTO North America
>> Riscure North America
>> T: (650) 646 9979
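As an added example (not code from the thread or from angr itself): a `find` predicate for the "terminate on the third malloc() call" condition Jasper describes, with the per-path counter kept in `path.info` as Andrew suggests. The angr setup assumes the 2016-era PathGroup API used in the thread and resolves the hooked address through the CFG knowledge base (the thread's Option 1); the binary name `./malloctest` and that CFG lookup are assumptions.

```python
MALLOC_LIMIT = 3  # stop a path on its third malloc() call


def make_check(malloc_addr, limit=MALLOC_LIMIT):
    """Build the `find` predicate for path_group.explore(find=...).

    It only touches p.addr and p.info. p.info is the dict angr copies to every
    descendant of a path, so the counter stored in it is local to each path.
    """
    def check(p):
        # The hooked address is hit once per call, so count it when we land there.
        if p.addr != malloc_addr:
            return False
        p.info['malloc_count'] = p.info.get('malloc_count', 0) + 1
        return p.info['malloc_count'] >= limit
    return check


def explore_binary(binary_path):
    """Explore a binary until some path has called malloc() three times (needs angr)."""
    import angr  # imported here so the predicate can be dry-run without angr installed

    proj = angr.Project(binary_path, load_options={'auto_load_libs': False})
    # Assumption: the *hooked* (SimProcedure) address of malloc is taken from the
    # CFG knowledge base, the thread's "Option 1"; loader symbols ("Option 2")
    # gave the libc address, which exploration never reached.
    cfg = proj.analyses.CFG()
    malloc_addr = cfg.kb.functions.function(name='malloc').addr
    print('malloc hooked at %#x' % malloc_addr)

    pg = proj.factory.path_group(proj.factory.entry_state())
    # No threads= argument: in the thread, threading and the exploration
    # technique interacted poorly.
    pg.explore(find=make_check(malloc_addr))
    for found in pg.found:
        print('third malloc reached at %#x (count=%d)'
              % (found.addr, found.info['malloc_count']))
    return pg.found


if __name__ == '__main__':
    explore_binary('./malloctest')  # assumed binary name
```

The predicate needs nothing but `addr` and `info` on the path object, so it can be checked on stand-in objects before pointing it at a real binary.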