Module index

Module ida_auto

Functions that work with the autoanalyzer queue.
The autoanalyzer works when IDA is not busy processing the user keystrokes. It has several queues, each queue having its own priority. The analyzer stops when all queues are empty.
A queue contains addresses or address ranges. The addresses are kept sorted by their values. The analyzer will process all addresses from the first queue, then switch to the second queue and so on. There are no limitations on the size of the queues.
This file also contains functions that deal with the IDA status indicator and the autoanalysis indicator. You may use these functions to change the indicator value.

Global variables

var AU_CHLB
12: load signature file (file name is kept separately)
var AU_CODE
1: convert to instruction
var AU_FCHUNK
5: find func chunks
var AU_FINAL
13: final pass
var AU_LBF2
10: the same, second pass
var AU_LBF3
11: the same, third pass
var AU_LIBF
9: apply signature to address
var AU_NONE
placeholder, not used
var AU_PROC
3: convert to procedure start
var AU_TAIL
4: add a procedure tail
var AU_TYPE
8: apply type information
var AU_UNK
0: convert to unexplored
var AU_USD2
7: reanalyze, second pass
var AU_USED
6: reanalyze
var AU_WEAK
2: convert to instruction (ida decision)
var st_Ready
st_Ready = 0
var st_Think
st_Think = 1
var st_Waiting
st_Waiting = 2
var st_Work
st_Work = 3

Functions

def auto_apply_tail(*args) ‑> void
auto_apply_tail(tail_ea, parent_ea)
Plan to apply the tail_ea chunk to the parent
tail_ea: (C++: ea_t) linear address of start of tail
parent_ea: (C++: ea_t) linear address within parent. If BADADDR, automatically try to
find parent via xrefs.
def auto_apply_type(*args) ‑> void
auto_apply_type(caller, callee)
Plan to apply the callee's type to the calling point.
caller: (C++: ea_t)
callee: (C++: ea_t)
def auto_cancel(*args) ‑> void
auto_cancel(ea1, ea2)
Remove an address range (ea1..ea2) from queues AU_CODE, AU_PROC, AU_USED. To remove an address range from other queues use auto_unmark() function. 'ea1' may be higher than 'ea2', the kernel will swap them in this case. 'ea2' doesn't belong to the range.
ea1: (C++: ea_t)
ea2: (C++: ea_t)
def auto_get(*args) ‑> ea_t
auto_get(type, lowEA, highEA) -> ea_t
Retrieve an address from queues regarding their priority. Returns BADADDR if no addresses not lower than 'lowEA' and less than 'highEA' are found in the queues. Otherwise *type will have queue type.
type: (C++: atype_t *)
lowEA: (C++: ea_t)
highEA: (C++: ea_t)
def auto_is_ok(*args) ‑> bool
auto_is_ok() -> bool
Are all queues empty? (i.e. has autoanalysis finished?).
def auto_make_code(*args) ‑> void
auto_make_code(ea)
Plan to make code.
ea: (C++: ea_t)
def auto_make_proc(*args) ‑> void
auto_make_proc(ea)
Plan to make code&function.
ea: (C++: ea_t)
def auto_make_step(*args) ‑> bool
auto_make_step(ea1, ea2) -> bool
Analyze one address in the specified range and return true.
ea1: (C++: ea_t)
ea2: (C++: ea_t)
return: if processed anything. false means that there is nothing to process in
the specified range.
def auto_mark(*args) ‑> void
auto_mark(ea, type)
Put single address into a queue. Queues keep addresses sorted.
ea: (C++: ea_t)
type: (C++: atype_t)
def auto_mark_range(*args) ‑> void
auto_mark_range(start, end, type)
Put range of addresses into a queue. 'start' may be higher than 'end', the kernel will swap them in this case. 'end' doesn't belong to the range.
start: (C++: ea_t)
end: (C++: ea_t)
type: (C++: atype_t)
def auto_postpone_analysis(*args) ‑> bool
auto_postpone_analysis(ea) -> bool
Plan to reanalyze on the second pass The typical usage of this function in emu.cpp is: if ( !auto_postpone_analysis(ea) ) op_offset(ea, 0, ...); (we make an offset only on the second pass)
ea: (C++: ea_t)
def auto_recreate_insn(*args) ‑> int
auto_recreate_insn(ea) -> int
Try to create instruction
ea: (C++: ea_t) linear address of callee
return: the length of the instruction or 0
def auto_unmark(*args) ‑> void
auto_unmark(start, end, type)
Remove range of addresses from a queue. 'start' may be higher than 'end', the kernel will swap them in this case. 'end' doesn't belong to the range.
start: (C++: ea_t)
end: (C++: ea_t)
type: (C++: atype_t)
def auto_wait(*args) ‑> bool
auto_wait() -> bool
Process everything in the queues and return true.
return: false if the user clicked cancel. (the wait box must be displayed by
the caller if desired)
def auto_wait_range(*args) ‑> ssize_t
auto_wait_range(ea1, ea2) -> ssize_t
Process everything in the specified range and return true.
ea1: (C++: ea_t)
ea2: (C++: ea_t)
return: number of autoanalysis steps made. -1 if the user clicked cancel. (the
wait box must be displayed by the caller if desired)
def enable_auto(*args) ‑> bool
enable_auto(enable) -> bool
Temporarily enable/disable autoanalyzer. Not user-facing, but rather because IDA sometimes need to turn AA on/off regardless of inf.s_genflags:INFFL_AUTO
enable: (C++: bool)
return: old state
def get_auto_display(*args) ‑> bool
get_auto_display(auto_display) -> bool
Get structure which holds the autoanalysis indicator contents.
auto_display: (C++: auto_display_t *)
def get_auto_state(*args) ‑> atype_t
get_auto_state() -> atype_t
Get current state of autoanalyzer. If auto_state == AU_NONE, IDA is currently not running the analysis (it could be temporarily interrupted to perform the user's requests, for example).
def is_auto_enabled(*args) ‑> bool
is_auto_enabled() -> bool
Get autoanalyzer state.
def may_create_stkvars(*args) ‑> bool
may_create_stkvars() -> bool
Is it allowed to create stack variables automatically?. This function should be used by IDP modules before creating stack vars.
def may_trace_sp(*args) ‑> bool
may_trace_sp() -> bool
Is it allowed to trace stack pointer automatically?. This function should be used by IDP modules before tracing sp.
def peek_auto_queue(*args) ‑> ea_t
peek_auto_queue(low_ea, type) -> ea_t
Peek into a queue 'type' for an address not lower than 'low_ea'. Do not remove address from the queue.
low_ea: (C++: ea_t)
type: (C++: atype_t)
return: the address or BADADDR
def plan_and_wait(*args) ‑> int
plan_and_wait(ea1, ea2, final_pass=True) -> int
Analyze the specified range. Try to create instructions where possible. Make the final pass over the specified range if specified. This function doesn't return until the range is analyzed.
retval 1: ok
retval 0: Ctrl-Break was pressed
ea1: (C++: ea_t)
ea2: (C++: ea_t)
final_pass: (C++: bool)
def plan_ea(*args) ‑> void
plan_ea(ea)
Plan to perform reanalysis.
ea: (C++: ea_t)
def plan_range(*args) ‑> void
plan_range(sEA, eEA)
Plan to perform reanalysis.
sEA: (C++: ea_t)
eEA: (C++: ea_t)
def reanalyze_callers(*args) ‑> void
reanalyze_callers(ea, noret)
Plan to reanalyze callers of the specified address. This function will add to AU_USED queue all instructions that call (not jump to) the specified address.
ea: (C++: ea_t) linear address of callee
noret: (C++: bool) !=0: the callee doesn't return, mark to undefine subsequent
instructions in the caller. 0: do nothing.
def revert_ida_decisions(*args) ‑> void
revert_ida_decisions(ea1, ea2)
Delete all analysis info that IDA generated for for the given range.
ea1: (C++: ea_t)
ea2: (C++: ea_t)
def set_auto_state(*args) ‑> atype_t
set_auto_state(new_state) -> atype_t
Set current state of autoanalyzer.
new_state: (C++: atype_t) new state of autoanalyzer
return: previous state
def set_ida_state(*args) ‑> idastate_t
set_ida_state(st) -> idastate_t
Change IDA status indicator value
st: (C++: idastate_t) - new indicator status
return: old indicator status
def show_addr(*args) ‑> void
show_addr(ea)
Show an address on the autoanalysis indicator. The address is displayed in the form " @:12345678".
ea: (C++: ea_t) - linear address to display
def show_auto(*args) ‑> void
show_auto(ea, type=AU_NONE)
Change autoanalysis indicator value.
ea: (C++: ea_t) linear address being analyzed
type: (C++: atype_t) autoanalysis type (see Autoanalysis queues)

Classes

class auto_display_t (*args)
Proxy of C++ auto_display_t class.
__init__(self) -> auto_display_t

Instance variables

var ea
ea
var state
state
var type
type