https://docs.hex-rays.com/developer-guide/idapython/idapython-examples

https://oacia.dev/idapython-learning/


import idc
import idaapi
import ida_segment
import idautils
import ida_ua
import ida_bytes
 
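# IDAPython quick reference. Every statement below is a standalone example;
# most return values are deliberately discarded because this is a reference
# card, not a script meant to run end-to-end.

# --- addresses and navigation ---------------------------------------------
ea = idc.get_screen_ea()  # address under the cursor
idc.get_inf_attr(idaapi.INF_MAX_EA)  # highest address of the database
idc.get_inf_attr(idaapi.INF_MIN_EA)  # lowest address of the database (not INF_MAX_EA again)
idaapi.get_imagebase()  # image base of the loaded file
idc.next_head(ea)  # address of the NEXT item (instruction/data head) after ea
idc.prev_head(ea)  # address of the PREVIOUS item before ea
if idaapi.BADADDR != ea:  # BADADDR is the "no such address" sentinel returned by many APIs
    pass

# --- instructions and operands --------------------------------------------
idc.GetDisasm(ea)  # disassembly text of the item at ea
idc.print_insn_mnem(ea=ea)  # instruction mnemonic
idc.print_operand(ea=ea, n=1)  # text of operand n (0-based, so n=1 is the second operand)
idc.get_operand_value(ea=ea, n=1)  # numeric value of operand n
idc.get_item_size(ea=ea)  # size in bytes of the item at ea
idc.get_operand_type(ea=ea, n=1)  # type of operand n
idc.o_void  # operand type constants (o_void, o_reg, o_mem, ...)

# --- segments ---------------------------------------------------------------
idc.get_segm_name(ea=ea)  # name of the segment containing ea
start = idc.get_segm_start(ea=ea)  # start address of that segment
end = idc.get_segm_end(ea=ea)  # end address of that segment (exclusive)
idc.get_segm_attr(ea, idc.SEGATTR_CS)  # read one segment attribute
seg_flags = idc.get_segm_attr(ea, idc.SEGATTR_FLAGS)  # read the segment flags
# set_segm_attr takes the new value as its third argument; writing the
# current flags back is a no-op that only shows the signature
idc.set_segm_attr(ea, idc.SEGATTR_FLAGS, seg_flags)
idc.SEG_NORM  # segment *type* constants (compare with SEGATTR_TYPE)
idc.get_first_seg()  # start address of the first segment
idc.get_next_seg(ea)  # start address of the segment following the one containing ea
ida_segment.get_segm_by_name('.text')  # segment_t object by name (None if absent)

# --- functions and basic blocks -------------------------------------------
idc.get_func_name(ea=ea)  # name of the function containing ea
func = idaapi.get_func(ea)  # func_t for the function containing ea, or None if ea is not in a function
fstart = idc.get_func_attr(ea, idc.FUNCATTR_START)  # start address of that function
flag = idc.get_func_attr(ea, idc.FUNCATTR_FLAGS)  # function flags bitmask
idc.FUNC_NORET  # flag mask constants for FUNCATTR_FLAGS
if flag & idc.FUNC_SP_READY:  # test a single flag
    pass
idautils.Functions(start, end)  # iterator of function start addresses in [start, end); no args = whole database
fc = idaapi.FlowChart(func)  # basic blocks of the function; takes the func_t, not an address
for block in fc:
    block.start_ea  # first address of the block
    block.end_ea  # address just past the block's last instruction (exclusive)
    block.id  # block index within the flow chart
    block.type  # block type
    for pred in block.preds():
        pass  # predecessor blocks
    for succ in block.succs():
        pass  # successor blocks

# --- bytes: search and read -------------------------------------------------
# the search window is given by its start address, not by passing the start
# address as a size
idc.find_bytes(bs=b"aabb", range_start=start, range_end=end, flags=ida_bytes.BIN_SEARCH_CASE)
ida_bytes.BIN_SEARCH_NOSHOW  # search flag constants
ida_bytes.get_bytes(ea=ea, size=3)  # raw bytes at ea
ida_bytes.get_byte(ea=ea)  # 8-bit read
ida_bytes.get_word(ea=ea)  # 16-bit read
ida_bytes.get_dword(ea=ea)  # 32-bit read
ida_bytes.get_qword(ea=ea)  # 64-bit read

# --- debugger ---------------------------------------------------------------
idc.add_bpt(ea)  # set a breakpoint
idc.get_reg_value("rdx")  # read a register of the current thread state
idc.set_reg_value(0xdeadface, "rdx")  # write a register (value first, then name)
idc.run_to(ea)  # resume and stop when ea is reached
idc.wait_for_next_event(idc.WFNE_ANY, timeout=-1)  # block until the next debugger event
# #define WFNE_ANY    0x0001 // return the first event (even if it doesn't suspend the process)
#                            // if the process is still running, the database
#                            // does not reflect the memory state. you might want
#                            // to call refresh_debugger_memory() in this case
# #define WFNE_SUSP   0x0002 // wait until the process gets suspended
# #define WFNE_SILENT 0x0004 // 1: be slient, 0:display modal boxes if necessary
# #define WFNE_CONT   0x0008 // continue from the suspended state
# #define WFNE_NOWAIT 0x0010 // do not wait for any event, immediately return DEC_TIMEOUT
#                            // (to be used with WFNE_CONT)
# #define WFNE_USEC   0x0020 // timeout is specified in microseconds
#                            // (minimum non-zero timeout is 40000us)
# // debugger event codes
# #define NOTASK         -2            // process does not exist
# #define DBG_ERROR      -1            // error (e.g. network problems)
# #define DBG_TIMEOUT     0            // timeout
# #define PROCESS_STARTED   0x00000001 // New process started
# #define PROCESS_EXITED    0x00000002 // Process stopped
# #define THREAD_STARTED    0x00000004 // New thread started
# #define THREAD_EXITED     0x00000008 // Thread stopped
# #define BREAKPOINT        0x00000010 // Breakpoint reached
# #define STEP              0x00000020 // One instruction executed
# #define EXCEPTION         0x00000040 // Exception
# #define LIB_LOADED        0x00000080 // New library loaded
# #define LIB_UNLOADED      0x00000100 // Library unloaded
# #define INFORMATION       0x00000200 // User-defined information
# #define PROCESS_ATTACHED  0x00000400 // Attached to running process
# #define PROCESS_DETACHED  0x00000800 // Detached from process
# #define PROCESS_SUSPENDED 0x00001000 // Process has been suspended

# --- bytes: patch (modifies the database, not the file on disk) -------------
ida_bytes.patch_bytes(ea=ea, buf=b"aaaa")
ida_bytes.patch_byte(ea=ea, x=0x13)
ida_bytes.patch_word(ea=ea, x=0x1313)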