I am able to successfully run my target binary under Qiling, an emulator that supplements Unicorn with hooks for system libraries. I would like to do the same thing under angr. I don't need any symbolic execution, I don't need any Symbion: Just simply use angr as an emulator (which it's more than capable of). How can I tell angr to run everything concretely, but still continue to hook the libs and replace them with angr's sims?
Surprisingly, this turns out to not be simple. What I found so far:
- https://github.com/angr/angr/issues/200 - A discussion from 6 years ago about how to do this
- https://angr.io/blog/angr_symbion/ - Symbion, which does something similar, but in a much more complex way: It runs the concrete side externally, interfaces with it via gdb, and syncs periodically with angr