angrdbg

Abstract library to generate angr states from a debugger state

Works with both angr 7 and 8.

Install

pip install angrdbg

Windows

Before installing angrdbg you must install Visual C++ Redistributable Packages for Visual Studio 2013.

Then type in the command prompt:

py -m pip install capstone-windows
py -m pip install angrdbg

Usage

The library uses an abstract class, Debugger, to be agnostic from the debugger api.

The user must implement a derived class, see abstract_debugger.py to view the methods that must be implemented.

After this register an instance of the derived class with the register_debugger function.

To create an angr state from the current debugger state use StateShot.

Api

StateShot

Return an angr state from the current debug session state.

StateManager

A wrapper around angr to simplify the symbolic values creation and to write the results back in the debugger when angr founds a valid path.

Methods

• instance.sim(key, size) create a symbolic value on a register or on a memory address (size is optional)
• instance[key] get a register or a memory value
• instance.simulation_manager() create an angr simulation manager based on the state
• instance.to_dbg(found_state) transfer to the debugger state the evaluated value of the symbolic value created before with sim

note: memory values are the same that are returned by state.mem[addr]

Managing the Project

load_project and reload_project are used to get or lazily create a project based on the current debugger state.

Memory type

The memory type defines how angrdbg get the memory from the debugger and from the cle backer. Use get_memory_type to know what the active one.

You can change the memory type with set_memory_type.

• SIMPROCS_FROM_CLE import only not-stubs simprocedures in the got from the cle backer (defaut)
• ONLY_GOT_FROM_CLE import the entire got from the cle backer
• USE_CLE_MEMORY import memory from the cle backer firstly
• GET_ALL_DISCARD_CLE full debugger memory mode (the only avaiable for PE at the moment)

Frontends

• GDB -> angrgdb
• IDA Pro debugger -> IDAngr
• radare2 -> r2angrdbg

Cite

Thesis PDF.

Bibtex:

@misc{fioraldi2020symbolic,
    title={Symbolic Execution and Debugging Synchronization},
    author={Andrea Fioraldi},
    year={2020},
    eprint={2006.16601},
    archivePrefix={arXiv},
    primaryClass={cs.CR}
}