angr.analyses.cfg.cfg_emulated¶
- class angr.analyses.cfg.cfg_emulated.CFGJob¶
Bases: CFGJobBase
The job class that CFGEmulated uses.
- __init__(*args, **kwargs)¶
- property block_id¶
- property is_syscall¶
- class angr.analyses.cfg.cfg_emulated.PendingJob¶
Bases: object
A PendingJob is whatever will be put into our pending_exit list. A pending exit is an entry created by the return of a call or syscall. It is "pending" because we cannot immediately tell whether this entry will be executed or not. If the corresponding call/syscall intentionally does not return, the pending exit is removed. If the corresponding call/syscall does return, the pending exit is removed as well, since a real entry is created from the return and analyzed later. If the corresponding call/syscall might return but our analysis does not reach the return properly for some reason (for example, an unsupported instruction is met during the analysis), then the pending exit is picked up and put into the remaining_jobs list.
- __init__(caller_func_addr, returning_source, state, src_block_id, src_exit_stmt_idx, src_exit_ins_addr, call_stack)¶
- Parameters:
returning_source – Address of the callee function. It may be None if the address of the callee is not resolvable.
state – The state after returning from the callee function. There is no way to get a precise state without emulating the execution of the callee, but we can at least adjust the stack and registers to imitate the real returned state.
call_stack – A callstack.
- class angr.analyses.cfg.cfg_emulated.CFGEmulated¶
Bases: ForwardAnalysis, CFGBase
This class represents a control-flow graph.
- __init__(context_sensitivity_level=1, start=None, avoid_runs=None, enable_function_hints=False, call_depth=None, call_tracing_filter=None, initial_state=None, starts=None, keep_state=False, indirect_jump_target_limit=100000, resolve_indirect_jumps=True, enable_advanced_backward_slicing=False, enable_symbolic_back_traversal=False, indirect_jump_resolvers=None, additional_edges=None, no_construct=False, normalize=False, max_iterations=1, address_whitelist=None, base_graph=None, iropt_level=None, max_steps=None, state_add_options=None, state_remove_options=None, model=None)¶
All parameters are optional.
- Parameters:
context_sensitivity_level – The level of context-sensitivity of this CFG (see documentation for further details). It ranges from 0 to infinity. Default 1.
avoid_runs – A list of runs to avoid.
enable_function_hints – Whether to use function hints (constants that might be used as exit targets) or not.
call_depth – How deep in the call stack to trace.
call_tracing_filter – Filter to apply on a given path and jumpkind to determine if it should be skipped when call_depth is reached.
initial_state – An initial state to use to begin analysis.
starts (iterable) – A collection of starting points to begin analysis. It can contain the following three different types of entries: an address specified as an integer, a 2-tuple that includes an integer address and a jumpkind, or a SimState instance. Unsupported entries in starts will lead to an AngrCFGError being raised.
keep_state – Whether to keep the SimStates for each CFGNode.
resolve_indirect_jumps – Whether to enable the indirect jump resolvers for resolving indirect jumps.
enable_advanced_backward_slicing – Whether to enable advanced backward slicing, an intensive technique for resolving indirect jumps.
enable_symbolic_back_traversal – Whether to enable symbolic back traversal, another intensive technique for resolving indirect jumps.
indirect_jump_resolvers (list) – A custom list of indirect jump resolvers. If this list is None or empty, default indirect jump resolvers specific to this architecture and binary types will be loaded.
additional_edges – A dict mapping addresses of basic blocks to addresses of successors to manually include and analyze forward from.
no_construct (bool) – Skip the construction procedure. Only used in unit-testing.
normalize (bool) – If the CFG as well as all Function graphs should be normalized or not.
max_iterations (int) – The maximum number of iterations that each basic block should be “executed”. 1 by default. Larger numbers of iterations are usually required for complex analyses like loop analysis.
address_whitelist (iterable) – A list of allowed addresses. Any basic blocks outside of this collection of addresses will be ignored.
base_graph (networkx.DiGraph) – A basic control flow graph to follow. Each node inside this graph must have the following properties: addr and size. CFG recovery will strictly follow nodes and edges shown in the graph, and discard any control flow that does not follow an existing edge in the base graph. For example, you can pass in a Function local transition graph as the base graph, and CFGEmulated will traverse nodes and edges and extract useful information.
iropt_level (int) – The optimization level of VEX IR (0, 1, 2). The default level will be used if iropt_level is None.
max_steps (int) – The maximum number of basic blocks to recover for the longest path from each start before pausing the recovery procedure.
state_add_options – State options that will be added to the initial state.
state_remove_options – State options that will be removed from the initial state.
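The options above are easiest to understand when driven end to end: validate the `starts` contract before loading anything, construct the CFG with a `max_steps` budget so recovery pauses, continue it with `resume()`, then `downsize()` once the kept states are no longer needed. The following is an added example, not angr's own code; the helper names `validate_starts`, `node_count`, `recover_in_steps` and `analyze` are this example's, and `analyze()` assumes angr is installed and a binary path is supplied on the command line (the helpers above it are plain Python).

```python
"""
Driving CFGEmulated with the constructor options documented above.

Added example, not angr's own code. Helper names (validate_starts,
node_count, recover_in_steps, analyze) are local to this example. analyze()
needs angr installed and a binary path; the helpers before it are pure Python.
"""
import sys


def validate_starts(starts):
    """Pre-check a `starts` collection against the documented contract.

    Accepted entries: an int address, a (int address, str jumpkind) 2-tuple,
    or a SimState (duck-typed here as an object exposing `addr` and `regs`).
    Anything else makes CFGEmulated raise AngrCFGError after the Project has
    already been loaded, so reject it before paying for that.
    """
    checked = []
    for entry in starts:
        if isinstance(entry, bool):  # bool is an int subclass; never an address
            raise TypeError("bool is not a valid start address: %r" % (entry,))
        if isinstance(entry, int):
            checked.append(entry)
        elif (isinstance(entry, tuple) and len(entry) == 2
              and isinstance(entry[0], int) and isinstance(entry[1], str)):
            if not entry[1].startswith("Ijk_"):
                raise ValueError("jumpkind must be a VEX jumpkind such as "
                                 "'Ijk_Boring', got %r" % (entry[1],))
            checked.append(entry)
        elif hasattr(entry, "addr") and hasattr(entry, "regs"):
            checked.append(entry)
        else:
            raise TypeError("unsupported start entry: %r" % (entry,))
    return checked


def node_count(cfg):
    """Number of CFGNodes currently in cfg.graph (any graph with nodes())."""
    return sum(1 for _ in cfg.graph.nodes())


def recover_in_steps(cfg, step_budget, max_rounds=50):
    """Drive a recovery that was started with max_steps=... to completion.

    Each cfg.resume(max_steps=step_budget) call continues from where the
    previous round paused. A round that adds no nodes is taken to mean the
    job queue is empty (a round that only revisits existing blocks would stop
    this early; raise step_budget if that matters). Returns rounds executed.
    """
    rounds = 0
    before = node_count(cfg)
    while rounds < max_rounds:
        cfg.resume(max_steps=step_budget)
        rounds += 1
        after = node_count(cfg)
        if after == before:
            break
        before = after
    return rounds


def analyze(binary_path, step_budget=200):
    import angr  # imported lazily so the helpers above import without angr

    proj = angr.Project(binary_path, auto_load_libs=False)
    entry = proj.entry
    cfg = proj.analyses.CFGEmulated(
        starts=validate_starts([entry]),
        context_sensitivity_level=1,  # one level of calling context per node
        keep_state=True,              # keep a SimState on each CFGNode for now
        call_depth=3,                 # do not follow calls deeper than this
        max_steps=step_budget,        # pause after this many blocks on the longest path
        normalize=True,               # no overlapping basic blocks in the result
    )
    rounds = recover_in_steps(cfg, step_budget)
    cfg.downsize()  # the kept states are no longer needed; free the memory
    func_graph = cfg.get_function_subgraph(entry, max_call_depth=1)
    return {
        "rounds": rounds,
        "nodes": node_count(cfg),
        "entry_function_nodes": node_count(func_graph),
        "unresolvable": len(cfg.unresolvables),
    }


if __name__ == "__main__":
    print(analyze(sys.argv[1]))
```

`recover_in_steps` is the pattern to use when a whole-binary recovery is too expensive to run in one go: each pause is a point at which the partial graph can be inspected or checkpointed, and `resume()` with `starts=None` picks up exactly where the previous round stopped.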
- copy()¶
Make a copy of the CFG.
- Return type: CFGEmulated
- Returns:
A copy of the CFG instance.
- resume(starts=None, max_steps=None)¶
Resume a paused or terminated control flow graph recovery.
- Parameters:
starts (iterable) – A collection of new starts to resume from. If starts is None, we will resume CFG recovery from where it was paused before.
max_steps (int) – The maximum number of blocks on the longest path starting from each start before pausing the recovery.
- Returns:
None
- remove_cycles()¶
Forces the graph to become acyclic: removes all loop back edges and the edges between overlapping loop headers and their successors.
- downsize()¶
Remove saved states from all CFGNodes to reduce memory usage.
- Returns:
None
- unroll_loops(max_loop_unrolling_times)¶
Unroll loops for each function. The resulting CFG may still contain loops due to recursion, function calls, etc.
- Parameters:
max_loop_unrolling_times (int) – The maximum iterations of unrolling.
- Returns:
None
- force_unroll_loops(max_loop_unrolling_times)¶
Unroll loops globally. The resulting CFG does not contain any loop, but this method is slow on large graphs.
- Parameters:
max_loop_unrolling_times (int) – The maximum iterations of unrolling.
- Returns:
None
- immediate_dominators(start, target_graph=None)¶
Compute the immediate dominator of every node in the subgraph reachable from the given start node.
- immediate_postdominators(end, target_graph=None)¶
Compute the immediate post-dominator of every node in the subgraph from which the given end node is reachable (dominators of the reversed graph, rooted at end).
- remove_fakerets()¶
Get rid of fake returns (i.e., Ijk_FakeRet edges) from this CFG.
- Returns:
None
- get_topological_order(cfg_node)¶
Get the topological order of a CFG Node.
- Parameters:
cfg_node – A CFGNode instance.
- Returns:
An integer representing its order, or None if the CFGNode does not exist in the graph.
- get_subgraph(starting_node, block_addresses)¶
Get a sub-graph from a collection of basic block addresses.
- Parameters:
starting_node (CFGNode) – The beginning of the subgraph
block_addresses (iterable) – A collection of block addresses. A block is included in the subgraph if there is a path between starting_node and a CFGNode with that address, and all nodes on such a path are included as well.
- Returns:
A new CFG that only contains the specified subgraph.
- Return type: CFGEmulated
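The graph operations above (remove_cycles, immediate_dominators, immediate_postdominators, get_subgraph) are all definitions on the dominator tree and on reachability, which is easy to lose sight of behind the API. The following is an added example in plain Python, not angr code: the CFG is a constructed dictionary, integers stand in for block addresses, and the functions `dominators`, `idom`, `ipdom`, `back_edges` and `path_closure` are this example's own. `idom`/`ipdom` model immediate_dominators(start)/immediate_postdominators(end), `back_edges` is the set of loop back edges remove_cycles deletes, and `path_closure` is the node selection get_subgraph is documented to make (nodes on some path from the start to a chosen address).

```python
"""
Dominators, post-dominators, loop back edges and path-closed subgraphs on a
small constructed CFG. Added example, not angr code; integers stand in for
block addresses and the graph below is made up for the example.
"""

# Constructed CFG: loop 2 -> 3 -> 4 -> 2 with loop exit 3 -> 5, then a
# diamond 5 -> {6, 7} -> 8. Values are successor lists.
CFG = {
    1: [2],
    2: [3],
    3: [4, 5],
    4: [2],
    5: [6, 7],
    6: [8],
    7: [8],
    8: [],
}


def reverse(graph):
    """Predecessor lists of `graph`, keeping nodes that have no predecessors."""
    rev = {n: [] for n in graph}
    for u, succs in graph.items():
        for v in succs:
            rev.setdefault(v, []).append(u)
    return rev


def reachable(graph, root):
    """Nodes reachable from `root` along the edges of `graph` (root included)."""
    seen, stack = set(), [root]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(graph.get(n, []))
    return seen


def dominators(graph, root):
    """Dominator set of every node reachable from root.

    Iterative data-flow solution of Dom(n) = {n} | intersection of Dom(p)
    over predecessors p, starting from the full node set and shrinking.
    """
    nodes = reachable(graph, root)
    preds = reverse(graph)
    dom = {n: set(nodes) for n in nodes}
    dom[root] = {root}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == root:
                continue
            ps = [p for p in preds.get(n, []) if p in nodes]
            new = {n} | set.intersection(*(dom[p] for p in ps))
            if new != dom[n]:
                dom[n], changed = new, True
    return dom


def idom(graph, root):
    """Immediate dominator of each reachable node; the root maps to None.

    The strict dominators of a node form a chain, so the immediate one is
    the strict dominator with the largest dominator set of its own.
    """
    dom = dominators(graph, root)
    result = {root: None}
    for n, ds in dom.items():
        if n != root:
            result[n] = max(ds - {n}, key=lambda d: len(dom[d]))
    return result


def ipdom(graph, exit_node):
    """Immediate post-dominators are dominators of the reversed graph rooted
    at the exit; this is why immediate_postdominators takes an end node."""
    return idom(reverse(graph), exit_node)


def back_edges(graph, root):
    """Edges u -> v where v dominates u: the loop back edges."""
    dom = dominators(graph, root)
    return {(u, v) for u in dom for v in graph.get(u, []) if v in dom[u]}


def path_closure(graph, start, addrs):
    """Sub-graph of the nodes lying on some path from start to a node in
    addrs: forward reachability from start intersected with backward
    reachability from the targets, with edges restricted to kept nodes."""
    forward = reachable(graph, start)
    rev = reverse(graph)
    backward = set()
    for a in addrs:
        backward |= reachable(rev, a)
    keep = forward & backward
    return {n: [s for s in graph[n] if s in keep] for n in keep}
```

On the constructed graph the only back edge is 4 -> 2, since 2 dominates 4; deleting it is what makes the graph acyclic, and the loop exit 3 -> 5 survives. Note that `path_closure(CFG, 1, {7})` keeps node 4 as well, because the loop body lies on a path from 1 to 7; the real get_subgraph applies the same "all nodes on the path" rule, so a subgraph request does not by itself strip loops.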
- get_function_subgraph(start, max_call_depth=None)¶
Get a sub-graph of a certain function.
- Parameters:
start – The address of the function start. Currently it must be an integer.
max_call_depth – Call depth limit. None indicates no limit.
- Returns:
A CFG instance which is a sub-graph of self.graph
- property context_sensitivity_level¶
- property graph: SpillingCFG¶
- property unresolvables¶
Get the SimRuns that have non-resolvable exits.
- Returns:
A set of SimRuns
- Return type: set