Reputation: 983
How to allocate (malloc) memory in an angr simulation state?
I successfully figured out how to run a program using angr, starting with the state defined by a core dump (see How to run program using angr after loading with the elfcore backend?) but now I am wondering this:
How can I malloc memory in the program's SimulationState?
The starting state I am running the program from is the beginning of a function which takes a pointer and a length. I want to be able to malloc memory fresh with arbitrary lengths, and pass this pointer (and the appropriate length) instead into the function.
I found that there is what I believe is a plugin class, angr.state_plugins.heap.heap_libc.SimHeapLibc (documentation) which has a malloc method, but how do I use this plugin, and is it in fact what I need?
Upvotes: 3
Views: 1079
Answers (1)
Reputation: 983
Alright, figured it out.
First of all, the plugin class that you want is angr.state_plugins.heap.heap_ptmalloc.SimHeapPTMalloc. Turns out angr.state_plugins.heap.heap_libc.SimHeapLibc is just the base class.
The use case then becomes:
simstate = angr.factory.AngrObjectFactory(proj).blank_state()
# IMPORTANT NOTE: you need to register the plugin with the name heap or it will break
simstate.register_plugin("heap", angr.state_plugins.heap.heap_ptmalloc.SimHeapPTMalloc())
# Voila, malloc and use arbitrary amounts of memory in the simulation space.
ptr = self.simstate.heap.malloc(data_len)
simstate.memory.store(ptr, simstate.solver.BVV(data_bytes, data_len*8))
Upvotes: 3
Related Questions
- Executing assembler code with python
- How to assign a value to the space created by malloc in python?
- Allocating with malloc in Cython
- Using memory returned by call to malloc in NASM
- Allocating a dynamic array in a dynamically allocated struct (struct of arrays)
- python memory allocation when using chr()
- memory address generator in python
- dynamic memory allocation in python
- Accessing malloc'd memory in assembly
- Python String memory usage on FreeBSD