This project is maintained by andreafioraldi

IDAngr

Use angr in the IDA Pro debugger generating a state from the current debug session.

At the moment it works only with x86/x86_64 ELF binaries on Linux.

IDAngr needs angrdbg installed on the same machine as IDA or on a remote machine.

python2 -m pip install angrdbg

At the moment IDAngr runs only with angr 7, because IDAPython is Python 2 only.

GUI

The idangr_gui.py script must be loaded during a debug session.

IDAngr adds a panel with a self-explanatory interface.

You can set find/avoid addresses and symbolic memory directly from the context menu in the IDA View.

Explore the other useful context menus in the panel by right-clicking on items.

Plugin

You can install IDAngr as a plugin (see INSTALL.md); to activate it press Ctrl+Alt+I.

Api

IDAngr implements the angrdbg API in the IDA debugger.

Use idangr.init(is_remote=False, host=None, port=None, use_pin=False) to set up the library environment and get access to the angrdbg API; call it before anything else. When is_remote is True the plugin connects to a remote angrdbg server (start it on the remote machine with python -m angrdbg). Set use_pin to True when IDA is connected to Intel Pin through a PinTool compatible with IDAngr (this probably does not work together with remote angrdbg).

idangr.is_initialized() can be used in a script to check whether init still has to be called.

StateShot

StateShot() returns an angr state built from the current debug session state.

StateManager

A wrapper around angr that simplifies the creation of symbolic values and writes the results back into the debugger when angr finds a valid path.

Methods

- instance.sim(key, size): create a symbolic value on a register or on a memory address (size is optional)
- instance[key]: get a register or a memory value
- instance.simulation_manager(): create an angr simulation manager based on the state
- instance.to_dbg(found_state): transfer to the debugger state the evaluated values of the symbolic values created before with sim

note: memory values are the same as those returned by state.mem[addr]

A more detailed description of the API can be found in the angrdbg repo and in my Bachelor thesis.

hook_lib_funcs

Try to hook the functions that IDA recognizes as inserted by the compiler with the corresponding angr SimProcedure, if one exists.

Example

    Python> sm = StateManager()
    Python> sm.sim("edi")
    Python> sm.sim("esi")
    Python> m = sm.simulation_manager()
    Python> m.explore(avoid=0x04005D5, find=0x00004005BC)
    <SimulationManager with 1 found, 3 avoid>
    Python> idc.GetRegValue("edi")
    0
    Python> idc.GetRegValue("esi")
    5
    Python> sm.to_dbg(m.found[0])
    Python> idc.GetRegValue("edi")
    2
    Python> idc.GetRegValue("esi")
    0

See examples folder.
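The same flow as the console session above, written as a reusable IDAPython script. This is an added example, not code from the IDAngr project: it assumes the API described in this README (idangr.init / idangr.is_initialized, and a StateManager exposed by the idangr package with sim(), simulation_manager() and to_dbg()), reads registers back with idc.GetRegValue as the session above does, and uses placeholder find/avoid addresses that you must replace with your target's basic blocks. The idangr/idc imports are guarded so the helpers can also be loaded and unit-tested outside IDA; the two practical additions over the console session are the is_initialized() check (re-running a script must not call init twice) and the check on simgr.found before to_dbg(), so a failed exploration leaves the debugger untouched instead of raising IndexError on m.found[0].

```python
"""IDAPython script: symbolic execution from the current IDA debug session with IDAngr.

Added example (not part of IDAngr). Python 2 compatible, since IDAPython is Python 2.
"""
try:
    import idangr
    import idc
except ImportError:
    # Not running inside IDA: the helpers below can still be imported and exercised
    # with a stand-in StateManager object.
    idangr = None
    idc = None

# Placeholder addresses (assumed): replace with the blocks of your own target.
FIND = 0x4005BC
AVOID = [0x4005D5]


def ensure_initialized(is_remote=False, host=None, port=None, use_pin=False):
    """Call idangr.init() only if it has not been called yet in this IDA session."""
    if idangr is None:
        raise RuntimeError("idangr is only importable inside IDAPython")
    if not idangr.is_initialized():
        idangr.init(is_remote=is_remote, host=host, port=port, use_pin=use_pin)


def make_symbolic(sm, registers=(), memory=()):
    """Mark registers (by name) and memory cells ((address, size) pairs) as symbolic."""
    for reg in registers:
        sm.sim(reg)
    for addr, size in memory:
        sm.sim(addr, size)


def solve(sm, find, avoid=(), registers=(), memory=()):
    """Explore from the StateManager's state; return the found state or None.

    to_dbg() is called only for a found state, so the debugger is never written
    when no path to `find` exists.
    """
    make_symbolic(sm, registers, memory)
    simgr = sm.simulation_manager()
    simgr.explore(find=find, avoid=list(avoid))
    if not simgr.found:
        return None
    found = simgr.found[0]
    sm.to_dbg(found)
    return found


def main():
    ensure_initialized()
    # StateManager is assumed to be exposed by the idangr package after init, as the
    # console session in this README uses it unqualified.
    sm = idangr.StateManager()
    found = solve(sm, FIND, AVOID, registers=("edi", "esi"))
    if found is None:
        print("no path reaching 0x%x found" % FIND)
    else:
        # Values were written back into the debugger by to_dbg(): read them from IDA.
        print("edi = %d, esi = %d" % (idc.GetRegValue("edi"), idc.GetRegValue("esi")))


if __name__ == "__main__":
    main()
```

Load the script from File > Script file while the process is suspended at the point you want to start from; each run snapshots the current debugger state, so re-run it after stepping to a new location.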

Other Debuggers

If you want to use angr in other debuggers, look at angrdbg.

I've also made an almost identical plugin for GDB: angrgdb.

TODO

add support for angr's data dependence graph in the IDA view

add an IPython shell to manually change values in the GUI

add a taint engine based on Intel Pin

Cite

Thesis PDF.

BibTeX: