angr.analyses.cfg.cfg_base

class angr.analyses.cfg.cfg_base.CFGBase

Bases: Analysis

The base class for control flow graphs.

tag: str = None
addr_type: Literal['int', 'block_id', 'soot'] = None
__init__(sort, context_sensitivity_level, normalize=False, binary=None, objects=None, regions=None, exclude_sparse_regions=True, skip_specific_regions=True, force_segment=False, base_state=None, resolve_indirect_jumps=True, indirect_jump_resolvers=None, indirect_jump_target_limit=100000, detect_tail_calls=False, low_priority=False, skip_unmapped_addrs=True, sp_tracking_track_memory=True, model=None)
Parameters:
  • sort (str) – 'fast' or 'emulated'.

  • context_sensitivity_level (int) – The level of context-sensitivity of this CFG (see documentation for further details). It ranges from 0 to infinity.

  • normalize (bool) – Whether the CFG as well as all Function graphs should be normalized.

  • binary (cle.backends.Backend) – The binary to recover CFG on. By default, the main binary is used.

  • objects – A list of objects to recover the CFG on. By default, it will recover the CFG of all loaded objects.

  • regions (iterable) – A list of tuples in the form of (start address, end address) describing memory regions that the CFG should cover.

  • force_segment (bool) – Force CFGFast to rely on binary segments instead of sections.

  • base_state (angr.SimState) – A state to use as a backer for all memory loads.

  • resolve_indirect_jumps (bool) – Whether to try to resolve indirect jumps. This is necessary to resolve jump targets from jump tables, etc.

  • indirect_jump_resolvers (list) – A custom list of indirect jump resolvers. If this list is None or empty, default indirect jump resolvers specific to this architecture and binary types will be loaded.

  • indirect_jump_target_limit (int) – Maximum indirect jump targets to be recovered.

  • skip_unmapped_addrs – Ignore all branches into unmapped regions. True by default. You may want to set it to False if you are analyzing manually patched binaries or malware samples.

  • detect_tail_calls (bool) – Aggressive tail-call optimization detection. This option is only respected in make_functions().

  • sp_tracking_track_memory (bool) – Whether to track memory writes while tracking the stack pointer. This increases the accuracy of stack pointer tracking, especially on architectures without a base pointer. Only used if detect_tail_calls is enabled.

  • model (None or CFGModel) – The CFGModel instance to write to. A new CFGModel instance will be created and registered with the knowledge base if model is None.

Returns:

None

indirect_jumps: dict[int, IndirectJump]
property model: CFGModel

Get the CFGModel instance.

Returns:

The CFGModel instance that this analysis currently uses.

property normalized
property context_sensitivity_level
property functions

A reference to the FunctionManager in the current knowledge base.

Returns:

FunctionManager with all functions

Return type:

angr.knowledge_plugins.FunctionManager

make_copy(copy_to)

Copy self attributes to the new object.

Parameters:

copy_to (CFGBase) – The target to copy to.

Returns:

None

copy()
output()
generate_index()

Generate an index of all nodes in the graph in order to speed up get_any_node() with anyaddr=True.

Returns:

None

get_loop_back_edges()
property graph: SpillingCFG
remove_edge(block_from, block_to)
is_thumb_addr(addr)
record_memory_data_addr(addr)

Record the address of a newly added memory data object.

Return type:

None

Parameters:

addr (int)

reset_memory_data_addrs()

Reset the set of addresses of newly added memory data objects.

Return type:

None

normalize()

Normalize the CFG, making sure that there are no overlapping basic blocks.

Note that this method will not alter transition graphs of each function in self.kb.functions. You may call normalize() on each Function object to normalize their transition graphs.

Returns:

None
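To make the "no overlapping basic blocks" invariant concrete, here is an added, self-contained model of the splitting step that normalize() performs (constructed illustration, not angr's own implementation): every block is cut at any boundary of another block that falls strictly inside it, and the pieces are re-linked with fall-through edges. The Block type and the sample addresses are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Block:
    """A basic block as the address range [addr, addr + size)."""
    addr: int
    size: int

    @property
    def end(self) -> int:
        return self.addr + self.size


def has_overlaps(blocks) -> bool:
    """True if any two blocks share an address (the condition normalization removes)."""
    ordered = sorted(set(blocks))
    return any(a.end > b.addr for a, b in zip(ordered, ordered[1:]))


def normalize_blocks(blocks):
    """Split every block at each start or end of another block lying strictly inside it.

    Returns (blocks, fallthrough_edges); the edges reconnect the pieces so that
    control flow through the original block is preserved.
    """
    boundaries = sorted({b.addr for b in blocks} | {b.end for b in blocks})
    pieces, edges = set(), set()
    for b in blocks:
        cur = b.addr
        for cut in (x for x in boundaries if b.addr < x < b.end):
            pieces.add(Block(cur, cut - cur))
            edges.add((cur, cut))   # fall-through from the piece to the next one
            cur = cut
        pieces.add(Block(cur, b.end - cur))
    return sorted(pieces), sorted(edges)


# Constructed input: a 48-byte block that two later-discovered jump targets land inside of.
SAMPLE = [Block(0x1000, 0x30), Block(0x1010, 0x20), Block(0x1020, 0x10)]

if __name__ == "__main__":
    blocks, edges = normalize_blocks(SAMPLE)
    for b in blocks:
        print(f"block {b.addr:#x}-{b.end:#x}")
    print("fall-through edges:", [(f"{a:#x}", f"{c:#x}") for a, c in edges])
```

Two blocks that start at the same address but have different sizes (as can happen with context-sensitive recovery) are also handled, because the shorter block's end is a cut point for the longer one.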

mark_function_alignments()

Find all potential function alignments and mark them.

Note that it is not always correct to simply remove them, because these functions may not be actual alignments but part of a real function that was incorrectly marked as an individual function due to failures in resolving indirect jumps. An example is in the test binary x86_64/dir_gcc_-O0 at 0x40541d (indirect jump at 0x4051b0). If the indirect jump cannot be correctly resolved, removing function 0x40541d will cause a missing-label failure in the reassembler.

Returns:

None

make_functions()

Revisit the entire control flow graph, create Function instances accordingly, and correctly put blocks into each function.

Although Function objects are created during CFG recovery, they are neither sound nor accurate. With a pre-constructed CFG, this method rebuilds all functions according to the following rules:

  • A block may only belong to one function.

  • Small functions lying between the start point and the end point of another function are merged into that function.

  • Tail call optimizations are detected.

  • PLT stubs are aligned by 16.

Returns:

None