I successfully figured out how to run a program using angr, starting with the state defined by a core dump (see How to run program using angr after loading with the elfcore backend?) but now I am wondering this:
How can I malloc memory in the program's SimulationState?
The starting state I am running the program from is the beginning of a function which takes a pointer and a length. I want to be able to malloc memory fresh with arbitrary lengths, and pass this pointer (and the appropriate length) instead into the function.
I found that there is what I believe is a plugin class, angr.state_plugins.heap.heap_libc.SimHeapLibc (documentation), which has a malloc method, but how do I use this plugin, and is it in fact what I need?
Alright, figured it out.
First of all, the plugin class that you want is angr.state_plugins.heap.heap_ptmalloc.SimHeapPTMalloc. Turns out angr.state_plugins.heap.heap_libc.SimHeapLibc is just the base class.
The use case then becomes:
simstate = angr.factory.AngrObjectFactory(proj).blank_state()
# IMPORTANT NOTE: you need to register the plugin with the name heap or it will break
simstate.register_plugin("heap", angr.state_plugins.heap.heap_ptmalloc.SimHeapPTMalloc())
# Voila, malloc and use arbitrary amounts of memory in the simulation space.
# data_bytes is the bytes object to place in the buffer, data_len is its length in bytes
ptr = simstate.heap.malloc(data_len)
simstate.memory.store(ptr, simstate.solver.BVV(data_bytes, data_len * 8))