angr/patcherex angr/patcherex

  • Stars
    star
    249
  • Rank 162,013 (Top 4 %)
  • Language
    Python
  • License
    BSD 2-Clause "Sim...
  • Created about 8 years ago
  • Updated 3 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
angr/patcherex
github

angr

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Shellphish's automated patching engine, originally created for the Cyber Grand Challenge.

Patcherex

Patcherex is the component used to create patched binaries in our CRS.

Installation

sudo apt-get install nasm clang

sudo apt-get install clang-10 gcc-avr binutils-avr avr-libc # (optional) for AVR patching (see patcherex/backends/detourbackends/avr.py)

# mkvirtualenv cgc # create and activate a proper virtual env in which other CRS components have been installed (see setup.py)

git clone https://github.com/angr/patcherex.git
cd patcherex
pip install -e .

Usage

There are three fundamental concepts in patcherex:

  • patches
  • techniques
  • backends

patches

A patch is a single modification to a binary.

Different types of patches exist, for instance:

  • InsertCodePatch: add some code that is going to be executed before an instruction at a specific address
  • AddEntryPointPatch: add some code that is going to be executed before the original entry point of the binary.
  • AddCodePatch: add some code that other patches can use.
  • AddRWData: add some RW data that other patches can use.
  • ...

See patcherex/patches.py for the full list of available patches.

Every patch has a name and it is possible to refer from a patch to another patch using its name.

backends

A backend is the component responsible to "inject" a list of patches in an existing binary and produce a new binary.

There are two backends:

  • DetourBackend: it adds patches by inserting jumps inside the original code.
  • ReassemblerBacked: it adds code by disassembling and then reassembling the original binary.

The DetourBackend generates bigger and slower binaries (and in some rare cases it cannot insert some patches), however it is slightly more reliable than the ReassemblerBackend (i.e., it breaks slightly less binaries).

techniques

A technique is a component analyzing a binary and returning a list of patches.

For instance:

  • StackRetEncryption: it encrypts the return pointers of "unsafe" functions.
  • Backdoor: it adds a backdoor to a binary.
  • ...

Examples

IPython usage

Patcherex can be used with IPython.

The following example modifies the binary CADET_00003 so that it prints "HI!" every time a new string is entered by the user.

import patcherex
from patcherex.backends.detourbackend import DetourBackend
from patcherex.backends.reassembler_backend import ReassemblerBackend
from patcherex.patches import *

# the detour backend can be used as well:
# backend = DetourBackend("test_binaries/CADET_00003")
backend = ReassemblerBackend("test_binaries/CADET_00003")
patches = []

transmit_code = '''
  ; eax is the transmitted buffer
  ; ebx is the length
  pusha
  mov ecx,eax
  mov edx,ebx
  mov eax,0x2
  mov ebx,0x1
  mov esi,0x0
  int 0x80
  popa
  ret
  '''
patches.append(AddCodePatch(transmit_code, name="transmit_function"))
patches.append(AddRODataPatch(b"HI!\x00", name="transmitted_string"))
# the following code is going to be executed just before the original instruction at 0x8048166
injected_code = '''
; at this code location, it is fine to clobber eax and ebx
mov eax, {transmitted_string} ; a patch can refer to another patch address, by putting its name between curly brackets
mov ebx, 4
call {transmit_function}
'''
patches.append(InsertCodePatch(0x8048166,injected_code,name="injected_code_after_receive"))

# now we ask to the backend to inject all our patches
backend.apply_patches(patches)
# and then we save the file
backend.save("/tmp/CADET_00003_mod1")
# at this point you can try to run /tmp/CADET_00003_mod1 inside the DECREE VM or using our modified version of QEMU

Command line usage

Any method of the class PatchMaster (in patch_master.py) called generate_something_binary can be directly invoked from the command line.

The syntax is the following:

./patch_master.py single <input_file> <method> <output_file>

For instance, running the following command:

./patch_master.py single ../test_binaries/CADET_00003 stackretencryption  /tmp/CADET_00003_stackretencryption

will execute the following code:

def generate_stackretencryption_binary(self, test_bin=None):
    backend = ReassemblerBackend(self.infile)
    patches = []
    patches.extend(StackRetEncryption(self.infile, backend).get_patches())
    backend.apply_patches(patches)
    final_content = backend.get_final_content()
    return (final_content, "")

patch_master.py contains also methods to patch multiple binaries in parallel and quickly test them.

More Repositories

1

angr

A powerful and user-friendly binary analysis platform!
Python
7,466
star
2

angr-management

The official angr GUI.
Python
864
star
3

angr-doc

Documentation for the angr suite
TeX
835
star
4

rex

Shellphish's automated exploitation engine, originally created for the Cyber Grand Challenge.
Python
626
star
5

angrop

Python
582
star
6

cle

CLE Loads Everything (at least, many binary formats!)
Python
391
star
7

pyvex

Python bindings for Valgrind's VEX IR.
Python
328
star
8

claripy

An abstraction layer for constraint solvers.
Python
274
star
9

heaphopper

HeapHopper is a bounded model checking framework for Heap-implementations
Python
212
star
10

pypcode

Python bindings to Ghidra's SLEIGH library for disassembly and lifting to P-Code IR
C++
174
star
11

phuzzer

The new phuzzing framework!
Python
149
star
12

angr-dev

Some helper scripts to set up an environment for angr development.
Shell
113
star
13

vex

A patched version of VEX to work with PyVEX.
C
104
star
14

tracer

Utilities for generating dynamic traces
Python
87
star
15

archinfo

Classes with architecture-specific information useful to other projects.
Python
82
star
16

simuvex

[DEPRECATED] A symbolic execution engine for the VEX IR
Python
80
star
17

archr

Target-centric program analysis.
Python
73
star
18

angr-platforms

A collection of extensions to angr to handle new platforms
Python
66
star
19

binaries

A repository with binaries for angr tests and examples.
C
57
star
20

acsac-course

Python
47
star
21

fidget

A tool to add simple inline patches to a binary to rearrange its stack frames, and other things!
Python
46
star
22

pysoot

Python bindings for Shimple/Jimple IR from Soot.
Python
41
star
23

angr-targets

This repository contains the currently implemented angr concrete targets.
Python
32
star
24

ailment

AIL: The angr Intermediate Language.
Python
27
star
25

angr-examples

Example scripts using angr
Python
24
star
26

secdev-course

Python
20
star
27

identifier

[DEPRECATED] Using angr and prebuilt testcases to identify functions in statically-linked binaries.
9
star
28

wheels

Wheels for speeding up builds and helping people out.
7
star
29

angr.github.io

angry website
HTML
6
star
30

nixpkgs

angr related nixpkgs
Nix
4
star
31

flirt_signatures

4
star
32

angr.io

angr.io website source
HTML
3
star
33

syscall-agent

C
2
star
34

ci-settings

Docker image and azure templates for angr's CI
Python
2
star
35

library_docs

1
star
36

azure-runners

Docker stuff for self-hosted azure runners
Shell
1
star