Awesome
IDA Practical Cheatsheet
A few practical use-cases of IDA scripting.
IDA Python
Get minimum and maximum address
import ida_idaapi
# Fetch the database-wide "inf" structure and read the address range it records.
# NOTE(review): get_inf_structure() appears to be unavailable in recent IDA
# releases, where the ida_ida.inf_get_min_ea() / inf_get_max_ea() accessors are
# used instead; confirm against the IDA version you target.
ea_inf = ida_idaapi.get_inf_structure()
min_ea, max_ea = ea_inf.min_ea, ea_inf.max_ea
Iterate over segments and print their names
import ida_segment
import idautils
# idautils.Segments() yields one address per segment; getseg() maps that
# address to the segment object whose name is then looked up.
for seg_ea in idautils.Segments():
    seg_name = ida_segment.get_segm_name(ida_segment.getseg(seg_ea))
    print(f"Current segment: {seg_name}")
Iterate over all instructions
All executable code (scan full memory)
import idautils
import ida_bytes
# Walk every head (start of a defined item) in the database and keep only the
# ones whose flags mark them as code. is_code() reflects how the item is
# defined in the database, not the permissions of the segment that holds it.
for ea in idautils.Heads():
    if not ida_bytes.is_code(ida_bytes.get_flags(ea)):
        continue  # Data or undefined bytes: skip
    pass  # Do stuff
Instructions in functions (scan all functions)
import idautils
# Outer loop: start address of every function known to the database.
# Inner loop: address of every item that belongs to that function.
for func_ea in idautils.Functions():
    for item_ea in idautils.FuncItems(func_ea):
        pass  # Do stuff
Create instruction at specific location
import ida_ua
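# Define an instruction at ea (e.g. ea = 0x424242).
# create_insn() returns the length of the new instruction, or 0 when the bytes
# at ea cannot be turned into one, so the result is checked instead of dropped.
insn_len = ida_ua.create_insn(ea)
if insn_len == 0:
    print(f"Could not create an instruction at {ea:#x}")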
Create function at specific location
import ida_funcs
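# Define a function starting at ea (e.g. ea = 0x424242). With no end address
# given, IDA works out the function bounds itself.
# add_func() reports success as a boolean; surface a failure instead of
# silently continuing with a function that does not exist.
if not ida_funcs.add_func(ea):
    print(f"Could not create a function at {ea:#x}")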
Decode instruction at specific location
The full list of supported instructions is available here: IDA Python instructions
import idautils
import ida_allins
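insn = idautils.DecodeInstruction(ea)  # e.g. ea = 0x424242

# DecodeInstruction() returns None when the bytes at ea do not decode to an
# instruction (data, undefined bytes, bad address). Stop here with a clear
# message rather than failing later on an attribute access.
if insn is None:
    raise ValueError(f"No instruction could be decoded at {ea:#x}")

# List operands
# NOTE(review): insn.ops appears to expose every operand slot, including
# unused ones (type o_void); filter those out if only real operands matter.
for op in insn.ops:
    pass  # Do stuff

# Check instruction type (the NN_* constants are the x86/x64 instruction codes)
if insn.itype == ida_allins.NN_movs:
    print("Instruction is movs")
# auxpref bits are processor-module specific; bit 0x2 is taken here to be the
# x86 REP prefix flag. TODO confirm for the processor you analyse.
if insn.auxpref & 2:
    print("Instruction has rep prefix")

# Get instruction mnemonic name
insn_mnemonic = insn.get_canon_mnem()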
Add comment at specific location
import ida_bytes
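# Attach a comment to the item at ea. The third argument selects the comment
# kind: 0 = regular comment, non-zero = repeatable comment.
# set_cmt() returns False when the comment could not be stored, so report it.
if not ida_bytes.set_cmt(ea, "Comment", 0):
    print(f"Could not set a comment at {ea:#x}")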
Get cross references
import idautils
# Both helpers return lazy iterators of xref objects: .frm is the referencing
# address, .to is the referenced address. Addresses print as plain integers;
# wrap them in hex() for readable output.
refs_to = idautils.XrefsTo(ea)      # Who references ea
refs_from = idautils.XrefsFrom(ea)  # What ea references

for xref in refs_to:
    print(xref.frm)  # From address

for xref in refs_from:
    print(xref.to)  # To address