Skip to main content

Zelos target for angr / symbion concrete execution.

Project description

PyPI PyPI - Python Version License: AGPL v3 Code style: black

Zelos Concrete Execution Engine for angr

Provides support for using zelos (a python-based binary instrumentation and emulation platform) as a concrete execution engine in angr via the symbion interface. Symbion provides an interface that enables angr to get and set program state from an external execution engine. Conversely, this enables zelos to take advantage of the symbolic execution capabilities of angr.

Installation

You first need angr with symbion. Their documentation recommends installation in a separate virtual environment, as several python packages are customized, including unicorn. This is the boilerplate to setup angr in a new virtual environment (**). Refer to their documentation for more comprehensive instructions.

$ sudo apt-get install python3-dev libffi-dev build-essential cmake gdb-multiarch
$ git clone https://github.com/angr/angr-targets.git

$ python3 -m venv ~/.venv/angr && source ~/.venv/angr/bin/activate
(angr) $ pip install wheel && pip install angr && pip install -e angr-targets

(**) As of this writing, the pip release of symbion is not working. Instead, use the development version, which already includes angr-targets:

$ git clone https://github.com/angr/angr-dev.git
$ cd angr-dev && ./setup.sh -i -e angr
$ source ~/.virtualenvs/angr/bin/activate

Once you have the angr environment setup, install the angr-zelos-target package within the environment to enable zelos as a concrete target:

(angr) $ pip install angr-zelos-target

Install the zelos emulator in a separate virtual environment, e.g.:

(zelos) $ pip install zelos

Basic Usage

Write your angr scripts as you usually would, but specify the zelos concrete target when creating the project:

from angr_zelos_target import ZelosConcreteTarget

...

zelos_target = ZelosConcreteTarget()
project = angr.Project(
    filepath,
    concrete_target=zelos_target,
    use_sim_procedures=True,
)

Use the angr.exploration_techniques.Symbion exploration technique when you want to concretely execution in zelos.

Before running your angr script, start the zelos zdbserver on the target binary:

(zelos) $ python -m zelos.zdbserver FILENAME

The zdbserver and angr scripts can run on the same system, but be sure to run them in separate python environments, as both packages use different versions of the unicorn CPU emulator.

Symbion Tutorial: "Fusing Concrete and Symbolic Execution"

As an example, we have reimplemented the symbion tutorial using the zelos concrete engine. In that tutorial, the goal is to force execution of a binary down the path that prints "Executing stage 2 fake malware V2" instead of the default message:

$ ./not_packed_elf64
[+] Parsing malware configuration
[+] Virtual environment detected!

The not_packed_elf64 binary is duplicated from the angr-binaries repository. The reimplemented tutorial example script will concretely execute up to the decision point, solve for a value that will ultimately drive excution to the desired path, write that value into zelos, then resume execution in zelos. The basic workflow is to start the binary via the zelos.zdbserver, then run the angr script that utilizes the zdbserver, for instance:

Terminal 1 (zelos):

(zelos) $ python -m zelos.zdbserver not_packed_elf64

Terminal 2 (angr):

(angr) $ python3 -m angr_zelos_target.example

Terminal 2 Output:

[0] Created angr_zelos project for 'angr_zelos_target/example/not_packed_elf64'
[1] Got to decision point concretely.
[2] Symbolically finding second stage @ 0x400bb6
[3] Executing concretely until exit @ 0x65310d
[4] DONE.

Terminal 1 Output:

[main] [SYSCALL] brk ( addr=0x0 ) -> 0x900000a4
[main] [SYSCALL] openat ( dirfd=0xffffff9c, pathname=0xb229170 ("not_packed_elf64"), flags=0x80000 ) -> 18
...
...
[main] [SYSCALL] brk ( addr=0x90022000 ) -> 0x90022000
Breakpoint "bp_400af3"
[StdOut]: 'bytearray(b'[+]Parsing malware configuration\n\n[+] Executing stage 2 fake malware V2\n\n')'
[main] [SYSCALL] write ( fd=0x1, buf=0x90000310 ("[+]Parsing malware configuration [+] Executing stage 2 fake malware V2"), count=0x3a ) -> 3a
[main] [SYSCALL] exit_group ( status=0x0 ) -> void

License

AGPL v3

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

angr_zelos_target-0.0.1-py2.py3-none-any.whl (24.9 kB view details)

Uploaded Python 2 Python 3

File details

Details for the file angr_zelos_target-0.0.1-py2.py3-none-any.whl.

File metadata

  • Download URL: angr_zelos_target-0.0.1-py2.py3-none-any.whl
  • Upload date:
  • Size: 24.9 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/45.2.0 requests-toolbelt/0.9.1 tqdm/4.35.0 CPython/3.6.9

File hashes

Hashes for angr_zelos_target-0.0.1-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 f8367523fcee797338c50bbc8914ad118ac405faeaaee30d766122d1cf2df5c4
MD5 78188c999acb5508a211588610628586
BLAKE2b-256 0decb3c5d519be7650cb6d172dd65b62b0740b4967fb725ac6066021e732b296

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page