angr 8 is out! This release migrates angr to Python 3 and drops Python 2 support, in addition to bringing a bunch of performance improvements and bugfixes. For more details, see here.
What is angr?
angr is a Python framework for analyzing binaries. It combines both static and dynamic symbolic ("concolic") analysis, making it applicable to a variety of tasks.
As an introduction to angr's capabilities, here are some of the things that you can do using angr and the tools built with it:
```python
>>> import angr
>>> import angrop
>>> project = angr.Project("/bin/bash", auto_load_libs=False)
>>> rop = project.analyses.ROP()
>>> rop.find_gadgets()
>>> rop.execve("/bin/sh").print_payload_code()
chain = ""
chain += p64(0x4929bc)  # pop rax; ret
chain += p64(0x702fb8)
chain += p64(0x420b5c)  # pop rsi; ret
chain += p64(0x68732f6e69622f)
chain += p64(0x4a382a)  # mov qword ptr [rax + 8], rsi; xor eax, eax; ret
chain += p64(0x4929bc)  # pop rax; ret
chain += p64(0x3b)
chain += p64(0x41e844)  # pop rdi; ret
chain += p64(0x702fc0)
chain += p64(0x4ed076)  # pop rdx; ret
chain += p64(0x0)
chain += p64(0x420b5c)  # pop rsi; ret
chain += p64(0x0)
chain += p64(0x401b94)
chain += p64(0x0)
chain += p64(0x0)
chain += p64(0x0)
chain += p64(0x0)
chain += p64(0x0)
chain += p64(0x0)
chain += p64(0x0)
```
There are a few resources you can use to help you get up to speed or get you contributing to the project!
We primarily use Slack for communication, at angr.slack.com. You can get an invite here.
If you want real-time communication but absolutely refuse to use Slack, you can hang out in #angr on freenode. Responsiveness here, realistically, is lower than on Slack, unfortunately.
You can file an issue or send us a PR on GitHub in the appropriate repo.
If you prefer email, and don't mind longer response times, shoot an email to angr-at-lists.cs.ucsb.edu. This is a public mailing list (to which you can subscribe here).
In all this, please keep in mind that angr is a large project being frantically worked on by a very small group of overworked students. It's open source, with a typical open source support model (i.e., pray for the best).
We have used angr heavily in our academic research! If you have used angr or its sub-components in your research, please cite at least the following paper describing it:
@inproceedings{shoshitaishvili2016state,
title={{SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis}},
author={Shoshitaishvili, Yan and Wang, Ruoyu and Salls, Christopher and
Stephens, Nick and Polino, Mario and Dutcher, Audrey and Grosen, John and
Feng, Siji and Hauser, Christophe and Kruegel, Christopher and Vigna, Giovanni},
booktitle={IEEE Symposium on Security and Privacy},
year={2016}
}
Additionally, the angr authors and their collaborators have used angr in the following publications:
@inproceedings{bao2017your,
title={{Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits}},
author={Bao, Tiffany and Wang, Ruoyu and Shoshitaishvili, Yan and Brumley, David},
booktitle={IEEE Symposium on Security and Privacy},
year={2017}
}
@inproceedings{machiry2017boomerang,
title={{BOOMERANG: Exploiting the Semantic Gap in Trusted Execution Environments}},
author={Machiry, Aravind and Gustafson, Eric and Spensky, Chad and Salls, Christopher
and Stephens, Nick and Wang, Ruoyu and Bianchi, Antonio and Choe, Yung Ryn and
Kruegel, Christopher and Vigna, Giovanni},
booktitle={Proceedings of the 2017 Network and Distributed System Security Symposium},
year={2017}
}
@inproceedings{wang2017ramblr,
title={{Ramblr: Making Reassembly Great Again}},
author={Wang, Ruoyu and Shoshitaishvili, Yan and Bianchi, Antonio and Machiry, Aravind
and Grosen, John and Grosen, Paul and Kruegel, Christopher and Vigna, Giovanni},
booktitle={Proceedings of the 2017 Network and Distributed System Security Symposium},
year={2017}
}
@misc{shellphish-phrack,
title={Cyber Grand Shellphish},
author={Shellphish},
note={\url{http://phrack.org/papers/cyber_grand_shellphish.html}},
year={2017},
}
@inproceedings{stephens2016driller,
title={{Driller: Augmenting Fuzzing Through Selective Symbolic Execution}},
author={Stephens, Nick and Grosen, John and Salls, Christopher and Dutcher, Audrey and
Wang, Ruoyu and Corbetta, Jacopo and Shoshitaishvili, Yan and
Kruegel, Christopher and Vigna, Giovanni},
booktitle={Proceedings of the 2016 Network and Distributed System Security Symposium},
year={2016}
}
@inproceedings{shoshitaishvili2015firmalice,
title={{Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities
in Binary Firmware}},
author={Shoshitaishvili, Yan and Wang, Ruoyu and Hauser, Christophe and
Kruegel, Christopher and Vigna, Giovanni},
booktitle={Proceedings of the 2015 Network and Distributed System Security Symposium},
year={2015}
}
Finally, angr (or its subcomponents) has been used in many other academic works:
@article{parvez2016combining,
title={{Combining Static Analysis and Targeted Symbolic Execution for Scalable
Bug-finding in Application Binaries}},
author={Parvez, Muhammad Riyad},
year={2016},
publisher={University of Waterloo}
}
@inproceedings{pewny2015cross,
title={{Cross-Architecture Bug Search in Binary Executables}},
author={Pewny, Jannik and Garmany, Behrad and Gawlik, Robert and Rossow, Christian
and Holz, Thorsten},
booktitle={Security and Privacy (SP), 2015 IEEE Symposium on},
pages={709--724},
year={2015},
organization={IEEE}
}
@inproceedings{vogl2014dynamic,
title={{Dynamic hooks: hiding control flow changes within non-control data}},
author={Vogl, Sebastian and Gawlik, Robert and Garmany, Behrad and Kittel, Thomas
and Pfoh, Jonas and Eckert, Claudia and Holz, Thorsten},
booktitle={23rd USENIX Security Symposium (USENIX Security 14)},
pages={813--328},
year={2014}
}
Semi-academically, angr was one of the underpinnings of Shellphish's Cyber Reasoning System for the DARPA Cyber Grand Challenge, enabling them to win third place in the final round (more info here)! Shellphish has also used angr in many CTFs.