About the developer

williballenthin
372 Stars 67 Forks Apache License 2.0 578 Commits 10 Opened issues

Description

Pure Python parser and analyzer for IDA Pro database files (.idb).

python-idb

python-idb is a library for accessing the contents of IDA Pro databases (.idb files). It provides read-only access to internal structures such as the B-tree (ID0 section), name address index (NAM section), flags index (ID2 section), and types (TIL section). The library also provides analysis of B-tree entries to expose logical structures like functions, cross references, bytes, and disassembly (via Capstone). An example use for python-idb might be to run IDA scripts in a pure-Python environment.

Willem Hengeveld ([email protected]) provided the initial research into the low-level structures in his projects pyidbutil and idbutil. Willem deserves substantial credit for reversing the .idb file format and publishing his results online. This project heavily borrows from his knowledge, though there is little code overlap.

example use:

example: list function names

In this example, we list the effective addresses and names of functions:

In [4]: import idb
   ...: with idb.from_file('./data/kernel32/kernel32.idb') as db:
   ...:     api = idb.IDAPython(db)
   ...:     for ea in api.idautils.Functions():
   ...:         print('%x: %s' % (ea, api.idc.GetFunctionName(ea)))

Out [4]: 68901010: GetStartupInfoA
         689011df: Sleep
         68901200: MulDiv
         68901320: SwitchToFiber
         6890142c: GetTickCount
         6890143a: ReleaseMutex
         68901445: WaitForSingleObject
         68901450: GetCurrentThreadId
         ...

Note that we create an emulated instance of the IDAPython scripting interface, and use this to invoke idc and idautils routines to fetch data.
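As an added example (not part of the README or the project's own code), the same emulated idautils/idc calls used above feed two checks worth running before relying on a database someone else hands you: how much of it is actually named rather than left at IDA's auto-generated sub_ names, and whether the sample on disk is the input file the .idb was built from. It assumes Python 3 and that idb.analysis.Root(db).md5 returns the hex MD5 IDA recorded in the root metadata; the rest follows the README's calls.

```python
import hashlib
import re
import sys

# IDA's auto-generated names for unnamed functions/locations (prefix_hexaddress).
AUTO_NAME = re.compile(r"^(sub|loc|unk|off|byte|word|dword|qword)_[0-9A-Fa-f]+$")


def function_names(api):
    """Yield (ea, name) for every function via the emulated idautils/idc
    modules that idb.IDAPython(db) exposes (the README's own calls)."""
    for ea in api.idautils.Functions():
        yield ea, api.idc.GetFunctionName(ea)


def naming_summary(pairs):
    """Split functions into IDA auto-names (sub_401000) and real names.
    The share of named functions is a quick gauge of how far a shared .idb
    was actually analyzed before its conclusions go into a report."""
    auto, named = [], []
    for ea, name in pairs:
        (auto if AUTO_NAME.match(name or "") else named).append((ea, name))
    total = len(auto) + len(named)
    return {"auto": auto, "named": named,
            "named_ratio": (len(named) / total) if total else 0.0}


def input_matches(recorded_md5, sample_bytes):
    """Compare the MD5 IDA stored for the original input file against the
    bytes of the sample handed over alongside the .idb."""
    return hashlib.md5(sample_bytes).hexdigest() == recorded_md5.strip().lower()


def main(idb_path, sample_path=None):
    import idb            # python-idb; imported here so the helpers above work without it
    import idb.analysis   # assumption: Root(db).md5 is the hex MD5 from the root metadata
    with idb.from_file(idb_path) as db:
        api = idb.IDAPython(db)
        s = naming_summary(function_names(api))
        print("%d functions, %d auto-named, %.0f%% named"
              % (len(s["auto"]) + len(s["named"]), len(s["auto"]), 100 * s["named_ratio"]))
        for ea, name in s["named"][:10]:
            print("%x: %s" % (ea, name))
        if sample_path:
            with open(sample_path, "rb") as f:
                ok = input_matches(idb.analysis.Root(db).md5, f.read())
            print("sample matches the .idb's recorded input file:", ok)


if __name__ == "__main__":
    main(*sys.argv[1:3])
```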

example: run an existing IDAPython script

In this example, we run the yara_fn.py IDAPython script to generate a YARA rule for the function at effective address 0x68901695 in kernel32.idb:


The target script yara_fn.py has only been slightly modified: to make it Python 3.x compatible, and to use the modern IDAPython modules, such as ida_bytes.GetManyBytes rather than idc.GetManyBytes.

what works

  • ~250 unit tests that demonstrate functionality including file format, B-tree, analysis, and idaapi features.
  • read-only parsing of .idb and .i64 files from IDA Pro v5.0 to v7.5
    • extraction of file sections
    • B-tree lookups and queries (ID0 section)
    • flag enumeration (ID1 section)
    • named address listing (NAM section)
    • types parsing (TIL section)
  • analysis of artifacts that reconstructs logical elements, including:
    • root metadata
    • loader metadata
    • entry points
    • functions
    • structures
    • cross references
    • fixups
    • segments
  • partial implementation of the IDAPython API, including:
    • Names
    • Heads
    • Segs
    • GetMnem (via Capstone)
    • Functions
    • FlowChart (basic blocks)
    • lots and lots of flags
  • Python 2.7 & 3.x compatibility
  • zlib-packed idb/i64 files

what will never work

  • write access

getting started

python-idb is a pure-Python library, with the exception of Capstone (required only when calling disassembly APIs). You can install it via pip or setup.py install, both of which should handle dependency resolution:
 $ cd ~/Downloads/python-idb/
 $ python setup.py install
 $ python scripts/run_ida_script.py  ~/tools/yara_fn.py  ~/Downloads/kernel32.idb
   ... profit! ...

While most python-idb functions have meaningful docstrings, there is not yet a comprehensive documentation website. However, the unit tests demonstrate functionality that you'll probably find useful.

Someone interested in learning the file format and contributing to the project should review the idb.fileformat module & tests. Those that are looking to extract meaningful information from existing .idb files probably should look at the idb.analysis and idb.idapython modules & tests.

Please report issues or feature requests through Github's bug tracker associated with the project.

license

python-idb is licensed under the Apache License, Version 2.0. This means it is freely available for use and modification in a personal and professional capacity.
