angr 9.2.138__py3-none-manylinux2014_x86_64.whl → 9.2.140__py3-none-manylinux2014_x86_64.whl

angr/analyses/deobfuscator/api_obf_type2_finder.py

@@ -0,0 +1,166 @@
+from __future__ import annotations
+from typing import TYPE_CHECKING, cast
+
+from collections.abc import Iterator
+from dataclasses import dataclass
+import logging
+
+from angr.project import Project
+from angr.knowledge_base import KnowledgeBase
+from angr.knowledge_plugins.functions.function import Function
+from angr.knowledge_plugins.key_definitions import DerefSize
+from angr.knowledge_plugins.key_definitions.constants import ObservationPointType
+from angr.knowledge_plugins.key_definitions.atoms import MemoryLocation
+from angr.sim_variable import SimMemoryVariable
+
+if TYPE_CHECKING:
+    from angr.analyses.reaching_definitions import (
+        ReachingDefinitionsAnalysis,
+        FunctionCallRelationships,
+    )
+
+
+log = logging.getLogger(__name__)
+
+
+@dataclass
+class APIObfuscationType2:
+    """
+    API Obfuscation Type 2 result.
+    """
+
+    resolved_func_name: str
+    resolved_func_ptr: MemoryLocation
+    resolved_in: Function
+    resolved_by: Function
+
+
+class APIObfuscationType2Finder:
+    """
+    Finds global function pointers initialized by calls to dlsym/GetProcAddress and names
+    them accordingly.
+    """
+
+    results: list[APIObfuscationType2]
+
+    def __init__(self, project: Project, variable_kb: KnowledgeBase | None = None):
+        self.project = project
+        self.variable_kb = variable_kb or self.project.kb
+        self.results = []
+
+    def analyze(self) -> list[APIObfuscationType2]:
+        self.results = []
+        for caller, callee in self._get_candidates():
+            rda = self.project.analyses.ReachingDefinitions(caller, observe_all=True)
+            for info in rda.callsites_to(callee):
+                self._process_callsite(caller, callee, rda, info)
+        self._mark_globals()
+        return self.results
+
+    def _get_candidates(self) -> Iterator[tuple[Function, Function]]:
+        """
+        Returns a tuple of (caller, callee) where callee is GetProcAddress/dlsym.
+        """
+        targets = ["GetProcAddress"] if self.project.simos.name == "Win32" else ["dlsym", "dlvsym"]
+        for callee in self.project.kb.functions.values():
+            if callee.name not in targets:
+                continue
+            for caller_addr in self.project.kb.callgraph.predecessors(callee.addr):
+                caller = self.project.kb.functions[caller_addr]
+                yield (caller, callee)
+
+    def _process_callsite(
+        self,
+        caller: Function,
+        callee: Function,
+        rda: ReachingDefinitionsAnalysis,
+        callsite_info: FunctionCallRelationships,
+    ) -> None:
+        """
+        Process a resolver function callsite looking for function name concrete string argument.
+        """
+        func_name_arg_idx = 1
+        if len(callsite_info.args_defns) <= func_name_arg_idx:
+            return
+
+        log.debug("Examining call to %r from %r at %r", callee, caller, callsite_info.callsite.ins_addr)
+        ld = rda.model.get_observation_by_insn(callsite_info.callsite, ObservationPointType.OP_BEFORE)
+        if ld is None:
+            return
+
+        # Attempt resolving static function name from callsite
+        string_atom = ld.deref(callsite_info.args_defns[func_name_arg_idx], DerefSize.NULL_TERMINATE)
+        result = ld.get_concrete_value(string_atom, cast_to=bytes)
+        if result is None:
+            log.debug("...Failed to resolve a function name")
+            return
+
+        try:
+            func_name = result.rstrip(b"\x00").decode("utf-8")
+            log.debug("...Resolved concrete function name: %s", func_name)
+        except UnicodeDecodeError:
+            log.debug("...Failed to decode utf-8 function name")
+            return
+
+        # Examine successor definitions to find where the function pointer is written
+        for successor in rda.dep_graph.find_all_successors(callsite_info.ret_defns):
+            if not (
+                isinstance(successor.atom, MemoryLocation)
+                and isinstance(successor.atom.addr, int)
+                and successor.atom.size == self.project.arch.bytes
+            ):
+                continue
+
+            ptr = successor.atom
+            ptr_addr: int = cast(int, ptr.addr)
+            log.debug("...Found function pointer %r", ptr)
+
+            sym = self.project.loader.find_symbol(ptr_addr)
+            if sym is not None:
+                log.debug("...Already have pointer symbol: %r. Skipping.", sym)
+                continue
+            if ptr_addr in self.project.kb.labels:
+                log.debug("...Already have pointer label. Skipping.")
+                continue
+            sec = self.project.loader.find_section_containing(ptr_addr)
+            if not sec or not sec.is_writable:
+                log.debug("...Bogus section. Skipping.")
+                continue
+
+            self.results.append(
+                APIObfuscationType2(
+                    resolved_func_name=func_name,
+                    resolved_func_ptr=ptr,
+                    resolved_in=caller,
+                    resolved_by=callee,
+                )
+            )
+
+    def _mark_globals(self):
+        """
+        Create function pointer labels/variables.
+        """
+        for result in self.results:
+            # Create a label
+            lbl = self.project.kb.labels.get_unique_label(f"p_{result.resolved_func_name}")
+            self.project.kb.labels[result.resolved_func_ptr.addr] = lbl
+            log.debug("...Created label %s for address %x", lbl, result.resolved_func_ptr.addr)
+
+            # Create a variable
+            global_variables = self.variable_kb.variables["global"]
+            variables = global_variables.get_global_variables(result.resolved_func_ptr.addr)
+            if not variables:
+                ident = global_variables.next_variable_ident("global")
+                var = SimMemoryVariable(
+                    result.resolved_func_ptr.addr, result.resolved_func_ptr.size, name=lbl, ident=ident
+                )
+                global_variables.set_variable("global", result.resolved_func_ptr.addr, var)
+                log.debug("...Created variable %r", var)
+            elif len(variables) == 1:
+                (var,) = variables
+                log.debug("...Renaming variable %r -> %s", var, lbl)
+                var.name = lbl
+
+            self.project.kb.obfuscations.type2_deobfuscated_apis[result.resolved_func_ptr.addr] = (
+                result.resolved_func_name
+            )

angr/analyses/deobfuscator/string_obf_finder.py

@@ -9,11 +9,11 @@ import networkx
 
 import claripy
 
-from angr import sim_options
 from angr.analyses import Analysis, AnalysesHub
-from angr.errors import SimMemoryMissingError, AngrCallableMultistateError, AngrCallableError
+from angr.errors import SimMemoryMissingError, AngrCallableMultistateError, AngrCallableError, AngrAnalysisError
 from angr.calling_conventions import SimRegArg, default_cc
 from angr.state_plugins.sim_action import SimActionData
+from angr.sim_options import ZERO_FILL_UNCONSTRAINED_REGISTERS, ZERO_FILL_UNCONSTRAINED_MEMORY, TRACK_MEMORY_ACTIONS
 from angr.sim_type import SimTypeFunction, SimTypeBottom, SimTypePointer
 from angr.analyses.reaching_definitions import ObservationPointType
 from angr.utils.graph import GraphUtils
@@ -23,12 +23,23 @@ from .irsb_reg_collector import IRSBRegisterCollector
 _l = logging.getLogger(__name__)
 
 
+STEP_LIMIT_FIND = 500
+STEP_LIMIT_ANALYSIS = 5000
+
+
 class StringDeobFuncDescriptor:
+    """
+    Describes a string deobfuscation function.
+    """
+
+    string_input_arg_idx: int
+    string_output_arg_idx: int
+    string_length_arg_idx: int | None
+    string_null_terminating: bool | None
+
     def __init__(self):
-        self.string_input_arg_idx = None
-        self.string_output_arg_idx = None
         self.string_length_arg_idx = None
-        self.string_null_terminating: bool | None = None
+        self.string_null_terminating = None
 
 
 class StringObfuscationFinder(Analysis):
@@ -89,6 +100,9 @@ class StringObfuscationFinder(Analysis):
         # Type 1 string deobfuscation functions will decrypt each string once and for good.
 
         cfg = self.kb.cfgs.get_most_accurate()
+        if cfg is None:
+            raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
+
         arch = self.project.arch
 
         type1_candidates: list[tuple[int, StringDeobFuncDescriptor]] = []
@@ -100,6 +114,10 @@ class StringObfuscationFinder(Analysis):
             if func.prototype is None or len(func.prototype.args) < 1:
                 continue
 
+            if len(func.arguments) != len(func.prototype.args):
+                # function argument locations and function prototype arguments do not match
+                continue
+
             if self.project.kb.functions.callgraph.out_degree[func.addr] != 0:
                 continue
 
@@ -123,14 +141,22 @@ class StringObfuscationFinder(Analysis):
                 dec = self.project.analyses.Decompiler(func, cfg=cfg)
             except Exception:  # pylint:disable=broad-exception-caught
                 continue
-            if dec.codegen is None or not self._like_type1_deobfuscation_function(dec.codegen.text):
+            if (
+                dec.codegen is None
+                or not dec.codegen.text
+                or not self._like_type1_deobfuscation_function(dec.codegen.text)
+            ):
+                continue
+
+            func_node = cfg.get_any_node(func.addr)
+            if func_node is None:
                 continue
 
             args_list = []
             for caller in callers:
                 callsite_nodes = [
                     pred
-                    for pred in cfg.get_predecessors(cfg.get_any_node(func.addr))
+                    for pred in cfg.get_predecessors(func_node)
                     if pred.function_address == caller and pred.instruction_addrs
                 ]
                 observation_points = []
@@ -148,15 +174,21 @@ class StringObfuscationFinder(Analysis):
                         callsite_node.instruction_addrs[-1],
                         ObservationPointType.OP_BEFORE,
                     )
+                    if observ is None:
+                        continue
                     # load values for each function argument
                     args: list[tuple[int, Any]] = []
                     for arg_idx, func_arg in enumerate(func.arguments):
                         # FIXME: We are ignoring all non-register function arguments until we see a test case where
                         # FIXME: stack-passing arguments are used
+                        real_arg = func.prototype.args[arg_idx]
                         if isinstance(func_arg, SimRegArg):
                             reg_offset, reg_size = arch.registers[func_arg.reg_name]
+                            arg_size = (
+                                real_arg.size if real_arg.size is not None else reg_size
+                            ) // self.project.arch.byte_width
                             try:
-                                mv = observ.registers.load(reg_offset, size=reg_size)
+                                mv = observ.registers.load(reg_offset, size=arg_size)
                             except SimMemoryMissingError:
                                 args.append((arg_idx, claripy.BVV(0xDEADBEEF, self.project.arch.bits)))
                                 continue
@@ -185,7 +217,15 @@ class StringObfuscationFinder(Analysis):
             # now that we have good arguments, let's test the function!
             for args in args_list:
                 func_call = self.project.factory.callable(
-                    func.addr, concrete_only=True, cc=func.calling_convention, prototype=func.prototype
+                    func.addr,
+                    concrete_only=True,
+                    cc=func.calling_convention,
+                    prototype=func.prototype,
+                    add_options={
+                        ZERO_FILL_UNCONSTRAINED_MEMORY,
+                        ZERO_FILL_UNCONSTRAINED_REGISTERS,
+                    },
+                    step_limit=STEP_LIMIT_FIND,
                 )
 
                 # before calling the function, let's record the crime scene
@@ -202,6 +242,9 @@ class StringObfuscationFinder(Analysis):
                 except (AngrCallableMultistateError, AngrCallableError):
                     continue
 
+                if func_call.result_state is None:
+                    continue
+
                 # let's see what this amazing function has done
                 # TODO: Support cases where input and output are using different function arguments
                 for arg_idx, addr, old_value in values:
@@ -240,6 +283,9 @@ class StringObfuscationFinder(Analysis):
 
         arch = self.project.arch
         cfg = self.kb.cfgs.get_most_accurate()
+        if cfg is None:
+            raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
+
         func = self.kb.functions.get_by_addr(func_addr)
         func_node = cfg.get_any_node(func_addr)
         assert func_node is not None
@@ -260,14 +306,20 @@ class StringObfuscationFinder(Analysis):
                 callsite_node.instruction_addrs[-1],
                 ObservationPointType.OP_BEFORE,
             )
+            if observ is None:
+                continue
             args = []
-            for func_arg in func.arguments:
+            assert func.prototype is not None and len(func.arguments) == len(func.prototype.args)
+            for func_arg, real_arg in zip(func.arguments, func.prototype.args):
                 # FIXME: We are ignoring all non-register function arguments until we see a test case where
                 # FIXME: stack-passing arguments are used
                 if isinstance(func_arg, SimRegArg):
                     reg_offset, reg_size = arch.registers[func_arg.reg_name]
+                    arg_size = (
+                        real_arg.size if real_arg.size is not None else reg_size
+                    ) // self.project.arch.byte_width
                     try:
-                        mv = observ.registers.load(reg_offset, size=reg_size)
+                        mv = observ.registers.load(reg_offset, size=arg_size)
                     except SimMemoryMissingError:
                         args.append(claripy.BVV(0xDEADBEEF, self.project.arch.bits))
                         continue
@@ -286,7 +338,12 @@ class StringObfuscationFinder(Analysis):
 
             # call the function
             func_call = self.project.factory.callable(
-                func.addr, concrete_only=True, cc=func.calling_convention, prototype=func.prototype
+                func.addr,
+                concrete_only=True,
+                cc=func.calling_convention,
+                prototype=func.prototype,
+                add_options={ZERO_FILL_UNCONSTRAINED_MEMORY, ZERO_FILL_UNCONSTRAINED_REGISTERS},
+                step_limit=STEP_LIMIT_ANALYSIS,
             )
             try:
                 func_call(*args)
@@ -303,6 +360,9 @@ class StringObfuscationFinder(Analysis):
                 )
                 continue
 
+            if func_call.result_state is None:
+                continue
+
             # dump the decrypted string!
             output_addr = args[desc.string_output_arg_idx]
             length = args[desc.string_length_arg_idx].concrete_value if desc.string_length_arg_idx is not None else 256
@@ -322,6 +382,8 @@ class StringObfuscationFinder(Analysis):
             xref_set = xrefs.get_xrefs_by_dst(str_addr)
             block_addrs = {xref.block_addr for xref in xref_set}
             for block_addr in block_addrs:
+                if block_addr is None:
+                    continue
                 node = cfg.get_any_node(block_addr)
                 if node is not None:
                     callees = list(self.kb.functions.callgraph.successors(node.function_address))
@@ -340,6 +402,8 @@ class StringObfuscationFinder(Analysis):
         # Type 2 string deobfuscation functions will decrypt each string once and for good.
 
         cfg = self.kb.cfgs.get_most_accurate()
+        if cfg is None:
+            raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
 
         type2_candidates: list[tuple[int, StringDeobFuncDescriptor, list[tuple[int, int, bytes]]]] = []
 
@@ -374,7 +438,11 @@ class StringObfuscationFinder(Analysis):
                 dec = self.project.analyses.Decompiler(func, cfg=cfg, expr_collapse_depth=64)
             except Exception:  # pylint:disable=broad-exception-caught
                 continue
-            if dec.codegen is None or not self._like_type2_deobfuscation_function(dec.codegen.text):
+            if (
+                dec.codegen is None
+                or not dec.codegen.text
+                or not self._like_type2_deobfuscation_function(dec.codegen.text)
+            ):
                 continue
 
             desc = StringDeobFuncDescriptor()
@@ -384,7 +452,8 @@ class StringObfuscationFinder(Analysis):
                 concrete_only=True,
                 cc=func.calling_convention,
                 prototype=func.prototype,
-                add_options={sim_options.TRACK_MEMORY_ACTIONS},
+                add_options={TRACK_MEMORY_ACTIONS, ZERO_FILL_UNCONSTRAINED_MEMORY, ZERO_FILL_UNCONSTRAINED_REGISTERS},
+                step_limit=STEP_LIMIT_FIND,
             )
 
             try:
@@ -392,6 +461,9 @@ class StringObfuscationFinder(Analysis):
             except (AngrCallableMultistateError, AngrCallableError):
                 continue
 
+            if func_call.result_state is None:
+                continue
+
             # where are the reads and writes?
             all_global_reads = []
             all_global_writes = []
@@ -399,7 +471,7 @@ class StringObfuscationFinder(Analysis):
                 if not isinstance(action, SimActionData):
                     continue
                 if not action.actual_addrs:
-                    if not action.addr.ast.concrete:
+                    if action.addr is None or not action.addr.ast.concrete:
                         continue
                     actual_addrs = [action.addr.ast.concrete_value]
                 else:
@@ -469,6 +541,8 @@ class StringObfuscationFinder(Analysis):
         """
 
         cfg = self.kb.cfgs.get_most_accurate()
+        if cfg is None:
+            raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
 
         # for each string table address, we find its string loader function
         # an obvious candidate function is 0x140001b20
@@ -478,6 +552,8 @@ class StringObfuscationFinder(Analysis):
             xref_set = xrefs.get_xrefs_by_dst(table_addr)
             block_addrs = {xref.block_addr for xref in xref_set}
             for block_addr in block_addrs:
+                if block_addr is None:
+                    continue
                 node = cfg.get_any_node(block_addr)
                 if node is not None:
                     callees = list(self.kb.functions.callgraph.successors(node.function_address))
@@ -496,6 +572,9 @@ class StringObfuscationFinder(Analysis):
         #   not have a SimProcedure for)
 
         cfg = self.kb.cfgs.get_most_accurate()
+        if cfg is None:
+            raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
+
         functions = self.kb.functions
         callgraph_digraph = networkx.DiGraph(functions.callgraph)
 
@@ -554,7 +633,7 @@ class StringObfuscationFinder(Analysis):
             except Exception:  # pylint:disable=broad-exception-caught
                 # catch all exceptions
                 continue
-            if dec.codegen is None:
+            if dec.codegen is None or not dec.codegen.text:
                 continue
             if not self._like_type3_deobfuscation_function(dec.codegen.text):
                 continue
@@ -605,6 +684,8 @@ class StringObfuscationFinder(Analysis):
         """
 
         cfg = self.kb.cfgs.get_most_accurate()
+        if cfg is None:
+            raise AngrAnalysisError("StringObfuscationFinder needs a CFG for the analysis")
 
         call_sites = cfg.get_predecessors(cfg.get_any_node(func_addr))
         callinsn2content = {}
@@ -687,7 +768,7 @@ class StringObfuscationFinder(Analysis):
         # execute the block at the call site
         state = self.project.factory.blank_state(
             addr=call_site_addr,
-            add_options={sim_options.ZERO_FILL_UNCONSTRAINED_REGISTERS, sim_options.ZERO_FILL_UNCONSTRAINED_MEMORY},
+            add_options={ZERO_FILL_UNCONSTRAINED_REGISTERS, ZERO_FILL_UNCONSTRAINED_MEMORY},
         )
         # setup sp and bp, just in case
         state.regs._sp = 0x7FFF0000
@@ -728,7 +809,13 @@ class StringObfuscationFinder(Analysis):
             self.project.arch
         )
         callable_0 = self.project.factory.callable(
-            func_addr, concrete_only=True, base_state=in_state, cc=cc, prototype=prototype_0
+            func_addr,
+            concrete_only=True,
+            base_state=in_state,
+            cc=cc,
+            prototype=prototype_0,
+            add_options={ZERO_FILL_UNCONSTRAINED_MEMORY, ZERO_FILL_UNCONSTRAINED_REGISTERS},
+            step_limit=STEP_LIMIT_ANALYSIS,
         )
 
         try:

angr/analyses/forward_analysis/forward_analysis.py

@@ -181,7 +181,7 @@ class ForwardAnalysis(Generic[AnalysisState, NodeType, JobType, JobKey]):
         """
         return node
 
-    def _run_on_node(self, node: NodeType, state: AnalysisState) -> tuple[bool, AnalysisState]:
+    def _run_on_node(self, node: NodeType, state: AnalysisState) -> tuple[bool | None, AnalysisState]:
         """
         The analysis routine that runs on each node in the graph.
 

angr/analyses/propagator/top_checker_mixin.py

@@ -31,7 +31,7 @@ class ClaripyDataEngineMixin(
 
 
 def _vex_make_comparison(
-    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.Bool]
+    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.Bool],
 ) -> Callable[[ClaripyDataEngineMixin, Binop], claripy.ast.BV]:
     @SimEngineLightVEX.binop_handler
     def inner(self, expr):
@@ -44,7 +44,7 @@ def _vex_make_comparison(
 
 
 def _vex_make_vec_comparison(
-    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.Bool]
+    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.Bool],
 ) -> Callable[[ClaripyDataEngineMixin, int, int, Binop], claripy.ast.BV]:
     @SimEngineLightVEX.binopv_handler
     def inner(self, size, count, expr):
@@ -56,7 +56,7 @@ def _vex_make_vec_comparison(
 
 
 def _vex_make_operation(
-    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.BV]
+    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.BV],
 ) -> Callable[[ClaripyDataEngineMixin, Binop], claripy.ast.BV]:
     @SimEngineLightVEX.binop_handler
     def inner(self, expr: Binop):
@@ -70,7 +70,7 @@ def _vex_make_operation(
 
 
 def _vex_make_unary_operation(
-    func: Callable[[claripy.ast.BV], claripy.ast.BV]
+    func: Callable[[claripy.ast.BV], claripy.ast.BV],
 ) -> Callable[[ClaripyDataEngineMixin, Unop], claripy.ast.BV]:
     @SimEngineLightVEX.unop_handler
     def inner(self, expr):
@@ -84,7 +84,7 @@ def _vex_make_unary_operation(
 
 
 def _vex_make_shift_operation(
-    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.BV]
+    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.BV],
 ) -> Callable[[ClaripyDataEngineMixin, Binop], claripy.ast.BV]:
     @_vex_make_operation
     def inner(a, b):
@@ -99,7 +99,7 @@ def _vex_make_shift_operation(
 
 
 def _vex_make_vec_operation(
-    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.BV]
+    func: Callable[[claripy.ast.BV, claripy.ast.BV], claripy.ast.BV],
 ) -> Callable[[ClaripyDataEngineMixin, int, int, Binop], claripy.ast.BV]:
     @SimEngineLightVEX.binopv_handler
     def inner(self, size, count, expr):

angr/analyses/reaching_definitions/__init__.py

@@ -15,7 +15,7 @@ from angr.knowledge_plugins.key_definitions.atoms import (
 from angr.knowledge_plugins.key_definitions.definition import Definition
 from angr.analyses import register_analysis
 from .reaching_definitions import ReachingDefinitionsAnalysis, ReachingDefinitionsModel
-from .function_handler import FunctionHandler, FunctionCallData
+from .function_handler import FunctionHandler, FunctionCallData, FunctionCallRelationships
 from .rd_state import ReachingDefinitionsState
 
 if TYPE_CHECKING:
@@ -29,6 +29,7 @@ __all__ = (
     "ConstantSrc",
     "Definition",
     "FunctionCallData",
+    "FunctionCallRelationships",
     "FunctionHandler",
     "GuardUse",
     "LiveDefinitions",

angr/analyses/reaching_definitions/dep_graph.py

@@ -6,7 +6,6 @@ from typing import (
     Any,
 )
 from collections.abc import Iterable, Iterator
-from dataclasses import dataclass
 
 import networkx
 
@@ -35,16 +34,6 @@ def _is_definition(node):
     return isinstance(node, Definition)
 
 
-@dataclass
-class FunctionCallRelationships:  # TODO this doesn't belong in this file anymore
-    callsite: CodeLocation
-    target: int | None
-    args_defns: list[set[Definition]]
-    other_input_defns: set[Definition]
-    ret_defns: set[Definition]
-    other_output_defns: set[Definition]
-
-
 class DepGraph:
     """
     The representation of a dependency graph: a directed graph, where nodes are definitions, and edges represent uses.
@@ -84,7 +73,7 @@ class DepGraph:
         """
         self._graph.add_edge(source, destination, **labels)
 
-    def nodes(self) -> networkx.classes.reportviews.NodeView[Definition]:
+    def nodes(self) -> Iterator[Definition]:
         return self._graph.nodes()
 
     def predecessors(self, node: Definition) -> Iterator[Definition]: