HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
# Installation ```bash sudo apt-get install python3-dev libffi-dev build-essential python3 -m pip install --user virtualenv python3 -m venv ang source ang/bin/activate pip install angr ``` # Basic Actions ```python import angr import monkeyhex # this will format numerical results in hexadecimal #Load binary proj = angr.Project('/bin/true') #BASIC BINARY DATA proj.arch #Get arch "" proj.arch.name #'AMD64' proj.arch.memory_endness #'Iend_LE' proj.entry #Get entrypoint "0x4023c0" proj.filename #Get filename "/bin/true" #There are specific options to load binaries #Usually you won't need to use them but you could angr.Project('examples/fauxware/fauxware', main_opts={'backend': 'blob', 'arch': 'i386'}, lib_opts={'libc.so.6': {'backend': 'elf'}}) ``` # Loaded and Main object information ## Loaded Data ```python #LOADED DATA proj.loader # proj.loader.min_addr #0x400000 proj.loader.max_addr #0x5004000 proj.loader.all_objects #All loaded proj.loader.shared_objects #Loaded binaries """ OrderedDict([('true', ), ('libc.so.6', ), ('ld-linux-x86-64.so.2', ), ('extern-address space', ), ('cle##tls', )]) """ proj.loader.all_elf_objects #Get all ELF objects loaded (Linux) proj.loader.all_pe_objects #Get all binaries loaded (Windows) proj.loader.find_object_containing(0x400000)#Get object loaded in an address "" ``` ## Main Object ```python #Main Object (main binary loaded) obj = proj.loader.main_object # obj.execstack #"False" Check for executable stack obj.pic #"True" Check PIC obj.imports #Get imports obj.segments #, , ]> obj.find_segment_containing(obj.entry) #Get segment by address obj.sections #, <.interp | offset 0x238, vaddr 0x400238, size 0x1c>, <.note.ABI-tag | offset 0x254, vaddr 0x400254, size 0x20>, <.note.gnu.build-id ... obj.find_section_containing(obj.entry) #Get section by address obj.plt['strcmp'] #Get plt address of a funcion (0x400550) obj.reverse_plt[0x400550] #Get function from plt address ('strcmp') ``` ## Symbols and Relocations ```python strcmp = proj.loader.find_symbol('strcmp') # strcmp.name #'strcmp' strcmp.owne # strcmp.rebased_addr #0x1089cd0 strcmp.linked_addr #0x89cd0 strcmp.relative_addr #0x89cd0 strcmp.is_export #True, as 'strcmp' is a function exported by libc #Get strcmp from the main object main_strcmp = proj.loader.main_object.get_symbol('strcmp') main_strcmp.is_export #False main_strcmp.is_import #True main_strcmp.resolvedby # ``` ## Blocks ```python #Blocks block = proj.factory.block(proj.entry) #Get the block of the entrypoint fo the binary block.pp() #Print disassembly of the block block.instructions #"0xb" Get number of instructions block.instruction_addrs #Get instructions addresses "[0x401670, 0x401672, 0x401675, 0x401676, 0x401679, 0x40167d, 0x40167e, 0x40167f, 0x401686, 0x40168d, 0x401694]" ``` # Dynamic Analysis ## Simulation Manager, States ```python #Live States #This is useful to modify content in a live analysis state = proj.factory.entry_state() state.regs.rip #Get the RIP state.mem[proj.entry].int.resolved #Resolve as a C int (BV) state.mem[proj.entry].int.concreteved #Resolve as python int state.regs.rsi = state.solver.BVV(3, 64) #Modify RIP state.mem[0x1000].long = 4 #Modify mem #Other States project.factory.entry_state() project.factory.blank_state() #Most of its data left uninitialized project.factory.full_init_statetate() #Execute through any initializers that need to be run before the main binary's entry point project.factory.call_state() #Ready to execute a given function. #Simulation manager #The simulation manager stores all the states across the execution of the binary simgr = proj.factory.simulation_manager(state) #Start simgr.step() #Execute one step simgr.active[0].regs.rip #Get RIP from the last state ``` ## Calling functions * You can pass a list of arguments through `args` and a dictionary of environment variables through `env` into `entry_state` and `full_init_state`. The values in these structures can be strings or bitvectors, and will be serialized into the state as the arguments and environment to the simulated execution. The default `args` is an empty list, so if the program you're analyzing expects to find at least an `argv[0]`, you should always provide that! * If you'd like to have `argc` be symbolic, you can pass a symbolic bitvector as `argc` to the `entry_state` and `full_init_state` constructors. Be careful, though: if you do this, you should also add a constraint to the resulting state that your value for argc cannot be larger than the number of args you passed into `args`. * To use the call state, you should call it with `.call_state(addr, arg1, arg2, ...)`, where `addr` is the address of the function you want to call and `argN` is the Nth argument to that function, either as a python integer, string, or array, or a bitvector. If you want to have memory allocated and actually pass in a pointer to an object, you should wrap it in an PointerWrapper, i.e. `angr.PointerWrapper("point to me!")`. The results of this API can be a little unpredictable, but we're working on it. ## BitVectors ```python #BitVectors state = proj.factory.entry_state() bv = state.solver.BVV(0x1234, 32) #Create BV of 32bits with the value "0x1234" state.solver.eval(bv) #Convert BV to python int bv.zero_extend(30) #Will add 30 zeros on the left of the bitvector bv.sign_extend(30) #Will add 30 zeros or ones on the left of the BV extending the sign ``` ## Symbolic BitVectors & Constraints ```python x = state.solver.BVS("x", 64) #Symbolic variable BV of length 64 y = state.solver.BVS("y", 64) #Symbolic oprations tree = (x + 1) / (y + 2) tree # tree.op #'__floordiv__' Access last operation tree.args #(, ) tree.args[0].op #'__add__' Access of dirst arg tree.args[0].args #(, ) tree.args[0].args[1].op #'BVV' tree.args[0].args[1].args #(1, 64) #Symbolic constraints solver state = proj.factory.entry_state() #Get a fresh state without constraints input = state.solver.BVS('input', 64) operation = (((input + 4) * 3) >> 1) + input output = 200 state.solver.add(operation == output) state.solver.eval(input) #0x3333333333333381 state.solver.add(input < 2**32) state.satisfiable() #False #Solver solutions solver.eval(expression) #one possible solution solver.eval_one(expression) #solution to the given expression, or throw an error if more than one solution is possible. solver.eval_upto(expression, n) #n solutions to the given expression, returning fewer than n if fewer than n are possible. solver.eval_atleast(expression, n) #n solutions to the given expression, throwing an error if fewer than n are possible. solver.eval_exact(expression, n) #n solutions to the given expression, throwing an error if fewer or more than are possible. solver.min(expression) #minimum possible solution to the given expression. solver.max(expression) #maximum possible solution to the given expression. ``` ## Hooking ```python >>> stub_func = angr.SIM_PROCEDURES['stubs']['ReturnUnconstrained'] # this is a CLASS >>> proj.hook(0x10000, stub_func()) # hook with an instance of the class >>> proj.is_hooked(0x10000) # these functions should be pretty self-explanitory True >>> proj.hooked_by(0x10000) >>> proj.unhook(0x10000) >>> @proj.hook(0x20000, length=5) ... def my_hook(state): ... state.regs.rax = 1 >>> proj.is_hooked(0x20000) True ``` Furthermore, you can use `proj.hook_symbol(name, hook)`, providing the name of a symbol as the first argument, to hook the address where the symbol lives # Examples
HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.