Angr : A Powerful & User-Friendly Binary Analysis Platform

Angr is a platform-agnostic binary analysis framework. It is a suite of Python 3 libraries that let you load a binary and do a lot of cool things to it:

  • Disassembly and intermediate-representation lifting
  • Program instrumentation
  • Symbolic execution
  • Control-flow analysis
  • Data-dependency analysis
  • Value-set analysis (VSA)
  • Decompilation

The most common angr operation is loading a binary: p = angr.Project('/bin/bash') If you do this in an enhanced REPL like IPython, you can use tab-autocomplete to browse the top-level-accessible methods and their docstrings.

The short version of “how to install angr” is mkvirtualenv --python=$(which python3) angr && python -m pip install angr.

Also Read – Hacking With BeEF- Fake Flash Update, Add-ons Installation, Stealing Facebook & Gmail Credentials

Example

angr does a lot of binary analysis stuff. To get you started, here’s a simple example of using symbolic execution to get a flag in a CTF challenge.

import angr
project = angr.Project(“angr-doc/examples/defcamp_r100/r100”, auto_load_libs=False)
@project.hook(0x400844)
def print_flag(state):
print(“FLAG SHOULD BE:”, state.posix.dumps(0))
project.terminate_execution()
project.execute()

Installation

Mac OS X

pip install angr should work, but there are some caveats.

angr requires the unicorn library, which (as of this writing) pip must build from source on macOS, even though binary distributions (“wheels”) exist on other platforms.

Building unicorn from source requires Python 2, so will fail inside a virtualenv where python gets you Python 3. If you encounter errors with pip install angr, you may need to first install unicorn separately, pointing it to your Python 2:

UNICORN_QEMU_FLAGS=”–python=/path/to/python2″ pip install unicorn # Python 2 is probably /usr/bin/python on your macOS system

Then retry pip install angr.

If this still doesn’t work and you run into a broken build script with Clang, try using GCC.

brew install gcc
CC=/usr/local/bin/gcc-8 UNICORN_QEMU_FLAGS=”–python=/path/to/python2″ pip install unicorn # As of this writing, brew install gcc gives you gcc-8
pip install angr

After installing angr, you will need to fix some shared library paths for the angr native libraries. Activate your virtual env and execute the following lines. A script is provided in the angr-dev repo.

PYVEX=python3 -c 'import pyvex; print(pyvex.__path__[0])' UNICORN=python3 -c 'import unicorn; print(unicorn.__path__[0])'
ANGR=python3 -c 'import angr; print(angr.__path__[0])'
install_name_tool -change libunicorn.1.dylib “$UNICORN”/lib/libunicorn.dylib “$ANGR”/lib/angr_native.dylib
install_name_tool -change libpyvex.dylib “$PYVEX”/lib/libpyvex.dylib “$ANGR”/lib/angr_native.dylib

Windows

As usual, a virtualenv is very strongly recommended. You can use either the virtualenv-win or virtualenv packages for this.

angr can be installed from pip on Windows, same as above: pip install angr. You should not be required to build any C code with this setup, since wheels (binary distributions) should be automatically pulled down for angr and its dependencies.

Development install

There is a special repository angr-dev with scripts to make life easier for angr developers. You can set up angr in development mode by running:

git clone https://github.com/angr/angr-dev
cd angr-dev
./setup.sh -i -e angr

This creates a virtualenv (-e angr), checks for any dependencies you might need (-i), clones all of the repositories and installs them in editable mode. setup.sh can even create a PyPy virtualenv for you (replace -e with -p), resulting in significantly faster performance and lower memory usage.

You can branch/edit/recompile the various modules in-place, and it will automatically reflect in your virtual environment.

Development install on windows

The angr-dev repository has a setup.bat script that creates the same setup as above, though it’s not as magical as setup.sh.

Since we’ll be building C code, you must be in the visual studio developer command prompt. Make sure that if you’re using a 64-bit python interpreter, you’re also using the 64-bit build tools (VsDevCmd.bat -arch=x64)

pip install virtualenv
git clone https://github.com/angr/angr-dev
cd angr-dev
virtualenv -p “C:\Path\To\python3\python.exe” env
env\Scripts\activate
setup.bat

You may also substitute the use of virtualenv above with the virtualenvwrapper-win package for a more streamlined experience.

Docker install

For convenience, we ship a Docker image that is 99% guaranteed to work. You can install via docker by doing:

install docker
curl -sSL https://get.docker.com/ | sudo sh

pull the docker image
sudo docker pull angr/angr

run it
sudo docker run -it angr/angr

Synchronization of files in and out of docker is left as an exercise to the user (hint: check out docker -v).

Modifying the angr container

You might find yourself needing to install additional packages via apt. The vanilla version of the container does not have the sudo package installed, which means the default user in the container cannot escalate privilege to install additional packages.

To over come this hurdle, use the following docker command to grant yourself root access:

#assuming the docker container is running
#with the name “angr” and the instance is
#running in the background.
docker exec -ti -u root angr bash

R K

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

16 hours ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

16 hours ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

3 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

5 days ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago