Skip to main content
angr provides a comprehensive suite of program analysis techniques for binary executables. These analyses range from control-flow graph recovery to high-level decompilation, enabling deep understanding of binary behavior.

Available Analyses

angr’s analysis framework is built around the AnalysesHub, which provides access to all registered analyses through the project.analyses interface.

Control Flow Analysis

CFGFast

Fast static control-flow graph recovery

CFGEmulated

Dynamic CFG recovery through symbolic execution

Data Flow Analysis

DDG

Data Dependence Graph analysis

VFG

Value-Flow Graph with abstract interpretation

Program Understanding

Decompiler

Decompile binary code to pseudocode

Variable Recovery

Identify and recover program variables

Identifier

Identify common library functions

Analysis Framework

All analyses in angr inherit from the base Analysis class and are registered with the framework: 
import angr

# Load a binary
p = angr.Project('/bin/ls', load_options={'auto_load_libs': False})

# Access analyses through the hub
cfg = p.analyses.CFGFast()
decomp = p.analyses.Decompiler(func)
ddg = p.analyses.DDG(cfg)

Analysis Categories

Static Analyses

Static analyses examine the binary without executing it:
  • CFGFast: Fast control-flow recovery
  • Variable Recovery: Identify stack and register variables
  • Identifier: Match against known library functions

Dynamic Analyses

Dynamic analyses use symbolic or concrete execution:
  • CFGEmulated: CFG recovery through symbolic execution
  • VFG: Value-flow analysis with abstract interpretation
  • DDG: Data dependence tracking during execution

Hybrid Analyses

Combining multiple techniques:
  • Decompiler: Uses CFG, variable recovery, reaching definitions, and structuring
  • Reaching Definitions: Data-flow analysis for definition-use chains

Common Patterns

Running an Analysis

# Most analyses are accessed through project.analyses
result = p.analyses.AnalysisName(parameters)

# Results are stored in the analysis object
print(result.graph)
print(result.nodes)

Using Knowledge Base

Many analyses store results in the knowledge base: 
# CFG stores functions
cfg = p.analyses.CFGFast()
for func in cfg.kb.functions.values():
    print(f"Function at {func.addr:#x}: {func.name}")

# Decompiler stores decompiled code
decomp = p.analyses.Decompiler(func)
print(decomp.codegen.text)

Analysis Options

Most analyses accept common parameters:
  • fail_fast: Stop on first error (default: False)
  • Progress callbacks for long-running analyses
  • Knowledge base selection: kb=custom_kb

Forward Analysis Framework

Many analyses inherit from ForwardAnalysis, which provides:
  • Job-based worklist algorithm
  • State merging and widening
  • Context-sensitive analysis
  • Progress tracking
from angr.analyses import ForwardAnalysis

class CustomAnalysis(ForwardAnalysis, Analysis):
    def _pre_analysis(self):
        # Initialize
        pass
    
    def _get_successors(self, job):
        # Return successor jobs
        pass

Next Steps

CFG Recovery

Learn about control-flow graph analysis

Decompilation

Decompile binaries to readable code

Data Flow

Track data dependencies in programs

Variable Recovery

Identify program variables and types

Build docs developers (and LLMs) love

Get started for freeTalk to us