workflow module¶

Bases: object

Activity in Binary Ninja represents an individual analysis or action to be performed on a BinaryView or Function object.

Activities are the fundamental units of execution within a Workflow. Each Activity encapsulates a specific task and defines its own behavior, dependencies, and eligibility criteria. Activities are executed in the context of an AnalysisContext, which provides access to binary data, analysis state, and utility functions.

__init__(configuration: str = '', handle: LP_BNActivity | None = None, action: Callable[[Any], None] | None = None, eligibility: Callable[[Any], bool] | None = None)[source]¶

Parameters:

• configuration (str) –

• handle (LP_BNActivity | None) –

• action (Callable[[Any], None] | None) –

• eligibility (Callable[[Any], bool] | None) –

property name: str¶

Activity name (read-only)

Bases: object

AnalysisContext is a proxy object that provides access to the current analysis context, including the associated BinaryView, Function, and intermediate language (IL) representations. It provides APIs to retrieve and modify the in-progress analysis state and allows users to notify the analysis system of any changes or updates.

__init__(handle: LP_BNAnalysisContext)[source]¶

Parameters:

handle (LP_BNAnalysisContext) –

get_backed_address_ranges() → List[tuple][source]¶

Get all backed address ranges from the cached memory map.

Returns:

List of (start, end) tuples

Return type:

List[tuple]

get_end() → int[source]¶

Get the end address from the cached memory map.

Returns:

End address

Return type:

int

get_length() → int[source]¶

Get the length of the cached memory map.

Returns:

Length

Return type:

int

get_mapped_address_ranges() → List[tuple][source]¶

Get all mapped address ranges from the cached memory map.

Returns:

List of (start, end) tuples

Return type:

List[tuple]

get_next_backed_address(addr: int, flags: int = 0) → int[source]¶

Get the next backed address after the given address from the cached memory map.

Parameters:

• addr (int) – Starting address

• flags (int) – Optional flags to filter by

Returns:

Next backed address

Return type:

int

get_next_mapped_address(addr: int, flags: int = 0) → int[source]¶

Get the next mapped address after the given address from the cached memory map.

Parameters:

• addr (int) – Starting address

• flags (int) – Optional flags to filter by

Returns:

Next mapped address

Return type:

int

get_next_valid_offset(offset: int) → int[source]¶

Get the next valid offset after the given offset from the cached memory map.

Parameters:

offset (int) – Starting offset

Returns:

Next valid offset

Return type:

int

get_section_by_name(name: str) → Section | None[source]¶

Get a section by name from the cached section map.

Parameters:

name (str) – Section name

Returns:

Section with the given name, or None if not found

Return type:

Section | None

get_sections() → List[Section][source]¶

Get all sections from the cached section map.

Returns:

List of all sections

Return type:

List[Section]

get_sections_at(addr: int) → List[Section][source]¶

Get all sections containing the given address from the cached section map.

Parameters:

addr (int) – Address to query

Returns:

List of sections containing the address

Return type:

List[Section]

get_segment_at(addr: int) → Segment | None[source]¶

Get the segment containing the given address from the cached memory map.

Parameters:

addr (int) – Address to query

Returns:

Segment containing the address, or None

Return type:

Segment | None

get_setting_bool(key: str) → bool[source]¶

Get a boolean setting from the cached settings.

Parameters:

key (str) – Setting key

Returns:

Boolean setting value

Return type:

bool

get_setting_double(key: str) → float[source]¶

Get a double setting from the cached settings.

Parameters:

key (str) – Setting key

Returns:

Double setting value

Return type:

float

get_setting_int64(key: str) → int[source]¶

Get a 64-bit signed integer setting from the cached settings.

Parameters:

key (str) – Setting key

Returns:

Int64 setting value

Return type:

int

get_setting_string(key: str) → str[source]¶

Get a string setting from the cached settings.

Parameters:

key (str) – Setting key

Returns:

String setting value

Return type:

str

get_setting_string_list(key: str) → List[str][source]¶

Get a string list setting from the cached settings.

Parameters:

key (str) – Setting key

Returns:

List of strings

Return type:

List[str]

get_setting_uint64(key: str) → int[source]¶

Get a 64-bit unsigned integer setting from the cached settings.

Parameters:

key (str) – Setting key

Returns:

UInt64 setting value

Return type:

int

get_start() → int[source]¶

Get the start address from the cached memory map.

Returns:

Start address

Return type:

int

inform(request: str) → bool[source]¶

Parameters:

request (str) –

Return type:

bool

is_offset_backed_by_file(offset: int) → bool[source]¶

Check if an offset is backed by the file in the cached memory map.

Parameters:

offset (int) – Offset to check

Returns:

True if offset is backed by file

Return type:

bool

is_offset_code_semantics(offset: int) → bool[source]¶

Check if an offset has code semantics in the cached section map.

Parameters:

offset (int) – Offset to check

Returns:

True if offset has code semantics

Return type:

bool

is_offset_executable(offset: int) → bool[source]¶

Check if an offset is executable in the cached memory map.

Parameters:

offset (int) – Offset to check

Returns:

True if offset is executable

Return type:

bool

is_offset_extern_semantics(offset: int) → bool[source]¶

Check if an offset has external semantics in the cached section map.

Parameters:

offset (int) – Offset to check

Returns:

True if offset has external semantics

Return type:

bool

is_offset_readable(offset: int) → bool[source]¶

Check if an offset is readable in the cached memory map.

Parameters:

offset (int) – Offset to check

Returns:

True if offset is readable

Return type:

bool

is_offset_readonly_semantics(offset: int) → bool[source]¶

Check if an offset has read-only semantics in the cached section map.

Parameters:

offset (int) – Offset to check

Returns:

True if offset has read-only semantics

Return type:

bool

is_offset_writable(offset: int) → bool[source]¶

Check if an offset is writable in the cached memory map.

Parameters:

offset (int) – Offset to check

Returns:

True if offset is writable

Return type:

bool

is_offset_writable_semantics(offset: int) → bool[source]¶

Check if an offset has writable semantics in the cached section map.

Parameters:

offset (int) – Offset to check

Returns:

True if offset has writable semantics

Return type:

bool

is_valid_offset(offset: int) → bool[source]¶

Check if an offset is mapped in the cached memory map.

Parameters:

offset (int) – Offset to check

Returns:

True if offset is mapped

Return type:

bool

set_mlil_function(new_func: MediumLevelILFunction, llil_ssa_to_mlil_instr_map: mediumlevelil.LLILSSAToMLILInstructionMapping | None = None, llil_ssa_to_mlil_expr_map: mediumlevelil.LLILSSAToMLILExpressionMapping | None = None) → None[source]¶

Set the Medium Level IL function in the current analysis, giving updated Low Level IL (SSA) to Medium Level IL instruction and expression mappings. :param new_func: New MLIL function :param llil_ssa_to_mlil_instr_map: Mapping from every LLIL SSA instruction to every MLIL instruction :param llil_ssa_to_mlil_expr_map: Mapping from every LLIL SSA expression to one or more MLIL expressions (first expression will be the primary)

Parameters:

• new_func (MediumLevelILFunction) –

• llil_ssa_to_mlil_instr_map (mediumlevelil.LLILSSAToMLILInstructionMapping | None) –

• llil_ssa_to_mlil_expr_map (mediumlevelil.LLILSSAToMLILExpressionMapping | None) –

Return type:

None

property basic_blocks: BasicBlockList¶

function.BasicBlockList of BasicBlocks in the current function (writable)

property function: Function | None¶

Function for the current AnalysisContext (read-only)

property hlil: HighLevelILFunction | None¶

HighLevelILFunction used to represent High Level IL (writable)

property lifted_il: LowLevelILFunction | None¶

LowLevelILFunction used to represent lifted IL (writable)

property llil: LowLevelILFunction | None¶

LowLevelILFunction used to represent Low Level IL (writable)

property mlil: MediumLevelILFunction | None¶

MediumLevelILFunction used to represent Medium Level IL (writable)

property view: BinaryView | None¶

BinaryView for the current AnalysisContext (writable)

Bases: object

class Workflow in Binary Ninja defines the set of analyses to perform on a binary, including their dependencies and execution order.

Workflows are represented as Directed Acyclic Graphs (DAGs), where each node corresponds to an Activity (an individual analysis or action). Workflows are used to tailor the analysis process for BinaryView or Function objects, providing granular control over analysis tasks at module or function levels.

A Workflow starts in an unregistered state, either by creating a new empty Workflow or by cloning an existing one. While unregistered, it is possible to add and remove Activity objects, as well as modify the execution strategy. To apply a Workflow to a binary, it must be registered. Once registered, the Workflow becomes immutable and is available for use.

Example:

# Define the custom activity configuration
configuration = json.dumps({
        "name": "analysis.plugins.xorStringDecoder",
        "title": "XOR String Decoder",
        "description": "This analysis step transforms XOR-encoded strings within the current function.",
        "eligibility": {
                "auto": {
                        "default": False
                }
        }
})

# Clone the meta function workflow for customization
workflow = Workflow("core.function.metaAnalysis").clone()

# Register a new activity
workflow.register_activity(Activity(
        configuration,
        action=lambda analysis_context: log_warn(
                f"Decoder running for function: {hex(analysis_context.function.start)}"
                # Insert decoder logic here :P
        )
))

# Insert the new activity before the "generateHighLevelIL" step
workflow.insert("core.function.generateHighLevelIL", ["analysis.plugins.xorStringDecoder"])

# Register the modified meta function workflow
workflow.register()

__init__(name: str = '', handle: LP_BNWorkflow | None = None, query_registry: bool = True, object_handle: LP_BNFunction | LP_BNBinaryView | None = None)[source]¶

Parameters:

• name (str) –

• handle (LP_BNWorkflow | None) –

• query_registry (bool) –

• object_handle (LP_BNFunction | LP_BNBinaryView | None) –

activity_roots(activity: Activity | str = '') → List[str][source]¶

activity_roots Retrieve the list of activity roots for the Workflow, or if specified just for the given activity.

Parameters:

activity (str) – if specified, return the roots for the activity

Returns:

list of root activity names

Return type:

list[str]

assign_subactivities(activity: Activity, activities: List[str] | str) → bool[source]¶

assign_subactivities Assign the list of activities as the new set of children for the specified activity.

Parameters:

• activity (str) – the Activity node to assign children

• activities (list[str]) – the list of Activities to assign

Returns:

True on success, False otherwise

Return type:

bool

clear() → bool[source]¶

clear Remove all Activity nodes from this Workflow.

Returns:

True on success, False otherwise

Return type:

bool

clone(name: str | None = None, activity: Activity | str = '') → Workflow[source]¶

clone Clone a new Workflow, copying all Activities and the execution strategy.

Parameters:

• name (str) – if specified, name the new Workflow, otherwise the name is copied from the original

• activity (str) – if specified, perform the clone operation using activity as the root

Returns:

a new Workflow

Return type:

Workflow

configuration(activity: Activity | str = '') → str[source]¶

configuration Retrieve the configuration as an adjacency list in JSON for the Workflow, or if specified just for the given activity.

Parameters:

activity (ActivityType) – if specified, return the configuration for the activity

Returns:

an adjacency list representation of the configuration in JSON

Return type:

str

contains(activity: Activity | str) → bool[source]¶

contains Determine if an Activity exists in this Workflow.

Parameters:

activity (ActivityType) – the Activity name

Returns:

True if the Activity exists, False otherwise

Return type:

bool

eligibility_settings() → List[str][source]¶

eligibility_settings Retrieve the list of eligibility settings for the Workflow.

Returns:

list of eligibility settings

Return type:

list[str]

get_activity(activity: Activity | str) → Activity | None[source]¶

get_activity Retrieve the Activity object for the specified activity.

Parameters:

activity (str) – the Activity name

Returns:

the Activity object

Return type:

Activity

graph(activity: Activity | str = '', sequential: bool = False, show: bool = True) → FlowGraph | None[source]¶

graph Generate a FlowGraph object for the current Workflow and optionally show it in the UI.

Parameters:

• activity (str) – if specified, generate the Flowgraph using activity as the root

• sequential (bool) – whether to generate a Composite or Sequential style graph

• show (bool) – whether to show the graph in the UI or not

Returns:

FlowGraph object on success, None on failure

Return type:

FlowGraph

insert(activity: Activity | str, activities: List[str] | str) → bool[source]¶

insert Insert the list of activities before the specified activity and at the same level.

Parameters:

• activity (str) – the Activity node for which to insert activities before

• activities (list[str]) – the list of Activities to insert

Returns:

True on success, False otherwise

Return type:

bool

insert_after(activity: Activity | str, activities: List[str] | str) → bool[source]¶

insert_after Insert the list of activities after the specified activity and at the same level.

Parameters:

• activity (str) – the Activity node for which to insert activities after

• activities (list[str]) – the list of Activities to insert

Returns:

True on success, False otherwise

Return type:

bool

register(configuration: str = '') → bool[source]¶

register Register this Workflow, making it immutable and available for use.

Parameters:

configuration (str) – a JSON representation of the workflow configuration

Returns:

True on Success, False otherwise

Return type:

bool

register_activity(activity: Activity, subactivities: List[Activity | str] = []) → Activity | None[source]¶

register_activity Register an Activity with this Workflow.

Parameters:

• activity (Activity) – the Activity to register

• subactivities (list[str]) – the list of Activities to assign

Returns:

the registered Activity

Return type:

Activity

remove(activity: Activity | str) → bool[source]¶

remove Remove the specified activity.

Parameters:

activity (str) – the Activity to remove

Returns:

True on success, False otherwise

Return type:

bool

replace(activity: Activity | str, new_activity: str) → bool[source]¶

replace Replace the specified activity.

Parameters:

• activity (str) – the Activity to replace

• new_activity (str) – the replacement Activity

Returns:

True on success, False otherwise

Return type:

bool

show_topology() → None[source]¶

show_topology Show the Workflow topology in the UI.

Return type:

None

subactivities(activity: Activity | str = '', immediate: bool = True) → List[str][source]¶

subactivities Retrieve the list of all activities, or optionally a filtered list.

Parameters:

• activity (str) – if specified, return the direct children and optionally the descendants of the activity (includes activity)

• immediate (bool) – whether to include only direct children of activity or all descendants

Returns:

list of activity names

Return type:

list[str]

property machine¶

property name: str¶

property registered: bool¶

registered Whether this Workflow is registered or not. A Workflow becomes immutable once it is registered.

Type:

bool

Bases: object

__init__(handle: LP_BNFunction | LP_BNBinaryView | None = None)[source]¶

Parameters:

handle (LP_BNFunction | LP_BNBinaryView | None) –

breakpoint_delete(activities)[source]¶

breakpoint_query()[source]¶

breakpoint_set(activities)[source]¶

cli()[source]¶

configure(advanced: bool = True, incremental: bool = False)[source]¶

Parameters:

• advanced (bool) –

• incremental (bool) –

delay(duration)[source]¶

disable()[source]¶

dump()[source]¶

enable()[source]¶

halt()[source]¶

log(enable: bool = True, is_global: bool = False)[source]¶

Parameters:

• enable (bool) –

• is_global (bool) –

metrics(enable: bool = True, is_global: bool = False)[source]¶

Parameters:

• enable (bool) –

• is_global (bool) –

override_clear(activity)[source]¶

override_query(activity=None)[source]¶

override_set(activity, enable)[source]¶

request(request)[source]¶

reset()[source]¶

resume(advanced: bool = True, incremental: bool = False)[source]¶

Parameters:

• advanced (bool) –

• incremental (bool) –

run(advanced: bool = True, incremental: bool = False)[source]¶

Parameters:

• advanced (bool) –

• incremental (bool) –

show_metrics() → None[source]¶

Return type:

None

show_topology() → None[source]¶

Return type:

None

show_trace() → None[source]¶

Return type:

None

status()[source]¶

step()[source]¶

Bases: Cmd

__init__(machine: WorkflowMachine)[source]¶

Instantiate a line-oriented interpreter framework.

The optional argument ‘completekey’ is the readline name of a completion key; it defaults to the Tab key. If completekey is not None and the readline module is available, command completion is done automatically. The optional arguments stdin and stdout specify alternate input and output file objects; if not specified, sys.stdin and sys.stdout are used.

Parameters:

machine (WorkflowMachine) –

do_breakpoint(line)[source]¶

Handle breakpoint commands.

do_configure(line)[source]¶

Configure the workflow machine.

do_disable(line)[source]¶

Disable the workflow machine.

do_dump(line)[source]¶

Dump metrics from the workflow system.

do_enable(line)[source]¶

Enable the workflow machine.

do_halt(line)[source]¶

Halt the workflow machine.

do_log(line)[source]¶

Control workflow logging.

do_metrics(line)[source]¶

Control workflow metrics collection.

do_override(line)[source]¶

Handle override commands.

do_quit(line)[source]¶

Exit the WorkflowMachine CLI.

do_reset(line)[source]¶

Reset the workflow machine.

do_resume(line)[source]¶

Continue/Resume execution of a workflow.

do_run(line)[source]¶

Run the workflow machine and generate a default configuration if the workflow is not configured.

do_status(line)[source]¶

Retrieve the current machine status.

do_step(line)[source]¶

Step to the next activity in the workflow machine.

help(arg)[source]¶

precmd(line)[source]¶

Hook method executed just before the command line is interpreted, but after the input prompt is generated and issued.

aliases = {'b': 'breakpoint', 'c': 'resume', 'd': 'dump', 'h': 'halt', 'l': 'log', 'm': 'metrics', 'o': 'override', 'q': 'quit', 'r': 'run', 's': 'step'}¶

intro = "Welcome to the Workflow Orchestrator. Type 'help' to list available commands."¶

prompt = '(dechora) '¶