angr

9.2.209 · active · verified Sun Apr 12

angr is a multi-architecture binary analysis toolkit, providing capabilities for dynamic symbolic execution, various static analyses, and program instrumentation on binaries. It is actively developed and maintained, with frequent minor and patch releases, and less frequent major version changes.

Warnings

breaking With angr 9.0+, there was a significant refactoring around the 'KnowledgeBase'. Analysis results and program facts are now primarily stored in `project.kb`, instead of being directly attributes of analysis objects. Code interacting with older analysis result storage patterns will break.
Fix: Migrate your code to access program information and analysis results via `project.kb`. Consult the official documentation for specific migration paths.
gotcha angr relies on several dependencies (like `pyvex` and `z3`) which include forked native code libraries. Installing directly into a global Python environment can lead to conflicts with existing system libraries or other Python projects. This is a common source of unexpected behavior or installation failures.
Fix: Always install angr within a dedicated Python virtual environment (e.g., `venv`, `conda`).
gotcha Direct `pip install angr` is generally not supported on Windows due to complexities with its native code dependencies. Users on Windows typically need to install individual components manually or use the official Docker image.
Fix: On Windows, consider using the official `angr/angr` Docker image or follow detailed source installation instructions for individual components if a native installation is required.
gotcha Binary analysis, especially symbolic execution, is computationally intensive and can be slow, leading to 'path explosion' for complex programs. Initial attempts may seem non-performant or get stuck.
Fix: Start with small, focused binaries. Utilize angr's various analysis techniques (e.g., CFG, VSA) to reduce the search space before symbolic execution. Be mindful of state options and exploration techniques to prune irrelevant paths. Consult the 'Optimization considerations' section in the documentation.

Install

pip install angr Recommended installation in a virtual environment
sudo apt-get install python3-dev libffi-dev build-essential Required system dependencies for building C components on Ubuntu/Debian if binary wheels are unavailable

Imports

angr
```
import angr
```

Quickstart

This quickstart loads a specified binary (defaults to '/bin/ls') into an angr Project, prints basic information, and creates an initial execution state. It demonstrates the fundamental steps for starting an analysis. The commented-out section shows a typical pattern for symbolic execution, which would require a specific challenge binary with known target addresses.

import angr
import os

binary_path = os.environ.get('ANGR_BINARY_PATH', '/bin/ls')

try:
    project = angr.Project(binary_path, auto_load_libs=False)
    print(f"Successfully loaded binary: {project.filename}")
    print(f"Architecture: {project.arch}")
    print(f"Entry point: {hex(project.entry)}")

    # Example of creating an initial state
    initial_state = project.factory.entry_state()
    print(f"Initial state created at: {hex(initial_state.addr)}")

    # Optional: Basic symbolic execution (requires a suitable binary and goal)
    # simgr = project.factory.simulation_manager(initial_state)
    # simgr.explore(find=0x400844, avoid=0x400850) # Replace with addresses relevant to your binary
    # if simgr.found:
    #     solution = simgr.found[0]
    #     print(f"Found solution input: {solution.posix.dumps(0)}")

except Exception as e:
    print(f"An error occurred: {e}")
    print("Please ensure 'ANGR_BINARY_PATH' is set to a valid executable, or that /bin/ls exists.")

view raw JSON →