angr.analyses.complete_calling_conventions

class angr.analyses.complete_calling_conventions.CallingConventionAnalysisMode

Bases: Enum

The mode of calling convention analysis.

  • FAST: Using FactCollector to collect facts, then use facts for calling convention analysis.

  • FASTISH: Using FactCollector with additional introspection to identify behavior of function arguments.

  • VARIABLES: Using variables in VariableManager for calling convention analysis.

FAST = 'fast'
FASTISH = 'fastish'
VARIABLES = 'variables'

class angr.analyses.complete_calling_conventions.CompleteCallingConventionsAnalysis

Bases: Analysis

Implements full-binary calling convention analysis. During the initial analysis of a binary, you may set recover_variables to True so that it will perform variable recovery on each function before performing calling convention analysis.

__init__(mode=CallingConventionAnalysisMode.FASTISH, recover_variables=False, low_priority=False, force=False, cfg=None, analyze_callsites=False, skip_signature_matched_functions=False, max_function_blocks=None, max_function_size=None, workers=0, cc_callback=None, prioritize_func_addrs=None, skip_other_funcs=False, auto_start=True, func_graphs=None, target_functions=None)

Parameters:
  • recover_variables – Recover variables on each function before performing calling convention analysis.

  • low_priority – Run in the background - periodically release GIL.

  • force – Perform calling convention analysis on functions even if they have calling conventions or prototypes already specified (or previously recovered).

  • cfg (CFGFast | CFGModel | None) – The control flow graph model, which will be passed to CallingConventionAnalysis.

  • analyze_callsites (bool) – Consider artifacts at call sites when performing calling convention analysis.

  • skip_signature_matched_functions (bool) – Do not perform calling convention analysis on functions that match against existing FLIRT signatures.

  • max_function_blocks (int | None) – Do not perform calling convention analysis on functions with more than the specified number of blocks. Setting it to None disables this check.

  • max_function_size (int | None) – Do not perform calling convention analysis on functions whose sizes are more than max_function_size. Setting it to None disables this check.

  • workers (int) – Number of multiprocessing workers.

  • mode (CallingConventionAnalysisMode)

  • cc_callback (Callable | None)

  • prioritize_func_addrs (list[int] | set[int] | None)

  • skip_other_funcs (bool)

  • auto_start (bool)

  • func_graphs (dict[int, DiGraph] | None)

  • target_functions (set[int] | None)

prototype_libnames: set[str]

work()

prioritize_functions(func_addrs_to_prioritize)

Prioritize the analysis of specified functions.

Parameters:

func_addrs_to_prioritize (Iterable[int]) – A collection of function addresses to analyze first.

static function_needs_variable_recovery(func)

Check if running variable recovery on the function is the only way to determine the calling convention of this function.

We do not need to run variable recovery to determine the calling convention of a function if:

  • The function is a SimProcedure.

  • The function is a PLT stub.

  • The function is a library function and we already know its prototype.

Parameters:

func – The function object.

Returns:

True if we must run VariableRecovery before we can determine what the calling convention of this function is. False otherwise.

Return type:

bool
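
The following usage sketch is an added example, not code from the angr project. It runs CompleteCallingConventionsAnalysis with recover_variables, analyze_callsites, cfg and max_function_blocks over a small constructed x86-64 blob. The machine code bytes, the load address, the helper name recover_prototypes and the block limit of 500 are assumptions made for illustration.

```python
# Constructed x86-64 machine code (not taken from any real binary):
#   0x400000 main: mov edi, 2 ; mov esi, 3 ; call add ; ret
#   0x400010 add : lea eax, [rdi+rsi] ; ret
SAMPLE_CODE = bytes.fromhex(
    "bf02000000"  # mov edi, 2
    "be03000000"  # mov esi, 3
    "e801000000"  # call 0x400010
    "c3"          # ret
    "8d0437"      # lea eax, [rdi+rsi]
    "c3"          # ret
)
LOAD_ADDR = 0x400000  # assumed load address for the blob


def recover_prototypes(code=SAMPLE_CODE, load_addr=LOAD_ADDR, max_blocks=500):
    """Return {function address: (calling convention, prototype)} as strings."""
    import angr  # slow to import, so load it only when the analysis runs

    proj = angr.load_shellcode(code, arch="amd64", load_address=load_addr)
    cfg = proj.analyses.CFGFast(normalize=True)

    # Results are stored on each Function in the knowledge base.
    proj.analyses.CompleteCallingConventions(
        recover_variables=True,          # variable recovery before CC analysis
        analyze_callsites=True,          # also use artifacts at call sites
        cfg=cfg.model,                   # CFGModel passed to the per-function analysis
        max_function_blocks=max_blocks,  # skip very large functions
    )

    results = {}
    for func in proj.kb.functions.values():
        cc, proto = func.calling_convention, func.prototype
        results[func.addr] = (
            str(cc) if cc is not None else None,
            str(proto) if proto is not None else None,
        )
    return results


if __name__ == "__main__":
    for addr, (cc, proto) in sorted(recover_prototypes().items()):
        print(f"{addr:#x}: cc={cc} prototype={proto}")
```

Functions that were skipped (for example because they exceed max_function_blocks) or whose convention could not be determined appear with None in the result.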