>>> import angr
>>> proj = angr.Project('./fauxware-amd64')
>>> cfg = proj.analyses.CFG(); cfg.function_manager.functions
{4195600L: <Function sub_400510 (0x400510)>,
 4195616L: <Function sub_400520 (0x400520)>,
 4195632L: <Function sub_400530 (0x400530)>,
 4195648L: <Function sub_400540 (0x400540)>,
 4195664L: <Function sub_400550 (0x400550)>,
 4195680L: <Function sub_400560 (0x400560)>,
 4195696L: <Function sub_400570 (0x400570)>,
 4195712L: <Function _start (0x400580)>,
 4195940L: <Function authenticate (0x400664)>,
 4196077L: <Function accepted (0x4006ed)>,
 4196093L: <Function rejected (0x4006fd)>,
 4196125L: <Function main (0x40071d)>}
>>> ex = proj.surveyors.Explorer(find=0x4006ed).run()
>>> ex.found[0].state.posix.dumps(0)

What is angr?

angr is a framework for analyzing binaries. It focuses on both static and dynamic symbolic ("concolic") analysis, making it applicable to a variety of tasks.

What's it made of?

angr is made up of several subprojects, all of which are open-source!

How has it been used academically?

If you have used angr or its sub-components in research, please cite the paper that it was developed for:

  title={SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis},
  author={Shoshitaishvili, Yan and Wang, Ruoyu and Salls, Christopher and
          Stephens, Nick and Polino, Mario and Dutcher, Andrew and Grosen, John and
          Feng, Siji and Hauser, Christophe and Kruegel, Christopher and Vigna, Giovanni},
  booktitle={IEEE Symposium on Security and Privacy},

Additionally, the angr authors have used angr in the following publications:

  title={Driller: Augmenting Fuzzing Through Selective Symbolic Execution},
  author={Stephens, Nick and Grosen, John and Salls, Christopher and Dutcher, Andrew and
          Wang, Ruoyu and Corbetta, Jacopo and Shoshitaishvili, Yan and
          Kruegel, Christopher and Vigna, Giovanni},

  title={Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities
         in Binary Firmware},
  author={Shoshitaishvili, Yan and Wang, Ruoyu and Hauser, Christophe and
          Kruegel, Christopher and Vigna, Giovanni},

Finally, angr (or its subcomponents) have been used in many other academic works:

  title={Combining Static Analysis and Targeted Symbolic Execution for Scalable
         Bug-finding in Application Binaries},
  author={Parvez, Muhammad Riyad},
  publisher={University of Waterloo}

  title={Cross-Architecture Bug Search in Binary Executables},
  author={Pewny, Jannik and Garmany, Behrad and Gawlik, Robert and Rossow, Christian
          and Holz, Thorsten},
  booktitle={Security and Privacy (SP), 2015 IEEE Symposium on},

  title={Dynamic hooks: hiding control flow changes within non-control data},
  author={Vogl, Sebastian and Gawlik, Robert and Garmany, Behrad and Kittel, Thomas
          and Pfoh, Jonas and Eckert, Claudia and Holz, Thorsten},
  booktitle={23rd USENIX Security Symposium (USENIX Security 14)},

And non-academically?

angr was one of the underpinnings of Shellphish's Cyber Reasoning System for the DARPA Cyber Grand Challenge, enabling them to qualify for the CGC finals! Shellphish has also used angr in many CTFs!

Whom can I contact?

If you have questions with a subcomponent of angr, please open an issue on github (or send us a pull request!). If you have questions or comments, drop us a line at the mailing list at angr AT or hang out on the IRC channel (#angr on freenode).

Who works on angr?

angr is worked on by several researchers in the Computer Security Lab at UC Santa Barbara. Core developers (arbitrarily, 1000+ lines of code!) include:

Additionally, we would like to acknowledge the following individuals for their work on and support of angr:

angr owes its existence to research sponsored by DARPA under agreement number N66001-13-2-4039!

How do I learn?

There are a few resources you can use to help you get up to speed!

How can I help?

There are many ways to participate! Here are some ideas: