# Hooks These command can be used to hook different parts of the code and run commands or print debugging information when a state hits those locations. This code is mostly proof-of-concept so a lot of features are currently missing. The relevant commands can be listed using `Mh?`. ``` [0x00400610]> Mh? Getting help | Mh[?] Hooks help | Mhf Hook all functions | Mhl Hook all loops [0x00400610]> ``` ## Hooking functions An example of the `Mhf` command for hooking all functions is shown below. ``` [0x00400610]> Mhf [HOOKS] Hooking function: entry0 at 0x400610 [HOOKS] Hooking import: sym.imp.__libc_start_main at 0x4005d0 [HOOKS] Hooking import: sym.imp.getenv at 0x400590 [HOOKS] Hooking import: sym.imp.puts at 0x4005a0 [HOOKS] Hooking import: sym.imp.__stack_chk_fail at 0x4005b0 [HOOKS] Hooking import: sym.imp.printf at 0x4005c0 [HOOKS] Hooking import: sym.imp.fgets at 0x4005e0 [HOOKS] Hooking import: sym.imp.ptrace at 0x400600 [HOOKS] Hooking function: main at 0x4007e8 [HOOKS] Hooking function: entry.init0 at 0x4006d0 [HOOKS] Hooking function: entry.init1 at 0x4007a8 [HOOKS] Hooking function: entry.fini0 at 0x4006b0 [HOOKS] Hooking function: fcn.00400640 at 0x400640 [0x00400610]> Meu 0x400844 [DEBUG] Starting exploration. Find: [0x400844] [HOOKS] Called entry0 (int64_t arg3); [HOOKS] Called int sym.imp.__libc_start_main (func main, int argc, char **ubp_av, func init, func fini, func rtld_fini, void *stack_end); [HOOKS] Called entry.init0 (); [HOOKS] Called entry.init1 (); [HOOKS] Called char *sym.imp.getenv (const char *name); [HOOKS] Called long sym.imp.ptrace (__ptrace_request request, pid_t pid, void*addr, void*data); [HOOKS] Called int main (int argc, char **argv, char **envp); [HOOKS] Called int sym.imp.printf (const char *format); [HOOKS] Called char *sym.imp.fgets (char *s, int size, FILE *stream); [HOOKS] Called int sym.imp.puts (const char *s); [HOOKS] Called int sym.imp.puts (const char *s); [HOOKS] Called int sym.imp.puts (const char *s); [HOOKS] Called int sym.imp.puts (const char *s); [HOOKS] Called int sym.imp.puts (const char *s); [HOOKS] Called int sym.imp.puts (const char *s); [HOOKS] Called int sym.imp.puts (const char *s); [HOOKS] Called int sym.imp.puts (const char *s); [HOOKS] Called int sym.imp.puts (const char *s); [HOOKS] Called int sym.imp.puts (const char *s); [HOOKS] Called int sym.imp.puts (const char *s); [DEBUG] Found 1 solutions [0x00400844]> ``` As you can see, there is a lot more debugging information printed during exploration because these hooks have been installed. These hooks are useful for tracking what angr is doing during an exploration. ## Hooking loops Loops famously pose a challenge for symbolic execution due to the problem of path explosion. The `Mhl` command hooks the start of a loop and prints debugging information each iteration to make debugging these kinds of issues simpler. ``` [0x00400610]> Mhl WARNING | 2020-06-15 16:34:02,911 | angr.state_plugins.symbolic_memory | The program is accessing memory or registers with an unspecified value. This could indicate unwanted behavior. WARNING | 2020-06-15 16:34:02,911 | angr.state_plugins.symbolic_memory | angr will cope with this by generating an unconstrained symbolic variable and continuing. You can resolve this by: WARNING | 2020-06-15 16:34:02,911 | angr.state_plugins.symbolic_memory | 1) setting a value to the initial state WARNING | 2020-06-15 16:34:02,911 | angr.state_plugins.symbolic_memory | 2) adding the state option ZERO_FILL_UNCONSTRAINED_{MEMORY,REGISTERS}, to make unknown regions hold null WARNING | 2020-06-15 16:34:02,911 | angr.state_plugins.symbolic_memory | 3) adding the state option SYMBOL_FILL_UNCONSTRAINED_{MEMORY_REGISTERS}, to suppress these messages. WARNING | 2020-06-15 16:34:02,911 | angr.state_plugins.symbolic_memory | Filling memory at 0x7fffffff with 8 unconstrained bytes referenced from 0x400615 (PLT.ptrace+0x15 in r100 (0x400615)) [HOOKS] Found 4 loops [0x00400610]> Meu main [DEBUG] Starting exploration. Find: [0x4007e8] [HOOKS] Starting loop at 0x4008d0 [HOOKS] [1|0] {Loop count: 1} Looping at 0x4008d0 [HOOKS] Starting loop at 0x4007e4 [HOOKS] [3|0] {Loop count: 1} Looping at 0x4007e4 [HOOKS] [3|0] {Loop count: 2} Looping at 0x4007e4 [HOOKS] [3|0] {Loop count: 3} Looping at 0x4007e4 [HOOKS] [3|0] {Loop count: 4} Looping at 0x4007e4 [HOOKS] [3|0] {Loop count: 5} Looping at 0x4007e4 [DEBUG] Found 1 solutions ```