angr.knowledge_plugins.cfg

class angr.knowledge_plugins.cfg.BlockID

Bases: object

A context-sensitive key for a SimRun object.

__init__(addr, callsite_tuples, jump_type)

Parameters:

• addr (int)

• callsite_tuples (tuple[int, ...] | None)

• jump_type (str)

callsite_repr()

static new(addr, callstack_suffix, jumpkind)

property func_addr

class angr.knowledge_plugins.cfg.CFGENode

Bases: CFGNode

The CFGNode that is used in CFGEmulated.

input_state

looping_times

depth

creation_failure_info

final_states

syscall

return_target

property callstack_key

property creation_failed

property syscall_name: str | None

downsize()

Drop saved states.

copy()

class angr.knowledge_plugins.cfg.CFGManager

Bases: KnowledgeBasePlugin

This is the CFG manager, it manages CFGs

__init__(kb)

new_model(prefix, addr_type='int')

Parameters:

addr_type (Literal['int', 'block_id', 'soot'])

copy()

get_most_accurate()

Return type:

CFGModel | None

Returns:

The most accurate CFG present in the CFGManager, or None if it does not hold any.

class angr.knowledge_plugins.cfg.CFGModel

Bases: Serializable

This class describes a Control Flow Graph for a specific range of code.

__init__(ident, cfg_manager=None, is_arm=False, cache_limit=None, db_batch_size=800, edge_cache_limit=None, edge_db_batch_size=800, addr_type='int')

Parameters:

• cache_limit (int | None)

• db_batch_size (int)

• edge_cache_limit (int | None)

• edge_db_batch_size (int)

• addr_type (Literal['int', 'block_id', 'soot'])

ident

is_arm

graph: SpillingCFG

jump_tables: dict[int, IndirectJump]

memory_data: SortedDict[int, MemoryData]

insn_addr_to_memory_data: dict[int, MemoryData]

normalized

edges_to_repair

property addr_type: Literal['int', 'block_id', 'soot']

property project

property node_addrs: SortedList[int]

nodes_by_addr(addr)

Return type:

Iterator[CFGNode]

Parameters:

addr (int)

has_node_addr(addr)

Return type:

bool

Parameters:

addr (int)

mark_node_addr_has_return(node_addr, has_return=True)

Return type:

None

Parameters:

• node_addr (int | SootAddressDescriptor)

• has_return (bool)

node_addr_has_return(node_addr)

Return type:

bool

Parameters:

node_addr (int | SootAddressDescriptor)

copy()

add_node(block_id, node)

Return type:

None

Parameters:

• block_id (int)

• node (CFGNode)

remove_node(block_id, node)

Remove the given CFGNode instance. Note that this method does not remove the node from the graph.

Parameters:

• block_id (int) – The Unique ID of the CFGNode.

• node (CFGNode) – The CFGNode instance to remove.

Return type:

None

Returns:

None

has_node_id(node_id)

Return type:

bool

get_node(block_id)

Get a single node from Block ID.

Parameters:

block_id (BlockID) – Block ID of the node.

Return type:

CFGNode | None

Returns:

The CFGNode, or None if the node does not exist.

get_any_node(addr, is_syscall=None, anyaddr=False, force_fastpath=False)

Get an arbitrary CFGNode (without considering their contexts) from our graph.

Parameters:

• addr (int) – Address of the beginning of the basic block. Set anyaddr to True to support arbitrary address.

• is_syscall (bool | None) – Whether you want to get the syscall node or any other node. This is due to the fact that syscall SimProcedures have the same address as the target it returns to. None means get either, True means get a syscall node, False means get something that isn’t a syscall node.

• anyaddr (bool) – If anyaddr is True, then addr doesn’t have to be the beginning address of a basic block. By default the entire graph.nodes() will be iterated, and the first node containing the specific address is returned, which can be slow.

• force_fastpath (bool) – If force_fastpath is True, it will only perform a dict lookup in the graph._keys_by_addr dict.

Return type:

CFGNode | None

Returns:

A CFGNode if there is any that satisfies given conditions, or None otherwise

get_all_nodes(addr, is_syscall=None, anyaddr=False)

Get all CFGNodes whose address is the specified one.

Parameters:

• addr (int) – Address of the node

• is_syscall (bool | None) – True returns the syscall node, False returns the normal CFGNode, None returns both

• anyaddr (bool)

Return type:

list[CFGNode]

Returns:

all CFGNodes

get_all_nodes_intersecting_region(addr, size=1)

Get all CFGNodes that intersect the given region.

Parameters:

• addr (int) – Minimum address of target region.

• size (int) – Size of region, in bytes.

Return type:

set[CFGNode]

floor_addr(addr)

Get the largest address that is less than or equal to the given address and has a CFGNode.

Parameters:

addr (int) – The address to floor.

Return type:

int | None

Returns:

The largest address that is less than or equal to the given address and has a CFGNode, or None if no such address exists.

ceil_addr(addr)

Get the smallest address that is greater than or equal to the given address and has a CFGNode.

Parameters:

addr (int) – The address to ceil.

Return type:

int | None

Returns:

The smallest address that is greater than or equal to the given address and has a CFGNode, or None if no such address exists.

nodes()

An iterator of all nodes in the graph.

Returns:

The iterator.

Return type:

iterator

get_predecessors(cfgnode, excluding_fakeret=True, jumpkind=None)

Get predecessors of a node in the control flow graph.

Parameters:

• cfgnode (CFGNode) – The node.

• excluding_fakeret (bool) – True if you want to exclude all predecessors that is connected to the node with a fakeret edge.

• jumpkind (str | None) – Only return predecessors with the specified jumpkind. This argument will be ignored if set to None.

Return type:

list[CFGNode]

Returns:

A list of predecessors

get_successors(node, excluding_fakeret=True, jumpkind=None)

Get successors of a node in the control flow graph.

Parameters:

• node (CFGNode) – The node.

• excluding_fakeret (bool) – True if you want to exclude all successors that is connected to the node with a fakeret edge.

• jumpkind (str | None) – Only return successors with the specified jumpkind. This argument will be ignored if set to None.

Returns:

A list of successors

Return type:

list[CFGNode]

get_successors_and_jumpkinds(node, excluding_fakeret=True)

Get a list of tuples where the first element is the successor of the CFG node and the second element is the jumpkind of the successor.

Parameters:

• node (CFGNode) – The node.

• excluding_fakeret (bool) – True if you want to exclude all successors that are fall-through successors.

Returns:

A list of successors and their corresponding jumpkinds.

Return type:

list[tuple[CFGNode, str]]

get_successors_and_jumpkind(node, excluding_fakeret=True)

Get a list of tuples where the first element is the successor of the CFG node and the second element is the jumpkind of the successor.

Parameters:

• node (CFGNode) – The node.

• excluding_fakeret (bool) – True if you want to exclude all successors that are fall-through successors.

Returns:

A list of successors and their corresponding jumpkinds.

Return type:

list[tuple[CFGNode, str]]

get_predecessors_and_jumpkinds(node, excluding_fakeret=True)

Get a list of tuples where the first element is the predecessor of the CFG node and the second element is the jumpkind of the predecessor.

Parameters:

• node (CFGNode) – The node.

• excluding_fakeret (bool) – True if you want to exclude all predecessors that are fall-through predecessors.

Return type:

list[tuple[CFGNode, str]]

Returns:

A list of predecessors and their corresponding jumpkinds.

get_predecessors_and_jumpkind(node, excluding_fakeret=True)

Get a list of tuples where the first element is the predecessor of the CFG node and the second element is the jumpkind of the predecessor.

Parameters:

• node (CFGNode) – The node.

• excluding_fakeret (bool) – True if you want to exclude all predecessors that are fall-through predecessors.

Return type:

list[tuple[CFGNode, str]]

Returns:

A list of predecessors and their corresponding jumpkinds.

get_all_predecessors(cfgnode, depth_limit=None)

Get all predecessors of a specific node on the control flow graph.

Parameters:

• cfgnode (CFGNode) – The CFGNode object

• depth_limit (int) – Optional depth limit for the depth-first search

Returns:

A list of predecessors in the CFG

Return type:

list

get_all_successors(cfgnode, depth_limit=None)

Get all successors of a specific node on the control flow graph.

Parameters:

• cfgnode (CFGNode) – The CFGNode object

• depth_limit (int) – Optional depth limit for the depth-first search

Returns:

A list of successors in the CFG

Return type:

list

get_branching_nodes()

Returns all nodes that has an out degree >= 2

get_exit_stmt_idx(src_block, dst_block)

Get the corresponding exit statement ID for control flow to reach destination block from source block. The exit statement ID was put on the edge when creating the CFG. Note that there must be a direct edge between the two blocks, otherwise an exception will be raised.

Returns:

The exit statement ID

add_memory_data(data_addr, data_type, data_size=None)

Add a MemoryData entry to self.memory_data.

Parameters:

• data_addr (int) – Address of the data

• data_type (MemoryDataSort | None) – Type of the memory data

• data_size (int | None) – Size of the memory data, or None if unknown for now.

Return type:

bool

Returns:

True if a new memory data entry is added, False otherwise.

tidy_data_references(memory_data_addrs=None, exec_mem_regions=None, xrefs=None, seg_list=None, data_type_guessing_handlers=None, fill_gaps=True, new_mem_data_addrs=None)

Go through all data references (or the ones as specified by memory_data_addrs) and determine their sizes and types if possible.

Parameters:

• memory_data_addrs (list[int] | None) – A list of addresses of memory data, or None if tidying all known memory data entries.

• exec_mem_regions (list[tuple[int, int]] | None) – A list of start and end addresses of executable memory regions.

• seg_list (SegmentList | None) – The segment list that CFGFast uses during CFG recovery.

• data_type_guessing_handlers (list[Callable] | None) – A list of Python functions that will guess data types. They will be called in sequence to determine data types for memory data whose type is unknown.

• fill_gaps (bool) – If True, when a memory data entry is found to have a gap between its end and the next data entry, a new memory data entry will be created to fill the gap. fill_gaps should only be set to True at the end of CFG recovery when traversing the entire memory_data dict for the last time.

• xrefs (XRefManager | None)

• new_mem_data_addrs (set[int] | None)

Return type:

bool

Returns:

True if new data entries are found, False otherwise.

remove_node_and_graph_node(node)

Like remove_node, but also removes node from the graph.

Parameters:

node (CFGNode) – The node to remove.

Return type:

None

get_intersecting_functions(addr, size=1, kb=None)

Find all functions with nodes intersecting [addr, addr + size).

Parameters:

• addr (int) – Minimum address of target region.

• size (int) – Size of region, in bytes.

• kb (KnowledgeBase | None) – Knowledge base to search for functions in.

Return type:

set[Function]

find_function_for_reflow_into_addr(addr, kb=None)

Look for a function that flows into a new node at addr.

Parameters:

• addr (int) – Address of new block.

• kb (KnowledgeBase | None) – Knowledge base to search for functions in.

Return type:

Function | None

clear_region_for_reflow(addr, size=1, kb=None)

Remove nodes in the graph intersecting region [addr, addr + size).

Any functions that intersect the range, and their associated nodes in the CFG, will also be removed from the knowledge base for analysis.

Parameters:

• addr (int) – Minimum address of target region.

• size (int) – Size of the region, in bytes.

• kb (KnowledgeBase | None) – Knowledge base to search for functions in.

Return type:

None

class angr.knowledge_plugins.cfg.CFGNode

Bases: Serializable

This class stands for each single node in CFG.

__init__(addr, size, cfg, simprocedure_name=None, no_ret=False, function_address=None, block_id=None, irsb=None, soot_block=None, instruction_addrs=None, thumb=False, byte_string=None, is_syscall=None, name=None)

Note: simprocedure_name is not used to recreate the SimProcedure object. It’s only there for better __repr__.

Parameters:

block_id (BlockID | int | None)

simprocedure_name

instruction_addrs

irsb

soot_block

property dirty

property function_address

property addr

property block_id

property byte_string: bytes | None

property is_syscall: bool

property thumb: bool

property size: int

property no_ret: bool

property name

property successors

property predecessors

successors_and_jumpkinds(excluding_fakeret=True)

predecessors_and_jumpkinds(excluding_fakeret=True)

get_data_references(kb=None)

Get the known data references for this CFGNode via the knowledge base.

Parameters:

kb – Which knowledge base to use; uses the global KB by default if none is provided

Returns:

Generator yielding xrefs to this CFGNode’s block.

Return type:

iter

property accessed_data_references

Property providing a view of all the known data references for this CFGNode via the global knowledge base

Returns:

Generator yielding xrefs to this CFGNode’s block.

Return type:

iter

property is_simprocedure

property callstack_key

copy()

merge(other)

Merges this node with the other, returning a new node that spans the both.

to_codenode()

property block: Block | SootBlock | None

class angr.knowledge_plugins.cfg.IndirectJump

Bases: Serializable

Describes an indirect jump or call site.

__init__(addr, ins_addr, func_addr, jumpkind, stmt_idx, resolved_targets=None, jumptable=False, jumptable_addr=None, jumptable_size=None, jumptable_entry_size=None, jumptable_entries=None, type_=255)

Parameters:

• addr (int)

• ins_addr (int)

• func_addr (int)

• jumpkind (str)

• stmt_idx (int)

• resolved_targets (list[int] | None)

• jumptable (bool)

• jumptable_addr (int | None)

• jumptable_size (int | None)

• jumptable_entry_size (int | None)

• jumptable_entries (list[int] | None)

• type_ (int | None)

addr

ins_addr

func_addr

jumpkind

stmt_idx

resolved_targets

jumptable

jumptables: list[JumptableInfo]

type

add_jumptable(addr, size, entry_size, entries, is_primary=False)

Return type:

None

Parameters:

• addr (int | None)

• size (int)

• entry_size (int)

• entries (list[int])

• is_primary (bool)

property jumptable_addr: int | None

property jumptable_size: int | None

property jumptable_entry_size: int | None

property jumptable_entries: list[int] | None

class angr.knowledge_plugins.cfg.IndirectJumpType

Bases: object

The type of an indirect jump or call.

Jumptable_AddressLoadedFromMemory = 0

Jumptable_AddressComputed = 1

Vtable = 3

Unknown = 255

class angr.knowledge_plugins.cfg.MemoryData

Bases: Serializable

MemoryData describes the syntactic content of a single address of memory.

reference_size reflects the size of content. It can be different from size, which is the actual size of the memory data item in memory. The intended way to get the actual content in memory is self.content[:self.size].

__init__(address, size, sort, pointer_addr=None, max_size=None, reference_size=None)

Parameters:

• address (int)

• size (int)

• sort (str | None)

• pointer_addr (int | None)

• max_size (int | None)

• reference_size (int | None)

addr: int

size: int

reference_size: int

sort: str | None

max_size: int | None

pointer_addr: int | None

content: bytes | None

property address

copy()

Make a copy of the MemoryData.

Returns:

A copy of the MemoryData instance.

Return type:

MemoryData

fill_content(loader)

Load data to fill self.content.

Parameters:

loader – The project loader.

Returns:

None

class angr.knowledge_plugins.cfg.MemoryDataSort

Bases: object

Unspecified = None

Unknown = 'unknown'

Integer = 'integer'

PointerArray = 'pointer-array'

String = 'string'

UnicodeString = 'unicode'

SegmentBoundary = 'segment-boundary'

CodeReference = 'code reference'

GOTPLTEntry = 'GOT PLT Entry'

ELFHeader = 'elf-header'

FloatingPoint = 'fp'

Alignment = 'alignment'

PEImportDirectory = 'pe-import-directory'

PEExportDirectory = 'pe-export-directory'

PEDelayImportDirectory = 'pe-delay-import-directory'

EHFuncInfo = 'eh-funcinfo'

EHUnwindMapEntry = 'eh-unwindmapentry'

EH4ScopeTable = 'eh4-scopetable'

EHTryBlockMap = 'eh-tryblockmap'

EHHandlerType = 'eh-handlertype'

Submodules

block_id
cfg_manager
cfg_model
cfg_node
indirect_jump
memory_data
spilling_cfg	Spilling CFG Graph implementation with LRU caching and LMDB persistence.
spilling_digraph	SpillingDiGraph - a networkx.DiGraph subclass with LMDB-backed edge spilling.
types