Hooks
These commands hook different parts of the code and run commands or print debugging information whenever a state reaches those locations. The code is mostly proof-of-concept, so many features are currently missing.
The relevant commands can be listed using Mh?.
[0x00400610]> Mh?
Getting help
| Mh[?] Hooks help
| Mhf Hook all functions
| Mhl Hook all loops
[0x00400610]>
Hooking functions
An example of the Mhf command for hooking all functions is shown below.
[0x00400610]> Mhf
[HOOKS] Hooking function: entry0 at 0x400610
[HOOKS] Hooking import: sym.imp.__libc_start_main at 0x4005d0
[HOOKS] Hooking import: sym.imp.getenv at 0x400590
[HOOKS] Hooking import: sym.imp.puts at 0x4005a0
[HOOKS] Hooking import: sym.imp.__stack_chk_fail at 0x4005b0
[HOOKS] Hooking import: sym.imp.printf at 0x4005c0
[HOOKS] Hooking import: sym.imp.fgets at 0x4005e0
[HOOKS] Hooking import: sym.imp.ptrace at 0x400600
[HOOKS] Hooking function: main at 0x4007e8
[HOOKS] Hooking function: entry.init0 at 0x4006d0
[HOOKS] Hooking function: entry.init1 at 0x4007a8
[HOOKS] Hooking function: entry.fini0 at 0x4006b0
[HOOKS] Hooking function: fcn.00400640 at 0x400640
[0x00400610]> Meu 0x400844
[DEBUG] Starting exploration. Find: [0x400844]
[HOOKS] Called entry0 (int64_t arg3);
[HOOKS] Called int sym.imp.__libc_start_main (func main, int argc, char **ubp_av, func init, func fini, func rtld_fini, void *stack_end);
[HOOKS] Called entry.init0 ();
[HOOKS] Called entry.init1 ();
[HOOKS] Called char *sym.imp.getenv (const char *name);
[HOOKS] Called long sym.imp.ptrace (__ptrace_request request, pid_t pid, void*addr, void*data);
[HOOKS] Called int main (int argc, char **argv, char **envp);
[HOOKS] Called int sym.imp.printf (const char *format);
[HOOKS] Called char *sym.imp.fgets (char *s, int size, FILE *stream);
[HOOKS] Called int sym.imp.puts (const char *s);
[HOOKS] Called int sym.imp.puts (const char *s);
[HOOKS] Called int sym.imp.puts (const char *s);
[HOOKS] Called int sym.imp.puts (const char *s);
[HOOKS] Called int sym.imp.puts (const char *s);
[HOOKS] Called int sym.imp.puts (const char *s);
[HOOKS] Called int sym.imp.puts (const char *s);
[HOOKS] Called int sym.imp.puts (const char *s);
[HOOKS] Called int sym.imp.puts (const char *s);
[HOOKS] Called int sym.imp.puts (const char *s);
[HOOKS] Called int sym.imp.puts (const char *s);
[DEBUG] Found 1 solutions
[0x00400844]>
As the output shows, far more debugging information is printed during exploration once these hooks are installed: every hooked function and import is reported, with its prototype, each time a state calls it. These hooks are useful for tracking what angr is doing during an exploration, for example which library calls a path makes and in what order.
Hooking loops
Loops are a well-known challenge for symbolic execution because of path explosion. The Mhl command hooks the start of each loop and prints debugging information on every iteration, which makes this kind of problem easier to diagnose.