1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
| class ExplorationTechnique:
_hook_list = ("step", "filter", "selector", "step_state", "successors")
def _get_hooks(self):
return {name: getattr(self, name) for name in self._hook_list if self._is_overriden(name)}
def _is_overriden(self, name):
return getattr(self, name).__code__ is not getattr(ExplorationTechnique, name).__code__
def __init__(self):
if not hasattr(self, "project"):
self.project: angr.project.Project = None
def setup(self, simgr):
def step(self, simgr, stash="active", **kwargs):
"""
用来hook step函数,最后应该调用simgr.step以便真正执行
原本的step是往下执行一步,去到后继block
"""
simgr.step(stash=stash, **kwargs)
def filter(self, simgr, state, **kwargs):
"""
决定该state要被移去哪一个stash
如果说这个state要被filter的话,就把这个state要被移去的stash名字返回
如果想在filter之前对state做一些改变,就返回一个stash的元组,并修改state
这和step里的filter_fun起到的作用一样的
"""
return simgr.filter(state, **kwargs)
def selector(self, simgr, state, **kwargs):
"""
决定该state是否要参与进这个step round,也就是如果这个state要进入的话,就返
回True否则返回False
这个step里的selector_fun起到的作用是一样的
"""
return simgr.selector(state, **kwargs)
def step_state(self, simgr, state, **kwargs):
"""
决定该state的successor应该放去哪个块。结果应该是一个stash到successor列表的字典映射
如["active:[succ1,succ2]"]
note:该函数的优先级高于filter filter是作用于当前返回的state
"""
return simgr.step_state(state, **kwargs)
def successors(self, simgr, state, **kwargs):
"""
在进入一个state时调用,返回一个SimSuccssors对象
"""
return simgr.successors(state, **kwargs)
def complete(self, simgr):
"""
返回当前simgr是否到达 "completed" state
该方法不是hook的对象,也不应该直接调用此方法,而是应该自己决定返回True或者False
"""
return False
|