Skip to main content

A Python interface to libVEX and VEX IR

Project description

PyVEX

Latest Release Python Version PyPI Statistics License

PyVEX is Python bindings for the VEX IR.

Project Links

Project repository: https://github.com/angr/pyvex

Documentation: https://api.angr.io/projects/pyvex/en/latest/

Installing PyVEX

PyVEX can be pip-installed:

pip install pyvex

Using PyVEX

import pyvex
import archinfo

# translate an AMD64 basic block (of nops) at 0x400400 into VEX
irsb = pyvex.lift(b"\x90\x90\x90\x90\x90", 0x400400, archinfo.ArchAMD64())

# pretty-print the basic block
irsb.pp()

# this is the IR Expression of the jump target of the unconditional exit at the end of the basic block
print(irsb.next)

# this is the type of the unconditional exit (i.e., a call, ret, syscall, etc)
print(irsb.jumpkind)

# you can also pretty-print it
irsb.next.pp()

# iterate through each statement and print all the statements
for stmt in irsb.statements:
    stmt.pp()

# pretty-print the IR expression representing the data, and the *type* of that IR expression written by every store statement
import pyvex
for stmt in irsb.statements:
    if isinstance(stmt, pyvex.IRStmt.Store):
        print("Data:", end="")
        stmt.data.pp()
        print("")

        print("Type:", end="")
        print(stmt.data.result_type)
        print("")

# pretty-print the condition and jump target of every conditional exit from the basic block
for stmt in irsb.statements:
    if isinstance(stmt, pyvex.IRStmt.Exit):
        print("Condition:", end="")
        stmt.guard.pp()
        print("")

        print("Target:", end="")
        stmt.dst.pp()
        print("")

# these are the types of every temp in the IRSB
print(irsb.tyenv.types)

# here is one way to get the type of temp 0
print(irsb.tyenv.types[0])

Keep in mind that this is a syntactic representation of a basic block. That is, it'll tell you what the block means, but you don't have any context to say, for example, what actual data is written by a store instruction.

VEX Intermediate Representation

To deal with widely diverse architectures, it is useful to carry out analyses on an intermediate representation. An IR abstracts away several architecture differences when dealing with different architectures, allowing a single analysis to be run on all of them:

  • Register names. The quantity and names of registers differ between architectures, but modern CPU designs hold to a common theme: each CPU contains several general purpose registers, a register to hold the stack pointer, a set of registers to store condition flags, and so forth. The IR provides a consistent, abstracted interface to registers on different platforms. Specifically, VEX models the registers as a separate memory space, with integer offsets (i.e., AMD64's rax is stored starting at address 16 in this memory space).
  • Memory access. Different architectures access memory in different ways. For example, ARM can access memory in both little-endian and big-endian modes. The IR must abstract away these differences.
  • Memory segmentation. Some architectures, such as x86, support memory segmentation through the use of special segment registers. The IR understands such memory access mechanisms.
  • Instruction side-effects. Most instructions have side-effects. For example, most operations in Thumb mode on ARM update the condition flags, and stack push/pop instructions update the stack pointer. Tracking these side-effects in an ad hoc manner in the analysis would be crazy, so the IR makes these effects explicit.

There are lots of choices for an IR. We use VEX, since the uplifting of binary code into VEX is quite well supported. VEX is an architecture-agnostic, side-effects-free representation of a number of target machine languages. It abstracts machine code into a representation designed to make program analysis easier. This representation has five main classes of objects:

  • Expressions. IR Expressions represent a calculated or constant value. This includes memory loads, register reads, and results of arithmetic operations.
  • Operations. IR Operations describe a modification of IR Expressions. This includes integer arithmetic, floating-point arithmetic, bit operations, and so forth. An IR Operation applied to IR Expressions yields an IR Expression as a result.
  • Temporary variables. VEX uses temporary variables as internal registers: IR Expressions are stored in temporary variables between use. The content of a temporary variable can be retrieved using an IR Expression. These temporaries are numbered, starting at t0. These temporaries are strongly typed (i.e., "64-bit integer" or "32-bit float").
  • Statements. IR Statements model changes in the state of the target machine, such as the effect of memory stores and register writes. IR Statements use IR Expressions for values they may need. For example, a memory store IR Statement uses an IR Expression for the target address of the write, and another IR Expression for the content.
  • Blocks. An IR Block is a collection of IR Statements, representing an extended basic block (termed "IR Super Block" or "IRSB") in the target architecture. A block can have several exits. For conditional exits from the middle of a basic block, a special Exit IR Statement is used. An IR Expression is used to represent the target of the unconditional exit at the end of the block.

VEX IR is actually quite well documented in the libvex_ir.h file (https://github.com/angr/vex/blob/dev/pub/libvex_ir.h) in the VEX repository. For the lazy, we'll detail some parts of VEX that you'll likely interact with fairly frequently. To begin with, here are some IR Expressions:

IR Expression Evaluated Value VEX Output Example
Constant A constant value. 0x4:I32
Read Temp The value stored in a VEX temporary variable. RdTmp(t10)
Get Register The value stored in a register. GET:I32(16)
Load Memory The value stored at a memory address, with the address specified by another IR Expression. LDle:I32 / LDbe:I64
Operation A result of a specified IR Operation, applied to specified IR Expression arguments. Add32
If-Then-Else If a given IR Expression evaluates to 0, return one IR Expression. Otherwise, return another. ITE
Helper Function VEX uses C helper functions for certain operations, such as computing the conditional flags registers of certain architectures. These functions return IR Expressions. function_name()

These expressions are then, in turn, used in IR Statements. Here are some common ones:

IR Statement Meaning VEX Output Example
Write Temp Set a VEX temporary variable to the value of the given IR Expression. WrTmp(t1) = (IR Expression)
Put Register Update a register with the value of the given IR Expression. PUT(16) = (IR Expression)
Store Memory Update a location in memory, given as an IR Expression, with a value, also given as an IR Expression. STle(0x1000) = (IR Expression)
Exit A conditional exit from a basic block, with the jump target specified by an IR Expression. The condition is specified by an IR Expression. if (condition) goto (Boring) 0x4000A00:I32

An example of an IR translation, on ARM, is produced below. In the example, the subtraction operation is translated into a single IR block comprising 5 IR Statements, each of which contains at least one IR Expression (although, in real life, an IR block would typically consist of more than one instruction). Register names are translated into numerical indices given to the GET Expression and PUT Statement. The astute reader will observe that the actual subtraction is modeled by the first 4 IR Statements of the block, and the incrementing of the program counter to point to the next instruction (which, in this case, is located at 0x59FC8) is modeled by the last statement.

The following ARM instruction:

subs R2, R2, #8

Becomes this VEX IR:

t0 = GET:I32(16)
t1 = 0x8:I32
t3 = Sub32(t0,t1)
PUT(16) = t3
PUT(68) = 0x59FC8:I32

Cool stuff!

Citing PyVEX

If you use PyVEX in an academic work, please cite the paper for which it was developed:

@article{shoshitaishvili2015firmalice,
  title={Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware},
  author={Shoshitaishvili, Yan and Wang, Ruoyu and Hauser, Christophe and Kruegel, Christopher and Vigna, Giovanni},
  booktitle={NDSS},
  year={2015}
}

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pyvex-9.2.223.tar.gz (3.7 MB view details)

Uploaded Source

Built Distributions

If you're not sure about the file name format, learn more about wheel file names.

pyvex-9.2.223-cp312-abi3-win_amd64.whl (1.4 MB view details)

Uploaded CPython 3.12+Windows x86-64

pyvex-9.2.223-cp312-abi3-musllinux_1_2_x86_64.whl (1.9 MB view details)

Uploaded CPython 3.12+musllinux: musl 1.2+ x86-64

pyvex-9.2.223-cp312-abi3-musllinux_1_2_aarch64.whl (1.8 MB view details)

Uploaded CPython 3.12+musllinux: musl 1.2+ ARM64

pyvex-9.2.223-cp312-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl (1.9 MB view details)

Uploaded CPython 3.12+manylinux: glibc 2.17+ x86-64manylinux: glibc 2.28+ x86-64

pyvex-9.2.223-cp312-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl (1.8 MB view details)

Uploaded CPython 3.12+manylinux: glibc 2.17+ ARM64manylinux: glibc 2.28+ ARM64

pyvex-9.2.223-cp312-abi3-macosx_11_0_arm64.whl (1.6 MB view details)

Uploaded CPython 3.12+macOS 11.0+ ARM64

File details

Details for the file pyvex-9.2.223.tar.gz.

File metadata

  • Download URL: pyvex-9.2.223.tar.gz
  • Upload date:
  • Size: 3.7 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for pyvex-9.2.223.tar.gz
Algorithm Hash digest
SHA256 10979e525cb0eefcf09d1857ed745b87a4f2f79aa2485d5c316fd9a647c51985
MD5 1188526979fe04777bac661f312271fc
BLAKE2b-256 512e29719e116b0468a1d92afed18fdb6727db83b968154472df175a88062e28

See more details on using hashes here.

Provenance

The following attestation bundles were made for pyvex-9.2.223.tar.gz:

Publisher: angr-release.yml on angr/ci-settings

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyvex-9.2.223-cp312-abi3-win_amd64.whl.

File metadata

  • Download URL: pyvex-9.2.223-cp312-abi3-win_amd64.whl
  • Upload date:
  • Size: 1.4 MB
  • Tags: CPython 3.12+, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for pyvex-9.2.223-cp312-abi3-win_amd64.whl
Algorithm Hash digest
SHA256 d83dfc1664021aebf35e2d9d2d88256945935cec033260304236bbaf37f6763a
MD5 f677c4f7c7bc8b59718faa08a3b91792
BLAKE2b-256 13f030b156ba21b101502e9ff9ae3492c16ba1f0f92faefc57150f90c260e1c2

See more details on using hashes here.

Provenance

The following attestation bundles were made for pyvex-9.2.223-cp312-abi3-win_amd64.whl:

Publisher: angr-release.yml on angr/ci-settings

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyvex-9.2.223-cp312-abi3-musllinux_1_2_x86_64.whl.

File metadata

File hashes

Hashes for pyvex-9.2.223-cp312-abi3-musllinux_1_2_x86_64.whl
Algorithm Hash digest
SHA256 4c327df568a5944430dd120298529645b58f2dce7f08efb5a403fc114a616be6
MD5 764df5a93b42386fdb177ca89eb63283
BLAKE2b-256 ff7bd251d1584c2fa0904677981185fcabfa09a759aa5797a7619957365eb881

See more details on using hashes here.

Provenance

The following attestation bundles were made for pyvex-9.2.223-cp312-abi3-musllinux_1_2_x86_64.whl:

Publisher: angr-release.yml on angr/ci-settings

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyvex-9.2.223-cp312-abi3-musllinux_1_2_aarch64.whl.

File metadata

File hashes

Hashes for pyvex-9.2.223-cp312-abi3-musllinux_1_2_aarch64.whl
Algorithm Hash digest
SHA256 18fdd0b73f4e1e1ad370a7590d85ee9287c66ebd4a5954cdf3216f00e2a80138
MD5 2c30d5ddec85c1a192a8c02379f00c4b
BLAKE2b-256 2226aeb0811b716966cca0622b53885eb118db4e9aa49d0bd1876b0b6239d956

See more details on using hashes here.

Provenance

The following attestation bundles were made for pyvex-9.2.223-cp312-abi3-musllinux_1_2_aarch64.whl:

Publisher: angr-release.yml on angr/ci-settings

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyvex-9.2.223-cp312-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl.

File metadata

File hashes

Hashes for pyvex-9.2.223-cp312-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
Algorithm Hash digest
SHA256 af718582d7c9de192b275b2c13d3a946e2103e552cdaebf60c6a197c30512d92
MD5 eabe4504a0ecd9def3de1a5715db0aae
BLAKE2b-256 a084f9bd615862e834ffb2e6b5375cbd0b8ba38d12b8267f619ae8f1fcd6ae50

See more details on using hashes here.

Provenance

The following attestation bundles were made for pyvex-9.2.223-cp312-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl:

Publisher: angr-release.yml on angr/ci-settings

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyvex-9.2.223-cp312-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl.

File metadata

File hashes

Hashes for pyvex-9.2.223-cp312-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl
Algorithm Hash digest
SHA256 d039b5d5302774d141a14ffbe59a1ccd3324b7794e21360316a1d2a183973c57
MD5 c61207c9e7f57d50808e4fd1dced29ac
BLAKE2b-256 c02d080939afd2a0c167467c19502b0d2f94fe09baae7f46164b737d7fe93cfa

See more details on using hashes here.

Provenance

The following attestation bundles were made for pyvex-9.2.223-cp312-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl:

Publisher: angr-release.yml on angr/ci-settings

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyvex-9.2.223-cp312-abi3-macosx_11_0_arm64.whl.

File metadata

File hashes

Hashes for pyvex-9.2.223-cp312-abi3-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 852df7447a12ff5d5d0a096615fae34a2a41055f860d18d0e0b6b4cbf0e68112
MD5 196994cc105a307eef29a0cfbe52544a
BLAKE2b-256 6e9aa4aa781871829bf5b08771a5b2b0fa15118826f09cd0ae0b73628b115613

See more details on using hashes here.

Provenance

The following attestation bundles were made for pyvex-9.2.223-cp312-abi3-macosx_11_0_arm64.whl:

Publisher: angr-release.yml on angr/ci-settings

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page