binaryview module

binaryninja.binaryview.ActiveAnalysisInfo(...)
binaryninja.binaryview.AddressRange(start, end)
binaryninja.binaryview.AnalysisCompletionEvent(...) The AnalysisCompletionEvent object provides an asynchronous mechanism for receiving callbacks when analysis is complete.
binaryninja.binaryview.AnalysisInfo(state, ...)
binaryninja.binaryview.AnalysisProgress(...)
binaryninja.binaryview.BinaryDataNotification()
binaryninja.binaryview.BinaryDataNotificationCallbacks(...)
binaryninja.binaryview.BinaryReader(view[, ...]) class BinaryReader is a convenience class for reading binary data.
binaryninja.binaryview.BinaryView([...]) class BinaryView implements a view on binary data, and presents a queryable interface of a binary file. One key
binaryninja.binaryview.BinaryViewType(handle)
binaryninja.binaryview.BinaryWriter(view[, ...]) class BinaryWriter is a convenience class for writing binary data.
binaryninja.binaryview.DataVariable(addr, ...)
binaryninja.binaryview.Section(name, ...)
binaryninja.binaryview.Segment(start, ...)
binaryninja.binaryview.StringReference(bv, ...)
binaryninja.binaryview.range(*args) A Python2 and Python3 Compatible Range Generator
binaryninja.binaryview.with_metaclass(meta, ...) Create a base class with a metaclass.
class binaryninja.binaryview.ActiveAnalysisInfo(func, analysis_time, update_count, submit_count)[source]

Bases: object

class binaryninja.binaryview.AddressRange(start, end)[source]

Bases: object

length
class binaryninja.binaryview.AnalysisCompletionEvent(view, callback)[source]

Bases: object

The AnalysisCompletionEvent object provides an asynchronous mechanism for receiving callbacks when analysis is complete. The callback runs once. A completion event must be added for each new analysis in order to be notified of each analysis completion. The AnalysisCompletionEvent class takes responcibility for keeping track of the object’s lifetime.

Example:
>>> def on_complete(self):
...     print("Analysis Complete", self.view)
...
>>> evt = AnalysisCompletionEvent(bv, on_complete)
>>>
cancel()[source]

shut down and no further analysis should be done afterward.

class binaryninja.binaryview.AnalysisInfo(state, analysis_time, active_info)[source]

Bases: object

class binaryninja.binaryview.AnalysisProgress(state, count, total)[source]

Bases: object

class binaryninja.binaryview.BinaryDataNotification[source]

Bases: object

data_inserted(view, offset, length)[source]
data_removed(view, offset, length)[source]
data_var_added(view, var)[source]
data_var_removed(view, var)[source]
data_var_updated(view, var)[source]
data_written(view, offset, length)[source]
function_added(view, func)[source]
function_removed(view, func)[source]
function_update_requested(view, func)[source]
function_updated(view, func)[source]
string_found(view, string_type, offset, length)[source]
string_removed(view, string_type, offset, length)[source]
type_defined(view, name, type)[source]
type_undefined(view, name, type)[source]
class binaryninja.binaryview.BinaryDataNotificationCallbacks(view, notify)[source]

Bases: object

class binaryninja.binaryview.BinaryReader(view, endian=None)[source]

Bases: object

class BinaryReader is a convenience class for reading binary data.

BinaryReader can be instantiated as follows and the rest of the document will start from this context

>>> from binaryninja import *
>>> bv = BinaryViewType['Mach-O'].open("/bin/ls")
>>> br = BinaryReader(bv)
>>> hex(br.read32())
'0xfeedfacfL'
>>>

Or using the optional endian parameter

>>> from binaryninja import *
>>> br = BinaryReader(bv, Endianness.BigEndian)
>>> hex(br.read32())
'0xcffaedfeL'
>>>
endianness

The Endianness to read data. (read/write)

Getter:returns the endianness of the reader
Setter:sets the endianness of the reader (BigEndian or LittleEndian)
Type:Endianness
eof

Is end of file (read-only)

Getter:returns boolean, true if end of file, false otherwise
Type:bool
offset

The current read offset (read/write).

Getter:returns the current internal offset
Setter:sets the internal offset
Type:int
read(length)[source]

read returns length bytes read from the current offset, adding length to offset.

Parameters:

length (int) – number of bytes to read.
Returns:

length bytes from current offset
Return type:

str, or None on failure
Example:
>>> br.read(8)
'\xcf\xfa\xed\xfe\x07\x00\x00\x01'
>>>
read16()[source]

read16 returns a two byte integer from offet incrementing the offset by two, using specified endianness.

Returns:

a two byte integer at offset.
Return type:

int, or None on failure
Example:
>>> br.seek(0x100000000)
>>> hex(br.read16())
'0xfacf'
>>>
read16be()[source]

read16be returns a two byte big endian integer from offet incrementing the offset by two.

Returns:

a two byte integer at offset.
Return type:

int, or None on failure
Example:
>>> br.seek(0x100000000)
>>> hex(br.read16be())
'0xcffa'
>>>
read16le()[source]

read16le returns a two byte little endian integer from offet incrementing the offset by two.

Returns:

a two byte integer at offset.
Return type:

int, or None on failure
Exmaple:
>>> br.seek(0x100000000)
>>> hex(br.read16le())
'0xfacf'
>>>
read32()[source]

read32 returns a four byte integer from offet incrementing the offset by four, using specified endianness.

Returns:

a four byte integer at offset.
Return type:

int, or None on failure
Example:
>>> br.seek(0x100000000)
>>> hex(br.read32())
'0xfeedfacfL'
>>>
read32be()[source]

read32be returns a four byte big endian integer from offet incrementing the offset by four.

Returns:

a four byte integer at offset.
Return type:

int, or None on failure
Example:
>>> br.seek(0x100000000)
>>> hex(br.read32be())
'0xcffaedfe'
>>>
read32le()[source]

read32le returns a four byte little endian integer from offet incrementing the offset by four.

Returns:

a four byte integer at offset.
Return type:

int, or None on failure
Example:
>>> br.seek(0x100000000)
>>> hex(br.read32le())
'0xfeedfacf'
>>>
read64()[source]

read64 returns an eight byte integer from offet incrementing the offset by eight, using specified endianness.

Returns:

an eight byte integer at offset.
Return type:

int, or None on failure
Example:
>>> br.seek(0x100000000)
>>> hex(br.read64())
'0x1000007feedfacfL'
>>>
read64be()[source]

read64be returns an eight byte big endian integer from offet incrementing the offset by eight.

Returns:

a eight byte integer at offset.
Return type:

int, or None on failure
Example:
>>> br.seek(0x100000000)
>>> hex(br.read64be())
'0xcffaedfe07000001L'
read64le()[source]

read64le returns an eight byte little endian integer from offet incrementing the offset by eight.

Returns:

a eight byte integer at offset.
Return type:

int, or None on failure
Example:
>>> br.seek(0x100000000)
>>> hex(br.read64le())
'0x1000007feedfacf'
>>>
read8()[source]

read8 returns a one byte integer from offet incrementing the offset.

Returns:

byte at offset.
Return type:

int, or None on failure
Example:
>>> br.seek(0x100000000)
>>> br.read8()
207
>>>
seek(offset)[source]

seek update internal offset to offset.

Parameters:

offset (int) – offset to set the internal offset to
Return type:

None
Example:
>>> hex(br.offset)
'0x100000008L'
>>> br.seek(0x100000000)
>>> hex(br.offset)
'0x100000000L'
>>>
seek_relative(offset)[source]

seek_relative updates the internal offset by offset.

Parameters:

offset (int) – offset to add to the internal offset
Return type:

None
Example:
>>> hex(br.offset)
'0x100000008L'
>>> br.seek_relative(-8)
>>> hex(br.offset)
'0x100000000L'
>>>
class binaryninja.binaryview.BinaryView(file_metadata=None, parent_view=None, handle=None)[source]

Bases: object

class BinaryView implements a view on binary data, and presents a queryable interface of a binary file. One key job of BinaryView is file format parsing which allows Binary Ninja to read, write, insert, remove portions of the file given a virtual address. For the purposes of this documentation we define a virtual address as the memory address that the various pieces of the physical file will be loaded at.

A binary file does not have to have just one BinaryView, thus much of the interface to manipulate disassembly exists within or is accessed through a BinaryView. All files are guaranteed to have at least the Raw BinaryView. The Raw BinaryView is simply a hex editor, but is helpful for manipulating binary files via their absolute addresses.

BinaryViews are plugins and thus registered with Binary Ninja at startup, and thus should never be instantiated directly as this is already done. The list of available BinaryViews can be seen in the BinaryViewType class which provides an iterator and map of the various installed BinaryViews:

>>> list(BinaryViewType)
[<view type: 'Raw'>, <view type: 'ELF'>, <view type: 'Mach-O'>, <view type: 'PE'>]
>>> BinaryViewType['ELF']
<view type: 'ELF'>

To open a file with a given BinaryView the following code can be used:

>>> bv = BinaryViewType['Mach-O'].open("/bin/ls")
>>> bv
<BinaryView: '/bin/ls', start 0x100000000, len 0xa000>

By convention in the rest of this document we will use bv to mean an open BinaryView of an executable file. When a BinaryView is open on an executable view, analysis does not automatically run, this can be done by running the update_analysis_and_wait() method which disassembles the executable and returns when all disassembly is finished:

>>> bv.update_analysis_and_wait()
>>>

Since BinaryNinja’s analysis is multi-threaded (depending on version) this can also be done in the background by using the update_analysis() method instead.

By standard python convention methods which start with ‘_’ should be considered private and should not be called externally. Additionanlly, methods which begin with perform_ should not be called either and are used explicitly for subclassing the BinaryView.

Note

An important note on the *_user_*() methods. Binary Ninja makes a distinction between edits performed by the user and actions performed by auto analysis. Auto analysis actions that can quickly be recalculated are not saved to the database. Auto analysis actions that take a long time and all user edits are stored in the database (e.g. remove_user_function() rather than remove_function()). Thus use _user_ methods if saving to the database is desired.

abort_analysis()[source]

abort_analysis will abort the currently running analysis.

Return type:None
add_analysis_completion_event(callback)[source]

add_analysis_completion_event sets up a call back function to be called when analysis has been completed. This is helpful when using update_analysis which does not wait for analysis completion before returning.

The callee of this function is not resposible for maintaining the lifetime of the returned AnalysisCompletionEvent object.

Parameters:

callback (callable()) – A function to be called with no parameters when analysis has completed.
Returns:

An initialized AnalysisCompletionEvent object.
Return type:

AnalysisCompletionEvent
Example:
>>> def completionEvent():
...   print("done")
...
>>> bv.add_analysis_completion_event(completionEvent)
<binaryninja.AnalysisCompletionEvent object at 0x10a2c9f10>
>>> bv.update_analysis()
done
>>>
add_analysis_option(name)[source]

add_analysis_option adds an analysis option. Analysis options elaborate the analysis phase. The user must start analysis by calling either update_analysis() or update_analysis_and_wait().

Parameters:

name (str) – name of the analysis option. Available options: “linearsweep” : apply linearsweep analysis during the next analysis update (run-once semantics)
Return type:

None
Example:
>>> bv.add_analysis_option("linearsweep")
>>> bv.update_analysis_and_wait()
add_auto_section(name, start, length, semantics=<SectionSemantics.DefaultSectionSemantics: 0>, type='', align=1, entry_size=1, linked_section='', info_section='', info_data=0)[source]
add_auto_segment(start, length, data_offset, data_length, flags)[source]
add_entry_point(addr, plat=None)[source]

add_entry_point adds an virtual address to start analysis from for a given plat.

Parameters:
  • addr (int) – virtual address to start analysis from
  • plat (Platform) – Platform for the entry point analysis
Return type:

None
Example:
>>> bv.add_entry_point(0xdeadbeef)
>>>
add_function(addr, plat=None)[source]

add_function add a new function of the given plat at the virtual address addr

Parameters:
  • addr (int) – virtual address of the function to be added
  • plat (Platform) – Platform for the function to be added
Return type:

None
Example:
>>> bv.add_function(1)
>>> bv.functions
[<func: x86_64@0x1>]
add_undo_action(action)[source]
add_user_section(name, start, length, semantics=<SectionSemantics.DefaultSectionSemantics: 0>, type='', align=1, entry_size=1, linked_section='', info_section='', info_data=0)[source]
add_user_segment(start, length, data_offset, data_length, flags)[source]
address_size

Address size of the binary (read-only)

allocated_ranges

List of valid address ranges for this view (read-only)

always_branch(addr, arch=None)[source]

always_branch convert the instruction of architecture arch at the virtual address addr to an unconditional branch.

Note

This API performs a binary patch, analysis may need to be updated afterward. Additionally the binary file must be saved in order to preserve the changes made.

Parameters:
  • addr (int) – virtual address of the instruction to be modified
  • arch (Architecture) – (optional) the architecture of the instructions if different from the default
Returns:

True on success, False on falure.
Return type:

bool
Example:
>>> bv.get_disassembly(0x100012ef)
'jg      0x100012f5'
>>> bv.always_branch(0x100012ef)
True
>>> bv.get_disassembly(0x100012ef)
'jmp     0x100012f5'
>>>
analysis_changed

boolean analysis state changed of the currently running analysis (read-only)

analysis_info

Relevant analysis information with list of functions under active analysis (read-only)

analysis_progress

Status of current analysis (read-only)

arch

The architecture associated with the current BinaryView (read/write)

available_view_types

Available view types (read-only)

basic_blocks

A generator of all BasicBlock objects in the BinaryView

begin_undo_actions()[source]

begin_undo_actions start recording actions taken so the can be undone at some point.

Return type:

None
Example:
>>> bv.get_disassembly(0x100012f1)
'xor     eax, eax'
>>> bv.begin_undo_actions()
>>> bv.convert_to_nop(0x100012f1)
True
>>> bv.commit_undo_actions()
>>> bv.get_disassembly(0x100012f1)
'nop'
>>> bv.undo()
>>> bv.get_disassembly(0x100012f1)
'xor     eax, eax'
>>>
commit_undo_actions()[source]

commit_undo_actions commit the actions taken since the last commit to the undo database.

Return type:

None
Example:
>>> bv.get_disassembly(0x100012f1)
'xor     eax, eax'
>>> bv.begin_undo_actions()
>>> bv.convert_to_nop(0x100012f1)
True
>>> bv.commit_undo_actions()
>>> bv.get_disassembly(0x100012f1)
'nop'
>>> bv.undo()
>>> bv.get_disassembly(0x100012f1)
'xor     eax, eax'
>>>
convert_to_nop(addr, arch=None)[source]

convert_to_nop converts the instruction at virtual address addr to a nop of the provided architecture.

Note

This API performs a binary patch, analysis may need to be updated afterward. Additionally the binary file must be saved in order to preserve the changes made.

Parameters:
  • addr (int) – virtual address of the instruction to conver to nops
  • arch (Architecture) – (optional) the architecture of the instructions if different from the default
Returns:

True on success, False on falure.
Return type:

bool
Example:
>>> bv.get_disassembly(0x100012fb)
'call    0x10001629'
>>> bv.convert_to_nop(0x100012fb)
True
>>> #The above 'call' instruction is 5 bytes, a nop in x86 is 1 byte,
>>> # thus 5 nops are used:
>>> bv.get_disassembly(0x100012fb)
'nop'
>>> bv.get_next_disassembly()
'nop'
>>> bv.get_next_disassembly()
'nop'
>>> bv.get_next_disassembly()
'nop'
>>> bv.get_next_disassembly()
'nop'
>>> bv.get_next_disassembly()
'mov     byte [ebp-0x1c], al'
create_database(filename, progress_func=None)[source]

create_database writes the current database (.bndb) file out to the specified file.

Parameters:
  • filename (str) – path and filename to write the bndb to, this string should have ”.bndb” appended to it.
  • progress_func (callable()) – optional function to be called with the current progress and total count.
Returns:

true on success, false on failure
Return type:

bool
create_user_function(addr, plat=None)[source]

create_user_function add a new user function of the given plat at the virtual address addr

Parameters:
  • addr (int) – virtual address of the user function to be added
  • plat (Platform) – Platform for the function to be added
Return type:

None
Example:
>>> bv.create_user_function(1)
>>> bv.functions
[<func: x86_64@0x1>]
data_vars

List of data variables (read-only)

define_auto_symbol(sym)[source]

define_auto_symbol adds a symbol to the internal list of automatically discovered Symbol objects.

Warning

If multiple symbols for the same address are defined, only the most recent symbol will ever be used.

Parameters:sym (Symbol) – the symbol to define
Return type:None
define_auto_symbol_and_var_or_function(sym, sym_type, plat=None)[source]

define_auto_symbol_and_var_or_function

Warning

If multiple symbols for the same address are defined, only the most recent symbol will ever be used.

Parameters:
  • sym (Symbol) – the symbol to define
  • sym_type (SymbolType) – Type of symbol being defined
  • plat (Platform) – (optional) platform
Return type:

None
define_data_var(addr, var_type)[source]

define_data_var defines a non-user data variable var_type at the virtual address addr.

Parameters:
  • addr (int) – virtual address to define the given data variable
  • var_type (Type) – type to be defined at the given virtual address
Return type:

None
Example:
>>> t = bv.parse_type_string("int foo")
>>> t
(<type: int32_t>, 'foo')
>>> bv.define_data_var(bv.entry_point, t[0])
>>>
define_imported_function(import_addr_sym, func)[source]

define_imported_function defines an imported Function func with a ImportedFunctionSymbol type.

Parameters:
  • import_addr_sym (Symbol) – A Symbol object with type ImportedFunctionSymbol
  • func (Function) – A Function object to define as an imported function
Return type:

None
define_type(type_id, default_name, type_obj)[source]

define_type registers a Type type_obj of the given name in the global list of types for the current BinaryView. This method should only be used for automatically generated types.

Parameters:
  • type_id (str) – Unique identifier for the automatically generated type
  • default_name (QualifiedName) – Name of the type to be registered
  • type_obj (Type) – Type object to be registered
Returns:

Registered name of the type. May not be the same as the requested name if the user has renamed types.
Return type:

QualifiedName
Example:
>>> type, name = bv.parse_type_string("int foo")
>>> registered_name = bv.define_type(Type.generate_auto_type_id("source", name), name, type)
>>> bv.get_type_by_name(registered_name)
<type: int32_t>
define_user_data_var(addr, var_type)[source]

define_user_data_var defines a user data variable var_type at the virtual address addr.

Parameters:
  • addr (int) – virtual address to define the given data variable
  • var_type (binaryninja.Type) – type to be defined at the given virtual address
Return type:

None
Example:
>>> t = bv.parse_type_string("int foo")
>>> t
(<type: int32_t>, 'foo')
>>> bv.define_user_data_var(bv.entry_point, t[0])
>>>
define_user_symbol(sym)[source]

define_user_symbol adds a symbol to the internal list of user added Symbol objects.

Warning

If multiple symbols for the same address are defined, only the most recent symbol will ever be used.

Parameters:sym (Symbol) – the symbol to define
Return type:None
define_user_type(name, type_obj)[source]

define_user_type registers a Type type_obj of the given name in the global list of user types for the current BinaryView.

Parameters:
  • name (QualifiedName) – Name of the user type to be registered
  • type_obj (Type) – Type object to be registered
Return type:

None
Example:
>>> type, name = bv.parse_type_string("int foo")
>>> bv.define_user_type(name, type)
>>> bv.get_type_by_name(name)
<type: int32_t>
end

End offset of the binary (read-only)

endianness

Endianness of the binary (read-only)

entry_function

Entry function (read-only)

entry_point

Entry point of the binary (read-only)

executable

Whether the binary is an executable (read-only)

find_next_data(start, data, flags=0)[source]

find_next_data searchs for the bytes in data starting at the virtual address start either, case-sensitive, or case-insensitive.

Parameters:
  • start (int) – virtual address to start searching from.
  • data (str) – bytes to search for
  • flags (FindFlags) –

    case-sensitivity flag, one of the following:

    FindFlags Description
    NoFindFlags Case-sensitive find
    FindCaseInsensitive Case-insensitive find
functions

List of functions (read-only)

get_address_for_data_offset(offset)[source]
get_address_input(prompt, title, current_address=None)[source]
get_basic_blocks_at(addr)[source]

get_basic_blocks_at get a list of BasicBlock objects which exist at the provided virtual address.

Parameters:addr (int) – virtual address of BasicBlock desired
Returns:a list of BasicBlock objects
Return type:list(BasicBlock)
get_basic_blocks_starting_at(addr)[source]

get_basic_blocks_starting_at get a list of BasicBlock objects which start at the provided virtual address.

Parameters:addr (int) – virtual address of BasicBlock desired
Returns:a list of BasicBlock objects
Return type:list(BasicBlock)
get_code_refs(addr, length=None)[source]

get_code_refs returns a list of ReferenceSource objects (xrefs or cross-references) that point to the provided virtual address.

Parameters:

addr (int) – virtual address to query for references
Returns:

List of References for the given virtual address
Return type:

list(ReferenceSource)
Example:
>>> bv.get_code_refs(here)
[<ref: x86@0x4165ff>]
>>>
get_data_var_at(addr)[source]

get_data_var_at returns the data type at a given virtual address.

Parameters:

addr (int) – virtual address to get the data type from
Returns:

returns the DataVariable at the given virtual address, None on error.
Return type:

DataVariable
Example:
>>> t = bv.parse_type_string("int foo")
>>> bv.define_data_var(bv.entry_point, t[0])
>>> bv.get_data_var_at(bv.entry_point)
<var 0x100001174: int32_t>
get_disassembly(addr, arch=None)[source]

get_disassembly simple helper function for printing disassembly of a given address

Parameters:
  • addr (int) – virtual address of instruction
  • arch (Architecture) – optional Architecture, self.arch is used if this parameter is None
Returns:

a str representation of the instruction at virtual address addr or None
Return type:

str or None
Example:
>>> bv.get_disassembly(bv.entry_point)
'push    ebp'
>>>
get_function_at(addr, plat=None)[source]

get_function_at gets a Function object for the function that starts at virtual address addr:

Parameters:
  • addr (int) – starting virtual address of the desired function
  • plat (Platform) – plat of the desired function
Returns:

returns a Function object or None for the function at the virtual address provided
Return type:

Function
Example:
>>> bv.get_function_at(bv.entry_point)
<func: x86_64@0x100001174>
>>>
get_functions_at(addr)[source]

get_functions_at get a list of binaryninja.Function objects (one for each valid plat) at the given virtual address. Binary Ninja does not limit the number of platforms in a given file thus there may be multiple functions defined from different architectures at the same location. This API allows you to query all of valid platforms.

Parameters:addr (int) – virtual address of the desired Function object list.
Returns:a list of binaryninja.Function objects defined at the provided virtual address
Return type:list(Function)
get_functions_containing(addr)[source]

get_functions_containing returns a list of functions which contain the given address or None on failure.

Parameters:addr (int) – virtual address to query.
Return type:list of Function objects or None
get_instruction_length(addr, arch=None)[source]

get_instruction_length returns the number of bytes in the instruction of Architecture arch at the virtual address addr

Parameters:
  • addr (int) – virtual address of the instruction query
  • arch (Architecture) – (optional) the architecture of the instructions if different from the default
Returns:

Number of bytes in instruction
Return type:

int
Example:
>>> bv.get_disassembly(0x100012f1)
'xor     eax, eax'
>>> bv.get_instruction_length(0x100012f1)
2L
>>>
get_linear_disassembly(settings)[source]

get_linear_disassembly gets an iterator for all lines in the linear disassembly of the view for the given disassembly settings.

Note

linear_disassembly doesn’t just return disassembly it will return a single line from the linear view, and thus will contain both data views, and disassembly.

Parameters:

settings (DisassemblySettings) – instance specifying the desired output formatting.
Returns:

An iterator containing formatted dissassembly lines.
Return type:

LinearDisassemblyIterator
Example:
>>> settings = DisassemblySettings()
>>> lines = bv.get_linear_disassembly(settings)
>>> for line in lines:
...  print(line)
...  break
...
cf fa ed fe 07 00 00 01  ........
get_linear_disassembly_position_at(addr, settings)[source]

get_linear_disassembly_position_at instantiates a LinearDisassemblyPosition object for use in get_previous_linear_disassembly_lines() or get_next_linear_disassembly_lines().

Parameters:
  • addr (int) – virtual address of linear disassembly position
  • settings (DisassemblySettings) – an instantiated DisassemblySettings object
Returns:

An instantied LinearDisassemblyPosition object for the provided virtual address
Return type:

LinearDisassemblyPosition
Example:
>>> settings = DisassemblySettings()
>>> pos = bv.get_linear_disassembly_position_at(0x1000149f, settings)
>>> lines = bv.get_previous_linear_disassembly_lines(pos, settings)
>>> lines
[<0x1000149a: pop     esi>, <0x1000149b: pop     ebp>,
<0x1000149c: retn    0xc>, <0x1000149f: >]
get_modification(addr, length=None)[source]

get_modification returns the modified bytes of up to length bytes from virtual address addr, or if length is None returns the ModificationStatus.

Parameters:
  • addr (int) – virtual address to get modification from
  • length (int) – optional length of modification
Returns:

Either ModificationStatus of the byte at addr, or string of modified bytes at addr
Return type:

ModificationStatus or str
get_next_basic_block_start_after(addr)[source]
get_next_basic_block_start_after returns the virtual address of the BasicBlock that occurs after the virtual
address addr
Parameters:

addr (int) – the virtual address to start looking from.
Returns:

the virtual address of the next BasicBlock
Return type:

int
Example:
>>> hex(bv.get_next_basic_block_start_after(bv.entry_point))
'0x100014a8L'
>>> hex(bv.get_next_basic_block_start_after(0x100014a8))
'0x100014adL'
>>>
get_next_data_after(addr)[source]

get_next_data_after retrieves the virtual address of the next non-code byte.

Parameters:

addr (int) – the virtual address to start looking from.
Returns:

the virtual address of the next data byte which is data, not code
Return type:

int
Example:
>>> hex(bv.get_next_data_after(0x10000000))
'0x10000001L'
get_next_data_var_after(addr)[source]

get_next_data_var_after retrieves the next virtual address of the next DataVariable

Parameters:

addr (int) – the virtual address to start looking from.
Returns:

the virtual address of the next DataVariable
Return type:

int
Example:
>>> hex(bv.get_next_data_var_after(0x10000000))
'0x1000003cL'
>>> bv.get_data_var_at(0x1000003c)
<var 0x1000003c: int32_t>
>>>
get_next_disassembly(arch=None)[source]

get_next_disassembly simple helper function for printing disassembly of the next instruction. The internal state of the instruction to be printed is stored in the next_address attribute

Parameters:

arch (Architecture) – optional Architecture, self.arch is used if this parameter is None
Returns:

a str representation of the instruction at virtual address self.next_address
Return type:

str or None
Example:
>>> bv.get_next_disassembly()
'push    ebp'
>>> bv.get_next_disassembly()
'mov     ebp, esp'
>>> #Now reset the starting point back to the entry point
>>> bv.next_address = bv.entry_point
>>> bv.get_next_disassembly()
'push    ebp'
>>>
get_next_function_start_after(addr)[source]

get_next_function_start_after returns the virtual address of the Function that occurs after the virtual address addr

Parameters:

addr (int) – the virtual address to start looking from.
Returns:

the virtual address of the next Function
Return type:

int
Example:
>>> bv.get_next_function_start_after(bv.entry_point)
268441061L
>>> hex(bv.get_next_function_start_after(bv.entry_point))
'0x100015e5L'
>>> hex(bv.get_next_function_start_after(0x100015e5))
'0x10001629L'
>>> hex(bv.get_next_function_start_after(0x10001629))
'0x1000165eL'
>>>
get_next_linear_disassembly_lines(pos, settings)[source]

get_next_linear_disassembly_lines retrieves a list of LinearDisassemblyLine objects for the next disassembly lines, and updates the LinearDisassemblyPosition passed in. This function can be called repeatedly to get more lines of linear disassembly.

Parameters:
Returns:

a list of LinearDisassemblyLine objects for the next lines.
Example:
>>> settings = DisassemblySettings()
>>> pos = bv.get_linear_disassembly_position_at(0x10001483, settings)
>>> bv.get_next_linear_disassembly_lines(pos, settings)
[<0x10001483: xor     eax, eax  {0x0}>, <0x10001485: inc     eax  {0x1}>, ... , <0x10001488: >]
>>> bv.get_next_linear_disassembly_lines(pos, settings)
[<0x10001488: push    dword [ebp+0x10 {arg_c}]>, ... , <0x1000149a: >]
>>>
get_previous_basic_block_end_before(addr)[source]

get_previous_basic_block_end_before

Parameters:

addr (int) – the virtual address to start looking from.
Returns:

the virtual address of the previous BasicBlock end
Return type:

int
Example:
>>> hex(bv.entry_point)
'0x1000149fL'
>>> hex(bv.get_next_basic_block_start_after(bv.entry_point))
'0x100014a8L'
>>> hex(bv.get_previous_basic_block_end_before(0x100014a8))
'0x100014a8L'
get_previous_basic_block_start_before(addr)[source]

get_previous_basic_block_start_before returns the virtual address of the BasicBlock that occurs prior to the provided virtual address

Parameters:

addr (int) – the virtual address to start looking from.
Returns:

the virtual address of the previous BasicBlock
Return type:

int
Example:
>>> hex(bv.entry_point)
'0x1000149fL'
>>> hex(bv.get_next_basic_block_start_after(bv.entry_point))
'0x100014a8L'
>>> hex(bv.get_previous_basic_block_start_before(0x100014a8))
'0x1000149fL'
>>>
get_previous_data_before(addr)[source]

get_previous_data_before

Parameters:

addr (int) – the virtual address to start looking from.
Returns:

the virtual address of the previous data (non-code) byte
Return type:

int
Example:
>>> hex(bv.get_previous_data_before(0x1000001))
'0x1000000L'
>>>
get_previous_data_var_before(addr)[source]

get_previous_data_var_before

Parameters:

addr (int) – the virtual address to start looking from.
Returns:

the virtual address of the previous DataVariable
Return type:

int
Example:
>>> hex(bv.get_previous_data_var_before(0x1000003c))
'0x10000000L'
>>> bv.get_data_var_at(0x10000000)
<var 0x10000000: int16_t>
>>>
get_previous_function_start_before(addr)[source]

get_previous_function_start_before returns the virtual address of the Function that occurs prior to the virtual address provided

Parameters:

addr (int) – the virtual address to start looking from.
Returns:

the virtual address of the previous Function
Return type:

int
Example:
>>> hex(bv.entry_point)
'0x1000149fL'
>>> hex(bv.get_next_function_start_after(bv.entry_point))
'0x100015e5L'
>>> hex(bv.get_previous_function_start_before(0x100015e5))
'0x1000149fL'
>>>
get_previous_linear_disassembly_lines(pos, settings)[source]

get_previous_linear_disassembly_lines retrieves a list of LinearDisassemblyLine objects for the previous disassembly lines, and updates the LinearDisassemblyPosition passed in. This function can be called repeatedly to get more lines of linear disassembly.

Parameters:
Returns:

a list of LinearDisassemblyLine objects for the previous lines.
Example:
>>> settings = DisassemblySettings()
>>> pos = bv.get_linear_disassembly_position_at(0x1000149a, settings)
>>> bv.get_previous_linear_disassembly_lines(pos, settings)
[<0x10001488: push    dword [ebp+0x10 {arg_c}]>, ... , <0x1000149a: >]
>>> bv.get_previous_linear_disassembly_lines(pos, settings)
[<0x10001483: xor     eax, eax  {0x0}>, ... , <0x10001488: >]
get_recent_basic_block_at(addr)[source]
get_recent_function_at(addr)[source]
get_section_by_name(name)[source]
get_sections_at(addr)[source]
get_segment_at(addr)[source]
get_strings(start=None, length=None)[source]

get_strings returns a list of strings defined in the binary in the optional virtual address range: start-(start+length)

Parameters:
  • start (int) – optional virtual address to start the string list from, defaults to start of the binary
  • length (int) – optional length range to return strings from, defaults to length of the binary
Returns:

a list of all strings or a list of strings defined between start and start+length
Return type:

list(str())
Example:
>>> bv.get_strings(0x1000004d, 1)
[<AsciiString: 0x1000004d, len 0x2c>]
>>>
get_symbol_at(addr)[source]

get_symbol_at returns the Symbol at the provided virtual address.

Parameters:

addr (int) – virtual address to query for symbol
Returns:

Symbol for the given virtual address
Return type:

Symbol
Example:
>>> bv.get_symbol_at(bv.entry_point)
<FunctionSymbol: "_start" @ 0x100001174>
>>>
get_symbol_by_raw_name(name)[source]

get_symbol_by_raw_name retrieves a Symbol object for the given a raw (mangled) name.

Parameters:

name (str) – raw (mangled) name of Symbol to be retrieved
Returns:

Symbol object corresponding to the provided raw name
Return type:

Symbol
Example:
>>> bv.get_symbol_by_raw_name('?testf@Foobar@@SA?AW4foo@1@W421@@Z')
<FunctionSymbol: "public: static enum Foobar::foo __cdecl Foobar::testf(enum Foobar::foo)" @ 0x10001100>
>>>
get_symbols(start=None, length=None)[source]

get_symbols retrieves the list of all Symbol objects in the optionally provided range.

Parameters:
  • start (int) – optional start virtual address
  • length (int) – optional length
Returns:

list of all Symbol objects, or those Symbol objects in the range of start-start+length
Return type:

list(Symbol)
Example:
>>> bv.get_symbols(0x1000200c, 1)
[<ImportAddressSymbol: "KERNEL32!IsProcessorFeaturePresent@IAT" @ 0x1000200c>]
>>>
get_symbols_by_name(name)[source]

get_symbols_by_name retrieves a list of Symbol objects for the given symbol name.

Parameters:

name (str) – name of Symbol object to be retrieved
Returns:

Symbol object corresponding to the provided name
Return type:

Symbol
Example:
>>> bv.get_symbols_by_name('?testf@Foobar@@SA?AW4foo@1@W421@@Z')
[<FunctionSymbol: "public: static enum Foobar::foo __cdecl Foobar::testf(enum Foobar::foo)" @ 0x10001100>]
>>>
get_symbols_of_type(sym_type, start=None, length=None)[source]
get_symbols_of_type retrieves a list of all Symbol objects of the provided symbol type in the optionally
provided range.
Parameters:
  • sym_type (SymbolType) – A Symbol type: Symbol.
  • start (int) – optional start virtual address
  • length (int) – optional length
Returns:

list of all Symbol objects of type sym_type, or those Symbol objects in the range of start-start+length
Return type:

list(Symbol)
Example:
>>> bv.get_symbols_of_type(SymbolType.ImportAddressSymbol, 0x10002028, 1)
[<ImportAddressSymbol: "KERNEL32!GetCurrentThreadId@IAT" @ 0x10002028>]
>>>
get_type_by_id(id)[source]

get_type_by_id returns the defined type whose unique identifier corresponds with the provided id

Parameters:

id (str) – Unique identifier to lookup
Returns:

A Type or None if the type does not exist
Return type:

Type or None
Example:
>>> type, name = bv.parse_type_string("int foo")
>>> type_id = Type.generate_auto_type_id("source", name)
>>> bv.define_type(type_id, name, type)
>>> bv.get_type_by_id(type_id)
<type: int32_t>
>>>
get_type_by_name(name)[source]

get_type_by_name returns the defined type whose name corresponds with the provided name

Parameters:

name (QualifiedName) – Type name to lookup
Returns:

A Type or None if the type does not exist
Return type:

Type or None
Example:
>>> type, name = bv.parse_type_string("int foo")
>>> bv.define_user_type(name, type)
>>> bv.get_type_by_name(name)
<type: int32_t>
>>>
get_type_id(name)[source]

get_type_id returns the unique indentifier of the defined type whose name corresponds with the provided name

Parameters:

name (QualifiedName) – Type name to lookup
Returns:

The unique identifier of the type
Return type:

str
Example:
>>> type, name = bv.parse_type_string("int foo")
>>> type_id = Type.generate_auto_type_id("source", name)
>>> registered_name = bv.define_type(type_id, name, type)
>>> bv.get_type_id(registered_name) == type_id
True
>>>
get_type_name_by_id(id)[source]

get_type_name_by_id returns the defined type name whose unique identifier corresponds with the provided id

Parameters:

id (str) – Unique identifier to lookup
Returns:

A QualifiedName or None if the type does not exist
Return type:

QualifiedName or None
Example:
>>> type, name = bv.parse_type_string("int foo")
>>> type_id = Type.generate_auto_type_id("source", name)
>>> bv.define_type(type_id, name, type)
'foo'
>>> bv.get_type_name_by_id(type_id)
'foo'
>>>
get_unique_section_names(name_list)[source]
get_view_of_type(name)[source]

get_view_of_type returns the BinaryView associated with the provided name if it exists.

Parameters:name (str) – Name of the view to be retrieved
Returns:BinaryView object assocated with the provided name or None on failure
Return type:BinaryView or None
global_pointer_value

Discovered value of the global pointer register, if the binary uses one (read-only)

has_database

boolean has a database been written to disk (read-only)

has_functions

Boolean whether the binary has functions (read-only)

init()[source]
insert(addr, data)[source]

insert inserts the bytes in data to the virtual address addr.

Parameters:
  • addr (int) – virtual address to write to.
  • data (str) – data to be inserted at addr.
Returns:

number of bytes inserted to virtual address addr
Return type:

int
Example:
>>> bv.insert(0,"BBBB")
4L
>>> bv.read(0,8)
'BBBBAAAA'
instructions

A generator of instruction tokens and their start addresses

invert_branch(addr, arch=None)[source]

invert_branch convert the branch instruction of architecture arch at the virtual address addr to the inverse branch.

Note

This API performs a binary patch, analysis may need to be updated afterward. Additionally the binary

file must be saved in order to preserve the changes made.

Parameters:
  • addr (int) – virtual address of the instruction to be modified
  • arch (Architecture) – (optional) the architecture of the instructions if different from the default
Returns:

True on success, False on falure.
Return type:

bool
Example:
>>> bv.get_disassembly(0x1000130e)
'je      0x10001317'
>>> bv.invert_branch(0x1000130e)
True
>>>
>>> bv.get_disassembly(0x1000130e)
'jne     0x10001317'
>>>
is_always_branch_patch_available(addr, arch=None)[source]

is_always_branch_patch_available queries the architecture plugin to determine if the instruction at addr can be made to always branch. The actual logic of which is implemented in the perform_is_always_branch_patch_available in the corresponding architecture.

Parameters:
  • addr (int) – the virtual address of the instruction to be patched
  • arch (Architecture) – (optional) the architecture for the current view
Returns:

True if the instruction can be patched, False otherwise
Return type:

bool
Example:
>>> bv.get_disassembly(0x100012ed)
'test    eax, eax'
>>> bv.is_always_branch_patch_available(0x100012ed)
False
>>> bv.get_disassembly(0x100012ef)
'jg      0x100012f5'
>>> bv.is_always_branch_patch_available(0x100012ef)
True
>>>
is_invert_branch_patch_available(addr, arch=None)[source]

is_invert_branch_patch_available queries the architecture plugin to determine if the instruction at addr is a branch that can be inverted. The actual logic of which is implemented in the perform_is_invert_branch_patch_available in the corresponding architecture.

Parameters:
  • addr (int) – the virtual address of the instruction to be patched
  • arch (Architecture) – (optional) the architecture of the instructions if different from the default
Returns:

True if the instruction can be patched, False otherwise
Return type:

bool
Example:
>>> bv.get_disassembly(0x100012ed)
'test    eax, eax'
>>> bv.is_invert_branch_patch_available(0x100012ed)
False
>>> bv.get_disassembly(0x100012ef)
'jg      0x100012f5'
>>> bv.is_invert_branch_patch_available(0x100012ef)
True
>>>
is_never_branch_patch_available(addr, arch=None)[source]

is_never_branch_patch_available queries the architecture plugin to determine if the instruction at the instruction at addr can be made to never branch. The actual logic of which is implemented in the perform_is_never_branch_patch_available in the corresponding architecture.

Parameters:
  • addr (int) – the virtual address of the instruction to be patched
  • arch (Architecture) – (optional) the architecture of the instructions if different from the default
Returns:

True if the instruction can be patched, False otherwise
Return type:

bool
Example:
>>> bv.get_disassembly(0x100012ed)
'test    eax, eax'
>>> bv.is_never_branch_patch_available(0x100012ed)
False
>>> bv.get_disassembly(0x100012ef)
'jg      0x100012f5'
>>> bv.is_never_branch_patch_available(0x100012ef)
True
>>>
is_offset_code_semantics(addr)[source]

is_offset_code_semantics checks if an virtual address addr is semantically valid for code.

Parameters:addr (int) – a virtual address to be checked
Returns:true if the virtual address is valid for writing, false if the virtual address is invalid or error
Return type:bool
is_offset_executable(addr)[source]

is_offset_executable checks if an virtual address addr is valid for executing.

Parameters:addr (int) – a virtual address to be checked
Returns:true if the virtual address is valid for executing, false if the virtual address is invalid or error
Return type:bool
is_offset_readable(addr)[source]

is_offset_readable checks if an virtual address addr is valid for reading.

Parameters:addr (int) – a virtual address to be checked
Returns:true if the virtual address is valid for reading, false if the virtual address is invalid or error
Return type:bool
is_offset_writable(addr)[source]

is_offset_writable checks if an virtual address addr is valid for writing.

Parameters:addr (int) – a virtual address to be checked
Returns:true if the virtual address is valid for writing, false if the virtual address is invalid or error
Return type:bool
is_offset_writable_semantics(addr)[source]

is_offset_writable_semantics checks if an virtual address addr is semantically writable. Some sections may have writable permissions for linking purposes but can be treated as read-only for the purposes of analysis.

Parameters:addr (int) – a virtual address to be checked
Returns:true if the virtual address is valid for writing, false if the virtual address is invalid or error
Return type:bool
is_skip_and_return_value_patch_available(addr, arch=None)[source]

is_skip_and_return_value_patch_available queries the architecture plugin to determine if the instruction at addr is similar to an x86 “call” instruction which can be made to return a value. The actual logic of which is implemented in the perform_is_skip_and_return_value_patch_available in the corresponding architecture.

Parameters:
  • addr (int) – the virtual address of the instruction to be patched
  • arch (Architecture) – (optional) the architecture of the instructions if different from the default
Returns:

True if the instruction can be patched, False otherwise
Return type:

bool
Example:
>>> bv.get_disassembly(0x100012f6)
'mov     dword [0x10003020], eax'
>>> bv.is_skip_and_return_value_patch_available(0x100012f6)
False
>>> bv.get_disassembly(0x100012fb)
'call    0x10001629'
>>> bv.is_skip_and_return_value_patch_available(0x100012fb)
True
>>>
is_skip_and_return_zero_patch_available(addr, arch=None)[source]

is_skip_and_return_zero_patch_available queries the architecture plugin to determine if the instruction at addr is similar to an x86 “call” instruction which can be made to return zero. The actual logic of which is implemented in the perform_is_skip_and_return_zero_patch_available in the corresponding architecture.

Parameters:
  • addr (int) – the virtual address of the instruction to be patched
  • arch (Architecture) – (optional) the architecture of the instructions if different from the default
Returns:

True if the instruction can be patched, False otherwise
Return type:

bool
Example:
>>> bv.get_disassembly(0x100012f6)
'mov     dword [0x10003020], eax'
>>> bv.is_skip_and_return_zero_patch_available(0x100012f6)
False
>>> bv.get_disassembly(0x100012fb)
'call    0x10001629'
>>> bv.is_skip_and_return_zero_patch_available(0x100012fb)
True
>>>
is_type_auto_defined(name)[source]

is_type_auto_defined queries the user type list of name. If name is not in the user type list then the name is considered an auto type.

Parameters:

name (QualifiedName) – Name of type to query
Returns:

True if the type is not a user type. False if the type is a user type.
Example:
>>> bv.is_type_auto_defined("foo")
True
>>> bv.define_user_type("foo", bv.parse_type_string("struct {int x,y;}")[0])
>>> bv.is_type_auto_defined("foo")
False
>>>
is_valid_offset(addr)[source]

is_valid_offset checks if an virtual address addr is valid .

Parameters:addr (int) – a virtual address to be checked
Returns:true if the virtual address is valid, false if the virtual address is invalid or error
Return type:bool
linear_disassembly

Iterator for all lines in the linear disassembly of the view

llil_basic_blocks

A generator of all LowLevelILBasicBlock objects in the BinaryView

llil_instructions

A generator of llil instructions

long_name = None
max_function_size_for_analysis

Maximum size of function (sum of basic block sizes in bytes) for auto analysis

mlil_basic_blocks

A generator of all MediumLevelILBasicBlock objects in the BinaryView

mlil_instructions

A generator of mlil instructions

modified

boolean modification state of the BinaryView (read/write)

name = None
navigate(view, offset)[source]
never_branch(addr, arch=None)[source]

never_branch convert the branch instruction of architecture arch at the virtual address addr to a fall through.

Note

This API performs a binary patch, analysis may need to be updated afterward. Additionally the binary file must be saved in order to preserve the changes made.

Parameters:
  • addr (int) – virtual address of the instruction to be modified
  • arch (Architecture) – (optional) the architecture of the instructions if different from the default
Returns:

True on success, False on falure.
Return type:

bool
Example:
>>> bv.get_disassembly(0x1000130e)
'jne     0x10001317'
>>> bv.never_branch(0x1000130e)
True
>>> bv.get_disassembly(0x1000130e)
'nop'
>>>
classmethod new(data=None, file_metadata=None)[source]
next_address = 0
notify_data_inserted(offset, length)[source]
notify_data_removed(offset, length)[source]
notify_data_written(offset, length)[source]
offset
classmethod open(src, file_metadata=None)[source]
parameters_for_analysis
parent_view

View that contains the raw data used by this view (read-only)

parse_type_string(text)[source]

parse_type_string converts C-style string into a Type.

Parameters:

text (str) – C-style string of type to create
Returns:

A tuple of a Type and type name
Return type:

tuple(Type, QualifiedName)
Example:
>>> bv.parse_type_string("int foo")
(<type: int32_t>, 'foo')
>>>
perform_get_address_size()[source]
perform_get_default_endianness()[source]

perform_get_default_endianness implements a check which returns true if the BinaryView is executable.

Note

This method may be implemented for custom BinaryViews that are not LittleEndian.

Warning

This method must not be called directly.

Returns:either Endianness.LittleEndian or Endianness.BigEndian
Return type:Endianness
perform_get_entry_point()[source]

perform_get_entry_point implements a query for the initial entry point for code execution.

Note

This method should be implmented for custom BinaryViews that are executable.

Warning

This method must not be called directly.

Returns:the virtual address of the entry point
Return type:int
perform_get_length()[source]

perform_get_length implements a query for the size of the virtual address range used by the BinaryView.

Note

This method may be overridden by custom BinaryViews. Use add_auto_segment to provide

data without overriding this method. .. warning:: This method must not be called directly.

Returns:returns the size of the virtual address range used by the BinaryView.
Return type:int
perform_get_modification(addr)[source]

perform_get_modification implements query to the whether the virtual address addr is modified.

Note

This method may be overridden by custom BinaryViews. Use add_auto_segment to provide

data without overriding this method. .. warning:: This method must not be called directly.

Parameters:addr (int) – a virtual address to be checked
Returns:One of the following: Original = 0, Changed = 1, Inserted = 2
Return type:ModificationStatus
perform_get_next_valid_offset(addr)[source]

perform_get_next_valid_offset implements a query for the next valid readable, writable, or executable virtual memory address.

Note

This method may be overridden by custom BinaryViews. Use add_auto_segment to provide

data without overriding this method. .. warning:: This method must not be called directly.

Parameters:addr (int) – a virtual address to start checking from.
Returns:the next readable, writable, or executable virtual memory address
Return type:int
perform_get_start()[source]

perform_get_start implements a query for the first readable, writable, or executable virtual address in the BinaryView.

Note

This method may be overridden by custom BinaryViews. Use add_auto_segment to provide

data without overriding this method. .. warning:: This method must not be called directly.

Returns:returns the first virtual address in the BinaryView.
Return type:int
perform_insert(addr, data)[source]

perform_insert implements a mapping between a virtual address and an absolute file offset, inserting the bytes data to rebased address addr.

Note

This method may be overridden by custom BinaryViews. If not overridden, inserting is disallowed

Warning

This method must not be called directly.

Parameters:
  • addr (int) – a virtual address
  • data (str) – the data to be inserted
Returns:

length of data inserted, should return 0 on error
Return type:

int
perform_is_executable()[source]

perform_is_executable implements a check which returns true if the BinaryView is executable.

Note

This method must be implemented for custom BinaryViews that are executable.

Warning

This method must not be called directly.

Returns:true if the current BinaryView is executable, false if it is not executable or on error
Return type:bool
perform_is_offset_executable(addr)[source]

perform_is_offset_executable implements a check if a virtual address addr is executable.

Note

This method may be overridden by custom BinaryViews. Use add_auto_segment to provide

data without overriding this method. .. warning:: This method must not be called directly.

Parameters:addr (int) – a virtual address to be checked
Returns:true if the virtual address is executable, false if the virtual address is not executable or error
Return type:int
perform_is_offset_readable(offset)[source]

perform_is_offset_readable implements a check if an virtual address is readable.

Note

This method may be overridden by custom BinaryViews. Use add_auto_segment to provide

data without overriding this method. .. warning:: This method must not be called directly.

Parameters:offset (int) – a virtual address to be checked
Returns:true if the virtual address is readable, false if the virtual address is not readable or error
Return type:bool
perform_is_offset_writable(addr)[source]

perform_is_offset_writable implements a check if a virtual address addr is writable.

Note

This method may be overridden by custom BinaryViews. Use add_auto_segment to provide

data without overriding this method. .. warning:: This method must not be called directly.

Parameters:addr (int) – a virtual address to be checked
Returns:true if the virtual address is writable, false if the virtual address is not writable or error
Return type:bool
perform_is_relocatable()[source]

perform_is_relocatable implements a check which returns true if the BinaryView is relocatable. Defaults to True.

Note

This method may be implemented for custom BinaryViews that are relocatable.

Warning

This method must not be called directly.

Returns:True if the BinaryView is relocatable, False otherwise
Return type:boolean
perform_is_valid_offset(addr)[source]

perform_is_valid_offset implements a check if an virtual address addr is valid.

Note

This method may be overridden by custom BinaryViews. Use add_auto_segment to provide

data without overriding this method. .. warning:: This method must not be called directly.

Parameters:addr (int) – a virtual address to be checked
Returns:true if the virtual address is valid, false if the virtual address is invalid or error
Return type:bool
perform_read(addr, length)[source]

perform_read implements a mapping between a virtual address and an absolute file offset, reading length bytes from the rebased address addr.

Note

This method may be overridden by custom BinaryViews. Use add_auto_segment to provide

data without overriding this method. .. warning:: This method must not be called directly.

Parameters:
  • addr (int) – a virtual address to attempt to read from
  • length (int) – the number of bytes to be read
Returns:

length bytes read from addr, should return empty string on error
Return type:

str
perform_remove(addr, length)[source]

perform_remove implements a mapping between a virtual address and an absolute file offset, removing length bytes from the rebased address addr.

Note

This method may be overridden by custom BinaryViews. If not overridden, removing data is disallowed

Warning

This method must not be called directly.

Parameters:
  • addr (int) – a virtual address
  • data (str) – the data to be removed
Returns:

length of data removed, should return 0 on error
Return type:

int
perform_save(accessor)[source]
perform_write(addr, data)[source]

perform_write implements a mapping between a virtual address and an absolute file offset, writing the bytes data to rebased address addr.

Note

This method may be overridden by custom BinaryViews. Use add_auto_segment to provide

data without overriding this method. .. warning:: This method must not be called directly.

Parameters:
  • addr (int) – a virtual address
  • data (str) – the data to be written
Returns:

length of data written, should return 0 on error
Return type:

int
platform

The platform associated with the current BinaryView (read/write)

query_metadata(key)[source]

query_metadata retrieves a metadata associated with the given key stored in the current BinaryView.

Parameters:

key (string) – key to query
Return type:

metadata associated with the key
Example:
>>> bv.store_metadata("integer", 1337)
>>> bv.query_metadata("integer")
1337L
>>> bv.store_metadata("list", [1,2,3])
>>> bv.query_metadata("list")
[1L, 2L, 3L]
>>> bv.store_metadata("string", "my_data")
>>> bv.query_metadata("string")
'my_data'
read(addr, length)[source]

read returns the data reads at most length bytes from virtual address addr.

Note: Python2 returns a str, but Python3 returns a bytes object. str(DataBufferObject) will still get you a str in either case.

Parameters:
  • addr (int) – virtual address to read from.
  • length (int) – number of bytes to read.
Returns:

at most length bytes from the virtual address addr, empty string on error or no data.
Return type:

python2 - str; python3 - bytes
Example:
>>> #Opening a x86_64 Mach-O binary
>>> bv = BinaryViewType['Raw'].open("/bin/ls")
>>> bv.read(0,4)
'\xcf\xfa\xed\xfe'
reanalyze()[source]

reanalyze causes all functions to be reanalyzed. This function does not wait for the analysis to finish.

Return type:None
redo()[source]

redo redo the last commited action in the undo database.

Return type:

None
Example:
>>> bv.get_disassembly(0x100012f1)
'xor     eax, eax'
>>> bv.begin_undo_actions()
>>> bv.convert_to_nop(0x100012f1)
True
>>> bv.commit_undo_actions()
>>> bv.get_disassembly(0x100012f1)
'nop'
>>> bv.undo()
>>> bv.get_disassembly(0x100012f1)
'xor     eax, eax'
>>> bv.redo()
>>> bv.get_disassembly(0x100012f1)
'nop'
>>>
classmethod register()[source]
register_notification(notify)[source]

register_notification provides a mechanism for receiving callbacks for various analysis events. A full list of callbacks can be seen in BinaryDataNotification.

Parameters:notify (BinaryDataNotification) – notify is a subclassed instance of BinaryDataNotification.
Return type:None
register_platform_types(platform)[source]

register_platform_types ensures that the platform-specific types for a Platform are available for the current BinaryView. This is automatically performed when adding a new function or setting the default platform.

Parameters:

platform (Platform) – Platform containing types to be registered
Return type:

None
Example:
>>> platform = Platform["linux-x86"]
>>> bv.register_platform_types(platform)
>>>
registered_view_type = None
relocatable

Boolean - is the binary relocatable (read-only)

remove(addr, length)[source]

remove removes at most length bytes from virtual address addr.

Parameters:
  • addr (int) – virtual address to remove from.
  • length (int) – number of bytes to remove.
Returns:

number of bytes removed from virtual address addr
Return type:

int
Example:
>>> bv.read(0,8)
'BBBBAAAA'
>>> bv.remove(0,4)
4L
>>> bv.read(0,4)
'AAAA'
remove_auto_section(name)[source]
remove_auto_segment(start, length)[source]
remove_function(func)[source]

remove_function removes the function func from the list of functions

Parameters:

func (Function) – a Function object.
Return type:

None
Example:
>>> bv.functions
[<func: x86_64@0x1>]
>>> bv.remove_function(bv.functions[0])
>>> bv.functions
[]
remove_metadata(key)[source]

remove_metadata removes the metadata associated with key from the current BinaryView.

Parameters:

key (string) – key associated with metadata to remove from the BinaryView
Return type:

None
Example:
>>> bv.store_metadata("integer", 1337)
>>> bv.remove_metadata("integer")
remove_user_function(func)[source]

remove_user_function removes the user function func from the list of functions

Parameters:

func (Function) – a Function object.
Return type:

None
Example:
>>> bv.functions
[<func: x86_64@0x1>]
>>> bv.remove_user_function(bv.functions[0])
>>> bv.functions
[]
remove_user_section(name)[source]
remove_user_segment(start, length)[source]
rename_type(old_name, new_name)[source]

rename_type renames a type in the global list of types for the current BinaryView

Parameters:
Return type:

None
Example:
>>> type, name = bv.parse_type_string("int foo")
>>> bv.define_user_type(name, type)
>>> bv.get_type_by_name("foo")
<type: int32_t>
>>> bv.rename_type("foo", "bar")
>>> bv.get_type_by_name("bar")
<type: int32_t>
>>>
save(dest)[source]

save saves the original binary file to the provided destination dest along with any modifications.

Parameters:dest (str) – destination path and filename of file to be written
Returns:boolean True on success, False on failure
Return type:bool
save_auto_snapshot(progress_func=None)[source]

save_auto_snapshot saves the current database to the already created file.

Note

create_database() should have been called prior to executing this method

Parameters:progress_func (callable()) – optional function to be called with the current progress and total count.
Returns:True if it successfully saved the snapshot, False otherwise
Return type:bool
saved

boolean state of whether or not the file has been saved (read/write)

sections

List of sections (read-only)

segments

List of segments (read-only)

session_data

Dictionary object where plugins can store arbitrary data associated with the view

classmethod set_default_session_data(name, value)[source]

set_default_session_data saves a variable to the BinaryView. :param name: name of the variable to be saved :param value: value of the variable to be saved

Example:
>>> BinaryView.set_default_session_data("variable_name", "value")
>>> bv.session_data.variable_name
'value'
show_html_report(title, contents, plaintext='')[source]
show_markdown_report(title, contents, plaintext='')[source]
show_plain_text_report(title, contents)[source]
skip_and_return_value(addr, value, arch=None)[source]

skip_and_return_value convert the call instruction of architecture arch at the virtual address addr to the equivilent of returning a value.

Parameters:
  • addr (int) – virtual address of the instruction to be modified
  • value (int) – value to make the instruction return
  • arch (Architecture) – (optional) the architecture of the instructions if different from the default
Returns:

True on success, False on falure.
Return type:

bool
Example:
>>> bv.get_disassembly(0x1000132a)
'call    0x1000134a'
>>> bv.skip_and_return_value(0x1000132a, 42)
True
>>> #The return value from x86 functions is stored in eax thus:
>>> bv.get_disassembly(0x1000132a)
'mov     eax, 0x2a'
>>>
start

Start offset of the binary (read-only)

store_metadata(key, md)[source]

store_metadata stores an object for the given key in the current BinaryView. Objects stored using store_metadata can be retrieved when the database is reopend. Objects stored are not arbitrary python objects! The values stored must be able to be held in a Metadata object. See Metadata for more information. Python objects could obviously be serialized using pickle but this intentionally a task left to the user since there is the potential security issues.

Parameters:
  • key (string) – key value to associate the Metadata object with
  • md (Varies) – object to store.
Return type:

None
Example:
>>> bv.store_metadata("integer", 1337)
>>> bv.query_metadata("integer")
1337L
>>> bv.store_metadata("list", [1,2,3])
>>> bv.query_metadata("list")
[1L, 2L, 3L]
>>> bv.store_metadata("string", "my_data")
>>> bv.query_metadata("string")
'my_data'
strings

List of strings (read-only)

symbols

Dict of symbols (read-only)

types

List of defined types (read-only)

undefine_auto_symbol(sym)[source]

undefine_auto_symbol removes a symbol from the internal list of automatically discovered Symbol objects.

Parameters:sym (Symbol) – the symbol to undefine
Return type:None
undefine_data_var(addr)[source]

undefine_data_var removes the non-user data variable at the virtual address addr.

Parameters:

addr (int) – virtual address to define the data variable to be removed
Return type:

None
Example:
>>> bv.undefine_data_var(bv.entry_point)
>>>
undefine_type(type_id)[source]

undefine_type removes a Type from the global list of types for the current BinaryView

Parameters:

type_id (str) – Unique identifier of type to be undefined
Return type:

None
Example:
>>> type, name = bv.parse_type_string("int foo")
>>> type_id = Type.generate_auto_type_id("source", name)
>>> bv.define_type(type_id, name, type)
>>> bv.get_type_by_name(name)
<type: int32_t>
>>> bv.undefine_type(type_id)
>>> bv.get_type_by_name(name)
>>>
undefine_user_data_var(addr)[source]

undefine_user_data_var removes the user data variable at the virtual address addr.

Parameters:

addr (int) – virtual address to define the data variable to be removed
Return type:

None
Example:
>>> bv.undefine_user_data_var(bv.entry_point)
>>>
undefine_user_symbol(sym)[source]

undefine_user_symbol removes a symbol from the internal list of user added Symbol objects.

Parameters:sym (Symbol) – the symbol to undefine
Return type:None
undefine_user_type(name)[source]

undefine_user_type removes a Type from the global list of user types for the current BinaryView

Parameters:

name (QualifiedName) – Name of user type to be undefined
Return type:

None
Example:
>>> type, name = bv.parse_type_string("int foo")
>>> bv.define_user_type(name, type)
>>> bv.get_type_by_name(name)
<type: int32_t>
>>> bv.undefine_user_type(name)
>>> bv.get_type_by_name(name)
>>>
undo()[source]

undo undo the last commited action in the undo database.

Return type:

None
Example:
>>> bv.get_disassembly(0x100012f1)
'xor     eax, eax'
>>> bv.begin_undo_actions()
>>> bv.convert_to_nop(0x100012f1)
True
>>> bv.commit_undo_actions()
>>> bv.get_disassembly(0x100012f1)
'nop'
>>> bv.undo()
>>> bv.get_disassembly(0x100012f1)
'xor     eax, eax'
>>> bv.redo()
>>> bv.get_disassembly(0x100012f1)
'nop'
>>>
unregister_notification(notify)[source]

unregister_notification unregisters the BinaryDataNotification object passed to register_notification

Parameters:notify (BinaryDataNotification) – notify is a subclassed instance of BinaryDataNotification.
Return type:None
update_analysis()[source]

update_analysis asynchronously starts the analysis running and returns immediately. Analysis of BinaryViews does not occur automatically, the user must start analysis by calling either update_analysis() or update_analysis_and_wait(). An analysis update must be run after changes are made which could change analysis results such as adding functions.

Return type:None
update_analysis_and_wait()[source]

update_analysis_and_wait blocking call to update the analysis, this call returns when the analysis is complete. Analysis of BinaryViews does not occur automatically, the user must start analysis by calling either update_analysis() or update_analysis_and_wait(). An analysis update must be run after changes are made which could change analysis results such as adding functions.

Return type:None
view
view_type

View type (read-only)

write(addr, data)[source]

write writes the bytes in data to the virtual address addr.

Parameters:
  • addr (int) – virtual address to write to.
  • data (str) – data to be written at addr.
Returns:

number of bytes written to virtual address addr
Return type:

int
Example:
>>> bv.read(0,4)
'BBBB'
>>> bv.write(0, "AAAA")
4L
>>> bv.read(0,4)
'AAAA'
class binaryninja.binaryview.BinaryViewType(handle)[source]

Bases: object

create(data)[source]
get_arch(ident, endian)[source]
get_platform(ident, arch)[source]
classmethod get_view_of_file(filename, update_analysis=True)[source]

get_view_of_file returns the first available, non-Raw BinaryView available.

Parameters:
  • filename (str) – Path to filename or bndb
  • update_analysis (bool) – defaults to True. Pass False to not run update_analysis_and_wait.
Returns:

returns a BinaryView object for the given filename.
Return type:

BinaryView or None
is_valid_for_data(data)[source]
list = [<view type: 'Raw'>, <view type: 'ELF'>, <view type: 'Mach-O'>, <view type: 'PE'>]
long_name

BinaryView long name (read-only)

name

BinaryView name (read-only)

open(src, file_metadata=None)[source]
register_arch(ident, endian, arch)[source]
register_default_platform(arch, plat)[source]
register_platform(ident, arch, plat)[source]
class binaryninja.binaryview.BinaryWriter(view, endian=None)[source]

Bases: object

class BinaryWriter is a convenience class for writing binary data.

BinaryWriter can be instantiated as follows and the rest of the document will start from this context

>>> from binaryninja import *
>>> bv = BinaryViewType['Mach-O'].open("/bin/ls")
>>> br = BinaryReader(bv)
>>> bw = BinaryWriter(bv)
>>>

Or using the optional endian parameter

>>> from binaryninja import *
>>> br = BinaryReader(bv, Endianness.BigEndian)
>>> bw = BinaryWriter(bv, Endianness.BigEndian)
>>>
endianness

The Endianness to written data. (read/write)

Getter:returns the endianness of the reader
Setter:sets the endianness of the reader (BigEndian or LittleEndian)
Type:Endianness
offset

The current write offset (read/write).

Getter:returns the current internal offset
Setter:sets the internal offset
Type:int
seek(offset)[source]

seek update internal offset to offset.

Parameters:

offset (int) – offset to set the internal offset to
Return type:

None
Example:
>>> hex(bw.offset)
'0x100000008L'
>>> bw.seek(0x100000000)
>>> hex(bw.offset)
'0x100000000L'
>>>
seek_relative(offset)[source]

seek_relative updates the internal offset by offset.

Parameters:

offset (int) – offset to add to the internal offset
Return type:

None
Example:
>>> hex(bw.offset)
'0x100000008L'
>>> bw.seek_relative(-8)
>>> hex(bw.offset)
'0x100000000L'
>>>
write(value)[source]

write writes len(value) bytes to the internal offset, without regard to endianness.

Parameters:

value (str) – bytes to be written at current offset
Returns:

boolean True on success, False on failure.
Return type:

bool
Example:
>>> bw.write("AAAA")
True
>>> br.read(4)
'AAAA'
>>>
write16(value)[source]

write16 writes the lowest order two bytes from the integer value to the current offset, using internal endianness.

Parameters:value (int) – integer value to write.
Returns:boolean True on success, False on failure.
Return type:bool
write16be(value)[source]

write16be writes the lowest order two bytes from the big endian integer value to the current offset.

Parameters:value (int) – integer value to write.
Returns:boolean True on success, False on failure.
Return type:bool
write16le(value)[source]

write16le writes the lowest order two bytes from the little endian integer value to the current offset.

Parameters:value (int) – integer value to write.
Returns:boolean True on success, False on failure.
Return type:bool
write32(value)[source]

write32 writes the lowest order four bytes from the integer value to the current offset, using internal endianness.

Parameters:value (int) – integer value to write.
Returns:boolean True on success, False on failure.
Return type:bool
write32be(value)[source]

write32be writes the lowest order four bytes from the big endian integer value to the current offset.

Parameters:value (int) – integer value to write.
Returns:boolean True on success, False on failure.
Return type:bool
write32le(value)[source]

write32le writes the lowest order four bytes from the little endian integer value to the current offset.

Parameters:value (int) – integer value to write.
Returns:boolean True on success, False on failure.
Return type:bool
write64(value)[source]

write64 writes the lowest order eight bytes from the integer value to the current offset, using internal endianness.

Parameters:value (int) – integer value to write.
Returns:boolean True on success, False on failure.
Return type:bool
write64be(value)[source]

write64be writes the lowest order eight bytes from the big endian integer value to the current offset.

Parameters:value (int) – integer value to write.
Returns:boolean True on success, False on failure.
Return type:bool
write64le(value)[source]

write64le writes the lowest order eight bytes from the little endian integer value to the current offset.

Parameters:value (int) – integer value to write.
Returns:boolean True on success, False on failure.
Return type:bool
write8(value)[source]

write8 lowest order byte from the integer value to the current offset.

Parameters:

value (str) – bytes to be written at current offset
Returns:

boolean
Return type:

int
Example:
>>> bw.write8(0x42)
True
>>> br.read(1)
'B'
>>>
class binaryninja.binaryview.DataVariable(addr, var_type, auto_discovered)[source]

Bases: object

class binaryninja.binaryview.Section(name, section_type, start, length, linked_section, info_section, info_data, align, entry_size, semantics, auto_defined)[source]

Bases: object

end
class binaryninja.binaryview.Segment(start, length, data_offset, data_length, flags, auto_defined)[source]

Bases: object

end
executable
readable
writable
class binaryninja.binaryview.StringReference(bv, string_type, start, length)[source]

Bases: object

value