本文主要是介绍[参考]IDAPython 速查表，对大家解决编程问题具有一定的参考价值，需要的程序猿们随着小编来一起学习吧！

IDAPython 速查表

重要参考网站

• Porting IDAPython plugins to IDA 7.4
• Hex-Rays IDAPython official documentation

基本指令

二进制、硬编码与指令

info = idaapi.get_inf_structure()
filename = idaapi.get_input_file_path()
entrypoint = info.start_ip
imagebase = ida_nalt.get_imagebase()
is_64bits = info.is_64bit()
is_dll = info.is_dll()
proc_name = ida_ida.inf_get_procname()

获取指令地址

for ea in idautils.Heads():
  print(hex(ea))

来自地址的交叉引用

for ref in idautils.XrefsTo(ea):
  print(hex(ref.frm))

获取地址名称

idaapi.get_name(0, ea)
idaapi.get_name_ea(0, name) # name = "main" for example

for ea, name in idautils.Names():
  print("%x: %s" % (ea, name))

获取硬编码、更改硬编码

# check the return value with the constant ida_idaapi.BADADDR
idaapi.get_byte(ea)
idaapi.get_bytes(ea, size)

idaapi.patch_byte(ea, byte)
idaapi.patch_bytes(ea, bytes)

读取指针引用的地址

def read_ptr(ea):
  if idaapi.get_inf_structure().is_64bit():
    return idaapi.get_qword(ea)
  return idaapi.get_dword(ea)

print("%x" % read_ptr(ea))

获取字符串

ida_bytes.get_max_strlit_length(ea, ida_nalt.STRTYPE_C)
ida_bytes.get_strlit_contents(ea, size, ida_nalt.STRTYPE_C_16)
for c in idautils.Strings()
  print s.ea, s.length, s.strtype

获取当前widget

widget = idaapi.get_current_widget()
widget_type = idaapi.get_widget_type(widget) # can be any of ida_kernwin.BWN_*
vdui = idaapi.get_widget_vdui(widget)

获取、设置注释

# set non-repeatable comment
idc.get_cmt(ea, False)
# get repeatable comment
idc.get_cmt(ea, True)
# get func cmt
idc.get_func_cmt(ea, repeatable)

# set non-repeatable comment
idc.set_cmt(ea, comment, 0)
# set repeatable comment
idc.set_cmt(ea, comment, 1)
# set func cmt
idc.set_func_cmt(ea, comment, repeatable)

段间操作

列出各区段(/节表)

for s in idautils.Segments():
    start = idc.get_segm_start(s)
    end = idc.get_segm_end(s)
    name = idc.get_segm_name(s)
    data = ida_bytes.get_bytes(start, end-start)

增加区段

max_ea = idaapi.inf_get_max_ea() # get last segment end address
idaapi.add_segm(0, start_ea, end_ea, name, sclass) # sclass can be one of "CODE", "DATA", "BSS", "STACK", "XTRN", "CONST", "ABS" or "COMM"

结构、类型操作

创建结构

name = "my_super_structure"
struct_id = idc.add_struc(0, name, 0)

从名称获取结构

struct_id = idaapi.get_struc_id(name)
if struct_id == idaapi.BADADDR:
    print("Structure {} does not exist".format(name))

从id获取结构

struct = idaapi.get_struc(struct_id)

向结构内增加成员

# add dword
idc.add_struc_member(struct_id, member_name, member_offset, idaapi.FF_DWORD, -1, 4) 

设置结构成员的类型

# define type
tinfo = idaapi.tinfo_t()
[...]
member = idaapi.get_member_by_name(struct, member_name)
if idaapi.set_member_tinfo(struct, member, 0, tinfo, 0) == idaapi.SMT_OK:
    print("Member type successfully modified !")

将结构套用在某个特定的地址所指向的数据上

idaapi.apply_tinfo(ea, tinfo, idaapi.TINFO_DEFINITE)

函数

获取函数

f = ida_funcs.get_func(ea)
print("%x %x" % (f.start_ea, f.end_ea))
print(ida_funcs.get_func_name(ea)) # not necessarily the start ea

for ea in Functions():
  print("%x" % ea)

在函数中查找指令

f = ida_funcs.get_func(ea)
for ea in Heads(f.start_ea, f_end_ea):
  insn = idaapi.insn_t()
  length = idaapi.decode_insn(insn, ea)
  if insn.itype == ida_allins.NN_call:
    print("Call at %x" % ea)
  # also works to search for call instructions
  if ida_idp.is_call_insn(insn):
    print("Call at %x" % ea)

获取操作数的值、类型

# Get mov instructions to memory adresses
f = ida_funcs.get_func(ea)
for ea in Heads(f.start_ea, f_end_ea):
  insn = idaapi.insn_t()
  length = idaapi.decode_insn(insn, ea)
  if insn.itype != ida_allins.NN_mov:
    continue
  if insn.ops[1].type == ida_ua.o_mem:
    print("Data is moved at addr %x" % insn.ops[1].value)

GetOpType可以返回以下值:

• o_void: 无操作数
• o_reg: 寄存器
• o_mem: 确切地址
• o_phrase, o_displ: 指向某个地址的指针
• o_imm: 立即数

查找汇编代码

f = ida_funcs.get_func(ea)
for ea in idautils.Heads(f.start_ea, f_end_ea):
  insn = idaapi.insn_t()
  length = idaapi.decode_insn(insn, ea)
  if insn.itype != ida_allins.NN_xor and insn.ops[0].reg == idautils.procregs.ecx and insn.ops[1].reg == idautils.procregs.ecx:
    print("Found at addr %x" % ea)

获取导入函数的原型

# get import function prototype
import_prototype = idaapi.get_named_type(None, 'WriteFile', 0)

# deserialize import function prototype
import_tif = idaapi.tinfo_t()
import_tif.deserialize(None, import_prototype[1], import_prototype[2])

# create a pointer to the import function type
ptr_import_tif = idaapi.tinfo_t()
ptr_import_tif.create_ptr(import_tif)

GUI

读选定的代码

_, start, end = idaapi.read_range_selection(None)
for ea in idautils.Heads(start, end):
    insn = idaapi.insn_t()
    length = idaapi.decode_insn(insn, ea)

调试器

启动调试器

ida_dbg.add_bpt(ea, 1, ida_idd.BPT_DEFAULT)
ida_dbg.start_process("/path/to/exe", "-q 1", "/path/to")
# bp reached
ida_dbg.continue_process()
ida_dbg.exit_process()

断点类型:

• BPT_WRITE = 1
• BPT_READ = 2
• BPT_RDWD = 3
• BPT_SOFT = 4
• BPT_EXEC = 8
• BPT_DEFAULT = BPT_SOFT|BPT_EXEC

获取内存值

rv = ida_idd.regval_t()
ida_dbg.get_reg_val("ECX", rv)
print(hex(rv.ival))
print(hex(idautils.cpu.ecx))

在断点上添加脚本

1. 添加断点
2. 右键断点，选择 Edit Breakpoints
3. 点击Condition按钮
4. 将Scripting language改为python
5. 编写脚本

启动被调试对象的某个函数

# test check_passwd(char *passwd) -> int
passwd = ida_idd.Appcall.byref("MyFirstGuess")
res = ida_idd.Appcall.check_passwd(passwd)
if res.value == 0:
  print("Good passwd !")
else:
  print("Bad passwd...")

其余例子请参考: Practical Appcall examples – Hex Rays (hex-rays.com)

英语原文：Cheatsheet for IDAPython (github.com)

这篇关于[参考]IDAPython 速查表的文章就介绍到这儿，希望我们推荐的文章对大家有所帮助，也希望大家多多支持为之网！