Awesome angr
A collection of resources/tools and analyses for the angr binary analysis framework. This page does not only collect links and external resources, but its meant to be an harbour to release any non-official extensions/tool/utils that can be useful when working with angr.
📁
ExplorationTechniques A collection of exploration techniques written by the community
- SimgrViz: an exploration technique that collects information regarding the states generated by the SimulationManager and creates a graph that can be later visualized to debug the analyses (.dot file).
- MemLimiter: an exploration technique to stop the analysis when memory consumption is too high!
- ExplosionDetector: stop the analysis when there are too many states or other critical errors happen.
- KLEECoverageOptimizeSearch: KLEE technique to improve coverage.
- KLEERandomSearch: an ET for random path selection.
- LoopExhaustion: a loop exhaustion search strategy.
- StochasticSearch: an ET for stocastic search of active states.
- HeartBeat: An exploration technique to make sure symbolic execution is alive and provides some utility to gently hijack into the DSE while it is running.
📖
Documentation - docs.angr.op - Official angr general documentatoin website.
- angr.io - Official angr API documentation.
- Intro to Binary Analysis with Z3 and angr - FSecureLABS workshop on using Z3 and the angr framework.
🚀
Projects List of academic/not-acadamic projects based on angr which code is open source.
- Heaphopper - Apply symbolic execution to automatically verify security properties of most common heap libraries.
- angr-cli - Command line interface for angr a la peda/GEF/pwndbg.
- Syml - Use ML to prioritize exploration of promising vulnerable paths.
- Angrop - Generate ropchains using angr and symbolic execution.
- Angr-management - GUI for angr.
- Mechaphish - AEG system for CGC.
- angr-static-analysis-for-vuzzer64 - angr-based static analysis module for Vuzzer.
- FirmXRay-angr - An angr version of the base address detection analysis implemented in FirmXRay.
- IVTSpotter - An IVT Spotter for monolithic ARM firmware images.
- MemSight - Rethinking Pointer Reasoning in Symbolic Execution.
- Karonte - Detecting Insecure Multi-binary Interactions in Embedded Firmware.
📰
Blogposts - angr-blog - Official angr blog.
- A reaching definition engine for binary analysis built-in in angr. - A walk-through of the ReachingDefinition analysis built-in in angr.
- shellphish-phrack - Phrack article on Mechaphish, the AEG system based on angr that got 3rd place at the CGC.
- angr-tutorial - Introduction to angr - baby steps in symbolic execution.
📃
Papers Here a collection of papers which used or whose project is based on the angr framework.