Closed Kyle-Kyle closed 8 months ago
Would it be possible for this to be user configurable?
Of course it is possible. But I'm curious what your use case is. Are you actually trying to use angrop-generated payloads in a privileged context? Or are you just using it for gadget searching?
We are currently using angrop for both gadget analysis and chain building of userspace binaries.
My current use case does not need to use privileged instructions. I am the user that posted the iretd question in the angr slack. The privileged instructions are causing my current issues.
However, when thinking about your comment "since currently angrop is designed only for userspace programs, it makes sense to filter out privileged instructions", it occurred to me that this might not always be the case. My research might include kernel space in the future.
So, it seems that iret is not a privileged instruction, as documented in https://www.uops.info/xml.html. What I proposed is not a great solution to the problem. I'll just filter out iret in user_mode as a monkey patch then: https://github.com/angr/angrop/compare/master...wip/chainbuilder_refactor
The code is merged in https://github.com/angr/angrop/commit/285786d608d42e6da8affc3d1d4ede94c98a4d1a
Description
angrop is designed for userspace ROP chain generation and should not include privileged instructions in the ROP chain. We should add a filter in the architecture-specific configurations.
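A mode-aware gadget filter of the kind the issue asks for, as an added illustration that is not angrop's own code. It keeps two lists apart, because the thread makes the distinction: instructions that are ring-0 only and fault at CPL 3, and iret, which is architecturally allowed at CPL 3 but still useless to a userspace chain and so is filtered only in user mode. The gadget representation, the instruction lists, the mov-to-control-register check and the sample gadgets are all assumptions constructed for this example, not angrop's configuration tables or its gadget class.

```python
"""
Added example (not angrop's code): filter ROP gadgets by execution mode.

A gadget is modelled as a disassembler would report it, a sequence of
(mnemonic, operand-string) pairs. The instruction lists below are
illustrative assumptions, not angrop's architecture configuration.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: representative x86/x86-64 mnemonics that fault at CPL 3
# (cli/sti and port I/O assume the default IOPL=0 and no I/O bitmap).
RING0_ONLY = frozenset({
    "hlt", "cli", "sti",
    "in", "out", "insb", "insw", "insd", "outsb", "outsw", "outsd",
    "rdmsr", "wrmsr", "lgdt", "lidt", "lldt", "ltr", "lmsw", "clts",
    "invlpg", "invd", "wbinvd", "swapgs", "sysret", "sysretq", "sysexit",
})

# Not privileged (the point made in the thread), but a userspace chain
# cannot build the CS/SS frame these need, so they are dropped in user mode.
USER_UNUSABLE = frozenset({"iret", "iretd", "iretq"})


@dataclass(frozen=True)
class Gadget:
    addr: int
    insns: Tuple[Tuple[str, str], ...]  # (mnemonic, operands) per instruction


def _base_mnemonic(mnemonic: str) -> str:
    # Disassemblers fold prefixes into the mnemonic ("rep outsb"); the last
    # token is the real opcode, so prefixed privileged instructions are caught.
    return mnemonic.lower().split()[-1]


def _touches_system_reg(mnemonic: str, operands: str) -> bool:
    # Access to CR*/DR* is privileged although the mnemonic is a plain "mov".
    if _base_mnemonic(mnemonic) != "mov":
        return False
    ops = [o.strip().lower() for o in operands.split(",")]
    return any(len(o) == 3 and o[:2] in ("cr", "dr") and o[2].isdigit()
               for o in ops)


def reject_reason(gadget: Gadget, kernel_mode: bool = False) -> Optional[str]:
    """Return why the gadget is unusable in the chosen mode, or None to keep it."""
    if kernel_mode:
        return None  # ring 0 may execute anything, including iretq
    for mnemonic, operands in gadget.insns:
        base = _base_mnemonic(mnemonic)
        if base in RING0_ONLY or _touches_system_reg(mnemonic, operands):
            return "privileged: " + (mnemonic + " " + operands).strip()
        if base in USER_UNUSABLE:
            return "unusable in user mode: " + mnemonic
    return None


def filter_gadgets(gadgets: List[Gadget], kernel_mode: bool = False) -> List[Gadget]:
    return [g for g in gadgets if reject_reason(g, kernel_mode) is None]


# Constructed sample gadgets; addresses are made up for the example.
SAMPLE_GADGETS = [
    Gadget(0x401000, (("pop", "rdi"), ("ret", ""))),
    Gadget(0x401010, (("mov", "eax, 1"), ("out", "dx, al"), ("ret", ""))),
    Gadget(0x401020, (("iretd", ""),)),
    Gadget(0x401030, (("swapgs", ""), ("ret", ""))),
    Gadget(0x401040, (("mov", "cr3, rax"), ("ret", ""))),
    Gadget(0x401050, (("rep outsb", "dx, byte ptr [rsi]"), ("ret", ""))),
]

if __name__ == "__main__":
    for mode in (False, True):
        kept = filter_gadgets(SAMPLE_GADGETS, kernel_mode=mode)
        print("kernel_mode=%s keeps %d/%d gadgets" % (mode, len(kept), len(SAMPLE_GADGETS)))
        for g in SAMPLE_GADGETS:
            reason = reject_reason(g, mode)
            if reason:
                print("  drop 0x%x: %s" % (g.addr, reason))
```

In user mode only the plain pop/ret gadget survives; with kernel_mode=True every gadget is kept, since a kernel chain may legitimately end in iretq or swapgs. Handling prefixed mnemonics and mov to CR/DR is what a purely mnemonic-set filter would miss.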