Documentation Index
Fetch the complete documentation index at: https://mintlify.com/angr/angr/llms.txt
Use this file to discover all available pages before exploring further.
The KnowledgeBase class represents a “model” of knowledge about a binary artifact, containing analysis results like CFGs, function information, variables, type information, and cross-references.
Class Definition
class KnowledgeBase:
"""Represents a model of knowledge about an artifact.
Contains things like a CFG, data references, etc.
"""
Constructor
The angr Project instance this knowledge base belongs to
Deprecated - This parameter is deprecated and should not be used
Optional name for this knowledge base instance. If not provided, a default name like kb_0 is assigned
kb = KnowledgeBase(project)
kb_named = KnowledgeBase(project, name="my_kb")
Properties
The KnowledgeBase provides access to various knowledge plugins through properties:
Manages all functions discovered in the binary. Access functions by address or name, iterate through all functions, and manage the call graph.
Manages variables across the binary, including local variables, stack variables, registers, and global variables.
Manages reaching definitions and key definitions for variables.
Manages Control Flow Graphs (CFGs) for the binary.
Stores and manages type information recovered from the binary.
Manages propagation analysis results.
Manages cross-references between code and data locations.
Stores decompilation results and structured code representations.
Tracks detected obfuscation techniques in the binary.
Runtime database for storing temporary analysis data.
The call graph of the binary. This is a convenience property that accesses kb.functions.callgraph.
unresolved_indirect_jumps
Dictionary of unresolved indirect jumps in the binary.
Dictionary of resolved indirect jumps in the binary.
Plugin Management
The KnowledgeBase uses a plugin architecture to manage different types of knowledge.
has_plugin
kb.has_plugin(name: str) -> bool
Name of the plugin to check
bool - True if the plugin exists, False otherwise
get_plugin
kb.get_plugin(name: str) -> KnowledgeBasePlugin
Name of the plugin to retrieve
KeyError if the plugin doesn’t exist and is not a default plugin
register_plugin
kb.register_plugin(name: str, plugin: KnowledgeBasePlugin) -> KnowledgeBasePlugin
Name to register the plugin under
plugin
KnowledgeBasePlugin
required
The plugin instance to register
release_plugin
kb.release_plugin(name: str) -> None
Name of the plugin to release
Type-Safe Plugin Access
For better type inference and IDE support, use these type-safe methods:
get_knowledge
kb.get_knowledge(requested_plugin_cls: type[K]) -> K | None
The class type of the plugin to retrieve
from angr.knowledge_plugins import FunctionManager
func_manager = kb.get_knowledge(FunctionManager)
if func_manager is not None:
# func_manager is properly typed as FunctionManager
print(len(func_manager))
request_knowledge
kb.request_knowledge(requested_plugin_cls: type[K]) -> K
The class type of the plugin to retrieve or create
from angr.knowledge_plugins import PropagationManager
prop_manager = kb.request_knowledge(PropagationManager)
# prop_manager is guaranteed to be a valid PropagationManager instance
Magic Methods
Container Protocol
'functions' in kb # Check if plugin exists
kb.functions # Access plugin via attribute
kb['functions'] # Access plugin via key (calls get_plugin)
Attribute Access
Plugins can be accessed as attributes:
# These are equivalent:
funcs1 = kb.functions
funcs2 = kb.get_plugin('functions')
Usage Examples
Basic Usage
import angr
# Create project and access knowledge base
project = angr.Project('binary')
kb = project.kb
# Access functions
for addr, func in kb.functions.items():
print(f"Function at {hex(addr)}: {func.name}")
# Access the call graph
for caller, callee in kb.callgraph.edges():
print(f"{hex(caller)} -> {hex(callee)}")
Working with Variables
# Get variable manager for a specific function
func_addr = 0x401000
var_manager = kb.variables[func_addr]
# Access stack variables
stack_vars = var_manager.get_variables(sort='stack')
for var in stack_vars:
print(f"Stack variable: {var.name} at offset {var.offset}")
Custom Plugins
from angr.knowledge_plugins.plugin import KnowledgeBasePlugin
class MyCustomPlugin(KnowledgeBasePlugin):
def __init__(self, kb):
super().__init__(kb)
self.data = {}
def add_data(self, key, value):
self.data[key] = value
# Register the plugin
plugin = MyCustomPlugin(kb)
kb.register_plugin('custom', plugin)
# Use the plugin
kb.custom.add_data('key1', 'value1')
# Access type store
types_store = kb.types
# Register a type
from angr.sim_type import SimStruct, SimTypeInt
my_struct = SimStruct({
'field1': SimTypeInt(),
'field2': SimTypeInt()
}, name='MyStruct')
types_store['MyStruct'] = my_struct
Notes
- The KnowledgeBase is automatically created when you create an angr Project
- Most plugins are lazily initialized - they’re created only when first accessed
- The knowledge base is picklable and can be saved/loaded for analysis persistence
- Plugins are accessed via attribute syntax (e.g.,
kb.functions) for convenience