IDA python

整理了一些常用的IDA python函数

Hex-rays python docs
https://www.hex-rays.com/products/ida/support/idapython_docs/

查询python函数信息

通过python自带的help函数查询函数信息

通过func.__code__.co_argcount查询函数信息

IDA python的常用函数

enum相关

搜索

find_binary(ea, flag, searchstr, radix=16, from_bc695=False)
flag：
SEARCH_BRK = 256
SEARCH_CASE = 4
SEARCH_DOWN = 1
SEARCH_IDENT = 128
SEARCH_NEXT = 2
SEARCH_NOBRK = 16
SEARCH_NOSHOW = 32
SEARCH_REGEX = 8
SEARCH_UP = 0
SWIG_PYTHON_LEGACY_BOOL = 1

add_enum(idx, name, flag)

Add a new enum type

Parameters:

idx - serial number of the new enum. If another enum with the same serial number exists, then all enums with serial numbers >= the specified idx get their serial numbers incremented (in other words, the new enum is put in the middle of the list of enums).
If idx >= get_enum_qty() or idx == idaapi.BADNODE then the new enum is created at the end of the list of enums.

name - name of the enum.

flag - flags for representation of numeric constants in the definition of enum.

Returns:

id of new enum or BADADDR

交互相关

要求用户输入

You can use the ask_* functions from the ida_kernwin module.

For example:

ask_long: Display a dialog box and wait for the user to input an number
ask_str: Display a dialog box and wait for the user to input a text string
ask_file: Display a dialog box and wait for the user to input a file name
ask_form: Display a dialog box and wait for the user
There are also the choose_* functions if you want the user to choose something from the database (function, segment, structure). And fully customisable forms (see this example).

分析常用函数

在指定地址make code

create_insn(ea, out=None)

Create an instruction at the specified address. This function checks if an instruction is present at the specified address and will try to create one if there is none. It will fail if there is a data item or other items hindering the creation of the new instruction. This function will also fill the ‘out’ structure.

Returns: int

the length of the instruction or 0

获取指定地址的指令（助记符）

print_insn_mnem

例如，对于mov eax,1

返回“mov”

获取指定地址的n个立即数

get_printable_immvals(ea, n, F=0)

Get immediate ready-to-print values at the specified address

Parameters:
ea - address to analyze (C++: ea_t)
n - number of operand (0.. UA_MAXOP -1), -1 means all operands (C++: int)
F - flags for the specified address (C++: flags_t)
Returns: PyObject *
number of immediate values (0..2* UA_MAXOP )

获取指定地址的第n个操作数

print_operand(ea, n, getn_flags=0, newtype=None)

删除项

del_items(ea, flags=0, nbytes=1, may_destroy=None)

获取指定地址的字符串 get_strlit_contents

Get string contents
ea - linear address
len - string length. -1 means to calculate the max string length
type - the string type (one of STRTYPE_… constants)
Returns: string contents or empty string

string get_strlit_contents(long ea, long len, long type);

获取指定地址的数据（不使用调试时的数据）

ida_bytes.get_qword,ida_bytes.get_64bit

ida_bytes.get_dword, ida_bytes.get_32bit

ida_bytes.get_word,ida_bytes.get_16bit

获取指定地址的数据（使用调试时的数据）

read_dbg_qword

read_dbg_dword

read_dbg_word

创建结构体 create_struct(ea, length, tid, force=False)

Convert to struct.

• Parameters:

  ea, (C++ - ea_t)

  length, (C++ - asize_t)

  tid, (C++ - tid_t)

  force, (C++ - bool)

• Returns: bool

获取指定地址的操作 GetDisasm(ea)

Get disassembly line

@param ea: linear address of instruction

@return: "" - could not decode instruction at the specified location

@note: this function may not return exactly the same mnemonics
       as you see on the screen.

获取一定长度的字节 get_bytes(ea, size, use_dbg=False)

Return the specified number of bytes of the program

Parameters:
ea - linear address
size - size of buffer in normal 8-bit bytes
use_dbg - if True, use debugger memory, otherwise just the database
Returns:
None on failure otherwise a string containing the read bytes

获取指定地址的名字 get_name(ea, gtn_flags=0)

Get name at the specified address

• Parameters:

  ea - linear address

  gtn_flags - how exactly the name should be retrieved. combination of GN_ bits

• Returns:

  “” - byte has no name

获取指定名字的地址 get_name_ea_simple(name)

Get linear address of a name

• Parameters:

  name - name of program byte

• Returns:

  address of the name BADADDR - No such name

All idc functions

idc.AddSeg
idc.AutoMark
idc.EVAL_FAILURE
idc.FindBinary
idc.FindText
idc.GetDisasm
idc.GetDouble
idc.GetFloat
idc.GetLocalType
idc.GetProcessorName
idc.LoadFile
idc.MakeFunction
idc.MakeStr
idc.MakeVar
idc.SaveFile
idc.SegEnd
idc.SegStart
idc.SetPrcsr
idc.SetSegmentType
idc.SetType
idc.SizeOf
idc.add_auto_stkpnt
idc.add_default_til
idc.add_enum
idc.add_enum_member
idc.add_segm_ex
idc.add_struc
idc.add_struc_member
idc.append_func_tail
idc.apply_type
idc.atoa
idc.atol
idc.batch
idc.byte_value
idc.call_system
idc.can_exc_continue
idc.choose_func
idc.clear_trace
idc.create_array
idc.create_byte
idc.create_double
idc.create_dword
idc.create_float
idc.create_oword
idc.create_pack_real
idc.create_qword
idc.create_strlit
idc.create_struct
idc.create_tbyte
idc.create_word
idc.create_yword
idc.define_local_var
idc.del_array_element
idc.del_enum_member
idc.del_hash_string
idc.del_stkpnt
idc.del_struc
idc.del_struc_member
idc.delete_all_segments
idc.delete_array
idc.demangle_name
idc.enable_tracing
idc.eval_idc
idc.expand_struc
idc.fclose
idc.fgetc
idc.filelength
idc.find_binary
idc.find_func_end
idc.find_selector
idc.find_text
idc.first_func_chunk
idc.fopen
idc.force_bl_call
idc.force_bl_jump
idc.form
idc.fprintf
idc.fputc
idc.fseek
idc.ftell
idc.func_contains
idc.gen_file
idc.gen_flow_graph
idc.gen_simple_call_chart
idc.generate_disasm_line
idc.get_array_element
idc.get_array_id
idc.get_bmask_cmt
idc.get_bmask_name
idc.get_bpt_attr
idc.get_bpt_ea
idc.get_bytes
idc.get_color
idc.get_curline
idc.get_enum_member
idc.get_enum_member_cmt
idc.get_enum_member_name
idc.get_event_bpt_hea
idc.get_event_ea
idc.get_event_exc_code
idc.get_event_exc_ea
idc.get_event_exc_info
idc.get_event_exit_code
idc.get_event_id
idc.get_event_info
idc.get_event_module_base
idc.get_event_module_name
idc.get_event_module_size
idc.get_event_pid
idc.get_event_tid
idc.get_fchunk_attr
idc.get_first_enum_member
idc.get_first_hash_key
idc.get_first_index
idc.get_first_member
idc.get_first_module
idc.get_first_seg
idc.get_fixup_target_dis
idc.get_fixup_target_flags
idc.get_fixup_target_off
idc.get_fixup_target_sel
idc.get_fixup_target_type
idc.get_frame_args_size
idc.get_frame_id
idc.get_frame_lvar_size
idc.get_frame_regs_size
idc.get_frame_size
idc.get_func_attr
idc.get_func_cmt
idc.get_func_flags
idc.get_func_name
idc.get_func_off_str
idc.get_hash_long
idc.get_hash_string
idc.get_idb_path
idc.get_inf_attr
idc.get_item_size
idc.get_last_enum_member
idc.get_last_hash_key
idc.get_last_index
idc.get_last_member
idc.get_local_tinfo
idc.get_member_cmt
idc.get_member_flag
idc.get_member_id
idc.get_member_name
idc.get_member_offset
idc.get_member_qty
idc.get_member_size
idc.get_member_strid
idc.get_min_spd_ea
idc.get_module_name
idc.get_module_size
idc.get_name
idc.get_name_ea_simple
idc.get_next_enum_member
idc.get_next_fchunk
idc.get_next_func
idc.get_next_hash_key
idc.get_next_index
idc.get_next_module
idc.get_next_offset
idc.get_next_seg
idc.get_numbered_type_name
idc.get_operand_type
idc.get_operand_value
idc.get_ordinal_qty
idc.get_prev_enum_member
idc.get_prev_fchunk
idc.get_prev_func
idc.get_prev_hash_key
idc.get_prev_index
idc.get_prev_offset
idc.get_reg_value
idc.get_segm_attr
idc.get_segm_by_sel
idc.get_segm_end
idc.get_segm_name
idc.get_segm_start
idc.get_sp_delta
idc.get_spd
idc.get_sreg
idc.get_str_type
idc.get_strlit_contents
idc.get_tinfo
idc.get_type
idc.get_xref_type
idc.guess_type
idc.hasName
idc.hasUserName
idc.has_value
idc.here
idc.idadir
idc.import_type
idc.isBin0
idc.isBin1
idc.isDec0
idc.isDec1
idc.isExtra
idc.isHex0
idc.isHex1
idc.isOct0
idc.isOct1
idc.isRef
idc.is_align
idc.is_byte
idc.is_char0
idc.is_char1
idc.is_code
idc.is_data
idc.is_defarg0
idc.is_defarg1
idc.is_double
idc.is_dword
idc.is_enum0
idc.is_enum1
idc.is_event_handled
idc.is_float
idc.is_flow
idc.is_head
idc.is_loaded
idc.is_manual0
idc.is_manual1
idc.is_mapped
idc.is_off0
idc.is_off1
idc.is_oword
idc.is_pack_real
idc.is_qword
idc.is_seg0
idc.is_seg1
idc.is_stkvar0
idc.is_stkvar1
idc.is_strlit
idc.is_stroff0
idc.is_stroff1
idc.is_struct
idc.is_tail
idc.is_tbyte
idc.is_union
idc.is_unknown
idc.is_word
idc.loadfile
idc.ltoa
idc.make_array
idc.move_segm
idc.next_func_chunk
idc.next_head
idc.op_offset_high16
idc.op_plain_offset
idc.op_stroff
idc.parse_decl
idc.parse_decls
idc.plan_and_wait
idc.prev_head
idc.print_decls
idc.print_insn_mnem
idc.print_operand
idc.process_config_line
idc.process_ui_action
idc.qsleep
idc.read_dbg_byte
idc.read_dbg_dword
idc.read_dbg_qword
idc.read_dbg_word
idc.read_selection_end
idc.read_selection_start
idc.readlong
idc.readshort
idc.readstr
idc.remove_fchunk
idc.rename_array
idc.resume_process
idc.rotate_byte
idc.rotate_dword
idc.rotate_left
idc.rotate_word
idc.save_database
idc.savefile
idc.sel2para
idc.selector_by_name
idc.send_dbg_command
idc.set_array_long
idc.set_array_params
idc.set_array_string
idc.set_bmask_cmt
idc.set_bmask_name
idc.set_bpt_attr
idc.set_bpt_cond
idc.set_color
idc.set_default_sreg_value
idc.set_fchunk_attr
idc.set_fixup
idc.set_flag
idc.set_frame_size
idc.set_func_attr
idc.set_func_cmt
idc.set_func_flags
idc.set_hash_long
idc.set_hash_string
idc.set_inf_attr
idc.set_local_type
idc.set_member_cmt
idc.set_member_name
idc.set_member_type
idc.set_name
idc.set_reg_value
idc.set_segm_addressing
idc.set_segm_alignment
idc.set_segm_attr
idc.set_segm_class
idc.set_segm_combination
idc.set_segm_name
idc.set_segm_type
idc.set_segment_bounds
idc.set_struc_idx
idc.set_tail_owner
idc.split_sreg_range
idc.strlen
idc.strstr
idc.substr
idc.to_ea
idc.toggle_bnot
idc.update_hidden_range
idc.validate_idb_names
idc.value_is_float
idc.value_is_func
idc.value_is_int64
idc.value_is_long
idc.value_is_pvoid
idc.value_is_string
idc.write_dbg_memory
idc.writelong
idc.writeshort
idc.writestr
idc.xtol