Awesome angr
A collection of resources, tools and analyses for the angr binary analysis framework. This page does not only collect links and external resources: it is also meant to be a harbour for releasing non-official extensions, tools and utilities that are useful when working with angr.
Exploration Techniques
A collection of exploration techniques written by the community.
- SimgrViz: an exploration technique that collects information regarding the states generated by the SimulationManager and creates a graph that can be later visualized to debug the analyses (.dot file).
- MemLimiter: an exploration technique to stop the analysis when memory consumption is too high!
- ExplosionDetector: stop the analysis when there are too many states or other critical errors happen.
- KLEECoverageOptimizeSearch: KLEE technique to improve coverage.
- KLEERandomSearch: an ET for random path selection.
- LoopExhaustion: a loop exhaustion search strategy.
- StochasticSearch: an ET for stochastic selection of active states.
- HeartBeat: an exploration technique to make sure symbolic execution is still alive; it also provides some utilities to gently hijack into the DSE while it is running.
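Several of the techniques above (MemLimiter, ExplosionDetector) share one idea: subclass angr's ExplorationTechnique, override step() to measure something after each stepping round, and empty the active stash when a budget is blown so that simgr.run() returns instead of the process being OOM-killed. The following is an added example written for this page, not code from any of the listed projects or from angr itself. It assumes a POSIX host (it reads ru_maxrss through the resource module) and, so that it can be run without angr installed, falls back to a two-method stand-in for the base class plus a constructed FakeSimgr that forks every active state on each step, which is exactly the explosion pattern the guard is meant to catch.

```python
"""Added example: a budget-enforcing exploration technique for angr.

Not part of awesome-angr or angr. The guard parks all active states into a
separate stash once either the total number of states or the process's peak
RSS exceeds a limit, which makes simgr.run() terminate cleanly.
"""
import resource
import sys

try:
    from angr.exploration_techniques import ExplorationTechnique
except ImportError:
    # Assumption: angr is not installed where this file runs. This stand-in
    # mirrors only the two base-class hooks used below (step/complete) so the
    # budget logic can be exercised with the FakeSimgr at the bottom.
    class ExplorationTechnique:
        def step(self, simgr, stash="active", **kwargs):
            return simgr.step(stash=stash, **kwargs)

        def complete(self, simgr):
            return False


def peak_rss_mb():
    """Peak resident set size of this process in MiB.

    ru_maxrss is reported in KiB on Linux and in bytes on macOS.
    """
    rss = resource.getrusage(resource.RUSAGE_SELF).ru_maxrss
    return rss / (1024 * 1024) if sys.platform == "darwin" else rss / 1024


class BudgetGuard(ExplorationTechnique):
    """Park every active state once a state-count or memory budget is exceeded."""

    def __init__(self, max_states=500, max_rss_mb=4096,
                 stashes=("active", "deferred", "errored", "cut"),
                 park_stash="budget_exceeded"):
        super().__init__()
        self.max_states = max_states
        self.max_rss_mb = max_rss_mb
        self.stashes = stashes
        self.park_stash = park_stash
        self.reason = None  # set to a human-readable string when the guard fires

    def total_states(self, simgr):
        # Count states across every stash we care about; missing stashes count as 0.
        return sum(len(simgr.stashes.get(s, [])) for s in self.stashes)

    def step(self, simgr, stash="active", **kwargs):
        simgr = simgr.step(stash=stash, **kwargs)  # let the rest of the chain step first
        n = self.total_states(simgr)
        rss = peak_rss_mb()
        if n > self.max_states:
            self.reason = f"state explosion: {n} states > {self.max_states}"
        elif rss > self.max_rss_mb:
            self.reason = f"memory: {rss:.0f} MiB > {self.max_rss_mb} MiB"
        if self.reason is not None:
            # Emptying the active stash is what stops simgr.run(). Nothing is
            # discarded: the states remain inspectable in the parking stash.
            simgr.move(from_stash=stash, to_stash=self.park_stash,
                       filter_func=lambda _s: True)
        return simgr

    def complete(self, simgr):
        # simgr.run() also polls this, so the run ends even if a later technique
        # were to refill the active stash.
        return self.reason is not None


class FakeSimgr:
    """Constructed stand-in for angr's SimulationManager, used only so this file
    runs without angr: every step forks each active state into two."""

    def __init__(self, n_active=1):
        self.stashes = {"active": list(range(n_active))}

    def step(self, stash="active", **kwargs):
        self.stashes[stash] = [s for s in self.stashes[stash] for _ in (0, 1)]
        return self

    def move(self, from_stash, to_stash, filter_func=None):
        keep, moved = [], []
        for s in self.stashes.get(from_stash, []):
            (moved if filter_func is None or filter_func(s) else keep).append(s)
        self.stashes[from_stash] = keep
        self.stashes.setdefault(to_stash, []).extend(moved)


def run_with_guard(max_states=100, max_steps=50):
    """Drive the fake manager through the guard the way simgr.run() would:
    step until the technique reports completion or nothing is active.
    Returns (steps taken, states parked, reason)."""
    simgr, guard = FakeSimgr(), BudgetGuard(max_states=max_states)
    steps = 0
    while simgr.stashes["active"] and not guard.complete(simgr) and steps < max_steps:
        guard.step(simgr)
        steps += 1
    return steps, len(simgr.stashes.get("budget_exceeded", [])), guard.reason


if __name__ == "__main__":
    print(run_with_guard())
```

With angr installed, the guard is attached like any other technique: `simgr.use_technique(BudgetGuard(max_states=2000, max_rss_mb=8192))` followed by `simgr.run()`; afterwards `simgr.budget_exceeded` holds the parked states and `guard.reason` says which budget fired. The memory check uses peak RSS rather than current RSS because ru_maxrss is what the kernel accounts and it never goes down, which is the conservative choice for a kill-switch.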
Documentation
- docs.angr.io – Official angr general documentation website.
- angr.io – Official angr API documentation.
- Intro to Binary Analysis with Z3 and angr – FSecureLABS workshop on using Z3 and the angr framework.
Projects
A list of academic and non-academic projects based on angr whose code is open source.
- Heaphopper – Apply symbolic execution to automatically verify security properties of most common heap libraries.
- angr-cli – Command line interface for angr a la peda/GEF/pwndbg.
- Syml – Use ML to prioritize exploration of promising vulnerable paths.
- Angrop – Generate ROP chains using angr and symbolic execution.
- Angr-management – GUI for angr.
- Mechaphish – Automatic exploit generation (AEG) system built for the DARPA Cyber Grand Challenge (CGC).
- angr-static-analysis-for-vuzzer64 – angr-based static analysis module for Vuzzer.
- FirmXRay-angr – An angr version of the base address detection analysis implemented in FirmXRay.
- IVTSpotter – An IVT Spotter for monolithic ARM firmware images.
- MemSight – Rethinking Pointer Reasoning in Symbolic Execution.
- Karonte – Detecting Insecure Multi-binary Interactions in Embedded Firmware.
Blog posts
- angr-blog – Official angr blog.
- A reaching definition engine for binary analysis built into angr – A walk-through of the ReachingDefinitions analysis built into angr.
- shellphish-phrack – Phrack article on Mechaphish, the angr-based AEG system that placed 3rd at the CGC.
- angr-tutorial – Introduction to angr – baby steps in symbolic execution.
Papers
A collection of papers that use the angr framework or whose project is based on it.