Feat/ropbot

Dockerfile

@@ -0,0 +1,27 @@
+from python:3.13-bookworm
+
+run apt-get update && apt-get upgrade -y
+run pip install --upgrade pip 
+
+run apt-get install -y make binutils-riscv64-linux-gnu git
+
+# setup python dependencies
+run pip install cffi pwntools unicorn==2.0.1.post1 protobuf==5.28.2
+run pip install setuptools==79.0.1
+
+run git clone --depth 1 -b wip/riscv https://github.com/angr/archinfo /archinfo
+workdir /archinfo
+run pip install -e .
+run pip install pyvex==9.2.139 cle==9.2.139 claripy==9.2.139
+run git clone --depth 1 -b wip/riscv https://github.com/angr/angr /angr
+workdir /angr
+run sed -i 's/9.2.153.dev0/9.2.139/' angr/__init__.py
+run sed -i 's/9.2.153.dev0/9.2.139/' ./pyproject.toml
+run pip install --no-build-isolation -e .
+
+# install angrop
+copy . /angrop
+workdir /angrop
+run pip install -e .
+run pip install ailment==9.2.153
+copy bin/angrop-cli /usr/bin/angrop-cli

README.md

@@ -6,144 +6,103 @@ angrop is a rop gadget finder and chain builder
 ## Overview
 angrop is a tool to automatically generate rop chains.
 
-It is built on top of angr's symbolic execution engine, and uses constraint solving for generating chains and understanding the effects of gadgets.
+It is built on top of angr's symbolic execution engine.
+It uses symbolic execution to understand the effects of gadgets and uses constraint solving and graph search for generating chains.
+Its design is architecture-agnostic so it supports multiple architectures.
 
-angrop should support all the architectures supported by angr, although more testing needs to be done.
+Typically, it generate rop chains faster than humans.
+In some cases, it can generate hard rop chains that may take humans hours to build within a few seconds.
+Some examples can be found [here](examples).
 
-Typically, it can generate rop chains (especially long chains) faster than humans.
+It comes with a cli and a python api.
+The command line `angrop-cli` offers some basic gadget finding/chaining capability such as finding an `system`/`execve` chain or invoking a specific function.
+The `angrop` python api offers the full features.
+Details can be found in [Usage](README.md#usage).
 
-It includes functions to generate chains which are commonly used in exploitation and CTF's, such as setting registers, and calling functions.
+`angrop` does not just only works for userspace binaries, it works for the Linux kernel as well.
 
 ## Architectures
 Supported architectures:
 * x86/x64
-* ARM
 * MIPS
-* AARCH64
+* ARM
+* AArch64
+* RISC-V (64bit)
 
 It should be relatively easy to support other architectures that are supported by `angr`.
 If you'd like to use `angrop` on other architectures, please create an issue and we will look into it :)
 
 ## Usage
 
-The ROP analysis finds rop gadgets and can automatically build rop chains.
+You can use either the CLI or the Python API.
+The CLI only offers some basic functionalities while the Python API provides much more capabilities and is much more powerful.
+
+## CLI
+angrop comes with a command line tool for easy day-to-day usage
+```bash
+# dump command will find gadgets in the target binary, true/false marks whether the gadget is self-contained
+$ angrop-cli dump /bin/ls
+0x11735: true  : adc bl, byte ptr [rbx + 0x4c]; mov eax, esp; pop r12; pop r13; pop r14; pop rbp; ret 
+0x10eaa: true  : adc eax, 0x12469; add rsp, 0x38; pop rbx; pop r12; pop r13; pop r14; pop r15; pop rbp; ret 
+00xe026: true  : adc eax, 0xcec8; pop rbx; cmove rax, rdx; pop r12; pop rbp; ret 
+00xdfd4: true  : adc eax, 0xcf18; pop rbx; cmove rax, rdx; pop r12; pop rbp; ret 
+00xdfa5: true  : adc eax, 0xcf4d; pop rbx; cmove rax, rdx; pop r12; pop rbp; ret 
+......
+
+# chain command will find some predefined chains in the binary
+$ angrop-cli chain -t execve /bin/bash
+code_base = 0x0
+chain = b""
+chain += p64(code_base + 0x36083)	# pop rax; pop rbx; pop rbp; ret 
+chain += p64(code_base + 0x30016)	# add rsp, 8; ret 
+chain += p64(code_base + 0x34873)
+chain += p64(code_base + 0x0)
+chain += p64(code_base + 0x9616d)	# mov edx, ebp; mov rsi, r12; mov rdi, rbx; call rax
+chain += p64(code_base + 0xe501e)	# pop rsi; ret 0
+chain += p64(code_base + 0x0)
+chain += p64(code_base + 0x31470)	# execve@plt
+chain += p64(0x0)
+chain += p64(code_base + 0x10d5bf)
+```
 
+## Python API
 ```python
 >>> import angr, angrop
 >>> p = angr.Project("/bin/ls")
 >>> rop = p.analyses.ROP()
 >>> rop.find_gadgets()
->>> chain = rop.set_regs(rax=0x1337, rbx=0x56565656)
->>> chain.payload_str()
-b'\xb32@\x00\x00\x00\x00\x007\x13\x00\x00\x00\x00\x00\x00\xa1\x18@\x00\x00\x00\x00\x00VVVV\x00\x00\x00\x00'
+>>> chain = rop.set_regs(rax=0x41414141, rbx=0x42424242)
 >>> chain.print_payload_code()
+code_base = 0x0
 chain = b""
-chain += p64(0x410b23)	# pop rax; ret
-chain += p64(0x1337)
-chain += p64(0x404dc0)	# pop rbx; ret
-chain += p64(0x56565656)
+chain += p64(code_base + 0xf5e2)	# pop rbx; pop r12; test eax, eax; pop rbp; cmovs eax, edx; ret 
+chain += p64(0x42424242)
+chain += p64(0x0)
+chain += p64(0x0)
+chain += p64(code_base + 0x812f)	# pop rsi; pop rbp; ret 
+chain += p64(0x41414141)
+chain += p64(0x0)
+chain += p64(code_base + 0x169dd)	# mov rax, rsi; ret 
+chain += p64(code_base + 0x10a55)
 ```
+More detailed docs on the Python API can be found [here](docs/pythonapi.md).
 
-## Chains
-```python
-# angrop includes methods to create certain common chains
-
-# setting registers
-chain = rop.set_regs(rax=0x1337, rbx=0x56565656)
-
-# moving registers
-chain = rop.move_regs(rax='rdx')
-
-# writing to memory 
-# writes "/bin/sh\0" to address 0x61b100
-chain = rop.write_to_mem(0x61b100, b"/bin/sh\0")
+## Demo
 
-# calling functions
-chain = rop.func_call("read", [0, 0x804f000, 0x100])
-
-# adding values to memory
-chain = rop.add_to_mem(0x804f124, 0x41414141)
-
-# shifting stack pointer like add rsp, 0x8; ret (this gadget shifts rsp by 0x10)
-chain = rop.shift(0x10)
-
-# generating ret-sled chains like ret*0x10, but works for ARM/MIPS as well
-chain = rop.retsled(0x40)
-
-# bad bytes can be specified to generate chains with no bad bytes
-rop.set_badbytes([0x0, 0x0a])
-chain = rop.set_regs(eax=0)
-
-# chains can be added together to chain operations
-chain = rop.write_to_mem(0x61b100, b"/home/ctf/flag\x00") + rop.func_call("open", [0x61b100,os.O_RDONLY]) + ...
-
-# chains can be printed for copy pasting into exploits
->>> chain.print_payload_code()
-chain = b""
-chain += p64(0x410b23)	# pop rax; ret
-chain += p64(0x74632f656d6f682f)
-chain += p64(0x404dc0)	# pop rbx; ret
-chain += p64(0x61b0f8)
-chain += p64(0x40ab63)	# mov qword ptr [rbx + 8], rax; add rsp, 0x10; pop rbx; ret
-...
-
-```
-
-## Gadgets
-
-Gadgets contain a lot of information:
-
-For example look at how the following code translates into a gadget
-
-```asm
-   0x403be4:	and    ebp,edi
-   0x403be6:	mov    QWORD PTR [rbx+0x90],rax
-   0x403bed:	xor    eax,eax
-   0x403bef:	add    rsp,0x10
-   0x403bf3:	pop    rbx
-   0x403bf4:	ret    
-```
-
-```python
->>> print(rop.rop_gadgets[0])
-Gadget 0x403be4
-Stack change: 0x20
-Changed registers: set(['rbx', 'rax', 'rbp'])
-Popped registers: set(['rbx'])
-Register dependencies:
-    rbp: [rdi, rbp]
-Memory write:
-    address (64 bits) depends on: ['rbx']
-    data (64 bits) depends on: ['rax']
-```
-
-
-The dependencies describe what registers affect the final value of another register. 
-In the example above, the final value of rbp depends on both rdi and rbp.
-Dependencies are analyzed for registers and for memory actions.
-All of the information is stored as properties in the gadgets, so it is easy to iterate over them and find gadgets which fit your needs.
-
-```python
->>> for g in rop.rop_gadgets:
-    if "rax" in g.popped_regs and "rbx" not in g.changed_regs:
-        print(g)
-Gadget 0x4032b3
-Stack change: 0x10
-Changed registers: set(['rax'])
-Popped registers: set(['rax'])
-Register dependencies:
-```
+### gadget finding
+![gadget](gifs/find_gadget.gif?raw=true)
 
-## TODO's
-Allow strings to be passed as arguments to func_call(), which are then written to memory and referenced.
+### find execve chain
+![execve](gifs/execve.gif?raw=true)
 
-Add a function for open, read, write (for ctf's)
+### container escape chain for the kernel
+![kernel](gifs/kernel.gif?raw=true)
 
-The segment analysis for finding executable addresses seems to break on non-elf binaries often, such as PE files, kernel modules.
+## Paper
+We describe our design and findings in this paper
 
-Allow setting constraints on the generated chain e.g. bytes that are valid.
+[__ropbot: Reimaging Code Reuse Attack Synthesis__](https://kylebot.net/papers/ropbot.pdf)
 
-## Common gotchas
-Make sure to import angrop before calling proj.analyses.ROP()
+Kyle Zeng, Moritz Schloegel, Christopher Salls, Adam Doupé, Ruoyu Wang, Yan Shoshitaishvili, Tiffany Bao
 
-Make sure to call find_gadets() before trying to make chains
+*In Proceedings of the Network and Distributed System Security Symposium (NDSS), February 2026*,

angrop/arch.py

@@ -6,9 +6,10 @@ class ROPArch:
     def __init__(self, project, kernel_mode=False):
         self.project = project
         self.kernel_mode = kernel_mode
-        self.max_sym_mem_access = 4
+        self.max_sym_mem_access = 1
         self.alignment = project.arch.instruction_alignment
-        self.reg_set = self._get_reg_set()
+        self.reg_list = self._get_reg_list()
+        self.reg_set = set(self.reg_list) # backward compatibility, will be removed
         self.max_block_size = None
         self.fast_mode_max_block_size = None
 
@@ -19,20 +20,24 @@ def __init__(self, project, kernel_mode=False):
         self.ret_insts = None
         self.execve_num = None
 
-    def _get_reg_set(self):
+    def _get_reg_list(self):
         """
-        get the set of names of general-purpose registers
+        get the set of names of general-purpose registers + bp
+        because bp is usually considered as general-purpose these days
         """
         arch = self.project.arch
-        _sp_reg = arch.register_names[arch.sp_offset]
-        _ip_reg = arch.register_names[arch.ip_offset]
+        sp_reg = arch.register_names[arch.sp_offset]
+        ip_reg = arch.register_names[arch.ip_offset]
+        bp_reg = arch.register_names[arch.bp_offset]
 
         # get list of general-purpose registers
         default_regs = arch.default_symbolic_registers
         # prune the register list of the instruction pointer and the stack pointer
-        return {r for r in default_regs if r not in (_sp_reg, _ip_reg)}
+        reg_list = [r for r in default_regs if r not in (sp_reg, ip_reg, bp_reg)]
+        reg_list.append(bp_reg)
+        return reg_list
 
-    def block_make_sense(self, block):
+    def block_make_sense(self, block) -> bool:
         return True
 
 class X86(ROPArch):
@@ -47,13 +52,25 @@ def __init__(self, project, kernel_mode=False):
 
     def _x86_block_make_sense(self, block):
         capstr = str(block.capstone).lower()
+
+        for inst in block.capstone.insns:
+            if inst.mnemonic == 'ret' and inst.op_str:
+                n = int(inst.op_str, 16)
+                if n % self.project.arch.bytes != 0 or n >= 0x100:
+                    return False
+
+            if inst.mnemonic == 'int' and inst.op_str:
+                n = int(inst.op_str, 16)
+                if n != 0x80:
+                    return False
+
         # currently, angrop does not handle "repz ret" correctly, we filter it
-        if any(x in capstr for x in ('cli', 'rex', 'repz ret')):
+        if any(x in capstr for x in ('cli', 'rex', 'repz ret', 'retf', 'hlt', 'wait', 'loop', 'lock')):
             return False
         if not self.kernel_mode:
             if "fs:" in capstr or "gs:" in capstr or "iret" in capstr:
                 return False
-        if block.size < 1 or block.bytes[0] == 0x4f:
+        if block.size < 1:
             return False
         return True
 
@@ -115,13 +132,29 @@ def __init__(self, project, kernel_mode=False):
         self.fast_mode_max_block_size = self.alignment * 6
         self.execve_num = 0xdd
 
+    def block_make_sense(self, block):
+        for x in block.capstone.insns:
+            # won't be able to ROP with PAC
+            if x.mnemonic == 'autiasp':
+                return False
+        return True
+
 class MIPS(ROPArch):
     def __init__(self, project, kernel_mode=False):
         super().__init__(project, kernel_mode=kernel_mode)
         self.alignment = self.project.arch.bytes
         self.max_block_size = self.alignment * 8
         self.fast_mode_max_block_size = self.alignment * 6
         self.execve_num = 0xfab
+        self.syscall_insts = {b"\x0c\x00\x00\x00"} # syscall
+
+class RISCV64(ROPArch):
+    def __init__(self, project, kernel_mode=False):
+        super().__init__(project, kernel_mode=kernel_mode)
+        self.ret_insts = {b"\x82\x80"}
+        self.max_block_size = self.alignment * 10
+        self.fast_mode_max_block_size = self.alignment * 6
+        self.execve_num = 0xdd
 
 def get_arch(project, kernel_mode=False):
     name = project.arch.name
@@ -134,6 +167,8 @@ def get_arch(project, kernel_mode=False):
         return ARM(project, kernel_mode=mode)
     elif name == 'AARCH64':
         return AARCH64(project, kernel_mode=mode)
+    elif name == 'RISCV64':
+        return RISCV64(project, kernel_mode=mode)
     elif name.startswith('MIPS'):
         return MIPS(project, kernel_mode=mode)
     else: