grep

`grep` is IDASQL's entity-search surface. Use it to discover named functions, labels, segments, structs, enums, and members before pivoting into xrefs, decompiler, or type work.

Trigger Intents

Use this skill when the user asks to:
  • find functions, labels, types, or members by name
  • search by prefix/substring, such as `sub_`, `EH`, `Zw`, `CreateFile`, or `main`
  • page through search results quickly
  • seed table-native xref/decompiler/type workflows from name discovery

Route to:
  • `xrefs` after locating a candidate callee/import/function and needing its callers/callees/references
  • `decompiler` after choosing a candidate function to inspect semantically
  • `types` when the hit is a struct/enum/member you need to inspect or edit

Do This First (Quick Start)

```sql
-- 1) Start with a structured search while you learn the result shape
SELECT name, kind, address
FROM grep
WHERE pattern = 'main'
ORDER BY kind, name
LIMIT 20;
```

```sql
-- 2) Narrow immediately when the result set is noisy
SELECT name, ordinal, full_name
FROM grep
WHERE pattern = 'EH%' AND kind = 'struct'
ORDER BY name;
```

```sql
-- 3) Page with ordinary SQL
SELECT name, kind, address
FROM grep
WHERE pattern = 'sub_%'
ORDER BY kind, name
LIMIT 10 OFFSET 10;
```

Interpretation guidance:
  • `grep` is a table. Use normal SQL for filtering, sorting, joining, grouping, and paging.
  • For downstream parsing, select rows directly instead of wrapping the results in JSON.

Result Shape

`grep` exposes named IDA entities as rows with these columns:
  • name
  • kind
  • address
  • ordinal
  • parent_name
  • full_name

Common `kind` values:
  • function
  • label
  • segment
  • struct
  • union
  • enum
  • member
  • enum_member

Pattern Rules

  • Matching is case-insensitive.
  • Plain text becomes a contains-match.
  • `%` matches any substring.
  • `_` matches a single character.
  • `*` is accepted and normalized to `%`.
  • An empty pattern returns no rows.
  • This is not regex.
  • This is unrelated to `byte_search`.

Examples:

```sql
-- Contains-match
SELECT name, kind
FROM grep
WHERE pattern = 'main'
LIMIT 20;
```

```sql
-- Prefix wildcard
SELECT name, kind, address
FROM grep
WHERE pattern = 'sub_%'
ORDER BY name
LIMIT 20;
```

```sql
-- Shell-style star is accepted too
SELECT name, kind
FROM grep
WHERE pattern = 'Zw*'
LIMIT 20;
```
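The pattern rules above, modelled as an added Python example (illustrative, not IDASQL's own matching code) so the wildcard semantics can be checked against constructed names before a query is run. The page does not say how `_` interacts with the plain-text rule; this model assumes only `%` (after `*` normalization) stops a pattern from being plain text, and the sample names are constructed.

```python
import re
from typing import List, Optional

# Constructed sample names standing in for what the grep table would expose; not from a real IDB.
SAMPLE_NAMES = [
    "main", "_main", "WinMain",
    "sub_401000", "sub_4010A0", "subroutine_helper",
    "ZwCreateFile", "ZwClose", "CreateFileW",
    "EH_Record", "EHRegistrationNode",
    "flags", "flag_bits",
]


def pattern_to_regex(pattern: str) -> Optional[re.Pattern]:
    """Translate a grep pattern into a regex following the documented rules.

    Illustrative model only, not IDASQL's implementation:
      - '*' is normalized to '%'
      - '%' matches any substring, '_' matches exactly one character
      - a pattern with no '%' is plain text and becomes a contains-match
        (assumption: a '_' on its own does not stop a pattern being plain text)
      - matching is case-insensitive
      - an empty pattern matches nothing, signalled here by None
    """
    if pattern == "":
        return None
    pattern = pattern.replace("*", "%")
    if "%" not in pattern:
        pattern = f"%{pattern}%"  # plain text -> contains-match
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # everything else is literal; this is not regex
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def grep_names(names: List[str], pattern: str) -> List[str]:
    """Return the names the pattern would match, in input order."""
    rx = pattern_to_regex(pattern)
    if rx is None:
        return []  # empty pattern returns no rows
    return [n for n in names if rx.match(n)]


if __name__ == "__main__":
    for p in ["main", "_main", "sub_%", "Zw*", "EH%", "createfile", ""]:
        print(f"{p!r:>12} -> {grep_names(SAMPLE_NAMES, p)}")
```

Under these rules the `_` in `sub_%` is itself a wildcard, so that pattern also returns names such as `subroutine_helper`; add `kind = 'function'` or check the name downstream when the distinction matters.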

Common Workflows

Find candidate functions by name

```sql
SELECT name, address
FROM grep
WHERE pattern = 'main%' AND kind = 'function'
ORDER BY name;
```
Resolve imported APIs

```sql
SELECT module, name, address
FROM imports
WHERE name LIKE 'CreateFile%'
ORDER BY module, name;
```
Find types by convention

```sql
SELECT name, kind, ordinal, full_name
FROM grep
WHERE pattern = 'EH%' AND kind IN ('struct', 'enum')
ORDER BY kind, name;
```
Find members under a parent type

```sql
SELECT name, parent_name, ordinal
FROM grep
WHERE pattern = 'flag%' AND kind = 'member'
ORDER BY parent_name, name
LIMIT 30;
```
Join into richer function metadata

```sql
SELECT g.name, f.size, f.prototype
FROM grep g
JOIN funcs f ON f.address = g.address
WHERE g.pattern = 'sub_%' AND g.kind = 'function'
ORDER BY f.size DESC
LIMIT 20;
```
Pivot from discovery into xrefs

```sql
SELECT caller_name, printf('0x%X', caller_addr) AS from_addr
FROM callers
WHERE func_addr = (
    SELECT address
    FROM imports
    WHERE name = 'CreateFileW'
    ORDER BY name
    LIMIT 1
);
```

Compare With Other Search Surfaces

  • Use `grep` for named entities discovered by IDA.
  • Use `strings` when you need literal string contents.
  • Use `byte_search` when you need raw bytes or opcode patterns.
  • Use `xrefs` after discovery when the real question is "who references this?"

Failure and Recovery

  • Too many hits: add `kind = ...`, tighten the prefix, or switch from plain text to a more specific wildcard pattern.
  • No hits for an expected symbol: broaden the pattern, try a contains search, or pivot to `imports` if the target may only exist as an imported API.
  • Need to search comments, pseudocode text, or string contents: `grep` is the wrong surface; pivot to `strings`, decompiler tables, or other domain tables.
  • Need bytes/opcodes: use `byte_search` instead of `grep`.