2

I successfully figured out how to run a program using angr, starting with the state defined by a core dump (see How to run program using angr after loading with the elfcore backend?) but now I am wondering this:

How can I malloc memory in the program's SimulationState?

The starting state I am running the program from is the beginning of a function which takes a pointer and a length. I want to be able to malloc memory fresh with arbitrary lengths, and pass this pointer (and the appropriate length) instead into the function.

I found that there is what I believe is a plugin class, angr.state_plugins.heap.heap_libc.SimHeapLibc (documentation) which has a malloc method, but how do I use this plugin, and is it in fact what I need?

pooley1994
  • 723
  • 4
  • 16

1 Answers1

1

Alright, figured it out.

First of all, the plugin class that you want is angr.state_plugins.heap.heap_ptmalloc.SimHeapPTMalloc. Turns out angr.state_plugins.heap.heap_libc.SimHeapLibc is just the base class.

The use case then becomes:

simstate = angr.factory.AngrObjectFactory(proj).blank_state()

# IMPORTANT NOTE: you need to register the plugin with the name heap or it will break
simstate.register_plugin("heap", angr.state_plugins.heap.heap_ptmalloc.SimHeapPTMalloc())

# Voila, malloc and use arbitrary amounts of memory in the simulation space.
ptr = self.simstate.heap.malloc(data_len)
simstate.memory.store(ptr, simstate.solver.BVV(data_bytes, data_len*8))
pooley1994
  • 723
  • 4
  • 16