angr/cle angr/cle

  • Stars
    star
    391
  • Rank 109,319 (Top 3 %)
  • Language
    Python
  • License
    BSD 2-Clause "Sim...
  • Created over 9 years ago
  • Updated 2 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
angr/cle
github

angr

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

CLE Loads Everything (at least, many binary formats!)

CLE

Latest Release Python Version PyPI Statistics License

CLE loads binaries and their associated libraries, resolves imports and provides an abstraction of process memory the same way as if it was loader by the OS's loader.

Project Links

Project repository: https://github.com/angr/cle

Documentation: https://api.angr.io/projects/cle/en/latest/

Installation

pip install cle

Usage example

>>> import cle
>>> ld = cle.Loader("/bin/ls")
>>> hex(ld.main_object.entry)
'0x4048d0'
>>> ld.shared_objects
{'ld-linux-x86-64.so.2': <ELF Object ld-2.21.so, maps [0x5000000:0x522312f]>,
 'libacl.so.1': <ELF Object libacl.so.1.1.0, maps [0x2000000:0x220829f]>,
 'libattr.so.1': <ELF Object libattr.so.1.1.0, maps [0x4000000:0x4204177]>,
 'libc.so.6': <ELF Object libc-2.21.so, maps [0x3000000:0x33a1a0f]>,
 'libcap.so.2': <ELF Object libcap.so.2.24, maps [0x1000000:0x1203c37]>}
>>> ld.addr_belongs_to_object(0x5000000)
<ELF Object ld-2.21.so, maps [0x5000000:0x522312f]>
>>> libc_main_reloc = ld.main_object.imports['__libc_start_main']
>>> hex(libc_main_reloc.addr)       # Address of GOT entry for libc_start_main
'0x61c1c0'
>>> import pyvex
>>> some_text_data = ld.memory.load(ld.main_object.entry, 0x100)
>>> irsb = pyvex.lift(some_text_data, ld.main_object.entry, ld.main_object.arch)
>>> irsb.pp()
IRSB {
   t0:Ity_I32 t1:Ity_I32 t2:Ity_I32 t3:Ity_I64 t4:Ity_I64 t5:Ity_I64 t6:Ity_I32 t7:Ity_I64 t8:Ity_I32 t9:Ity_I64 t10:Ity_I64 t11:Ity_I64 t12:Ity_I64 t13:Ity_I64 t14:Ity_I64

   15 | ------ IMark(0x4048d0, 2, 0) ------
   16 | t5 = 32Uto64(0x00000000)
   17 | PUT(rbp) = t5
   18 | t7 = GET:I64(rbp)
   19 | t6 = 64to32(t7)
   20 | t2 = t6
   21 | t9 = GET:I64(rbp)
   22 | t8 = 64to32(t9)
   23 | t1 = t8
   24 | t0 = Xor32(t2,t1)
   25 | PUT(cc_op) = 0x0000000000000013
   26 | t10 = 32Uto64(t0)
   27 | PUT(cc_dep1) = t10
   28 | PUT(cc_dep2) = 0x0000000000000000
   29 | t11 = 32Uto64(t0)
   30 | PUT(rbp) = t11
   31 | PUT(rip) = 0x00000000004048d2
   32 | ------ IMark(0x4048d2, 3, 0) ------
   33 | t12 = GET:I64(rdx)
   34 | PUT(r9) = t12
   35 | PUT(rip) = 0x00000000004048d5
   36 | ------ IMark(0x4048d5, 1, 0) ------
   37 | t4 = GET:I64(rsp)
   38 | t3 = LDle:I64(t4)
   39 | t13 = Add64(t4,0x0000000000000008)
   40 | PUT(rsp) = t13
   41 | PUT(rsi) = t3
   42 | PUT(rip) = 0x00000000004048d6
   43 | t14 = GET:I64(rip)
   NEXT: PUT(rip) = t14; Ijk_Boring
}

Valid options

For a full listing and description of the options that can be provided to the loader and the methods it provides, please examine the docstrings in cle/loader.py. If anything is unclear or poorly documented (there is much) please complain through whatever channel you feel appropriate.

Loading Backends

CLE's loader is implemented in the Loader class. There are several backends that can be used to load a single file:

  • ELF, as its name says, loads ELF binaries. ELF files loaded this way are statically parsed using PyElfTools.

  • PE is a backend to load Microsoft's Portable Executable format, effectively Windows binaries. It uses the (optional) pefile module.

  • Mach-O is a backend to load, you guessed it, Mach-O binaries. Support is limited for this backend.

  • Blob is a backend to load unknown data. It requires that you specify the architecture it would be run on, in the form of a class from ArchInfo.

Which backend you use can be specified as an argument to Loader. If left unspecified, the loader will pick a reasonable default.

Finding shared libraries

  • If the auto_load_libs option is set to False, the Loader will not automatically load libraries requested by loaded objects. Otherwise...

  • The loader determines which shared objects are needed when loading binaries, and searches for them in the following order:

    • in the current working directory
    • in folders specified in the ld_path option
    • in the same folder as the main binary
    • in the system (in the corresponding library path for the architecture of the binary, e.g., /usr/arm-linux-gnueabi/lib for ARM, note that you need to install cross libraries for this, e.g., libc6-powerpc-cross on Debian - needs emdebian repos)
    • in the system, but with mismatched version numbers from what is specified as a dependency, if the ignore_import_version_numbers option is True

  • If no binary is found with the correct architecture, the loader raises an exception if except_missing_libs option is True. Otherwise it simply leaves the dependencies unresolved.

More Repositories

1

angr

A powerful and user-friendly binary analysis platform!
Python
7,466
star
2

angr-management

The official angr GUI.
Python
864
star
3

angr-doc

Documentation for the angr suite
TeX
835
star
4

rex

Shellphish's automated exploitation engine, originally created for the Cyber Grand Challenge.
Python
626
star
5

angrop

Python
582
star
6

pyvex

Python bindings for Valgrind's VEX IR.
Python
328
star
7

claripy

An abstraction layer for constraint solvers.
Python
274
star
8

patcherex

Shellphish's automated patching engine, originally created for the Cyber Grand Challenge.
Python
249
star
9

heaphopper

HeapHopper is a bounded model checking framework for Heap-implementations
Python
212
star
10

pypcode

Python bindings to Ghidra's SLEIGH library for disassembly and lifting to P-Code IR
C++
174
star
11

phuzzer

The new phuzzing framework!
Python
149
star
12

angr-dev

Some helper scripts to set up an environment for angr development.
Shell
113
star
13

vex

A patched version of VEX to work with PyVEX.
C
104
star
14

tracer

Utilities for generating dynamic traces
Python
87
star
15

archinfo

Classes with architecture-specific information useful to other projects.
Python
82
star
16

simuvex

[DEPRECATED] A symbolic execution engine for the VEX IR
Python
80
star
17

archr

Target-centric program analysis.
Python
73
star
18

angr-platforms

A collection of extensions to angr to handle new platforms
Python
66
star
19

binaries

A repository with binaries for angr tests and examples.
C
57
star
20

acsac-course

Python
47
star
21

fidget

A tool to add simple inline patches to a binary to rearrange its stack frames, and other things!
Python
46
star
22

pysoot

Python bindings for Shimple/Jimple IR from Soot.
Python
41
star
23

angr-targets

This repository contains the currently implemented angr concrete targets.
Python
32
star
24

ailment

AIL: The angr Intermediate Language.
Python
27
star
25

angr-examples

Example scripts using angr
Python
24
star
26

secdev-course

Python
20
star
27

identifier

[DEPRECATED] Using angr and prebuilt testcases to identify functions in statically-linked binaries.
9
star
28

wheels

Wheels for speeding up builds and helping people out.
7
star
29

angr.github.io

angry website
HTML
6
star
30

nixpkgs

angr related nixpkgs
Nix
4
star
31

flirt_signatures

4
star
32

angr.io

angr.io website source
HTML
3
star
33

syscall-agent

C
2
star
34

ci-settings

Docker image and azure templates for angr's CI
Python
2
star
35

library_docs

1
star
36

azure-runners

Docker stuff for self-hosted azure runners
Shell
1
star