Pure Python parser and analyzer for IDA Pro database files (.idb).
python-idb is a library for accessing the contents of IDA Pro databases (.idb files). It provides read-only access to internal structures such as the B-tree (ID0 section), name address index (NAM section), flags index (ID2 section), and types (TIL section). The library also provides analysis of B-tree entries to expose logical structures like functions, cross references, bytes, and disassembly (via Capstone). An example use for python-idb might be to run IDA scripts in a pure-Python environment.
Willem Hengeveld ([email protected]) provided the initial research into the low-level structures in his projects pyidbutil and idbutil. Willem deserves substantial credit for reversing the .idb file format and publishing his results online. This project heavily borrows from his knowledge, though there is little code overlap.
In this example, we list the effective addresses and names of functions:

```
In : import idb
...: with idb.from_file('./data/kernel32/kernel32.idb') as db:
...:     api = idb.IDAPython(db)
...:     for ea in api.idautils.Functions():
...:         print('%x: %s' % (ea, api.idc.GetFunctionName(ea)))

Out : 68901010: GetStartupInfoA
....: 689011df: Sleep
....: 68901200: MulDiv
....: 68901320: SwitchToFiber
....: 6890142c: GetTickCount
....: 6890143a: ReleaseMutex
....: 68901445: WaitForSingleObject
....: 68901450: GetCurrentThreadId
...
```
Note that we create an emulated instance of the IDAPython scripting interface, and use this to invoke `idautils` routines to fetch data.
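The same emulated interface can drive an ordinary triage script. The following is an added example, not code from python-idb itself: it takes any object that exposes the `idautils` and `idc` namespaces the way `idb.IDAPython(db)` does, and ranks functions by how many code references point at them, which is a quick way to spot hot helpers and never-called entry points in a database someone else built. `idautils.Functions` and `idc.GetFunctionName` are the calls shown above; `idc.GetFunctionAttr`, `idc.FUNCATTR_END` and `idautils.CodeRefsTo` are assumed to mirror their IDAPython namesakes in the emulation. The `FakeApi` class is a constructed stand-in with three made-up functions so the script runs offline; pass a real `.idb` path on the command line to use the library instead.

```python
"""Function triage over python-idb's emulated IDAPython API (added example, not part of python-idb)."""
import sys
from collections import namedtuple

FunctionSummary = namedtuple("FunctionSummary", "ea name size callers")


def summarize_functions(api):
    """Collect (ea, name, size, caller count) for every function, most-referenced first.

    `api` is anything shaped like idb.IDAPython(db). GetFunctionAttr/FUNCATTR_END and
    CodeRefsTo are assumed to follow the IDAPython names (assumption, see lead-in).
    """
    records = []
    for ea in api.idautils.Functions():
        name = api.idc.GetFunctionName(ea)
        end = api.idc.GetFunctionAttr(ea, api.idc.FUNCATTR_END)
        # flow=0: count explicit call/jump references only, not fall-through flow.
        callers = sum(1 for _ in api.idautils.CodeRefsTo(ea, 0))
        records.append(FunctionSummary(ea, name, end - ea, callers))
    records.sort(key=lambda r: (-r.callers, r.ea))
    return records


def unreferenced_functions(summaries):
    """Functions with no code references: exports, entry points, thunks or orphaned code."""
    return [r for r in summaries if r.callers == 0]


# ---- constructed stand-in so the example runs without an .idb file ----------------
class _FakeIdc:
    FUNCATTR_END = 4  # placeholder constant for the stand-in only

    def __init__(self, funcs):
        self._funcs = funcs  # ea -> (name, end_ea)

    def GetFunctionName(self, ea):
        return self._funcs[ea][0]

    def GetFunctionAttr(self, ea, attr):
        assert attr == self.FUNCATTR_END
        return self._funcs[ea][1]


class _FakeIdautils:
    def __init__(self, funcs, xrefs):
        self._funcs = funcs
        self._xrefs = xrefs  # target ea -> [referencing ea, ...]

    def Functions(self):
        return iter(sorted(self._funcs))

    def CodeRefsTo(self, ea, flow):
        return iter(self._xrefs.get(ea, []))


class FakeApi:
    """Constructed sample: three functions, 'checksum' called twice, 'start' never called."""

    def __init__(self):
        funcs = {
            0x401000: ("start", 0x401040),
            0x401040: ("parse_hdr", 0x4010A0),
            0x4010A0: ("checksum", 0x4010C0),
        }
        xrefs = {0x401040: [0x401010], 0x4010A0: [0x401050, 0x401070]}
        self.idc = _FakeIdc(funcs)
        self.idautils = _FakeIdautils(funcs, xrefs)


def main(argv):
    if len(argv) > 1:
        import idb  # the real library; only needed when an .idb path is supplied
        with idb.from_file(argv[1]) as db:
            summaries = summarize_functions(idb.IDAPython(db))
    else:
        summaries = summarize_functions(FakeApi())
    for r in summaries:
        print("%08x  %-24s size=%-6d callers=%d" % (r.ea, r.name, r.size, r.callers))
    print("unreferenced:", [r.name for r in unreferenced_functions(summaries)])


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python triage.py kernel32.idb` to walk a real database, or with no arguments to see the constructed sample; the ranking logic is the same in both cases because it only talks to the emulated API.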
The target script `yara_fn.py` has only been slightly modified:

- to make it Python 3.x compatible, and
- to use the modern IDAPython modules, such as
python-idb is a pure-Python library, with the exception of Capstone (required only when calling disassembly APIs). You can install it via pip or `setup.py install`, both of which should handle dependency resolution:

```
$ cd ~/Downloads/python-idb/
$ python setup.py install
$ python scripts/run_ida_script.py ~/tools/yara_fn.py ~/Downloads/kernel32.idb
... profit! ...
```
While most python-idb functions have meaningful docstrings, there is not yet a comprehensive documentation website. However, the unit tests demonstrate functionality that you'll probably find useful.

Someone interested in learning the file format and contributing to the project should review the `idb.fileformat` module and its tests. Those looking to extract meaningful information from existing .idb files should probably look at the `idb.idapython` modules and their tests.
Please report issues or feature requests through Github's bug tracker associated with the project.
python-idb is licensed under the Apache License, Version 2.0. This means it is freely available for use and modification in a personal and professional capacity.