[angr] Help with angr

Audrey Dutcher audrey at rhelmot.io
Sun Mar 11 14:34:29 PDT 2018


If your binary is dynamically linked, angr will provide its own
implementations of many common library functions, called SimProcedures.
These implementations are just as privileged as a syscall from angr's
point of view, so if the function would normally need to invoke a syscall
in order to finish, it will not actually call a syscall since the
SimProcedure can just tweak the state at the highest permission level it
likes. There is not a mapping available for which procedure implementations
"implicitly perform syscalls".

To disable the use of these models, you should provide
use_sim_procedures=False to the Project constructor. However, you must have
all the dynamic libraries requested by the program available. angr will
search in a few places for these, notably in your system libs folders, in
the current working directory, and in the same folder as the binary. You
can set except_missing_libs=True to throw an exception if any library is
not available.

- Audrey

On Sun, Mar 11, 2018 at 2:14 PM, Niddodi, Chaitra <chaitra at illinois.edu>

> I'm trying to use angr to get the list of syscalls from the binary of a
> simple C code. However, there are no syscalls listed in the output.
> This is my test code:
> Where am I going wrong?
> Thanks,
> Chaitra
> ________________________________________
> From: Audrey Dutcher [audrey at rhelmot.io]
> Sent: Wednesday, February 14, 2018 3:24 PM
> To: Niddodi, Chaitra
> Cc: angr at lists.cs.ucsb.edu
> Subject: Re: [angr] Help with angr
> Of course - you can just add an instrumentation breakpoint (SimInspect) on
> syscalls, and you'll be notified whenever there's a syscall. However,
> "exploring all paths" is rarely a feasible analysis option due to the
> number of paths being exponential with respect to the number of branches.
> You could control this state explosion via an exploration technique that
> decides how to explore the state space, but you may run into issues with
> environment support - if the decision to call one syscall is based on the
> output of another syscall for which angr doesn't have a model implemented,
> that syscall will appear impossible to reach.
> On Tue, Feb 13, 2018 at 7:30 PM, Niddodi, Chaitra <chaitra at illinois.edu> wrote:
> Hello,
> I have a quick question. Using angr, can I get the list of all possible
> system calls by exploring all paths in the binary?
> Thanks,
> Chaitra
> _______________________________________________
> angr mailing list
> angr at lists.cs.ucsb.edu
> https://lists.cs.ucsb.edu/mailman/listinfo/angr
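
The two suggestions in this thread combined, as an added example that is not code from the thread or from the angr project: load the binary with use_sim_procedures=False and except_missing_libs=True so the real library code runs, and register a SimInspect breakpoint on the syscall event. The names make_recorder, trace_syscalls and max_steps are hypothetical, and the step budget is an assumption made to keep the exploration bounded.

```python
"""Added example: record the syscalls angr reaches when real libraries run."""
from collections import Counter


def make_recorder(seen):
    """Return a SimInspect action that counts each syscall name into `seen`."""
    def on_syscall(state):
        # angr sets state.inspect.syscall_name for the 'syscall' event.
        seen[str(state.inspect.syscall_name)] += 1
    return on_syscall


def trace_syscalls(binary_path, max_steps=2000):
    """Bounded exploration; returns a Counter of syscall names (hits over all paths)."""
    import angr  # lazy import: the recorder above can be exercised without angr

    proj = angr.Project(
        binary_path,
        use_sim_procedures=False,  # execute the real library code, not the models
        except_missing_libs=True,  # raise instead of continuing without a library
    )
    state = proj.factory.entry_state()
    seen = Counter()
    # The breakpoint is inherited by every successor state of this entry state.
    state.inspect.b("syscall", when=angr.BP_BEFORE, action=make_recorder(seen))

    simgr = proj.factory.simulation_manager(state)
    for _ in range(max_steps):  # step budget: path count grows with each branch
        if not simgr.active:
            break
        simgr.step()
    return seen


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: trace_syscalls.py <dynamically-linked-binary>")
    for name, hits in sorted(trace_syscalls(sys.argv[1]).items()):
        print(f"{hits:6d}  {name}")
```

The result is only the set of syscalls reached within the step budget; a syscall guarded by the output of another syscall that angr has no model for will not show up.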