Difference between the analysis phases

[stianholsen]

What are the differences between the three analysis phases that is run when opening a binary in Binary Ninja?

[plafosse]

Phase 1: Initial Recursive Descent - This phase will take the longest if your binary has lots of known function entry points or symbols
Phase 2: Heuristic Function Start Detection - This phase looks for things that look like call instructions and adds them for analysis
Phase 3: LinearSweep - Disassemble looking for things that look like functions

More information on our algorithm can be found here: https://binary.ninja/2017/11/06/architecture-agnostic-function-detection-in-binaries.html

[psifertex]

Additionally, there's a summary in the user documentation I had forgotten about:

https://docs.binary.ninja/getting-started.html#analysis

For more details on some of the analysis steps and how they're related, check out this in the BN python console:

Workflow().show_topology()

Note that the linear sweep analysis isn't fully integrated into the Workflows model yet but will be at some point.

[stianholsen]

Is it possible to use Triage Mode with the API? For example with the OpenFileNameField or update_analysis()/update_analysis_and_wait()?

[psifertex]

It's an open source plugin so it's easy to copy/paste the code but it's not exposed to the API directly:

https://github.com/Vector35/binaryninja-api/tree/dev/python/examples/triage

Some of the features are simple API calls, some do a bit more work to extract things.

[psifertex]

Also, note that the version that ships in the UI is not the python one but the C++ one: https://github.com/Vector35/binaryninja-api/tree/dev/examples/triage

Python's just easier (for me anyway!) to read.