• This repository was archived on 28/Apr/2023
  • Language: TeX
  • License: BSD 2-Clause "Sim...
  • Created over 9 years ago
  • Updated over 1 year ago


Documentation for the angr suite

This repo has been archived

If you are looking for documentation, check out https://docs.angr.io/en/latest/. The content from this repo has been moved to new locations. API documentation has been moved to the related project repos. The former gitbook doc source has been moved to https://github.com/angr/angr/tree/master/docs. Examples have been moved to https://github.com/angr/angr-examples.

What is angr, and how do I use it?

angr is a multi-architecture binary analysis toolkit, with the capability to perform dynamic symbolic execution (like Mayhem, KLEE, etc.) and various static analyses on binaries. If you'd like to learn how to use it, you're in the right place!

We've tried to make using angr as pain-free as possible: our goal is to create a user-friendly binary analysis suite, allowing a user to simply start up IPython and easily perform intensive binary analyses with a couple of commands. That being said, binary analysis is complex, which makes angr complex. This documentation is an attempt to help out with that, providing narrative explanation and exploration of angr and its design.

Several challenges must be overcome to programmatically analyze a binary. They are, roughly:

  • Loading a binary into the analysis program.
  • Translating a binary into an intermediate representation (IR).
  • Performing the actual analysis. This could be:
    • A partial or full-program static analysis (e.g., dependency analysis, program slicing).
    • A symbolic exploration of the program's state space (e.g., "Can we execute it until we find an overflow?").
    • Some combination of the above (e.g., "Let's execute only program slices that lead to a memory write, to find an overflow.").

angr has components that meet all of these challenges. This book will explain how each one works, and how they can all be used to accomplish your evil goals.

Get Started

Installation instructions can be found here.

To dive right into angr's capabilities, start with the top-level methods and read forward from there.

A searchable HTML version of this documentation is hosted at docs.angr.io, and an HTML API reference can be found at angr.io/api-doc.

If you enjoy playing CTFs and would like to learn angr in a similar fashion, angr_ctf will be a fun way for you to get familiar with much of the symbolic execution capability of angr. The angr_ctf repo is maintained by @jakespringer.

Citing angr

If you use angr in an academic work, please cite the papers for which it was developed:

@inproceedings{shoshitaishvili2016state,
  title={SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis},
  author={Shoshitaishvili, Yan and Wang, Ruoyu and Salls, Christopher and Stephens, Nick and Polino, Mario and Dutcher, Audrey and Grosen, Jessie and Feng, Siji and Hauser, Christophe and Kruegel, Christopher and Vigna, Giovanni},
  booktitle={IEEE Symposium on Security and Privacy},
  year={2016}
}

@inproceedings{stephens2016driller,
  title={Driller: Augmenting Fuzzing Through Selective Symbolic Execution},
  author={Stephens, Nick and Grosen, Jessie and Salls, Christopher and Dutcher, Audrey and Wang, Ruoyu and Corbetta, Jacopo and Shoshitaishvili, Yan and Kruegel, Christopher and Vigna, Giovanni},
  booktitle={NDSS},
  year={2016}
}

@inproceedings{shoshitaishvili2015firmalice,
  title={Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware},
  author={Shoshitaishvili, Yan and Wang, Ruoyu and Hauser, Christophe and Kruegel, Christopher and Vigna, Giovanni},
  booktitle={NDSS},
  year={2015}
}

Support

To get help with angr, you can ask via:

  • the Slack channel, angr.slack.com, for which you can get an account here.
  • opening an issue on the appropriate GitHub repository.

Going further:

You can read this paper, which explains some of the internals, algorithms, and techniques used, to get a better understanding of what's going on under the hood.

More Repositories

  • angr (Python, 7,537 stars): A powerful and user-friendly binary analysis platform!
  • angr-management (Python, 892 stars): The official angr GUI.
  • rex (Python, 634 stars): Shellphish's automated exploitation engine, originally created for the Cyber Grand Challenge.
  • angrop (Python, 597 stars)
  • cle (Python, 412 stars): CLE Loads Everything (at least, many binary formats!)
  • pyvex (Python, 337 stars): Python bindings for Valgrind's VEX IR.
  • claripy (Python, 286 stars): An abstraction layer for constraint solvers.
  • patcherex (Python, 249 stars): Shellphish's automated patching engine, originally created for the Cyber Grand Challenge.
  • heaphopper (Python, 212 stars): HeapHopper is a bounded model checking framework for heap implementations.
  • pypcode (C++, 179 stars): Python bindings to Ghidra's SLEIGH library for disassembly and lifting to P-Code IR.
  • phuzzer (Python, 148 stars): The new phuzzing framework!
  • angr-dev (Shell, 115 stars): Some helper scripts to set up an environment for angr development.
  • vex (C, 105 stars): A patched version of VEX to work with PyVEX.
  • tracer (Python, 88 stars): Utilities for generating dynamic traces.
  • archinfo (Python, 85 stars): Classes with architecture-specific information useful to other projects.
  • simuvex (Python, 79 stars): [DEPRECATED] A symbolic execution engine for the VEX IR.
  • archr (Python, 72 stars): Target-centric program analysis.
  • angr-platforms (Python, 66 stars): A collection of extensions to angr to handle new platforms.
  • binaries (C, 56 stars): A repository with binaries for angr tests and examples.
  • acsac-course (Python, 47 stars)
  • fidget (Python, 45 stars): A tool to add simple inline patches to a binary to rearrange its stack frames, and other things!
  • pysoot (Python, 41 stars): Python bindings for Shimple/Jimple IR from Soot.
  • angr-targets (Python, 32 stars): This repository contains the currently implemented angr concrete targets.
  • ailment (Python, 29 stars): AIL: The angr Intermediate Language.
  • angr-examples (Python, 27 stars): Example scripts using angr.
  • secdev-course (Python, 20 stars)
  • identifier (9 stars): [DEPRECATED] Using angr and prebuilt testcases to identify functions in statically-linked binaries.
  • wheels (7 stars): Wheels for speeding up builds and helping people out.
  • angr.github.io (HTML, 6 stars): angry website
  • nixpkgs (Nix, 4 stars): angr related nixpkgs
  • flirt_signatures (4 stars)
  • angr.io (HTML, 3 stars): angr.io website source
  • syscall-agent (C, 2 stars)
  • ci-settings (Python, 2 stars): Docker image and azure templates for angr's CI
  • library_docs (1 star)
  • azure-runners (Shell, 1 star): Docker stuff for self-hosted azure runners