Skip to content

Binary Ninja Intermediate Language: Overview

The Binary Ninja Intermediate Language (BNIL) is a semantic representation of the assembly language instructions for a native architecture in Binary Ninja. BNIL is actually a family of intermediate languages that work together to provide functionality at different abstraction layers.

BNIL is a tree-based, architecture-independent intermediate representation of machine code used throughout Binary Ninja.

BNIL-Overview

During each step a number of optimizations and analysis passes occur, resulting in a higher and higher level of abstraction the further through the analysis binaries are processed.

Except that overview isn't telling the whole story! The real stack of BNIL actually looks like this:

BNIL-Stack

This short introduction is a very brief guide to BNIL with much more details in Part 1: LLIL and Part 2: MLIL.

Summary

While the image above shows a bit of the logical relationships between each IL in terms of analysis, it's only an approximation. The actual analysis includes more edges than just those shown. That said, here's a short overview of some of the differences between each IL and when you might wish to use a given one:

  • Lifted IL is intended to be a straight-forward translation from native instruction semantics to LLIL instructions. Note that Lifted IL and LLIL share the same instructions and are substantively similar with a few small differences.
  • Low Level IL (LLIL) is converted from Lifted IL, LLIL removes NOP instructions and folds flags into conditional instructions but otherwise contains the same operations as Lifted IL.
  • Low Level IL SSA Form is an SSA form of LLIL.
  • Mapped Medium Level IL is a translation layer between LLIL that is rarely needed for analysis but is useful for the translation process.
  • Medium Level IL (MLIL) translates registers and memory accesses into variables, types are associated with variables, platform information is used to generate call sites with types (both inferred and explicit) and parameters, data flow is calculated and constants are propagated.
  • Medium Level IL SSA Form is an SSA form of MLIL.
  • High Level IL (HLIL) builds on (use the high_level_il report type) MLIL by adding higher level control flow instructions, a number of dead-code and variable passes as well as other simplification/folding. It also includes an AST.

Reading IL

All of the various ILs (with the exception of the SSA forms) are intended to be easily human-readable and look much like pseudo-code. There is some shorthand notation that is used throughout the ILs, though, explained below:

Comparisons

First, all comparisons are either signed s<= or unsigned u>=.

Bitwise operations

Besides the typical && bitwise operators, BNIL makes use of sx and zx to indicate sign-extended and zero-extended operations.

Size Specifiers

Expressions in BNIL can have one of the following suffixes to indicate a size:

.q -- Qword (8 bytes)
.d -- Dword (4 bytes)
.w -- Word (2 bytes)
.b -- Byte (1 byte)

Note that floating point IL instructions have their own possible size suffixes:

.h -- Half (2 bytes)
.s -- Single (4 bytes)
.d -- Double (8 bytes)
.t -- Ten (10 bytes)
.o -- Oword (16 bytes)

Additionally, floating point IL operations are indicated with a prefixed f, like:

f* -- Floating-point multiplication
f/ -- Floating-point division
f+ -- Floating-point addition
f- -- Floating-point subtraction

Variable Offsets

Offsets into variables are specified with a :$offset syntax indicating how many bits from the bottom of the variable the expression is referencing.

Example

So putting all that together, if you were to see the following in an IL expression:

sx.q(rax_2:0.d)

It represents the lower 32-bits of variable rax_2, sign-extended into a 64-bit variable.

Using the API with ILs

When you want to use the API to access BNIL instructions, here are a few tips that will help you with the task. First, if you want to learn what properties different instructions have, instead of manually using dir() or looking in the documentation (1, 2) lists is to use the BNIL Graph plugin. Another very useful plugin is the IL Hierarch plugin. This plugin is extremely useful for showing the structure of IL instructions relative to one another. You can use several APIS (1, 2, 3) to see this overall structure, but the IL Hierarchy plugin lets you select a single IL instructions and see visually which categories of IL instructions it are in.

LLIL Hierarchy

So for example, if you want to try to determine whether a given instruction is a Call (which includes syscalls) you can use:

for h in current_hlil.instructions:
    if isinstance(h, Call):
        print(f"{str(h)} is a Call of some sort")
    if isinstance(h, LocalCall):
        print(f"{str(h)} is a LocalCall which means no syscalls! It has {len(h.params)} parameters.")

Here's what that instruction might look like when selected with the IL Hierarchy plugin:

HLIL Hierarchy Call Instruction

Be warned though! HLIL in particular is very tree-based. LLIL and MLIL are much safer to use the above paradigm of simply iterating through top-level instructions.

Make sure to also check out the specifics of each IL level for more details: LLIL, MLIL (HLIL not yet complete)

Back to top