function module

binaryninja.function.AddressRange(start, end)
binaryninja.function.AdvancedFunctionAnalysisDataRequestor([func])
binaryninja.function.ArchAndAddr(arch, addr)
binaryninja.function.BasicBlockList(function)
binaryninja.function.ConstantReference(...)
binaryninja.function.DisassemblySettings([...])
binaryninja.function.DisassemblyTextLine(tokens)
binaryninja.function.DisassemblyTextRenderer([...])
binaryninja.function.Function([view, handle])
binaryninja.function.HighLevelILBasicBlockList(...)
binaryninja.function.ILReferenceSource(func, ...)
binaryninja.function.IndirectBranchInfo(...)
binaryninja.function.InstructionBranch(type, ...)
binaryninja.function.InstructionInfo(length, ...)
binaryninja.function.InstructionTextToken(...)	class InstructionTextToken is used to tell the core about the various components in the disassembly views.
binaryninja.function.IntrinsicInfo(inputs, ...)
binaryninja.function.IntrinsicInput(type[, name])
binaryninja.function.LookupTableEntry(...)
binaryninja.function.LowLevelILBasicBlockList(...)
binaryninja.function.MediumLevelILBasicBlockList(...)
binaryninja.function.ParameterVariables(var_list)	Note This object is a "passive" object. Any changes you make to it will not be reflected in the core and vice-versa. If you wish to update a core version of this object you should use the appropriate API.
binaryninja.function.PossibleValueSet([...])	class PossibleValueSet PossibleValueSet is used to define possible values that a variable can take.
binaryninja.function.RegisterInfo(...)
binaryninja.function.RegisterStackInfo(...)
binaryninja.function.RegisterValue(value, ...)
binaryninja.function.StackVariableReference(...)
binaryninja.function.TagList(function)
binaryninja.function.ValueRange(start, end, step)
binaryninja.function.Variable(func, ...)
binaryninja.function.VariableReferenceSource(...)

class AdvancedFunctionAnalysisDataRequestor(func: Optional[Function] = None)

Bases: object

Parameters

func (Optional[Function]) –

close() → None

Return type

None

property function: Optional[Function]

class ArchAndAddr(arch: 'architecture.Architecture', addr: int)

Bases: object

Parameters

• arch (Architecture) –

• addr (int) –

Return type

None

addr: int

arch: Architecture

class BasicBlockList(function: Union[Function, LowLevelILFunction, MediumLevelILFunction, HighLevelILFunction])

Bases: object

Parameters

function (Union[Function, LowLevelILFunction, MediumLevelILFunction, HighLevelILFunction]) –

class DisassemblySettings(handle: Optional[binaryninja._binaryninjacore.LP_BNDisassemblySettings] = None)

Bases: object

Parameters

handle (Optional[binaryninja._binaryninjacore.LP_BNDisassemblySettings]) –

is_option_set(option: DisassemblyOption) → bool

Parameters

option (DisassemblyOption) –

Return type

bool

set_option(option: DisassemblyOption, state: bool = True) → None

Parameters

• option (DisassemblyOption) –

• state (bool) –

Return type

None

property max_symbol_width: int

property width: int

class DisassemblyTextLine(tokens: List[ForwardRef('InstructionTextToken')], address: Union[int, NoneType] = None, il_instr: Union[ForwardRef('lowlevelil.LowLevelILInstruction'), ForwardRef('mediumlevelil.MediumLevelILInstruction'), ForwardRef('highlevelil.HighLevelILInstruction'), NoneType] = None, color: Union[ForwardRef('_highlight.HighlightColor'), binaryninja.enums.HighlightStandardColor, NoneType] = None)

Bases: object

Parameters

• tokens (List[InstructionTextToken]) –

• address (Optional[int]) –

• il_instr (Optional[Union[LowLevelILInstruction, MediumLevelILInstruction, HighLevelILInstruction]]) –

• color (Optional[Union[_highlight.HighlightColor, HighlightStandardColor]]) –

address: Optional[int]

highlight: HighlightColor

il_instruction: Optional[Union[LowLevelILInstruction, MediumLevelILInstruction, HighLevelILInstruction]]

tokens: List[InstructionTextToken]

class DisassemblyTextRenderer(func: Optional[Union[Function, LowLevelILFunction, MediumLevelILFunction, HighLevelILFunction]] = None, settings: Optional[DisassemblySettings] = None, handle: Optional[binaryninja._binaryninjacore.BNDisassemblySettings] = None)

Bases: object

Parameters

• func (Optional[Union[Function, LowLevelILFunction, MediumLevelILFunction, HighLevelILFunction]]) –

• settings (Optional[DisassemblySettings]) –

• handle (Optional[binaryninja._binaryninjacore.BNDisassemblySettings]) –

add_integer_token(tokens: List[InstructionTextToken], int_token: InstructionTextToken, addr: int, arch: Optional[Architecture] = None) → None

Parameters

• tokens (List[InstructionTextToken]) –

• int_token (InstructionTextToken) –

• addr (int) –

• arch (Optional[Architecture]) –

Return type

None

add_stack_var_reference_tokens(tokens: List[InstructionTextToken], ref: StackVariableReference) → None

Parameters

• tokens (List[InstructionTextToken]) –

• ref (StackVariableReference) –

Return type

None

add_symbol_token(tokens: List[InstructionTextToken], addr: int, size: int, operand: Optional[int] = None) → bool

Parameters

• tokens (List[InstructionTextToken]) –

• addr (int) –

• size (int) –

• operand (Optional[int]) –

Return type

bool

get_disassembly_text(addr: int) → Generator[Tuple[Optional[DisassemblyTextLine], int], None, None]

Parameters

addr (int) –

Return type

Generator[Tuple[Optional[DisassemblyTextLine], int], None, None]

get_instruction_annotations(addr: int) → List[InstructionTextToken]

Parameters

addr (int) –

Return type

List[InstructionTextToken]

get_instruction_text(addr: int) → Generator[Tuple[Optional[DisassemblyTextLine], int], None, None]

Parameters

addr (int) –

Return type

Generator[Tuple[Optional[DisassemblyTextLine], int], None, None]

static is_integer_token(token: InstructionTextToken) → bool

Parameters

token (InstructionTextToken) –

Return type

bool

post_process_lines(addr: int, length: int, in_lines: Union[str, List[str], List[DisassemblyTextLine]], indent_spaces: str = '')

Parameters

• addr (int) –

• length (int) –

• in_lines (Union[str, List[str], List[DisassemblyTextLine]]) –

• indent_spaces (str) –

reset_deduplicated_comments() → None

Return type

None

wrap_comment(lines: List[DisassemblyTextLine], cur_line: DisassemblyTextLine, comment: str, has_auto_annotations: bool, leading_spaces: str = '  ', indent_spaces: str = '') → None

Parameters

• lines (List[DisassemblyTextLine]) –

• cur_line (DisassemblyTextLine) –

• comment (str) –

• has_auto_annotations (bool) –

• leading_spaces (str) –

• indent_spaces (str) –

Return type

None

property arch: Architecture

property basic_block: Optional[BasicBlock]

property function: Function

property has_data_flow: bool

property il: bool

property il_function: Optional[Union[LowLevelILFunction, MediumLevelILFunction, HighLevelILFunction]]

property settings: DisassemblySettings

class Function(view: Optional[BinaryView] = None, handle: Optional[binaryninja._binaryninjacore.LP_BNFunction] = None)

Bases: object

Parameters

• view (Optional[BinaryView]) –

• handle (Optional[binaryninja._binaryninjacore.LP_BNFunction]) –

add_auto_address_tag(addr: int, tag: Tag, arch: Optional[Architecture] = None) → None

add_auto_address_tag adds an already-created Tag object at a given address. If you want to create the tag as well, consider using create_auto_address_tag

Parameters

• addr (int) – Address at which to add the tag

• tag (Tag) – Tag object to be added

• arch (Architecture) – Architecture for the block in which the Tag is added (optional)

Return type

None

add_auto_function_tag(tag: Tag) → None

add_auto_function_tag adds an already-created Tag object as a function tag. If you want to create the tag as well, consider using create_auto_function_tag

Parameters

tag (Tag) – Tag object to be added

Return type

None

add_user_address_tag(addr: int, tag: Tag, arch: Optional[Architecture] = None) → None

add_user_address_tag adds an already-created Tag object at a given address. Since this adds a user tag, it will be added to the current undo buffer. If you want to create the tag as well, consider using create_user_address_tag

Parameters

• addr (int) – Address at which to add the tag

• tag (Tag) – Tag object to be added

• arch (Architecture) – Architecture for the block in which the Tag is added (optional)

Return type

None

add_user_code_ref(from_addr: int, to_addr: int, arch: Optional[Architecture] = None) → None

add_user_code_ref places a user-defined cross-reference from the instruction at the given address and architecture to the specified target address. If the specified source instruction is not contained within this function, no action is performed. To remove the reference, use remove_user_code_ref.

Parameters

• from_addr (int) – virtual address of the source instruction

• to_addr (int) – virtual address of the xref’s destination.

• arch (Architecture) – (optional) architecture of the source instruction

Return type

None

Example

>>> current_function.add_user_code_ref(here, 0x400000)

add_user_function_tag(tag: Tag) → None

add_user_function_tag adds an already-created Tag object as a function tag. Since this adds a user tag, it will be added to the current undo buffer. If you want to create the tag as well, consider using create_user_function_tag

Parameters

tag (Tag) – Tag object to be added

Return type

None

add_user_type_field_ref(from_addr: int, name: Union[Iterable[Union[str, bytes]], str, QualifiedName], offset: int, from_arch: Optional[Architecture] = None, size: int = 0) → None

add_user_type_field_ref places a user-defined type field cross-reference from the instruction at the given address and architecture to the specified type. If the specified source instruction is not contained within this function, no action is performed. To remove the reference, use remove_user_type_field_ref.

Parameters

• from_addr (int) – virtual address of the source instruction

• name (QualifiedName) – name of the referenced type

• offset (int) – offset of the field, relative to the type

• from_arch (Architecture) – (optional) architecture of the source instruction

• size (int) – (optional) the size of the access

Return type

None

Example

>>> current_function.add_user_type_field_ref(here, 'A', 0x8)

add_user_type_ref(from_addr: int, name: Union[Iterable[Union[str, bytes]], str, QualifiedName], from_arch: Optional[Architecture] = None) → None

add_user_type_ref places a user-defined type cross-reference from the instruction at the given address and architecture to the specified type. If the specified source instruction is not contained within this function, no action is performed. To remove the reference, use remove_user_type_ref.

Parameters

• from_addr (int) – virtual address of the source instruction

• name (QualifiedName) – name of the referenced type

• from_arch (Architecture) – (optional) architecture of the source instruction

Return type

None

Example

>>> current_function.add_user_code_ref(here, 'A')

apply_auto_discovered_type(func_type: Union[str, Type, TypeBuilder]) → None

Parameters

func_type (Union[str, Type, TypeBuilder]) –

Return type

None

apply_imported_types(sym: CoreSymbol, type: Optional[Union[str, Type, TypeBuilder]] = None) → None

Parameters

• sym (CoreSymbol) –

• type (Optional[Union[str, Type, TypeBuilder]]) –

Return type

None

clear_all_user_var_values() → None

Clear all user defined variable values.

Return type

None

clear_user_var_value(var: Variable, def_addr: int) → None

Clears a previously defined user variable value.

Parameters

• var (Variable) – Variable for which the value was informed

• def_addr (int) – Address of the definition site of the variable

Return type

None

create_auto_address_tag(addr: int, type: TagType, data: str, unique: bool = False, arch: Optional[Architecture] = None) → Tag

create_auto_address_tag creates and adds a Tag object at a given address.

Parameters

• addr (int) – Address at which to add the tag

• type (TagType) – Tag Type for the Tag that is created

• data (str) – Additional data for the Tag

• unique (bool) – If a tag already exists at this location with this data, don’t add another

• arch (Architecture) – Architecture for the block in which the Tag is added (optional)

Returns

The created Tag

Return type

Tag

create_auto_function_tag(type: TagType, data: str, unique: bool = False) → Tag

create_auto_function_tag creates and adds a Tag object as a function tag.

Parameters

• type (TagType) – Tag Type for the Tag that is created

• data (str) – Additional data for the Tag

• unique (bool) – If a tag already exists with this data, don’t add another

Returns

The created Tag

Return type

Tag

create_auto_stack_var(offset: int, var_type: Union[str, Type, TypeBuilder], name: str) → None

Parameters

• offset (int) –

• var_type (Union[str, Type, TypeBuilder]) –

• name (str) –

Return type

None

create_auto_tag(type: TagType, data: str = '') → Tag

Create an _auto_ Tag object

Parameters

• type (TagType) –

• data (str) –

Return type

Tag

create_auto_var(var: Variable, var_type: Union[str, Type, TypeBuilder], name: str, ignore_disjoint_uses: bool = False) → None

Parameters

• var (Variable) –

• var_type (Union[str, Type, TypeBuilder]) –

• name (str) –

• ignore_disjoint_uses (bool) –

Return type

None

create_graph(graph_type: FunctionGraphType = FunctionGraphType.NormalFunctionGraph, settings: Optional[DisassemblySettings] = None) → CoreFlowGraph

Parameters

• graph_type (FunctionGraphType) –

• settings (Optional[DisassemblySettings]) –

Return type

CoreFlowGraph

create_tag(type: TagType, data: str = '', user: bool = True) → Tag

create_tag creates a new Tag object but does not add it anywhere. Use create_user_address_tag or create_user_function_tag to create and add in one step.

Parameters

• type (TagType) – The Tag Type for this Tag

• data (str) – Additional data for the Tag

• user (bool) – Boolean indicating if this is a user tag or not

Returns

The created Tag

Return type

Tag

Example

>>> tt = bv.tag_types["Crashes"]
>>> tag = current_function.create_tag(tt, "Null pointer dereference", True)
>>> current_function.add_user_address_tag(here, tag)
>>>

create_user_address_tag(addr: int, tag_type: TagType, data: str, unique: bool = False, arch: Optional[Architecture] = None) → Tag

create_user_address_tag creates and adds a Tag object at a given address. Since this adds a user tag, it will be added to the current undo buffer. To create tags associated with an address that is not inside of a function, use create_user_data_tag.

Parameters

• addr (int) – Address at which to add the tag

• tag_type (TagType) – Tag Type for the Tag that is created

• data (str) – Additional data for the Tag

• unique (bool) – If a tag already exists at this location with this data, don’t add another

• arch (Architecture) – Architecture for the block in which the Tag is added (optional)

Returns

The created Tag

Return type

Tag

create_user_function_tag(type: TagType, data: str, unique: bool = False) → Tag

add_user_function_tag creates and adds a Tag object as a function tag. Since this adds a user tag, it will be added to the current undo buffer.

Parameters

• type (TagType) – Tag Type for the Tag that is created

• data (str) – Additional data for the Tag

• unique (bool) – If a tag already exists with this data, don’t add another

Returns

The created Tag

Return type

Tag

create_user_stack_var(offset: int, var_type: Union[str, Type, TypeBuilder], name: str) → None

Parameters

• offset (int) –

• var_type (Union[str, Type, TypeBuilder]) –

• name (str) –

Return type

None

create_user_tag(type: TagType, data: str = '') → Tag

Create a _user_ Tag object

Parameters

• type (TagType) –

• data (str) –

Return type

Tag

create_user_var(var: Variable, var_type: Union[str, Type, TypeBuilder], name: str, ignore_disjoint_uses: bool = False) → None

Parameters

• var (Variable) –

• var_type (Union[str, Type, TypeBuilder]) –

• name (str) –

• ignore_disjoint_uses (bool) –

Return type

None

delete_auto_stack_var(offset: int) → None

Parameters

offset (int) –

Return type

None

delete_user_stack_var(offset: int) → None

Parameters

offset (int) –

Return type

None

delete_user_var(var: Variable) → None

Parameters

var (Variable) –

Return type

None

get_address_tags_at(addr: int, arch: Optional[Architecture] = None) → List[Tag]

get_address_tags_at gets a generator of all Tags in the function at a given address.

Parameters

• addr (int) – Address to get tags at

• arch (Architecture) – Architecture for the block in which the Tag is added (optional)

Returns

A Generator of Tags

Return type

List[Tag]

get_address_tags_in_range(address_range: AddressRange, arch: Optional[Architecture] = None) → List[Tuple[Architecture, int, Tag]]

get_address_tags_in_range gets a list of all Tags in the function at a given address. Range is inclusive at the start, exclusive at the end.

Parameters

• address_range (AddressRange) – Address range from which to get tags

• arch (Architecture) – Architecture for the block in which the Tag is located (optional)

Returns

A list of (arch, address, Tag) tuples

Return type

list((Architecture, int, Tag))

get_address_tags_of_type(addr: int, tag_type: TagType, arch=None)

get_address_tags_of_type gets a list of all Tags in the function at a given address with a given type.

Parameters

• addr (int) – Address to get tags at

• tag_type (TagType) – TagType object to match in searching

• arch (Architecture) – Architecture for the block in which the Tags are located (optional)

Returns

A list of data Tags

Return type

list(Tag)

get_all_user_var_values() → Dict[Variable, Dict[ArchAndAddr, PossibleValueSet]]

Returns a map of current defined user variable values.

Returns

Map of user current defined user variable values and their definition sites.

Type

dict of (Variable, dict of (ArchAndAddr, PossibleValueSet))

Return type

Dict[Variable, Dict[ArchAndAddr, PossibleValueSet]]

get_auto_address_tags_at(addr, arch=None)

get_auto_address_tags_at gets a list of all auto-defined Tags in the function at a given address.

Parameters

• addr (int) – Address to get tags at

• arch (Architecture) – Architecture for the block in which the Tag is located (optional)

Returns

A list of Tags

Return type

list(Tag)

get_auto_address_tags_in_range(address_range: AddressRange, arch: Optional[Architecture] = None) → List[Tuple[Architecture, int, Tag]]

get_auto_address_tags_in_range gets a list of all auto-defined Tags in the function at a given address. Range is inclusive at the start, exclusive at the end.

Parameters

• address_range (AddressRange) – Address range from which to get tags

• arch (Architecture) – Architecture for the block in which the Tag is located (optional)

Returns

A list of (arch, address, Tag) tuples

Return type

list((Architecture, int, Tag))

get_auto_address_tags_of_type(addr: int, tag_type: TagType, arch: Optional[Architecture] = None)

get_auto_address_tags_of_type gets a list of all auto-defined Tags in the function at a given address with a given type.

Parameters

• addr (int) – Address to get tags at

• tag_type (TagType) – TagType object to match in searching

• arch (Architecture) – Architecture for the block in which the Tags are located (optional)

Returns

A list of data Tags

Return type

list(Tag)

get_auto_function_tags_of_type(tag_type)

get_auto_function_tags_of_type gets a list of all auto-defined function Tags with a given type.

Parameters

tag_type (TagType) – TagType object to match in searching

Returns

A list of data Tags

Return type

list(Tag)

get_basic_block_at(addr: int, arch: Optional[Architecture] = None) → Optional[BasicBlock]

get_basic_block_at returns the BasicBlock of the optionally specified Architecture arch at the given address addr.

Parameters

• addr (int) – Address of the BasicBlock to retrieve.

• arch (Architecture) – (optional) Architecture of the basic block if different from the Function’s self.arch

Example

>>> current_function.get_basic_block_at(current_function.start)
<block: [email protected]>

Return type

Optional[BasicBlock]

get_block_annotations(addr: int, arch: Optional[Architecture] = None) → List[List[InstructionTextToken]]

Parameters

• addr (int) –

• arch (Optional[Architecture]) –

Return type

List[List[InstructionTextToken]]

get_call_reg_stack_adjustment(addr: int, arch: Optional[Architecture] = None) → Dict[RegisterStackName, RegisterStackAdjustmentWithConfidence]

Parameters

• addr (int) –

• arch (Optional[Architecture]) –

Return type

Dict[RegisterStackName, RegisterStackAdjustmentWithConfidence]

get_call_reg_stack_adjustment_for_reg_stack(addr: int, reg_stack: Union[RegisterStackName, ILRegisterStack, RegisterStackIndex], arch: Optional[Architecture] = None) → RegisterStackAdjustmentWithConfidence

Parameters

• addr (int) –

• reg_stack (Union[RegisterStackName, ILRegisterStack, RegisterStackIndex]) –

• arch (Optional[Architecture]) –

Return type

RegisterStackAdjustmentWithConfidence

get_call_stack_adjustment(addr: int, arch: Optional[Architecture] = None) → OffsetWithConfidence

Parameters

• addr (int) –

• arch (Optional[Architecture]) –

Return type

OffsetWithConfidence

get_call_type_adjustment(addr: int, arch: Optional[Architecture] = None) → Optional[Type]

Parameters

• addr (int) –

• arch (Optional[Architecture]) –

Return type

Optional[Type]

get_comment_at(addr: int) → str

Parameters

addr (int) –

Return type

str

get_constants_referenced_by(addr: int, arch: Optional[Architecture] = None) → List[ConstantReference]

Parameters

• addr (int) –

• arch (Optional[Architecture]) –

Return type

List[ConstantReference]

get_constants_referenced_by_address_if_available(addr: int, arch: Optional[Architecture] = None) → List[ConstantReference]

Parameters

• addr (int) –

• arch (Optional[Architecture]) –

Return type

List[ConstantReference]

get_flags_read_by_lifted_il_instruction(i: InstructionIndex) → List[FlagName]

Parameters

i (InstructionIndex) –

Return type

List[FlagName]

get_flags_written_by_lifted_il_instruction(i: InstructionIndex) → List[FlagName]

Parameters

i (InstructionIndex) –

Return type

List[FlagName]

get_function_tags_of_type(tag_type)

get_function_tags_of_type gets a list of all function Tags with a given type.

Parameters

tag_type (TagType) – TagType object to match in searching

Returns

A list of data Tags

Return type

list(Tag)

get_hlil_var_refs(var: Variable) → List[ILReferenceSource]

get_hlil_var_refs returns a list of ILReferenceSource objects (IL xrefs or cross-references) that reference the given variable. The variable is a local variable that can be either on the stack, in a register, or in a flag.

Parameters

var (Variable) – Variable for which to query the xref

Returns

List of IL References for the given variable

Return type

list(ILReferenceSource)

Example

>>> mlil_var = current_hlil[0].operands[0]
>>> current_function.get_hlil_var_refs(mlil_var)

get_hlil_var_refs_from(addr: int, length: Optional[int] = None, arch: Optional[Architecture] = None) → List[VariableReferenceSource]

get_hlil_var_refs_from returns a list of variables referenced by code in the function func, of the architecture arch, and at the address addr. If no function is specified, references from all functions and containing the address will be returned. If no architecture is specified, the architecture of the function will be used.

Parameters

• addr (int) – virtual address to query for variable references

• length (int) – optional length of query

• arch (Architecture) – optional architecture of query

Returns

list of variables reference sources

Return type

list(VariableReferenceSource)

get_indirect_branches_at(addr: int, arch: Optional[Architecture] = None) → List[IndirectBranchInfo]

Parameters

• addr (int) –

• arch (Optional[Architecture]) –

Return type

List[IndirectBranchInfo]

get_instr_highlight(addr: int, arch: Optional[Architecture] = None) → HighlightColor

Example

>>> current_function.set_user_instr_highlight(here, highlight.HighlightColor(red=0xff, blue=0xff, green=0))
>>> current_function.get_instr_highlight(here)
<color: #ff00ff>

Parameters

• addr (int) –

• arch (Optional[Architecture]) –

Return type

HighlightColor

get_instruction_containing_address(addr: int, arch: Optional[Architecture] = None) → Optional[int]

Parameters

• addr (int) –

• arch (Optional[Architecture]) –

Return type

Optional[int]

get_int_display_type(instr_addr: int, value: int, operand: int, arch: Optional[Architecture] = None) → IntegerDisplayType

Get the current text display type for an integer token in the disassembly or IL views

Parameters

• instr_addr (int) – Address of the instruction or IL line containing the token

• value (int) – value field of the InstructionTextToken object for the token, usually the constant displayed

• operand (int) – Operand index of the token, defined as the number of OperandSeparatorTokens in the disassembly line before the token

• arch (Architecture) – (optional) Architecture of the instruction or IL line containing the token

Return type

IntegerDisplayType

get_lifted_il_at(addr: int, arch: Optional[Architecture] = None) → Optional[LowLevelILInstruction]

Parameters

• addr (int) –

• arch (Optional[Architecture]) –

Return type

Optional[LowLevelILInstruction]

get_lifted_il_flag_definitions_for_use(i: InstructionIndex, flag: Union[FlagName, ILFlag, FlagIndex]) → List[InstructionIndex]

Parameters

• i (InstructionIndex) –

• flag (Union[FlagName, ILFlag, FlagIndex]) –

Return type

List[InstructionIndex]

get_lifted_il_flag_uses_for_definition(i: InstructionIndex, flag: Union[FlagName, ILFlag, FlagIndex]) → List[LowLevelILInstruction]

Parameters

• i (InstructionIndex) –

• flag (Union[FlagName, ILFlag, FlagIndex]) –

Return type

List[LowLevelILInstruction]

get_lifted_ils_at(addr: int, arch: Optional[Architecture] = None) → List[LowLevelILInstruction]

get_lifted_ils_at gets the Lifted IL Instruction(s) corresponding to the given virtual address

Parameters

• addr (int) – virtual address of the function to be queried

• arch (Architecture) – (optional) Architecture for the given function

Return type

list(LowLevelILInstruction)

Example

>>> func = next(bv.functions)
>>> func.get_lifted_ils_at(func.start)
[<il: push(rbp)>]

get_llil_at(addr: int, arch: Optional[Architecture] = None) → Optional[LowLevelILInstruction]

get_llil_at gets the LowLevelILInstruction corresponding to the given virtual address

Parameters

• addr (int) – virtual address of the function to be queried

• arch (Architecture) – (optional) Architecture for the given function

Return type

LowLevelILInstruction

Example

>>> func = next(bv.functions)
>>> func.get_llil_at(func.start)
<il: push(rbp)>

get_llils_at(addr: int, arch: Optional[Architecture] = None) → List[LowLevelILInstruction]

get_llils_at gets the LowLevelILInstruction(s) corresponding to the given virtual address

Parameters

• addr (int) – virtual address of the function to be queried

• arch (Architecture) – (optional) Architecture for the given function

Return type

list(LowLevelILInstruction)

Example

>>> func = next(bv.functions)
>>> func.get_llils_at(func.start)
[<il: push(rbp)>]

get_low_level_il_at(addr: int, arch: Optional[Architecture] = None) → Optional[LowLevelILInstruction]

get_low_level_il_at gets the LowLevelILInstruction corresponding to the given virtual address

Parameters

• addr (int) – virtual address of the function to be queried

• arch (Architecture) – (optional) Architecture for the given function

Return type

LowLevelILInstruction

Example

>>> func = next(bv.functions)
>>> func.get_low_level_il_at(func.start)
<il: push(rbp)>

get_low_level_il_exits_at(addr: int, arch: Optional[Architecture] = None) → List[int]

Parameters

• addr (int) –

• arch (Optional[Architecture]) –

Return type

List[int]

get_mlil_var_refs(var: Variable) → List[ILReferenceSource]

get_mlil_var_refs returns a list of ILReferenceSource objects (IL xrefs or cross-references) that reference the given variable. The variable is a local variable that can be either on the stack, in a register, or in a flag. This function is related to get_hlil_var_refs(), which returns variable references collected from HLIL. The two can be different in several cases, e.g., multiple variables in MLIL can be merged into a single variable in HLIL.

Parameters

var (Variable) – Variable for which to query the xref

Returns

List of IL References for the given variable

Return type

list(ILReferenceSource)

Example

>>> mlil_var = current_mlil[0].operands[0]
>>> current_function.get_mlil_var_refs(mlil_var)

get_mlil_var_refs_from(addr: int, length: Optional[int] = None, arch: Optional[Architecture] = None) → List[VariableReferenceSource]

get_mlil_var_refs_from returns a list of variables referenced by code in the function func, of the architecture arch, and at the address addr. If no function is specified, references from all functions and containing the address will be returned. If no architecture is specified, the architecture of the function will be used. This function is related to get_hlil_var_refs_from(), which returns variable references collected from HLIL. The two can be different in several cases, e.g., multiple variables in MLIL can be merged into a single variable in HLIL.

Parameters

• addr (int) – virtual address to query for variable references

• length (int) – optional length of query

• arch (Architecture) – optional architecture of query

Returns

list of variable reference sources

Return type

list(VariableReferenceSource)

get_parameter_at(addr: int, func_type: Optional[Type], i: int, arch: Optional[Architecture] = None) → RegisterValue

Parameters

• addr (int) –

• func_type (Optional[Type]) –

• i (int) –

• arch (Optional[Architecture]) –

Return type

RegisterValue

get_parameter_at_low_level_il_instruction(instr: InstructionIndex, func_type: Type, i: int) → RegisterValue

Parameters

• instr (InstructionIndex) –

• func_type (Type) –

• i (int) –

Return type

RegisterValue

get_reg_value_after(addr: int, reg: Union[RegisterName, ILRegister, RegisterIndex], arch: Optional[Architecture] = None) → RegisterValue

get_reg_value_after gets the value instruction address corresponding to the given virtual address

Parameters

• addr (int) – virtual address of the instruction to query

• reg (str) – string value of native register to query

• arch (Architecture) – (optional) Architecture for the given function

Return type

RegisterValue

Example

>>> current_function.get_reg_value_after(0x400dbe, 'rdi')
<undetermined>

get_reg_value_at(addr: int, reg: Union[RegisterName, ILRegister, RegisterIndex], arch: Optional[Architecture] = None) → RegisterValue

get_reg_value_at gets the value the provided string register address corresponding to the given virtual address

Parameters

• addr (int) – virtual address of the instruction to query

• reg (str) – string value of native register to query

• arch (Architecture) – (optional) Architecture for the given function

Return type

RegisterValue

Example

>>> current_function.get_reg_value_at(0x400dbe, 'rdi')
<const 0x2>

get_reg_value_at_exit(reg: Union[RegisterName, ILRegister, RegisterIndex]) → RegisterValue

Parameters

reg (Union[RegisterName, ILRegister, RegisterIndex]) –

Return type

RegisterValue

get_regs_read_by(addr: int, arch: Optional[Architecture] = None) → List[RegisterName]

Parameters

• addr (int) –

• arch (Optional[Architecture]) –

Return type

List[RegisterName]

get_regs_written_by(addr: int, arch: Optional[Architecture] = None) → List[RegisterName]

Parameters

• addr (int) –

• arch (Optional[Architecture]) –

Return type

List[RegisterName]

get_stack_contents_after(addr: int, offset: int, size: int, arch: Optional[Architecture] = None) → RegisterValue

Parameters

• addr (int) –

• offset (int) –

• size (int) –

• arch (Optional[Architecture]) –

Return type

RegisterValue

get_stack_contents_at(addr: int, offset: int, size: int, arch: Optional[Architecture] = None) → RegisterValue

get_stack_contents_at returns the RegisterValue for the item on the stack in the current function at the given virtual address addr, stack offset offset and size of size. Optionally specifying the architecture.

Parameters

• addr (int) – virtual address of the instruction to query

• offset (int) – stack offset base of stack

• size (int) – size of memory to query

• arch (Architecture) – (optional) Architecture for the given function

Return type

RegisterValue

Note

Stack base is zero on entry into the function unless the architecture places the return address on the stack as in (x86/x86_64) where the stack base will start at address_size

Example

>>> current_function.get_stack_contents_at(0x400fad, -16, 4)
<range: 0x8 to 0xffffffff>

Parameters

• addr (int) –

• offset (int) –

• size (int) –

• arch (Optional[Architecture]) –

Return type

RegisterValue

get_stack_var_at_frame_offset(offset: int, addr: int, arch: Optional[Architecture] = None) → Optional[Variable]

Parameters

• offset (int) –

• addr (int) –

• arch (Optional[Architecture]) –

Return type

Optional[Variable]

get_stack_vars_referenced_by(addr: int, arch: Optional[Architecture] = None) → List[StackVariableReference]

Parameters

• addr (int) –

• arch (Optional[Architecture]) –

Return type

List[StackVariableReference]

get_stack_vars_referenced_by_address_if_available(addr: int, arch: Optional[Architecture] = None) → List[StackVariableReference]

Parameters

• addr (int) –

• arch (Optional[Architecture]) –

Return type

List[StackVariableReference]

get_type_tokens(settings: Optional[DisassemblySettings] = None) → List[DisassemblyTextLine]

Parameters

settings (Optional[DisassemblySettings]) –

Return type

List[DisassemblyTextLine]

get_user_address_tags_at(addr, arch=None)

get_user_address_tags_at gets a list of all user Tags in the function at a given address.

Parameters

• addr (int) – Address to get tags at

• arch (Architecture) – Architecture for the block in which the Tag is located (optional)

Returns

A list of Tags

Return type

list(Tag)

get_user_address_tags_in_range(address_range: AddressRange, arch: Optional[Architecture] = None) → List[Tuple[Architecture, int, Tag]]

get_user_address_tags_in_range gets a list of all user Tags in the function at a given address. Range is inclusive at the start, exclusive at the end.

Parameters

• address_range (AddressRange) – Address range from which to get tags

• arch (Architecture) – Architecture for the block in which the Tag is located (optional)

Returns

A list of (arch, address, Tag) tuples

Return type

list((Architecture, int, Tag))

get_user_address_tags_of_type(addr: int, tag_type: TagType, arch: Optional[Architecture] = None)

get_user_address_tags_of_type gets a list of all user Tags in the function at a given address with a given type.

Parameters

• addr (int) – Address to get tags at

• tag_type (TagType) – TagType object to match in searching

• arch (Architecture) – Architecture for the block in which the Tags are located (optional)

Returns

A list of data Tags

Return type

list(Tag)

get_user_function_tags_of_type(tag_type)

get_user_function_tags_of_type gets a list of all user function Tags with a given type.

Parameters

tag_type (TagType) – TagType object to match in searching

Returns

A list of data Tags

Return type

list(Tag)

get_variable_by_name(name: str) → Optional[Variable]

Get a specific variable or None if it doesn’t exist

Parameters

name (str) –

Return type

Optional[Variable]

is_call_instruction(addr: int, arch: Optional[Architecture] = None) → bool

Parameters

• addr (int) –

• arch (Optional[Architecture]) –

Return type

bool

is_var_user_defined(var: Variable) → bool

Parameters

var (Variable) –

Return type

bool

mark_caller_updates_required(update_type: FunctionUpdateType = FunctionUpdateType.UserFunctionUpdate) → None

mark_caller_updates_required indicates that callers of this function need to be reanalyzed during the next update cycle

Parameters

update_type (FunctionUpdateType) – (optional) Desired update type

Return type

None

mark_recent_use() → None

Return type

None

mark_updates_required(update_type: FunctionUpdateType = FunctionUpdateType.UserFunctionUpdate) → None

mark_updates_required indicates that this function needs to be reanalyzed during the next update cycle

Parameters

update_type (FunctionUpdateType) – (optional) Desired update type

Return type

None

merge_vars(target: Variable, sources: Union[List[Variable], Variable]) → None

merge_vars merges one or more varibles in sources into the target variable. All variable accesses to the variables in sources will be rewritten to use target.

Parameters

• target (Variable) – target variable

• sources (list(Variable)) – list of source variables

Return type

None

reanalyze(update_type: FunctionUpdateType = FunctionUpdateType.UserFunctionUpdate) → None

reanalyze causes this functions to be reanalyzed. This function does not wait for the analysis to finish.

Parameters

update_type (FunctionUpdateType) – (optional) Desired update type

Return type

None

Warning

If analysis_skipped is True, using this API will not trigger re-analysis. Instead, set analysis_skipped to False.

Return type

None

Parameters

update_type (FunctionUpdateType) –

release_advanced_analysis_data() → None

Return type

None

remove_auto_address_tag(addr: int, tag: TagType, arch: Optional[Architecture] = None) → None

remove_auto_address_tag removes a Tag object at a given address.

Parameters

• addr (int) – Address at which to add the tag

• tag (Tag) – Tag object to be added

• arch (Architecture) – Architecture for the block in which the Tag is added (optional)

Return type

None

remove_auto_address_tags_of_type(addr, tag_type, arch=None)

remove_auto_address_tags_of_type removes all tags at the given address of the given type.

Parameters

• addr (int) – Address at which to remove the tags

• tag_type (Tag) – TagType object to match for removing

• arch (Architecture) – Architecture for the block in which the Tags is located (optional)

Return type

None

remove_auto_function_tag(tag: Tag) → None

remove_user_function_tag removes a Tag object as a function tag.

Parameters

tag (Tag) – Tag object to be added

Return type

None

remove_auto_function_tags_of_type(tag_type)

remove_user_function_tags_of_type removes all function Tag objects on a function of a given type

Parameters

tag_type (TagType) – TagType object to match for removing

Return type

None

remove_user_address_tag(addr: int, tag: Tag, arch: Optional[Architecture] = None) → None

remove_user_address_tag removes a Tag object at a given address. Since this removes a user tag, it will be added to the current undo buffer.

Parameters

• addr (int) – Address at which to remove the tag

• tag (Tag) – Tag object to be added

• arch (Architecture) – Architecture for the block in which the Tag is added (optional)

Return type

None

remove_user_address_tags_of_type(addr, tag_type, arch=None)

remove_user_address_tags_of_type removes all tags at the given address of the given type. Since this removes user tags, it will be added to the current undo buffer.

Parameters

• addr (int) – Address at which to remove the tag

• tag_type (Tag) – TagType object to match for removing

• arch (Architecture) – Architecture for the block in which the Tags is located (optional)

Return type

None

remove_user_code_ref(from_addr: int, to_addr: int, from_arch: Optional[Architecture] = None) → None

remove_user_code_ref removes a user-defined cross-reference. If the given address is not contained within this function, or if there is no such user-defined cross-reference, no action is performed.

Parameters

• from_addr (int) – virtual address of the source instruction

• to_addr (int) – virtual address of the xref’s destination.

• from_arch (Architecture) – (optional) architecture of the source instruction

Return type

None

Example

>>> current_function.remove_user_code_ref(here, 0x400000)

remove_user_function_tag(tag: Tag) → None

remove_user_function_tag removes a Tag object as a function tag. Since this removes a user tag, it will be added to the current undo buffer.

Parameters

tag (Tag) – Tag object to be added

Return type

None

remove_user_function_tags_of_type(tag_type)

remove_user_function_tags_of_type removes all function Tag objects on a function of a given type Since this removes user tags, it will be added to the current undo buffer.

Parameters

tag_type (TagType) – TagType object to match for removing

Return type

None

remove_user_type_field_ref(from_addr: int, name: Union[Iterable[Union[str, bytes]], str, QualifiedName], offset: int, from_arch: Optional[Architecture] = None, size: int = 0) → None

remove_user_type_field_ref removes a user-defined type field cross-reference. If the given address is not contained within this function, or if there is no such user-defined cross-reference, no action is performed.

Parameters

• from_addr (int) – virtual address of the source instruction

• name (QualifiedName) – name of the referenced type

• offset (int) – offset of the field, relative to the type

• from_arch (Architecture) – (optional) architecture of the source instruction

• size (int) – (optional) the size of the access

Return type

None

Example

>>> current_function.remove_user_type_field_ref(here, 'A', 0x8)

remove_user_type_ref(from_addr: int, name: Union[Iterable[Union[str, bytes]], str, QualifiedName], from_arch: Optional[Architecture] = None) → None

remove_user_type_ref removes a user-defined type cross-reference. If the given address is not contained within this function, or if there is no such user-defined cross-reference, no action is performed.

Parameters

• from_addr (int) – virtual address of the source instruction

• name (QualifiedName) – name of the referenced type

• from_arch (Architecture) – (optional) architecture of the source instruction

Return type

None

Example

>>> current_function.remove_user_type_ref(here, 'A')

request_advanced_analysis_data() → None

Return type

None

request_debug_report(name: str) → None

request_debug_report can generate internal debug reports for a variety of analysis. Current list of possible values include:

• mlil_translator

• stack_adjust_graph

• high_level_il

Parameters

name (str) – Name of the debug report

Return type

None

set_auto_call_reg_stack_adjustment(addr: int, adjust: Mapping[RegisterStackName, int], arch: Optional[Architecture] = None) → None

Parameters

• addr (int) –

• adjust (Mapping[RegisterStackName, int]) –

• arch (Optional[Architecture]) –

Return type

None

set_auto_call_reg_stack_adjustment_for_reg_stack(addr: int, reg_stack: Union[RegisterStackName, ILRegisterStack, RegisterStackIndex], adjust, arch: Optional[Architecture] = None) → None

Parameters

• addr (int) –

• reg_stack (Union[RegisterStackName, ILRegisterStack, RegisterStackIndex]) –

• arch (Optional[Architecture]) –

Return type

None

set_auto_call_stack_adjustment(addr: int, adjust: Union[int, OffsetWithConfidence], arch: Optional[Architecture] = None) → None

Parameters

• addr (int) –

• adjust (Union[int, OffsetWithConfidence]) –

• arch (Optional[Architecture]) –

Return type

None

set_auto_calling_convention(value: CallingConvention) → None

Parameters

value (CallingConvention) –

Return type

None

set_auto_can_return(value: Union[bool, BoolWithConfidence]) → None

Parameters

value (Union[bool, BoolWithConfidence]) –

Return type

None

set_auto_clobbered_regs(value: List[Union[RegisterName, ILRegister, RegisterIndex]]) → None

Parameters

value (List[Union[RegisterName, ILRegister, RegisterIndex]]) –

Return type

None

set_auto_has_variable_arguments(value: Union[bool, BoolWithConfidence]) → None

Parameters

value (Union[bool, BoolWithConfidence]) –

Return type

None

set_auto_indirect_branches(source: int, branches: List[Tuple[Architecture, int]], source_arch: Optional[Architecture] = None) → None

Parameters

• source (int) –

• branches (List[Tuple[Architecture, int]]) –

• source_arch (Optional[Architecture]) –

Return type

None

set_auto_inline_during_analysis(value: Union[bool, BoolWithConfidence])

Parameters

value (Union[bool, BoolWithConfidence]) –

set_auto_instr_highlight(addr: int, color: Union[HighlightColor, HighlightStandardColor], arch: Optional[Architecture] = None)

set_auto_instr_highlight highlights the instruction at the specified address with the supplied color

Warning

Use only in analysis plugins. Do not use in regular plugins, as colors won’t be saved to the database.

Parameters

• addr (int) – virtual address of the instruction to be highlighted

• color (HighlightStandardColor|HighlightColor) – Color value to use for highlighting

• arch (Architecture) – (optional) Architecture of the instruction if different from self.arch

set_auto_parameter_vars(value: Optional[Union[List[Variable], Variable, ParameterVariables]]) → None

Parameters

value (Optional[Union[List[Variable], Variable, ParameterVariables]]) –

Return type

None

set_auto_reg_stack_adjustments(value: Mapping[RegisterStackName, RegisterStackAdjustmentWithConfidence])

Parameters

value (Mapping[RegisterStackName, RegisterStackAdjustmentWithConfidence]) –

set_auto_return_regs(value: Union[RegisterSet, List[Union[RegisterName, ILRegister, RegisterIndex]]]) → None

Parameters

value (Union[RegisterSet, List[Union[RegisterName, ILRegister, RegisterIndex]]]) –

Return type

None

set_auto_return_type(value: Union[str, Type, TypeBuilder]) → None

Parameters

value (Union[str, Type, TypeBuilder]) –

Return type

None

set_auto_stack_adjustment(value: Union[int, OffsetWithConfidence]) → None

Parameters

value (Union[int, OffsetWithConfidence]) –

Return type

None

set_auto_type(value: Union[str, Type, TypeBuilder]) → None

Parameters

value (Union[str, Type, TypeBuilder]) –

Return type

None

set_call_reg_stack_adjustment(addr: int, adjust: Mapping[RegisterStackName, Union[int, RegisterStackAdjustmentWithConfidence]], arch: Optional[Architecture] = None) → None

Parameters

• addr (int) –

• adjust (Mapping[RegisterStackName, Union[int, RegisterStackAdjustmentWithConfidence]]) –

• arch (Optional[Architecture]) –

Return type

None

set_call_reg_stack_adjustment_for_reg_stack(addr: int, reg_stack: Union[RegisterStackName, ILRegisterStack, RegisterStackIndex], adjust: Union[int, RegisterStackAdjustmentWithConfidence], arch: Optional[Architecture] = None) → None

Parameters

• addr (int) –

• reg_stack (Union[RegisterStackName, ILRegisterStack, RegisterStackIndex]) –

• adjust (Union[int, RegisterStackAdjustmentWithConfidence]) –

• arch (Optional[Architecture]) –

Return type

None

set_call_stack_adjustment(addr: int, adjust: Union[int, OffsetWithConfidence], arch: Optional[Architecture] = None)

Parameters

• addr (int) –

• adjust (Union[int, OffsetWithConfidence]) –

• arch (Optional[Architecture]) –

set_call_type_adjustment(addr: int, adjust_type: Optional[Union[str, Type, TypeBuilder]] = None, arch: Optional[Architecture] = None) → None

set_call_type_adjustment sets or removes the call type override at a call site to the given type.

Parameters

• addr (int) – virtual address of the call instruction to adjust

• adjust_type (str|Type|TypeBuilder) – (optional) overridden call type, or None to remove an existing adjustment

• arch (Architecture) – (optional) Architecture of the instruction if different from self.arch

Example

>>> # Change the current call site to no-return
>>> target = bv.get_function_at(list(filter(lambda ref: ref.address == here, current_function.call_sites))[0].mlil.dest.value.value)
>>> ft = target.function_type.mutable_copy()
>>> ft.can_return = False
>>> current_function.set_call_type_adjustment(here, ft)

Return type

None

set_comment(addr: int, comment: str) → None

Note

Use set_comment_at instead.

Deprecated since version Use: Function.set_comment_at instead.

Parameters

• addr (int) –

• comment (str) –

Return type

None

set_comment_at(addr: int, comment: str) → None

set_comment_at sets a comment for the current function at the address specified

Parameters

• addr (int) – virtual address within the current function to apply the comment to

• comment (str) – string comment to apply

Return type

None

Example

>>> current_function.set_comment_at(here, "hi")

static set_default_session_data(name: str, value) → None

Parameters

name (str) –

Return type

None

set_int_display_type(instr_addr: int, value: int, operand: int, display_type: IntegerDisplayType, arch: Optional[Architecture] = None) → None

Change the text display type for an integer token in the disassembly or IL views

Parameters

• instr_addr (int) – Address of the instruction or IL line containing the token

• value (int) – value field of the InstructionTextToken object for the token, usually the constant displayed

• operand (int) – Operand index of the token, defined as the number of OperandSeparatorTokens in the disassembly line before the token

• display_type (IntegerDisplayType) – Desired display type

• arch (Architecture) – (optional) Architecture of the instruction or IL line containing the token

Return type

None

set_user_indirect_branches(source: int, branches: List[Tuple[Architecture, int]], source_arch: Optional[Architecture] = None) → None

Parameters

• source (int) –

• branches (List[Tuple[Architecture, int]]) –

• source_arch (Optional[Architecture]) –

Return type

None

set_user_inline_during_analysis(value: Union[bool, BoolWithConfidence])

Parameters

value (Union[bool, BoolWithConfidence]) –

set_user_instr_highlight(addr: int, color: Union[HighlightColor, HighlightStandardColor], arch: Optional[Architecture] = None)

set_user_instr_highlight highlights the instruction at the specified address with the supplied color

Parameters

• addr (int) – virtual address of the instruction to be highlighted

• color (HighlightStandardColor|HighlightColor) – Color value to use for highlighting

• arch (Architecture) – (optional) Architecture of the instruction if different from self.arch

Example

>>> current_function.set_user_instr_highlight(here, HighlightStandardColor.BlueHighlightColor)
>>> current_function.set_user_instr_highlight(here, highlight.HighlightColor(red=0xff, blue=0xff, green=0))

set_user_type(value: Union[str, Type, TypeBuilder]) → None

Parameters

value (Union[str, Type, TypeBuilder]) –

Return type

None

set_user_var_value(var: Variable, def_addr: int, value: PossibleValueSet) → None

set_user_var_value allows the user to specify a PossibleValueSet value for an MLIL variable at its definition site.

Warning

Setting the variable value, triggers a reanalysis of the function and allows the dataflow to compute and propagate values which depend on the current variable. This implies that branch conditions whose values can be determined statically will be computed, leading to potential branch elimination at the HLIL layer.

Parameters

• var (Variable) – Variable for which the value is to be set

• def_addr (int) – Address of the definition site of the variable

• value (PossibleValueSet) – Informed value of the variable

Return type

None

Example

>>> mlil_var = current_mlil[0].operands[0]
>>> def_address = 0x40108d
>>> var_value = PossibleValueSet.constant(5)
>>> current_function.set_user_var_value(mlil_var, def_address, var_value)

split_var(var: Variable) → None

split_var splits a varible at the definition site. The given var must be the variable unique to the definition and should be obtained by using MediumLevelILInstruction.get_split_var_for_definition at the definition site.

This function is not meant to split variables that have been previously merged. Use unmerge_vars to split previously merged variables.

Warning

Binary Ninja automatically splits all variables that the analysis determines to be safely splittable. Splitting a variable manually with split_var can cause IL and decompilation to be incorrect. There are some patterns where variables can be safely split semantically but analysis cannot determine that it is safe. This function is provided to allow variable splitting to be performed in these cases by plugins or by the user.

Parameters

var (Variable) – variable to split

Return type

None

unmerge_vars(target: Variable, sources: Union[List[Variable], Variable]) → None

unmerge_vars undoes variable merging performed with merge_vars. The variables in sources will no longer be merged into the target variable.

Parameters

• target (Variable) – target variable

• sources (list(Variable)) – list of source variables

Return type

None

unsplit_var(var: Variable) → None

unsplit_var undoes varible splitting performed with split_var. The given var must be the variable unique to the definition and should be obtained by using MediumLevelILInstruction.get_split_var_for_definition at the definition site.

Parameters

var (Variable) – variable to unsplit

Return type

None

property address_ranges: List[AddressRange]

All of the address ranges covered by a function

property address_tags: TagList

address_tags gets a TagList of all address Tags in the function. Tags are returned as an iterable indexable object TagList of (arch, address, Tag) tuples.

Return type

TagList((Architecture, int, Tag))

property analysis_performance_info: Dict[str, int]

property analysis_skip_override: FunctionAnalysisSkipOverride

Override for skipping of automatic analysis

property analysis_skip_reason: AnalysisSkipReason

Function analysis skip reason

property analysis_skipped: bool

Whether automatic analysis was skipped for this function. Can be set to false to re-enable analysis.

property arch: Architecture

Function architecture (read-only)

property auto: bool

Whether function was automatically discovered (read-only) as a result of some creation of a ‘user’ function. ‘user’ functions may or may not have been created by a user through the or API. For instance the entry point into a function is always created a ‘user’ function. ‘user’ functions should be considered the root of auto analysis.

property auto_address_tags: List[Tuple[Architecture, int, Tag]]

auto_address_tags gets a list of all auto-defined address Tags in the function. Tags are returned as a list of (arch, address, Tag) tuples.

Return type

list((Architecture, int, Tag))

property auto_function_tags

auto_function_tags gets a list of all auto-defined function Tags for the function.

Return type

list(Tag)

property basic_blocks: BasicBlockList

function.BasicBlockList of BasicBlocks in the current function (read-only)

property call_sites: List[ReferenceSource]

call_sites returns a list of possible call sites contained in this function. This includes ordinary calls, tail calls, and indirect jumps. Not all of the returned call sites are necessarily true call sites; some may simply be unresolved indirect jumps, for example.

Returns

List of References that represent the sources of possible calls in this function

Return type

list(ReferenceSource)

property callee_addresses: List[int]

callee_addressses returns a list of start addresses for functions that call this function. Does not point to the actual address where the call occurs, just the start of the function that contains the reference.

Returns

List of start addresess for Functions that call this function

Return type

list(int)

property callees: List[Function]

callees returns a list of functions that this function calls This does not include the address of those calls, rather just the function objects themselves. Use call_sites to identify the location of these calls.

Returns

List of Functions that this function calls

Return type

list(Function)

property caller_sites: Generator[ReferenceSource, None, None]

caller_sites returns a list of ReferenceSource objects corresponding to the addresses in functions which reference this function

Returns

List of ReferenceSource objects of the call sites to this function

Return type

list(ReferenceSource)

property callers: List[Function]

callers returns a list of functions that call this function Does not point to the actual address where the call occurs, just the start of the function that contains the call.

Returns

List of Functions that call this function

Return type

list(Function)

property calling_convention: Optional[CallingConvention]

Calling convention used by the function

property can_return: BoolWithConfidence

Whether function can return

property clobbered_regs: RegisterSet

Registers that are modified by this function

property comment: str

Gets the comment for the current function

property comments: Dict[int, str]

Dict of comments (read-only)

property core_var_stack_layout: List[CoreVariable]

List of function stack variables (read-only)

property core_vars: List[CoreVariable]

List of CoreVariable objects

property explicitly_defined_type: bool

Whether function has explicitly defined types (read-only)

property function_tags: List[Tag]

function_tags gets a list of all function Tags for the function.

Return type

List(Tag)

property function_type: FunctionType

Function type object, can be set with either a string representing the function prototype (str(function) shows examples) or a Type object

property global_pointer_value: RegisterValue

Discovered value of the global pointer register, if the function uses one (read-only)

property has_unresolved_indirect_branches: bool

Has unresolved indirect branches (read-only)

property has_user_annotations: bool

Whether the function has ever been ‘user’ modified

property has_variable_arguments: BoolWithConfidence

Whether the function takes a variable number of arguments

property high_level_il: HighLevelILFunction

Function high level IL (read-only)

property highest_address: int

The highest (largest) virtual address contained in a function.

property hlil: HighLevelILFunction

Function high level IL (read-only)

property hlil_if_available: Optional[HighLevelILFunction]

Function high level IL, or None if not loaded (read-only)

property indirect_branches: List[IndirectBranchInfo]

List of indirect branches (read-only)

property inline_during_analysis: BoolWithConfidence

Whether the function’s IL should be inlined into all callers’ IL

property instructions: Generator[Tuple[List[InstructionTextToken], int], None, None]

A generator of instruction tokens and their start addresses for the current function

property is_thunk: bool

Returns True if the function starts with a Tailcall (read-only)

property lifted_il: LowLevelILFunction

returns LowLevelILFunction used to represent lifted IL (read-only)

property lifted_il_if_available: Optional[LowLevelILFunction]

returns LowLevelILFunction used to represent lifted IL, or None if not loaded (read-only)

property llil: LowLevelILFunction

returns LowLevelILFunction used to represent Function low level IL (read-only)

property llil_basic_blocks: Generator[LowLevelILBasicBlock, None, None]

A generator of all LowLevelILBasicBlock objects in the current function

property llil_if_available: Optional[LowLevelILFunction]

returns LowLevelILFunction used to represent Function low level IL, or None if not loaded (read-only)

property llil_instructions: Generator[LowLevelILInstruction, None, None]

Note

Use LowLevelIlFunction.instructions instead.

Deprecated since version Use: LowLevelIlFunction.instructions instead.

property low_level_il: LowLevelILFunction

returns LowLevelILFunction used to represent Function low level IL (read-only)

property lowest_address: int

The lowest (smallest) virtual address contained in a function.

property mapped_medium_level_il: MediumLevelILFunction

Function mapped medium level IL (read-only)

property medium_level_il: MediumLevelILFunction

Function medium level IL (read-only)

property merged_vars: Dict[Variable, List[Variable]]

Map of merged variables, organized by target variable (read-only). Use merge_vars and unmerge_vars to update merged variables.

property mlil: MediumLevelILFunction

Function medium level IL (read-only)

property mlil_basic_blocks: Generator[MediumLevelILBasicBlock, None, None]

A generator of all MediumLevelILBasicBlock objects in the current function

property mlil_if_available: Optional[MediumLevelILFunction]

Function medium level IL, or None if not loaded (read-only)

property mlil_instructions: Generator[MediumLevelILInstruction, None, None]

Note

Use MediumLevelIlFunction.instructions instead.

Deprecated since version Use: MediumLevelIlFunction.instructions instead.

property mmlil: MediumLevelILFunction

Function mapped medium level IL (read-only)

property mmlil_if_available: Optional[MediumLevelILFunction]

Function mapped medium level IL, or None if not loaded (read-only)

property name: str

Symbol name for the function

property needs_update: bool

Whether the function has analysis that needs to be updated (read-only)

property parameter_vars: ParameterVariables

List of variables for the incoming function parameters

property parent_components

property platform: Optional[Platform]

Function platform (read-only)

property reg_stack_adjustments: Dict[RegisterStackName, RegisterStackAdjustmentWithConfidence]

Number of entries removed from each register stack after return

property return_regs: RegisterSet

Registers that are used for the return value

property return_type: Optional[Type]

Return type of the function

property session_data: Any

Dictionary object where plugins can store arbitrary data associated with the function

property split_vars: List[Variable]

Set of variables that have been split with split_var. These variables correspond to those unique to each definition site and are obtained by using MediumLevelILInstruction.get_split_var_for_definition at the definitions.

property stack_adjustment: OffsetWithConfidence

Number of bytes removed from the stack after return

property stack_layout: List[Variable]

List of function stack variables (read-only)

property start: int

Function start address (read-only)

property symbol: CoreSymbol

Function symbol(read-only)

property too_large: bool

Whether the function is too large to automatically perform analysis (read-only)

property total_bytes: int

Total bytes of a function calculated by summing each basic_block. Because basic blocks can overlap and have gaps between them this may or may not be equivalent to a .size property.

property type_tokens: List[InstructionTextToken]

Text tokens for this function’s prototype

property unresolved_indirect_branches: List[int]

List of unresolved indirect branches (read-only)

property unresolved_stack_adjustment_graph: Optional[CoreFlowGraph]

Flow graph of unresolved stack adjustments (read-only)

property user_address_tags

user_address_tags gets a list of all user address Tags in the function. Tags are returned as a list of (arch, address, Tag) tuples.

Return type

list((Architecture, int, Tag))

property user_function_tags

user_function_tags gets a list of all user function Tags for the function.

Return type

list(Tag)

property vars: List[Variable]

List of function variables (read-only)

property view: BinaryView

Function view (read-only)

property workflow

class HighLevelILBasicBlockList(function: Union[Function, LowLevelILFunction, MediumLevelILFunction, HighLevelILFunction])

Bases: binaryninja.function.BasicBlockList

Parameters

function (Union[Function, LowLevelILFunction, MediumLevelILFunction, HighLevelILFunction]) –

class ILReferenceSource(func: Union[ForwardRef('Function'), NoneType], arch: Union[ForwardRef('architecture.Architecture'), NoneType], address: int, il_type: FunctionGraphType, expr_id: int)

Bases: object

Parameters

• func (Optional[Function]) –

• arch (Optional[Architecture]) –

• address (int) –

• il_type (FunctionGraphType) –

• expr_id (int) –

Return type

None

static get_il_name(il_type: FunctionGraphType) → str

Parameters

il_type (FunctionGraphType) –

Return type

str

address: int

arch: Optional[Architecture]

expr_id: int

func: Optional[Function]

il_type: FunctionGraphType

class LowLevelILBasicBlockList(function: Union[Function, LowLevelILFunction, MediumLevelILFunction, HighLevelILFunction])

Bases: binaryninja.function.BasicBlockList

Parameters

function (Union[Function, LowLevelILFunction, MediumLevelILFunction, HighLevelILFunction]) –

class MediumLevelILBasicBlockList(function: Union[Function, LowLevelILFunction, MediumLevelILFunction, HighLevelILFunction])

Bases: binaryninja.function.BasicBlockList

Parameters

function (Union[Function, LowLevelILFunction, MediumLevelILFunction, HighLevelILFunction]) –

class TagList(function: Function)

Bases: object

Parameters

function (Function) –

class VariableReferenceSource(var: 'variable.Variable', src: ILReferenceSource)

Bases: object

Parameters

• var (Variable) –

• src (ILReferenceSource) –

Return type

None

src: ILReferenceSource

var: Variable