andreafioraldi / idangr

Use angr in the IDA Pro debugger generating a state from the current debug session

Home Page: https://andreafioraldi.github.io/IDAngr/

License: BSD 2-Clause "Simplified" License

Python 99.29% Makefile 0.64% Shell 0.07%
Topics: angr, ida-pro, ida-plugin, symbolic-execution, debugger, idapython

IDAngr

Use angr in the IDA Pro debugger generating a state from the current debug session.

At the moment it works only with x86/x86_64 ELF binaries on Linux.

IDAngr needs angrdbg installed on the same machine as IDA, or on a remote machine.

python2 -m pip install angrdbg

IDAngr can run only with angr 7 at the moment, because IDAPython is Python 2 only.

GUI

The idangr_gui.py script must be loaded while a debug session is active.

IDAngr adds a panel with a self-explanatory interface.

You can set find/avoid addresses and symbolic memory directly from the context menu in the IDA View.

Explore the other useful context menus in the panel by right-clicking on items.

Plugin

You can install IDAngr as a plugin (see INSTALL.md); to activate it press Ctrl+Alt+I.

API

IDAngr implements the angrdbg API inside the IDA debugger.

Call idangr.init(is_remote=False, host=None, port=None, use_pin=False) before anything else to set up the library environment and get access to the angrdbg API. When is_remote is True the plugin connects to a remote angrdbg server (start it on the remote machine with python -m angrdbg). Set use_pin to True if you are connected to Intel Pin with a PinTool compatible with IDAngr (this probably does not work together with remote angrdbg).

idangr.is_initialized() can be used in a script to check whether init still needs to be called.

StateShot

Returns an angr state built from the current debug session state.

StateManager

A wrapper around angr that simplifies the creation of symbolic values and writes the results back into the debugger when angr finds a valid path.

Methods
  • instance.sim(key, size): create a symbolic value on a register or at a memory address (size is optional)
  • instance[key]: get a register or memory value
  • instance.simulation_manager(): create an angr simulation manager based on the state
  • instance.to_dbg(found_state): transfer to the debugger state the evaluated values of the symbolic values created earlier with sim

Note: memory values are the same ones returned by state.mem[addr].

A more detailed description of the API can be found in the angrdbg repo and in my Bachelor thesis.

hook_lib_funcs

Tries to hook the functions that IDA recognizes as inserted by the compiler (library functions) to the corresponding angr SimProcedure, if one exists.

Example

Python>sm = StateManager()
Python>sm.sim("edi")
Python>sm.sim("esi")
Python>m = sm.simulation_manager()
Python>m.explore(avoid=0x04005D5, find=0x00004005BC)
<SimulationManager with 1 found, 3 avoid>
Python>idc.GetRegValue("edi")
0
Python>idc.GetRegValue("esi")
5
Python>sm.to_dbg(m.found[0])
Python>idc.GetRegValue("edi")
2
Python>idc.GetRegValue("esi")
0

See examples folder.
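The console session above, rewritten as an IDAPython script; this is an added example, not code from the IDAngr repository. It assumes idangr exposes StateManager and hook_lib_funcs at module level, and the find/avoid addresses are placeholders to replace with your own target's. Unlike the session, it checks for the no-path case before calling to_dbg.

```python
# Added example: drive the IDAngr API end to end from an IDAPython script.
# Addresses are placeholders for your own target (assumption, not from the page).
FIND = 0x4005BC            # placeholder: address that proves the wanted path
AVOID = [0x4005D5]         # placeholder: addresses whose paths are pruned
SYM_REGS = ("edi", "esi")  # registers to make symbolic, as in the session above


def symbolic_explore(sm, sym_regs, find, avoid):
    """Make the given registers symbolic on a StateManager built from the
    live debugger state, explore, and return the first found state.
    Returns None when angr only hits avoid addresses or runs out of paths."""
    for reg in sym_regs:
        sm.sim(reg)  # size omitted: full register width
    m = sm.simulation_manager()
    m.explore(find=find, avoid=avoid)
    return m.found[0] if m.found else None


def write_back(sm, found, sym_regs, read_reg):
    """Concretise the symbolic registers in `found`, push them into the
    debugger via to_dbg, and return {reg: (before, after)} so the caller
    can see exactly what changed in the debug session."""
    before = dict((r, read_reg(r)) for r in sym_regs)
    sm.to_dbg(found)
    after = dict((r, read_reg(r)) for r in sym_regs)
    return dict((r, (before[r], after[r])) for r in sym_regs)


def main():
    # IDA-only imports stay inside main so the helpers above are importable
    # (and testable with fakes) outside IDA.
    import idc
    import idangr
    if not idangr.is_initialized():
        idangr.init(is_remote=False)  # local angrdbg, no Pin
    idangr.hook_lib_funcs()           # assumption: exposed on the idangr module
    sm = idangr.StateManager()        # assumption: exposed on the idangr module
    found = symbolic_explore(sm, SYM_REGS, FIND, AVOID)
    if found is None:
        print("no path to 0x%x: check find/avoid and the starting state" % FIND)
        return
    for reg, (old, new) in sorted(write_back(sm, found, SYM_REGS,
                                             idc.GetRegValue).items()):
        print("%s: %d -> %d" % (reg, old, new))


if __name__ == "__main__":
    main()
```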

Other Debuggers

If you want to use angr in other debuggers, look at angrdbg.

I've also made an almost equal plugin for GDB: angrgdb

TODO

  • add support for angr's data dependence graph integration in the IDA view
  • add an IPython shell to manually change values in the GUI
  • add a taint engine based on Intel Pin

Cite

Thesis PDF.

Bibtex:

@misc{fioraldi2020symbolic,
    title={Symbolic Execution and Debugging Synchronization},
    author={Andrea Fioraldi},
    year={2020},
    eprint={2006.16601},
    archivePrefix={arXiv},
    primaryClass={cs.CR}
}
