IDAPython examples
IDAPython scripts examples
The following examples demonstrate the usage of the IDAPython API in more complex scripts.
Where can I find all the examples?
IDA is shipped with examples of IDAPython scripts that perform specific tasks, useful for common situations.
The full library of our examples is shipped with your IDA instance in the python/examples folder. You can find them also in the GitHub repository.
How to run the examples?
Load the script via File Loader
Navigate to File -> Script file....
In the new dialog, select the
.pyscript you want to run and click Open.
Load the script via Script command
Navigate to File -> Script command....
Paste the code into Please enter script body field and click Run.
Load the script via output window/console
In the output window/IDAPython console, type the following command:
exec(open("path/to/your_script.py").read())to execute the script.
IDAPython examples
Category: analysis
dump_func_info
Dump (some) information about the current function.
Source code
Category
analysis
Description
Dump some of the most interesting bits of information about the function we are currently looking at.
Uses
ida_funcs.FUNC_FRAME
ida_funcs.FUNC_LUMINA
ida_funcs.FUNC_OUTLINE
ida_funcs.FUNC_THUNK
ida_funcs.get_fchunk
ida_funcs.is_func_entry
ida_funcs.is_func_tail
ida_kernwin.get_screen_ea
Category: core
actions
Custom actions, with icons & tooltips
Source code
Category
core
Description
How to create user actions, that once created can be inserted in menus, toolbars, context menus, ...
Those actions, when triggered, will be passed a 'context' that contains some of the most frequently needed bits of information.
In addition, custom actions can determine when they want to be available (through their ida_kernwin.action_handler_t.update callback)
Shortcut
Ctrl+F12
Keywords
actions ctxmenu UI_Hooks
Uses
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_DISASM
ida_kernwin.SETMENU_APP
ida_kernwin.UI_Hooks
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_menu
ida_kernwin.attach_action_to_popup
ida_kernwin.attach_action_to_toolbar
ida_kernwin.get_widget_type
ida_kernwin.load_custom_icon
ida_kernwin.register_action
ida_kernwin.unregister_action
See also
add_hotkey
Triggering bits of code by pressing a shortcut
Source code
Category
core
Description
ida_kernwin.add_hotkey is a simpler, but much less flexible alternative to ida_kernwin.register_action (though it does use the same mechanism under the hood.)
It's particularly useful during prototyping, but note that the actions that are created cannot be inserted in menus, toolbars or cannot provide a custom ida_kernwin.action_handler_t.update callback.
Keywords
actions
Uses
ida_kernwin.add_hotkey
ida_kernwin.del_hotkey
See also
add_idc_hotkey
Triggering bits of code by pressing a shortcut (older version)
Source code
Category
core
Description
This is a somewhat ancient way of registering actions & binding shortcuts. It's still here for reference, but "fresher" alternatives should be preferred.
Keywords
actions
Uses
ida_expr.compile_idc_text
ida_kernwin.add_idc_hotkey
See also
auto_instantiate_widget_plugin
Better integrating custom widgets in the desktop layout
Source code
core/auto_instantiate_widget_plugin.py
Category
core
Description
This is an example demonstrating how one can create widgets from a plugin, and have them re-created automatically at IDA startup-time or at desktop load-time.
This example should be placed in the 'plugins' directory of the IDA installation, for it to work.
There are 2 ways to use this example:
reloading an IDB, where the widget was opened
open the widget ('View > Open subview > ...')
save this IDB, and close IDA
restart IDA with this IDB => the widget will be visible
reloading a desktop, where the widget was opened
open the widget ('View > Open subview > ...')
save the desktop ('Windows > Save desktop...') under, say, the name 'with_auto'
start another IDA instance with some IDB, and load that desktop => the widget will be visible
Keywords
desktop plugin UI_Hooks
Uses
ida_idaapi.plugin_t
ida_kernwin.AST_ENABLE_ALWAYS
ida_kernwin.SETMENU_APP
ida_kernwin.UI_Hooks
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_menu
ida_kernwin.find_widget
ida_kernwin.register_action
ida_kernwin.simplecustviewer_t
ida_kernwin.simplecustviewer_t.Create
colorize_disassembly_on_the_fly
An easy-to-use way to colorize lines
Source code
core/colorize_disassembly_on_the_fly.py
Category
core
Description
This builds upon the ida_kernwin.UI_Hooks.get_lines_rendering_info feature, to provide a quick & easy way to colorize disassembly lines.
Contrary to @colorize_disassembly, the coloring is not persisted in the database, and will therefore be lost after the session.
By triggering the action multiple times, the user can "carousel" across 4 predefined colors (and return to the "no color" state.)
Shortcut
!
Keywords
coloring UI_Hooks
Uses
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.CK_EXTRA5
ida_kernwin.CK_EXTRA6
ida_kernwin.CK_EXTRA7
ida_kernwin.CK_EXTRA8
ida_kernwin.UI_Hooks
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.get_current_viewer
ida_kernwin.get_custom_viewer_location
ida_kernwin.get_custom_viewer_place_xcoord
ida_kernwin.get_widget_title
ida_kernwin.line_rendering_output_entry_t
ida_kernwin.register_action
ida_moves.lochist_entry_t
See also
create_structure_programmatically
Programmatically create & populate a structure
Source code
core/create_structure_programmatically.py
Category
core
Description
Usage of the API to create & populate a structure with members of different types.
Uses
ida_typeinf.BTF_BYTE
ida_typeinf.BTF_DOUBLE
ida_typeinf.BTF_FLOAT
ida_typeinf.BTF_INT
ida_typeinf.BTF_INT128
ida_typeinf.BTF_INT16
ida_typeinf.BTF_INT64
ida_typeinf.BTF_TBYTE
ida_typeinf.BTF_UINT32
ida_typeinf.FRB_NUMO
ida_typeinf.NTF_TYPE
ida_typeinf.PRTYPE_DEF
ida_typeinf.PRTYPE_MULTI
ida_typeinf.PRTYPE_TYPE
ida_typeinf.del_named_type
ida_typeinf.idc_parse_types
ida_typeinf.tinfo_errstr
ida_typeinf.tinfo_t
ida_typeinf.udm_t
ida_typeinf.udt_type_data_t
ida_typeinf.value_repr_t
Author
Gergely Erdelyi (gergely.erdelyi@d-dome.net)
custom_cli
A custom command-line interpreter
Source code
Category
core
Description
Illustrates how one can add command-line interpreters to IDA
This custom interpreter doesn't actually run any code; it's there as a 'getting started'. It provides an example tab completion support.
Uses
ida_idaapi.NW_CLOSEIDB
ida_idaapi.NW_OPENIDB
ida_idaapi.NW_REMOVE
ida_idaapi.NW_TERMIDA
ida_idaapi.notify_when
ida_kernwin.cli_t
custom_data_types_and_formats
Using custom data types & printers
Source code
core/custom_data_types_and_formats.py
Category
core
Description
IDA can be extended to support certain data types that it does not know about out-of-the-box.
A 'custom data type' provide information about the type & size of a piece of data, while a 'custom data format' is in charge of formatting that data (there can be more than one format for a specific 'custom data type'.)
Uses
ida_bytes.data_format_t
ida_bytes.data_type_t
ida_bytes.find_custom_data_type
ida_bytes.get_byte
ida_bytes.register_data_types_and_formats
ida_bytes.unregister_data_types_and_formats
ida_idaapi.NW_CLOSEIDB
ida_idaapi.NW_OPENIDB
ida_idaapi.NW_REMOVE
ida_idaapi.NW_TERMIDA
ida_idaapi.notify_when
ida_idaapi.struct_unpack
ida_lines.COLSTR
ida_lines.SCOLOR_IMPNAME
ida_lines.SCOLOR_INSN
ida_lines.SCOLOR_NUMBER
ida_lines.SCOLOR_REG
ida_nalt.get_input_file_path
ida_netnode.netnode
ida_typeinf.tinfo_t
dump_extra_comments
Retrieve extra comments
Source code
Category
core
Description
Use the ida_lines.get_extra_cmt API to retrieve anterior and posterior extra comments.
This script registers two actions, that can be used to dump the previous and next extra comments.
Shortcuts
Ctrl+Shift+Y Ctrl+Shift+Z
Keywords
ctxmenu
Uses
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_DISASM
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_popup
ida_kernwin.find_widget
ida_kernwin.get_screen_ea
ida_kernwin.register_action
ida_kernwin.unregister_action
ida_lines.E_NEXT
ida_lines.E_PREV
ida_lines.get_extra_cmt
ida_view
dump_flowchart
Dump function flowchart
Source code
Category
core
Description
Dumps the current function's flowchart, using 2 methods:
the low-level
ida_gdl.qflow_chart_ttypethe somewhat higher-level, and slightly more pythonic
ida_gdl.FlowCharttype.
Uses
ida_funcs.get_func
ida_gdl.FlowChart
ida_gdl.qflow_chart_t
ida_kernwin.get_screen_ea
dump_selection
Retrieve & dump current selection
Source code
Category
core
Description
Shows how to retrieve the selection from a listing widget ("IDA View-A", "Hex View-1", "Pseudocode-A", ...) as two "cursors", and from there retrieve (in fact, generate) the corresponding text.
After running this script:
select some text in one of the listing widgets (i.e., "IDA View-", "Local Types", "Pseudocode-")
press Ctrl+Shift+S to dump the selection
Shortcut
Ctrl+Shift+S
Uses
ida_kernwin.ACF_HAS_SELECTION
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_DISASM
ida_kernwin.BWN_PSEUDOCODE
ida_kernwin.BWN_TILVIEW
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.get_current_viewer
ida_kernwin.get_viewer_user_data
ida_kernwin.l_compare2
ida_kernwin.linearray_t
ida_kernwin.read_selection
ida_kernwin.register_action
ida_kernwin.twinpos_t
ida_kernwin.unregister_action
ida_lines.tag_remove
extend_idc
Add functions to the IDC runtime from IDAPython
Source code
Category
core
Description
You can add IDC functions to IDA, whose "body" consists of IDAPython statements!
We'll register a 'pow' function, available to all IDC code, that when invoked will call back into IDAPython, and execute the provided function body.
After running this script, try switching to the IDC interpreter (using the button on the lower-left corner of IDA) and executing pow(3, 7)
Uses
ida_expr.VT_LONG
ida_expr.add_idc_func
find_string
Showcasing `ida_bytes.find_string`
Source code
Category
core
Description
IDAPython's ida_bytes.find_string can be used to implement a simple replacement for the 'Search > Sequence of bytes...' dialog, that lets users search for sequences of bytes that compose string literals in the binary file (either in the default 1-byte-per-char encoding, or as UTF-16.)
Shortcut
Ctrl+Shift+S
Uses
ida_bytes.BIN_SEARCH_FORWARD
ida_bytes.BIN_SEARCH_NOBREAK
ida_bytes.BIN_SEARCH_NOSHOW
ida_bytes.find_string
ida_ida.inf_get_max_ea
ida_idaapi.BADADDR
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_DISASM
ida_kernwin.Form
ida_kernwin.Form.ChkGroupControl
ida_kernwin.Form.StringInput
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.get_screen_ea
ida_kernwin.jumpto
ida_kernwin.register_action
ida_nalt.BPU_1B
ida_nalt.BPU_2B
ida_nalt.get_default_encoding_idx
idapythonrc
Code to be run right after IDAPython initialization
Source code
Category
core
Description
The idapythonrc.py file:
%APPDATA%\Hex-Rays\IDA Pro\idapythonrc.py (on Windows)
~/.idapro/idapythonrc.py (on Linux & Mac)
can contain any IDAPython code that will be run as soon as IDAPython is done successfully initializing.
install_user_defined_prefix
Inserting information into disassembly prefixes
Source code
core/install_user_defined_prefix.py
Category
core
Description
By default, disassembly line prefixes contain segment + address information (e.g., '.text:08047718'), but it is possible to "inject" other bits of information in there, thanks to the ida_lines.user_defined_prefix_t helper type.
Keywords
plugin
Uses
ida_idaapi.PLUGIN_KEEP
ida_idaapi.plugin_t
ida_lines.SCOLOR_INV
ida_lines.user_defined_prefix_t
list_bookmarks
List bookmarks associated to a listing
Source code
Category
core
Description
This sample shows how to programmatically access the list of bookmarks placed in a listing widget (e.g., "IDA View-A", "Pseudocode-", …) using the low-level ida_moves.bookmarks_t type.
Shortcut
Ctrl+!
Keywords
bookmarks
Uses
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.get_current_viewer
ida_kernwin.get_viewer_user_data
ida_kernwin.get_widget_title
ida_kernwin.register_action
ida_moves.bookmarks_t
list_function_items
Showcases (a few of) the iterators available on a function
Source code
Category
core
Description
This demonstrates how to use some of the iterators available on the func_t type.
This example will focus on:
func_t[.__iter__]: the default iterator; iterates on instructionsfunc_t.data_items: iterate on data items contained within a functionfunc_t.head_items: iterate on 'heads' (i.e., addresses containing the start of an instruction, or a data item.func_t.addresses: iterate on all addresses within function (code and data, beginning of an item or not)
Type help(ida_funcs.func_t) for a full list of iterators.
In addition, one can use:
func_tail_iterator_t: iterate on all the chunks (including the main one) of the functionfunc_parent_iterator_t: iterate on all the parent functions, that include this chunk
Keywords
funcs iterator
Uses
ida_bytes.get_flags
ida_bytes.is_code
ida_bytes.is_data
ida_bytes.is_tail
ida_bytes.is_unknown
ida_funcs.func_tail_iterator_t
ida_funcs.get_fchunk
ida_funcs.get_func
ida_funcs.get_func_name
ida_kernwin.get_screen_ea
ida_ua.print_insn_mnem
list_imports
Enumerate file imports
Source code
Category
core
Description
Using the API to enumerate file imports.
Uses
ida_nalt.enum_import_names
ida_nalt.get_import_module_name
ida_nalt.get_import_module_qty
list_patched_bytes
Enumerate patched bytes
Source code
Category
core
Description
Using the API to iterate over all the places in the file, that were patched using IDA.
Uses
ida_bytes.visit_patched_bytes
ida_idaapi.BADADDR
list_problems
Enumerate problems
Source code
Category
core
Description
Using the API to list all problem[atic situation]s that IDA encountered during analysis.
Uses
ida_ida.inf_get_min_ea
ida_idaapi.BADADDR
ida_problems.PR_ATTN
ida_problems.PR_BADSTACK
ida_problems.PR_COLLISION
ida_problems.PR_DECIMP
ida_problems.PR_DISASM
ida_problems.PR_FINAL
ida_problems.PR_HEAD
ida_problems.PR_ILLADDR
ida_problems.PR_JUMP
ida_problems.PR_MANYLINES
ida_problems.PR_NOBASE
ida_problems.PR_NOCMT
ida_problems.PR_NOFOP
ida_problems.PR_NONAME
ida_problems.PR_NOXREFS
ida_problems.PR_ROLLED
ida_problems.get_problem
ida_problems.get_problem_name
list_segment_functions
List all functions (and xrefs) in segment
Source code
core/list_segment_functions.py
Category
core
Description
List all the functions in the current segment, as well as all the cross-references to them.
Keywords
xrefs
Uses
ida_funcs.get_func
ida_funcs.get_func_name
ida_funcs.get_next_func
ida_kernwin.get_screen_ea
ida_segment.getseg
ida_xref.xrefblk_t
See also
list_segment_functions_using_idautils
List all functions (and xrefs) in segment
Source code
core/list_segment_functions_using_idautils.py
Category
core
Description
List all the functions in the current segment, as well as all the cross-references to them.
Contrary to @list_segment_functions, this uses the somewhat higher-level idautils module.
Keywords
xrefs
Uses
ida_funcs.get_func_name
ida_idaapi.BADADDR
ida_kernwin.get_screen_ea
ida_segment.getseg
idautils.CodeRefsTo
idautils.Functions
See also
list_stkvar_xrefs
List all xrefs to a function stack variable
Source code
Category
core
Description
Contrary to (in-memory) data & code xrefs, retrieving stack variables xrefs requires a bit more work than just using ida_xref's first_to(), next_to() (or higher level utilities such as idautils.XrefsTo)
Shortcut
Ctrl+Shift+F7
Keywords
xrefs
Uses
ida_bytes.get_flags
ida_bytes.is_stkvar
ida_frame.calc_stkvar_struc_offset
ida_funcs.get_func
ida_ida.UA_MAXOP
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_DISASM
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.get_current_viewer
ida_kernwin.get_highlight
ida_kernwin.get_screen_ea
ida_kernwin.register_action
ida_typeinf.STRMEM_NAME
ida_typeinf.tinfo_t
ida_typeinf.udm_t
ida_ua.decode_insn
ida_ua.insn_t
list_strings
Retrieve the strings that are present in the IDB
Source code
Category
core
Description
This uses idautils.Strings to iterate over the string literals that are present in the IDB. Contrary to @show_selected_strings, this will not require that the "Strings" window is opened & available.
Uses
ida_nalt.STRTYPE_C
ida_nalt.STRTYPE_C_16
idautils.Strings
See also
produce_c_file
Decompile entire file
Source code
Category
core
Description
Automate IDA to perform auto-analysis on a file and, once that is done, produce a .c file containing the decompilation of all the functions in that file.
Run like so:
ida -A "-S...path/to/produce_c_file.py" <binary-file>where:
-A instructs IDA to run in non-interactive mode
-S holds a path to the script to run (note this is a single token; there is no space between '-S' and its path.)
Uses
ida_auto.auto_wait
ida_hexrays.VDRUN_MAYSTOP
ida_hexrays.VDRUN_NEWFILE
ida_hexrays.VDRUN_SILENT
ida_hexrays.decompile_many
ida_loader.PATH_TYPE_IDB
ida_loader.get_path
ida_pro.qexit
produce_lst_file
Produce listing
Source code
Category
core
Description
Automate IDA to perform auto-analysis on a file and, once that is done, produce a .lst file with the disassembly.
Run like so:
ida -A "-S...path/to/produce_lst_file.py" <binary-file>where:
-A instructs IDA to run in non-interactive mode
-S holds a path to the script to run (note this is a single token; there is no space between '-S' and its path.)
Uses
ida_auto.auto_wait
ida_fpro.qfile_t
ida_ida.inf_get_max_ea
ida_ida.inf_get_min_ea
ida_loader.OFILE_LST
ida_loader.PATH_TYPE_IDB
ida_loader.gen_file
ida_loader.get_path
ida_pro.qexit
register_timer
Using timers for delayed execution
Source code
Category
core
Description
Register (possibly repeating) timers.
Uses
ida_kernwin.register_timer
trigger_actions_programmatically
Execute existing actions programmatically
Source code
core/trigger_actions_programmatically.py
Category
core
Description
It's possible to invoke any action programmatically, by using either of those two:
ida_kernwin.execute_ui_requests()
ida_kernwin.process_ui_action()
Ideally, this script should be run through the "File > Script file..." menu, so as to keep focus on "IDA View-A" and have the 'ProcessUiActions' part work as intended.
Keywords
actions
Uses
ida_kernwin.ask_yn
ida_kernwin.execute_ui_requests
ida_kernwin.msg
ida_kernwin.process_ui_action
Category: cvt64
py_cvt64_sample
This file contains the CVT64 examples.
Source code
Category
cvt64
Description
For more infortmation see SDK/plugins/cvt64_sample example
Uses
ida_idaapi.BADADDR
ida_idaapi.BADADDR32
ida_netnode.atag
ida_netnode.htag
ida_netnode.stag
Category: debugging
automatic_steps
Programmatically drive a debugging session
Source code
debugging/dbghooks/automatic_steps.py
Category
debugging
Description
Start a debugging session, step through the first five instructions. Each instruction is disassembled after execution.
Keywords
DBG_Hooks
Uses
ida_dbg.DBG_Hooks
ida_dbg.get_reg_val
ida_dbg.request_exit_process
ida_dbg.request_run_to
ida_dbg.request_step_over
ida_dbg.run_requests
ida_ida.inf_get_start_ip
ida_idaapi.BADADDR
ida_lines.generate_disasm_line
ida_lines.tag_remove
dbg_trace
Using the low-level tracing hook
Source code
debugging/dbghooks/dbg_trace.py
Category
debugging
Description
This script demonstrates using the low-level tracing hook (ida_dbg.DBG_Hooks.dbg_trace). It can be run like so:
ida[t].exe -B -Sdbg_trace.py -Ltrace.log file.exeKeywords
DBG_Hooks
Uses
GENDSM_FORCE_CODE
GENDSM_REMOVE_TAGS
NN_call
NN_callfi
NN_callni
generate_disasm_line
ida_dbg.DBG_Hooks
ida_dbg.ST_OVER_DEBUG_SEG
ida_dbg.ST_OVER_LIB_FUNC
ida_dbg.enable_step_trace
ida_dbg.get_process_state
ida_dbg.get_reg_val
ida_dbg.get_step_trace_options
ida_dbg.load_debugger
ida_dbg.refresh_debugger_memory
ida_dbg.request_continue_process
ida_dbg.request_enable_step_trace
ida_dbg.request_set_step_trace_options
ida_dbg.run_requests
ida_dbg.run_to
ida_dbg.set_step_trace_options
ida_dbg.wait_for_next_event
ida_ida.f_ELF
ida_ida.f_MACHO
ida_ida.f_PE
ida_ida.inf_get_filetype
ida_ida.inf_get_max_ea
ida_ida.inf_get_min_ea
ida_ida.inf_get_start_ip
ida_pro.qexit
ida_ua.decode_insn
ida_ua.insn_t
idc.ARGV
print_call_stack
Print call stack (on Linux)
Source code
debugging/misc/print_call_stack.py
Category
debugging
Description
Print the return addresses from the call stack at a breakpoint.
(and print also the module and the debug name from debugger)To use this example:
run
ida64on test programsimple_appcall_linux64, oridaon test programsimple_appcall_linux32, and wait for auto-analysis to finishput a breakpoint where you want to see the call stack
select the 'linux debugger' (either local, or remote)
start debugging
Press Shift+C at the breakpoint
Shortcut
Shift+C
Uses
ida_dbg.collect_stack_trace
ida_dbg.get_current_thread
ida_dbg.get_module_info
ida_idd.call_stack_t
ida_idd.modinfo_t
ida_kernwin.AST_ENABLE_ALWAYS
ida_kernwin.action_desc_t
ida_kernwin.register_action
ida_name.GNCN_NOCOLOR
ida_name.GNCN_NOLABEL
ida_name.GNCN_NOSEG
ida_name.GNCN_PREFDBG
ida_name.get_nice_colored_name
print_registers
Print all registers, for all threads
Source code
debugging/misc/print_registers.py
Category
debugging
Description
Iterate over the list of threads in the program being
debugged, and dump all registers contentsTo use this example:
run
ida64on test programsimple_appcall_linux64, oridaon test programsimple_appcall_linux32, and wait for auto-analysis to finishput a breakpoint somewhere in the code
select the 'linux debugger' (either local, or remote)
start debugging
Press Alt+Shift+C at the breakpoint
Shortcut
Alt+Shift+C
Uses
ida_dbg.get_reg_vals
ida_dbg.get_thread_qty
ida_dbg.getn_thread
ida_idd.get_dbg
ida_kernwin.AST_ENABLE_ALWAYS
ida_kernwin.action_desc_t
ida_kernwin.register_action
registers_context_menu
Adding actions to the "registers" widget(s)
Source code
debugging/misc/registers_context_menu.py
Category
debugging
Description
It's possible to add actions to the context menu of pretty much all widgets in IDA.
This example shows how to do just that for registers-displaying widgets (e.g., "General registers")
Keywords
ctxmenu UI_Hooks
Uses
ida_dbg.get_dbg_reg_info
ida_dbg.get_reg_val
ida_idd.register_info_t
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_CPUREGS
ida_kernwin.UI_Hooks
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_popup
ida_kernwin.get_widget_type
ida_kernwin.register_action
ida_ua.dt_byte
ida_ua.dt_dword
ida_ua.dt_qword
ida_ua.dt_word
show_debug_names
Retrieving & dumping debuggee symbols
Source code
Category
debugging
Description
Queries the debugger (possibly remotely) for the list of symbols that the process being debugged, provides.
Uses
ida_dbg.DSTATE_SUSP
ida_dbg.get_process_state
ida_dbg.is_debugger_on
ida_ida.inf_get_max_ea
ida_ida.inf_get_min_ea
ida_name.get_debug_names
simple_appcall_linux
Executing code into the application being debugged (on Linux)
Source code
debugging/appcall/simple_appcall_linux.py
Category
debugging
Description
Using the ida_idd.Appcall utility to execute code in the process being debugged.
This example will run the test program and stop wherever the cursor currently is, and then perform an appcall to execute the ref4 and ref8 functions.
To use this example:
run
ida64on test programsimple_appcall_linux64, oridaon test programsimple_appcall_linux32, and wait for auto-analysis to finishselect the 'linux debugger' (either local, or remote)
run this script
Note: the real body of code is in simple_appcall_common.py.
Imports
simple_appcall_common
Uses
ida_dbg.DBG_Hooks
ida_dbg.run_to
ida_idaapi.BADADDR
ida_idd.Appcall
ida_idd.Appcall.byref
ida_idd.Appcall.int64
ida_kernwin.get_screen_ea
ida_name.get_name_ea
ida_name.set_name
ida_typeinf.apply_cdecl
simple_appcall_win
Executing code into the application being debugged (on Windows)
Source code
debugging/appcall/simple_appcall_win.py
Category
debugging
Description
Using the ida_idd.Appcall utility to execute code in the process being debugged.
This example will run the test program and stop wherever the cursor currently is, and then perform an appcall to execute the ref4 and ref8 functions.
To use this example:
run
ida64on test programsimple_appcall_win64.exe, oridaon test programsimple_appcall_win32.exe, and wait for auto-analysis to finishselect the 'windows debugger' (either local, or remote)
run this script
Note: the real body of code is in simple_appcall_common.py.
Imports
simple_appcall_common
Uses
ida_dbg.DBG_Hooks
ida_dbg.run_to
ida_ida.inf_is_64bit
ida_idaapi.BADADDR
ida_idd.Appcall
ida_idd.Appcall.byref
ida_idd.Appcall.int64
ida_kernwin.get_screen_ea
ida_name.get_name_ea
ida_name.set_name
ida_typeinf.apply_cdecl
Category: disassembly
colorize_disassembly
Change background colours
Source code
Category
disassembly
Description
This illustrates the setting/retrieval of background colours using the IDC wrappers
In order to do so, we'll be assigning colors to specific ranges (item, function, or segment). Those will be persisted in the database.
Keywords
coloring idc
Uses
idc.CIC_FUNC
idc.CIC_ITEM
idc.CIC_SEGM
idc.get_color
idc.here
idc.set_color
See also
Category: hexrays
colorize_pseudocode_lines
Interactively color certain pseudocode lines
Source code
hexrays/colorize_pseudocode_lines.py
Category
hexrays
Description
Provides an action that can be used to dynamically alter the lines background rendering for pseudocode listings (as opposed to using ida_hexrays.cfunc_t.pseudocode[N].bgcolor)
After running this script, pressing 'M' on a line in a "Pseudocode-?" widget, will cause that line to be rendered with a special background color.
Shortcut
M
Keywords
colors UI_Hooks
Uses
ida_hexrays.get_widget_vdui
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_PSEUDOCODE
ida_kernwin.CK_EXTRA11
ida_kernwin.UI_Hooks
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.get_custom_viewer_location
ida_kernwin.line_rendering_output_entry_t
ida_kernwin.refresh_custom_viewer
ida_kernwin.register_action
ida_moves.lochist_entry_t
curpos_details
A focus on the 'curpos' hook, printing additional details about user input
Source code
Category
hexrays
Description
Shows how user input information can be retrieved during processing of a notification triggered by that input
Keywords
Hexrays_Hooks
Uses
ida_hexrays.Hexrays_Hooks
ida_kernwin.get_user_input_event
ida_kernwin.iek_key_press
ida_kernwin.iek_key_release
ida_kernwin.iek_mouse_button_press
ida_kernwin.iek_mouse_button_release
ida_kernwin.iek_mouse_wheel
ida_kernwin.iek_shortcut
ida_kernwin.input_event_t
See also
decompile_entry_points
Automatic decompilation of functions
Source code
hexrays/decompile_entry_points.py
Category
hexrays
Description
Attempts to load a decompiler plugin corresponding to the current architecture (and address size) right after auto-analysis is performed, and then tries to decompile the function at the first entrypoint.
It is particularly suited for use with the '-S' flag, for example: idat -Ldecompile.log -Sdecompile_entry_points.py -c file
Uses
ida_auto.auto_wait
ida_entry.get_entry
ida_entry.get_entry_ordinal
ida_entry.get_entry_qty
ida_hexrays.decompile
ida_hexrays.init_hexrays_plugin
ida_ida.inf_is_64bit
ida_idp.PLFM_386
ida_idp.PLFM_ARM
ida_idp.PLFM_MIPS
ida_idp.PLFM_PPC
ida_idp.ph.id
ida_kernwin.cvar.batch
ida_kernwin.msg
ida_loader.load_plugin
ida_pro.qexit
idc.get_idb_path
vds1
Decompile & print current function.
Source code
Category
hexrays
Description
Decompile & print current function.
Uses
ida_funcs.get_func
ida_hexrays.decompile
ida_hexrays.get_hexrays_version
ida_hexrays.init_hexrays_plugin
ida_kernwin.get_screen_ea
ida_lines.tag_remove
vds10
A custom microcode instruction optimization rule
Source code
Category
hexrays
Description
Installs a custom microcode instruction optimization rule, to transform:
call !DbgRaiseAssertionFailure <fast:>.0into
call !DbgRaiseAssertionFailure <fast:"char *" "assertion text">.0To see this plugin in action please use arm64_brk.i64
Keywords
plugin
Uses
ida_bytes.get_cmt
ida_hexrays.init_hexrays_plugin
ida_hexrays.mop_str
ida_hexrays.optinsn_t
ida_idaapi.PLUGIN_HIDE
ida_idaapi.PLUGIN_KEEP
ida_idaapi.plugin_t
ida_typeinf.STI_PCCHAR
ida_typeinf.tinfo_t.get_stock
vds11
A custom microcode block optimization rule (resolve `goto` chains)
Source code
Category
hexrays
Description
Installs a custom microcode block optimization rule, to transform:
goto L1
...
L1:
goto L2into
goto L2In other words we fix a goto target if it points to a chain of gotos. This improves the decompiler output in some cases.
Keywords
plugin
Uses
ida_hexrays.getf_reginsn
ida_hexrays.init_hexrays_plugin
ida_hexrays.m_goto
ida_hexrays.optblock_t
ida_idaapi.PLUGIN_HIDE
ida_idaapi.PLUGIN_KEEP
ida_idaapi.plugin_t
vds12
List instruction registers
Source code
Category
hexrays
Description
Shows a list of direct references to a register from the current instruction.
Uses
ida_bytes.get_flags
ida_bytes.is_code
ida_funcs.get_func
ida_hexrays.ACFL_GUESS
ida_hexrays.DECOMP_NO_CACHE
ida_hexrays.DECOMP_WARNINGS
ida_hexrays.GCO_DEF
ida_hexrays.GCO_USE
ida_hexrays.GC_REGS_AND_STKVARS
ida_hexrays.MERR_OK
ida_hexrays.MMAT_PREOPTIMIZED
ida_hexrays.MUST_ACCESS
ida_hexrays.gco_info_t
ida_hexrays.gen_microcode
ida_hexrays.get_current_operand
ida_hexrays.get_merror_desc
ida_hexrays.hexrays_failure_t
ida_hexrays.init_hexrays_plugin
ida_hexrays.mba_ranges_t
ida_hexrays.mlist_t
ida_hexrays.op_parent_info_t
ida_hexrays.voff_t
ida_kernwin.Choose
ida_kernwin.get_screen_ea
ida_kernwin.jumpto
ida_kernwin.warning
ida_lines.GENDSM_REMOVE_TAGS
ida_lines.generate_disasm_line
ida_pro.eavec_t
vds13
Generates microcode for selection
Source code
Category
hexrays
Description
Generates microcode for selection and dumps it to the output window.
Uses
ida_bytes.get_flags
ida_bytes.is_code
ida_hexrays.DECOMP_WARNINGS
ida_hexrays.gen_microcode
ida_hexrays.hexrays_failure_t
ida_hexrays.init_hexrays_plugin
ida_hexrays.mba_ranges_t
ida_hexrays.vd_printer_t
ida_kernwin.read_range_selection
ida_kernwin.warning
ida_range.range_t
vds17
Using the "Select offsets" widget
Source code
Category
hexrays
Description
Registers an action opens the "Select offsets" widget (select_udt_by_offset() call).
This effectively repeats the functionality already available through Alt+Y.
Place cursor on the union field and press Shift+T
Shortcut
Shift+T
Keywords
plugin
Uses
ida_hexrays.USE_KEYBOARD
ida_hexrays.cot_add
ida_hexrays.cot_cast
ida_hexrays.cot_memptr
ida_hexrays.cot_memref
ida_hexrays.cot_num
ida_hexrays.cot_ref
ida_hexrays.get_hexrays_version
ida_hexrays.get_widget_vdui
ida_hexrays.init_hexrays_plugin
ida_hexrays.select_udt_by_offset
ida_hexrays.ui_stroff_applicator_t
ida_hexrays.ui_stroff_ops_t
ida_idaapi.BADADDR
ida_idaapi.PLUGIN_HIDE
ida_idaapi.PLUGIN_KEEP
ida_idaapi.plugin_t
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_PSEUDOCODE
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.get_custom_viewer_curline
ida_kernwin.msg
ida_kernwin.register_action
ida_kernwin.warning
ida_lines.tag_remove
ida_typeinf.PRTYPE_1LINE
ida_typeinf.print_tinfo
ida_typeinf.remove_pointer
vds19
A custom microcode instruction optimization rule (`x | ~x => -1`)
Source code
Category
hexrays
Description
Installs a custom microcode instruction optimization rule, to transform:
x | ~xinto
-1To see this plugin in action please use be_ornot_be.idb
Keywords
plugin
Uses
ida_hexrays.init_hexrays_plugin
ida_hexrays.m_bnot
ida_hexrays.m_mov
ida_hexrays.m_or
ida_hexrays.minsn_visitor_t
ida_hexrays.mop_t
ida_hexrays.optinsn_t
ida_idaapi.PLUGIN_HIDE
ida_idaapi.PLUGIN_KEEP
ida_idaapi.plugin_t
vds21
Dynamically provide a custom call type
Source code
Category
hexrays
Description
This plugin can greatly improve decompilation of indirect calls:
call [eax+4]For them, the decompiler has to guess the prototype of the called function. This has to be done at a very early phase of decompilation because the function prototype influences the data flow analysis. On the other hand, we do not have global data flow analysis results yet because we haven't analyzed all calls in the function. It is a chicked-and-egg problem.
The decompiler uses various techniques to guess the called function prototype. While it works very well, it may fail in some cases.
To fix, the user can specify the call prototype manually, using "Edit, Operand types, Set operand type" at the call instruction.
This plugin illustrates another approach to the problem: if you happen to be able to calculate the call prototypes dynamically, this is how to inform the decompiler about them.
Keywords
Hexrays_Hooks plugin
Uses
ida_hexrays.Hexrays_Hooks
ida_hexrays.init_hexrays_plugin
ida_hexrays.m_call
ida_hexrays.mcallinfo_t
ida_idaapi.PLUGIN_HIDE
ida_idaapi.PLUGIN_KEEP
ida_idaapi.plugin_t
ida_kernwin.msg
ida_kernwin.warning
ida_nalt.get_op_tinfo
ida_typeinf.BT_INT
ida_typeinf.CM_CC_STDCALL
ida_typeinf.CM_N32_F48
ida_typeinf.parse_decl
ida_typeinf.tinfo_t
vds3
Invert if/else blocks
Source code
Category
hexrays
Description
Registers an action that can be used to invert the if and else blocks of a ida_hexrays.cif_t.
For example, a statement like
if ( cond )
{
statements1;
}
else
{
statements2;
}will be displayed as
if ( !cond )
{
statements2;
}
else
{
statements1;
}The modifications are persistent: the user can quit & restart IDA, and the changes will be present.
Shortcut
I
Keywords
ctxmenu Hexrays_Hooks IDP_Hooks plugin
Uses
ida_hexrays.CMAT_FINAL
ida_hexrays.CV_FAST
ida_hexrays.CV_INSNS
ida_hexrays.Hexrays_Hooks
ida_hexrays.ITP_ELSE
ida_hexrays.USE_KEYBOARD
ida_hexrays.VDI_TAIL
ida_hexrays.cexpr_t
ida_hexrays.cit_if
ida_hexrays.ctree_visitor_t
ida_hexrays.get_widget_vdui
ida_hexrays.init_hexrays_plugin
ida_hexrays.lnot
ida_hexrays.qswap
ida_idaapi.PLUGIN_HIDE
ida_idaapi.PLUGIN_KEEP
ida_idaapi.plugin_t
ida_idp.IDP_Hooks
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_PSEUDOCODE
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_popup
ida_kernwin.register_action
ida_netnode.netnode
Author
EiNSTeiN_ (einstein@g3nius.org)
vds4
Dump user-defined information
Source code
Category
hexrays
Description
Prints user-defined information to the "Output" window. Namely:
user defined label names
user defined indented comments
user defined number formats
user defined local variable names, types, comments
This script loads information from the database without decompiling anything.
Uses
ida_bytes.get_radix
ida_funcs.get_func
ida_hexrays.CIT_COLLAPSED
ida_hexrays.NF_NEGATE
ida_hexrays.init_hexrays_plugin
ida_hexrays.lvar_uservec_t
ida_hexrays.restore_user_cmts
ida_hexrays.restore_user_iflags
ida_hexrays.restore_user_labels
ida_hexrays.restore_user_lvar_settings
ida_hexrays.restore_user_numforms
ida_hexrays.user_cmts_free
ida_hexrays.user_iflags_free
ida_hexrays.user_labels_free
ida_hexrays.user_numforms_free
ida_kernwin.get_screen_ea
Author
EiNSTeiN_ (einstein@g3nius.org)
vds5
Show ctree graph
Source code
Category
hexrays
Description
Registers an action that can be used to show the graph of the ctree. The current item will be highlighted in the graph.
The command shortcut is Ctrl+Shift+G, and is also added to the context menu.
To display the graph, we produce a .gdl file, and request that ida displays that using ida_gdl.display_gdl.
Shortcut
Ctrl+Shift+G
Keywords
ctxmenu Hexrays_Hooks plugin
Uses
ida_gdl.display_gdl
ida_hexrays.Hexrays_Hooks
ida_hexrays.USE_KEYBOARD
ida_hexrays.cit_asm
ida_hexrays.cit_goto
ida_hexrays.cot_helper
ida_hexrays.cot_memptr
ida_hexrays.cot_memref
ida_hexrays.cot_num
ida_hexrays.cot_obj
ida_hexrays.cot_ptr
ida_hexrays.cot_str
ida_hexrays.cot_var
ida_hexrays.ctree_parentee_t
ida_hexrays.get_ctype_name
ida_hexrays.get_widget_vdui
ida_hexrays.init_hexrays_plugin
ida_idaapi.PLUGIN_HIDE
ida_idaapi.PLUGIN_KEEP
ida_idaapi.plugin_t
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_PSEUDOCODE
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_popup
ida_kernwin.register_action
ida_kernwin.warning
ida_lines.tag_remove
ida_pro.str2user
vds6
Superficially modify the decompilation output
Source code
Category
hexrays
Description
Modifies the decompilation output in a superficial manner, by removing some white spaces
Note: this is rather crude, not quite "pythonic" code.
Keywords
Hexrays_Hooks plugin
Uses
ida_hexrays.Hexrays_Hooks
ida_hexrays.init_hexrays_plugin
ida_idaapi.PLUGIN_HIDE
ida_idaapi.PLUGIN_KEEP
ida_idaapi.plugin_t
ida_lines.tag_advance
ida_lines.tag_skipcodes
vds7
Iterate a cblock_t object
Source code
Category
hexrays
Description
Using a ida_hexrays.ctree_visitor_t, search for ida_hexrays.cit_block instances and dump them.
Keywords
Hexrays_Hooks
Uses
ida_hexrays.CMAT_BUILT
ida_hexrays.CV_FAST
ida_hexrays.Hexrays_Hooks
ida_hexrays.cit_block
ida_hexrays.ctree_visitor_t
ida_hexrays.init_hexrays_plugin
Author
EiNSTeiN_ (einstein@g3nius.org)
vds8
Using `ida_hexrays.udc_filter_t`
Source code
Category
hexrays
Description
Registers an action that uses a ida_hexrays.udc_filter_t to decompile svc 0x900001 and svc 0x9000F8 as function calls to svc_exit() and svc_exit_group() respectively.
You will need to have an ARM + Linux IDB for this script to be usable
In addition to having a shortcut, the action will be present in the context menu.
Shortcut
Ctrl+Shift+U
Keywords
ctxmenu UI_Hooks
Uses
ida_allins.ARM_svc
ida_hexrays.get_widget_vdui
ida_hexrays.init_hexrays_plugin
ida_hexrays.install_microcode_filter
ida_hexrays.udc_filter_t
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_PSEUDOCODE
ida_kernwin.UI_Hooks
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_popup
ida_kernwin.get_widget_type
ida_kernwin.register_action
vds_create_hint
Decompiler hints
Source code
Category
hexrays
Description
Handle ida_hexrays.hxe_create_hint notification using hooks, to return our own.
If the object under the cursor is:
a function call, prefix the original decompiler hint with
==>a local variable declaration, replace the hint with our own in the form of
!{varname}(where{varname}is replaced with the variable name)an
ifstatement, replace the hint with our own, saying "condition"
Keywords
Hexrays_Hooks
Uses
ida_hexrays.Hexrays_Hooks
ida_hexrays.USE_MOUSE
ida_hexrays.VDI_EXPR
ida_hexrays.VDI_LVAR
ida_hexrays.cit_if
ida_hexrays.cot_call
vds_hooks
Various decompiler hooks
Source code
Category
hexrays
Description
Shows how to hook to many notifications sent by the decompiler.
This plugin doesn't really accomplish anything: it just prints the parameters.
The list of notifications handled below should be exhaustive, and is there to hint at what is possible to accomplish by subclassing ida_hexrays.Hexrays_Hooks
Keywords
Hexrays_Hooks
Uses
ida_hexrays.Hexrays_Hooks
ida_hexrays.cfunc_t
ida_hexrays.lvar_t
ida_hexrays.vdui_t
See also
vds_modify_user_lvars
Modifying local variables
Source code
hexrays/vds_modify_user_lvars.py
Category
hexrays
Description
Use a ida_hexrays.user_lvar_modifier_t to modify names, comments and/or types of local variables.
Uses
ida_hexrays.modify_user_lvars
ida_hexrays.user_lvar_modifier_t
ida_typeinf.parse_decl
idc.here
vds_xrefs
Show decompiler xrefs
Source code
Category
hexrays
Description
Show decompiler-style Xref when the Ctrl+X key is pressed in the Decompiler window.
supports any global name: functions, strings, integers, ...
supports structure member.
Shortcut
Ctrl+X
Keywords
ctxmenu Hexrays_Hooks
Uses
ida_funcs.get_func_name
ida_hexrays.DECOMP_GXREFS_FORCE
ida_hexrays.Hexrays_Hooks
ida_hexrays.USE_KEYBOARD
ida_hexrays.VDI_EXPR
ida_hexrays.VDI_FUNC
ida_hexrays.cexpr_t
ida_hexrays.cfunc_t
ida_hexrays.cinsn_t
ida_hexrays.decompile
ida_hexrays.get_widget_vdui
ida_hexrays.init_hexrays_plugin
ida_hexrays.open_pseudocode
ida_hexrays.qstring_printer_t
ida_idaapi.BADADDR
ida_kernwin.AST_DISABLE
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE
ida_kernwin.BWN_PSEUDOCODE
ida_kernwin.PluginForm
ida_kernwin.PluginForm.Show
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_popup
ida_kernwin.register_action
ida_typeinf.PRTYPE_1LINE
ida_typeinf.STRMEM_OFFSET
ida_typeinf.print_tinfo
ida_typeinf.tinfo_t
ida_typeinf.udm_t
idautils.Functions
idautils.XrefsTo
Author
EiNSTeiN_ (einstein@g3nius.org)
Category: idbhooks
log_idb_events
Logging IDB events
Source code
Category
idbhooks
Description
These hooks will be notified about IDB events, and dump their information to the "Output" window
Keywords
IDB_Hooks
Uses
ida_idp.IDB_Hooks
operand_changed
Notify the user when an instruction operand changes
Source code
Category
idbhooks
Description
Show notifications whenever the user changes an instruction's operand, or a data item.
Keywords
IDB_Hooks
Uses
ida_bytes.ALOPT_IGNCLT
ida_bytes.ALOPT_IGNHEADS
ida_bytes.get_flags
ida_bytes.get_max_strlit_length
ida_bytes.get_opinfo
ida_bytes.get_strlit_contents
ida_bytes.is_custfmt
ida_bytes.is_custom
ida_bytes.is_enum
ida_bytes.is_off
ida_bytes.is_strlit
ida_bytes.is_stroff
ida_bytes.is_struct
ida_idp.IDB_Hooks
ida_nalt.STRENC_DEFAULT
ida_nalt.get_default_encoding_idx
ida_nalt.get_encoding_name
ida_nalt.get_str_encoding_idx
ida_nalt.get_strtype_bpu
ida_nalt.opinfo_t
ida_typeinf.get_tid_name
ida_typeinf.tinfo_t
replay_prototypes_changes
Record and replay changes in function prototypes
Source code
idbhooks/replay_prototypes_changes.py
Category
idbhooks
Description
This is a sample script, that will record (in memory) all changes in functions prototypes, in order to re-apply them later.
To use this script:
open an IDB (say, "test.idb")
modify some functions prototypes (e.g., by triggering the 'Y' shortcut when the cursor is placed on the first address of a function)
reload that IDB, without saving it first
call rpc.replay(), to re-apply the modifications.
Note: 'ti_changed' is also called for changes to the function frames, but we'll only record function prototypes changes.
Keywords
IDB_Hooks
Uses
ida_funcs.get_func
ida_idp.IDB_Hooks
ida_typeinf.PRTYPE_1LINE
ida_typeinf.TINFO_DEFINITE
ida_typeinf.apply_tinfo
ida_typeinf.get_idati
ida_typeinf.tinfo_t
Category: idphooks
ana_emu_out
Override some parts of the processor module
Source code
Category
idphooks
Description
Implements disassembly of BUG_INSTR used in Linux kernel BUG() macro, which is architecturally undefined and is not disassembled by IDA's ARM module
See Linux/arch/arm/include/asm/bug.h for more info
Keywords
IDP_Hooks
Uses
ida_bytes.get_wide_dword
ida_bytes.get_wide_word
ida_idp.CUSTOM_INSN_ITYPE
ida_idp.IDP_Hooks
ida_idp.PLFM_ARM
ida_idp.ph.id
ida_idp.str2reg
ida_segregs.get_sreg
assemble
An `ida_idp.IDP_Hooks.assembly` implementation
Source code
Category
idphooks
Description
We add support for assembling the following pseudo instructions:
"zero eax" -> xor eax, eax
"nothing" -> nop
Keywords
IDP_Hooks
Uses
ida_idp.IDP_Hooks
idautils.DecodeInstruction
Category: merge
py_mex1
Add merge functionality to a simple plugin, example 1
Source code
Category
merge
Description
This is a primitive plugin which asks user for some info and saves it for some addresses.
We will add a merge functionality to plugin.
An IDA plugin may have two kinds of data with permanent storage:
Data common for entire database (e.g. the options). To describe them we will use the idbattr_info_t type.
Data specific to a particular address. To describe them we will use the merge_node_info_t type.
Also, see SDK/plugins/mex1 example
Keywords
IDP_Hooks plugin
Uses
ida_funcs.get_func
ida_ida.IDI_ALTVAL
ida_ida.IDI_CSTR
ida_ida.IDI_SCALAR
ida_ida.IDI_SUPVAL
ida_ida.idbattr_info_t
ida_idaapi.BADADDR
ida_idaapi.PLUGIN_MOD
ida_idaapi.PLUGIN_MULTI
ida_idaapi.plugin_t
ida_idaapi.plugmod_t
ida_idp.IDP_Hooks
ida_kernwin.Form
ida_kernwin.Form.ChkGroupControl
ida_kernwin.Form.StringInput
ida_kernwin.get_screen_ea
ida_merge.MERGE_KIND_END
ida_merge.MERGE_KIND_NONE
ida_merge.NDS_IS_STR
ida_merge.NDS_MAP_IDX
ida_merge.merge_handler_params_t
ida_merge.merge_node_info_t
ida_merge.moddata_diff_helper_t
ida_mergemod.create_std_modmerge_handlers
ida_netnode.BADNODE
ida_netnode.SIZEOF_nodeidx_t
ida_netnode.atag
ida_netnode.netnode
ida_netnode.stag
py_mex3
This example uses the mex1 example and improves the user-interface for it.
Source code
Category
merge
Description
IDA Teams uses a chooser to display the merge conflicts. To fill the chooser columns IDA Teams uses the following methods from diff_source_t type:
print_diffpos_name()
print_diffpos_details() and UI hints from merge_handler_params_t type:
ui_has_details()
ui_complex_details()
ui_complex_name()
In general, chooser columns are filled as following: columns.clear() NAME = print_diffpos_name() if ui_complex_name() then columns.add(split NAME by ui_split_char()) else columns[0] = NAME if not ui_complex_details() then columns.add(print_diffpos_details())
Also, see SDK/plugins/mex3 example
Keywords
IDP_Hooks plugin
Uses
ida_funcs.get_func
ida_ida.IDI_ALTVAL
ida_ida.IDI_CSTR
ida_ida.IDI_SCALAR
ida_ida.IDI_SUPVAL
ida_ida.idbattr_info_t
ida_idaapi.BADADDR
ida_idaapi.PLUGIN_MOD
ida_idaapi.PLUGIN_MULTI
ida_idaapi.plugin_t
ida_idaapi.plugmod_t
ida_idp.IDP_Hooks
ida_kernwin.Form
ida_kernwin.Form.ChkGroupControl
ida_kernwin.Form.StringInput
ida_kernwin.get_screen_ea
ida_merge.MERGE_KIND_END
ida_merge.MERGE_KIND_NONE
ida_merge.MH_UI_COLONNAME
ida_merge.MH_UI_COMMANAME
ida_merge.MH_UI_NODETAILS
ida_merge.NDS_IS_STR
ida_merge.NDS_MAP_IDX
ida_merge.create_nodeval_merge_handlers
ida_merge.get_ea_diffpos_name
ida_merge.merge_handler_params_t
ida_merge.merge_node_helper_t
ida_merge.merge_node_info_t
ida_merge.moddata_diff_helper_t
ida_mergemod.create_std_modmerge_handlers
ida_nalt.node2ea
ida_netnode.BADNODE
ida_netnode.SIZEOF_nodeidx_t
ida_netnode.atag
ida_netnode.netnode
ida_netnode.stag
Category: pyqt
inject_command
Injecting commands in the "Output" window
Source code
Category
pyqt
Description
This example illustrates how one can execute commands in the "Output" window, from their own widgets.
A few notes:
the original, underlying
cli:Executeaction, that has to be triggered for the code present in the input field to execute and be placed in the history, requires that the input field has focus (otherwise it simply won't do anything.)this, in turn, forces us to do "delayed" execution of that action, hence the need for a
QTimerthe IDA/SWiG 'TWidget' type that we retrieve through
ida_kernwin.find_widget, is not the same type as aQtWidgets.QWidget. We therefore need to convert it usingida_kernwin.PluginForm.TWidgetToPyQtWidget
Uses
ida_kernwin.PluginForm.TWidgetToPyQtWidget
ida_kernwin.disabled_script_timeout_t
ida_kernwin.find_widget
ida_kernwin.process_ui_action
paint_over_graph
Custom painting on top of graph view edges
Source code
Category
pyqt
Description
This sample registers an action enabling painting of a recognizable string of text over horizontal nodes edge sections beyond a satisfying size threshold.
In a disassembly view, open the context menu and select "Paint on edges". This should work for both graph disassembly, and proximity browser.
Using an "event filter", we will intercept paint events targeted at the disassembly view, let it paint itself, and then add our own markers along.
Keywords
ctxmenu UI_Hooks
Uses
ida_gdl.edge_t
ida_graph.get_graph_viewer
ida_graph.get_viewer_graph
ida_graph.point_t
ida_graph.viewer_get_gli
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_DISASM
ida_kernwin.PluginForm.FormToPyQtWidget
ida_kernwin.UI_Hooks
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_popup
ida_kernwin.get_widget_type
ida_kernwin.register_action
ida_moves.graph_location_info_t
paint_over_navbar
Custom painting on top of the navigation band
Source code
Category
pyqt
Description
Using an "event filter", we will intercept paint events targeted at the navigation band widget, let it paint itself, and then add our own markers on top.
Uses
ida_kernwin.PluginForm.FormToPyQtWidget
ida_kernwin.get_navband_pixel
ida_kernwin.open_navband_window
ida_segment.get_segm_qty
ida_segment.getnseg
idc.here
populate_pluginform_with_pyqt_widgets
Adding PyQt5 widgets into an `ida_kernwin.PluginForm`
Source code
pyqt/populate_pluginform_with_pyqt_widgets.py
Category
pyqt
Description
Using ida_kernwin.PluginForm.FormToPyQtWidget, this script converts IDA's own dockable widget into a type that is recognized by PyQt5, which then enables populating it with regular Qt widgets.
Uses
ida_kernwin.PluginForm
Category: uihooks
func_chooser_coloring
Using `ida_kernwin.UI_Hooks.get_chooser_item_attrs` to override some defaults
Source code
uihooks/func_chooser_coloring.py
Category
uihooks
Description
Color the function in the Function window according to its size. The larger the function, the darker the color.
Keywords
UI_Hooks
Uses
ida_funcs.get_func
ida_kernwin.UI_Hooks
ida_kernwin.enable_chooser_item_attrs
lines_rendering
Dynamically colorize lines backgrounds (or parts of them)
Source code
Category
uihooks
Description
Shows how one can dynamically alter the lines background rendering (as opposed to, say, using ida_nalt.set_item_color()), and also shows how that rendering can be limited to just a few glyphs, not the whole line.
Keywords
UI_Hooks
Uses
ida_bytes.next_head
ida_idaapi.BADADDR
ida_kernwin.CK_EXTRA1
ida_kernwin.CK_EXTRA10
ida_kernwin.CK_EXTRA11
ida_kernwin.CK_EXTRA12
ida_kernwin.CK_EXTRA13
ida_kernwin.CK_EXTRA14
ida_kernwin.CK_EXTRA15
ida_kernwin.CK_EXTRA16
ida_kernwin.CK_EXTRA2
ida_kernwin.CK_EXTRA3
ida_kernwin.CK_EXTRA4
ida_kernwin.CK_EXTRA5
ida_kernwin.CK_EXTRA6
ida_kernwin.CK_EXTRA7
ida_kernwin.CK_EXTRA8
ida_kernwin.CK_EXTRA9
ida_kernwin.CK_TRACE
ida_kernwin.CK_TRACE_OVL
ida_kernwin.LROEF_CPS_RANGE
ida_kernwin.UI_Hooks
ida_kernwin.get_screen_ea
ida_kernwin.line_rendering_output_entry_t
ida_kernwin.refresh_idaview_anyway
log_misc_events
Being notified, and logging a few UI events
Source code
Category
uihooks
Description
Hooks to be notified about certain UI events, and dump their information to the "Output" window
Keywords
UI_Hooks
Uses
ida_kernwin.UI_Hooks
prevent_jump
Taking precedence over actions
Source code
Category
uihooks
Description
Using ida_kernwin.UI_Hooks.preprocess_action, it is possible to respond to a command instead of the action that would otherwise do it.
Keywords
UI_Hooks
Uses
ida_kernwin.UI_Hooks
Category: widgets
add_menus
Adding custom menus to IDA
Source code
Category
widgets
Description
It is possible to add custom menus to IDA, either at the toplevel (i.e., into the menubar), or as submenus of existing menus.
Notes:
the same action can be present in more than 1 menu
this example does not deal with context menus
Keywords
actions
Uses
ida_kernwin.AST_ENABLE_ALWAYS
ida_kernwin.SETMENU_INS
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_menu
ida_kernwin.create_menu
ida_kernwin.register_action
askusingform
Non-trivial uses of the `ida_kernwin.Form` helper class
Source code
Category
widgets
Description
How to query for complex user input, using IDA's built-in forms.
Note: while this example produces full-fledged forms for complex input, simpler types of inputs might can be retrieved by using ida_kernwin.ask_str and similar functions.
Keywords
forms
Uses
ida_kernwin.Choose
ida_kernwin.Choose.CH_MULTI
ida_kernwin.Form
ida_kernwin.PluginForm.FORM_TAB
ida_kernwin.ask_str
choose
A widget showing data in a tabular fashion
Source code
widgets/tabular_views/custom/choose.py
Category
widgets
Description
Shows how to subclass the ida_kernwin.Choose class to show data organized in a simple table. In addition, registers a couple actions that can be applied to it.
Keywords
actions chooser ctxmenu
Uses
Choose
Choose.ALL_CHANGED
Choose.CH_CAN_DEL
Choose.CH_CAN_EDIT
Choose.CH_CAN_INS
Choose.CH_CAN_REFRESH
Choose.CH_RESTORE
Choose.NOTHING_CHANGED
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_popup
ida_kernwin.is_chooser_widget
ida_kernwin.register_action
ida_kernwin.unregister_action
See also
choose_multi
A widget showing data in a tabular fashion, providing multiple selection
Source code
widgets/tabular_views/custom/choose_multi.py
Category
widgets
Description
Similar to choose, but with multiple selection
Keywords
actions chooser
Uses
Choose
Choose.ALL_CHANGED
Choose.CHCOL_HEX
Choose.CH_MULTI
Choose.NOTHING_CHANGED
See also
chooser_with_folders
A widget that can show tabular data either as a simple table, or with a tree-like structure.
Source code
widgets/tabular_views/custom/chooser_with_folders.py
Category
widgets
Description
By adding the necessary bits to a ida_kernwin.Choose subclass, IDA can show the otherwise tabular data, in a tree-like fashion.
The important bits to enable this are:
ida_dirtree.dirspec_t (and my_dirspec_t)
ida_kernwin.CH_HAS_DIRTREE
ida_kernwin.Choose.OnGetDirTree
ida_kernwin.Choose.OnIndexToInode
Keywords
actions chooser folders
Uses
ida_dirtree.DTE_OK
ida_dirtree.direntry_t
ida_dirtree.direntry_t.BADIDX
ida_dirtree.dirspec_t
ida_dirtree.dirtree_t
ida_dirtree.dirtree_t.isdir
ida_kernwin.CH_CAN_DEL
ida_kernwin.CH_CAN_EDIT
ida_kernwin.CH_CAN_INS
ida_kernwin.CH_HAS_DIRTREE
ida_kernwin.CH_MULTI
ida_kernwin.Choose
ida_kernwin.Choose.ALL_CHANGED
ida_kernwin.Choose.CHCOL_DRAGHINT
ida_kernwin.Choose.CHCOL_INODENAME
ida_kernwin.Choose.CHCOL_PLAIN
ida_kernwin.ask_str
ida_netnode.BADNODE
ida_netnode.netnode
See also
custom_graph_with_actions
Drawing custom graphs
Source code
widgets/graphs/custom_graph_with_actions.py
Category
widgets
Description
Showing custom graphs, using ida_graph.GraphViewer. In addition, show how to write actions that can be performed on those.
Keywords
actions graph View_Hooks
Uses
ida_funcs.get_func
ida_funcs.get_func_name
ida_graph.GraphViewer
ida_graph.get_graph_viewer
ida_graph.screen_graph_selection_t
ida_graph.viewer_get_selection
ida_idp.is_call_insn
ida_kernwin.AST_ENABLE_ALWAYS
ida_kernwin.View_Hooks
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_dynamic_action_to_popup
ida_kernwin.get_screen_ea
ida_ua.decode_insn
ida_ua.insn_t
ida_xref.XREF_FAR
ida_xref.xrefblk_t
custom_viewer
Create custom listings in IDA
Source code
widgets/listings/custom_viewer.py
Category
widgets
Description
How to create simple listings, that will share many of the features as the built-in IDA widgets (highlighting, copy & paste, notifications, ...)
In addition, creates actions that will be bound to the freshly-created widget (using ida_kernwin.attach_action_to_popup.)
Keywords
actions ctxmenu listing
Uses
ida_kernwin.AST_ENABLE_ALWAYS
ida_kernwin.IK_DELETE
ida_kernwin.IK_ESCAPE
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.ask_long
ida_kernwin.ask_str
ida_kernwin.attach_action_to_popup
ida_kernwin.register_action
ida_kernwin.simplecustviewer_t
ida_kernwin.simplecustviewer_t.Create
ida_kernwin.simplecustviewer_t.Show
ida_kernwin.unregister_action
ida_lines.COLOR_DEFAULT
ida_lines.COLOR_DNAME
ida_lines.COLSTR
ida_lines.SCOLOR_PREFIX
ida_lines.SCOLOR_VOIDOP
func_chooser
An alternative view over the list of functions
Source code
widgets/tabular_views/custom/func_chooser.py
Category
widgets
Description
Partially re-implements the "Functions" widget present in IDA, with a custom widget.
Keywords
chooser functions
Uses
ida_funcs.get_func_name
ida_kernwin.Choose
ida_kernwin.Choose.ALL_CHANGED
ida_kernwin.Choose.CHCOL_FNAME
ida_kernwin.Choose.CHCOL_HEX
ida_kernwin.Choose.CHCOL_PLAIN
ida_kernwin.get_icon_id_by_name
idautils.Functions
idc.del_func
See also
jump_next_comment
Implement a "jump to next comment" action within IDA's disassembly view.
Source code
widgets/listings/jump_next_comment.py
Category
widgets
Description
We want our action not only to find the next line containing a comment, but to also place the cursor at the right horizontal position.
To find that position, we will have to inspect the text that IDA generates, looking for the start of a comment. However, we won't be looking for a comment "prefix" (e.g., "; "), as that would be too fragile.
Instead, we will look for special "tags" that IDA injects into textual lines, and that bear semantic information.
Those tags are primarily used for rendering (i.e., switching colors), but can also be very handy for spotting tokens of interest (registers, addresses, comments, prefixes, instruction mnemonics, ...)
Shortcut
Ctrl+Alt+C
Keywords
actions idaview
Uses
ida_bytes.next_head
ida_idaapi.BADADDR
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_DISASM
ida_kernwin.CVNF_LAZY
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.custom_viewer_jump
ida_kernwin.get_custom_viewer_location
ida_kernwin.place_t_as_idaplace_t
ida_kernwin.register_action
ida_kernwin.unregister_action
ida_lines.SCOLOR_AUTOCMT
ida_lines.SCOLOR_ON
ida_lines.SCOLOR_REGCMT
ida_lines.SCOLOR_RPTCMT
ida_lines.generate_disassembly
ida_lines.tag_strlen
ida_moves.lochist_entry_t
See also
lazy_loaded_chooser
save_and_restore_listing_pos
Save, and then restore, positions in a listing
Source code
widgets/listings/save_and_restore_listing_pos.py
Category
widgets
Description
Shows how it is possible re-implement IDA's bookmark capability, using 2 custom actions: one action saves the current location, and the other restores it.
Note that, contrary to actual bookmarks, this example:
remembers only 1 saved position
doesn't save that position in the IDB (and therefore cannot be restored if IDA is closed & reopened.)
Shortcuts
Ctrl+Shift+O Ctrl+Shift+S
Keywords
actions listing
Uses
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_CUSTVIEW
ida_kernwin.BWN_DISASM
ida_kernwin.BWN_PSEUDOCODE
ida_kernwin.BWN_TILVIEW
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.custom_viewer_jump
ida_kernwin.find_widget
ida_kernwin.get_custom_viewer_location
ida_kernwin.register_action
ida_kernwin.unregister_action
ida_moves.lochist_entry_t
See also
show_and_hide_waitbox
Showing, updating & hiding the progress dialog
Source code
widgets/waitbox/show_and_hide_waitbox.py
Category
widgets
Description
Using the progress dialog (aka 'wait box') primitives.
Keywords
actions
Uses
ida_hexrays.decompile
ida_kernwin.hide_wait_box
ida_kernwin.replace_wait_box
ida_kernwin.show_wait_box
ida_kernwin.user_cancelled
idautils.Functions
show_selected_strings
Retrieve the strings that are selected in the "Strings" window.
Source code
widgets/tabular_views/string_window/show_selected_strings.py
Category
widgets
Description
In IDA it's possible to write actions that can be applied even to core (i.e., "standard") widgets. The actions in this example use the action "context" to know what the current selection is.
This example shows how you can either retrieve string literals data directly from the chooser (ida_kernwin.get_chooser_data), or by querying the IDB (ida_bytes.get_strlit_contents)
Shortcuts
Ctrl+Shift+K Ctrl+Shift+S
Keywords
actions ctxmenu
Uses
ida_bytes.get_strlit_contents
ida_idaapi.BADADDR
ida_kernwin.AST_DISABLE_FOR_WIDGET
ida_kernwin.AST_ENABLE_FOR_WIDGET
ida_kernwin.BWN_STRINGS
ida_kernwin.action_desc_t
ida_kernwin.action_handler_t
ida_kernwin.attach_action_to_popup
ida_kernwin.find_widget
ida_kernwin.get_chooser_data
ida_kernwin.open_strings_window
ida_kernwin.register_action
ida_kernwin.unregister_action
ida_strlist.get_strlist_item
ida_strlist.string_info_t
See also
sync_two_graphs
Follow the movements of a disassembly graph, in another.
Source code
widgets/graphs/sync_two_graphs.py
Category
widgets
Description
Since it is possible to be notified of movements that happen take place in a widget, it's possible to "replay" those movements in another.
In this case, "IDA View-B" (will be opened if necessary) will show the same contents as "IDA View-A", slightly zoomed out.
Keywords
graph idaview
Uses
ida_graph.GLICTL_CENTER
ida_graph.viewer_fit_window
ida_graph.viewer_get_gli
ida_graph.viewer_set_gli
ida_kernwin.DP_RIGHT
ida_kernwin.IDAViewWrapper
ida_kernwin.MFF_FAST
ida_kernwin.TCCRT_GRAPH
ida_kernwin.execute_sync
ida_kernwin.find_widget
ida_kernwin.get_custom_viewer_place
ida_kernwin.jumpto
ida_kernwin.open_disasm_window
ida_kernwin.set_dock_pos
ida_kernwin.set_view_renderer_type
ida_moves.graph_location_info_t
See also
wrap_idaview
Manipulate IDAView and graph
Source code
widgets/idaview/wrap_idaview.py
Category
widgets
Description
This is an example illustrating how to manipulate an existing IDA-provided view (and thus possibly its graph), in Python.
Keywords
graph idaview
Uses
ida_graph.NIF_BG_COLOR
ida_graph.NIF_FRAME_COLOR
ida_graph.node_info_t
ida_kernwin.IDAViewWrapper
ida_kernwin.MFF_FAST
ida_kernwin.TCCRT_FLAT
ida_kernwin.TCCRT_GRAPH
ida_kernwin.execute_sync
See also
Last updated