Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Below is the full source code of a sample plugin. It performs a quite useful transformation of the pseudocode: replaces zeroes in pointer contexts with NULLs. A NULL immediately conveys the idea that the current expression is pointer-related. This is especially useful for unknown function arguments.
The plugin is fully automatic. It hooks to the decompiler events and waits for the pseudocode to be ready. At that moment it takes control and modifies the ctree.
The conversion is performed by the convert_zeroes() function. It visits all expressions of the ctree and checks for pointer contexts. If a expression has a pointer type, then the make_null_if_zero() function is called for it. This function checks if the expression is a zero constant and converts it if necessary.
The plugin can be turned on or off by its menu item in the Plugins submenu.
The code is short and straightforward. Use it as a template for your plugins.
\
IN PROGRESS
The IDA C++ SDK provides set of tools to interact with IDA Pro's disassembler, allowing you to navigate, analyze, and manipulate various elements such as functions, instructions, and data. This guide is designed to accelerate your learning curve with the IDA C++ SDK and kickstart your development journey, assuming you are already familiar with IDA Pro and its basic usage.
First, check Basics for core concepts and commonly used variables. Next, explore our Code Snippets to see examples of commonly used functions. Once you're comfortable with these, you can delve into more complex Examples that showcase advanced usage of the SDK.
You can download the latest C++ SDK Zip file from our Download Center in My Hex-Rays portal. The SDK package includes in the top-level directory a README file with instructions on how to install it on your local machine and additional README files in other directories for processor modules templates, loaders and so on.
One of the most extensivly used type is ea_t, commonly used to represent an effective address (EA) within a binary.
The IDA C++ SDK is organized into header files containing various classes and functions. Below is a short desription of commonly used IDA SDK header files:
pro.h: This is the first header included in the IDA project. It defines the most common types, functions, and data. It also contains compiler- and platform-related definitions.
ida.hpp: In this file the 'inf' structure is defined: it keeps all parameters of the disassembled file.
idp.hpp: The 'main' header file for IDP modules. Contains definition of the interface to IDP modules. The interface consists of 2 structures: processor_t - description of processor
asm_t - description of assembler
Each IDP has one processor_t and several asm_t structures.
loader.hpp: Definitions of IDP, LDR, and PLUGIN module interfaces. This file also contains:
functions to load files into the database
functions to generate output files
high level functions to work with the database (open, save, close)
ua.hpp: Functions that deal with the disassembling of program instructions. Disassembly of an instruction is made in three steps:
analysis
emulation
conversion to text
kernwin.hpp: Defines the interface between the kernel and the UI. Some string processing functions are also kept in this header.
idd.hpp: Debugger plugin API for debugger module writers. Contains definition of the interface to IDD modules.
bytes.hpp: Functions and definitions used to describe and manipulate each byte of the disassembled program. Information about the byte includes associated features (comments, names, references, etc), data types (dword, qword, string literal, etc), instruction operands, status (mapped, loaded, patched, etc), among others.
netnode.hpp: Functions that provide the lowest level public interface to the database. Modules can use this to keep some private information in the database. A description of the concept is available in the header file itself.
allins.hpp: List of instructions available from all processor modules.
auto.hpp: Auto-analysis related functions.
compress.hpp: Data compression functions.
config.hpp: Functions that deal with configuration options and files.
dbg.hpp: Contains functions to control the debugging of a process.
diskio.hpp: File I/O functions for IDA. You should not use standard C file I/O functions in modules. Use functions from this header, pro.h, and fpro.h instead.
entry.hpp: Functions that deal with entry points to the program being disassembled.
enum.hpp: Enumeration type management (assembly level types).
err.h: Thread safe functions that deal with error codes.
expr.hpp: Functions that deal with C-like expressions, external languages, and the built-in IDC language.
fixup.hpp: Functions that deal with fixup (relocation) information.
fpro.h: System independent counterparts of file I/O functions. These functions do check errors but never exit even if an error occurs. They return extended error code in qerrno variable. NOTE: You must use these functions instead of the C standard I/O functions.
frame.hpp: Routines to manipulate function stack frames, stack variables, register variables and local labels.
funcs.hpp: Routines for working with functions within the disassembled program. This file also contains routines for working with library signatures (e.g. FLIRT).
gdl.hpp: Low level graph drawing operations.
graph.hpp: Graph view management.
help.h: Help subsystem. This subsystem is not used in IDP files. We put it just in case.
ieee.h: IEEE floating point functions.
intel.hpp: Header file from the IBM PC module. For information only. It will not compile because it contains references to internal files!
lex.hpp: Tools for parsing C-like input.
lines.hpp: High level functions that deal with the generation of the disassembled text lines.
nalt.hpp: Definitions of various information kept in netnodes. These functions should not be used directly since they are very low level.
moves.hpp: Functions and classes related to location history.
name.hpp: Functions that deal with names (setting, deleting, getting, validating, etc).
offset.hpp: Functions that deal with offsets.
problems.hpp: Functions that deal with the list of problems.
prodir.h: Low level functions to find files in the file system. It is better to use enumerate_files2() from diskio.hpp.
pronet.h: Network related functions.
range.hpp: Contains the definition of the 'range_t' class. This is a base class used by many parts of IDA, such as the 'segment_t' and 'segreg_range_t' (segment register) classes.
registry.hpp: Registry related functions. IDA uses the registry to store global configuration options that must persist after IDA has been closed.
segment.hpp: Functions that deal with program segmentation.
segregs.hpp: Functions that deal with the segment registers. If your processor doesn't use segment registers, then you don't need this file.
strlist.hpp: Functions that deal with the strings list.
struct.hpp: Structure type management (assembly level types).
typeinf.hpp: Describes the type information records in IDA.
xref.hpp: Functions that deal with cross-references.
All functions usable in the modules are marked by the "ida_export" keyword.
Here are the most common namespaces to start with:
idc: This namespace provides access to IDC scripting functions via C++ SDK. It is often used for common tasks like setting comments or modifying bytes.
idati: This namespace is used for interacting with type information, such as function signatures and type definitions.
idaapi: This namespace contains core classes and functions for interacting with IDA's API, including functions for handling UI elements, plugins, and database access.
idamisc: This namespace includes utility functions for various tasks, such as working with the address space and disassembly.
Here are common functions and examples grouped by topics:
If you’re comfortable with the basics, explore advanced examples included in the SDK itself. These examples often leverage multiple modules to accomplish more sophisticated tasks.
Explore our tutorial on how to create your first custom plugin in IDA using C++.
The C++ SDK allows developers to create powerful plugins that can extend the IDA Pro capabilities, that enable deeper integration and more control over IDA's core functionality.
This guide will walk you through creating a basic plugin using the C++ SDK, demonstrating the structure and best practices for developing C++ plugins for IDA Pro.
Installed the lastest C++ SDK. You can get it from our Download Center in My Hex-Rays portal.
A working C++ development environment (compiler, debugger, etc.). For the Windows Visual Studio users, a plugin template has been created that can be used to create plugin solutions. It can be found in the C++ SDK with a corresponding README file.
Check the C++ SDK Reference Documentation for a comprehensive list of classes, functions, and available APIs.
Familiarize yourself with the plugin_t class and plugmod_t, that are fundamental for creating plugins using the C++ SDK.
Ensure compatibility with the latest version of IDA Pro and refer to the C++ SDK Porting Guide for any recent changes that might affect your plugin.
An IDA Pro plugin written in C++ typically involves:
A class that inherits from plugmod_t, this class will implement the actual plugin functionality.
An init() function that will return a pointer to the above mentioned class.
Flags that specify when and how the plugin should be loaded and unloaded.
Start by creating a new C++ source file for your plugin. This file will contain the main logic and define the necessary classes and methods for your plugin.
When creating a plugin, it's recommended to create an instace of the class plugin_t with specific flags and a class inheriting from plugmod_t that performs the core functionality.
Example of `implementation:
In our example:
MyPlugmod class: This class inherits from plugmod_t and overrides the run() method to perform the plugin's main functionality. The constructor and destructor provide initialization and cleanup messages.
PLUGIN exported plugin_t instance: This object sets the PLUGIN_MULTI flag to allow the plugin to be loaded multiple times if needed.
init function: This function is called by the by the kernel in order to initialize the plugin. It returns an instance of MyPlugmod.
Compile your plugin. Once your plugin code is ready, Use your C++ development environment to compile the plugin source code into a shared library (.dll on Windows, .so on Linux, or .dylib on macOS).
Install your plugin. Copy the compiled plugin binary to the plugins directory in your IDA installation folder.
Run your plugin. Execute the plugin via the specified hotkey or by selecting it from the Edit -> Plugins submenu.
Welcome to the Hex-Rays Developer Guide, where you can learn how to enhance IDA's capabilities and extend its features.
Utilize scripting options with the IDC language (IDA's native language) or IDAPython, or delve deeper into our SDK to build advanced modules and plugins.
Check our reference documentation for C++ SDK and IDAPython.
Begin your journey by learning about core concepts and exploring common examples relevant to your language of choice.
Our IDA SDK exposes API in the form of C++ libraries and header files, allowing you to create custom processor modules and plugins, automate tasks, or integrate new features directly into IDA. Our IDA API is defined and organized by the contents of the header files, that you can browse in our IDA C++ SDK Reference.
With IDA SDK, you can develop loaders for unsupported binary formats or custom processors modules to disassemble and analyze non-standard files. What's more, you can write plugins to perform complex, automated tasks and more, allowing you to go far beyong the basic IDC scripting.
Check out our Porting Guide, which is prepared to help you migrate and adapt your existing modules and plugins from IDA 8.x to IDA 8.5.
The IDAPython API provides you a range of functions to interact with the disassembler, navigate through the output, and manipulate various elements such as functions, instructions, data, and comments.
IDAPython API is organized in modules, however their number may be a bit overwhelming for the first sigh. Here's the list of modules that should catch your attention first:
idautils: This module extracts the most useful and handy functions allowing you to jump right away and interact with the disassembly without the need to scrutinize the whole IDAPython API from the start. You can find here functions to iterate through whole segments, functions (founded by IDA and also user-defined), named locations, etc.
ida_idaapi: The ida_idaapi module comes handy when you want to create custom plugins or handle events, as it gives you access to more advanced functions and allows interaction with overall system
idc: This module provides functions that were originally part of native IDA IDC scripting language, wrapped for use in IDAPython API. This is a great starting point if you're already familiar with IDC scripting.
ida_funcs: This module gives you tools to create and manipulate functions within IDA.
ida_kernwin: This module provides functionality to interact with IDA UI, so you can create custom dialogs and more.
When you start working with IDAPython, you'll realize that one of the most commonly passed variables is ea, which refers to the valid memory address (effective address). On the other hand, the BADADDR is a constant that indicates an invalid address. It is used to indicate that an operation (such as querying a function) has failed or returned an invalid result, or signify that a specific memory location is unusable. Whenever you're working with functions that return memory addresses, it's a best practice to check whether the result equals BADADDR to ensure the operation was successful.
Here you can check the most common functions grouped by topics and short code samples that can serve as building blocks for longer scripts. They are usually focused on performing one specific action and can be easily reusable in more complex scripts, which you can find later under examples.
get_first_seg()
IDC is an IDA native, embedded scripting language semantically similar to C/C++.
With IDC, you can write simple scripts for automating repetitive tasks and extending out-of-the-box IDA functionality (for example, for getting the list of all functions or marked positions) without creating more complex plugins with C++ SDK or IDAPython.
IDAPython allows you to use the Python code in IDA to write scripts and customize basic IDA functionality. It offers more advanced and powerful automation than the IDC language and gives you access to Python modules and native Python abilities to interact with our API.
When you are asking yourself how to automate work in IDA, like renaming variables or performing custom analyses, the IDAPython API comes in handy. You can use simple code snippets directly inside the IDA output window to perform specific tasks or more advanced scripts for complex usage. Moreover, with IDAPython, you can write plugins to expand basic IDA capabilities even further.
The IDAPython API enables you to extend IDA’s core functionality and create custom plugins. Whether running as standalone scripts in the output window or leveraging advanced UI features, these plugins can significantly enhance your workflow.
Compared to C++ SDK plugins, IDAPython plugins are faster and easier to develop—no need for lengthy build or compilation steps—while maintaining almost the same capabilities.
This tutorial outlines how to write plugins using the updated plugin framework and best practices to streamline your development process.
Get familiar with the ida_idaapi.plugin_t class, a basic and required class that provides the necessary structure for your plugin. It mirrors the C++ SDK plugin_t class.
In this tutorial, we’ll use a simple sample plugin designed to work with the new plugin framework, that simplifies plugin development. The plugin performs a straightforward task: once invoked by the user after loading a database, it lists all functions and their addresses for the current IDA database before exiting.
You can download "My First Plugin" from here:
.py file to startTo begin, your plugin should consist of a single Python file that serves as the entry point. This file should define the main logic and include necessary imports and primary functions that will be executed when the plugin runs.
It’s recommended to create a class that inherits from plugin_t with specific flags and a class inheriting from plugmod_t that performs the core functionality.
ida_idaapi.plugin_tInclude a class that inherits from plugin_t. This base class will outline the core functionality and lifecycle of your plugin.
Example of plugin_t class implementation:
ida_idaapi.plugmod_tTo implement the main functionality of your plugin within the new framework, it is recommended to define a subclass of plugmod_t, that performs the main task of the plugin.
Example of plugmod_t class implementation:
MyPlugin class attributesflags attribute
The flags attribute defines the behavior and plugin properties, and what is crucial, describe its lifecycle: how and when it is loaded into IDA.
Your plugin may have no flags (flags = 0). It is usually a good strategy for basic plugins that perform a specific task once and then are no longer needed. Assigning 0 to flags apply a default behavior to your plugin:
it can be loaded and reloaded at any time;
it is triggered by the user and does not run constantly in the background;
it does not modify the database.
Common flags for plugins:
PLUGIN_MULTI: Recommended for all plugins; this flag enables the plugin to run simultaneously across multiple opened IDBs within the same IDA instance.
PLUGIN_FIX: The plugin loads when IDA launches and stays loaded until IDA exits.
PLUGIN_DRAW: The plugin needs to be invoked for every screen refresh.
PLUGIN_MOD: The plugin modifies the IDA database.
PLUGIN_PROC: The plugin is a processor module extension.
PLUGIN_DBG: The plugin will be loaded only when a debugger is active (for debugger-related plugins)
PLUGIN_UNL: The plugin will be unloaded immediately after calling the run method.
In our example, we used PLUGIN_UNL flag, as after performing a specific task—listing functions in the current database—is no longer needed.
comment attribute The comment attribute allows you to provide a brief description of your plugin.
wanted_name attribute The wanted_name attribute specifies the preferred short name of the plugin, as it apperas under Edit -> Plugins submenu.
wanted_hotkey attribute The wanted_hotkey attribute specifies a preferred shortcut to run the plugin.
The preferred name and hotkey may be overridden by changing the settings in the plugins.cfg file.
Below we scrutinize the key components for defining your plugin lifecycle.
Define a PLUGIN_ENTRY function Declare a function called PLUGIN_ENTRY that returns a plugin_t instance (or an object containing all attributes of a plugin_t object).
Initialization
The init() method is called when the plugin is loaded into IDA and is responsible for initializing your plugin.
The init() method returns an pointer to a plugmod_t object and indicate that this object run method is going to be used.
In the new plugin framework, run/term functions of plugin_t are not used. Virtual functions of plugmod_t are used instead.
In our example, when MyPlugin.init() is called it initalizes the plugin and returns a new instance of MyPlugmod.
Activation
The run method is executed when the user triggers your plugin activation, whether via hotkey or Edit -> Plugins submenu.
An alternative way of activation your plugin is via IDA events and registering a callback functions.
In our example, when the run() method of MyPlugmod is called, it prints function names and addresses in Output window.
Unloading
The __del__() is called automatically when the plugin is going to be unloaded (destroyed). The conditions that define the circumstances under which the plugin should be unloaded depend on the flags setting.
Example of plugin lifecycle implementation:
In our example:
PLUGIN_ENTRY() returns an instance of the MyPlugin class.
MyPlugin.init() is called to initialize the plugin and returns an instance of MyPlugmod. MyPlugmod.run() is called when the plugin is activated by the user via the hotkey or the Plugins menu. Then, the run() method of MyPlugmod is called, which prints function names and addresses in the current IDA database.
ida-plugin.json fileTo ensure your plugin is well-organized, it's recommended to add an ida-plugin.json file to your plugin directory with essential metadata. This file eases the organization of your plugin files (allows it to be self-contained in its own sub-directory) and smooths the process for accepting your plugin into our official plugin repository if you decide to share it with the Hex-Rays community.
To work properly, the ida-plugin.json file must contain at the very least the IDAMetadataDescriptorVersion field as well as a plugin object containing the name and entryPoint fields.
The name will be used to identify the plugin and also generate a namespace name for it if necessary (e.g. an IDAPython plugin). The namespace name is generated by converting all non alphanumeric characters of the plugin name to underscores (_) and prepending __plugins__ to it. For example "my plugin" would become __plugins__my_plugin.
The entryPoint must be the filename of the "main" file for the plugin. It should be stored in the same directory as its ida-plugin.json file.
If the entryPoint has no file extension, IDA will assume it is a native plugin and append the appropriate file extension for dynamic shared objects for the host platform (.dll, .so, .dylib).
Example of the ida-plugin.json file:
Copy the plugin directory (in our example, the folder containing my-first-plugin.py and ida.plugin.json files) or single script to plugins directory in your IDA installation folder. Once it's done, you may need to restart your IDA to see your plugin name under Edit -> Plugins submenu.
Run the plugin by pressing the specified hotkey or execute it from Edit -> Plugins -> <your_plugin>.
This guide is is designed to speed up the learning curve in IDAPython API and kickstart your journey with scripting in IDA, assuming that you are already found your way around IDA and got familiar with .
First, check for the core concepts like common variables, then dive into our simple, short and reusable showing basic examples of commonly used functions.
When you feel comfortable with most popular IDAPython API usage, you can delve into our set of more complex . The full library of our examples is shipped with your IDA instance in the python/examples folder. You can find them also in the .
If you feel more comfortable with IDAPython now, you can delve into more complex and advanced examples shipped with your IDA instance. You can find them in the python/examples folder where your IDA is installed or check them from our These collection gathered more advanced code samples, which usually make use of more modules and APIs.
Delve into our tutorial on .
Check out our , which is prepared to help you migrate and adapt your existing scripts and plugins from IDA 8.x to IDA 8.5.
Check our for an up-to-date list of all modules, classes, functions, and so on.
Ensure compatibility with the latest IDA version by reviewing our for recent updates.
For a full list of available flags, refer to the .
MyPlugmod.__del__() is called automatically when the plugin is destroyed (unloaded), and it prints a termination message. As we defined in , our exemplary plugin unloads directly after performing its task.
C++ SDK reference
IDAPython reference
Start using C++ SDK
Start using IDAPython
Start using IDC
C++ SDK Getting Started
Explore this guide to introduce yourself to the core capabilities of IDA SDK.
C++ SDK Examples
Try complex examples that show the full power and and flexibility of our SDK.
C++ SDK Reference
Check in-depth overview of header files with extensive description of data structures and functions.
Writing Plugins in C++
Learn the best practices for creating plugins with IDA SDK
This page is currently a stub. We're working on additional examples tailored for beginners, so expect more samples soon.
The IDA SDK, which you can get from our Download Center in My Hex-Rays Portal, provides sample code in addition to necessary libraries and headers. These exemplary plugins, processor modules, or file loaders are designed to help you create your own plugins, modules, and more.
The IDA SDK is shipped with plenty of samples (including, for example, sample processor modules or loaders) and exemplary plugins that you can find in the IDA SDK folder. To kickstart your journey with the IDA SDK, we encourage you to check out the included samples, compile them, and run them.
The plugins folder contains sample plugins written in C++. Usually, the subfolders contains at minimum the cpp file(s) and a makefile.
Below, we present only a selection of samples to familiarize yourself with the possibilities of the C++ SDK. All of these samples and their corresponding makefiles can be found in your plugins folder inside the SDK directory.
Simple hello word plugin ideal to get started with IDA SDK.
Sample plugin, ideal to get familiar with plugins structure.
Sample plugin that allows the user to change the address of the called function.
Sample plugin module that demonstrates the use of the choose() function.
This sample plugin demonstates how to install a custom data type and a custom data format.
This sample plugin demonstates how to create and manipulate a simple custom viewer, that allows you to create a view which displays colored lines.
Plugin with CVT64 examples.
The source code of the dwarf plugin
This sample Debugger IDC Helper executes IDC script when the process is launched and allows to hook IDC scripts to various debugger events.
Sample plugin illustrating analysis improvement; it checks branch targets for newly created instructions.
Sample plugin that illustrates how to register a thid party language interpreter.
This plugin demonstrates how to use complex forms.
This sample plugin demonstrates how to get the the entry point prototypes.
This sample plugin demonstrates how to get the disassembly lines for one address.
This plugin will display a colored box at the executed instructions.
This sample plugin demonstrates receiving output window notification callbacks and usage of new output window functions.
This sample plugin demonstrates usage of the view callbacks and adding custom menu items to popup menus.
Sample multi-threaded plugin module.
This sample plugin demonstrates how to customize navigation band colors.
This plugin demonstrates how to use non modal forms.
Sample plugin that extends the IBM PC processor module to disassemble some NEC V20 instructions.
This plugin demonstrates the UI requests and the process_ui_action()
We encourage you to browse the plugins folder inside the SDK directory to check out all of examples, including more complex and advances ones, like FindCrypt program, that finds constants used in crypto algorithms, or qproject, that demonstrates how to fully use the Qt environment in IDA.
The modules folder contains sample processor modules, that are used to add support for new instruction sets or architectures to IDA. Inside the README file you will find instructions on how to compile and run the modules.
If you are going to write a new processor module, it's recommended to follow the below steps:
copy the sample module files to a new directory
edit ins.cpp and ins.hpp files
write the analyser ana.cpp
then outputter
and emulator (you can start with an almost empty emulator)
describe the processor & assembler, write the notify() function
The ldr folder includes source code for new file format loaders:
aif ARM Image File
amiga Amige Hunk File
aof ARM Object File
aout a.out
dos MS DOS File
dump Memory Dump File
geos GEOS File
hex Intel/Motorola HEX File
hpsom HP SOM
intelomf Intel Object File
javaldr Java Class Loader
mas Macro Assembler
nlm Netware Loader Module
os9 FLEX/9
pef Portable Executable Format (MAC)
pilot Palm Pilot
qnx Qnx
rt11 RT/11
w32run Watcom RUN32
ready to be compiled, similarly as processor module samples.
The exemplary decompiler plugins are shipped with the C++ SDK and can be found in the plugins folder (vds1-vds20) alongside other plugins.
Below are descriptions of sample decompiler plugins.
This plugin decompiles the current function and prints the result in the message window. It is useful to learn how to initialize a decompiler plugin. Please note that all decompiler sample plugins have the "hexrays_" prefix in their names. This is done to make sure that the decompiler plugins are loaded after the hexrays plugin. Otherwise they would see that the decompiler is missing and immediately terminate.
We recommend you to keep the same naming scheme: please use the "hexrays_" prefix for your decompiler plugins.
N.B.: if you're writing a plugin for non-x86 version of the decompiler, you should use another prefix. For example, the x64 decompiler is named "hexx64", ARM is "hexarm" and so on. To be certain, check IDA's "plugins" directory. To debug plugin loading issues, you can use -z20 switch when running IDA.
This plugin shows how to hook to decompiler events and react to them. It also shows how to visit all ctree elements and modify them.
This plugin waits for the decompilation result to be ready and replaces zeroes in pointer contexts with NULLs. One might say that this is just cosmetic change, but it makes the output more readable.
Since the plugin hooks to events, it is fully automatic. The user can disable it by selecting it from the Edit, Plugins menu.
This plugin shows
This is a quite complex plugin but it is thoroughly commented.
This plugin dumps all user-defined information to the message window. Read the source code to learn how to access various user-defined data from your plugins:
This plugin generates a graph from the current pseudocode and displays it with wingraph32.
The source code can be used to learn ctree details.
This plugin modifies the decompilation output: removes some space characters.
The source code can be used to learn the output text.
This plugin demonstrates how to use the cblock_t::iterator class. It enumerates all instructions of a block statement.
This plugin demonstrates how to use the udc_filter_t (User-Defined Call generator) class, which allows replacing cryptic function calls, with a simpler/more-readable counterpart.
This plugin demonstrates how to generate microcode for a given function and print it into the output window. It displays fully optimized microcode but it is also possible to retrieve microcode from earlier stages of decompilation. Generating the microcode text should be used only for debugging purposes. Printing microcode in production code may lead to crashes or wrong info.
This plugin installs a custom microcode optimization rule: call !DbgRaiseAssertionFailure fast:.0 => call !DbgRaiseAssertionFailure <fast:"char *" "assertion text">.0
See also sample19 for another example.
This plugin installs a custom inter-block optimization rule:
L1: goto L2
In other words we fix a goto target if it points to a chain of gotos. This improves the decompiler output is some cases.
This plugin displays list of direct references to a register from the current instruction.
This plugin generates microcode for selection and dumps it to the output window.
This plugin shows xrefs to the called function as the decompiler output. All calls are displayed with the call arguments.
This plugin shows list of possible values of a register using the value range analysis.
This plugin installs a custom instruction optimization rule:
We need this rule because the decompiler cannot propagate the second byte of VAR into the xor instruction.
The XOR opcode can be replaced by any other, we do not rely on it. Also operand sizes can vary.
This plugin shows how to use "Select offsets" widget (select_udt_by_offset() API). This plugin repeats the Alt-Y functionality.
This plugin shows how to specify a register value at a desired location. Such a functionality may be useful when the code to decompile is obfuscated and uses opaque predicates.
This plugin shows how to install a custom microcode optimization rule. Custom rules are useful to handle obfuscated code. See also sample10 for another example.
This plugin shows how to modify the decompiler output on the fly by adding dynamic comments.
IDC language is a C-like language. It has the same lexical tokens as C does: character set, constants, identifiers, keywords, etc. However, since it is a scripting language, there are no pointers, and all variable types can be handled by the interpreter. Any variable may hold any value; variables are declared without specifying their type;
auto myvar;
An IDC program consists of function declarations. By default, execution starts from a function named 'main'.
Select a topic to read:
In IDC there are the following statements:
expression; (expression-statement) if (expression) statement if (expression) statement else statement for ( expr1; expr2; expr3 ) statement while (expression) statement do statement while (expression); break; continue; return ; return; the same as 'return 0;' { statements... } try statement catch ( var ) statement throw ; ; (empty statement)
Please note that the 'switch' statement is not supported.
An IDC function always returns a value. There are 2 kinds of functions:
built-in functions
user-defined functions A user-defined function is declared this way: static func(arg1,arg2,arg3) { statements ... } It is not necessary to specify the parameter types because all necessary type conversions are performed automatically.
By default all function arguments are passed by value, except:
If the function to call does not exist, IDA tries to resolve the name using the debugged program labels. If it succeeds, an dbg_appcall is performed.
The following constants can be used in IDC:
In the IDC expressions you can use almost all C operations except:
Constants are defined more or less like in C, with some minor differences.
There are four type conversion operations:
However, explicit type conversions are rarely required because all type conversions are made automatically:
If any of the long operands is 64bit, the other operand is converted to 64bit too.
There is one notable exception concerning type conversions: if one operand is a string and the other is zero (0), then a string operation is performed. Zero is converted to an empty string in this case.
The & operator is used to take a reference to a variable. References themselves cannot be modified once created. Any assignment to them will modify the target variable. For example:
References to references are immediately resolved:
Since all non-object arguments are passed to functions by value, references are a good way to pass arguments by reference.
There are two kinds of variables in IDC:
A variable can contain:
LONG: a 32-bit signed long integer (64-bit in 64-bit version of IDA)
INT64: a 64-bit signed long integer
STR: a character string
FLOAT: a floating point number (extra precision, up to 25 decimal digits)
OBJECT: an object with attributes and methods (a concept very close to C++ class) more
REF: a reference to another variable
FUNC: a function reference
A local variable is declared this way:
Global variables are declared like this:
Global variables can be redefined many times. IDA will silently ignore subsequent declarations. Please note that global variables cannot be initialized at the declaration time.
All C and C++ keywords are reserved and cannot be used as a variable name.
While it is possible to declare a variable anywhere in the function body, all variables are initialized at the function entry and all of them are destroyed only at the exit. So, a variable declared in a loop body will not be reinitialized at each loop iteration, unless explicitly specified with an assignment operator.
If a variable or function name cannot be recognized, IDA tries to resolve them using the names from the disassembled application. In it succeeds, the name is replaced by its value in the disassembly listing. For example:
will print 413060. If the label denotes a structure, it is possible to refer to its fields:
will print 413064. Please note that IDA does not try to read the data but just returns the address of the structure field. The field address can also be calculated using the get_field_ea function.
NOTE: The processor register names can be used in the IDC scripts when the debugger is active. Reading from such a variable return the corresponding register value. Writing to such a variable modifies the register value in the debugged process. Such variables are accessible only when the application is in the suspended mode.
NOTE: another way to emulate global scope variables is to use array functions and create global persistent arrays.
Any runtime error generates an exception. Exceptions terminate the execution. It is possible to catch an exception instead of terminating the execution:
See the details of classes.
The try/catch blocks can be nested. If the current function has no try/catch blocks, the calling function will be examined, and so on, until we find a try/catch block or exit the main function. If no try/catch block is found, an unhandled exception is reported.
It is also possible to throw an exception explicitly. Any object can be thrown. For example:
will throw value '5'.
IDA 8.5 API Changes and porting guide
The largest change is the removal of two headers:
struct.hpp
enum.hpp
The functionalities for working with user-defined types are now available in typeinf.hpp (tinfo_t class).
class member_t;
class struc_t;
struc_t is replaced by the notion of "user-defined type" (udt_type_data_t class) and member_t by dt member (udm_t class).
get_struc_qty() Rough equivalent is get_ordinal_limit() or get_ordinal_count() but note that it also includes enums and typedefs.
get_first_struc_idx()
get_last_struc_idx()
get_prev_struc_idx()
get_next_struc_idx()
Local type ordinals always start at 1 (0 is invalid ordinal) and go up to get_ordinal_limit().
get_struc_idx(tid_t id)
get_struc_by_idx(uval_t idx)
Enumerations are now manipulated via:
tinfo_t class
enum_type_data_t class
edm_t class. in typeinf.hpp
get_enum_qty(void)
getn_enum(size_t idx)
get_enum_idx(enum_t id)
get_enum(const char *name)
is_bf(enum_t id)
is_enum_hidden(enum_t id)
set_enum_hidden(enum_t id, bool hidden)
is_enum_fromtil(enum_t id)
set_enum_fromtil(enum_t id, bool fromtil)
is_ghost_enum(enum_t id)
set_enum_ghost(enum_t id, bool ghost)
get_enum_name(qstring *out, enum_t id)
get_enum_name2(qstring *out, enum_t id, int flags=0)
get_enum_name(tid_t id, int flags=0)
get_enum_width(enum_t id)
set_enum_width(enum_t id, int width)
get_enum_cmt(qstring *buf, enum_t id, bool repeatable)
get_enum_size(enum_t id)
get_enum_flag(enum_t id)
get_enum_member_by_name(const char *name)
get_enum_member_value(const_t id)
get_enum_member_enum(const_t id)
get_enum_member_bmask(const_t id)
get_enum_member(enum_t id, uval_t value, int serial, bmask_t mask)
get_first_bmask(enum_t enum_id)
get_last_bmask(enum_t enum_id)
get_next_bmask(enum_t enum_id, bmask_t bmask\)
get_prev_bmask(enum_t enum_id, bmask_t bmask)
get_first_enum_member(enum_t id, bmask_t bmask=DEFMASK)
get_last_enum_member(enum_t id, bmask_t bmask=DEFMASK)
get_next_enum_member(enum_t id, uval_t value, bmask_t bmask=DEFMASK)
get_prev_enum_member(enum_t id, uval_t value, bmask_t bmask=DEFMASK)
get_enum_member_name(qstring *out, const_t id)
get_enum_member_cmt(qstring *buf, const_t id, bool repeatable)
get_first_serial_enum_member(uchar *out_serial, enum_t id, uval_t value, bmask_t bmask)
get_last_serial_enum_member(uchar *out_serial, enum_t id, uval_t value, bmask_t bmask)
get_next_serial_enum_member(uchar *in_out_serial, const_t first_cid)
get_prev_serial_enum_member(uchar *in_out_serial, const_t first_cid)
for_all_enum_members(enum_t id, enum_member_visitor_t &cv)
ida_export get_enum_member_serial(const_t cid)
get_enum_type_ordinal(enum_t id)
set_enum_type_ordinal(enum_t id, int32 ord)
add_enum(size_t idx, const char *name, flags64_t flag)
del_enum(enum_t id)
set_enum_idx(enum_t id, size_t idx)
set_enum_bf(enum_t id, bool bf)
set_enum_name(enum_t id, const char *name)
set_enum_cmt(enum_t id, const char *cmt, bool repeatable)
set_enum_flag(enum_t id, flags64_t flag)
add_enum_member(enum_t id, const char *name, uval_t value, bmask_t bmask=DEFMASK)
del_enum_member(enum_t id, uval_t value, uchar serial, bmask_t bmask)
set_enum_member_name(const_t id, const char *name)
set_enum_member_cmt(const_t id, const char *cmt, bool repeatable)
is_one_bit_mask(bmask_t mask)
set_bmask_name(enum_t id, bmask_t bmask, const char *name)
get_bmask_name(qstring *out, enum_t id, bmask_t bmask)
set_bmask_cmt(enum_t id, bmask_t bmask, const char *cmt, bool repeatable)
get_bmask_cmt(qstring *buf, enum_t id, bmask_t bmask, bool repeatable)
idaman ea_t ida_export find_binary(ea_t startea, ea_t endea, const char *ubinstr, int radix, int sflag, int strlits_encoding=0)
idaman bool ida_export get_octet2(uchar *out, octet_generator_t *ogen)
idaman bool ida_export get_octet(uchar *out, octet_generator_t *ogen)
idaman bool ida_export op_enum(ea_t ea, int n, enum_t id, uchar serial=0)
idaman bool ida_export op_enum(ea_t ea, int n, tid_t id, uchar serial=0)
idaman enum_t ida_export get_enum_id(uchar *serial, ea_t ea, int n)
idaman tid_t ida_export get_enum_id(uchar *serial, ea_t ea, int n)
idaman ea_t ida_export bin_search3(size_t *out_matched_idx, ea_t start_ea, ea_t end_ea, const compiled_binpat_vec_t &data, int flags)
idaman ea_t ida_export bin_search(ea_t start_ea, ea_t end_ea, const compiled_binpat_vec_t &data, int flags, size_t *out_matched_idx=nullptr)
bin_search2(ea_t start_ea, ea_t end_ea, const compiled_binpat_vec_t &data, int flags)
bin_search(ea_t, ea_t, const uchar *, const uchar *, size_t, int, int)
get_8bit(ea_t *ea, uint32 *v, int *nbit)
get_octet(ea_t *ea, uint64 *v, int *nbit)
free_chunk(ea_t bottom, asize_t size, int32 step)
idaman bool ida_export dirtree_get_abspath_by_cursor2(qstring *out, const dirtree_impl_t *d, const dirtree_cursor_t &cursor, uint32 name_flags)
idaman bool ida_export dirtree_get_abspath_by_cursor(qstring *out, const dirtree_impl_t *d, const dirtree_cursor_t &cursor, uint32 name_flags)
idaman THREAD_SAFE int ida_export enumerate_files2(char *answer, size_t answer_size, const char *path, const char *fname, file_enumerator_t &fv)
idaman THREAD_SAFE int ida_export enumerate_files(char *answer, size_t answer_size, const char *path, const char *fname, file_enumerator_t &fv)
ecreate(const char *file)
eclose(FILE *fp)
eread(FILE *fp, void *buf, size_t size)
ewrite(FILE *fp, const void *buf, size_t size)
eseek(FILE *fp, qoff64_t pos)
enumerate_files(char *answer, size_t answer_size, const char *path, const char *fname, int (idaapi*func)(const char *file,void *ud), void *ud=nullptr)
qerrcode(int new_code=-1)
bool extlang_t::(idaapi *compile_file)(const char *file, qstring *errbuf)
bool extlang_t::(idaapi *compile_file)(const char *file, const char *requested_namespace, qstring *errbuf)
idaman bool ida_export add_frame_member(const func_t *pfn, const char *name, uval_t offset, const tinfo_t &tif, const struct value_repr_t *repr=nullptr, uint etf_flags=0)
THREAD_SAFE bool is_anonymous_member_name(const char *name)
THREAD_SAFE bool is_dummy_member_name(const char *name)
idaman bool ida_export is_special_frame_member(tid_t tid)
idaman bool ida_export set_frame_member_type(const func_t *pfn, uval_t offset, const tinfo_t &tif, const struct value_repr_t *repr=nullptr, uint etf_flags=0)
idaman bool ida_export delete_frame_members(const func_t *pfn, uval_t start_offset, uval_t end_offset)
idaman sval_t ida_export calc_frame_offset(func_t *pfn, sval_t off, const insn_t *insn = nullptr, const op_t *op = nullptr)
idaman struc_t *ida_export get_frame(const func_t *pfn)
idaman bool ida_export get_func_frame(tinfo_t *out, const func_t *pfn)
idaman bool ida_export define_stkvar(func_t *pfn, const char *name, sval_t off, flags64_t flags, const opinfo_t *ti, asize_t nbytes)
idaman bool ida_export define_stkvar(func_t *pfn, const char *name, sval_t off, const tinfo_t &tif, const struct value_repr_t *repr=nullptr)
idaman void ida_export build_stkvar_xrefs(xreflist_t *out, func_t *pfn, const member_t *mptr)
idaman void ida_export build_stkvar_xrefs(xreflist_t *out, func_t *pfn, uval_t start_offset, uval_t end_offset)
get_frame_member_by_id(qstring *out_mname, struc_t **out_fptr, tid_t mid)
get_stkvar(sval_t *actval, const insn_t &insn, const op_t &x, sval_t v) See get_stkvar in ida_typeinf.tinfo_t
get_min_spd_ea(func_t *pfn)
delete_unreferenced_stkvars(func_t *pfn)
delete_wrong_stkvar_ops(func_t *pfn)
bool func_item_iterator_t::set_ea(ea_t _ea)
save_signatures(void)
invalidate_sp_analysis(func_t *pfn)
invalidate_sp_analysis(ea_t ea)
struct edge_t
class node_ordering_t
class control_graph_t
class edge_mapper_t
class node_bitset_t
class array_of_node_bitset_t
struct ctry_t
struct cthrow_t
struct catchexpr_t
struct ccatch_t
struct cblock_pos_t
uvlr_t max_vlr_value(int size)
uvlr_t min_vlr_svalue(int size)
uvlr_t max_vlr_svalue(int size)
bool is_unsigned_cmpop(cmpop_t cmpop)
bool is_signed_cmpop(cmpop_t cmpop)
bool is_cmpop_with_eq(cmpop_t cmpop)
bool is_cmpop_without_eq(cmpop_t cmpop)
bool was_scattered_arg() const
void set_scattered_arg()
void clr_scattered_arg()
int find_input_reg(int reg, int _size=1)
virtual bool ignore_edge(int /*src*/, int /*dst*/ ) const
void hexapi compute_dominators(array_of_node_bitset_t &domin, bool post=false) const
void hexapi compute_immediate_dominators(const array_of_node_bitset_t &domin, intvec_t &idomin, bool post=false) const
int hexapi depth_first_preorder(node_ordering_t *pre) const
int hexapi depth_first_postorder(node_ordering_t *post) const
void depth_first_postorder(node_ordering_t *post, edge_mapper_t *et) const
void depth_first_postorder_for_all_entries(node_ordering_t *post) const
intvec_t find_dead_nodes() const
void find_reaching_nodes(int n, node_bitset_t &reaching) const
bool path_exists(int m, int n) const
bool path_back(const array_of_node_bitset_t &domin, int m, int n) const
bool path_back(const edge_mapper_t &et, int m, int n) const
iterator begin() const
iterator end()
int front()
void inc(iterator &p, int n=1) const
virtual int hexapi goup(int node) const
int calc_max_exp() const
bool is_nan() const
bool was_unpaired() const
mblock_t *hexapi split_block(mblock_t *blk, minsn_t *start_insn)
merror_t hexapi inline_func(codegen_t &cdg, int blknum, mba_ranges_t &ranges, int decomp_flags=0, int inline_flags=0)
const stkpnt_t *hexapi locate_stkpnt(ea_t ea) const
void hexapi clear()
virtual const char *what() const noexcept override
void hexapi save_user_labels2(ea_t func_ea, const user_labels_t *user_labels, const cfunc_t *func=nullptr)
void hexapi save_user_labels(ea_t func_ea, const user_labels_t *user_labels, const cfunc_t *func=nullptr)
user_labels_t *hexapi restore_user_labels2(ea_t func_ea, const cfunc_t *func=nullptr)
user_labels_t *hexapi restore_user_labels(ea_t func_ea, const cfunc_t *func=nullptr)
member_t *hexapi get_stkvar(uval_t *p_off=nullptr) const
ssize_t hexapi get_stkvar(udm_t *udm=nullptr, uval_t *p_off=nullptr) const
member_t *get_stkvar(uval_t *p_off) const
ssize_t get_stkvar(udm_t *udm=nullptr, uval_t *p_off=nullptr) const
member_t *get_stkvar(sval_t vd_stkoff, uval_t *poff) const
ssize_t get_stkvar(udm_t *udm, sval_t vd_stkoff, uval_t *poff=nullptr) const
const mblock_t *get_mblock(int n) const
const mblock_t *get_mblock(uint n) const
mblock_t *get_mblock(int n)
mblock_t *get_mblock(uint n)
bool hexapi combine_blocks()
bool hexapi merge_blocks()
bool cvt_to_cmp(cmpop_t *cmp, uvlr_t *val, bool strict) const
bool valrng_t::cvt_to_cmp(cmpop_t *cmp, uvlr_t *val) const
bool hexapi get_member_type(const member_t *mptr, tinfo_t *type)
bool hexapi checkout_hexrays_license(bool silent)
bool get_member_type(const member_t *mptr, tinfo_t *type)
static uvlr_t max_value(int size_)
static uvlr_t min_svalue(int size_)
static uvlr_t max_svalue(int size_)
member_t *hexapi get_memptr(struc_t **p_sptr=nullptr) const
cblock_t *get_block()
bool hexapi set_strmem_type(struc_t *sptr, member_t *mptr)
bool hexapi rename_strmem(struc_t *sptr, member_t *mptr)
class abstract_graph_t
class drawable_graph_t
class mutable_graph_t
class interactive_graph_t
mutable_graph_t *idaapi create_mutable_graph(uval_t id)
interactive_graph_t *idaapi create_interactive_graph(uval_t id)
mutable_graph_t *idaapi create_disasm_graph(ea_t ea)
interactive_graph_t *idaapi create_disasm_graph(ea_t ea)
mutable_graph_t *idaapi create_disasm_graph(const rangevec_t &ranges)
interactive_graph_t *idaapi create_disasm_graph(const rangevec_t &ranges)
mutable_graph_t *idaapi get_viewer_graph(graph_viewer_t *gv)
interactive_graph_t *idaapi get_viewer_graph(graph_viewer_t *gv)
void idaapi set_viewer_graph(graph_viewer_t *gv, mutable_graph_t *g)
void idaapi set_viewer_graph(graph_viewer_t *gv, interactive_graph_t *g)
void idaapi delete_mutable_graph(mutable_graph_t *g)
void idaapi delete_interactive_graph(interactive_graph_t *g)
void idaapi mutable_graph_t::del_custom_layout(void)
void idaapi interactive_graph_t::del_custom_layout(void)
void idaapi mutable_graph_t::set_custom_layout(void) const
void idaapi interactive_graph_t::set_custom_layout(void) const
void idaapi mutable_graph_t::set_graph_groups(void) const
void idaapi interactive_graph_t::set_graph_groups(void) const
void idaapi mutable_graph_t::clear(void)
void idaapi interactive_graph_t::clear(void)
bool idaapi mutable_graph_t::create_digraph_layout(void)
bool idaapi interactive_graph_t::create_digraph_layout(void)
bool idaapi abstract_graph_t::create_tree_layout(void)
bool idaapi drawable_graph_t::create_tree_layout(void)
bool idaapi abstract_graph_t::create_circle_layout(point_t c, int radius)
bool idaapi drawable_graph_t::create_circle_layout(point_t c, int radius)
int idaapi mutable_graph_t::get_node_representative(int node)
int idaapi interactive_graph_t::get_node_representative(int node)
int idaapi mutable_graph_t::_find_subgraph_node(int gr, int n) const
int idaapi interactive_graph_t::_find_subgraph_node(int gr, int n) const
int idaapi mutable_graph_t::create_group(const intvec_t &_nodes)
int idaapi interactive_graph_t::create_group(const intvec_t &_nodes)
bool idaapi mutable_graph_t::get_custom_layout(void)
bool idaapi interactive_graph_t::get_custom_layout(void)
bool idaapi mutable_graph_t::get_graph_groups(void)
bool idaapi interactive_graph_t::get_graph_groups(void)
bool idaapi mutable_graph_t::empty(void) const
bool idaapi interactive_graph_t::empty(void) const
bool idaapi mutable_graph_t::is_visible_node(int node) const
bool idaapi interactive_graph_t::is_visible_node(int node) const
bool idaapi mutable_graph_t::delete_group(int group)
bool idaapi interactive_graph_t::delete_group(int group)
bool idaapi mutable_graph_t::change_group_visibility(int gr, bool exp)
bool idaapi interactive_graph_t::change_group_visibility(int gr, bool exp)
bool idaapi mutable_graph_t::set_edge(edge_t e, const edge_info_t *ei)
bool idaapi interactive_graph_t::set_edge(edge_t e, const edge_info_t *ei)
int idaapi mutable_graph_t::node_qty(void) const
int idaapi interactive_graph_t::node_qty(void) const
rect_t &idaapi mutable_graph_t::nrect(int n)
rect_t &idaapi interactive_graph_t::nrect(int n)
The new header for the IDA library
idaman int ida_export init_library(int argc = 0, char *argv[] = nullptr)
idaman int ida_export open_database(const char *file_path, bool run_auto)
idaman void ida_export close_database(bool save)
idaman int ida_export cpu2ieee(fpvalue_t *ieee_out, const void *cpu_fpval, int size)
idaman int ida_export ieee2cpu(void *cpu_fpval, const fpvalue_t &ieee_out, int size)
processor_t::has_realcvt(void) const
static ssize_t processor_t::gen_stkvar_def(outctx_t &ctx, const class member_t *mptr, sval_t v)
static ssize_t processor_t::gen_stkvar_def(outctx_t &ctx, const struct udm_t *mptr, sval_t v, tid_t tid)
const op_t *procmod_t::make_op_reg(op_t *op, int reg, int8 dtype = -1) const
const op_t *procmod_t::make_op_imm(op_t *op, uval_t val, int8 dtype = -1) const
const op_t *procmod_t::make_op_displ(op_t *op, int base_reg, uval_t displ, int8 dtype = -1) const
const op_t *procmod_t::make_op_phrase(op_t *op, int base_reg, int index_reg, int8 dtype = -1) const
See also IDB events for a table providing a list a event replacement and removal.
open_enums_window(tid_t const_id=BADADDR)
open_structs_window(tid_t id=BADADDR, uval_t offset=0)
choose_struc(const char *title)
choose_enum_by_value(const char *title, enum_t default_id, uint64 value, int nbytes, uchar *serial)
class enumplace_t
class structplace_t
bool is_ida_library(char *path, size_t pathsize, void** handle)
const tagged_line_section_t::tagged_line_section_t *nearest_before(const tagged_line_section_t &range, cpidx_t start, color_t tag=0) const
const tagged_line_section_t::tagged_line_section_t *nearest_after(const tagged_line_section_t &range, cpidx_t start, color_t tag=0) const
bool chooser_base_t::has_widget_lifecycle() const
ea_t choose_stkvar_xref(func_t *pfn, member_t *mptr)
ea_t choose_stkvar_xref(func_t *pfn, tid_t srkvar_tid)
bool tagged_line_section_t::substr(qstring *out, const qstring &in) const
bool tagged_line_section_t::substr(qstring *out,,const qstring &in, const tagged_line_section_t *end = nullptr) const
idaman lexer_t *ida_export create_lexer(const char *const *keys, size_t size, void *ud=nullptr)
idaman lexer_t *ida_export create_lexer(const char *const *keys, size_t size, void *ud=nullptr, uint32 macro_flags=0)
set_user_defined_prefix(size_t width, void (idaapi *get_user_defined_prefix)(qstring *buf, ea_t ea, int lnnum, int indent, const char *line))
idaman void ida_export update_extra_cmt(ea_t ea, int what, const char *str)
idaman bool ida_export update_extra_cmt(ea_t ea, int what, const char *str)
idaman void ida_export del_extra_cmt(ea_t ea, int what)
idaman bool ida_export del_extra_cmt(ea_t ea, int what)
idaman int ida_export validate_idb_names2(bool do_repair)
idaman int ida_export validate_idb_names(bool do_repair)
void jvalue_t::set_str(const char *s)
void jobj_t::put(const char *key, const jobj_t &value)
unpack_memory(void *buf, size_t size, const uchar **pptr, const uchar *end)
idaman THREAD_SAFE bool ida_export get_login_name(qstring *out)
idaman void *ida_export pipe_process(qhandle_t *read_handle, qhandle_t *write_handle, launch_process_params_t *lpp, qstring *errbuf=nullptr)
qstring bytevec_t::tohex(bool upper_case=true) const
void qlist::splice(iterator pos, qlist &other, iterator first, iterator last)
struct memory_serializer_t
regcomp(struct regex_t *preg, const char *pattern, int cflags)
regerror(int errcode, const struct regex_t *preg, char *errbuf, size_t errbuf_size)
regexec(const struct regex_t *preg, const char *str, size_t nmatch, struct regmatch_t pmatch[], int eflags)
regfree(struct regex_t *preg)
void ida_export reg_finder_invalidate_cache(reg_finder_t *_this, ea_t ea)
void ida_export reg_finder_invalidate_cache(reg_finder_t *_this, ea_t to, ea_t from)
bool ida_export reg_finder_calc_op_addr(reg_finder_t *_this, reg_value_info_t *addr, const op_t *memop, const insn_t *insn, ea_t ea, ea_t ds)
bool ida_export reg_finder_calc_op_addr(reg_finder_t *_this, reg_value_info_t *addr, const op_t *memop, const insn_t *insn, ea_t ea, ea_t ds, int max_depth)
bool ida_export reg_finder_may_modify_stkvars(const reg_finder_t *_this, reg_finder_op_t op, const insn_t *insn)
bool ida_export reg_finder_may_modify_stkvar(const reg_finder_t *_this, reg_finder_op_t op, const insn_t *insn)
void idaapi invalidate_regfinder_cache(ea_t ea = BADADDR)
void idaapi invalidate_regfinder_cache(ea_t to = BADADDR, ea_t from = BADADDR)
reg_finder_op_make_rfop(func_t *pfn, const insn_t &insn, const op_t &op)
void reg_value_info_t::movt(const reg_value_info_t &r, const insn_t &insn)
static int reg_finder_op_t::get_op_width(const op_t &op)
static reg_finder_op_t reg_finder_op_t::make_stkoff(sval_t stkoff, int width)
reg_load(void)
reg_flush(void)
user2bin(uchar *, uchar *, ea_t, const char *, int, bool)
find_binary(ea_t, ea_t, const char *, int, int)
set_numbered_type(til_t *ti, uint32 ordinal, int ntf_flags, const char *name, const type_t *type, const p_list *fields=nullptr, const char *cmt=nullptr, const p_list *fldcmts=nullptr, const sclass_t *sclass=nullptr)
get_ordinal_from_idb_type(const char *name, const type_t *type)
is_autosync(const char *name, const type_t *type)
is_autosync(const char *name, const tinfo_t &tif)
import_type(const til_t *til, int idx, const char *name, int flags=0)
get_udm_tid(const udm_t *udm, const char *udt_name)
bool ida_export create_tinfo2(tinfo_t *_this, type_t bt, type_t bt2, void *ptr)
bool ida_export create_tinfo(tinfo_t *_this, type_t bt, type_t bt2, void *ptr)
int ida_export verify_tinfo(uint32 typid)
int ida_export verify_tinfo(typid_t typid)
bool ida_export get_tinfo_details2(uint32 typid, type_t bt2, void *buf)
bool ida_export get_tinfo_details(typid_t typid, type_t bt2, void *buf)
size_t ida_export get_tinfo_size(uint32 *p_effalign, uint32 typid, int gts_code)
size_t ida_export get_tinfo_size(uint32 *p_effalign, typid_t typid, int gts_code)
size_t ida_export get_tinfo_pdata(void *outptr, uint32 typid, int what)
size_t ida_export get_tinfo_pdata(void *outptr, typid_t typid, int what)
size_t ida_export get_tinfo_property(uint32 typid, int gta_prop)
size_t ida_export get_tinfo_property(typid_t typid, int gta_prop)
size_t ida_export get_tinfo_property4(uint32 typid, int gta_prop, size_t p1, size_t p2, size_t p3, size_t p4)
size_t ida_export get_tinfo_property4(typid_t typid, int gta_prop, size_t p1, size_t p2, size_t p3, size_t p4)
bool ida_export deserialize_tinfo2(tinfo_t *tif, const til_t *til, const type_t **ptype, const p_list **pfields, const p_list **pfldcmts, const char *cmt)
bool ida_export deserialize_tinfo(tinfo_t *tif, const til_t *til, const type_t **ptype, const p_list **pfields, const p_list **pfldcmts, const char *cmt)
int ida_export find_tinfo_udt_member(udm_t *udm, uint32 typid, int strmem_flags)
int ida_export find_tinfo_udt_member(udm_t *udm, typid_t typid, int strmem_flags)
bool ida_export compare_tinfo(uint32 t1, uint32 t2, int tcflags)
bool ida_export compare_tinfo(typid_t t1, typid_t t2, int tcflags)
int ida_export lexcompare_tinfo(uint32 t1, uint32 t2, int)
int ida_export lexcompare_tinfo(typid_t t1, typid_t t2, int)
uint64 ida_export read_tinfo_bitfield_value(uint32 typid, uint64 v, int bitoff)
uint64 ida_export read_tinfo_bitfield_value(typid_t typid, uint64 v, int bitoff)
uint64 ida_export write_tinfo_bitfield_value(uint32 typid, uint64 dst, uint64 v, int bitoff)
uint64 ida_export write_tinfo_bitfield_value(typid_t typid, uint64 dst, uint64 v, int bitoff)
bool ida_export get_tinfo_attr(uint32 typid, const qstring &key, bytevec_t *bv, bool all_attrs)
bool ida_export get_tinfo_attr(typid_t typid, const qstring &key, bytevec_t *bv, bool all_attrs)
bool ida_export get_tinfo_attrs(uint32 typid, type_attrs_t *tav, bool include_ref_attrs)
bool ida_export get_tinfo_attrs(typid_t typid, type_attrs_t *tav, bool include_ref_attrs)
bool ida_export append_tinfo_covered(rangeset_t *out, uint32 typid, uint64 offset)
bool ida_export append_tinfo_covered(rangeset_t *out, typid_t typid, uint64 offset)
bool ida_export calc_tinfo_gaps(rangeset_t *out, uint32 typid)
bool ida_export calc_tinfo_gaps(rangeset_t *out, typid_t typid)
bool ida_export name_requires_qualifier(qstring *out, uint32 typid, const char *name, uint64 offset)
bool ida_export name_requires_qualifier(qstring *out, typid_t typid, const char *name, uint64 offset)
void ida_export tinfo_get_innermost_udm(tinfo_t *itif, const tinfo_t *tif, uint64 offset, size_t *udm_idx, uint64 *bit_offset)
void ida_export tinfo_get_innermost_udm(tinfo_t *itif, const tinfo_t *tif, uint64 offset, size_t *udm_idx, uint64 *bit_offset, bool return_member_type)
tinfo_code_t tinfo_t::find_edm(edm_t *edm, uint64 value, bmask64_t bmask=DEFMASK64, uchar serial=0) const
ssize_t tinfo_t::find_edm(edm_t *edm, uint64 value, bmask64_t bmask=DEFMASK64, uchar serial=0) const
tinfo_code_t tinfo_t::find_edm(edm_t *edm, const char *name) const
ssize_t tinfo_t::find_edm(edm_t *edm, const char *name) const
bool tinfo_t::get_type_by_edm_name(const char *mname, til_t *til=nullptr)
ssize_t tinfo_t::get_edm_by_name(const char *mname, const til_t *til=nullptr)
void ida_export gen_use_arg_tinfos2(struct argtinfo_helper_t *_this, ea_t caller, func_type_data_t *fti, funcargvec_t *rargs)
void ida_export gen_use_arg_tinfos(struct argtinfo_helper_t *_this, ea_t caller, func_type_data_t *fti, funcargvec_t *rargs)
struct udm_visitor_t
bool ida_export detach_tinfo_t(tinfo_t *_this)
bool stroff_as_size(int plen, const tinfo_t &tif, asize_t value)
int ida_export visit_stroff_udms(udm_visitor_t &sfv, const tid_t *path, int plen, adiff_t *disp, bool appzero)
bool is_one_bit_mask(uval_t mask)
til_t *til_t::find_base(const char *n)
void callregs_t::set_registers(reg_kind_t kind, int first_reg, int last_reg)
bool tinfo_t::get_named_type(const char *name, type_t decl_type=BTF_TYPEDEF, bool resolve=true, bool try_ordinal=true)
bool tinfo_t::get_numbered_type(uint32 ordinal, type_t decl_type=BTF_TYPEDEF, bool resolve=true)
bool tinfo_t::detach()
bool tinfo_t::is_punknown()
int tinfo_t::find_udm(uint64 offset, int strmem_flags=0) const
int tinfo_t::find_udm(const char *name, int strmem_flags=0) const
size_t tinfo_t::get_enum_nmembers() const
bool tinfo_t::is_empty_enum() const
tinfo_code_t tinfo_t::get_enum_repr(value_repr_t *repr) const
int tinfo_t::get_enum_width() const
uint64 tinfo_t::calc_enum_mask() const
tid_t tnfo_t::get_edm_tid(size_t idx) const
tinfo_t tinfo_t::get_innermost_member_type(uint64 bitoffset, uint64 *out_bitoffset=nullptr) const
bool tinfo_t::is_udm_by_til(size_t idx) const
tinfo_code_t tinfo_t::set_udm_by_til(size_t idx, bool on=true, uint etf_flags=0)
tinfo_code_t tinfo_t::set_fixed_struct(bool on=true)
tinfo_code_t tinfo_t::set_struct_size(size_t new_size)
bool tinfo_t::is_fixed_struct() const
bool tinfo_t::get_func_frame(const func_t *pfn)
bool tinfo_t::is_frame() const
ea_t tinfo_t::get_frame_func() const
ssize_t tinfo_t::get_stkvar(sval_t *actval, const insn_t &insn, const op_t *x, sval_t v)
tinfo_code_t tinfo_t::set_enum_radix(int radix, bool sign, uint etf_flags=0)
tinfo_code_t tinfo_t::set_funcarg_type(size_t index, const tinfo_t &tif, uint etf_flags=0)
tinfo_code_t tinfo_t::set_func_rettype(const tinfo_t &tif, uint etf_flags=0)
tinfo_code_t tinfo_t::del_funcargs(size_t idx1, size_t idx2, uint etf_flags=0)
tinfo_code_t tinfo_t::del_funcarg(size_t idx, uint etf_flags=0)
tinfo_code_t tinfo_t::add_funcarg(const funcarg_t &farg, uint etf_flags=0, ssize_t idx=-1)
tinfo_code_t tinfo_t::set_func_cc(cm_t cc, uint etf_flags=0)
tinfo_code_t tinfo_t::set_funcarg_loc(size_t index, const argloc_t &argloc, uint etf_flags=0)
tinfo_code_t tinfo_t::et_func_retloc(const argloc_t &argloc, uint etf_flags=0)
ssize_t func_type_data_t::find_argument(const char *name, size_t from=0, size_t to=size_t(-1)) const
tinfo_code_t enum_type_data_t::get_value_repr(value_repr_t *repr) const
uchar enum_type_data_t::get_serial(size_t index) const
uchar enum_type_data_t::get_max_serial(uint64 value) const
bool udm_t::is_retaddr() const
bool udm_t::is_savregs() const
bool udm_t::is_special_member() const
bool udm_t::is_by_til() const
void udm_t::set_retaddr(bool on=true)
void udm_t::set_savregs(bool on=true)
void udm_t::set_by_til(bool on=true)
bool udt_type_data_t::is_fixed() const
void udt_type_data_t::set_fixed(bool on=true)
The following table provide a list of IDB events that have been replaced or, in some cases, removed.
truc_created
local_types_changed
deleting_struc
none
struc_deleted
local_types_changed
changing_struc_align
none
struc_align_changed
local_types_changed
renaming_struc
none
struc_renamed
local_types_changed
expanding_struc
none
struc_expanded
lt_udt_expanded, frame_expanded, local_types_changed
struc_member_created
lt_udm_created, frame_udm_created, local_types_changed
deleting_struc_member
none
struc_member_deleted
lt_udm_deleted, frame_udm_deleted, local_types_changed
renaming_struc_member
none
struc_member_renamed
lt_udm_renamed, frame_udm_renamed, local_types_changed
changing_struc_member
none
struc_member_changed
lt_udm_changed, frame_udm_changed, local_types_changed
changing_struc_cmt
none
struc_cmt_changed
local_types_changed
enum_created
local_types_changed
deleting_enum
none
enum_deleted
local_types_changed
renaming_enum
none
enum_renamed
local_types_changed
changing_enum_bf
local_types_changed
enum_bf_changed
local_types_changed
changing_enum_cmt
none
enum_cmt_changed
local_types_changed
enum_member_created
local_types_changed
deleting_enum_member
none
enum_member_deleted
local_types_changed
enum_width_changed
local_types_changed
enum_flag_changed
local_types_changed
enum_ordinal_changed
none
Classes can be declared the following way:
Inside the class, method functions are declared without the 'static' keyword. The method with the name of the class is the class constructor. For example:
Inside the class methods, the 'this' variable can be used to refer to the current object.
Only one constructor per class is allowed.
Class instances are created like this:
And object attributes (or fields) are accessed like this:
A new attribute is created upon assigning to it:
Accessing an unexisting attribute generates an exception, which can be caught.
The following special method names exist:
Simple class inheritance is support. Derived classed are declared like this:
Here we declare the 'derived' class that is derived from the 'base' class. For derived classes, the base class constructor can be called explicitly:
If the base class constructor is not called explicitly, IDA will call it implicitly, without any arguments.
It is possible to call base class methods using full names:
The 'this' argument must be passed explicitly in this case.
When there are no more references to an object, it is automatically destroyed. We use a simple reference count algorithm to track the object use. Circularly dependent objects are not detected: they are never destroyed.
The following built-in object classes exist:
Human readable form of the typeinfo can be obtained by calling the print() method. The type size can be calculated using the size() method.
loader_input_t: class to read files.
The following symbols are predefined in the IDC preprocessor:
These symbols are also defined when parsing C header files.
The slice operator can be applied IDC objects are strings.
For strings, the slice operator denotes a substring:
Any indexes that are out of bounds are silently adjusted to correct values. If i1 >= i2, empty string is returned. Negative indexes are used to denote positions counting from the end of the string.
String slices can be used on the right side of an assignment. For example:
will replace 2 characters at the beginning of the string by "abc".
For objects, the slice operator denotes a subset of attributes. It can be used to emulate arrays:
x[i1:i2] denotes all attributes with numeric values between i1 and i2 (i2 is excluded).
Any non-numeric attributes are ignored by the slice operator.
The loader_input_t class can read from input files. It has the following methods:
Instances of this class can be created by calling the open_loader_input function.
See other IDC classes.
IDA 8.5 IDAPython changes and porting guide
How to use this Porting Guide? This guide provides a comprehensive list of all changes in IDAPython API between IDA 8.4 and 8.5. Here’s how you can make the most of it:
Explore by module: navigate directly to a specific module and review the changes affecting it
Jump to alternative examples demonstrating how to port removed functions
Check how-to examples that demonstrate the usage of new/udpated APIs
This guide provides information about what has been changed in the IDAPython API between IDA 8.4 and 8.5.
The largest change is due to the removal of two modules:
ida_struct
ida_enum
For years now, those 2 modules have been superseded by the ida_typeinf module, which offers similar functionality.
In case you are not familiar with ida_typeinf's main concepts, we recommend having a look at them first.
ida_struct structures were accessed mostly through their index (or ID), while ida_typeinf adopts another approach using type names (or ordinals). Consequently, the notion of "structure index" bears less importance, and doesn't have a direct alternative.
many ida_struct.get_struc_* operations were accepting a tid_t. While the notion of tid_t is still present in IDA 8.5, it is not part of identifying a type anymore (a type is now identified either by its name, or its ordinal). The notion of tid_t is mostly used to "bind" types to data & functions in the IDB. For example, calling ida_nalt.get_strid(address) will return you such a tid_t. From a tid_t, you can load the corresponding tinfo_t object by using tinfo_t(tid=id).
The table below provides alternatives to the functions that have been removed in IDA 8.5.
add_struc
tinfo_t.create_udt
add_struc_member
tinfo_t.add_udm
del_struc
del_numbered_type, del_named_type
del_struc_member
tinfo_t.del_udm
del_struc_members
expand_struc
tinfo_t.expand_udt
get_best_fit_member
udt_type_data_t.get_best_fit_member
get_first_struc_idx
get_innermost_member
tinfo_t.get_innermost_udm
get_last_struc_idx
get_max_offset
tinfo_t.get_size (structures), or tinfo_t.get_udt_nmembers (unions)
get_member
tinfo_t.get_udm / tinfo_t.get_udm_by_offset
get_member_by_fullname
get_udm_by_fullname
get_member_by_id
tinfo_t.get_udm_by_tid
get_member_by_name
tinfo_t.get_udm
get_member_cmt
tinfo_t.get_udm + udm_t.cmt
get_member_fullname
get_tif_name
get_member_id
tinfo_t(tid=...) + tinfo_t.get_udm_tid
get_member_name
tinfo_t(tid=...) + tinfo_t.get_udm + udm_t.name
get_member_size
tinfo_t(tid=...) + tinfo_t.get_udm + udm_t.size
get_member_struc
get_udm_by_fullname
get_member_tinfo
udm_t.type
get_next_member_idx
get_next_struc_idx
get_or_guess_member_tinfo
get_prev_member_idx
get_prev_struc_idx
get_sptr
get_struc
tinfo_t(tid=...)
get_struc_by_idx
get_struc_cmt
tinfo_t.get_type_cmt
get_struc_first_offset
get_struc_id
get_named_type_tid
get_struc_idx
get_struc_last_offset
tinfo_t.get_udt_details + udm_t.offset
get_struc_name
get_tid_name
get_struc_next_offset
get_struc_prev_offset
get_struc_qty
get_struc_size
tinfo_t(tid=...) + tinfo_t.get_size
is_anonymous_member_name
ida_frame.is_anonymous_member_name
is_dummy_member_name
ida_frame.is_dummy_member_name
is_member_id
idc.is_member_id
is_special_member
is_union
tinfo_t(tid=...) + tinfo_t.is_union
is_varmember
udm_t.is_varmember
is_varstr
tinfo_t(tid=...) + tinfo_t.is_varstruct
retrieve_member_info
save_struc
tinfo_t.save_type / tinfo_t.set_named_type / tinfo_t.set_numbered_type
set_member_cmt
tinfo_t(tid=...) + tinfo_t.set_udm_cmt
set_member_name
tinfo_t(tid=...) + tinfo_t.rename_udm
set_member_tinfo
set_member_type
tinfo_t(tid=...) + tinfo_t.set_udm_type
set_struc_align
set_struc_cmt
tinfo_t(tid=...) + tinfo_t.set_type_cmt
set_struc_hidden
set_struc_idx
set_struc_listed
set_type_choosable
set_struc_name
tinfo_t(tid=...) + tinfo_t.rename_type
stroff_as_size
ida_typeinf.stroff_as_size
struct_field_visitor_t
ida_typeinf.tinfo_visitor_t
unsync_and_delete_struc
visit_stroff_fields
visit_stroff_udms
ida_typeinf.visit_stroff_udms
by_til see ida_typeinf.udm_t.is_by_til
eoff
flag
get_size use ida_typeinf.udm_t.size // 8 instead.
get_soff see soff below.
has_ti
has_union
id
is_baseclass see ida_typeinf.udm_t.is_baseclass
is_destructor see ida_typeinf.udm_t.can_be_dtor
is_dupname
props
soff use ida_typeinf.udm_t.offset // 8 instead.
this
thisown
unimem
age
from_til
get_alignment
get_last_member
get_member
has_union see ida_typeinf.tinfo_t.has_union
id see ida_typeinf.tinfo_t.get_tid
is_choosable
is_copyof
is_frame see ida_typeinf.tinfo_t.is_frame
is_ghost
is_hidden
is_mappedto
is_synced
is_union see ida_typeinf.tinfo_t.is_union
is_varstr see ida_typeinf.tinfo_t.is_varstruct
like_union
members
memqty see ida_typeinf.tinfo_t.get_udt_nmembers
ordinal see ida_typeinf.tinfo_t.get_ordinal
props
set_alignment
thisown
visit_field
visit_udm
The functions below 8.4 are removed those under 8.5 are alternatives.
The idc alternatives are based on:
ida_typeinf module
ida_typeinf.tinfo_t, the type info class
ida_typeinf.enum_type_data_t, the enumeration type class
ida_typeinf.edm_t, the enumeration member class
add_enum
idc.add_enum
add_enum_member
idc.add_enum_member
del_enum
idc.del_enum
del_enum_member
idc.del_enum_member
for_all_enum_members
get_bmask_cmt
idc.get_bmask_cmt
get_bmask_name
idc.get_bmask_name
get_enum
idc.get_enum
get_enum_cmt
idc.get_enum_cmt
get_enum_flag
idc.get_enum_flag
get_enum_idx
get_enum_member
idc.get_enum_member
get_enum_member_bmask
idc.get_enum_member_bmask
get_enum_member_by_name
idc.get_enum_member_by_name
get_enum_member_cmt
idc.get_enum_member_cmt
get_enum_member_enum
idc.get_enum_member_enum
get_enum_member_name
idc.get_enum_member_name
get_enum_member_serial
get_enum_member_value
idc.get_enum_member_value
get_enum_name
idc.get_enum_name
get_enum_name2
get_enum_qty
get_enum_size
idc.get_enum_size
get_enum_type_ordinal
get_enum_width
idc.get_enum_width
get_first_bmask
idc.get_first_bmask
get_first_enum_member
idc.get_first_enum_member
get_first_serial_enum_member
get_last_bmask
idc.get_last_bmask
get_last_enum_member
idc.get_last_enum_member
get_last_serial_enum_member
get_next_bmask
idc.get_next_bmask
get_next_enum_member
idc.get_next_enum_member
get_next_serial_enum_member
get_prev_bmask
idc.get_prev_bmask
get_prev_enum_member
idc.get_prev_enum_member
get_prev_serial_enum_member
getn_enum
is_bf
idc.is_bf
is_enum_fromtil
is_enum_hidden
is_ghost_enum
is_one_bit_mask
set_bmask_cmt
idc.set_bmask_cmt
set_bmask_name
idc.set_bmask_name
set_enum_bf
idc.set_enum_bf
set_enum_cmt
idc.set_enum_cmt
set_enum_flag
idc.set_enum_flag
set_enum_fromtil
set_enum_ghost
set_enum_hidden
set_enum_idx
set_enum_member_cmt
idc.set_enum_member_cmt
set_enum_member_name
idc.set_enum_member_name
set_enum_name
idc.set_enum_name
set_enum_type_ordinal
set_enum_width
idc.set_enum_width
visit_enum_member
callregs_t_regcount
get_ordinal_from_idb_type
is_autosync
get_udm_tid: use tinfo_t.get_udm_tid as an alternative.
get_tinfo_tid: use tinfo_t.get_tid as an alternative.
tinfo_t_get_stock
get_ordinal_qty: use ida_typeinf.get_ordinal_count or ida_typeinf.get_ordinal_limit as alternatives.
import_type: use idc.import_type as an alternative.
detach_tinfo_t(_this: "tinfo_t") -> "bool"
get_tinfo_by_edm_name(tif: "tinfo_t", til: "til_t", mname: "char const *") -> "ssize_t"
stroff_as_size(plen: "int", tif: "tinfo_t", value: "asize_t") -> "bool"
visit_stroff_udms(sfv: "udm_visitor_t", path: "tid_t const *", disp: "adiff_t *", appzero: "bool") -> "adiff_t *"
is_one_bit_mask(mask: "uval_t") -> "bool"
get_idainfo_by_udm(flags: "flags64_t *", ti: "opinfo_t", set_lzero: "bool *", ap: "array_parameters_t", udm: "udm_t") -> "bool"
visit_udm
get_constant_group
set_registers(self, kind: "callregs_t::reg_kind_t", first_reg: "int", last_reg: "int") -> "void"
all_constants(self)
all_groups(self, skip_trivial=False)
get_constant_group(self, *args) -> "PyObject *"
get_max_serial(self, value: "uint64") -> "uchar"
get_serial(self, index: "size_t") -> "uchar"
find_argument(self, *args) -> "ssize_t"
find_base(self, n: "char const *") -> "til_t *"
get_type_names(self) -> "const char *"
detach(self) -> "bool"
is_punknown(self) -> "bool"
get_enum_nmembers(self) -> "size_t"
is_empty_enum(self) -> "bool"
get_enum_width(self) -> "int"
calc_enum_mask(self) -> "uint64"
get_edm_tid(self, idx: "size_t") -> "tid_t"
is_udm_by_til(self, idx: "size_t") -> "bool"
set_udm_by_til(self, idx: "size_t", on: "bool"=True, etf_flags: "uint"=0) -> "tinfo_code_t"
set_fixed_struct(self, on: "bool"=True) -> "tinfo_code_t"
set_struct_size(self, new_size: "size_t") -> "tinfo_code_t"
is_fixed_struct(self) -> "bool"
get_func_frame(self, pfn: "func_t const *") -> "bool"
is_frame(self) -> "bool"
get_frame_func(self) -> "ea_t"
set_enum_radix(self, radix: "int", sign: "bool", etf_flags: "uint"=0) -> "tinfo_code_t"
rename_funcarg(self, index: "size_t", name: "char const *", etf_flags: "uint"=0) -> "tinfo_code_t"
set_funcarg_type(self, index: "size_t", tif: "tinfo_t", etf_flags: "uint"=0) -> "tinfo_code_t"
set_func_rettype(self, tif: "tinfo_t", etf_flags: "uint"=0) -> "tinfo_code_t"
del_funcargs(self, idx1: "size_t", idx2: "size_t", etf_flags: "uint"=0) -> "tinfo_code_t"
del_funcarg(self, idx: "size_t", etf_flags: "uint"=0) -> "tinfo_code_t"
add_funcarg(self, farg: "funcarg_t", etf_flags: "uint"=0, idx: "ssize_t"=-1) -> "tinfo_code_t"
set_func_cc(self, cc: "cm_t", etf_flags: "uint"=0) -> "tinfo_code_t"
set_funcarg_loc(self, index: "size_t", argloc: "argloc_t", etf_flags: "uint"=0) -> "tinfo_code_t"
set_func_retloc(self, argloc: "argloc_t", etf_flags: "uint"=0) -> "tinfo_code_t"
get_stkvar(self, insn: "insn_t const &", x: "op_t const", v: "sval_t") -> "ssize_t"
is_retaddr(self) -> "bool"
is_savregs(self) -> "bool"
is_special_member(self) -> "bool"
is_by_til(self) -> "bool"
set_retaddr(self, on: "bool"=True) -> "void"
set_savregs(self, on: "bool"=True) -> "void
set_by_til(self, on: "bool"=True) -> "void"
set_fixed(self, on: "bool"=True) -> "void"
find_udm(self, udm: "udmt_t *", strmem_flags: "int") -> "int"
find_udm(self, udm: "udmt_t *", strmem_flags: "int") -> "int"
find_udm(self, name: "char const *", strmem_flags: "int") -> "int"
get_type_by_edm_name(self, mname: "const char *", til: "til_t"=None) -> "bool"
get_edm_by_name(self, mname: "char const *", til: "til_t"=None) -> "ssize_t"
8.4 To access the structure of a function frame, use:
get_struc() (use func_t::frame as structure ID)
get_frame(const func_t *pfn)
get_frame(ea_t ea)
8.5 To access the structure of a function frame, use:
tinfo_t::get_func_frame(const func_t *pfn) as the preferred way.
get_func_frame(tinfo_t *out, const func_t *pfn)
get_stkvar: see tinfo_t
get_frame: see tinfo_t.get-func_frame
get_frame_member_by_id
get_min_spd_ea
delete_unreferenced_stkvars
delete_wrong_stkvar_ops
get_func_frame(out: "tinfo_t",pfn: "func_t const *") -> "bool"
add_frame_member(pfn: "func_t const *", name: "char const *", offset: "uval_t", tif: "tinfo_t", repr: "value_repr_t"=None, etf_flags: "uint"=0) -> "bool"
is_anonymous_member_name(name: "char const *") -> "bool"
is_dummy_member_name(name: "char const *") -> "bool"
is_special_frame_member(tid: "tid_t") -> "bool"
set_frame_member_type(pfn: "func_t const *",offset: "uval_t", tif: "tinfo_t", repr: "value_repr_t"=None, etf_flags: "uint"=0) -> "bool"
delete_frame_members(pfn: "func_t const *",start_offset: "uval_t", end_offset: "uval_t") -> "bool"
calc_frame_offset(pfn: "func_t *", off: "sval_t", insn: "insn_t const *"=None, op: "op_t const *"=None) -> "sval_t"
define_stkvar(pfn: "func_t *", name: "const char *", off: "sval_t", flags: "flags64_t", ti: "const opinfo_t *", nbytes: "asize_t") -> bool
define_stkvar(pfn: "func_t *", name: "char const *", off: "sval_t", tif: "tinfo_t", repr: "value_repr_t"=None) -> "bool"
free_chunck
get_8bit
find_bytes(bs: typing.Union[bytes, bytearray, str], range_start: int, range_size: typing.Optional[int] = None, range_end: typing.Optional[int] = ida_idaapi.BADADDR, mask: typing.Optional[typing.Union[bytes, bytearray]] = None, flags: typing.Optional[int] = BIN_SEARCH_FORWARD | BIN_SEARCH_NOSHOW, radix: typing.Optional[int] = 16, strlit_encoding: typing.Optional[typing.Union[int, str]] = PBSENC_DEF1BPU) -> int
find_string(_str: str, range_start: int, range_end: typing.Optional[int] = ida_idaapi.BADADDR, range_size: typing.Optional[int] = None, strlit_encoding: typing.Optional[typing.Union[int, str]] = PBSENC_DEF1BPU, flags: typing.Optional[int] = BIN_SEARCH_FORWARD | BIN_SEARCH_NOSHOW) -> int
op_enum(ea: "ea_t", n: "int", id: "enum_t", serial: "uchar"=0) -> "bool"
op_enum(ea: "ea_t", n: "int", id: "tid_t", serial: "uchar"=0) -> "bool"
get_enum_id(ea: "ea_t", n: "int") -> "tid_t"
get_enum_id(ea: "ea_t", n: "int") -> "enum_t"
parse_binpat_str(out: "compiled_binpat_vec_t", ea: "ea_t", _in: "char const *", radix: "int", strlits_encoding: "int"=0) -> "str"
parse_binpat_str(out: "compiled_binpat_vec_t", ea: "ea_t", _in: "char const *", radix: "int", strlits_encoding: "int"=0) -> "bool"
bin_search3(start_ea: "ea_t", end_ea: "ea_t", data: "compiled_binpat_vec_t", flags: "int) -> ea_t
bin_search(start_ea: "ea_t", end_ea: "ea_t", data: "compiled_binpat_vec_t const &", flags: "int") -> (ea_t, size_t)
bin_search(start_ea: "ea_t", end_ea: "ea_t", image: "uchar const *", mask: "uchar const *", len: "size_t", flags: "int") -> ea_t
get_octet2(ogen: "octet_generator_t") -> "uchar_t*"
get_octet(ogen: "octet_generator_t") -> "uchar_t*"
dirtree_cursor_root_cursor
dirtree_t_errstr
enumerate_files2
eclose
qflcose(fp: "FILE *") -> "int"
set_ea(self, _ea: "ea_t") -> "bool"
clear(self)
resize(self, n: "int") -> "void"
size(self) -> "size_t"
set(self, _node: "int", num: "int") -> "void"
clr(self, _node: "int") -> "bool"
node(self, _order: "size_t") -> "int"
order(self, _node: "int") -> "int"
See ida-gdl node_ordering_t has been made an alias of ida_gdl.node_ordering_t
See ida-gdl edge_t has been made an alias of ida_gdl.edge_t
abstract_graph_t
drawable_graph_t
mutable_graph_t
interactive_graph_t
abstract_graph_t has been made an alias of drawable_graph_t mutbale_graph_t has been made an alias of interactive_graph_t
create_mutable_graph
create_interactive_graph
delete_mutable_graph
delete_interactive_graph
grcode_create_mutable_graph
grcode_create_interactive_graph
create_mutable_graph has been made an alias of create_interactive_graph delete_mutable_graph has been made an alias of delete_interactive_graph grcode_create_mutable_graph has been made an alias of grcode_create_interactive_graph
get_member_type
checkout_hexrays_license
cinsn_t_insn_is_epilog
save_user_labels2(func_ea: "ea_t", user_labels: "user_labels_t", func: "cfunc_t"=None) -> "void"
save_user_labels(func_ea: "ea_t", user_labels: "user_labels_t", func: "cfunc_t"=None) -> "void"
restore_user_labels2(func_ea: "ea_t", func: "cfunc_t"=None) -> "user_labels_t *"
restore_user_labels(func_ea: "ea_t", func: "cfunc_t"=None) -> "user_labels_t *"
max_vlr_value(size: "int") -> "uvlr_t"
min_vlr_svalue(size: "int") -> "uvlr_t"
max_vlr_svalue(size: "int") -> "uvlr_t"
is_unsigned_cmpop(cmpop: "cmpop_t") -> "bool"
is_signed_cmpop(cmpop: "cmpop_t") -> "bool"
is_cmpop_with_eq(cmpop: "cmpop_t") -> "bool"
is_cmpop_without_eq(cmpop: "cmpop_t") -> "bool"
catchexpr_t
ccatch_t
ctry_t
cthrow_t
cblock_pos_t
set_strmem_type
rename_strmem
splice(self, pos: "qlist< cinsn_t >::iterator", other: "cinsn_list_t", first: "qlist< cinsn_t >::iterator", last: "qlist< cinsn_t >::iterator") -> "void"
pre_structural(self, ct: "control_graph_t *", cfunc: "cfunc_t", g: "simple_graph_t") -> "int"
begin_inlining(self, cdg: "codegen_t", decomp_flags: "int") -> "int"
inlining_func(self, cdg: "codegen_t", blk: "int", mbr: "mba_ranges_t") -> "int"
inlined_func(self, cdg: "codegen_t", blk: "int", mbr: "mba_ranges_t", i1: "int", i2: "int") -> "int"
collect_warnings(self, warnings: "qstrvec_t *", cfunc: "cfunc_t") -> "int"
was_scattered_arg(self) -> "bool"
set_scattered_arg(self) -> "void"
clr_scattered_arg(self) -> "void"
find_input_reg(self, reg: "int", _size: "int"=1) -> "int"
compute_dominators(self, domin: "array_of_node_bitset_t &", post: "bool"=False) -> "void"
compute_immediate_dominators(self, domin: "array_of_node_bitset_t const &", idomin: "intvec_t", post: "bool"=False) -> "void"
depth_first_preorder(self, pre: "node_ordering_t") -> "int"
depth_first_postorder(self, post: "node_ordering_t") -> "int"
begin(self) -> "simple_graph_t::iterator"
end(self) -> "simple_graph_t::iterator"
front(self) -> "int"
inc(self, p: "simple_graph_t::iterator &", n: "int"=1) -> "void"
goup(self, node: "int") -> "int"
calc_max_exp(self) -> "int"
is_nan(self) -> "bool"
was_unpaired(self) -> "bool"
split_block(self, blk: "mblock_t", start_insn: "minsn_t") -> "mblock_t *"
inline_func(self, cdg: "codegen_t", blknum: "int", ranges: "mba_ranges_t", decomp_flags: "int"=0, inline_flags: "int"=0) -> "merror_t"
locate_stkpnt(self, ea: "ea_t") -> "stkpnt_t const *"
clear(self) -> "void"
flowchart(self, fc: "qflow_chart_t") -> "int"
flowchart(self, fc: "qflow_chart_t", mba: "mba_t") -> "int"
cvt_to_cmp(self, strict: "bool") -> "bool"
cvt_to_cmp(self) -> "bool"
max_value(self, size_ : "int") -> "uvlr_t"
max_value(self) -> "uvlr_t"
min_svalue(self, size_: "int") -> "uvlr_t"
min_svalue(self) -> "uvlr_t"
max_svalue(self, size_: "int") -> "uvlr_t"
max_svalue(self) -> "uvlr_t"
get_stkvar(self, p_off=None: "uval_t *") -> "member_t *"
get_stkvar(self, udm: "udm_t"=None, p_off: "uval_t *"=None) -> "ssize_t"
get_stkvar(self, p_off: "uval_t *") -> "member_t *"
get_stkvar(self, udm: "udm_t"=None, p_off: "uval_t *"=None) -> "ssize_t"
is_node_altval(self) -> "bool"
is_node_supval(self) -> "bool"
is_node_valobj(self) -> "bool"
is_node_blob(self) -> "bool"
is_node_var(self) -> "bool"
is_struc_field(self) -> "bool"
is_cstr(self) -> "bool"
is_qstring(self) -> "bool"
is_bytearray(self) -> "bool"
is_buf_var(self) -> "bool"
is_decimal(self) -> "bool"
is_hexadecimal(self) -> "bool"
is_readonly_var(self) -> "bool"
is_incremented(self) -> "bool"
is_val_mapped(self) -> "bool"
is_hash(self) -> "bool"
use_hlpstruc(self) -> "bool"
is_bitmap(self) -> "bool"
is_onoff(self) -> "bool"
is_scalar_var(self) -> "bool"
is_bitfield(self) -> "bool"
is_boolean(self) -> "bool"
has_individual_node(self) -> "bool"
str_true(self) -> "char const *"
str_false(self) -> "char const *"
ridx(self) -> "size_t"
hashname(self) -> "char const *"
As will be shown in ida_idaapi Removed functions get_inf_structure has been removed. It has been replaced by the following accessors.
ida_idaapi.get_inf_structure().procname
ida_ida.inf_get_procname()
ida_idaapi.get_inf_structure().max_ea
ida_ida.inf_get_max_ea()
ida_idaapi.get_inf_structure().is_32bit()
ida_ida.inf_is_32bit_exactly()
The list of getters and setters is given below.
inf_get_version() -> "ushort"
inf_get_genflags() -> "ushort"
inf_get_lflags() -> "uint32"
inf_get_app_bitness() -> "uint"
inf_get_database_change_count() -> "uint32"
inf_get_filetype() -> "filetype_t"
inf_get_ostype() -> "ushort"
inf_get_apptype() -> "ushort"
inf_get_asmtype() -> "uchar"
inf_get_specsegs() -> "uchar"
inf_get_af() -> "uint32"
inf_get_af2() -> "uint32"
inf_get_baseaddr() -> "uval_t"
inf_get_start_ss() -> "sel_t"
inf_get_start_cs() -> "sel_t"
inf_get_start_ip() -> "ea_t"
inf_get_start_ea() -> "ea_t"
inf_get_start_sp() -> "ea_t"
inf_get_main() -> "ea_t"
inf_get_min_ea() -> "ea_t"
inf_get_max_ea() -> "ea_t"
inf_get_omin_ea() -> "ea_t"
inf_get_omax_ea() -> "ea_t"
inf_get_lowoff() -> "ea_t"
inf_get_highoff() -> "ea_t"
inf_get_maxref() -> "uval_t"
inf_get_netdelta() -> "sval_t"
inf_get_xrefnum() -> "uchar"
inf_get_type_xrefnum() -> "uchar"
inf_get_refcmtnum() -> "uchar"
inf_get_xrefflag() -> "uchar"
inf_get_max_autoname_len() -> "ushort"
inf_get_nametype() -> "char"
inf_get_short_demnames() -> "uint32"
inf_get_long_demnames() -> "uint32"
inf_get_demnames() -> "uchar"
inf_get_listnames() -> "uchar"
inf_get_indent() -> "uchar"
inf_get_cmt_indent() -> "uchar"
inf_get_margin() -> "ushort"
inf_get_lenxref() -> "ushort"
inf_get_outflags() -> "uint32"
inf_get_cmtflg() -> "uchar"
inf_get_limiter() -> "uchar"
inf_get_bin_prefix_size() -> "short"
inf_get_prefflag() -> "uchar"
inf_get_strlit_flags() -> "uchar"
inf_get_strlit_break() -> "uchar"
inf_get_strlit_zeroes() -> "char"
inf_get_strtype() -> "int32"
inf_get_strlit_sernum() -> "uval_t"
inf_get_datatypes() -> "uval_t"
inf_get_abibits() -> "uint32"
inf_get_appcall_options() -> "uint32"
inf_get_privrange_start_ea() -> "ea_t"
inf_get_privrange_end_ea() -> "ea_t"
inf_get_cc_id() -> "comp_t"
inf_get_cc_cm() -> "cm_t"
inf_get_cc_size_i() -> "uchar"
inf_get_cc_size_b() -> "uchar"
inf_get_cc_size_e() -> "uchar"
inf_get_cc_defalign() -> "uchar"
inf_get_cc_size_s() -> "uchar"
inf_get_cc_size_l() -> "uchar"
inf_get_cc_size_ll() -> "uchar"
inf_get_cc_size_ldbl() -> "uchar"
inf_get_procname() -> "size_t"
inf_get_strlit_pref() -> "size_t"
inf_get_cc(out: "compiler_info_t") -> "bool"
inf_get_privrange(*args) -> "range_t"
inf_get_af_low() -> "ushort"
inf_get_af_high() -> "ushort"
inf_get_af2_low() -> "ushort"
inf_get_pack_mode() -> "int"
inf_get_demname_form() -> "uchar"
inf_is_auto_enabled() -> "bool"
inf_is_graph_view() -> "bool"
inf_is_32bit_or_higher() -> "bool"
inf_is_32bit_exactly() -> "bool"
inf_is_16bit() -> "bool"
inf_is_64bit() -> "bool"
inf_is_dll() -> "bool"
inf_is_flat_off32() -> "bool"
inf_is_be() -> "bool"
inf_is_wide_high_byte_first() -> "bool"
inf_is_snapshot() -> "bool"
inf_is_kernel_mode() -> "bool"
inf_is_limiter_thin() -> "bool"
inf_is_limiter_thick() -> "bool"
inf_is_limiter_empty() -> "bool"
inf_is_mem_aligned4() -> "bool"
inf_is_hard_float() -> "bool"
inf_abi_set_by_user() -> "bool"
inf_allow_non_matched_ops() -> "bool"
inf_allow_sigmulti() -> "bool"
inf_append_sigcmt() -> "bool"
inf_big_arg_align(*args) -> "bool"
inf_check_manual_ops() -> "bool"
inf_check_unicode_strlits() -> "bool"
inf_coagulate_code() -> "bool"
inf_coagulate_data() -> "bool"
inf_compress_idb() -> "bool"
inf_create_all_xrefs() -> "bool"
inf_create_func_from_call() -> "bool"
inf_create_func_from_ptr() -> "bool"
inf_create_func_tails() -> "bool"
inf_create_jump_tables() -> "bool"
inf_create_off_on_dref() -> "bool"
inf_create_off_using_fixup() -> "bool"
inf_create_strlit_on_xref() -> "bool"
inf_data_offset() -> "bool"
inf_dbg_no_store_path() -> "bool"
inf_decode_fpp() -> "bool"
inf_del_no_xref_insns() -> "bool"
inf_final_pass() -> "bool"
inf_full_sp_ana() -> "bool"
inf_gen_assume() -> "bool"
inf_gen_lzero() -> "bool"
inf_gen_null() -> "bool"
inf_gen_org() -> "bool"
inf_huge_arg_align(cc: cm_t) -> "bool"
inf_like_binary() -> "bool":
inf_line_pref_with_seg() -> "bool"
inf_loading_idc() -> "bool"
inf_macros_enabled() -> "bool"
inf_map_stkargs() -> "bool"
inf_mark_code() -> "bool"
inf_merge_strlits() -> "bool"
inf_no_store_user_info() -> "bool"
inf_noflow_to_data() -> "bool"
inf_noret_ana() -> "bool"
inf_op_offset() -> "bool"
inf_pack_idb() -> "bool"
inf_pack_stkargs(*args) -> "bool"
inf_prefix_show_funcoff() -> "bool"
inf_prefix_show_segaddr() -> "bool"
inf_prefix_show_stack() -> "bool"
inf_prefix_truncate_opcode_bytes() -> "bool"
inf_propagate_regargs() -> "bool"
inf_propagate_stkargs() -> "bool"
inf_readonly_idb() -> "bool"
inf_rename_jumpfunc() -> "bool"
inf_rename_nullsub() -> "bool"
inf_should_create_stkvars() -> "bool"
inf_should_trace_sp() -> "bool"
inf_show_all_comments() -> "bool"
inf_show_auto() -> "bool"
inf_show_hidden_funcs() -> "bool"
inf_show_hidden_insns() -> "bool"
inf_show_hidden_segms() -> "bool"
inf_show_line_pref() -> "bool"
inf_show_repeatables() -> "bool"
inf_show_src_linnum() -> "bool"
inf_show_void() -> "bool"
inf_show_xref_fncoff() -> "bool"
inf_show_xref_seg() -> "bool"
inf_show_xref_tmarks() -> "bool"
inf_show_xref_val() -> "bool"
inf_stack_ldbl() -> "bool"
inf_stack_varargs() -> "bool"
inf_strlit_autocmt() -> "bool"
inf_strlit_name_bit() -> "bool"
inf_strlit_names() -> "bool"
inf_strlit_savecase() -> "bool"
inf_strlit_serial_names() -> "bool"
inf_test_mode() -> "bool"
inf_trace_flow() -> "bool"
inf_truncate_on_del() -> "bool"
inf_unicode_strlits() -> "bool"
inf_use_allasm() -> "bool"
inf_use_flirt() -> "bool"
inf_use_gcc_layout() -> "bool"
inf_set_allow_non_matched_ops(_v: "bool"=True) -> "bool"
inf_set_graph_view(_v: "bool"=True) -> "bool"
inf_set_lflags(_v: "uint32") -> "bool"
inf_set_decode_fpp(_v: "bool"=True) -> "bool"
inf_set_32bit(_v: "bool"=True) -> "bool"
inf_set_64bit(_v: "bool"=True) -> "bool"
inf_set_dll(_v: "bool"=True) -> "bool"
inf_set_flat_off32(_v: "bool"=True) -> "bool"
inf_set_be(_v: "bool"=True) -> "bool"
inf_set_wide_high_byte_first(_v: "bool"=True) -> "bool"
inf_set_dbg_no_store_path(_v: "bool"=True) -> "bool"
inf_set_snapshot(_v: "bool"=True) -> "bool"
inf_set_pack_idb(_v: "bool"=True) -> "bool"
inf_set_compress_idb(_v: "bool"=True) -> "bool"
inf_set_kernel_mode(_v: "bool"=True) -> "bool"
inf_set_app_bitness(bitness: "uint") -> "void"
inf_set_database_change_count(_v: "uint32") -> "bool"
inf_set_filetype(_v: "filetype_t") -> "bool"
inf_set_ostype(_v: "ushort") -> "bool"
inf_set_apptype(_v: "ushort") -> "bool"
inf_set_asmtype(_v: "uchar") -> "bool"
inf_set_specsegs(_v: "uchar") -> "bool"
inf_set_af(_v: "uint32") -> "bool"
inf_set_trace_flow(_v: "bool"=True) -> "bool"
inf_set_mark_code(_v: "bool"=True) -> "bool"
inf_set_create_jump_tables(_v: "bool"=True) -> "bool"
inf_set_noflow_to_data(_v: "bool"=True) -> "bool"
inf_set_create_all_xrefs(_v: "bool"=True) -> "bool"
inf_set_del_no_xref_insns(_v: "bool"=True) -> "bool"
inf_set_create_func_from_ptr(_v: "bool"=True) -> "bool"
inf_set_create_func_from_call(_v: "bool"=True) -> "bool"
inf_set_create_func_tails(_v: "bool"=True) -> "bool"
inf_set_should_create_stkvars(_v: "bool"=True) -> "bool"
inf_set_propagate_stkargs(_v: "bool"=True) -> "bool"
inf_set_propagate_regargs(_v: "bool"=True) -> "bool"
inf_set_should_trace_sp(_v: "bool"=True) -> "bool"
inf_set_full_sp_ana(_v: "bool"=True) -> "bool"
inf_set_noret_ana(_v: "bool"=True) -> "bool"
inf_set_guess_func_type(_v: "bool"=True) -> "bool"
inf_set_truncate_on_del(_v: "bool"=True) -> "bool"
inf_set_create_strlit_on_xref(_v: "bool"=True) -> "bool"
inf_set_check_unicode_strlits(_v: "bool"=True) -> "bool"
inf_set_create_off_using_fixup(_v: "bool"=True) -> "bool"
inf_set_create_off_on_dref(_v: "bool"=True) -> "bool"
inf_set_op_offset(_v: "bool"=True) -> "bool"
inf_set_data_offset(_v: "bool"=True) -> "bool"
inf_set_use_flirt(_v: "bool"=True) -> "bool"
inf_set_append_sigcmt(_v: "bool"=True) -> "bool"
inf_set_allow_sigmulti(_v: "bool"=True) -> "bool"
inf_set_hide_libfuncs(_v: "bool"=True) -> "bool"
inf_set_rename_jumpfunc(_v: "bool"=True) -> "bool"
inf_set_rename_nullsub(_v: "bool"=True) -> "bool"
inf_set_coagulate_data(_v: "bool"=True) -> "bool"
inf_set_coagulate_code(_v: "bool"=True) -> "bool"
inf_set_final_pass(_v: "bool"=True) -> "bool"
inf_set_af2(_v: "uint32") -> "bool"
inf_set_handle_eh(_v: "bool"=True) -> "bool"
inf_set_handle_rtti(_v: "bool"=True) -> "bool"
inf_set_macros_enabled(_v: "bool"=True) -> "bool"
inf_set_merge_strlits(_v: "bool"=True) -> "bool"
inf_set_baseaddr(_v: "uval_t") -> "bool"
inf_set_start_ss(_v: "sel_t") -> "bool"
inf_set_start_cs(_v: "sel_t") -> "bool"
inf_set_start_ip(_v: "ea_t") -> "bool"
inf_set_start_ea(_v: "ea_t") -> "bool"
inf_set_start_sp(_v: "ea_t") -> "bool"
inf_set_main(_v: "ea_t") -> "bool"
inf_set_min_ea(_v: "ea_t") -> "bool"
inf_set_max_ea(_v: "ea_t") -> "bool"
inf_set_omin_ea(_v: "ea_t") -> "bool"
inf_set_omax_ea(_v: "ea_t") -> "bool"
inf_set_lowoff(_v: "ea_t") -> "bool"
inf_set_highoff(_v: "ea_t") -> "bool"
inf_set_maxref(_v: "uval_t") -> "bool"
inf_set_netdelta(_v: "sval_t") -> "bool"
inf_set_xrefnum(_v: "uchar") -> "bool"
inf_set_type_xrefnum(_v: "uchar") -> "bool"
inf_set_refcmtnum(_v: "uchar") -> "bool"
inf_set_xrefflag(_v: "uchar") -> "bool"
inf_set_show_xref_seg(_v: "bool"=True) -> "bool"
inf_set_show_xref_tmarks(_v: "bool"=True) -> "bool"
inf_set_show_xref_fncoff(_v: "bool"=True) -> "bool"
inf_set_show_xref_val(_v: "bool"=True) -> "bool"
inf_set_max_autoname_len(_v: "ushort") -> "bool"
inf_set_nametype(_v: "char") -> "bool"
inf_set_short_demnames(_v: "uint32") -> "bool"
inf_set_long_demnames(_v: "uint32") -> "bool"
inf_set_demnames(_v: "uchar") -> "bool"
inf_set_listnames(_v: "uchar") -> "bool"
inf_set_indent(_v: "uchar") -> "bool"
inf_set_cmt_indent(_v: "uchar") -> "bool"
inf_set_margin(_v: "ushort") -> "bool"
inf_set_lenxref(_v: "ushort") -> "bool"
inf_set_outflags(_v: "uint32") -> "bool"
inf_set_show_void(_v: "bool"=True) -> "bool"
inf_set_show_auto(_v: "bool"=True) -> "bool"
inf_set_gen_null(_v: "bool"=True) -> "bool"
inf_set_show_line_pref(_v: "bool"=True) -> "bool"
inf_set_line_pref_with_seg(_v: "bool"=True) -> "bool"
inf_set_gen_lzero(_v: "bool"=True) -> "bool"
inf_set_gen_org(_v: "bool"=True) -> "bool"
inf_set_gen_assume(_v: "bool"=True) -> "bool"
inf_set_gen_tryblks(_v: "bool"=True) -> "bool"
inf_set_cmtflg(_v: "uchar") -> "bool"
inf_set_show_repeatables(_v: "bool"=True) -> "bool"
inf_set_show_all_comments(_v: "bool"=True) -> "bool"
inf_set_hide_comments(_v: "bool"=True) -> "bool"
inf_set_show_src_linnum(_v: "bool"=True) -> "bool"
inf_set_show_hidden_insns(_v: "bool"=True) -> "bool"
inf_set_show_hidden_funcs(_v: "bool"=True) -> "bool"
inf_set_show_hidden_segms(_v: "bool"=True) -> "bool"
inf_set_limiter(_v: "uchar") -> "bool"
inf_set_limiter_thin(_v: "bool"=True) -> "bool"
inf_set_limiter_thick(_v: "bool"=True) -> "bool"
inf_set_limiter_empty(_v: "bool"=True) -> "bool"
inf_set_bin_prefix_size(_v: "short") -> "bool"
inf_set_prefflag(_v: "uchar") -> "bool"
inf_set_prefix_show_segaddr(_v: "bool"=True) -> "bool"
inf_set_prefix_show_funcoff(_v: "bool"=True) -> "bool"
inf_set_prefix_show_stack(_v: "bool"=True) -> "bool"
inf_set_prefix_truncate_opcode_bytes(_v: "bool"=True) -> "bool"
inf_set_strlit_flags(_v: "uchar") -> "bool"
inf_set_strlit_names(_v: "bool"=True) -> "bool"
inf_set_strlit_name_bit(_v: "bool"=True) -> "bool"
inf_set_strlit_serial_names(_v: "bool"=True) -> "bool"
inf_set_unicode_strlits(_v: "bool"=True) -> "bool"
inf_set_strlit_autocmt(_v: "bool"=True) -> "bool"
inf_set_strlit_savecase(_v: "bool"=True) -> "bool"
inf_set_strlit_break(_v: "uchar") -> "bool"
inf_set_strlit_zeroes(_v: "char") -> "bool"
inf_set_strtype(_v: "int32") -> "bool"
inf_set_strlit_sernum(_v: "uval_t") -> "bool"
inf_set_datatypes(_v: "uval_t") -> "bool"
inf_set_abibits(_v: "uint32") -> "bool"
inf_set_mem_aligned4(_v: "bool"=True) -> "bool"
inf_set_pack_stkargs(_v: "bool"=True) -> "bool"
inf_set_big_arg_align(_v: "bool"=True) -> "bool"
inf_set_stack_ldbl(_v: "bool"=True) -> "bool"
inf_set_stack_varargs(_v: "bool"=True) -> "bool"
inf_set_hard_float(_v: "bool"=True) -> "bool"
inf_set_abi_set_by_user(_v: "bool"=True) -> "bool"
inf_set_use_gcc_layout(_v: "bool"=True) -> "bool"
inf_set_map_stkargs(_v: "bool"=True) -> "bool"
inf_set_huge_arg_align(_v: "bool"=True) -> "bool"
inf_set_appcall_options(_v: "uint32") -> "bool"
inf_set_privrange_start_ea(_v: "ea_t") -> "bool"
inf_set_privrange_end_ea(_v: "ea_t") -> "bool"
inf_set_cc_id(_v: "comp_t") -> "bool"
inf_set_cc_cm(_v: "cm_t") -> "bool"
inf_set_cc_size_i(_v: "uchar") -> "bool"
inf_set_cc_size_b(_v: "uchar") -> "bool"
inf_set_cc_size_e(_v: "uchar") -> "bool"
inf_set_cc_defalign(_v: "uchar") -> "bool"
inf_set_cc_size_s(_v: "uchar") -> "bool"
inf_set_cc_size_l(_v: "uchar") -> "bool"
inf_set_cc_size_ll(_v: "uchar") -> "bool"
inf_set_cc_size_ldbl(_v: "uchar") -> "bool"
inf_set_procname(*args) -> "bool"
inf_set_strlit_pref(*args) -> "bool"
inf_set_cc(_v: "compiler_info_t") -> "bool"
inf_set_privrange(_v: "range_t") -> "bool"
inf_set_af_low(saf: "ushort") -> "void"
inf_set_af_high(saf2: "ushort") -> "void"
inf_set_af2_low(saf: "ushort") -> "void"
inf_set_pack_mode(pack_mode: "int") -> "int"
inf_inc_database_change_count(cnt: "int"=1) -> "void"
get_inf_structure see inf_structure getters and inf_structure setters
loader_input_t_from_linput
loader_input_t_from_capsule
loader_input_t_from_fp
cpu2ieee(ieee_out: "fpvalue_t *", cpu_fpval: "void const *", size: "int") -> "int"
ieee2cpu(cpu_fpval: "void *", ieee_out: "fpvalue_t const &", size: "int") -> "int"
See also IDB events below.
has_realcvt
get_uFlag
gen_stkvar_def(ctx: "outctx_t &", mptr: "member_t const *", v: : "sval_t") -> ssize_t
gen_stkvar_def(ctx: "outctx_t &", mptr: "udm_t", v: "sval_t", tid: "tid_t") -> "ssize_t"
ev_gen_stkvar_def(self, *args) -> "int"
ev_gen_stkvar_def(self, outctx: "outctx_t *", stkvar: "udm_t", v: "sval_t", tid: "tid_t") -> "int"
lt_udm_created(self, udtname: "char const *", udm: "udm_t") -> "void"
lt_udm_deleted(self, udtname: "char const *", udm_tid: "tid_t", udm: "udm_t") -> "void"
lt_udm_renamed(self, udtname: "char const *", udm: "udm_t", oldname: "char const *") -> "void"
lt_udm_changed(self, udtname: "char const *", udm_tid: "tid_t", udmold: "udm_t", udmnew: "udm_t") -> "void"
lt_udt_expanded(self, udtname: "char const *", udm_tid: "tid_t", delta: "adiff_t") -> "void"
frame_created(self, func_ea: "ea_t") -> "void"
frame_udm_created(self, func_ea: "ea_t", udm: "udm_t") -> "void"
frame_udm_deleted(self, func_ea: "ea_t", udm_tid: "tid_t", udm: "udm_t") -> "void"
frame_udm_renamed(self, func_ea: "ea_t", udm: "udm_t", oldname: "char const *") -> "void"
frame_udm_changed(self, func_ea: "ea_t", udm_tid: "tid_t", udmold: "udm_t", udmnew: "udm_t") -> "void"
frame_expanded(self, func_ea: "ea_t", udm_tid: "tid_t", delta: "adiff_t") -> "void"
All the _processor_t functions have been removed from ida_idp.
_get_10bytes
_set_10bytes
place_t_as_enumplace_t
place_t_as_structplace_t
open_enums_window
open_structs_window
choose_struc
choose_enum(title, default_id) -> "enum_t"
choose_enum_by_value(title, default_id, value, nbytes) -> "enum_t"
place_t_as_idaplace_t has been made an alias of place_t.as_idaplace_t
place_t_as_simpleline_place_t has been made an alias of place_t.as_simpleline_place_t
place_t_as_tiplace_t has been made an alias of place_t.as_tiplace_t
enumplace_t
structplace_t
as_enumplace_t
as_structplace_t
place_as_enumplace_t
place_as_structplace_t
find_in
nearest_before(self, range: "tagged_line_section_t", start: "cpidx_t", tag: "color_t"=0) -> "tagged_line_section_t const *"
nearest_after(self, range: "tagged_line_section_t", start: "cpidx_t", tag: "color_t"=0) -> "tagged_line_section_t const *"
has_widget_lifecycle(self) -> "bool"
is_ida_library(path: "char *", pathsize: "size_t", handle: "void **") -> "bool"
set_user_defined_prefix
bookmarks_t_mark has been made an alias of bookmarks_t.mark
bookmarks_t_get_desc has been made an alias of bookmarks_t.get_desc
bookmarks_t_find_index has been made an alias of bookmarks_t.find_index
bookmarks_t_size has been made an alias of bookmarks_t.size
bookmarks_t_erase has been made an alias of bookmarks_t.erase
bookmarks_t_get_dirtree_id has been made an alias of bookmarks_t.get_dirtree_id
bookmarks_t_get has been made an alias of bookmarks_t.get
validate_idb_names
netnode.exist has been made an alias of netnode.exist
uchar_array_frompointer
tid_array_frompointer
ea_array_frompointer
sel_array_frompointer
int_pointer_frompointer
sel_pointer_frompointer
ea_pointer_frompointer
See Added classes below
erase(self, name: "char const *") -> "bool"
assign(self, value: "uchar") -> "void"
value(self) -> "uchar"
cast(self) -> "uchar *"
frompointer(t: "uchar *") -> "uchar_pointer *"
assign(self, value: "ushort") -> "void"
value(self) -> "ushort"
cast(self) -> "ushort *"
frompointer(t: "ushort *") -> "ushort_pointer *"
assign(self, value: "uint") -> "void"
value(self) -> "uint"
cast(self) -> "uint *"
frompointer(t: "uint *") -> "uint_pointer *"
assign(self, value: "sint8") -> "void"
value(self) -> "sint8"
cast(self) -> "sint8 *"
frompointer(t: "sint8 *") -> "sint8_pointer *"
assign(self, value: "int8") -> "void"
value(self) -> "int8"
cast(self) -> "int8 *"
frompointer(t: "int8 *") -> "int8_pointer *"
assign(self, value: "uint8") -> "void"
value(self) -> "uint8"
cast(self) -> "uint8 *"
frompointer(t: "uint8 *") -> "uint8_pointer *"
assign(self, value: "int16") -> "void"
value(self) -> "int16"
cast(self) -> "int16 *"
frompointer(t: "int16 *") -> "int16_pointer *"
assign(self, value: "uint16") -> "void"
value(self) -> "uint16"
cast(self) -> "uint16 *"
frompointer(t: "uint16 *") -> "uint16_pointer *"
assign(self, value: "int32") -> "void"
value(self) -> "int32"
cast(self) -> "int32 *"
frompointer(t: "int32 *") -> "int32_pointer *"
assign(self, value: "uint32") -> "void"
value(self) -> "uint32"
cast(self) -> "uint32 *"
frompointer(t: "uint32 *") -> "uint32_pointer *"
assign(self, value: "int64") -> "void"
value(self) -> "int64"
cast(self) -> "int64 *"
frompointer(t: "int64 *") -> "int64_pointer *"
assign(self, value: "uint64") -> "void"
value(self) -> "uint64"
cast(self) -> "uint64 *"
frompointer(t: "uint64 *") -> "uint64_pointer *"
assign(self, value: "ssize_t") -> "void"
value(self) -> "ssize_t"
cast(self) -> "ssize_t *"
frompointer(t: "ssize_t *") -> "ssize_pointer *"
assign(self, value: "bool") -> "void"
value(self) -> "bool"
cast(self) -> "bool *"
frompointer(t: "bool *") -> "bool_pointer *"
assign(self, value: "short") -> "void"
value(self) -> "short"
cast(self) -> "short *"
frompointer(t: "short *") -> "short_pointer *"
assign(self, value: "char") -> "void"
value(self) -> "char"
cast(self) -> "char *"
frompointer(t: "char *") -> "char_pointer *"
assign(self, value: "sel_t") -> "void"
value(self) -> "sel_t"
cast(self) -> "sel_t *"
frompointer(t: "sel_t *") -> "sel_pointer *"
assign(self, value: "asize_t") -> "void"
value(self) -> "asize_t"
cast(self) -> "asize_t *"
frompointer(t: "asize_t *") -> "asize_pointer *"
assign(self, value: "adiff_t") -> "void"
value(self) -> "adiff_t"
cast(self) -> "adiff_t *"
from_pointer(t: "adiff_t*") -> "adiff_pointer *"
assign(self, value: "uval_t") -> "void"
value(self) -> "uval_t"
cast(self) -> "uval_t *"
frompointer(t: "uval_t *") -> "uval_pointer *"
assign(self, value: "ea32_t") -> "void"
value(self) -> "ea32_t"
cast(self) -> "ea32_t *"
frompointer(t: "ea32_t *") -> "ea32_pointer *"
assign(self, value: "ea64_t") -> "void"
value(self) -> "ea64_t"
cast(self) -> "ea64_t *"
frompointer(t: "ea64_t *") -> "ea64_pointer *"
assign(self, value: "flags_t") -> "void"
value(self) -> "flags_t"
cast(self) -> "flags_t *"
frompointer(t: "flags_t *") -> "flags_pointer *"
assign(self, value: "flags64_t") -> "void"
value(self) -> "flags64_t"
cast(self) -> "flags64_t *"
frompointer(t: "flags64_t *") -> "flags64_pointer *"
assign(self, value: "tid_t") -> "void"
value(self) -> "tid_t"
cast(self) -> "tid_t *"
frompointer(t: "tid_t *") -> "tid_pointer *"
get_login_name() -> "qstring *"
reg_value_info_t_make_dead_end
reg_value_info_t_make_aborted
reg_value_info_t_make_badinsn
reg_value_info_t_make_unkinsn
reg_value_info_t_make_unkfunc
reg_value_info_t_make_unkloop
reg_value_info_t_make_unkmult
reg_value_info_t_make_num
reg_value_info_t_make_initial_sp
invalidate_regfinder_cache(ea: "ea_t") -> "void"
invalidate_regfinder_cache(from=BADADDR: "ea_t", to=BADADDR: "ea_t") -> "void"
movt(self, r: "reg_value_info_t", insn: "insn_t const &") -> "void"
reg_load
reg_flush
find_binary
construct_macro(insn: "insn_t *", enable: "bool", build_macro: "PyObject *") -> bool (See [Modified functions](#modified-functions-4))
construct_macro2(_this: "macro_constructor_t *", insn: "insn_t *", enable: "bool") -> "bool"
construct_macro(_this: "macro_constructor_t *", insn: "insn_t *", enable: "bool") -> "bool"
construct_macro(self, insn: "insn_t", enable: "bool") -> "bool"
Structs() -> [(idx, sid, name)]
Structs() -> [(ordinal, sid, name)]
StructMembers(sid) -> [(offset, name, size)]
StructMembers(sid) -> [(offset_in_bytes, name, size_in_bytes)]
The following table provide a list of IDB events that have been replaced or, in some cases, removed.
truc_created
local_types_changed
deleting_struc
none
struc_deleted
local_types_changed
changing_struc_align
none
struc_align_changed
local_types_changed
renaming_struc
none
struc_renamed
local_types_changed
expanding_struc
none
struc_expanded
lt_udt_expanded, frame_expanded, local_types_changed
struc_member_created
lt_udm_created, frame_udm_created, local_types_changed
deleting_struc_member
none
struc_member_deleted
lt_udm_deleted, frame_udm_deleted, local_types_changed
renaming_struc_member
none
struc_member_renamed
lt_udm_renamed, frame_udm_renamed, local_types_changed
changing_struc_member
none
struc_member_changed
lt_udm_changed, frame_udm_changed, local_types_changed
changing_struc_cmt
none
struc_cmt_changed
local_types_changed
enum_created
local_types_changed
deleting_enum
none
enum_deleted
local_types_changed
renaming_enum
none
enum_renamed
local_types_changed
changing_enum_bf
local_types_changed
enum_bf_changed
local_types_changed
changing_enum_cmt
none
enum_cmt_changed
local_types_changed
enum_member_created
local_types_changed
deleting_enum_member
none
enum_member_deleted
local_types_changed
enum_width_changed
local_types_changed
enum_flag_changed
local_types_changed
enum_ordinal_changed
`none
Following is the list of error values returned by the type info module. It can also be found in typeinf.hpp in the IDASDK:
TERR_OK
0
ok
TERR_STABLE
1
it means no errors occurred but nothing has changed (this code is internal: should never be returned to caller) -*
TERR_SAVE_ERROR
-1
failed to save
TERR_SERIALIZE
-2
failed to serialize
TERR_BAD_NAME
-3
name is not acceptable
TERR_BAD_ARG
-4
bad argument
TERR_BAD_TYPE
-5
bad type
TERR_BAD_SIZE
-6
bad size
TERR_BAD_INDEX
-7
bad index
TERR_BAD_ARRAY
-8
arrays are forbidden as function arguments
TERR_BAD_BF
-9
bitfields are forbidden as function arguments
TERR_BAD_OFFSET
-10
bad member offset
TERR_BAD_UNIVAR
-11
unions cannot have variable sized members
TERR_BAD_VARLAST
-12
variable sized member must be the last member in the structure
TERR_OVERLAP
-13
the member overlaps with other members that cannot be deleted
TERR_BAD_SUBTYPE
-14
recursive structure nesting is forbidden
TERR_BAD_VALUE
-15
value is not acceptable
TERR_NO_BMASK
-16
bitmask is not found
TERR_BAD_BMASK
-17
Bad enum member mask. The specified mask should not intersect with any existing mask in the enum. Zero masks are prohibited too
TERR_BAD_MSKVAL
-18
bad bmask and value combination
TERR_BAD_REPR
-19
bad or incompatible field representation
TERR_GRP_NOEMPTY
-20
could not delete group mask for not empty group
TERR_DUPNAME
-21
duplicate name
TERR_UNION_BF
-22
unions cannot have bitfields
TERR_BAD_TAH
-23
bad bits in the type attributes (TAH bits)
TERR_BAD_BASE
-24
bad base class
TERR_BAD_GAP
-25
bad gap
TERR_NESTED
-26
recursive structure nesting is forbidden
TERR_NOT_COMPAT
-27
the new type is not compatible with the old type
TERR_BAD_LAYOUT
-28
failed to calculate the structure/union layout
TERR_BAD_GROUPS
-29
bad group sizes for bitmask enum
TERR_BAD_SERIAL
-30
enum value has too many serials
TERR_ALIEN_NAME
-31
enum member name is used in another enum
TERR_STOCK
-32
stock type info cannot be modified
TERR_ENUM_SIZE
-33
bad enum size
TERR_NOT_IMPL
-34
not implemented
TERR_TYPE_WORSE
-35
the new type is worse than the old type
TERR_BAD_FX_SIZE
-36
cannot extend struct beyond fixed size
This section gives examples of how to port some ida_struct and ida_enum functions using ida_typeinf.
The following code can be used as an example of how to replace ida_struct.del_struct_members.
The following code can be used as an example of how to replace ida_struct.get_member_by_fullname.
The following code can be used as an example of how to replace ida_struct.get_struc_qty.
The following code can be used as an example of how to replace ida_struct.is_special_member.
The following code can be used as an example of how to replace ida_struct.get_sptr.
Check the overview of all IDC functions with detailed descriptions.
see
til_t.numbered_types (see )
see
see
see
see
see
see
see
see
see
see
Alphabetical list of IDC functions
Debugger-related IDC functions
The following conventions are used in the function descriptions:
This collection of examples organizes all IDAPython sample code into categories for easy reference. Each example demonstrates practical implementation for the IDAPython API, complementing the reference documentation with a real-world usage scenario.
Navigate to File -> Script file....
In the new dialog, select the .py script you want to run and click Open.
Navigate to File -> Script command....
Paste the code into Please enter script body field and click Run.
In the output window/IDAPython console, type the following command: exec(open("path/to/your_script.py").read()) to execute the script.
Creating & manipulating user-interface widgets, prompting the user with forms, enriching existing widgets, or creating your own UI through Python Qt bindings.
Various ways to query, or modify the disassembly listing, alter the way analysis is performed, or be notified of changes made to the IDB.
Querying the decompiler, manipulating the decompilation trees (either at the microcode level, or the C-tree), and examples showing how to intervene in the decompilation output.
Driving debugging sessions, be notified of debugging events.
These samples utilize our Type APIs, which allow you to manage the types and perform various operations on them, like creating the structures or enums and adding their members programmatically.
Miscellaneous examples that don't quite fall into another category, but don't really justify one of their own.
Beginner
Intermediate
Advanced
Beginner
Intermediate
Advanced
Beginner
Intermediate
Advanced
Beginner
Intermediate
Advanced
Beginner
Intermediate
Advanced
Beginner
Intermediate
Advanced
ida_kernwin.add_hotkey is a simpler, but much less flexible alternative to ida_kernwin.register_action (though it does use the same mechanism under the hood.)
It's particularly useful during prototyping, but note that the actions that are created cannot be inserted in menus, toolbars or cannot provide a custom ida_kernwin.action_handler_t.update callback.
actions
Beginner
APIs Used:
ida_kernwin.add_hotkey
ida_kernwin.del_hotkey
It is possible to add custom menus to IDA, either at the toplevel (i.e., into the menubar), or as submenus of existing menus.
Notes:
the same action can be present in more than 1 menu
this example does not deal with context menus
actions
Beginner
APIs Used:
ida_kernwin.AST_ENABLE_ALWAYS
ida_kernwin.SETMENU_INS
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_menu
ida_kernwin.create_menu
ida_kernwin.register_action
This illustrates the setting/retrieval of background colours using the IDC wrappers
In order to do so, we'll be assigning colors to specific ranges (item, function, or segment). Those will be persisted in the database.
coloring idc
Beginner
APIs Used:
idc.CIC_FUNC
idc.CIC_ITEM
idc.CIC_SEGM
idc.get_color
idc.here
idc.set_color
Color the function in the Function window according to its size. The larger the function, the darker the color.
The key, is overriding ida_kernwin.UI_Hooks.get_chooser_item_attrs
UI_Hooks
Beginner
APIs Used:
ida_funcs.get_func
ida_kernwin.UI_Hooks
ida_kernwin.enable_chooser_item_attrs
Using ida_kernwin.PluginForm.FormToPyQtWidget, this script converts IDA's own dockable widget into a type that is recognized by PyQt5, which then enables populating it with regular Qt widgets.
Beginner
APIs Used:
ida_kernwin.PluginForm
Using ida_kernwin.UI_Hooks.preprocess_action, it is possible to respond to a command instead of the action that would otherwise do it.
UI_Hooks
Beginner
APIs Used:
ida_kernwin.UI_Hooks
Register (possibly repeating) timers.
Beginner
APIs Used:
ida_kernwin.register_timer
Using the progress dialog (aka 'wait box') primitives.
actions
Beginner
APIs Used:
ida_hexrays.decompile
ida_kernwin.hide_wait_box
ida_kernwin.replace_wait_box
ida_kernwin.show_wait_box
ida_kernwin.user_cancelled
idautils.Functions
How to create user actions, that once created can be inserted in menus, toolbars, context menus, ...
Those actions, when triggered, will be passed a 'context' that contains some of the most frequently needed bits of information.
In addition, custom actions can determine when they want to be available (through their ida_kernwin.action_handler_t.update callback)
actions ctxmenu UI_Hooks
Intermediate
APIs Used:
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_DISASM
ida_kernwin.SETMENU_APP
ida_kernwin.UI_Hooks
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_menu
ida_kernwin.attach_action_to_popup
ida_kernwin.attach_action_to_toolbar
ida_kernwin.get_widget_type
ida_kernwin.load_custom_icon
ida_kernwin.register_action
ida_kernwin.unregister_action
Shows how to subclass the ida_kernwin.Choose class to show data organized in a simple table. In addition, registers a couple actions that can be applied to it.
actions chooser ctxmenu
Intermediate
APIs Used:
Choose
Choose.ALL_CHANGED
Choose.CH_CAN_DEL
Choose.CH_CAN_EDIT
Choose.CH_CAN_INS
Choose.CH_CAN_REFRESH
Choose.CH_RESTORE
Choose.NOTHING_CHANGED
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_popup
ida_kernwin.is_chooser_widget
ida_kernwin.register_action
ida_kernwin.unregister_action
Similar to choose, but with multiple selection
actions chooser
Intermediate
APIs Used:
Choose
Choose.ALL_CHANGED
Choose.CHCOL_HEX
Choose.CH_MULTI
Choose.NOTHING_CHANGED
How to create simple listings, that will share many of the features as the built-in IDA widgets (highlighting, copy & paste, notifications, ...)
In addition, creates actions that will be bound to the freshly-created widget (using ida_kernwin.attach_action_to_popup.)
actions ctxmenu listing
Intermediate
APIs Used:
ida_kernwin.AST_ENABLE_ALWAYS
ida_kernwin.IK_DELETE
ida_kernwin.IK_ESCAPE
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.ask_long
ida_kernwin.ask_str
ida_kernwin.attach_action_to_popup
ida_kernwin.register_action
ida_kernwin.simplecustviewer_t
ida_kernwin.simplecustviewer_t.Create
ida_kernwin.simplecustviewer_t.Show
ida_kernwin.unregister_action
ida_lines.COLOR_DEFAULT
ida_lines.COLOR_DNAME
ida_lines.COLSTR
ida_lines.SCOLOR_PREFIX
ida_lines.SCOLOR_VOIDOP
Partially re-implements the "Functions" widget present in IDA, with a custom widget.
chooser functions
Intermediate
APIs Used:
ida_funcs.get_func_name
ida_kernwin.Choose
ida_kernwin.Choose.ALL_CHANGED
ida_kernwin.Choose.CHCOL_FNAME
ida_kernwin.Choose.CHCOL_HEX
ida_kernwin.Choose.CHCOL_PLAIN
ida_kernwin.get_icon_id_by_name
idautils.Functions
idc.del_func
We want our action not only to find the next line containing a comment, but to also place the cursor at the right horizontal position.
To find that position, we will have to inspect the text that IDA generates, looking for the start of a comment. However, we won't be looking for a comment "prefix" (e.g., "; "), as that would be too fragile.
Instead, we will look for special "tags" that IDA injects into textual lines, and that bear semantic information.
Those tags are primarily used for rendering (i.e., switching colors), but can also be very handy for spotting tokens of interest (registers, addresses, comments, prefixes, instruction mnemonics, ...)
actions idaview
Intermediate
APIs Used:
ida_bytes.next_head
ida_idaapi.BADADDR
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_DISASM
ida_kernwin.CVNF_LAZY
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.custom_viewer_jump
ida_kernwin.get_custom_viewer_location
ida_kernwin.place_t_as_idaplace_t
ida_kernwin.register_action
ida_kernwin.unregister_action
ida_lines.SCOLOR_AUTOCMT
ida_lines.SCOLOR_ON
ida_lines.SCOLOR_REGCMT
ida_lines.SCOLOR_RPTCMT
ida_lines.generate_disassembly
ida_lines.tag_strlen
ida_moves.lochist_entry_t
Shows how one can dynamically alter the lines background rendering (as opposed to, say, using ida_nalt.set_item_color()), and also shows how that rendering can be limited to just a few glyphs, not the whole line.
UI_Hooks
Intermediate
APIs Used:
ida_bytes.next_head
ida_idaapi.BADADDR
ida_kernwin.CK_EXTRA1
ida_kernwin.CK_EXTRA10
ida_kernwin.CK_EXTRA11
ida_kernwin.CK_EXTRA12
ida_kernwin.CK_EXTRA13
ida_kernwin.CK_EXTRA14
ida_kernwin.CK_EXTRA15
ida_kernwin.CK_EXTRA16
ida_kernwin.CK_EXTRA2
ida_kernwin.CK_EXTRA3
ida_kernwin.CK_EXTRA4
ida_kernwin.CK_EXTRA5
ida_kernwin.CK_EXTRA6
ida_kernwin.CK_EXTRA7
ida_kernwin.CK_EXTRA8
ida_kernwin.CK_EXTRA9
ida_kernwin.CK_TRACE
ida_kernwin.CK_TRACE_OVL
ida_kernwin.LROEF_CPS_RANGE
ida_kernwin.UI_Hooks
ida_kernwin.get_screen_ea
ida_kernwin.line_rendering_output_entry_t
ida_kernwin.refresh_idaview_anyway
Hooks to be notified about certain UI events, and dump their information to the "Output" window
UI_Hooks
Intermediate
APIs Used:
ida_kernwin.UI_Hooks
Using an "event filter", we will intercept paint events targeted at the navigation band widget, let it paint itself, and then add our own markers on top.
Intermediate
APIs Used:
ida_kernwin.PluginForm.FormToPyQtWidget
ida_kernwin.get_navband_pixel
ida_kernwin.open_navband_window
ida_segment.get_segm_qty
ida_segment.getnseg
idc.here
Shows how it is possible re-implement IDA's bookmark capability, using 2 custom actions: one action saves the current location, and the other restores it.
Note that, contrary to actual bookmarks, this example:
remembers only 1 saved position
doesn't save that position in the IDB (and therefore cannot be restored if IDA is closed & reopened.)
actions listing
Intermediate
APIs Used:
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_CUSTVIEW
ida_kernwin.BWN_DISASM
ida_kernwin.BWN_PSEUDOCODE
ida_kernwin.BWN_TILVIEW
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.custom_viewer_jump
ida_kernwin.find_widget
ida_kernwin.get_custom_viewer_location
ida_kernwin.register_action
ida_kernwin.unregister_action
ida_moves.lochist_entry_t
In IDA it's possible to write actions that can be applied even to core (i.e., "standard") widgets. The actions in this example use the action "context" to know what the current selection is.
This example shows how you can either retrieve string literals data directly from the chooser (ida_kernwin.get_chooser_data), or by querying the IDB (ida_bytes.get_strlit_contents)
actions ctxmenu
Intermediate
APIs Used:
ida_bytes.get_strlit_contents
ida_idaapi.BADADDR
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_STRINGS
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_popup
ida_kernwin.find_widget
ida_kernwin.get_chooser_data
ida_kernwin.open_strings_window
ida_kernwin.register_action
ida_kernwin.unregister_action
ida_strlist.get_strlist_item
ida_strlist.string_info_t
Since it is possible to be notified of movements that happen take place in a widget, it's possible to "replay" those movements in another.
In this case, "IDA View-B" (will be opened if necessary) will show the same contents as "IDA View-A", slightly zoomed out.
graph idaview
Intermediate
APIs Used:
ida_graph.GLICTL_CENTER
ida_graph.viewer_fit_window
ida_graph.viewer_get_gli
ida_graph.viewer_set_gli
ida_kernwin.DP_RIGHT
ida_kernwin.IDAViewWrapper
ida_kernwin.MFF_FAST
ida_kernwin.TCCRT_GRAPH
ida_kernwin.execute_sync
ida_kernwin.find_widget
ida_kernwin.get_custom_viewer_place
ida_kernwin.jumpto
ida_kernwin.open_disasm_window
ida_kernwin.set_dock_pos
ida_kernwin.set_view_renderer_type
ida_moves.graph_location_info_t
It's possible to invoke any action programmatically, by using either of those two:
ida_kernwin.execute_ui_requests()
ida_kernwin.process_ui_action()
Ideally, this script should be run through the "File > Script file..." menu, so as to keep focus on "IDA View-A" and have the 'ProcessUiActions' part work as intended.
actions
Intermediate
APIs Used:
ida_kernwin.ask_yn
ida_kernwin.execute_ui_requests
ida_kernwin.msg
ida_kernwin.process_ui_action
How to query for complex user input, using IDA's built-in forms.
Note: while this example produces full-fledged forms for complex input, simpler types of inputs might can be retrieved by using ida_kernwin.ask_str and similar functions.
forms
Advanced
APIs Used:
ida_kernwin.Choose
ida_kernwin.Choose.CH_MULTI
ida_kernwin.Form
ida_kernwin.PluginForm.FORM_TAB
ida_kernwin.ask_str
This is an example demonstrating how one can create widgets from a plugin, and have them re-created automatically at IDA startup-time or at desktop load-time.
This example should be placed in the 'plugins' directory of the IDA installation, for it to work.
There are 2 ways to use this example:
reloading an IDB, where the widget was opened
open the widget ('View > Open subview > ...')
save this IDB, and close IDA
restart IDA with this IDB => the widget will be visible
reloading a desktop, where the widget was opened
open the widget ('View > Open subview > ...')
save the desktop ('Windows > Save desktop...') under, say, the name 'with_auto'
start another IDA instance with some IDB, and load that desktop => the widget will be visible
desktop plugin UI_Hooks
Advanced
APIs Used:
ida_idaapi.plugin_t
ida_kernwin.AST_ENABLE_ALWAYS
ida_kernwin.SETMENU_APP
ida_kernwin.UI_Hooks
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_menu
ida_kernwin.find_widget
ida_kernwin.register_action
ida_kernwin.simplecustviewer_t
ida_kernwin.simplecustviewer_t.Create
By adding the necessary bits to a ida_kernwin.Choose subclass, IDA can show the otherwise tabular data, in a tree-like fashion.
The important bits to enable this are:
ida_dirtree.dirspec_t (and my_dirspec_t)
ida_kernwin.CH_HAS_DIRTREE
ida_kernwin.Choose.OnGetDirTree
ida_kernwin.Choose.OnIndexToInode
actions chooser folders
Advanced
APIs Used:
ida_dirtree.DTE_OK
ida_dirtree.direntry_t
ida_dirtree.direntry_t.BADIDX
ida_dirtree.dirspec_t
ida_dirtree.dirtree_t
ida_dirtree.dirtree_t.isdir
ida_kernwin.CH_CAN_DEL
ida_kernwin.CH_CAN_EDIT
ida_kernwin.CH_CAN_INS
ida_kernwin.CH_HAS_DIRTREE
ida_kernwin.CH_MULTI
ida_kernwin.Choose
ida_kernwin.Choose.ALL_CHANGED
ida_kernwin.Choose.CHCOL_DRAGHINT
ida_kernwin.Choose.CHCOL_INODENAME
ida_kernwin.Choose.CHCOL_PLAIN
ida_kernwin.ask_str
ida_netnode.BADNODE
ida_netnode.netnode
This builds upon the ida_kernwin.UI_Hooks.get_lines_rendering_info feature, to provide a quick & easy way to colorize disassembly lines.
Contrary to @colorize_disassembly, the coloring is not persisted in the database, and will therefore be lost after the session.
By triggering the action multiple times, the user can "carousel" across 4 predefined colors (and return to the "no color" state.)
coloring UI_Hooks
Advanced
APIs Used:
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.CK_EXTRA5
ida_kernwin.CK_EXTRA6
ida_kernwin.CK_EXTRA7
ida_kernwin.CK_EXTRA8
ida_kernwin.UI_Hooks
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.get_current_viewer
ida_kernwin.get_custom_viewer_location
ida_kernwin.get_custom_viewer_place_xcoord
ida_kernwin.get_widget_title
ida_kernwin.line_rendering_output_entry_t
ida_kernwin.register_action
ida_moves.lochist_entry_t
Illustrates how one can add command-line interpreters to IDA
This custom interpreter doesn't actually run any code; it's there as a 'getting started'. It provides an example tab completion support.
Advanced
APIs Used:
ida_idaapi.NW_CLOSEIDB
ida_idaapi.NW_OPENIDB
ida_idaapi.NW_REMOVE
ida_idaapi.NW_TERMIDA
ida_idaapi.notify_when
ida_kernwin.cli_t
Showing custom graphs, using ida_graph.GraphViewer. In addition, show how to write actions that can be performed on those.
actions graph View_Hooks
Advanced
APIs Used:
ida_funcs.get_func
ida_funcs.get_func_name
ida_graph.GraphViewer
ida_graph.get_graph_viewer
ida_graph.screen_graph_selection_t
ida_graph.viewer_get_selection
ida_idp.is_call_insn
ida_kernwin.AST_ENABLE_ALWAYS
ida_kernwin.View_Hooks
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_dynamic_action_to_popup
ida_kernwin.get_screen_ea
ida_ua.decode_insn
ida_ua.insn_t
ida_xref.XREF_FAR
ida_xref.xrefblk_t
Shows how to retrieve the selection from a listing widget ("IDA View-A", "Hex View-1", "Pseudocode-A", ...) as two "cursors", and from there retrieve (in fact, generate) the corresponding text.
After running this script:
select some text in one of the listing widgets (i.e., "IDA View-...", "Local Types", "Pseudocode-...")
press Ctrl+Shift+S to dump the selection
Advanced
APIs Used:
ida_kernwin.ACF_HAS_SELECTION
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_DISASM
ida_kernwin.BWN_PSEUDOCODE
ida_kernwin.BWN_TILVIEW
ida_kernwin.IWID_ANY_LISTING
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.get_last_widget
ida_kernwin.get_viewer_user_data
ida_kernwin.l_compare2
ida_kernwin.linearray_t
ida_kernwin.read_selection
ida_kernwin.register_action
ida_kernwin.twinpos_t
ida_kernwin.unregister_action
ida_lines.tag_remove
This example illustrates how one can execute commands in the "Output" window, from their own widgets.
A few notes:
the original, underlying cli:Execute action, that has to be triggered for the code present in the input field to execute and be placed in the history, requires that the input field has focus (otherwise it simply won't do anything.)
this, in turn, forces us to do "delayed" execution of that action, hence the need for a QTimer
the IDA/SWiG 'TWidget' type that we retrieve through ida_kernwin.find_widget, is not the same type as a QtWidgets.QWidget. We therefore need to convert it using ida_kernwin.PluginForm.TWidgetToPyQtWidget
Advanced
APIs Used:
ida_kernwin.PluginForm.TWidgetToPyQtWidget
ida_kernwin.disabled_script_timeout_t
ida_kernwin.find_widget
ida_kernwin.process_ui_action
Brings lazy-loading of folders to the tree-like tabular views.
The important bit to enable this are:
ida_kernwin.Choose.OnLazyLoadDir
actions chooser folders
Advanced
This sample registers an action enabling painting of a recognizable string of text over horizontal nodes edge sections beyond a satisfying size threshold.
In a disassembly view, open the context menu and select "Paint on edges". This should work for both graph disassembly, and proximity browser.
Using an "event filter", we will intercept paint events targeted at the disassembly view, let it paint itself, and then add our own markers along.
ctxmenu UI_Hooks
Advanced
APIs Used:
ida_gdl.edge_t
ida_graph.get_graph_viewer
ida_graph.get_viewer_graph
ida_graph.point_t
ida_graph.viewer_get_gli
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_DISASM
ida_kernwin.PluginForm.FormToPyQtWidget
ida_kernwin.UI_Hooks
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_popup
ida_kernwin.get_widget_type
ida_kernwin.register_action
ida_moves.graph_location_info_t
This is an example illustrating how to manipulate an existing IDA-provided view (and thus possibly its graph), in Python.
graph idaview
Advanced
APIs Used:
ida_graph.NIF_BG_COLOR
ida_graph.NIF_FRAME_COLOR
ida_graph.node_info_t
ida_kernwin.IDAViewWrapper
ida_kernwin.MFF_FAST
ida_kernwin.TCCRT_FLAT
ida_kernwin.TCCRT_GRAPH
ida_kernwin.execute_sync
Dumps the current function's flowchart, using 2 methods:
the low-level ida_gdl.qflow_chart_t type
the somewhat higher-level, and slightly more pythonic ida_gdl.FlowChart type.
Beginner
APIs Used:
ida_funcs.get_func
ida_gdl.FlowChart
ida_gdl.qflow_chart_t
ida_kernwin.get_screen_ea
By default, disassembly line prefixes contain segment + address information (e.g., '.text:08047718'), but it is possible to "inject" other bits of information in there, thanks to the ida_lines.user_defined_prefix_t helper type.
plugin
Beginner
APIs Used:
ida_idaapi.PLUGIN_KEEP
ida_idaapi.plugin_t
ida_lines.SCOLOR_INV
ida_lines.user_defined_prefix_t
Using the API to enumerate file imports.
Beginner
APIs Used:
ida_nalt.enum_import_names
ida_nalt.get_import_module_name
ida_nalt.get_import_module_qty
Using the API to iterate over all the places in the file, that were patched using IDA.
Beginner
APIs Used:
ida_bytes.visit_patched_bytes
ida_idaapi.BADADDR
Using the API to list all problems that IDA encountered during analysis.
Beginner
APIs Used:
ida_ida.inf_get_min_ea
ida_idaapi.BADADDR
ida_problems.PR_ATTN
ida_problems.PR_BADSTACK
ida_problems.PR_COLLISION
ida_problems.PR_DECIMP
ida_problems.PR_DISASM
ida_problems.PR_FINAL
ida_problems.PR_HEAD
ida_problems.PR_ILLADDR
ida_problems.PR_JUMP
ida_problems.PR_MANYLINES
ida_problems.PR_NOBASE
ida_problems.PR_NOCMT
ida_problems.PR_NOFOP
ida_problems.PR_NONAME
ida_problems.PR_NOXREFS
ida_problems.PR_ROLLED
ida_problems.get_problem
ida_problems.get_problem_name
List all the functions in the current segment, as well as all the cross-references to them.
xrefs
Beginner
APIs Used:
ida_funcs.get_func
ida_funcs.get_func_name
ida_funcs.get_next_func
ida_kernwin.get_screen_ea
ida_segment.getseg
ida_xref.xrefblk_t
List all the functions in the current segment, as well as all the cross-references to them.
Contrary to @list_segment_functions, this uses the somewhat higher-level idautils module.
xrefs
Beginner
APIs Used:
ida_funcs.get_func_name
ida_idaapi.BADADDR
ida_kernwin.get_screen_ea
ida_segment.getseg
idautils.CodeRefsTo
idautils.Functions
This uses idautils.Strings to iterate over the string literals that are present in the IDB. Contrary to @show_selected_strings, this will not require that the "Strings" window is opened & available.
Beginner
APIs Used:
ida_nalt.STRTYPE_C
ida_nalt.STRTYPE_C_16
idautils.Strings
Automate IDA to perform auto-analysis on a file and, once that is done, produce a .lst file with the disassembly.
Run like so:
where:
-A instructs IDA to run in non-interactive mode
-S holds a path to the script to run (note this is a single token; there is no space between '-S' and its path.)
Beginner
APIs Used:
ida_auto.auto_wait
ida_fpro.qfile_t
ida_ida.inf_get_max_ea
ida_ida.inf_get_min_ea
ida_loader.OFILE_LST
ida_loader.PATH_TYPE_IDB
ida_loader.gen_file
ida_loader.get_path
ida_pro.qexit
Implements disassembly of BUG_INSTR used in Linux kernel BUG() macro, which is architecturally undefined and is not disassembled by IDA's ARM module
See Linux/arch/arm/include/asm/bug.h for more info
IDP_Hooks
Intermediate
APIs Used:
ida_bytes.get_wide_dword
ida_bytes.get_wide_word
ida_idp.CUSTOM_INSN_ITYPE
ida_idp.IDP_Hooks
ida_idp.PLFM_ARM
ida_idp.ph.id
ida_idp.str2reg
ida_segregs.get_sreg
We add support for assembling the following pseudo instructions:
"zero eax" -> xor eax, eax
"nothing" -> nop
IDP_Hooks
Intermediate
APIs Used:
ida_idp.IDP_Hooks
idautils.DecodeInstruction
Use the ida_lines.get_extra_cmt API to retrieve anterior and posterior extra comments.
This script registers two actions, that can be used to dump the previous and next extra comments.
ctxmenu
Intermediate
APIs Used:
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_DISASM
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_popup
ida_kernwin.find_widget
ida_kernwin.get_screen_ea
ida_kernwin.register_action
ida_kernwin.unregister_action
ida_lines.E_NEXT
ida_lines.E_PREV
ida_lines.get_extra_cmt
ida_view
Dump some of the most interesting bits of information about the function we are currently looking at.
Intermediate
APIs Used:
ida_funcs.FUNC_FRAME
ida_funcs.FUNC_LUMINA
ida_funcs.FUNC_OUTLINE
ida_funcs.FUNC_THUNK
ida_funcs.get_fchunk
ida_funcs.is_func_entry
ida_funcs.is_func_tail
ida_kernwin.get_screen_ea
IDAPython's ida_bytes.find_string can be used to implement a simple replacement for the 'Search > Sequence of bytes...' dialog, that lets users search for sequences of bytes that compose string literals in the binary file (either in the default 1-byte-per-char encoding, or as UTF-16.)
Intermediate
APIs Used:
ida_bytes.BIN_SEARCH_FORWARD
ida_bytes.BIN_SEARCH_NOBREAK
ida_bytes.BIN_SEARCH_NOSHOW
ida_bytes.find_string
ida_ida.inf_get_max_ea
ida_idaapi.BADADDR
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_DISASM
ida_kernwin.Form
ida_kernwin.Form.ChkGroupControl
ida_kernwin.Form.StringInput
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.get_screen_ea
ida_kernwin.jumpto
ida_kernwin.register_action
ida_nalt.BPU_1B
ida_nalt.BPU_2B
ida_nalt.get_default_encoding_idx
The goal of this script is to demonstrate some usage of the type API. In this script, we will create an IDB hook that intercepts ti_changed IDB events, and if it is a function prototype that changed, print it.
IDB_Hooks
Intermediate
APIs Used:
ida_funcs.get_func_name
ida_idp.IDB_Hooks
ida_typeinf.tinfo_t
This sample shows how to programmatically access the list of bookmarks placed in a listing widget (e.g., "IDA View-A", "Pseudocode-", …) using the low-level ida_moves.bookmarks_t type.
bookmarks
Intermediate
APIs Used:
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.get_current_viewer
ida_kernwin.get_viewer_user_data
ida_kernwin.get_widget_title
ida_kernwin.register_action
ida_moves.bookmarks_t
This demonstrates how to use some of the iterators available on the func_t type.
This example will focus on:
func_t[.__iter__]: the default iterator; iterates on instructions
func_t.data_items: iterate on data items contained within a function
func_t.head_items: iterate on 'heads' (i.e., addresses containing the start of an instruction, or a data item.
func_t.addresses: iterate on all addresses within function (code and data, beginning of an item or not)
Type help(ida_funcs.func_t) for a full list of iterators.
In addition, one can use:
func_tail_iterator_t: iterate on all the chunks (including the main one) of the function
func_parent_iterator_t: iterate on all the parent functions, that include this chunk
funcs iterator
Intermediate
APIs Used:
ida_bytes.get_flags
ida_bytes.is_code
ida_bytes.is_data
ida_bytes.is_tail
ida_bytes.is_unknown
ida_funcs.func_tail_iterator_t
ida_funcs.get_fchunk
ida_funcs.get_func
ida_funcs.get_func_name
ida_kernwin.get_screen_ea
ida_ua.print_insn_mnem
These hooks will be notified about IDB events, and dump their information to the "Output" window
IDB_Hooks
Intermediate
APIs Used:
ida_idp.IDB_Hooks
These hooks will be notified about IDP events, and dump their information to the "Output" window
IDP_Hooks
Intermediate
APIs Used:
ida_idp.IDP_Hooks
This is a sample script, that will record (in memory) all changes in functions prototypes, in order to re-apply them later.
To use this script:
open an IDB (say, "test.idb")
modify some functions prototypes (e.g., by triggering the 'Y' shortcut when the cursor is placed on the first address of a function)
reload that IDB, without saving it first
call rpc.replay(), to re-apply the modifications.
Note: 'ti_changed' is also called for changes to the function frames, but we'll only record function prototypes changes.
IDB_Hooks
Intermediate
APIs Used:
ida_funcs.get_func
ida_idp.IDB_Hooks
ida_typeinf.PRTYPE_1LINE
ida_typeinf.TINFO_DEFINITE
ida_typeinf.apply_tinfo
ida_typeinf.get_idati
ida_typeinf.tinfo_t
The goal of this script is to demonstrate some usage of the type API. In this script, we show a way to add a new frame member (a pointer to an uint64) inside a wide enough gap in the frame:
Get the function object surrounding cursor location.
Use this function to retrieve the corresponding frame object.
Find a wide enough gap to create our new member.
If found, we use cal_frame_offset() to get the actual offset in the frame structure.
Use the previous result to add the new member.
Advanced
APIs Used:
ida_frame.add_frame_member
ida_frame.calc_frame_offset
ida_frame.get_func_frame
ida_funcs.get_func
ida_range.rangeset_t
ida_typeinf.BTF_UINT64
ida_typeinf.tinfo_t
idc.here
IDA can be extended to support certain data types that it does not know about out-of-the-box.
A 'custom data type' provide information about the type & size of a piece of data, while a 'custom data format' is in charge of formatting that data (there can be more than one format for a specific 'custom data type'.)
Advanced
APIs Used:
ida_bytes.data_format_t
ida_bytes.data_type_t
ida_bytes.find_custom_data_type
ida_bytes.get_byte
ida_bytes.register_data_types_and_formats
ida_bytes.unregister_data_types_and_formats
ida_idaapi.NW_CLOSEIDB
ida_idaapi.NW_OPENIDB
ida_idaapi.NW_REMOVE
ida_idaapi.NW_TERMIDA
ida_idaapi.notify_when
ida_idaapi.struct_unpack
ida_lines.COLSTR
ida_lines.SCOLOR_IMPNAME
ida_lines.SCOLOR_INSN
ida_lines.SCOLOR_NUMBER
ida_lines.SCOLOR_REG
ida_nalt.get_input_file_path
ida_netnode.netnode
ida_typeinf.tinfo_t
It is possible to assign, to instruction operands, the notion of "structure offset", which really is a pointer to a specific offset in a type, leading to a possible N-deep path within types.
E.g., assuming the following types
and assuming an instruction that initially looks like this:
by pressing t, the user will be able set the "structure offset" to either:
c.trail
b.c_instance.quux
a.b_inscance.c_instance.baz
Here's why IDA offers a.b_inscance.c_instance.baz:
This sample shows how to programmatically retrieve information about that "structure member path" that an operand was made pointing to.
bookmarks
Advanced
APIs Used:
ida_bytes.get_full_flags
ida_bytes.get_stroff_path
ida_bytes.is_stroff
ida_typeinf.get_tid_name
ida_typeinf.tinfo_t
ida_ua.decode_insn
ida_ua.insn_t
ida_ua.o_imm
ida_ua.o_void
Show notifications whenever the user changes an instruction's operand, or a data item.
IDB_Hooks
Advanced
APIs Used:
ida_bytes.ALOPT_IGNCLT
ida_bytes.ALOPT_IGNHEADS
ida_bytes.get_flags
ida_bytes.get_max_strlit_length
ida_bytes.get_opinfo
ida_bytes.get_strlit_contents
ida_bytes.is_custfmt
ida_bytes.is_custom
ida_bytes.is_enum
ida_bytes.is_off
ida_bytes.is_strlit
ida_bytes.is_stroff
ida_bytes.is_struct
ida_idp.IDB_Hooks
ida_nalt.STRENC_DEFAULT
ida_nalt.get_default_encoding_idx
ida_nalt.get_encoding_name
ida_nalt.get_str_encoding_idx
ida_nalt.get_strtype_bpu
ida_nalt.opinfo_t
ida_typeinf.get_tid_name
ida_typeinf.tinfo_t
Automate IDA to perform auto-analysis on a file and, once that is done, produce a .c file containing the decompilation of all the functions in that file.
Run like so:
where:
-A instructs IDA to run in non-interactive mode
-S holds a path to the script to run (note this is a single token; there is no space between '-S' and its path.)
Beginner
APIs Used:
ida_auto.auto_wait
ida_hexrays.VDRUN_MAYSTOP
ida_hexrays.VDRUN_NEWFILE
ida_hexrays.VDRUN_SILENT
ida_hexrays.decompile_many
ida_loader.PATH_TYPE_IDB
ida_loader.get_path
ida_pro.qexit
Decompile the function under the cursor
Beginner
APIs Used:
ida_funcs.get_func
ida_hexrays.decompile
ida_hexrays.get_hexrays_version
ida_hexrays.init_hexrays_plugin
ida_kernwin.get_screen_ea
ida_lines.tag_remove
Generates microcode for selection and dumps it to the output window.
Beginner
APIs Used:
ida_bytes.get_flags
ida_bytes.is_code
ida_hexrays.DECOMP_WARNINGS
ida_hexrays.gen_microcode
ida_hexrays.hexrays_failure_t
ida_hexrays.init_hexrays_plugin
ida_hexrays.mba_ranges_t
ida_hexrays.vd_printer_t
ida_kernwin.read_range_selection
ida_kernwin.warning
ida_range.range_t
Using a ida_hexrays.ctree_visitor_t, search for ida_hexrays.cit_block instances and dump them.
Hexrays_Hooks
Beginner
APIs Used:
ida_hexrays.CMAT_BUILT
ida_hexrays.CV_FAST
ida_hexrays.Hexrays_Hooks
ida_hexrays.cit_block
ida_hexrays.ctree_visitor_t
ida_hexrays.init_hexrays_plugin
Handle ida_hexrays.hxe_create_hint notification using hooks, to return our own.
If the object under the cursor is:
a function call, prefix the original decompiler hint with ==>
a local variable declaration, replace the hint with our own in the form of !{varname} (where {varname} is replaced with the variable name)
an if statement, replace the hint with our own, saying "condition"
Hexrays_Hooks
Beginner
APIs Used:
ida_hexrays.Hexrays_Hooks
ida_hexrays.USE_MOUSE
ida_hexrays.VDI_EXPR
ida_hexrays.VDI_LVAR
ida_hexrays.cit_if
ida_hexrays.cot_call
Provides an action that can be used to dynamically alter the lines background rendering for pseudocode listings (as opposed to using ida_hexrays.cfunc_t.pseudocode[N].bgcolor)
After running this script, pressing 'M' on a line in a "Pseudocode-?" widget, will cause that line to be rendered with a special background color.
colors UI_Hooks
Intermediate
APIs Used:
ida_hexrays.get_widget_vdui
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_PSEUDOCODE
ida_kernwin.CK_EXTRA11
ida_kernwin.UI_Hooks
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.get_custom_viewer_location
ida_kernwin.line_rendering_output_entry_t
ida_kernwin.refresh_custom_viewer
ida_kernwin.register_action
ida_moves.lochist_entry_t
Attempts to load a decompiler plugin corresponding to the current architecture right after auto-analysis is performed, and then tries to decompile the function at the first entrypoint.
It is particularly suited for use with the '-S' flag, for example: idat -Ldecompile.log -Sdecompile_entry_points.py -c file
Intermediate
APIs Used:
ida_auto.auto_wait
ida_entry.get_entry
ida_entry.get_entry_ordinal
ida_entry.get_entry_qty
ida_hexrays.decompile
ida_hexrays.init_hexrays_plugin
ida_idp.PLFM_386
ida_idp.PLFM_ARM
ida_idp.PLFM_MIPS
ida_idp.PLFM_PPC
ida_idp.PLFM_RISCV
ida_idp.ph.id
ida_kernwin.cvar.batch
ida_kernwin.msg
ida_loader.load_plugin
ida_pro.qexit
idc.get_idb_path
Installs a custom microcode instruction optimization rule, to transform:
into
To see this plugin in action please use arm64_brk.i64
plugin
Intermediate
APIs Used:
ida_bytes.get_cmt
ida_hexrays.init_hexrays_plugin
ida_hexrays.mop_str
ida_hexrays.optinsn_t
ida_idaapi.PLUGIN_HIDE
ida_idaapi.PLUGIN_KEEP
ida_idaapi.plugin_t
ida_typeinf.STI_PCCHAR
ida_typeinf.tinfo_t.get_stock
This plugin can greatly improve decompilation of indirect calls:
For them, the decompiler has to guess the prototype of the called function. This has to be done at a very early phase of decompilation because the function prototype influences the data flow analysis. On the other hand, we do not have global data flow analysis results yet because we haven't analyzed all calls in the function. It is a chicked-and-egg problem.
The decompiler uses various techniques to guess the called function prototype. While it works very well, it may fail in some cases.
To fix, the user can specify the call prototype manually, using "Edit, Operand types, Set operand type" at the call instruction.
This plugin illustrates another approach to the problem: if you happen to be able to calculate the call prototypes dynamically, this is how to inform the decompiler about them.
Hexrays_Hooks plugin
Intermediate
APIs Used:
ida_hexrays.Hexrays_Hooks
ida_hexrays.init_hexrays_plugin
ida_hexrays.m_call
ida_hexrays.mcallinfo_t
ida_idaapi.PLUGIN_HIDE
ida_idaapi.PLUGIN_KEEP
ida_idaapi.plugin_t
ida_kernwin.msg
ida_kernwin.warning
ida_nalt.get_op_tinfo
ida_typeinf.BT_INT
ida_typeinf.CM_CC_STDCALL
ida_typeinf.CM_N32_F48
ida_typeinf.parse_decl
ida_typeinf.tinfo_t
Prints user-defined information to the "Output" window. Namely:
user defined label names
user defined indented comments
user defined number formats
user defined local variable names, types, comments
This script loads information from the database without decompiling anything.
Intermediate
APIs Used:
ida_bytes.get_radix
ida_funcs.get_func
ida_hexrays.CIT_COLLAPSED
ida_hexrays.NF_NEGATE
ida_hexrays.init_hexrays_plugin
ida_hexrays.lvar_uservec_t
ida_hexrays.restore_user_cmts
ida_hexrays.restore_user_iflags
ida_hexrays.restore_user_labels
ida_hexrays.restore_user_lvar_settings
ida_hexrays.restore_user_numforms
ida_hexrays.user_cmts_free
ida_hexrays.user_iflags_free
ida_hexrays.user_labels_free
ida_hexrays.user_numforms_free
ida_kernwin.get_screen_ea
Modifies the decompilation output in a superficial manner, by removing some white spaces
Note: this is rather crude, not quite "pythonic" code.
Hexrays_Hooks plugin
Intermediate
APIs Used:
ida_hexrays.Hexrays_Hooks
ida_hexrays.init_hexrays_plugin
ida_idaapi.PLUGIN_HIDE
ida_idaapi.PLUGIN_KEEP
ida_idaapi.plugin_t
ida_lines.tag_advance
ida_lines.tag_skipcodes
Registers an action that uses a ida_hexrays.udc_filter_t to decompile svc 0x900001 and svc 0x9000F8 as function calls to svc_exit() and svc_exit_group() respectively.
You will need to have an ARM + Linux IDB for this script to be usable
In addition to having a shortcut, the action will be present in the context menu.
ctxmenu UI_Hooks
Intermediate
APIs Used:
ida_allins.ARM_svc
ida_hexrays.get_widget_vdui
ida_hexrays.init_hexrays_plugin
ida_hexrays.install_microcode_filter
ida_hexrays.udc_filter_t
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_PSEUDOCODE
ida_kernwin.UI_Hooks
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_popup
ida_kernwin.get_widget_type
ida_kernwin.register_action
Shows how to hook to many notifications sent by the decompiler.
This plugin doesn't really accomplish anything: it just prints the parameters.
The list of notifications handled below should be exhaustive, and is there to hint at what is possible to accomplish by subclassing ida_hexrays.Hexrays_Hooks
Hexrays_Hooks
Intermediate
APIs Used:
ida_hexrays.Hexrays_Hooks
ida_hexrays.cfunc_t
ida_hexrays.lvar_t
ida_hexrays.vdui_t
Use a ida_hexrays.user_lvar_modifier_t to modify names, comments and/or types of local variables.
Intermediate
APIs Used:
ida_hexrays.modify_user_lvars
ida_hexrays.user_lvar_modifier_t
ida_typeinf.parse_decl
idc.here
Shows how user input information can be retrieved during processing of a notification triggered by that input
Hexrays_Hooks
Advanced
APIs Used:
ida_hexrays.Hexrays_Hooks
ida_kernwin.get_user_input_event
ida_kernwin.iek_key_press
ida_kernwin.iek_key_release
ida_kernwin.iek_mouse_button_press
ida_kernwin.iek_mouse_button_release
ida_kernwin.iek_mouse_wheel
ida_kernwin.iek_shortcut
ida_kernwin.input_event_t
Installs a custom microcode block optimization rule, to transform:
into
In other words we fix a goto target if it points to a chain of gotos. This improves the decompiler output in some cases.
plugin
Advanced
APIs Used:
ida_hexrays.getf_reginsn
ida_hexrays.init_hexrays_plugin
ida_hexrays.m_goto
ida_hexrays.optblock_t
ida_idaapi.PLUGIN_HIDE
ida_idaapi.PLUGIN_KEEP
ida_idaapi.plugin_t
Shows a list of direct references to a register from the current instruction.
Advanced
APIs Used:
ida_bytes.get_flags
ida_bytes.is_code
ida_funcs.get_func
ida_hexrays.ACFL_GUESS
ida_hexrays.DECOMP_NO_CACHE
ida_hexrays.DECOMP_WARNINGS
ida_hexrays.GCO_DEF
ida_hexrays.GCO_USE
ida_hexrays.GC_REGS_AND_STKVARS
ida_hexrays.MERR_OK
ida_hexrays.MMAT_PREOPTIMIZED
ida_hexrays.MUST_ACCESS
ida_hexrays.gco_info_t
ida_hexrays.gen_microcode
ida_hexrays.get_current_operand
ida_hexrays.get_merror_desc
ida_hexrays.hexrays_failure_t
ida_hexrays.init_hexrays_plugin
ida_hexrays.mba_ranges_t
ida_hexrays.mlist_t
ida_hexrays.op_parent_info_t
ida_hexrays.voff_t
ida_kernwin.Choose
ida_kernwin.get_screen_ea
ida_kernwin.jumpto
ida_kernwin.warning
ida_lines.GENDSM_REMOVE_TAGS
ida_lines.generate_disasm_line
ida_pro.eavec_t
Registers an action opens the "Select offsets" widget (select_udt_by_offset() call).
This effectively repeats the functionality already available through Alt+Y.
Place cursor on the union field and press Shift+T
plugin
Advanced
APIs Used:
ida_hexrays.USE_KEYBOARD
ida_hexrays.cot_add
ida_hexrays.cot_cast
ida_hexrays.cot_memptr
ida_hexrays.cot_memref
ida_hexrays.cot_num
ida_hexrays.cot_ref
ida_hexrays.get_hexrays_version
ida_hexrays.get_widget_vdui
ida_hexrays.init_hexrays_plugin
ida_hexrays.select_udt_by_offset
ida_hexrays.ui_stroff_applicator_t
ida_hexrays.ui_stroff_ops_t
ida_idaapi.BADADDR
ida_idaapi.PLUGIN_HIDE
ida_idaapi.PLUGIN_KEEP
ida_idaapi.plugin_t
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_PSEUDOCODE
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.get_custom_viewer_curline
ida_kernwin.msg
ida_kernwin.register_action
ida_kernwin.warning
ida_lines.tag_remove
ida_typeinf.PRTYPE_1LINE
ida_typeinf.print_tinfo
ida_typeinf.remove_pointer
Installs a custom microcode instruction optimization rule, to transform:
into
To see this plugin in action please use be_ornot_be.idb
plugin
Advanced
APIs Used:
ida_hexrays.init_hexrays_plugin
ida_hexrays.m_bnot
ida_hexrays.m_mov
ida_hexrays.m_or
ida_hexrays.minsn_visitor_t
ida_hexrays.mop_t
ida_hexrays.optinsn_t
ida_idaapi.PLUGIN_HIDE
ida_idaapi.PLUGIN_KEEP
ida_idaapi.plugin_t
Registers an action that can be used to invert the if and else blocks of a ida_hexrays.cif_t.
For example, a statement like
will be displayed as
The modifications are persistent: the user can quit & restart IDA, and the changes will be present.
ctxmenu Hexrays_Hooks IDP_Hooks plugin
Advanced
APIs Used:
ida_hexrays.CMAT_FINAL
ida_hexrays.CV_FAST
ida_hexrays.CV_INSNS
ida_hexrays.Hexrays_Hooks
ida_hexrays.ITP_ELSE
ida_hexrays.USE_KEYBOARD
ida_hexrays.VDI_TAIL
ida_hexrays.cexpr_t
ida_hexrays.cit_if
ida_hexrays.ctree_visitor_t
ida_hexrays.get_widget_vdui
ida_hexrays.init_hexrays_plugin
ida_hexrays.lnot
ida_hexrays.qswap
ida_idaapi.PLUGIN_HIDE
ida_idaapi.PLUGIN_KEEP
ida_idaapi.plugin_t
ida_idp.IDP_Hooks
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_PSEUDOCODE
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_popup
ida_kernwin.register_action
ida_netnode.netnode
Registers an action that can be used to show the graph of the ctree. The current item will be highlighted in the graph.
The command shortcut is Ctrl+Shift+G, and is also added to the context menu.
To display the graph, we produce a .gdl file, and request that ida displays that using ida_gdl.display_gdl.
ctxmenu Hexrays_Hooks plugin
Advanced
APIs Used:
ida_gdl.display_gdl
ida_hexrays.Hexrays_Hooks
ida_hexrays.USE_KEYBOARD
ida_hexrays.cit_asm
ida_hexrays.cit_goto
ida_hexrays.cot_helper
ida_hexrays.cot_memptr
ida_hexrays.cot_memref
ida_hexrays.cot_num
ida_hexrays.cot_obj
ida_hexrays.cot_ptr
ida_hexrays.cot_str
ida_hexrays.cot_var
ida_hexrays.ctree_parentee_t
ida_hexrays.get_ctype_name
ida_hexrays.get_widget_vdui
ida_hexrays.init_hexrays_plugin
ida_idaapi.PLUGIN_HIDE
ida_idaapi.PLUGIN_KEEP
ida_idaapi.plugin_t
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_PSEUDOCODE
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_popup
ida_kernwin.register_action
ida_kernwin.warning
ida_lines.tag_remove
ida_pro.str2user
Show decompiler-style Xref when the Ctrl+X key is pressed in the Decompiler window.
supports any global name: functions, strings, integers, ...
supports structure member.
ctxmenu Hexrays_Hooks
Advanced
APIs Used:
ida_funcs.get_func_name
ida_hexrays.DECOMP_GXREFS_FORCE
ida_hexrays.Hexrays_Hooks
ida_hexrays.USE_KEYBOARD
ida_hexrays.VDI_EXPR
ida_hexrays.VDI_FUNC
ida_hexrays.cexpr_t
ida_hexrays.cfunc_t
ida_hexrays.cinsn_t
ida_hexrays.decompile
ida_hexrays.get_widget_vdui
ida_hexrays.init_hexrays_plugin
ida_hexrays.open_pseudocode
ida_hexrays.qstring_printer_t
ida_idaapi.BADADDR
ida_kernwin.AST_DISABLE
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE
ida_kernwin.BWN_PSEUDOCODE
ida_kernwin.PluginForm
ida_kernwin.PluginForm.Show
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_popup
ida_kernwin.register_action
ida_typeinf.PRTYPE_1LINE
ida_typeinf.STRMEM_OFFSET
ida_typeinf.print_tinfo
ida_typeinf.tinfo_t
ida_typeinf.udm_t
idautils.Functions
idautils.XrefsTo
Iterate over the list of threads in the program being debugged, and dump all registers contents
To use this example:
run ida64 on test program simple_appcall_linux64, or ida on test program simple_appcall_linux32, and wait for auto-analysis to finish
put a breakpoint somewhere in the code
select the 'linux debugger' (either local, or remote)
start debugging
Press Alt+Shift+C at the breakpoint
Beginner
APIs Used:
ida_dbg.get_reg_vals
ida_dbg.get_thread_qty
ida_dbg.getn_thread
ida_idd.get_dbg
ida_kernwin.AST_ENABLE_ALWAYS
ida_kernwin.action_desc_t
ida_kernwin.register_action
Queries the debugger (possibly remotely) for the list of symbols that the process being debugged, provides.
Beginner
APIs Used:
ida_dbg.DSTATE_SUSP
ida_dbg.get_process_state
ida_dbg.is_debugger_on
ida_ida.inf_get_max_ea
ida_ida.inf_get_min_ea
ida_name.get_debug_names
Print the return addresses from the call stack at a breakpoint, when debugging a Linux binary. (and also print the module and the debug name from debugger)
To use this example:
run ida on test program simple_appcall_linux64, or ida on test program simple_appcall_linux32, and wait for auto-analysis to finish
put a breakpoint where you want to see the call stack
select the 'linux debugger' (either local, or remote)
start debugging
Press Shift+C at the breakpoint
Intermediate
APIs Used:
ida_dbg.collect_stack_trace
ida_dbg.get_current_thread
ida_dbg.get_module_info
ida_idd.call_stack_t
ida_idd.modinfo_t
ida_kernwin.AST_ENABLE_ALWAYS
ida_kernwin.action_desc_t
ida_kernwin.register_action
ida_name.GNCN_NOCOLOR
ida_name.GNCN_NOLABEL
ida_name.GNCN_NOSEG
ida_name.GNCN_PREFDBG
ida_name.get_nice_colored_name
It's possible to add actions to the context menu of pretty much all widgets in IDA.
This example shows how to do just that for registers-displaying widgets (e.g., "General registers")
ctxmenu UI_Hooks
Intermediate
APIs Used:
ida_dbg.get_dbg_reg_info
ida_dbg.get_reg_val
ida_idd.register_info_t
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_CPUREGS
ida_kernwin.UI_Hooks
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_popup
ida_kernwin.get_widget_type
ida_kernwin.register_action
ida_ua.dt_byte
ida_ua.dt_dword
ida_ua.dt_qword
ida_ua.dt_word
Start a debugging session, step through the first five instructions. Each instruction is disassembled after execution.
DBG_Hooks
Advanced
APIs Used:
ida_dbg.DBG_Hooks
ida_dbg.get_reg_val
ida_dbg.request_exit_process
ida_dbg.request_run_to
ida_dbg.request_step_over
ida_dbg.run_requests
ida_ida.inf_get_start_ip
ida_idaapi.BADADDR
ida_lines.generate_disasm_line
ida_lines.tag_remove
This script demonstrates using the low-level tracing hook (ida_dbg.DBG_Hooks.dbg_trace). It can be run like so:
DBG_Hooks
Advanced
APIs Used:
GENDSM_FORCE_CODE
GENDSM_REMOVE_TAGS
NN_call
NN_callfi
NN_callni
generate_disasm_line
ida_dbg.DBG_Hooks
ida_dbg.ST_OVER_DEBUG_SEG
ida_dbg.ST_OVER_LIB_FUNC
ida_dbg.enable_step_trace
ida_dbg.get_process_state
ida_dbg.get_reg_val
ida_dbg.get_step_trace_options
ida_dbg.load_debugger
ida_dbg.refresh_debugger_memory
ida_dbg.request_continue_process
ida_dbg.request_enable_step_trace
ida_dbg.request_set_step_trace_options
ida_dbg.run_requests
ida_dbg.run_to
ida_dbg.set_step_trace_options
ida_dbg.wait_for_next_event
ida_ida.f_ELF
ida_ida.f_MACHO
ida_ida.f_PE
ida_ida.inf_get_filetype
ida_ida.inf_get_max_ea
ida_ida.inf_get_min_ea
ida_ida.inf_get_start_ip
ida_pro.qexit
ida_ua.decode_insn
ida_ua.insn_t
idc.ARGV
Using the ida_idd.Appcall utility to execute code in the process being debugged.
This example will run the test program and stop wherever the cursor currently is, and then perform an appcall to execute the ref4 and ref8 functions.
To use this example:
run ida64 on test program simple_appcall_linux64, or ida on test program simple_appcall_linux32, and wait for auto-analysis to finish
select the 'linux debugger' (either local, or remote)
run this script
Note: the real body of code is in simple_appcall_common.py.
Advanced
APIs Used:
ida_dbg.DBG_Hooks
ida_dbg.run_to
ida_idaapi.BADADDR
ida_idd.Appcall
ida_idd.Appcall.byref
ida_idd.Appcall.int64
ida_kernwin.get_screen_ea
ida_name.get_name_ea
ida_name.set_name
ida_typeinf.apply_cdecl
Using the ida_idd.Appcall utility to execute code in the process being debugged.
This example will run the test program and stop wherever the cursor currently is, and then perform an appcall to execute the ref4 and ref8 functions.
To use this example:
run ida on test program simple_appcall_win64.exe, or ida on test program simple_appcall_win32.exe, and wait for auto-analysis to finish
select the 'windows debugger' (either local, or remote)
run this script
Note: the real body of code is in simple_appcall_common.py.
Advanced
APIs Used:
ida_dbg.DBG_Hooks
ida_dbg.run_to
ida_ida.inf_is_64bit
ida_idaapi.BADADDR
ida_idd.Appcall
ida_idd.Appcall.byref
ida_idd.Appcall.int64
ida_kernwin.get_screen_ea
ida_name.get_name_ea
ida_name.set_name
ida_typeinf.apply_cdecl
The goal of this script is to demonstrate some usage of the type API. In this script, we create a structure using the "parsing" method.
Beginner
APIs Used:
ida_typeinf.tinfo_t
The goal of this script is to demonstrate some usage of the type API. In this script, we first create a structure with many members, and then remove all those that fall within a range.
Beginner
APIs Used:
ida_typeinf.STRMEM_OFFSET
ida_typeinf.TERR_OK
ida_typeinf.tinfo_t
ida_typeinf.udm_t
In this example, we will first ask the user to provide the name of an enumeration, and then iterate on it
Beginner
APIs Used:
ida_kernwin.ask_str
The goal of this script is to demonstrate some usage of the type API. In this script, we retrieve the function frame structure, and iterate on the frame members.
Beginner
APIs Used:
ida_funcs.get_func
ida_kernwin.get_screen_ea
This script demonstrates how to list a function return type along with its parameters types and name if any. We do this for all the functions found in the database.
Beginner
APIs Used:
ida_funcs.get_func
idautils.Functions
The goal of this script is to demonstrate some usage of the type API. In this script, we:
Ask the user for a structure name. It must already be present in the local types.
Retrieve the structure type info from the local type
Extract its type details (udt)
Iterates it members and prints their names.
Beginner
APIs Used:
ida_kernwin.ask_str
ida_typeinf.BTF_STRUCT
ida_typeinf.get_idati
ida_typeinf.tinfo_t
ida_typeinf.udt_type_data_t
The goal of this script is to demonstrate some usage of the type API. In this script, we:
Ask the user for a structure name. It must already be present in the local types.
Get its tid
Create the list of all the reference.
Print it
Beginner
APIs Used:
ida_kernwin.choose_struct
ida_typeinf.tinfo_t
ida_xref.xrefblk_t
The goal of this script is to demonstrate some usage of the type API. In this script, we:
Ask the user for a union name. It must already be present in the local types.
Retrieve the union type info from the local type
Extract its type details (udt)
Iterates it members and prints their names.
Beginner
APIs Used:
ida_kernwin.ask_str
ida_typeinf.BTF_UNION
ida_typeinf.get_idati
ida_typeinf.tinfo_t
ida_typeinf.udt_type_data_t
At least two possibilies are offered in order to indicate that a function spoils registers (excluding the "normal" ones):
You can either parse & apply a declaration:
or retrieve & modify the tinfo_t object directly.
This script showcases the latter.
Beginner
APIs Used:
ida_funcs.get_func
ida_idp.parse_reg_name
ida_idp.reg_info_t
ida_kernwin.get_screen_ea
ida_nalt.get_tinfo
ida_typeinf.FTI_SPOILED
ida_typeinf.TINFO_DEFINITE
ida_typeinf.apply_tinfo
ida_typeinf.func_type_data_t
ida_typeinf.tinfo_t
The goal of this script is to demonstrate some usage of the type API. In this script, we:
Open the private type libary.
Load its declaration in the type library by parsing its declaration and keep the return tuple for future use.
Deserialize the type info stored in the returned tuple.
Get the address of the function.
Get the address of the code reference to the function and apply the type info there.
Intermediate
APIs Used:
ida_idaapi.BADADDR
ida_name.get_name_ea
ida_typeinf.PT_REPLACE
ida_typeinf.apply_callee_tinfo
ida_typeinf.get_idati
ida_typeinf.idc_parse_decl
ida_typeinf.tinfo_t
idautils.CodeRefsTo
The goal of this script is to demonstrate some usage of the type API. In this script, we create an array using both versions of create_array tinfo_t method.
Intermediate
APIs Used:
ida_typeinf.BTF_INT
ida_typeinf.array_type_data_t
ida_typeinf.tinfo_t
The goal of this script is to demonstrate some usage of the type API. In this script, we:
Create a bitfield structure. In the present case the bitfield is an int32 made of three 'members' spanning it entirely: bit0->bit19: bf1 bit20->bit25: bf2 bit26->bit31: bf3
For each member create a repeatable comment.
Intermediate
APIs Used:
ida_typeinf.tinfo_t
ida_typeinf.udm_t
ida_typeinf.udt_type_data_t
The goal of this script is to demonstrate some usage of the type API. In this script, we create a bitmask enumeration member by member.
Intermediate
APIs Used:
ida_typeinf.BTE_BITMASK
ida_typeinf.BTE_HEX
ida_typeinf.tinfo_t
The goal of this script is to demonstrate some usage of the type API. In this script:
We create a new libssh2-64.til file holding some libssh2 64-bit structures.
Once the file has been created, it can copied in the IDA install til directory or in the user IDA til directory.
Intermediate
APIs Used:
ida_typeinf.HTI_DCL
ida_typeinf.HTI_PAKDEF
ida_typeinf.compact_til
ida_typeinf.free_til
ida_typeinf.new_til
ida_typeinf.parse_decls
ida_typeinf.store_til
The goal of this script is to demonstrate some usage of the type API. In this script, we create a structure by building it member by member.
Intermediate
APIs Used:
ida_typeinf.BTF_UINT32
ida_typeinf.NTF_TYPE
ida_typeinf.del_named_type
ida_typeinf.tinfo_errstr
ida_typeinf.tinfo_t
ida_typeinf.udt_type_data_t
Usage of the API to create & populate a structure with members of different types.
Intermediate
APIs Used:
ida_typeinf.BTF_BYTE
ida_typeinf.BTF_DOUBLE
ida_typeinf.BTF_FLOAT
ida_typeinf.BTF_INT
ida_typeinf.BTF_INT128
ida_typeinf.BTF_INT16
ida_typeinf.BTF_INT64
ida_typeinf.BTF_TBYTE
ida_typeinf.BTF_UINT32
ida_typeinf.FRB_NUMO
ida_typeinf.NTF_TYPE
ida_typeinf.PRTYPE_DEF
ida_typeinf.PRTYPE_MULTI
ida_typeinf.PRTYPE_TYPE
ida_typeinf.del_named_type
ida_typeinf.idc_parse_types
ida_typeinf.tinfo_errstr
ida_typeinf.tinfo_t
ida_typeinf.udm_t
ida_typeinf.udt_type_data_t
ida_typeinf.value_repr_t
The goal of this script is to demonstrate some usage of the type API. In this script, we create a union by building it member after member.
Intermediate
APIs Used:
ida_typeinf.BTF_CHAR
ida_typeinf.BTF_FLOAT
ida_typeinf.BTF_INT32
ida_typeinf.BTF_UNION
ida_typeinf.NTF_TYPE
ida_typeinf.PRTYPE_DEF
ida_typeinf.PRTYPE_MULTI
ida_typeinf.PRTYPE_TYPE
ida_typeinf.del_named_type
ida_typeinf.tinfo_t
ida_typeinf.udm_t
ida_typeinf.udt_type_data_t
The goal of this script is to demonstrate some usage of the type API. In this script, we show how to create, set type and name of a user shared data region in an ntdll IDB:
Load the _KUSER_SHARED_DATA data type from a type info library shipped with IDA, and import it into the IDB's "local types"
Create a data segment with UserSharedData as its name.
Apply the type to the start of the newly created segment base address.
Set the address name.
Intermediate
APIs Used:
ida_name.set_name
ida_segment.add_segm_ex
ida_segment.saRelPara
ida_segment.scPub
ida_segment.segment_t
ida_segment.setup_selector
ida_typeinf.TINFO_DEFINITE
ida_typeinf.apply_tinfo
ida_typeinf.free_til
ida_typeinf.load_til
The goal of this script is to illustrate ways to detect gaps & alignments in structures, from a structure name & (byte) offset.
Intermediate
APIs Used:
ida_range.rangeset_t
The goal of this script is to provide a way to figure out what structure member, is most likely referenced by an offset.
This also works for variable sized types.
Intermediate
APIs Used:
ida_typeinf.tinfo_t
ida_typeinf.udt_type_data_t
Assuming the 2 following types:
looking at an offset of 5 bytes inside an a instance, might be interpreted as pointing somewhere inside member b_instance, of type b. Alternatively, that same offset might be intprereted as pointing somewhere inside low, of type int.
We refer to that latter interpretation as "innermost", and this sample shows how the API lets us "drill down" to retrieve that innermost member.
Intermediate
APIs Used:
ida_typeinf.get_idati
ida_typeinf.parse_decls
The goal of this script is to demonstrate some usage of the type API. In this script, we:
ask the user for a specific til to be lodaed
if successfully loaded ask the user for a type name to be imported.
append the type to the local types.
Intermediate
APIs Used:
ida_kernwin.ask_str
ida_typeinf.load_til
This sample will retrieve the type info object by its name, find the member at the specified offset, and insert a new member right before it
Intermediate
APIs Used:
ida_typeinf.TERR_OK
ida_typeinf.tinfo_t
Contrary to (in-memory) data & code xrefs, retrieving stack variables xrefs requires a bit more work than just using ida_xref's first_to(), next_to() (or higher level utilities such as idautils.XrefsTo)
xrefs
Intermediate
APIs Used:
ida_bytes.get_flags
ida_bytes.is_stkvar
ida_frame.calc_stkvar_struc_offset
ida_funcs.get_func
ida_ida.UA_MAXOP
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_DISASM
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.get_current_viewer
ida_kernwin.get_highlight
ida_kernwin.get_screen_ea
ida_kernwin.register_action
ida_typeinf.tinfo_t
ida_ua.decode_insn
ida_ua.insn_t
The goal of this script is to demonstrate some usage of the type API. In this script, we demonstrate how to list each stack variables xref:
Get the function object surrounding cursor location.
Use this function to retrieve the corresponding frame object.
For each frame element:
Build the stack variable xref list
Print it.
Intermediate
APIs Used:
ida_frame.build_stkvar_xrefs
ida_frame.get_func_frame
ida_frame.xreflist_t
ida_funcs.get_func
ida_kernwin.get_screen_ea
ida_typeinf.tinfo_t
ida_typeinf.udt_type_data_t
ida_xref.dr_R
ida_xref.dr_W
The goal of this script is to demonstrate some usage of the type API.
In this script, we:
load a PE64 file in binary mode
import some types from the mssdk64 til
apply these types at the correct ofsset in the DB
finally, rebase the program based on the information stored in the ImageBase field of the IMAGE_OPTIONAL_HEADER64.
Intermediate
APIs Used:
ida_bytes.create_struct
ida_bytes.get_dword
ida_bytes.get_qword
ida_bytes.get_word
ida_hexrays.get_type
ida_name.set_name
ida_netnode.BADNODE
ida_segment.MSF_FIXONCE
ida_segment.rebase_program
ida_typeinf.ADDTIL_DEFAULT
ida_typeinf.BTF_STRUCT
ida_typeinf.add_til
ida_typeinf.tinfo_t
ida_typeinf.udt_type_data_t
idc.import_type
In this script, we show an example of tinfo_visitor_t to list a user define type members, recursively.
This scripts skips array & pointer members (by calling tinfo_visitor_t.prune_now())
Intermediate
APIs Used:
ida_netnode.BADNODE
ida_typeinf.ADDTIL_DEFAULT
ida_typeinf.TVST_DEF
ida_typeinf.add_til
ida_typeinf.array_type_data_t
ida_typeinf.get_idati
ida_typeinf.tinfo_t
ida_typeinf.tinfo_visitor_t
idc.import_type
The goal of this script is to demonstrate some usage of the type API. In this script, we demonstrate a way to change the name of a stack variable:
Get the function object surrounding cursor location.
Use this function to retrieve the corresponding frame object.
Find the frame member matching the given name.
Using its offset in the frame structure object, calculate the actual stack delta.
Use the previous result to redefine the stack variable name if it is not a special or argument member.
Advanced
APIs Used:
ida_frame.define_stkvar
ida_frame.get_func_frame
ida_frame.is_funcarg_off
ida_frame.is_special_frame_member
ida_frame.soff_to_fpoff
ida_funcs.get_func
ida_typeinf.tinfo_t
ida_typeinf.udm_t
idc.here
The goal of this script is to demonstrate some usage of the type API.
In this script, we show a way to change the type and the name of a stack variable. In this case we will take advantage of the fact that RtlImageNtHeader calls RtlImageNtHeaderEx which takes a pointer to PIMAGE_NT_HEADERS as its fourth parameter and, for this, uses a stack variable of its caller.
Get the function object for RtlImageNtHeader.
Iterate through the function item to localize the load of the stack variable address before the call to RtlImageNtHeaderEx. We keep this information.
Localize the call and take advantage of the previoulsy stored instruction to get the stack variable index in the frame.
Set the type and rename the stack variable.
Advanced
APIs Used:
ida_allins.NN_call
ida_allins.NN_lea
ida_frame.get_func_frame
ida_funcs.func_item_iterator_t
ida_funcs.get_func
ida_funcs.get_func_name
ida_ida.inf_get_procname
ida_ida.inf_is_64bit
ida_idaapi.BADADDR
ida_name.get_name_ea
ida_typeinf.BTF_STRUCT
ida_typeinf.TERR_OK
ida_typeinf.tinfo_t
ida_ua.decode_insn
ida_ua.insn_t
ida_ua.o_reg
idautils.procregs.r9.reg
The goal of this script is to demonstrate some usage of the type API. In this script, we:
ask the user to choose the structure that will be used for the conversion.
build the structure path and call ida_bytes.op_stroff. In case an enum is found a modal chooser is displayed in order to select a member.
Advanced
APIs Used:
ida_bytes.op_stroff
ida_kernwin.Choose
ida_kernwin.Choose.CHCOL_HEX
ida_kernwin.Choose.CHCOL_PLAIN
ida_kernwin.choose_struct
ida_kernwin.get_opnum
ida_kernwin.get_screen_ea
ida_pro.tid_array
ida_typeinf.STRMEM_OFFSET
ida_typeinf.tinfo_t
ida_typeinf.udm_t
ida_typeinf.udt_type_data_t
ida_ua.decode_insn
ida_ua.insn_t
The idapythonrc.py file:
%APPDATA%\Hex-Rays\IDA Pro\idapythonrc.py (on Windows)
~/.idapro/idapythonrc.py (on Linux & Mac)
can contain any IDAPython code that will be run as soon as IDAPython is done successfully initializing.
Beginner
You can add IDC functions to IDA, whose "body" consists of IDAPython statements!
We'll register a 'pow' function, available to all IDC code, that when invoked will call back into IDAPython, and execute the provided function body.
After running this script, try switching to the IDC interpreter (using the button on the lower-left corner of IDA) and executing pow(3, 7)
Intermediate
APIs Used:
ida_expr.VT_LONG
ida_expr.add_idc_func
For more infortmation see SDK/plugins/cvt64_sample example
Advanced
APIs Used:
ida_idaapi.BADADDR
ida_idaapi.BADADDR32
ida_netnode.atag
ida_netnode.htag
ida_netnode.stag
This is a primitive plugin which asks user for some info and saves it for some addresses.
We will add a merge functionality to plugin.
An IDA plugin may have two kinds of data with permanent storage:
Data common for entire database (e.g. the options). To describe them we will use the idbattr_info_t type.
Data specific to a particular address. To describe them we will use the merge_node_info_t type.
Also, see SDK/plugins/mex1 example
IDP_Hooks plugin
Advanced
APIs Used:
ida_funcs.get_func
ida_ida.IDI_ALTVAL
ida_ida.IDI_CSTR
ida_ida.IDI_SCALAR
ida_ida.IDI_SUPVAL
ida_ida.idbattr_info_t
ida_idaapi.BADADDR
ida_idaapi.PLUGIN_MOD
ida_idaapi.PLUGIN_MULTI
ida_idaapi.plugin_t
ida_idaapi.plugmod_t
ida_idp.IDP_Hooks
ida_kernwin.Form
ida_kernwin.Form.ChkGroupControl
ida_kernwin.Form.StringInput
ida_kernwin.get_screen_ea
ida_merge.MERGE_KIND_END
ida_merge.MERGE_KIND_NONE
ida_merge.NDS_IS_STR
ida_merge.NDS_MAP_IDX
ida_merge.merge_handler_params_t
ida_merge.merge_node_info_t
ida_merge.moddata_diff_helper_t
ida_mergemod.create_std_modmerge_handlers
ida_netnode.BADNODE
ida_netnode.SIZEOF_nodeidx_t
ida_netnode.atag
ida_netnode.netnode
ida_netnode.stag
IDA Teams uses a chooser to display the merge conflicts. To fill the chooser columns IDA Teams uses the following methods from diff_source_t type:
print_diffpos_name()
print_diffpos_details()
and UI hints from merge_handler_params_t type:
ui_has_details()
ui_complex_details()
ui_complex_name()
In general, chooser columns are filled as following:
Also, see SDK/plugins/mex3 example
IDP_Hooks plugin
Advanced
APIs Used:
ida_funcs.get_func
ida_ida.IDI_ALTVAL
ida_ida.IDI_CSTR
ida_ida.IDI_SCALAR
ida_ida.IDI_SUPVAL
ida_ida.idbattr_info_t
ida_idaapi.BADADDR
ida_idaapi.PLUGIN_MOD
ida_idaapi.PLUGIN_MULTI
ida_idaapi.plugin_t
ida_idaapi.plugmod_t
ida_idp.IDP_Hooks
ida_kernwin.Form
ida_kernwin.Form.ChkGroupControl
ida_kernwin.Form.StringInput
ida_kernwin.get_screen_ea
ida_merge.MERGE_KIND_END
ida_merge.MERGE_KIND_NONE
ida_merge.MH_UI_COLONNAME
ida_merge.MH_UI_COMMANAME
ida_merge.MH_UI_NODETAILS
ida_merge.NDS_IS_STR
ida_merge.NDS_MAP_IDX
ida_merge.create_nodeval_merge_handlers
ida_merge.get_ea_diffpos_name
ida_merge.merge_handler_params_t
ida_merge.merge_node_helper_t
ida_merge.merge_node_info_t
ida_merge.moddata_diff_helper_t
ida_mergemod.create_std_modmerge_handlers
ida_nalt.node2ea
ida_netnode.BADNODE
ida_netnode.SIZEOF_nodeidx_t
ida_netnode.atag
ida_netnode.netnode
ida_netnode.stag