axt / angr-utils
Handy utilities for the angr binary analysis framework, most notably CFG visualization
License: BSD 2-Clause "Simplified" License
Hi AXT, I ran your sample code with the newest angr and got several errors, and I fixed it like this:
import angr
from angrutils import *
proj = angr.Project("./test", load_options={'auto_load_libs':False})
main = proj.loader.main_bin.get_symbol("main")
#start_state = proj.factory.blank_state(addr=main.addr)
start_state = proj.factory.entry_state()
#cfg = proj.analyses.CFGFast(fail_fast=True, starts=[main.addr], initial_state=start_state)
cfg = proj.analyses.CFG()
plot_cfg(cfg, "ais3_cfg", asminst=True, remove_imports=True, remove_path_terminator=True)
Anyway, your work is great!
To support various kinds of highlighting / annotation, add support for HTML-like labels.
digraph G {
rankdir=TB;
0 [shape=Mrecord, label=<{ 0x80484cd (0x80484cd) main |
<TABLE BORDER="0" CELLPADDING="0">
<TR><TD><IMG SRC="cica.png" SCALE="TRUE"></IMG></TD><TD>0x80484cd:</TD><TD ALIGN="LEFT"><I>push</I></TD><TD ALIGN="LEFT">ebp</TD><TD></TD><TD></TD></TR>
<TR><TD><FONT COLOR="BLUE">[1]</FONT></TD><TD>0x80484ce:</TD><TD ALIGN="LEFT"><I>mov</I></TD><TD ALIGN="LEFT">ebp, <B>esp</B></TD><TD></TD><TD></TD></TR>
<TR><TD></TD><TD>0x80484d0:</TD><TD ALIGN="LEFT"><I>and</I></TD><TD ALIGN="LEFT"><B>esp</B>, <FONT COLOR="GREEN">0xfffffff0</FONT></TD><TD><FONT COLOR="grey">; comment</FONT></TD><TD></TD></TR>
</TABLE> }}>, fontsize="8.0", fontname=monospace, penwidth=1];
}
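One way to generate such HTML-like labels from instruction rows, as an added example (not angr-utils or bingraphvis code). The helper names, the sample rows and the choice of `shape=none` with a single table are assumptions; every piece of text taken from the binary is escaped so that `<`, `>` and `&` in operands, symbol names or comments cannot break the label markup.

```python
from html import escape

# Constructed sample rows (address, mnemonic, operands, comment), modelled on
# the mock-up above; the comment text deliberately contains markup characters.
SAMPLE_INSNS = [
    (0x80484CD, "push", "ebp", None),
    (0x80484CE, "mov", "ebp, esp", None),
    (0x80484D0, "and", "esp, 0xfffffff0", "align stack & <frame>"),
]


def insn_row(addr, mnemonic, operands, comment=None, marker=None):
    """Render one instruction as a <TR> with five cells."""
    marker_cell = (
        '<TD><FONT COLOR="BLUE">%s</FONT></TD>' % escape(marker)
        if marker else "<TD></TD>"
    )
    comment_cell = (
        '<TD ALIGN="LEFT"><FONT COLOR="grey">; %s</FONT></TD>' % escape(comment)
        if comment else "<TD></TD>"
    )
    return "<TR>%s<TD>0x%x:</TD>%s%s%s</TR>" % (
        marker_cell,
        addr,
        '<TD ALIGN="LEFT"><I>%s</I></TD>' % escape(mnemonic),
        '<TD ALIGN="LEFT">%s</TD>' % escape(operands),
        comment_cell,
    )


def block_label(addr, name, insns, markers=None):
    """Build the HTML-like label for one basic block (header row + one row per insn)."""
    markers = markers or {}
    header = '<TR><TD COLSPAN="5" ALIGN="LEFT"><B>0x%x %s</B></TD></TR>' % (
        addr, escape(name))
    rows = "".join(insn_row(a, m, o, c, markers.get(a)) for a, m, o, c in insns)
    return '<TABLE BORDER="1" CELLBORDER="0" CELLPADDING="0">%s%s</TABLE>' % (
        header, rows)


def dot_graph(nodes):
    """nodes: iterable of (node_id, html_label); returns DOT source text."""
    lines = ["digraph G {", "  rankdir=TB;"]
    for node_id, label in nodes:
        # label=<...> tells Graphviz to parse the value as an HTML-like label.
        lines.append(
            '  %d [shape=none, margin=0, label=<%s>, fontsize="8.0", '
            "fontname=monospace];" % (node_id, label))
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    label = block_label(0x80484CD, "main", SAMPLE_INSNS, {0x80484CE: "[1]"})
    print(dot_graph([(0, label)]))
```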
Thank you for the visualizations for the CDG.
Can someone please provide a short example for the DDG "plot_ddg_data". It seems that the DDG is overwhelmed with the number of edges when the entire binary file is put into it and no suitable example can be found in the example directory.
I tried to create the CFG just for the main method (that worked), but then no DDG was found.
Thank you in advance!
I am not able to plot graphs. Even the example files that you have given are not working.
`/home/siddhu/.virtualenvs/angr/lib/python2.7/site-packages/bingraphvis/angr/factory.pyc in default_cfg_pipeline(self, cfg, asminst, vexinst, remove_path_terminator, color_edges, comments)
19 vis.add_content(AngrAsm(project))
20 if comments:
---> 21 if cfg.sort == 'fast':
22 if project.arch.name in ('X86', 'AMD64'):
23 vis.add_content_annotator(AngrX86CommentsAsm(project))
AttributeError: 'CFGAccurate' object has no attribute 'sort'
`
Hello!
I intend to automatically analyze CFG graphs of binaries in order to find some properties of packers. The graph generated by simply running CFGFast() is not very easy to analyse as it's only a graph of addresses (as far as I can tell). Is there a way to get this nice CFG representation in basic blocks, which is generated by plot_cfg(), and walk through it?
Thanks in advance!
Was wondering if it might be possible to export a graph to D3.js.
Hi,
At the moment, when I create a png for a graph, if a SIMP is encountered the graph does not show all the calls made, only that SIMP. Is it possible to have the full graph even with the calls made by the SIMPs? I think it would be useful in case a user has loaded all the shared objects and wants to see what happens in the SIMP, which could be a function in the loaded shared objects.
Thanks
Hi, Here is the source code of the program I am trying to construct a call graph of:
#include <stdio.h>
void A(){}
void B(){}
void C(){A();}
void D(){B();}
void E(int x){
    if ( x>0){ D(); }
    else{ C(); }
}
int main(int argc, char *argv[]){
    FILE *fp;
    fp = fopen("input.txt","r");
    return 0;
    E(2);
}
Here is the CFGFast generated by angr, drawn by angr-utils. Shouldn't the rightmost strongly connected component (Function E) be somehow connected to the ending block of main? Why is that component completely disconnected from the main function graph? Thanks in advance.
Hi,
There is a runtime error, could you fix it?
Thanks!
------------------code-------------------
angrutils.plot_ddg_data(ddg.simplified_data_graph, "xxx", project=proj)
---------------Error message-----------
RuntimeError: dictionary changed size during iteration
I love your fancy graph utility! :)
It would be great to have an option to insert a legend when generating a CFG if necessary.
I am trying to plot the cfg of notepad.exe as an exercise.
I am using CFGFast and CFGEmulated.
CFGFast()
proj = angr.Project('notepad.exe', load_options={'auto_load_libs': False})
#main = proj.loader.main_object.get_symbol("main") #cant find main, no symbols
cfg = proj.analyses.CFGFast(show_progressbar=True)
len(cfg.functions)
415
len(cfg.graph.nodes())
8086
plot_cfg(cfg, 'test', asminst=True, remove_imports=True, remove_path_terminator=True)
#ends up just hanging here
CFGEmulated()
proj = angr.Project('notepad.exe', load_options={'auto_load_libs': False})
#main = proj.loader.main_object.get_symbol("main") #cant find main, no symbols
cfg = proj.analyses.CFGEmulated(show_progressbar=True)
len(cfg.functions)
365
len(cfg.graph.nodes)
12501
plot_cfg(cfg, 'test', asminst=True, remove_imports=True, remove_path_terminator=True)
#hangs here as well
I could see how producing a PNG of 8k+ nodes would take a long time. I was just wondering if there was anything I was missing or if there is a limit to the size of the binary.
For me, the cfgs are nice to haves, but I'm just trying to get a list of all the possible addresses the program could jump to. With that goal in mind, which analyses would be better suited for finding all the addresses?
I'm using angr strictly in a shell environment. I would like to use the plot_cfg function, or something similar, to generate an image (perhaps in a PNG format) on my local file system, instead of rendering the image in a new window (which clearly won't work in a shell environment). Looking through the available arguments I don't see any options for saving the rendered CFG to a file instead of displaying it. Is such a feature available or something that could be incorporated in a future release?
Using plot_cfg(), generated PNG for CFG which is not readable at all when call depth is 5 or more.
Code snippet below:
main = proj.loader.main_object.get_symbol(FUNC_NAME)
start_state = proj.factory.blank_state(addr=main.rebased_addr)
if CFG_TYPE == "emulated":
    cfg = proj.analyses.CFGEmulated(fail_fast=True, starts=[main.rebased_addr], initial_state=start_state, resolve_indirect_jumps=False, call_depth=CALL_DEPTH)
Basically when call depth was kept to 5, then it was blurred upon zooming, however, with depth 1 or 3, the plotted graphs were readable.
vex: priv/main_main.c:769 (LibVEX_Translate): Assertion `0 == sizeof(VexGuestMIPS32State) % LibVEX_GUEST_STATE_ALIGN' failed
It gives me this:
Traceback (most recent call last):
File "E:\Document\porgram\科研项目\src\angr_other_learn\angr-utils\examples\myExample\test.py", line 1, in <module>
import angr
File "D:\Program Files\Anaconda3\lib\site-packages\angr\__init__.py", line 22, in <module>
from .utils.formatting import setup_terminal
File "D:\Program Files\Anaconda3\lib\site-packages\angr\utils\__init__.py", line 5, in <module>
from . import enums_conv
File "D:\Program Files\Anaconda3\lib\site-packages\angr\utils\enums_conv.py", line 6, in <module>
from ..protos.primitives_pb2 import Edge
File "D:\Program Files\Anaconda3\lib\site-packages\angr\protos\__init__.py", line 10, in <module>
from . import primitives_pb2
File "D:\Program Files\Anaconda3\lib\site-packages\angr\protos\primitives_pb2.py", line 5, in <module>
from google.protobuf import descriptor as _descriptor
ImportError: cannot import name 'descriptor' from 'google.protobuf' (unknown location)
Here is the source code:
import angr
It gives me the error in the first line of the code.
I don't know what is going on, and I couldn't find effective solutions on Google. Please help me.
Should work since NetworkX has GraphML support I believe.
python3.9
macOS Monterey 12.1
angr 9.1.11752
angr-utils 0.5.0
bingraphvis 0.3.0
import angr
from angrutils import *
def cfgfastpng(filename):
    proj = angr.Project(filename, auto_load_libs = False)
    cfg = proj.analyses.CFGFast()
    plot_cfg(cfg, "cfg", format='png', asminst=True, remove_imports=True)
if __name__ == '__main__':
    cfgfastpng('./01_angr_avoid')
WARNING | 2022-03-01 19:55:43,281 | angr.analyses.cfg.cfg_fast | _tidy_data_references() sees an address 0x80d6040 that does not belong to any section or segment.
Traceback (most recent call last):
File "/Users/chenyanzhi/Documents/angr/test.py", line 12, in <module>
cfgfastpng('./01_angr_avoid')
File "/Users/chenyanzhi/Documents/angr/test.py", line 8, in cfgfastpng
plot_cfg(cfg, "cfg", format='png', asminst=True, remove_imports=True)
File "/Users/chenyanzhi/Desktop/angr-dev/angr-utils/angrutils/visualize.py", line 34, in plot_cfg
vis.process(cfg.graph)
File "/Users/chenyanzhi/Desktop/angr-dev/bingraphvis/bingraphvis/base.py", line 309, in process
graph = self.pipeline.process(filter=filter)
File "/Users/chenyanzhi/Desktop/angr-dev/bingraphvis/bingraphvis/base.py", line 286, in process
c.render(n)
File "/Users/chenyanzhi/Desktop/angr-dev/bingraphvis/bingraphvis/base.py", line 126, in render
an.annotate_content(n, n.content[self.name])
File "/Users/chenyanzhi/Desktop/angr-dev/bingraphvis/bingraphvis/angr/annotator.py", line 384, in annotate_content
if dr.sort == 'string':
AttributeError: 'XRef' object has no attribute 'sort'
Hi,
First of all, thanks for the project. I would suggest making it possible for a user to get the graph back. For example, once you call set_output and subsequently process, you can store the png generated by the libraries. I would like to not be forced to set the output and maybe just call get_graph and obtain the graph returned by the process function. Is it already possible?
Thanks
Hey,
I've just tried to give the examples/plot_cfg example a go but keep receiving the "AttributeError: 'NoneType' object has no attribute 'addr'" error. I've tried a couple of PE32 executables but get the same error with all of them, I'm guessing it's an issue with the fact I'm targeting PE files?
Thanks
Hi @axt,
I was thinking that it would be nice to have the opportunity to merge 2 graphs. When can this be useful? Suppose that a user would prefer to generate a graph of a function in a shared object and generate the graph of a function contained in an elf file that uses that shared object. At this point the user could just generate the graph from the shared object only once and afterwards, for each occurrence of that specific function in the elf, just "merge" the pre-generated graph. Would this be useful?
Thanks
Hi,
I cloned the repository and tried to run the examples. But I am getting this error while running.
Traceback (most recent call last):
File "/home/sankara/PycharmProjects/angr-utils/examples/plot_cfg/plot_cfg_example.py", line 21, in <module>
analyze(proj, main.addr, "ais3")
File "/home/sankara/PycharmProjects/angr-utils/examples/plot_cfg/plot_cfg_example.py", line 13, in analyze
plot_cfg(cfg, "%s_%s_cfg" % (name, func.name), asminst=True, vexinst=False, func_addr={addr:True}, debug_info=False, remove_imports=True, remove_path_terminator=True)
File "/home/sankara/PycharmProjects/angr-utils/angrutils/visualize.py", line 31, in plot_cfg
vis.process(cfg.graph)
File "/home/sankara/.local/lib/python2.7/site-packages/bingraphvis/base.py", line 310, in process
return self.output.generate(graph)
File "/home/sankara/.local/lib/python2.7/site-packages/bingraphvis/output.py", line 214, in generate
dotfile.write("{}.{}".format(self.fname, self.format), format=self.format)
File "/home/sankara/.local/lib/python2.7/site-packages/pydot.py", line 1756, in write
s = self.create(prog, format, encoding=encoding)
File "/home/sankara/.local/lib/python2.7/site-packages/pydot.py", line 1867, in create
raise OSError(*args)
OSError: [Errno 2] "dot" not found in path.
I tried to debug but was not able to fix it.
On pydot.py line number 1855:
try:
    p = subprocess.Popen(
        cmdline,
        env=env,
        cwd=tmp_dir,
        shell=False,
        stderr=subprocess.PIPE, stdout=subprocess.PIPE)
except OSError as e:
    if e.errno == os.errno.ENOENT:
        args = list(e.args)
        args[1] = '"{prog}" not found in path.'.format(
            prog=prog)
        raise OSError(*args)
    else:
        raise
This particular part is throwing, "No such file" error. Could you please guide me?
Hi,
I want to use CFGFast to generate a CFG.
My code is:
proj=angr.Project('/opt/png')
cfg = proj.analyses.CFGFast()
plot_cfg(cfg, "mycfg",asminst=True, remove_imports=True, remove_path_terminator=True)
But an error occurred:
"dot" with args ['-Tpng', '/tmp/tmpd9c_cdp3'] returned code: -11
stdout, stderr:
b''
b''
Traceback (most recent call last):
File "outputGraph.py", line 135, in <module>
outputGraph()
File "outputGraph.py", line 88, in outputGraph
plot_cfg(cfgs, "static", asminst=True, remove_imports=True, remove_path_terminator=True) #, format='raw')
File "/opt/angr-utils/angrutils/visualize.py", line 34, in plot_cfg
vis.process(cfg.graph)
File "/opt/bingraphvis/bingraphvis/base.py", line 310, in process
return self.output.generate(graph)
File "/opt/bingraphvis/bingraphvis/output.py", line 217, in generate
dotfile.write("{}.{}".format(self.fname, self.format), format=self.format)
File "/usr/local/lib/python3.6/site-packages/pydot.py", line 1817, in write
s = self.create(prog, format, encoding=encoding)
File "/usr/local/lib/python3.6/site-packages/pydot.py", line 1945, in create
assert process.returncode == 0, process.returncode
AssertionError: -11
When, instead of using the png format as output, I add the format='raw' (or svg) parameter to plot_cfg and use
dot -Tpng xxx.raw > xxx.png
an error also occurred:
Segmentation fault (core dumped)
Can you give me some advice or hints?
Thanks
When executing from angrutils import *, the following error occurs:
c:\users\sandbox\.virtualenvs\angr-aoudwqk0\lib\site-packages\angrutils\pp.py in <module>
4 import claripy
5 import simuvex
----> 6 from expr import *
7
8 def pp(obj, **kwargs):
ModuleNotFoundError: No module named 'expr'
Looking at the other files in the package, it would seem that the line should be changed to from .expr import * as it is a local module.
I am using the cfg_path to collect all the possible paths in the CFG for each function. However, it takes forever. Is there any way to speed it up? Or another way to obtain all the paths in the CFG?
Hello, @axt
I installed angr in virtualenv. And I want to install angr-utils in virtualenv too. But when I execute "python setup.py install" in virtualenv :
(angr_env) raphael@ubuntu:~/Desktop/angr-utils-0.3.0$ sudo python setup.py install
/usr/lib/python2.7/distutils/dist.py:267: UserWarning: Unknown distribution option: 'install_requires'
  warnings.warn(msg)
running install
running build
running build_py
running install_lib
running install_egg_info
Removing /usr/local/lib/python2.7/dist-packages/angr_utils-0.3.0.egg-info
Writing /usr/local/lib/python2.7/dist-packages/angr_utils-0.3.0.egg-info
Ubuntu 17.04, Python 2.7.13
How can I install this in virtualenv?
FakeRet edges, and edges created after cfg normalization are not highlighted.
Hi @axt,
I'm still trying to fix the problem with angr-utils and I have a weird behaviour. Using pngpixel, like last time, I'm trying to print a simple graph for png_user_version_check. Maybe I'm doing something wrong, but I cannot see the connection between the block ending in 0x5a8 and 0x51d. When you have time, can you generate the graph for that function and upload the result here, please?
Thanks
I generated CFGs of two representations of the same function (asm and VEX-IR) . So each BB contains the VEX statements and expressions.
I would like to get the whole function at VEX-IR representation. I tried to change the "format" in the following command:
plot_cfg(cfg, output_path, format="plain", asminst=asminst, vexinst=vexinst, func_addr={addr:True}, debug_info=False, remove_imports=True, remove_path_terminator=True)
But still I cannot get the text version of the VEX representation. I am wondering is that possible? Could you please help?
Thank you!
Traceback (most recent call last):
File "/home/a/.virtualenvs/angr/lib/python3.6/site-packages/pydot.py", line 1926, in create
working_dir=tmp_dir,
File "/home/a/.virtualenvs/angr/lib/python3.6/site-packages/pydot.py", line 139, in call_graphviz
**kwargs
File "/usr/lib/python3.6/subprocess.py", line 729, in __init__
restore_signals, start_new_session)
File "/usr/lib/python3.6/subprocess.py", line 1364, in _execute_child
raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'dot': 'dot'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "cfg123.py", line 7, in <module>
plot_cfg(cfg, "ais3_cfg", asminst=True, remove_imports=True, remove_path_terminator=True)
File "/home/a/ang-dev/angr-utils/angrutils/visualize.py", line 34, in plot_cfg
vis.process(cfg.graph)
File "/home/a/ang-dev/bingraphvis/bingraphvis/base.py", line 310, in process
return self.output.generate(graph)
File "/home/a/ang-dev/bingraphvis/bingraphvis/output.py", line 217, in generate
dotfile.write("{}.{}".format(self.fname, self.format), format=self.format)
File "/home/a/.virtualenvs/angr/lib/python3.6/site-packages/pydot.py", line 1828, in write
s = self.create(prog, format, encoding=encoding)
File "/home/a/.virtualenvs/angr/lib/python3.6/site-packages/pydot.py", line 1933, in create
raise OSError(*args)
FileNotFoundError: [Errno 2] "dot" not found in path.
How can I solve this problem?
I ran the sample code, but I didn't get an image of the disassembly code; the image is below:
With the parameter "format='raw'" and then "dot -Tpng -o out.png ais3_cfg.raw", the result is the same as above.
The content of the "ais3_cfg.raw" file is below:
The node description of the "ais3_cfg.raw" file does not seem to contain disassembly content. I don't know whether this is an angr problem or an angr-utils problem.
Could you give me some help? Thanks
Hi, guys, your setup.py of angrutils is wrong. The name should be angrutils but you set it to angr-utils, which leads to the error ModuleNotFoundError: No module named 'angrutils'.
I use the latest version (8.19.4.5) of angr to generate a precise CFG with statements listed below.
Then I use angrutils.plot_cfg to plot the graphs, but the output seems wrong, there are multiple duplicated CFG in a graph. So, could you fix it? Thanks!
proj = angr.Project(binary_path, load_options={'auto_load_libs': False})
cfg = proj.analyses.CFGEmulated(context_sensitivity_level=1, fail_fast=True)
for addr,func in cfg.kb.functions.items():
    print(func.name)
    if func.name in ['main','func_0', 'func_1']:
        angrutils.plot_cfg(cfg, "%s_%s_cfg" % ("emul", func.name), asminst=True, vexinst=False, func_addr={addr:True}, debug_info=False, remove_imports=True, remove_path_terminator=True)
Link of a malformed graph:
https://www.dropbox.com/s/xhq8t4pi9esyqwx/emul_func_0_cfg.png?dl=0