function module

binaryninja.function.AddressRange(start, end)

binaryninja.function.AdvancedFunctionAnalysisDataRequestor([func])

binaryninja.function.ArchAndAddr([arch, addr])

binaryninja.function.ConstantReference(val, …)

binaryninja.function.DisassemblySettings([…])

binaryninja.function.DisassemblyTextLine(tokens)

binaryninja.function.DisassemblyTextRenderer([…])

binaryninja.function.Function([view, handle])

binaryninja.function.ILReferenceSource(func, …)

binaryninja.function.IndirectBranchInfo(…)

binaryninja.function.InstructionBranch(…)

binaryninja.function.InstructionInfo()

binaryninja.function.InstructionTextToken(…)

class InstructionTextToken is used to tell the core about the various components in the disassembly views.

binaryninja.function.IntrinsicInfo(inputs, …)

binaryninja.function.IntrinsicInput(type_obj)

binaryninja.function.LookupTableEntry(…)

binaryninja.function.ParameterVariables(var_list)

binaryninja.function.PossibleValueSet([…])

class PossibleValueSet PossibleValueSet is used to define possible values that a variable can take.

binaryninja.function.RegisterInfo(…[, …])

binaryninja.function.RegisterStackInfo(…)

binaryninja.function.RegisterValue([arch, …])

binaryninja.function.StackVariableReference(…)

binaryninja.function.UserVariableValueInfo(…)

binaryninja.function.ValueRange(start, end, step)

binaryninja.function.Variable(func, …[, …])

Note

This object is a “passive” object. Any changes you make to it will not be reflected in the core and vice-versa. If you wish to update a core version of this object you should use the appropriate API.

binaryninja.function.VariableReferenceSource(…)

class AddressRange(start, end)[source]

Bases: object

property end
property length
property start
class AdvancedFunctionAnalysisDataRequestor(func=None)[source]

Bases: object

close()[source]
property function
class ArchAndAddr(arch=None, addr=0)[source]

Bases: object

property addr
property arch
class ConstantReference(val, size, ptr, intermediate)[source]

Bases: object

property intermediate
property pointer
property size
property value
class DisassemblySettings(handle=None)[source]

Bases: object

is_option_set(option)[source]
set_option(option, state=True)[source]
property max_symbol_width
property width
class DisassemblyTextLine(tokens, address=None, il_instr=None, color=None)[source]

Bases: object

property address
property highlight
property il_instruction
property tokens
class DisassemblyTextRenderer(func=None, settings=None, handle=None)[source]

Bases: object

add_integer_token(tokens, int_token, addr, arch=None)[source]
add_stack_var_reference_tokens(tokens, ref)[source]
add_symbol_token(tokens, addr, size, operand=None)[source]
get_disassembly_text(addr)[source]
get_instruction_annotations(addr)[source]
get_instruction_text(addr)[source]
classmethod is_integer_token(token)[source]
post_process_lines(addr, length, in_lines, indent_spaces='')[source]
reset_deduplicated_comments()[source]
wrap_comment(lines, cur_line, comment, has_auto_annotations, leading_spaces='  ', indent_spaces='')[source]
property arch
property basic_block
property function
property has_data_flow
property il
property il_function
property settings
class Function(view=None, handle=None)[source]

Bases: object

add_auto_address_tag(addr, tag, arch=None)[source]

add_auto_address_tag adds an already-created Tag object at a given address.

Parameters
  • addr (int) – Address at which to add the tag

  • tag (Tag) – Tag object to be added

  • arch (Architecture) – Architecture for the block in which the Tag is added (optional)

Return type

None

add_auto_function_tag(tag)[source]

add_user_function_tag adds an already-created Tag object as a function tag.

Parameters

tag (Tag) – Tag object to be added

Return type

None

add_user_address_tag(addr, tag, arch=None)[source]

add_user_address_tag adds an already-created Tag object at a given address. Since this adds a user tag, it will be added to the current undo buffer.

Parameters
  • addr (int) – Address at which to add the tag

  • tag (Tag) – Tag object to be added

  • arch (Architecture) – Architecture for the block in which the Tag is added (optional)

Return type

None

add_user_code_ref(from_addr, to_addr, from_arch=None)[source]

add_user_code_ref places a user-defined cross-reference from the instruction at the given address and architecture to the specified target address. If the specified source instruction is not contained within this function, no action is performed. To remove the reference, use remove_user_code_ref.

Parameters
  • from_addr (int) – virtual address of the source instruction

  • to_addr (int) – virtual address of the xref’s destination.

  • from_arch (Architecture) – (optional) architecture of the source instruction

Return type

None

Example
>>> current_function.add_user_code_ref(here, 0x400000)
add_user_function_tag(tag)[source]

add_user_function_tag adds an already-created Tag object as a function tag. Since this adds a user tag, it will be added to the current undo buffer.

Parameters

tag (Tag) – Tag object to be added

Return type

None

add_user_type_field_ref(from_addr, name, offset, from_arch=None, size=0)[source]

add_user_type_field_ref places a user-defined type field cross-reference from the instruction at the given address and architecture to the specified type. If the specified source instruction is not contained within this function, no action is performed. To remove the reference, use remove_user_type_field_ref.

Parameters
  • from_addr (int) – virtual address of the source instruction

  • name (QualifiedName) – name of the referenced type

  • offset (int) – offset of the field, relative to the type

  • from_arch (Architecture) – (optional) architecture of the source instruction

  • size (int) – (optional) the size of the access

Return type

None

Example
>>> current_function.add_user_type_field_ref(here, 'A', 0x8)
add_user_type_ref(from_addr, name, from_arch=None)[source]

add_user_type_ref places a user-defined type cross-reference from the instruction at the given address and architecture to the specified type. If the specified source instruction is not contained within this function, no action is performed. To remove the reference, use remove_user_type_ref.

Parameters
  • from_addr (int) – virtual address of the source instruction

  • name (QualifiedName) – name of the referenced type

  • from_arch (Architecture) – (optional) architecture of the source instruction

Return type

None

Example
>>> current_function.add_user_code_ref(here, 'A')
apply_auto_discovered_type(func_type)[source]
apply_imported_types(sym, type=None)[source]
clear_all_user_var_values()[source]

Clear all user defined variable values.

Return type

None

clear_user_var_value(var, def_addr)[source]

Clears a previously defined user variable value.

Parameters
  • var (Variable) – Variable for which the value was informed

  • def_addr (int) – Address of the definition site of the variable

Return type

None

create_auto_address_tag(addr, type, data, unique=False, arch=None)[source]

create_auto_address_tag creates and adds a Tag object at a given address.

Parameters
  • addr (int) – Address at which to add the tag

  • type (TagType) – Tag Type for the Tag that is created

  • data (str) – Additional data for the Tag

  • unique (bool) – If a tag already exists at this location with this data, don’t add another

  • arch (Architecture) – Architecture for the block in which the Tag is added (optional)

Returns

The created Tag

Return type

Tag

create_auto_function_tag(type, data, unique=False)[source]

add_user_function_tag creates and adds a Tag object as a function tag.

Parameters
  • type (TagType) – Tag Type for the Tag that is created

  • data (str) – Additional data for the Tag

  • unique (bool) – If a tag already exists with this data, don’t add another

Returns

The created Tag

Return type

Tag

create_auto_stack_var(offset, var_type, name)[source]
create_auto_tag(type, data)[source]
create_auto_var(var, var_type, name, ignore_disjoint_uses=False)[source]
create_graph(graph_type=<FunctionGraphType.NormalFunctionGraph: 0>, settings=None)[source]
create_tag(type, data, user=True)[source]

create_tag creates a new Tag object but does not add it anywhere. Use create_user_address_tag or create_user_function_tag to create and add in one step.

Parameters
  • type (TagType) – The Tag Type for this Tag

  • data (str) – Additional data for the Tag

Returns

The created Tag

Return type

Tag

Example
>>> tt = bv.tag_types["Crashes"]
>>> tag = current_function.create_tag(tt, "Null pointer dereference", True)
>>> current_function.add_user_address_tag(here, tag)
>>>
create_user_address_tag(addr, type, data, unique=False, arch=None)[source]

create_user_address_tag creates and adds a Tag object at a given address. Since this adds a user tag, it will be added to the current undo buffer. To create tags associated with an address that is not inside of a function, use create_user_data_tag.

Parameters
  • addr (int) – Address at which to add the tag

  • type (TagType) – Tag Type for the Tag that is created

  • data (str) – Additional data for the Tag

  • unique (bool) – If a tag already exists at this location with this data, don’t add another

  • arch (Architecture) – Architecture for the block in which the Tag is added (optional)

Returns

The created Tag

Return type

Tag

create_user_function_tag(type, data, unique=False)[source]

add_user_function_tag creates and adds a Tag object as a function tag. Since this adds a user tag, it will be added to the current undo buffer.

Parameters
  • type (TagType) – Tag Type for the Tag that is created

  • data (str) – Additional data for the Tag

  • unique (bool) – If a tag already exists with this data, don’t add another

Returns

The created Tag

Return type

Tag

create_user_stack_var(offset, var_type, name)[source]
create_user_tag(type, data)[source]
create_user_var(var, var_type, name, ignore_disjoint_uses=False)[source]
delete_auto_stack_var(offset)[source]
delete_auto_var(var)[source]
delete_user_stack_var(offset)[source]
delete_user_var(var)[source]
get_address_tags_at(addr, arch=None)[source]

get_address_tags_at gets a list of all Tags in the function at a given address.

Parameters
  • addr (int) – Address to get tags at

  • arch (Architecture) – Architecture for the block in which the Tag is added (optional)

Returns

A list of Tags

Return type

list(Tag)

get_all_user_var_values()[source]

Returns a map of current defined user variable values.

Returns

Map of user current defined user variable values and their definition sites.

Type

dict of (Variable, dict of (ArchAndAddr, PossibleValueSet))

get_basic_block_at(addr, arch=None)[source]

get_basic_block_at returns the BasicBlock of the optionally specified Architecture arch at the given address addr.

Parameters
  • addr (int) – Address of the BasicBlock to retrieve.

  • arch (Architecture) – (optional) Architecture of the basic block if different from the Function’s self.arch

Example
>>> current_function.get_basic_block_at(current_function.start)
<block: [email protected]>
get_block_annotations(addr, arch=None)[source]
get_call_reg_stack_adjustment(addr, arch=None)[source]
get_call_reg_stack_adjustment_for_reg_stack(addr, reg_stack, arch=None)[source]
get_call_stack_adjustment(addr, arch=None)[source]
get_call_type_adjustment(addr, arch=None)[source]
get_comment_at(addr)[source]
get_constants_referenced_by(addr, arch=None)[source]
get_flags_read_by_lifted_il_instruction(i)[source]
get_flags_written_by_lifted_il_instruction(i)[source]
get_hlil_var_refs(var)[source]

get_hlil_var_refs returns a list of ILReferenceSource objects (IL xrefs or cross-references) that reference the given variable. The variable is a local variable that can be either on the stack, in a register, or in a flag.

Parameters

var (Variable) – Variable for which to query the xref

Returns

List of IL References for the given variable

Return type

list(ILReferenceSource)

Example
>>> var = current_hlil[0].operands[0]
>>> current_function.get_hlil_var_refs(var)
get_hlil_var_refs_from(addr, length=None, arch=None)[source]

get_hlil_var_refs_from returns a list of variables referenced by code in the function func, of the architecture arch, and at the address addr. If no function is specified, references from all functions and containing the address will be returned. If no architecture is specified, the architecture of the function will be used.

Parameters
  • addr (int) – virtual address to query for variable references

  • length (int) – optional length of query

  • arch (Architecture) – optional architecture of query

Returns

list of variables reference sources

Return type

list(VariableReferenceSource)

get_indirect_branches_at(addr, arch=None)[source]
get_instr_highlight(addr, arch=None)[source]
Example
>>> current_function.set_user_instr_highlight(here, highlight.HighlightColor(red=0xff, blue=0xff, green=0))
>>> current_function.get_instr_highlight(here)
<color: #ff00ff>
get_instruction_containing_address(addr, arch=None)[source]
get_int_display_type(instr_addr, value, operand, arch=None)[source]
get_lifted_il_at(addr, arch=None)[source]
get_lifted_il_flag_definitions_for_use(i, flag)[source]
get_lifted_il_flag_uses_for_definition(i, flag)[source]
get_lifted_ils_at(addr, arch=None)[source]

get_lifted_ils_at gets the Lifted IL Instruction(s) corresponding to the given virtual address

Parameters
  • addr (int) – virtual address of the function to be queried

  • arch (Architecture) – (optional) Architecture for the given function

Return type

list(LowLevelILInstruction)

Example
>>> func = bv.functions[0]
>>> func.get_lifted_ils_at(func.start)
[<il: push(rbp)>]
get_llil_at(addr, arch=None)[source]

get_llil_at gets the LowLevelILInstruction corresponding to the given virtual address

Parameters
  • addr (int) – virtual address of the function to be queried

  • arch (Architecture) – (optional) Architecture for the given function

Return type

LowLevelILInstruction

Example
>>> func = bv.functions[0]
>>> func.get_llil_at(func.start)
<il: push(rbp)>
get_llils_at(addr, arch=None)[source]

get_llils_at gets the LowLevelILInstruction(s) corresponding to the given virtual address

Parameters
  • addr (int) – virtual address of the function to be queried

  • arch (Architecture) – (optional) Architecture for the given function

Return type

list(LowLevelILInstruction)

Example
>>> func = bv.functions[0]
>>> func.get_llils_at(func.start)
[<il: push(rbp)>]
get_low_level_il_at(addr, arch=None)[source]

get_low_level_il_at gets the LowLevelILInstruction corresponding to the given virtual address

Parameters
  • addr (int) – virtual address of the function to be queried

  • arch (Architecture) – (optional) Architecture for the given function

Return type

LowLevelILInstruction

Example
>>> func = bv.functions[0]
>>> func.get_low_level_il_at(func.start)
<il: push(rbp)>
get_low_level_il_exits_at(addr, arch=None)[source]
get_mlil_var_refs(var)[source]

get_mlil_var_refs returns a list of ILReferenceSource objects (IL xrefs or cross-references) that reference the given variable. The variable is a local variable that can be either on the stack, in a register, or in a flag. This function is related to get_hlil_var_refs(), which returns variable references collected from HLIL. The two can be different in several cases, e.g., multiple variables in MLIL can be merged into a single variable in HLIL.

Parameters

var (Variable) – Variable for which to query the xref

Returns

List of IL References for the given variable

Return type

list(ILReferenceSource)

Example
>>> var = current_mlil[0].operands[0]
>>> current_function.get_mlil_var_refs(var)
get_mlil_var_refs_from(addr, length=None, arch=None)[source]

get_mlil_var_refs_from returns a list of variables referenced by code in the function func, of the architecture arch, and at the address addr. If no function is specified, references from all functions and containing the address will be returned. If no architecture is specified, the architecture of the function will be used. This function is related to get_hlil_var_refs_from(), which returns variable references collected from HLIL. The two can be different in several cases, e.g., multiple variables in MLIL can be merged into a single variable in HLIL.

Parameters
  • addr (int) – virtual address to query for variable references

  • length (int) – optional length of query

  • arch (Architecture) – optional architecture of query

Returns

list of variable reference sources

Return type

list(VariableReferenceSource)

get_parameter_at(addr, func_type, i, arch=None)[source]
get_parameter_at_low_level_il_instruction(instr, func_type, i)[source]
get_reg_value_after(addr, reg, arch=None)[source]

get_reg_value_after gets the value instruction address corresponding to the given virtual address

Parameters
  • addr (int) – virtual address of the instruction to query

  • reg (str) – string value of native register to query

  • arch (Architecture) – (optional) Architecture for the given function

Return type

binaryninja.function.RegisterValue

Example
>>> func.get_reg_value_after(0x400dbe, 'rdi')
<undetermined>
get_reg_value_at(addr, reg, arch=None)[source]

get_reg_value_at gets the value the provided string register address corresponding to the given virtual address

Parameters
  • addr (int) – virtual address of the instruction to query

  • reg (str) – string value of native register to query

  • arch (Architecture) – (optional) Architecture for the given function

Return type

binaryninja.function.RegisterValue

Example
>>> func.get_reg_value_at(0x400dbe, 'rdi')
<const 0x2>
get_reg_value_at_exit(reg)[source]
get_regs_read_by(addr, arch=None)[source]
get_regs_written_by(addr, arch=None)[source]
get_stack_contents_after(addr, offset, size, arch=None)[source]
get_stack_contents_at(addr, offset, size, arch=None)[source]

get_stack_contents_at returns the RegisterValue for the item on the stack in the current function at the given virtual address addr, stack offset offset and size of size. Optionally specifying the architecture.

Parameters
  • addr (int) – virtual address of the instruction to query

  • offset (int) – stack offset base of stack

  • size (int) – size of memory to query

  • arch (Architecture) – (optional) Architecture for the given function

Return type

binaryninja.function.RegisterValue

Note

Stack base is zero on entry into the function unless the architecture places the return address on the stack as in (x86/x86_64) where the stack base will start at address_size

Example
>>> func.get_stack_contents_at(0x400fad, -16, 4)
<range: 0x8 to 0xffffffff>
get_stack_var_at_frame_offset(offset, addr, arch=None)[source]
get_stack_vars_referenced_by(addr, arch=None)[source]
get_type_tokens(settings=None)[source]
is_call_instruction(addr, arch=None)[source]
is_var_user_defined(var)[source]
mark_recent_use()[source]
reanalyze()[source]

reanalyze causes this functions to be reanalyzed. This function does not wait for the analysis to finish.

Return type

None

release_advanced_analysis_data()[source]
remove_auto_address_tag(addr, tag, arch=None)[source]

remove_auto_address_tag removes a Tag object at a given address.

Parameters
  • addr (int) – Address at which to add the tag

  • tag (Tag) – Tag object to be added

  • arch (Architecture) – Architecture for the block in which the Tag is added (optional)

Return type

None

remove_auto_function_tag(tag)[source]

remove_user_function_tag removes a Tag object as a function tag.

Parameters

tag (Tag) – Tag object to be added

Return type

None

remove_user_address_tag(addr, tag, arch=None)[source]

remove_user_address_tag removes a Tag object at a given address. Since this removes a user tag, it will be added to the current undo buffer.

Parameters
  • addr (int) – Address at which to add the tag

  • tag (Tag) – Tag object to be added

  • arch (Architecture) – Architecture for the block in which the Tag is added (optional)

Return type

None

remove_user_code_ref(from_addr, to_addr, from_arch=None)[source]

remove_user_code_ref removes a user-defined cross-reference. If the given address is not contained within this function, or if there is no such user-defined cross-reference, no action is performed.

Parameters
  • from_addr (int) – virtual address of the source instruction

  • to_addr (int) – virtual address of the xref’s destination.

  • from_arch (Architecture) – (optional) architecture of the source instruction

Return type

None

Example
>>> current_function.remove_user_code_ref(here, 0x400000)
remove_user_function_tag(tag)[source]

remove_user_function_tag removes a Tag object as a function tag. Since this removes a user tag, it will be added to the current undo buffer.

Parameters

tag (Tag) – Tag object to be added

Return type

None

remove_user_type_field_ref(from_addr, name, offset, from_arch=None, size=0)[source]

remove_user_type_field_ref removes a user-defined type field cross-reference. If the given address is not contained within this function, or if there is no such user-defined cross-reference, no action is performed.

Parameters
  • from_addr (int) – virtual address of the source instruction

  • name (QualifiedName) – name of the referenced type

  • offset (int) – offset of the field, relative to the type

  • from_arch (Architecture) – (optional) architecture of the source instruction

  • size (int) – (optional) the size of the access

Return type

None

Example
>>> current_function.remove_user_type_field_ref(here, 'A', 0x8)
remove_user_type_ref(from_addr, name, from_arch=None)[source]

remove_user_type_ref removes a user-defined type cross-reference. If the given address is not contained within this function, or if there is no such user-defined cross-reference, no action is performed.

Parameters
  • from_addr (int) – virtual address of the source instruction

  • name (QualifiedName) – name of the referenced type

  • from_arch (Architecture) – (optional) architecture of the source instruction

Return type

None

Example
>>> current_function.remove_user_type_ref(here, 'A')
request_advanced_analysis_data()[source]
request_debug_report(name)[source]

request_debug_report can generate interanl debug reports for a variety of analysis. Current list of possible values include:

  • mlil_translator

  • stack_adjust_graph

  • high_level_il

Parameters

name (str) – Name of the debug report

Return type

None

set_auto_call_reg_stack_adjustment(addr, adjust, arch=None)[source]
set_auto_call_reg_stack_adjustment_for_reg_stack(addr, reg_stack, adjust, arch=None)[source]
set_auto_call_stack_adjustment(addr, adjust, arch=None)[source]
set_auto_calling_convention(value)[source]
set_auto_can_return(value)[source]
set_auto_clobbered_regs(value)[source]
set_auto_has_variable_arguments(value)[source]
set_auto_indirect_branches(source, branches, source_arch=None)[source]
set_auto_instr_highlight(addr, color, arch=None)[source]

set_auto_instr_highlight highlights the instruction at the specified address with the supplied color

Warning

Use only in analysis plugins. Do not use in regular plugins, as colors won’t be saved to the database.

Parameters
  • addr (int) – virtual address of the instruction to be highlighted

  • color (HighlightStandardColor|highlight.HighlightColor) – Color value to use for highlighting

  • arch (Architecture) – (optional) Architecture of the instruction if different from self.arch

set_auto_parameter_vars(value)[source]
set_auto_reg_stack_adjustments(value)[source]
set_auto_return_regs(value)[source]
set_auto_return_type(value)[source]
set_auto_stack_adjustment(value)[source]
set_auto_type(value)[source]
set_call_reg_stack_adjustment(addr, adjust, arch=None)[source]
set_call_reg_stack_adjustment_for_reg_stack(addr, reg_stack, adjust, arch=None)[source]
set_call_stack_adjustment(addr, adjust, arch=None)[source]
set_call_type_adjustment(addr, adjust_type, arch=None)[source]
set_comment(addr, comment)[source]

Deprecated method provided for compatibility. Use set_comment_at instead.

set_comment_at(addr, comment)[source]

set_comment_at sets a comment for the current function at the address specified

Parameters
  • addr (int) – virtual address within the current function to apply the comment to

  • comment (str) – string comment to apply

Return type

None

Example
>>> current_function.set_comment_at(here, "hi")
classmethod set_default_session_data(name, value)[source]
set_int_display_type(instr_addr, value, operand, display_type, arch=None)[source]
Parameters
set_user_indirect_branches(source, branches, source_arch=None)[source]
set_user_instr_highlight(addr, color, arch=None)[source]

set_user_instr_highlight highlights the instruction at the specified address with the supplied color

Parameters
  • addr (int) – virtual address of the instruction to be highlighted

  • color (HighlightStandardColor|highlight.HighlightColor) – Color value to use for highlighting

  • arch (Architecture) – (optional) Architecture of the instruction if different from self.arch

Example
>>> current_function.set_user_instr_highlight(here, HighlightStandardColor.BlueHighlightColor)
>>> current_function.set_user_instr_highlight(here, highlight.HighlightColor(red=0xff, blue=0xff, green=0))
set_user_type(value)[source]
set_user_var_value(var, def_addr, value)[source]

set_user_var_value allows the user to specify a PossibleValueSet value for an MLIL variable at its definition site.

Warning

Setting the variable value, triggers a reanalysis of the function and allows the dataflow to compute and propagate values which depend on the current variable. This implies that branch conditions whose values can be determined statically will be computed, leading to potential branch elimination at the HLIL layer.

Parameters
  • var (Variable) – Variable for which the value is to be set

  • def_addr (int) – Address of the definition site of the variable

  • value (PossibleValueSet) – Informed value of the variable

Return type

None

Example
>>> var = current_mlil[0].operands[0]
>>> def_site = 0x40108d
>>> value = PossibleValueSet.constant(5)
>>> current_function.set_user_var_value(var, def_site, value)
property address_ranges

All of the address ranges covered by a function

property address_tags

address_tags gets a list of all address Tags in the function. Tags are returned as a list of (arch, address, Tag) tuples.

Return type

list((Architecture, int, Tag))

property analysis_performance_info
property analysis_skip_override

Override for skipping of automatic analysis

property analysis_skip_reason

Function analysis skip reason

property analysis_skipped

Whether automatic analysis was skipped for this function, set to true to disable analysis.

property arch

Function architecture (read-only)

property auto

Whether function was automatically discovered (read-only)

property basic_blocks

List of basic blocks (read-only)

property call_sites

call_sites returns a list of possible call sites contained in this function. This includes ordinary calls, tail calls, and indirect jumps. Not all of the returned call sites are necessarily true call sites; some may simply be unresolved indirect jumps, for example.

Returns

List of References that represent the sources of possible calls in this function

Return type

list(ReferenceSource)

property callee_addresses

callee_addressses returns a list of start addresses for functions that call this function. Does not point to the actual address where the call occurs, just the start of the function that contains the reference.

Returns

List of start addresess for Functions that call this function

Return type

list(int)

property callees

callees returns a list of functions that this function calls This does not include the address of those calls, rather just the function objects themselves. Use call_sites to identify the location of these calls.

Returns

List of Functions that this function calls

Return type

list(Function)

property callers

callers returns a list of functions that call this function Does not point to the actual address where the call occurs, just the start of the function that contains the call.

Returns

List of start addresess for Functions that call this function

Return type

list(int)

property calling_convention

Calling convention used by the function

property can_return

Whether function can return

property clobbered_regs

Registers that are modified by this function

property comment

Gets the comment for the current function

property comments

Dict of comments (read-only)

property explicitly_defined_type

Whether function has explicitly defined types (read-only)

property function_tags

function_tags gets a list of all function Tags for the function.

Return type

list(Tag)

property function_type

Function type object, can be set with either a string representing the function prototype (str(function) shows examples) or a Type object

property global_pointer_value

Discovered value of the global pointer register, if the function uses one (read-only)

property has_unresolved_indirect_branches

Has unresolved indirect branches (read-only)

property has_variable_arguments

Whether the function takes a variable number of arguments

property high_level_il

Deprecated property provided for compatibility. Use hlil instead.

property highest_address

The highest virtual address contained in a function.

property hlil

Function high level IL (read-only)

property hlil_if_available

Function high level IL, or None if not loaded (read-only)

property indirect_branches

List of indirect branches (read-only)

property instructions

A generator of instruction tokens and their start addresses for the current function

property lifted_il

returns LowLevelILFunction used to represent lifted IL (read-only)

property lifted_il_if_available

returns LowLevelILFunction used to represent lifted IL, or None if not loaded (read-only)

property llil

returns LowLevelILFunction used to represent Function low level IL (read-only)

property llil_basic_blocks

A generator of all LowLevelILBasicBlock objects in the current function

property llil_if_available

returns LowLevelILFunction used to represent Function low level IL, or None if not loaded (read-only)

property llil_instructions

Deprecated method provided for compatibility. Use llil.instructions instead. Was: A generator of llil instructions of the current function

property low_level_il

Deprecated property provided for compatibility. Use llil instead.

property lowest_address

The lowest virtual address contained in a function.

property medium_level_il

Deprecated property provided for compatibility. Use mlil instead.

property mlil

Function medium level IL (read-only)

property mlil_basic_blocks

A generator of all MediumLevelILBasicBlock objects in the current function

property mlil_if_available

Function medium level IL, or None if not loaded (read-only)

property mlil_instructions

Deprecated method provided for compatibility. Use mlil.instructions instead. Was: A generator of mlil instructions of the current function

property name

Symbol name for the function

property needs_update

Whether the function has analysis that needs to be updated (read-only)

property parameter_vars

List of variables for the incoming function parameters

property platform

Function platform (read-only)

property reg_stack_adjustments

Number of entries removed from each register stack after return

property return_regs

Registers that are used for the return value

property return_type

Return type of the function

property session_data

Dictionary object where plugins can store arbitrary data associated with the function

property stack_adjustment

Number of bytes removed from the stack after return

property stack_layout

List of function stack variables (read-only)

property start

Function start address (read-only)

property symbol

Function symbol(read-only)

property too_large

Whether the function is too large to automatically perform analysis (read-only)

property total_bytes

Total bytes of a function calculated by summing each basic_block. Because basic blocks can overlap and have gaps between them this may or may not be equivalent to a .size property.

property type_tokens

Text tokens for this function’s prototype

property unresolved_indirect_branches

List of unresolved indirect branches (read-only)

property unresolved_stack_adjustment_graph

Flow graph of unresolved stack adjustments (read-only)

property vars

List of function variables (read-only)

property view

Function view (read-only)

class ILReferenceSource(func, arch, addr, il_type, expr_id)[source]

Bases: object

get_il_name(il_type)[source]
property address
property arch
property expr_id
property function
property il_type
class IndirectBranchInfo(source_arch, source_addr, dest_arch, dest_addr, auto_defined)[source]

Bases: object

class InstructionBranch(branch_type, target=0, arch=None)[source]

Bases: object

property arch
property target
property type
class InstructionInfo[source]

Bases: object

add_branch(branch_type, target=0, arch=None)[source]
property arch_transition_by_target_addr
property branch_delay
property branches
property length
class InstructionTextToken(token_type, text, value=0, size=0, operand=4294967295, context=<InstructionTextTokenContext.NoTokenContext: 0>, address=0, confidence=255, typeNames=[], width=0)[source]

Bases: object

class InstructionTextToken is used to tell the core about the various components in the disassembly views.

The below table is provided for documentation purposes but the complete list of TokenTypes is available at: enums.InstructionTextTokenType. Note that types marked as Not emitted by architectures are not intended to be used by Architectures during lifting. Rather, they are added by the core during analysis or display. UI plugins, however, may make use of them as appropriate.

Uses of tokens include plugins that parse the output of an architecture (though parsing IL is recommended), or additionally, applying color schemes appropriately.

InstructionTextTokenType

Description

AddressDisplayToken

Not emitted by architectures

AnnotationToken

Not emitted by architectures

ArgumentNameToken

Not emitted by architectures

BeginMemoryOperandToken

The start of memory operand

CharacterConstantToken

A printable character

CodeRelativeAddressToken

Not emitted by architectures

CodeSymbolToken

Not emitted by architectures

DataSymbolToken

Not emitted by architectures

EndMemoryOperandToken

The end of a memory operand

ExternalSymbolToken

Not emitted by architectures

FieldNameToken

Not emitted by architectures

FloatingPointToken

Floating point number

HexDumpByteValueToken

Not emitted by architectures

HexDumpInvalidByteToken

Not emitted by architectures

HexDumpSkippedByteToken

Not emitted by architectures

HexDumpTextToken

Not emitted by architectures

ImportToken

Not emitted by architectures

IndirectImportToken

Not emitted by architectures

InstructionToken

The instruction mnemonic

IntegerToken

Integers

KeywordToken

Not emitted by architectures

LocalVariableToken

Not emitted by architectures

NameSpaceSeparatorToken

Not emitted by architectures

NameSpaceToken

Not emitted by architectures

OpcodeToken

Not emitted by architectures

OperandSeparatorToken

The comma or delimiter that separates tokens

PossibleAddressToken

Integers that are likely addresses

RegisterToken

Registers

StringToken

Not emitted by architectures

StructOffsetToken

Not emitted by architectures

TagToken

Not emitted by architectures

TextToken

Used for anything not of another type.

CommentToken

Comments

TypeNameToken

Not emitted by architectures

classmethod get_instruction_lines(tokens, count=0)[source]

Helper method for converting between core.BNInstructionTextToken and InstructionTextToken lists

property address
property confidence
property context
property operand
property size
property text
property type
property typeNames
property value
property width
class IntrinsicInfo(inputs, outputs, index=None)[source]

Bases: object

property index
property inputs
property outputs
class IntrinsicInput(type_obj, name='')[source]

Bases: object

property name
property type
class LookupTableEntry(from_values, to_value)[source]

Bases: object

property from_values
property to_value
class ParameterVariables(var_list, confidence=255, func=None)[source]

Bases: object

with_confidence(confidence)[source]
property confidence
property vars
class PossibleValueSet(arch=None, value=None)[source]

Bases: object

class PossibleValueSet PossibleValueSet is used to define possible values that a variable can take. It contains methods to instantiate different value sets such as Constant, Signed/Unsigned Ranges, etc.

classmethod constant(value)[source]

Create a constant valued PossibleValueSet object.

Parameters

value (int) – Integer value of the constant

Return type

PossibleValueSet

classmethod constant_ptr(value)[source]

Create constant pointer valued PossibleValueSet object.

Parameters

value (int) – Integer value of the constant pointer

Return type

PossibleValueSet

classmethod in_set_of_values(values)[source]

Create a PossibleValueSet object for a value in a set of values.

Parameters

values (list(int)) – List of integer values

Return type

PossibleValueSet

classmethod lookup_table_value(lookup_table, mapping)[source]

Create a PossibleValueSet object for a value which is a member of a lookuptable.

Parameters
  • lookup_table (list(LookupTableEntry)) – List of table entries

  • of (int, int) mapping (dict) – Mapping used for resolution

Return type

PossibleValueSet

classmethod not_in_set_of_values(values)[source]

Create a PossibleValueSet object for a value NOT in a set of values.

Parameters

values (list(int)) – List of integer values

Return type

PossibleValueSet

classmethod signed_range_value(ranges)[source]

Create a PossibleValueSet object for a signed range of values.

Parameters

ranges (list(ValueRange)) – List of ValueRanges

Return type

PossibleValueSet

Example
>>> v_1 = ValueRange(-5, -1, 1)
>>> v_2 = ValueRange(7, 10, 1)
>>> val = PossibleValueSet.signed_range_value([v_1, v_2])
<signed ranges: [<range: -0x5 to -0x1>, <range: 0x7 to 0xa>]>
classmethod stack_frame_offset(offset)[source]

Create a PossibleValueSet object for a stack frame offset.

Parameters

value (int) – Integer value of the offset

Return type

PossibleValueSet

classmethod undetermined()[source]

Create a PossibleValueSet object of type UndeterminedValue.

Returns

PossibleValueSet object of type UndeterminedValue

Return type

PossibleValueSet

classmethod unsigned_range_value(ranges)[source]

Create a PossibleValueSet object for a unsigned signed range of values.

Parameters

ranges (list(ValueRange)) – List of ValueRanges

Return type

PossibleValueSet

Example
>>> v_1 = ValueRange(0, 5, 1)
>>> v_2 = ValueRange(7, 10, 1)
>>> val = PossibleValueSet.unsigned_range_value([v_1, v_2])
<unsigned ranges: [<range: 0x0 to 0x5>, <range: 0x7 to 0xa>]>
property count
property mapping
property offset
property ranges
property reg
property table
property type
property value
property values
class RegisterInfo(full_width_reg, size, offset=0, extend=<ImplicitRegisterExtend.NoExtend: 0>, index=None)[source]

Bases: object

property extend
property full_width_reg
property index
property offset
property size
class RegisterStackInfo(storage_regs, top_relative_regs, stack_top_reg, index=None)[source]

Bases: object

property index
property stack_top_reg
property storage_regs
property top_relative_regs
class RegisterValue(arch=None, value=None, confidence=255)[source]

Bases: object

classmethod constant(value)[source]
classmethod constant_ptr(value)[source]
classmethod entry_value(arch, reg)[source]
classmethod imported_address(value)[source]
classmethod return_address()[source]
classmethod stack_frame_offset(offset)[source]
classmethod undetermined()[source]
property arch

Architecture where it exists, None otherwise (read-only)

property confidence

Confidence where it exists, None otherwise (read-only)

property is_constant

Boolean for whether the RegisterValue is known to be constant (read-only)

property offset

Offset where it exists, None otherwise (read-only)

property reg

Register where the Architecture exists, None otherwise (read-only)

property type

RegisterValueType (read-only)

property value

Value where it exists, None otherwise (read-only)

class StackVariableReference(src_operand, t, name, var, ref_ofs, size)[source]

Bases: object

property name
property referenced_offset
property size
property source_operand
property type
property var
class UserVariableValueInfo(var, def_site, value)[source]

Bases: object

class ValueRange(start, end, step)[source]

Bases: object

property end
property start
property step
class Variable(func, source_type, index, storage, name=None, var_type=None, identifier=None)[source]

Bases: object

Note

This object is a “passive” object. Any changes you make to it will not be reflected in the core and vice-versa. If you wish to update a core version of this object you should use the appropriate API.

classmethod from_identifier(func, identifier, name=None, var_type=None)[source]
to_BNVariable()[source]
property dead_store_elimination
property function

Function where the variable is defined

property identifier
property index
property name

Name of the variable, set to an empty string to delete

property source_type

VariableSourceType

property storage

Stack offset for StackVariableSourceType, register index for RegisterVariableSourceType

property type
class VariableReferenceSource(var, src)[source]

Bases: object

property src
property var