A collection of resources/tools and analyses for the angr binary analysis framework. This page does not only collect links and external resources, but its meant to be an harbour to release any non-official extensions/tool/utils that can be useful when working with angr.

A collection of exploration techniques written by the community

• SimgrViz: an exploration technique that collects information regarding the states generated by the SimulationManager and creates a graph that can be later visualized to debug the analyses (.dot file).
• MemLimiter: an exploration technique to stop the analysis when memory consumption is too high!
• ExplosionDetector: stop the analysis when there are too many states or other critical errors happen.
• KLEECoverageOptimizeSearch: KLEE technique to improve coverage.
• KLEERandomSearch: an ET for random path selection.
• LoopExhaustion: a loop exhaustion search strategy.
• StochasticSearch: an ET for stocastic search of active states.
• HeartBeat: An exploration technique to make sure symbolic execution is alive and provides some utility to gently hijack into the DSE while it is running.

• docs.angr.op - Official angr general documentatoin website.
• angr.io - Official angr API documentation.
• Intro to Binary Analysis with Z3 and angr - FSecureLABS workshop on using Z3 and the angr framework.

List of academic/not-acadamic projects based on angr which code is open source.

• Heaphopper - Apply symbolic execution to automatically verify security properties of most common heap libraries.
• angr-cli - Command line interface for angr a la peda/GEF/pwndbg.
• Syml - Use ML to prioritize exploration of promising vulnerable paths.
• Angrop - Generate ropchains using angr and symbolic execution.
• Angr-management - GUI for angr.
• Mechaphish - AEG system for CGC.
• angr-static-analysis-for-vuzzer64 - angr-based static analysis module for Vuzzer.
• FirmXRay-angr - An angr version of the base address detection analysis implemented in FirmXRay.
• IVTSpotter - An IVT Spotter for monolithic ARM firmware images.
• MemSight - Rethinking Pointer Reasoning in Symbolic Execution.
• Karonte - Detecting Insecure Multi-binary Interactions in Embedded Firmware.
• BootStomp - A bootloader vulnerability finder.
• SaTC - A prototype of Shared-keywords aware Taint Checking(SaTC), a static analysis method that tracks user input between front-end and back-end for vulnerability discovery effectively and efficiently.
• Arbiter - Arbiter is a combination of static and dynamic analyses, built on top of angr, that can be used to detect some vulnerability classes.

• angr-blog - Official angr blog.
• A reaching definition engine for binary analysis built-in in angr. - A walk-through of the ReachingDefinition analysis built-in in angr.
• shellphish-phrack - Phrack article on Mechaphish, the AEG system based on angr that got 3rd place at the CGC.
• angr-tutorial - Introduction to angr - baby steps in symbolic execution.
• bcheck - Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries.

Here a collection of papers which used or whose project is based on the angr framework.