[angr] Help with angr

Niddodi, Chaitra chaitra at illinois.edu
Sun Mar 11 20:09:11 PDT 2018

Quick question - why does angr not generate the complete set of syscalls like how strace does? Is there a way to get the entire list using angr?

From: Audrey Dutcher [audrey at rhelmot.io]
Sent: Sunday, March 11, 2018 4:34 PM
To: Niddodi, Chaitra
Cc: angr at lists.cs.ucsb.edu
Subject: Re: [angr] Help with angr


If your binary is dynamically linked, angr will provide its own implementations of many common library functions, called SimProcedures. These implementations are just as privileged as a syscall from angr's point of view, so if the function would normally need to invoke a syscall in order to finish, it will not actually call a syscall since the SimProcedure can just tweak the state at the highest permission level it likes. There is not a mapping available for which procedure implementations "implicitly perform syscalls".

To disable the use of these models, you should provide use_sim_procedures=False to the Project constructor. However, you must have all the dynamic libraries requested by the program available. angr will search in a few places for these, notably in your system libs folders, in the current working directory, and in the same folder as the binary. You can set except_missing_libs=True to throw an exception if any library is not available.

- Audrey

On Sun, Mar 11, 2018 at 2:14 PM, Niddodi, Chaitra <chaitra at illinois.edu> wrote:
I'm trying to use angr to get the list of syscalls from the binary of a simple C code. However, there are no syscalls listed in the output.

This is my test code:


Where am I going wrong?


From: Audrey Dutcher [audrey at rhelmot.io]
Sent: Wednesday, February 14, 2018 3:24 PM
To: Niddodi, Chaitra
Cc: angr at lists.cs.ucsb.edu
Subject: Re: [angr] Help with angr

Of course - you can just add an instrumentation breakpoint (SimInspect) on syscalls, and you'll be notified whenever there's a syscall. However, "exploring all paths" is rarely a feasible analysis option due to the number of paths being exponential with respect to the number of branches. You could control this state explosion via an exploration technique that decides how to explore the state space, but you may run into issues with environment support - if the decision to call one syscall is based on the output of another syscall for which angr doesn't have a model implemented, that syscall will appear impossible to reach.

On Tue, Feb 13, 2018 at 7:30 PM, Niddodi, Chaitra <chaitra at illinois.edu> wrote:

I have a quick question. Using angr, can I get the list of all possible system calls by exploring all paths in the binary?


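The two suggestions in the thread, a SimInspect breakpoint on syscalls and a Project built with use_sim_procedures=False and except_missing_libs=True, combined into one script as an added example that is not code from the thread or from the angr project. The names SyscallRecorder, collect_syscalls and max_steps are hypothetical; it assumes angr is installed and the binary's shared libraries can be found, and it bounds the number of steps because exhaustive path exploration is rarely feasible.

```python
from collections import Counter


class SyscallRecorder:
    """SimInspect action that tallies syscall names over every explored state."""

    def __init__(self):
        self.counts = Counter()

    def __call__(self, state):
        # angr sets state.inspect.syscall_name for the 'syscall' event.
        name = state.inspect.syscall_name
        self.counts[name if name else "<unknown>"] += 1

    def names(self):
        return sorted(self.counts)


def collect_syscalls(binary_path, max_steps=2000, use_sim_procedures=False):
    """Symbolically execute binary_path and record the syscalls that are reached.

    max_steps (hypothetical parameter) caps exploration; anything beyond the
    cap, or behind a syscall angr has no model for, will not be listed.
    """
    import angr  # imported here so the recorder can be used without angr

    proj = angr.Project(
        binary_path,
        use_sim_procedures=use_sim_procedures,  # False: run the real libc code
        except_missing_libs=True,               # fail loudly if a library is absent
    )
    recorder = SyscallRecorder()
    state = proj.factory.entry_state()
    # The breakpoint is carried into every successor state during exploration.
    state.inspect.b("syscall", when=angr.BP_AFTER, action=recorder)
    simgr = proj.factory.simulation_manager(state)
    simgr.run(n=max_steps)
    return recorder


if __name__ == "__main__":
    import sys

    rec = collect_syscalls(sys.argv[1])
    for name, hits in rec.counts.most_common():
        print(f"{hits:6d}  {name}")
```

Unlike strace, the result covers only the paths explored within the step budget, so a short list can mean an exploration limit rather than a binary that makes few syscalls.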