CFGNode. Due to context sensitivity, a given basic block can have multiple nodes in the graph (for multiple contexts).
cfg.kb.functions. The most common use case for this object is to access it like a dictionary. It maps addresses to
Functionobjects, which can tell you properties about a function.
entry_func.block_addrsis a set of addresses at which basic blocks belonging to the function begin.
entry_func.blocksis the set of basic blocks belonging to the function, that you can explore and disassemble using capstone.
entry_func.string_references()returns a list of all the constant strings that were referred to at any point in the function. They are formatted as
(addr, string)tuples, where addr is the address in the binary's data section the string lives, and string is a Python string that contains the value of the string.
entry_func.returningis a boolean value signifying whether or not the function can return.
Falseindicates that all paths do not return.
entry_func.callableis an angr Callable object referring to this function. You can call it like a Python function with Python arguments and get back an actual result (may be symbolic) as if you ran the function with those arguments!
entry_func.transition_graphis a NetworkX DiGraph describing control flow within the function itself. It resembles the control-flow graphs IDA displays on a per-function level.
entry_func.nameis the name of the function.
entry.has_unresolved_jumpshave to do with detecting imprecision within the CFG. Sometimes, the analysis cannot detect what the possible target of an indirect call or jump could be. If this occurs within a function, that function will have the appropriate
has_unresolved_*value set to
entry_func.get_call_sites()returns a list of all the addresses of basic blocks which end in calls out to other functions.
callsite_addrfrom the list of call site addresses, return where that callsite will call out to.
callsite_addrfrom the list of call site addresses, return where that callsite should return to.
blobloader backend, CFG will scan the binary for a set of function prologues defined for the binary's architecture. Finally, by default, the binary's entire code section will be scanned for executable contents, regardless of prologues or symbols.
keep_stateis True, the state is saved in the CFGNode.
main>beta>error>puts. While, in this case, angr can probably execute both call chains, this becomes unfeasible for larger binaries. Thus, angr executes the blocks with states limited by the context sensitivity level. That is, each function is re-analyzed for each unique context that it is called in.
puts()function above will be analyzed with the following contexts, given different context sensitivity levels:
alpha, when called from
error, and so forth. With context sensitivity of 0, the CFG simply shows that
error. This, specifically, is the context sensitivity level used in IDA. The downside of increasing the context sensitivity level is that it exponentially increases the analysis time.