Getting Started¶
Welcome to Binary Ninja. This introduction document is meant to quickly guide you over some of the most common uses of Binary Ninja.
Directories¶
Binary Ninja uses two main locations. The first is the install path of the binary itself and the second is the user folders for user-installed content.
Binary Path¶
Binaries are installed in the following locations by default:
- MacOS:
/Applications/Binary Ninja.app - Windows (global install):
C:\Program Files\Vector35\BinaryNinja - Windows (user install):
%LOCALAPPDATA%\Vector35\BinaryNinja - Linux: Wherever you extract it! (No standard location)
Warning
Do not put any user content in the install-path of Binary Ninja. The auto-update process of Binary Ninja may replace any files included in these folders.
User Folder¶
The base locations of user folders are:
- MacOS:
~/Library/Application Support/Binary Ninja - Linux:
~/.binaryninja - Windows:
%APPDATA%\Binary Ninja
Contents of the user folder includes:
lastrun: A text file containing the directory of the last BinaryNinja binary path -- very useful for plugins to resolve the install locations in non-default settings or on Linux.license.dat: License fileplugins/: Folder containing all manually installed user pluginsrepositories/: Folder containing files and plugins managed by the Plugin Manager APIsettings.json: User settings file (see settings)keybindings.json: Custom key bindings (see key bindings)
License¶
When you first run Binary Ninja, it will prompt you for your license key. You should have received your license key via email after your purchase. If not, please contact support.
Once the license key is installed, you can change it, back it up, or otherwise inspect it simply by looking inside the base of the user folder for license.dat.
Linux Setup¶
Because Linux install locations can vary widely, we do not assume a Binary Ninja has been installed in any particular folder on Linux. Rather, you can simply run binaryninja/scripts/linux-setup.sh after extracting the zip and various file associations, icons, and other settings will be set up. Run it with -h to see the customization options.
Loading Files¶
You can load files in many ways:
- Drag-and-drop a file onto the Binary Ninja window (hold
[CMD/CTRL-SHIFT]while dropping to use theOpen with Optionsworkflow) - Use the
File/Openmenu orOpenbutton on the start screen ([CMD/CTRL] o) - Use the
File/Open with Optionsmenu which allows you to customize the analysis options ([CMD/CTRL-SHIFT] o) - Open a file from the Triage picker (
File/Open for Triage) which enables several minimal analysis options and shows a summary view first - Click an item in the recent files list (hold
[CMD/CTRL-SHIFT]while clicking to use theOpen with Optionsworkflow) - Run Binary Ninja with an optional command-line parameter
- Open a file from a URL via the
[CMD/CTRL] lhotkey - Open a file using the
binaryninja:URL handler. For security reasons, the URL handler requires you to confirm a warning before opening a file via the URL handler. URLs additionally support deep linking using theexprquery parameter where expression value is a valid parsable expression such as those possible in the navigation dialog, and fully documented in theparse_expressionAPI. Below a few examples are provided:- URLs For referencing files on the local file system.
binaryninja:///bin/ls?expr=sub_2830- open the given file and navigate to the function:sub_2830binaryninja:///bin/ls?expr=.text- open the given file and navigate to the start address of the.textsectionbinaryninja:///bin/ls?expr=.text+6b- open the given file and navigate to the hexadecimal offset6bfrom the.textsection.
- URLs For referencing remote file files either the URL should be prefixed with
binaryninja:and optionally suffixed with theexprquery parameterbinaryninja:file://<remote_path>?expr=[.data + 400]- Download the remote file and navigate to the address at.dataplus0x400
- URLs For referencing files on the local file system.
Status Bar¶
The status bar provides current information about the open file as well as some interactive controls. Summary features are listed below:
- Update Notification - perform updates, download status, and restart notification
- Analysis progress - ongoing analysis progress of current active file
- Cursor offset or selection
- BinaryView Switcher
- View Layer Selection - present a layer of analysis information from the BinaryView (e.g. hex, graph, linear, strings, types, etc.)
- File Contents Lock - interactive control to prevent accidental changes to the underlying file
Analysis¶
As soon as you open a file, Binary Ninja begins its auto-analysis which is fairly similar to decompiling the entire binary.
Even while Binary Ninja is analyzing a binary, the UI should be responsive. Not only that, but because the analysis prioritizes user-requested analysis, you can start navigating a binary immediately and wherever you are viewing will be prioritized for analysis. The current progress through a binary is shown in the status bar (more details are available via bv.analysis_info in the Python console), but note that the total number of items left to analyze will go up as well as the binary is processed and more items are discovered that require analysis.
Analysis proceeds through several phases summarized below:
- Phase 1 - Initial Recursive Descent
- Phase 2 - Call Target Analysis (Part of Linear Sweep)
- Phase 3.x - Control Flow Graph Analysis (Part of Linear Sweep)
Errors or warnings during the load of the binary are also shown in the status bar, along with an icon (in the case of the image above, a large number of warnings were shown). The most common warnings are from incomplete lifting and can be safely ignored. If the warnings include a message like Data flow for function at 0x41414141 did not terminate, then please report the binary to the bug database.
Analysis Speed¶
If you wish to speed up analysis, you have several options. The first is to use the File/Open for Triage menu which activates the Triage file picker. By default, Triage mode will enable a faster set of default analysis options that doesn't provide as much in-depth analysis but is significantly faster.
Additionally, using the open with options feature allows for customization of a number of analysis options on a per-binary basis. See all settings under the analysis category for more details.
Interacting¶
Navigating¶
Navigating code in Binary Ninja is usually a case of just double-clicking where you want to go. Addresses, references, functions, jump edges etc, can all be double-clicked to navigate. Additionally, the g hotkey can navigate to a specific address in the current view. Syntax for this field is very flexible. Full expressions can be entered including basic arithmetic, dereferencing, and name resolution (function names, data variable names, segment names, etc). Numerics default to hexadecimal but that can be controlled as well. Full documentation on the syntax of this field can be found here.
Switching Views¶
Switching views happens multiple ways. In some instances, it is automatic (clicking a data reference from graph view will navigate to linear view as data is not shown in the graph view), and there are multiple ways to manually change views as well. While navigating, you can use the view hotkeys (see below) to switch to a specific view at the same location as the current selection. Alternatively, the view menu in the bottom-right can be used to change views without navigating to any given location.
Command-Palette¶
One great feature for quickly navigating through a variety of options and actions is the command palette. Inspired by similar features in Sublime, and VS Code, the command-palette is a front end into an application-wide, context-sensitive action system that all actions, plugins, and hotkeys in the system are routed through.
To trigger it, simply use the [CMD/CTRL] p hotkey. Note that the command-palette is context-sensitive and therefore some actions (for example, Display as - Binary) may only be available depending on your current view or selection. This is also available to plugins. For example, a plugin may use PluginCommand.register with the optional is_valid callback to determine when the action should be available.
Custom Hotkeys¶
Any action in the action system can have a custom hotkey mapped to it. To access the keybindings menu, use the [CMD/CTRL-SHIFT] b hotkey, via the Edit / Keybindings... menu, or the Keybindings command palette entry.
Note
On MacOS, Ctrl refers to the Command key, while Meta refers to the Control key. This is a remapping performed by Qt to make cross-platform keybindings easier to define.
Tip
To search in the keybindings list, just click to make sure it's focused and start typing!
Default Hotkeys¶
h: Switch to hex viewp: Create a function[ESC]: Navigate backward[CMD] [(MacOS) : Navigate backward[CMD] ](MacOS) : Navigate forward[CTRL] [(Windows/Linux) : Navigate backward[CTRL] ](Windows/Linux) : Navigate forward[SPACE]: Toggle between linear view and graph viewg: Go To Address dialogn: Name a symbolu: Undefine an existing symbol (only for removing new user-defined names)e: Edits an instruction (by modifying the original binary -- currently only enabled for x86, and x64)x: Focuses the cross-reference pane;: Adds a commenti: Cycles between disassembly, LLIL, MLIL and HLIL in graph viewt: Switch to type viewy: Change typea: Change the data type to an ASCII string- [1248] : Change type directly to a data variable of the indicated widths
d: Switches between data variables of various widthsr: Change the data type to single ASCII charactero: Create a pointer data type[CMD-SHIFT] +(MacOS) : Graph view zoom in[CMD-SHIFT] -(MacOS) : Graph view zoom out[CTRL-SHIFT] +(Windows/Linux) : Graph view zoom in[CTRL-SHIFT] -(Windows/Linux) : Graph view zoom out
Graph View¶
The default view in Binary Ninja when opening a binary is a graph view that groups the basic blocks of disassembly into visually distinct blocks with edges showing control flow between them.
Features of the graph view include:
- Ability to double click edges to quickly jump between locations
- Zoom (CTRL-mouse wheel)
- Vertical Scrolling (Side scroll bar as well as mouse wheel)
- Horizontal Scrolling (Bottom scroll bar as well as SHIFT-mouse wheel)
- Individual highlighting of arguments, addresses, immediate values
- Edge colors indicate whether the path is the true or false case of a conditional jump (a color-blind option in the preferences is useful for those with red-green color blindness)
- Context menu that can trigger some function-wide actions as well as some specific to the highlighted instruction (such as inverting branch logic or replacing a specific function with a NOP)
View Options¶
Each of the views (Hex, Graph, Linear) have a variety of options configurable in the bottom-right of the UI.
Current options include:
- Hex
- Background highlight
- None
- Column
- Byte value
- Color highlight
- None
- ASCII and printable
- Modification
- Contrast
- Normal
- Medium
- Highlight
- Background highlight
- Graph
- Show address
- Show opcode bytes
- Assembly
- Lifted IL
- Show IL flag usage (if showing Lifted IL)
- Low Level IL
- Show basic block register state (if showing Low Level IL)
- Medium Level IL
- Show basic block register state (if showing Medium IL)
- High Level IL
- Show basic block register state (if showing High IL)
- Linear
- Show address
- Show call parameter names
- Show opcode bytes
- Show register set highlighting
- Show variable types
- List default register types
Hex View¶
The hexadecimal view is useful for view raw binary files that may or may not even be executable binaries. The hex view is particularly good for transforming data in various ways via the Copy as, Transform, and Paste from menus. Note that Transform menu options will transform the data in-place, and that these options will only work when the Hex View is in the Raw mode as opposed to any of the binary views (such as "ELF", "Mach-O", or "PE").
Tip
Any changes made in the Hex view will take effect immediately in any other views open into the same file (new views can be created via the Split to new tab, or Split to new window options under View.). This can, however, cause large amounts of re-analysis so be warned before making large edits or transformations in a large binary file.
Cross References Pane¶
The Cross References view in the lower-left shows all cross-references to the currently selected address, address range, variable or type. This pane will change depending on whether an entire line is selected (all cross-references to that address/type/variable are shown), or whether a specific token within the line is selected. For instance if you click on the symbol memmove in call memmove it will display all known cross-references to memmove, whereas if you click on the line the call instruction is on, you will only get cross-references to the address of the call instruction. Cross-references can be either incoming or outgoing, and they can be either data, code, type, or variable.
Code References¶
Code references are references to or from code, but not necessarily to code. Code References can reference, code, data, or structure types. Code References are interprocedural, and unfortunately due to speed considerations we currently only show disassembly (rather than an IL) when displaying these types of references. In a future version we hope to address this limitation.
Data References¶
Data References are references created by data (i.e. pointers), notnecessarily to data. Outgoing Data References are what is pointed to by the currently selected data. Incoming Data References are the set of data pointers which point to this address.
Variable References¶
Variable References are all the set of uses of a given variable. As these references are intraprocedural we're able to show the currently viewed IL in the preview.
Type References¶
Type References are references to types and type members made by other types, perhaps more accurately called Type-to-Type-References.
Tree-based Layout¶
The cross-references pane comes in two different layouts: tree-based (default and shown above) and table-based (this can be toggled through the context menu or the command palette). The tree-based layout provides the most condensed view, allowing users to quickly see (for instance) how many references are present to the current selection overall and by function. It also allows collapsing to quickly hide uninteresting results.
Table-based Layout¶
The table-based layout provides field-based sorting and multi-select. Clicking the Filter text expands the filter pane, showing options for filtering the current results.
Template Simplifier¶
The analysis.types.TemplateSimplifier setting can be helpful when working with C++ symbols.
- Before Simplification
- After Simplification
hover over the image to temporarily pause
Cross-Reference Filtering¶
The first of the two drop down boxes allows the selection of incoming, outgoing, or both incoming and outgoing (default). The second allows selection of code, data, type, or variable or any combination thereof. The text box allows regular expression matching of results. When a filter is selected the Filter display changes from Filter (<total-count>) to Filter (<total-filtered>/<total-count>)
Cross-Reference Pinning¶
By default Binary Ninja's cross-reference pane is dynamic, allowing quick navigation to relevant references. Sometimes you might rather have the current references stick around so they can be used as a sort of work-list. This workflow is supported in three different ways. First and most obviously by clicking the Pin checkbox (which is only visible if the Filter drop-down is open). This prevents the list of cross-references from being updated even after the current selection is changed. Alternatively, SHIFT+X (or selecting Focus Pinned Cross References in the context menu or command palette) pops up a Pinned Cross References pane. This pane has a static address range which can only be updated through the Pinned Cross References action. The third way would be to select (or multi-select in table view) a set of cross-references then right-click Tag Selected Rows. The tag pane can then be used to navigate those references. Tags allow for persistent lists to be saved to analysis database whereas the other options only last for the current session.
Cross-Reference Hotkeys¶
x- Focus the cross-references pane[SHIFT] xFocus the pinned cross-references pane[OPTION/ALT] x- Navigate to the next cross-reference[OPTION/ALT-SHIFT] x- Navigate to the previous cross-reference
The following are only available when the cross-references pane is in focus:
[CMD/CTRL] f- Open the filter dialog[ESC]- Clear the search dialog[CMD/CTRL] a- Select all cross-references[ARROW UP/DOWN]- Select (but don't navigate) next/previous cross-reference[ENTER]- Navigate to the selected reference
Linear View¶
Linear view is a hybrid view between a graph-based disassembly window and the raw hex view. It lists the entire binary's memory in a linear fashion and is especially useful when trying to find sections of a binary that were not properly identified as code or even just examining data.
Linear view is most commonly used for identifying and adding type information for unknown data. To this end, as you scroll, you'll see data and code interspersed. Much like the graph view, you can turn on and off addresses via the command palette Show Address or the Options menu in the lower right. Many other option are also available.
Function List¶
The function list in Binary Ninja shows the list of functions currently identified. As large binaries are analyzed, the list may grow during analysis. The function list starts with known functions such as the entry point, exports, or using other features of the binary file format and explores from there to identify other functions.
The function list also highlights imports, and functions identified with symbols in different colors to make them easier to identify.
Tip
To search in the function list, just click to make sure it's focused and start typing!
Reflection View¶
- View BNILs and assembly for the same file side-by-side
- Settings to control the synchronization behavior
- Right Click the Function Header for quick access to synchronization mode changes
-
Reflection currently presents in graph view only
-
When main view is linear, Mini Graph renders the Reflection View
High Level IL¶
Binary Ninja features a decompiler that produces High Level IL (HLIL) as output. HLIL is not intended to be a representation of the code in C, but some users prefer to have a more C-like scoping style.
You can control the way HLIL appears in the settings.
The different options are shown below:
Dead Store Elimination¶
Binary Ninja tries to be conservative with eliminating unused variables on the stack. When the analysis finds a variable that cannot be eliminated but does not appear to be used, the assignment will appear grayed out in the decompiler output. The first two lines of the function below show this:
In this case, these variables are actually unused and can be eliminated. You can tell Binary Ninja to do this by right clicking on the variable and choosing "Allow" from the "Dead Store Elimination" submenu.
Performing this action on both variables in the example results in the following output:
Script (Python) Console¶
The integrated script console is useful for small scripts that aren't worth writing as full plugins.
To trigger the console, either use <CTRL>-<BACKTICK>, or use the View/Native Docks/Show Python Console menu.
Once loaded, the script console can be docked in different locations or popped out into a stand-alone window. Note that at this time window locations are not saved on restart.
Multi-line input is possible just by doing what you'd normally do in python. If you leave a trailing : at the end of a line, the box will automatically turn into a multi-line edit box, complete with a command-history. To submit that multi-line input, use <CTRL>-<ENTER>
By default the interactive python prompt has a number of convenient helper functions and variables built in:
here/current_address: address of the current selectionbv/current_view/ : the current BinaryViewcurrent_function: the current Functioncurrent_basic_block: the current BasicBlockcurrent_llil: the current LowLevelILFunctioncurrent_mlil: the current MediumLevelILFunctioncurrent_selection: a tuple of the start and end addresses of the current selectionwrite_at_cursor(data): function that writes data to the start of the current selectionget_selected_data(): function that returns the data in the current selection
Note
The current script console only supports Python at the moment, but it's fully extensible for other programming languages for advanced users who wish to implement their own bindings.
Using Plugins¶
Plugins can be installed by one of two methods. First, they can be manually installed by adding the plugin (either a .py file or a folder implementing a python module with a __init__.py file) to the appropriate path:
- MacOS:
~/Library/Application Support/Binary Ninja/plugins/ - Linux:
~/.binaryninja/plugins/ - Windows:
%APPDATA%\Binary Ninja\plugins
Alternatively, plugins can be installed with the new pluginmanager API.
For more detailed information on plugins, see the plugin guide.
PDB Plugin¶
Binary Ninja supports loading PDB files through a built in PDB loader. When selected from the plugin menu it attempts to find the corresponding PDB file using the following search order:
- Look for in the same directory as the opened file/bndb (e.g. If you have
c:\foo.exeorc:\foo.bndbopen the PDB plugin looks forc:\foo.pdb) - Look in the local symbol store. This is the directory specified by the settings:
local-store-relativeorlocal-store-absolute. The format of this directory isfoo.pdb\<guid>\foo.pdb. - Attempt to connect and download the PDB from the list of symbol servers specified in setting
symbol-server-list. - Prompt the user for the PDB.
Settings¶
Binary Ninja provides various settings which are available via the [CMD/CTRL] , hotkey. These settings allow a wide variety of customization of the user interface and functional aspects of the analysis environment.
There are several scopes available for settings:
- User Settings - Settings that apply globally and override the defaults. These settings are stored in
settings.jsonwithin the User Folder. - Project Settings - Settings which only apply if a project is opened. These settings are stored in
.binaryninja/settings.jsonwithin a Project Folder. Project Folders can exist anywhere except within the User Folder. These settings apply to all files contained in the Project Folder and override the default and user settings. - Resource Settings - Settings which only apply to a specific BinaryView object within a file. These settings persist in a Binary Ninja Database (.bndb) database or ephemerally in a BinaryView object if a database does not yet exist for a file.
All settings are uniquely identified with an identifier string. Identifiers are available in the UI via the context menu and are useful for programmatically interacting with settings.
Note: In order to facilitate reproducible analysis results, when opening a file for the first time, all of the analysis settings are automatically serialized into the Resource Setting scope. This prevents subsequent User and Project setting modifications from unintentionally changing existing analysis results.
All Settings¶
Here's a list of all settings currently available from the UI:
| Category | Setting | Description | Type | Default | Scope | Key |
|---|---|---|---|---|---|---|
| analysis | Disallow Branch to String | Enable the ability to halt analysis of branch targets that fall within a string reference. This setting may be useful for malformed binaries. | boolean |
False |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.conservative.disallowBranchToString |
| analysis | Never Save Undo Data | Never save previous user actions to the database. | boolean |
False |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.database.neverSaveUndoData |
| analysis | Suppress Reanalysis | Disable function reanalysis on database load when the product version or analysis settings change. | boolean |
False |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.database.suppressReanalysis |
| analysis | Alternate Type Propagation | Enable an alternate approach for function type propagation. This setting is experimental and may be useful for some binaries. | boolean |
False |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.experimental.alternateTypePropagation |
| analysis | Correlated Memory Value Propagation | Attempt to propagate the value of an expression from a memory definition to a usage. Currently this feature is simplistic and the scope is a single basic block. This setting is experimental and may be useful for some binaries. | boolean |
True |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.experimental.correlatedMemoryValuePropagation |
| analysis | Heuristic Value Range Clamping | Use DataVariable state inferencing to help determine the possible size of a lookup table. | boolean |
True |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.experimental.heuristicRangeClamp |
| analysis | Always Analyze Indirect Branches | When using faster analysis modes, perform full analysis of functions containing indirect branches. | boolean |
True |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.forceIndirectBranches |
| analysis | Advanced Analysis Cache Size | Controls the number of functions for which the most recent generated advanced analysis is cached. Large values may result in very high memory utilization. | number |
64 |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.limits.cacheSize |
| analysis | Max Function Analysis Time | Any functions that exceed this analysis time are deferred. A value of 0 disables this feature. The default value is 20 seconds. Time is specified in milliseconds. | number |
20000 |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.limits.maxFunctionAnalysisTime |
| analysis | Max Function Size | Any functions over this size will not be automatically analyzed. A value of 0 disables analysis of functions and suppresses the related log warning. To override see FunctionAnalysisSkipOverride. Size is specified in bytes. | number |
65536 |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.limits.maxFunctionSize |
| analysis | Max Function Update Count | Any functions that exceed this incremental update count are deferred. A value of 0 disables this feature. | number |
100 |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.limits.maxFunctionUpdateCount |
| analysis | Max Lookup Table Size | Limits the maximum number of entries for a lookup table. | number |
4095 |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.limits.maxLookupTableSize |
| analysis | Maximum String Annotation Length | The maximum substring length that will be shown in string annotations. | number |
32 |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.limits.maxStringAnnotationLength |
| analysis | Minimum String Length | The minimum length for strings created during auto-analysis | number |
4 |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.limits.minStringLength |
| analysis | Worker Thread Count | The number of worker threads available for concurrent analysis activities. | number |
15 |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.limits.workerThreadCount |
| analysis | Autorun Linear Sweep | Automatically run linear sweep when opening a binary for analysis. | boolean |
True |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.linearSweep.autorun |
| analysis | Control Flow Graph Analysis | Enable the control flow graph analysis (Analysis Phase 3) portion of linear sweep. | boolean |
True |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.linearSweep.controlFlowGraph |
| analysis | Detailed Linear Sweep Log Information | Linear sweep generates additional log information at the InfoLog level. | boolean |
False |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.linearSweep.detailedLogInfo |
| analysis | Entropy Heuristics for Linear Sweep | Enable the application of entropy based heuristics to the function search space for linear sweep. | boolean |
True |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.linearSweep.entropyHeuristics |
| analysis | Max Linear Sweep Work Queues | The number of binary regions under concurrent analysis. | number |
64 |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.linearSweep.maxWorkQueues |
| analysis | Analysis Mode | Controls the amount of analysis performed on functions. | string |
full |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.mode |
| enum: Only perform control flow analysis on the binary. Cross references are valid only for direct function calls. [Disassembly Only] | enum |
controlFlow |
||||
| enum: Perform fast initial analysis of the binary. This mode does not analyze types or data flow through stack variables. [LLIL and Equivalents] | enum |
basic |
||||
| enum: Perform analysis which includes type propagation and data flow. [MLIL and Equivalents] | enum |
intermediate |
||||
| enum: Perform full analysis of the binary. | enum |
full |
||||
| analysis | Autorun Function Signature Matcher | Automatically run the function signature matcher when opening a binary for analysis. | boolean |
True |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.signatureMatcher.autorun |
| analysis | Auto Function Analysis Suppression | Enable suppressing analysis of automatically discovered functions. | boolean |
False |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.suppressNewAutoFunctionAnalysis |
| analysis | Tail Call Heuristics | Attempts to recover function starts that may be obscured by tail call optimization (TCO). Specifically, branch targets within a function are analyzed as potential function starts. | boolean |
True |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.tailCallHeuristics |
| analysis | Tail Call Translation | Performs tail call translation for jump instructions where the target is an existing function start. | boolean |
True |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.tailCallTranslation |
| analysis | Simplify Templates | Simplify common C++ templates that are expanded with default arguments at compile time (eg. std::__cxx11::basic_string<wchar, std::char_traits<wchar>, std::allocator<wchar> > to std::wstring). |
boolean |
False |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.types.TemplateSimplifier |
| analysis | Unicode Blocks | Defines which unicode blocks to consider when searching for strings. | array |
[] | [SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.unicode.blocks |
| analysis | UTF-16 Encoding | Whether or not to consider UTF-16 code points when searching for strings. | boolean |
True |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.unicode.utf16 |
| analysis | UTF-32 Encoding | Whether or not to consider UTF-32 code points when searching for strings. | boolean |
True |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.unicode.utf32 |
| analysis | UTF-8 Encoding | Whether or not to consider UTF-8 code points when searching for strings. | boolean |
True |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
analysis.unicode.utf8 |
| arch | x86 Disassembly Case | Specify the case for opcodes, operands, and registers. | boolean |
True |
[SettingsUserScope] |
arch.x86.disassembly.lowercase |
| arch | x86 Disassembly Separator | Specify the token separator between operands. | string |
, |
[SettingsUserScope] |
arch.x86.disassembly.separator |
| arch | x86 Disassembly Syntax | Specify disassembly syntax for the x86/x86_64 architectures. | string |
BN_INTEL |
[SettingsUserScope] |
arch.x86.disassembly.syntax |
| enum: Sets the disassembly syntax to a simplified Intel format. (TBD) | enum |
BN_INTEL |
||||
| enum: Sets the disassembly syntax to Intel format. (Destination on the left) | enum |
INTEL |
||||
| enum: Sets the disassembly syntax to AT&T format. (Destination on the right) | enum |
AT&T |
||||
| corePlugins | Aarch64 Architecture | Enable the built-in Aarch64 architecture module. | boolean |
True |
[SettingsUserScope] |
corePlugins.architectures.aarch64 |
| corePlugins | ARMv7 Architecture | Enable the built-in ARMv7 architecture module. | boolean |
True |
[SettingsUserScope] |
corePlugins.architectures.armv7 |
| corePlugins | MIPS Architecture | Enable the built-in MIPS architecture module. | boolean |
True |
[SettingsUserScope] |
corePlugins.architectures.mips |
| corePlugins | PowerPC Architecture | Enable the built-in PowerPC architecture module. | boolean |
True |
[SettingsUserScope] |
corePlugins.architectures.powerpc |
| corePlugins | x86/x86_64 Architecture | Enable the built-in x86/x86_64 architecture module. | boolean |
True |
[SettingsUserScope] |
corePlugins.architectures.x86 |
| corePlugins | Crypto Plugin | Enable the built-in crypto plugin. | boolean |
True |
[SettingsUserScope] |
corePlugins.crypto |
| corePlugins | PDB Loader | Enable the built-in PDB loader plugin. | boolean |
True |
[SettingsUserScope] |
corePlugins.pdb |
| corePlugins | DECREE Platform | Enable the built-in DECREE platform module. | boolean |
True |
[SettingsUserScope] |
corePlugins.platforms.decree |
| corePlugins | FreeBSD Platform | Enable the built-in FreeBSD platform module. | boolean |
True |
[SettingsUserScope] |
corePlugins.platforms.freebsd |
| corePlugins | Linux Platform | Enable the built-in Linux platform module. | boolean |
True |
[SettingsUserScope] |
corePlugins.platforms.linux |
| corePlugins | macOS Platform | Enable the built-in macOS platform module. | boolean |
True |
[SettingsUserScope] |
corePlugins.platforms.mac |
| corePlugins | Windows Platform | Enable the built-in Windows platform module. | boolean |
True |
[SettingsUserScope] |
corePlugins.platforms.windows |
| corePlugins | Triage Plugin | Enable the built-in triage plugin. | boolean |
True |
[SettingsUserScope] |
corePlugins.triage |
| downloadClient | HTTPS Proxy | Override default HTTPS proxy settings. By default, HTTPS Proxy settings are detected and used automatically via environment variables (e.g., https_proxy). Alternatively, proxy settings are obtained from the Internet Settings section of the Windows registry, or the Mac OS X System Configuration Framework. | string |
[SettingsUserScope] |
downloadClient.httpsProxy | |
| downloadClient | Download Provider | Specify the registered DownloadProvider which enables resource fetching over HTTPS. | string |
CoreDownloadProvider |
[SettingsUserScope] |
downloadClient.providerName |
enum |
QtDownloadProvider |
|||||
enum |
CoreDownloadProvider |
|||||
enum |
PythonDownloadProvider |
|||||
| files | Auto Rebase Load File | When opening a file with options, automatically rebase an image which has a default load address of zero to 4MB for 64-bit binaries, or 64KB for 32-bit binaries. | boolean |
False |
[SettingsUserScope, SettingsProjectScope] |
files.pic.autoRebase |
| files | Universal Mach-O Architecture Preference | Specify an architecture preference for automatic loading of a Mach-O file from a Universal archive. By default, the first object file in the listing is loaded. | array |
[] | [SettingsUserScope] |
files.universal.architecturePreference |
enum |
alpha |
|||||
enum |
arm |
|||||
enum |
arm64 |
|||||
enum |
arm64_32 |
|||||
enum |
hppa |
|||||
enum |
i860 |
|||||
enum |
mc680x0 |
|||||
enum |
mc88000 |
|||||
enum |
mc98000 |
|||||
enum |
mips |
|||||
enum |
ppc |
|||||
enum |
ppc64 |
|||||
enum |
sparc |
|||||
enum |
vax |
|||||
enum |
x86 |
|||||
enum |
x86_64 |
|||||
| pdb | Auto Download PDBs | Automatically download pdb files from specified symbol servers. | boolean |
True |
[SettingsUserScope, SettingsProjectScope] |
pdb.autoDownload |
| pdb | Absolute PDB Symbol Store Path | Absolute path specifying where the PDB symbol store exists on this machine, overrides relative path. | string |
[SettingsUserScope, SettingsProjectScope] |
pdb.localStoreAbsolute | |
| pdb | Relative PDB Symbol Store Path | Path relative to the binaryninja user directory, specifying the pdb symbol store. | string |
symbols |
[SettingsUserScope, SettingsProjectScope] |
pdb.localStoreRelative |
| pdb | Symbol Server List | List of servers to query for pdb symbols. | array |
[https://msdl.microsoft.com/download/symbols] |
[SettingsUserScope, SettingsProjectScope] |
pdb.symbolServerList |
| pluginManager | Community Plugin Manager Update Channel | Specify which community update channel the Plugin Manager should update plugins from. | string |
master |
[SettingsUserScope] |
pluginManager.communityUpdateChannel |
| enum: The default channel. This setting should be used unless you are testing the Plugin Manager. | enum |
master |
||||
| enum: Plugin Manager test channel. | enum |
test |
||||
| pluginManager | Official Plugin Manager Update Channel | Specify which official update channel the Plugin Manager should update plugins from. | string |
master |
[SettingsUserScope] |
pluginManager.officialUpdateChannel |
| enum: The default channel. This setting should be used unless you are testing the Plugin Manager. | enum |
master |
||||
| enum: Plugin Manager test channel. | enum |
test |
||||
| python | Python Interpreter | Python interpreter library(dylib/dll/so.1) to load if one is not already present when plugins are loaded. | string |
[SettingsUserScope] |
python.interpreter | |
| python | Minimum Python Log Level | Set the minimum Python log level which applies in headless operation only. The log is connected to stderr. Additionally, stderr must be associated with a terminal device. | string |
WarningLog |
[SettingsUserScope] |
python.log.minLevel |
| enum: Print Debug, Info, Warning, Error, and Alert messages to stderr on the terminal device. | enum |
DebugLog |
||||
| enum: Print Info, Warning, Error, and Alert messages to stderr on the terminal device. | enum |
InfoLog |
||||
| enum: Print Warning, Error, and Alert messages to stderr on the terminal device. | enum |
WarningLog |
||||
| enum: Print Error and Alert messages to stderr on the terminal device. | enum |
ErrorLog |
||||
| enum: Print Alert messages to stderr on the terminal device. | enum |
AlertLog |
||||
| enum: Disable all logging in headless operation. | enum |
Disabled |
||||
| triage | Triage Analysis Mode | Controls the amount of analysis performed on functions when opening for triage. | string |
basic |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
triage.analysisMode |
| enum: Only perform control flow analysis on the binary. Cross references are valid only for direct function calls. | enum |
controlFlow |
||||
| enum: Perform fast initial analysis of the binary. This mode does not analyze types or data flow through stack variables. | enum |
basic |
||||
| enum: Perform full analysis of the binary. | enum |
full |
||||
| triage | Triage Shows Hidden Files | Whether the Triage file picker shows hidden files. | boolean |
False |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
|
| triage | Triage Linear Sweep Mode | Controls the level of linear sweep performed when opening for triage. | string |
partial |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
triage.linearSweep |
| enum: Do not perform linear sweep of the binary. | enum |
none |
||||
| enum: Perform linear sweep on the binary, but skip the control flow graph analysis phase. | enum |
partial |
||||
| enum: Perform full linear sweep on the binary. | enum |
full |
||||
| triage | Always Prefer Triage Summary View | Always prefer opening binaries in Triage Summary view, even when performing full analysis. | boolean |
False |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
triage.preferSummaryView |
| triage | Prefer Triage Summary View for Raw Files | Prefer opening raw files in Triage Summary view. | boolean |
False |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
triage.preferSummaryViewForRaw |
| ui | Color Blind | Choose colors that are visible to those with red/green color blindness. | boolean |
False |
[SettingsUserScope] |
ui.colorBlind |
| ui | Debug Mode | Enable developer debugging features (Additional views: Lifted IL, and IL SSA forms). | boolean |
False |
[SettingsUserScope] |
ui.debugMode |
| ui | Dock Window Title Bars | Enable to display title bars for dockable windows attached to a main window. | boolean |
True |
[SettingsUserScope] |
ui.docks.titleBars |
| ui | Feature Map Auto-Rotate | Automatically rotate the feature map orientation based on the current layout and dimensions. | boolean |
True |
[SettingsUserScope, SettingsProjectScope] |
ui.featureMap.autoRotate |
| ui | Feature Map | Enable the feature map which displays a visual overview of the BinaryView. | boolean |
True |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
ui.featureMap.enable |
| ui | Feature Map File-Backed Only Mode | Exclude mapped regions that are not backed by a load file. | boolean |
False |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
ui.featureMap.fileBackedOnly |
| ui | File Contents Lock | Lock the file contents to prevent accidental edits from the UI. File modification via API and menu based patching is explicitly allowed while the lock is enabled. | boolean |
True |
[SettingsUserScope] |
ui.fileContentsLock |
| ui | Auto Open with Options | Specify the file types which automatically open with the options dialog. | array |
[Mapped, Universal] |
[SettingsUserScope] |
ui.files.openWithOptions |
enum |
Mapped |
|||||
enum |
ELF |
|||||
enum |
Mach-O |
|||||
enum |
PE |
|||||
enum |
Universal |
|||||
| ui | Antialiasing | Select font antialiasing style. | string |
subpixel |
[SettingsUserScope] |
ui.font.antialiasing |
| enum: Perform subpixel antialiasing on fonts. | enum |
subpixel |
||||
| enum: Avoid subpixel antialiasing on fonts if possible. | enum |
grayscale |
||||
| enum: No subpixel antialiasing at High DPI. | enum |
hidpi |
||||
| enum: No font antialiasing. | enum |
none |
||||
| ui | Bold Fonts | Allow bold fonts. | boolean |
True |
[SettingsUserScope] |
ui.font.bold |
| ui | Font Name | Font family selection. | string |
Source Code Pro |
[SettingsUserScope] |
ui.font.name |
| ui | Font Size | Font point size selection. | number |
12 |
[SettingsUserScope] |
ui.font.size |
| ui | Line Spacing | Specify an additional distance between adjacent baselines. | number |
1 |
[SettingsUserScope] |
ui.font.spacing |
| ui | Font Style | Font Style selection. | string |
[SettingsUserScope] |
ui.font.style | |
| ui | Number of history entries to store. | Controls the number of history entries to store for input dialogs. | number |
50 |
[SettingsUserScope] |
ui.inputHistoryCount |
| ui | Maximum UI Log Size | Set the maximum number of lines for the UI log. | number |
10000 |
[SettingsUserScope] |
ui.log.maxSize |
| ui | Minimum UI Log Level | Set the minimum log level for the UI log. | string |
InfoLog |
[SettingsUserScope] |
ui.log.minLevel |
| enum: Display Debug, Info, Warning, Error, and Alert messages to log console. | enum |
DebugLog |
||||
| enum: Display Info, Warning, Error, and Alert messages to log console. | enum |
InfoLog |
||||
| enum: Display Warning, Error, and Alert messages to log console. | enum |
WarningLog |
||||
| enum: Display Error and Alert messages to log console. | enum |
ErrorLog |
||||
| enum: Display Alert messages to log console. | enum |
AlertLog |
||||
| ui | Manual Tooltip | Enable to prevent tooltips from showing without <ctrl> being held. | boolean |
False |
[SettingsUserScope] |
ui.manualTooltip |
| ui | Recent Command Limit | Specify a limit for the recent command palette history. | number |
5 |
[SettingsUserScope] |
ui.recentCommandLimit |
| ui | Recent File Limit | Specify a limit for the recent file history in the new tab window. | number |
10 |
[SettingsUserScope] |
ui.recentFileLimit |
| ui | Show Indentation Guides | Show indentation markers in linear high-level IL | boolean |
True |
[SettingsUserScope] |
ui.renderIndentGuides |
| ui | Default Scripting Provider | Specify the registered ScriptingProvider for the default scripting console in the UI. | string |
Python |
[SettingsUserScope] |
ui.scripting.defaultProvider |
enum |
Python |
|||||
| ui | Scripting Provider History Size | Specify the maximum number of lines contained in the scripting history. | number |
1000 |
[SettingsUserScope] |
ui.scripting.historySize |
| ui | Display Settings Identifiers | Display setting identifiers in the UI settings view. | boolean |
False |
[SettingsUserScope] |
ui.settings.displayIdentifiers |
| ui | HLIL Scoping Style | Controls the display of new scopes in HLIL. | string |
default |
[SettingsResourceScope, SettingsUserScope, SettingsProjectScope] |
ui.style.hlil.scoping |
| enum: Default BNIL scoping style. | enum |
default |
||||
| enum: Braces around scopes, same line. | enum |
braces |
||||
| enum: Braces around scopes, new line. | enum |
bracesNewLine |
||||
| ui | Show Exported Data Variables | Show exported data variables in the symbol list. | boolean |
False |
[SettingsUserScope, SettingsProjectScope] |
ui.symbolList.showExportedDataVars |
| ui | Show Exported Functions | Show exported functions in the symbol list. | boolean |
True |
[SettingsUserScope, SettingsProjectScope] |
ui.symbolList.showExportedFunctions |
| ui | Show Imports | Show imports in the symbol list. | boolean |
True |
[SettingsUserScope, SettingsProjectScope] |
ui.symbolList.showImports |
| ui | Show Local Data Variables | Show local data variables in the symbol list. | boolean |
False |
[SettingsUserScope, SettingsProjectScope] |
ui.symbolList.showLocalDataVars |
| ui | Show Local Functions | Show local functions in the symbol list. | boolean |
True |
[SettingsUserScope, SettingsProjectScope] |
ui.symbolList.showLocalFunctions |
| ui | Theme | Customize the appearance and style of Binary Ninja. | string |
Dark |
[SettingsUserScope] |
ui.theme |
| ui | Graph View IL Carousel | Specify the IL view types and order for use with the 'Cycle IL' actions in Graph view. | array |
[Disassembly, LowLevelIL, MediumLevelIL, HighLevelIL] |
[SettingsUserScope] |
ui.view.graph.carousel |
enum |
Disassembly |
|||||
enum |
LowLevelIL |
|||||
enum |
LiftedIL |
|||||
enum |
LowLevelILSSAForm |
|||||
enum |
MediumLevelIL |
|||||
enum |
MediumLevelILSSAForm |
|||||
enum |
MappedMediumLevelIL |
|||||
enum |
MappedMediumLevelILSSAForm |
|||||
enum |
HighLevelIL |
|||||
enum |
HighLevelILSSAForm |
|||||
| ui | Default IL for Graph View | Default IL for graph view on startup. | string |
Disassembly |
[SettingsUserScope] |
ui.view.graph.il |
enum |
Disassembly |
|||||
enum |
LowLevelIL |
|||||
enum |
LiftedIL |
|||||
enum |
LowLevelILSSAForm |
|||||
enum |
MediumLevelIL |
|||||
enum |
MediumLevelILSSAForm |
|||||
enum |
MappedMediumLevelIL |
|||||
enum |
MappedMediumLevelILSSAForm |
|||||
enum |
HighLevelIL |
|||||
enum |
HighLevelILSSAForm |
|||||
| ui | Prefer Disassembly Graph | Prefer graph view over linear view on startup. | boolean |
False |
[SettingsUserScope] |
ui.view.graph.preferred |
| ui | Linear View IL Carousel | Specify the IL view types and order for use with the 'Cycle IL' actions in Linear view. | array |
[Disassembly, LowLevelIL, MediumLevelIL, HighLevelIL] |
[SettingsUserScope] |
ui.view.linear.carousel |
enum |
Disassembly |
|||||
enum |
LowLevelIL |
|||||
enum |
LiftedIL |
|||||
enum |
LowLevelILSSAForm |
|||||
enum |
MediumLevelIL |
|||||
enum |
MediumLevelILSSAForm |
|||||
enum |
MappedMediumLevelIL |
|||||
enum |
MappedMediumLevelILSSAForm |
|||||
enum |
HighLevelIL |
|||||
enum |
HighLevelILSSAForm |
|||||
| ui | Linear View Gutter Width | Linear view gutter and tags width, in characters. | number |
5 |
[SettingsUserScope] |
ui.view.linear.gutterWidth |
| ui | Default IL for Linear View | Default linear view type to display on startup. | string |
HighLevelIL |
[SettingsUserScope] |
ui.view.linear.il |
enum |
Disassembly |
|||||
enum |
LowLevelIL |
|||||
enum |
LiftedIL |
|||||
enum |
LowLevelILSSAForm |
|||||
enum |
MediumLevelIL |
|||||
enum |
MediumLevelILSSAForm |
|||||
enum |
MappedMediumLevelIL |
|||||
enum |
MappedMediumLevelILSSAForm |
|||||
enum |
HighLevelIL |
|||||
enum |
HighLevelILSSAForm |
|||||
| ui | Default IL for Reflection View | Default IL for reflection view on startup. | string |
Disassembly |
[SettingsUserScope, SettingsProjectScope] |
ui.view.reflection.il |
enum |
Disassembly |
|||||
enum |
LowLevelIL |
|||||
enum |
LiftedIL |
|||||
enum |
LowLevelILSSAForm |
|||||
enum |
MediumLevelIL |
|||||
enum |
MediumLevelILSSAForm |
|||||
enum |
MappedMediumLevelIL |
|||||
enum |
MappedMediumLevelILSSAForm |
|||||
enum |
HighLevelIL |
|||||
enum |
HighLevelILSSAForm |
|||||
| ui | Reflection View IL Map | Specify the IL view to display based on a given source IL view. The source IL view is encoded as the index of this array and corresponds to the values defined in BNFunctionGraphType. | array |
[LowLevelIL, Disassembly, Disassembly, Disassembly, LowLevelIL, LowLevelILSSAForm, LowLevelIL, LowLevelILSSAForm, MediumLevelIL, MediumLevelILSSAForm] |
[SettingsUserScope, SettingsProjectScope] |
ui.view.reflection.ilMap |
enum |
Disassembly |
|||||
enum |
LowLevelIL |
|||||
enum |
LiftedIL |
|||||
enum |
LowLevelILSSAForm |
|||||
enum |
MediumLevelIL |
|||||
enum |
MediumLevelILSSAForm |
|||||
enum |
MappedMediumLevelIL |
|||||
enum |
MappedMediumLevelILSSAForm |
|||||
enum |
HighLevelIL |
|||||
enum |
HighLevelILSSAForm |
|||||
| ui | Reflection View IL Synchronization | Reflection view follows main view IL changes according to the Reflection View IL Map. | boolean |
True |
[SettingsUserScope, SettingsProjectScope] |
ui.view.reflection.ilSync |
| ui | Reflection View Location Synchronization | Reflection view follows navigation actions in the main view. | boolean |
True |
[SettingsUserScope, SettingsProjectScope] |
ui.view.reflection.locationSync |
| ui | TypeView Line Numbers | Controls the display of line numbers in the types view. | boolean |
True |
[SettingsUserScope] |
ui.view.types.lineNumbers |
| ui | File Path in Window Title | Controls whether the window title includes the full file path for the current file. | boolean |
False |
[SettingsUserScope] |
ui.window.title.showPath |
| updates | Active Content | Allow Binary Ninja to connect to the update server to check for updates and release notes. | boolean |
True |
[SettingsUserScope] |
updates.activeContent |
| updates | Update Channel Preferences | Select update channel and version. | string |
dev (2.2.2657-dev) |
[] | updates.channelPreferences |
| updates | Show All Versions | Show all versions that are available for the current update channel in the UI. | boolean |
False |
[SettingsUserScope] |
updates.showAllVersions |
| user | The email that will be shown when collaborating with other users. | string |
[SettingsUserScope] |
user.email | ||
| user | Name | The name that will be shown when collaborating with other users. | string |
[SettingsUserScope] |
user.name |
Updates¶
Binary Ninja automatically updates itself by default. This functionality can be disabled in the Update Channel dialog ([CMD/CTRL] p, Update Channel, or under the Preferences sub menu available under Edit on Linux and Windows, and the Application menu on MacOS) preferences by turning off the Update to latest version automatically option.
Updates are silently downloaded in the background and when complete an option to restart is displayed in the status bar. Whenever Binary Ninja restarts next, it will replace itself with the new version as it launches.
On windows, this is achieved through a separate launcher that loads first and replaces the installation before launching the new version which you'll notice as a separate window. On MacOS and Linux, the original installation is overwritten after the update occurs as these operating systems allow files to be replaced while running. The update on restart is thus immediate.
Note
If you have any trouble with the self-updater, you can always request a fresh set of download links as long as you are under active support.
Development Branch¶
Binary Ninja stable builds releases happen on semi-regular intervals throughout the year. However, we also make development builds available to customers with active support. Simply use the update dialog, and select one of the "Development" channels in the Update Channel field.
Unicode Support¶
Currently, Unicode support for Big Endian strings is very limited. Also, UTF-16 only supports Basic Latin code points.
Getting Support¶
Vector 35 offers a number of ways to receive support.