idapython

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

IDAPython

Use modern

ida_*

modules. Avoid legacy

idc

module.

使用现代的

ida_*

模块，避免使用旧版的

idc

模块。

Module Router

模块路由表

Task	Module	Key Items
Bytes/memory	`ida_bytes`	`get_bytes` , `patch_bytes` , `get_flags` , `create_*`
Functions	`ida_funcs`	`func_t` , `get_func` , `add_func` , `get_func_name`
Names	`ida_name`	`set_name` , `get_name` , `demangle_name`
Types	`ida_typeinf`	`tinfo_t` , `apply_tinfo` , `parse_decl`
Decompiler	`ida_hexrays`	`decompile` , `cfunc_t` , `lvar_t` , ctree visitor
Segments	`ida_segment`	`segment_t` , `getseg` , `add_segm`
Xrefs	`ida_xref`	`xrefblk_t` , `add_cref` , `add_dref`
Instructions	`ida_ua`	`insn_t` , `op_t` , `decode_insn`
Stack frames	`ida_frame`	`get_frame` , `define_stkvar`
Iteration	`idautils`	`Functions()` , `Heads()` , `XrefsTo()` , `Strings()`
UI/dialogs	`ida_kernwin`	`msg` , `ask_*` , `jumpto` , `Choose`
Database info	`ida_ida`	`inf_get_*` , `inf_is_64bit()`
Analysis	`ida_auto`	`auto_wait` , `plan_and_wait`
Flow graphs	`ida_gdl`	`FlowChart` , `BasicBlock`
Register tracking	`ida_regfinder`	`find_reg_value` , `reg_value_info_t`

任务	模块	核心内容
字节/内存	`ida_bytes`	`get_bytes` , `patch_bytes` , `get_flags` , `create_*`
函数	`ida_funcs`	`func_t` , `get_func` , `add_func` , `get_func_name`
命名	`ida_name`	`set_name` , `get_name` , `demangle_name`
类型	`ida_typeinf`	`tinfo_t` , `apply_tinfo` , `parse_decl`
反编译	`ida_hexrays`	`decompile` , `cfunc_t` , `lvar_t` , ctree visitor
段	`ida_segment`	`segment_t` , `getseg` , `add_segm`
交叉引用	`ida_xref`	`xrefblk_t` , `add_cref` , `add_dref`
指令	`ida_ua`	`insn_t` , `op_t` , `decode_insn`
栈帧	`ida_frame`	`get_frame` , `define_stkvar`
迭代	`idautils`	`Functions()` , `Heads()` , `XrefsTo()` , `Strings()`
UI/对话框	`ida_kernwin`	`msg` , `ask_*` , `jumpto` , `Choose`
数据库信息	`ida_ida`	`inf_get_*` , `inf_is_64bit()`
分析	`ida_auto`	`auto_wait` , `plan_and_wait`
流程图	`ida_gdl`	`FlowChart` , `BasicBlock`
寄存器追踪	`ida_regfinder`	`find_reg_value` , `reg_value_info_t`

Core Patterns

核心使用模式

Iterate functions

遍历函数

python

for ea in idautils.Functions():
    name = ida_funcs.get_func_name(ea)
    func = ida_funcs.get_func(ea)

python

for ea in idautils.Functions():
    name = ida_funcs.get_func_name(ea)
    func = ida_funcs.get_func(ea)

Iterate instructions in function

遍历函数中的指令

python

for head in idautils.FuncItems(func_ea):
    insn = ida_ua.insn_t()
    if ida_ua.decode_insn(insn, head):
        print(f"{head:#x}: {insn.itype}")

python

for head in idautils.FuncItems(func_ea):
    insn = ida_ua.insn_t()
    if ida_ua.decode_insn(insn, head):
        print(f"{head:#x}: {insn.itype}")

Cross-references

交叉引用

python

for xref in idautils.XrefsTo(ea):
    print(f"{xref.frm:#x} -> {xref.to:#x} type={xref.type}")

python

for xref in idautils.XrefsTo(ea):
    print(f"{xref.frm:#x} -> {xref.to:#x} type={xref.type}")

Read/write bytes

读取/写入字节

python

data = ida_bytes.get_bytes(ea, size)
ida_bytes.patch_bytes(ea, b"\x90\x90")

python

data = ida_bytes.get_bytes(ea, size)
ida_bytes.patch_bytes(ea, b"\x90\x90")

Names

命名操作

python

name = ida_name.get_name(ea)
ida_name.set_name(ea, "new_name", ida_name.SN_NOCHECK)

python

name = ida_name.get_name(ea)
ida_name.set_name(ea, "new_name", ida_name.SN_NOCHECK)

Decompile function

反编译函数

python

cfunc = ida_hexrays.decompile(ea)
if cfunc:
    print(cfunc)  # pseudocode
    for lvar in cfunc.lvars:
        print(f"{lvar.name}: {lvar.type()}")

python

cfunc = ida_hexrays.decompile(ea)
if cfunc:
    print(cfunc)  # 伪代码
    for lvar in cfunc.lvars:
        print(f"{lvar.name}: {lvar.type()}")

Walk ctree (decompiled AST)

遍历反编译AST（ctree）

python

class MyVisitor(ida_hexrays.ctree_visitor_t):
    def visit_expr(self, e):
        if e.op == ida_hexrays.cot_call:
            print(f"Call at {e.ea:#x}")
        return 0

cfunc = ida_hexrays.decompile(ea)
MyVisitor().apply_to(cfunc.body, None)

python

class MyVisitor(ida_hexrays.ctree_visitor_t):
    def visit_expr(self, e):
        if e.op == ida_hexrays.cot_call:
            print(f"Call at {e.ea:#x}")
        return 0

cfunc = ida_hexrays.decompile(ea)
MyVisitor().apply_to(cfunc.body, None)

Apply type

应用类型

python

tif = ida_typeinf.tinfo_t()
if ida_typeinf.parse_decl(tif, None, "int (*)(char *, int)", 0):
    ida_typeinf.apply_tinfo(ea, tif, ida_typeinf.TINFO_DEFINITE)

python

tif = ida_typeinf.tinfo_t()
if ida_typeinf.parse_decl(tif, None, "int (*)(char *, int)", 0):
    ida_typeinf.apply_tinfo(ea, tif, ida_typeinf.TINFO_DEFINITE)

Create structure

创建结构体

python

udt = ida_typeinf.udt_type_data_t()
m = ida_typeinf.udm_t()
m.name = "field1"
m.type = ida_typeinf.tinfo_t(ida_typeinf.BTF_INT32)
m.offset = 0
m.size = 4
udt.push_back(m)
tif = ida_typeinf.tinfo_t()
tif.create_udt(udt, ida_typeinf.BTF_STRUCT)
tif.set_named_type(ida_typeinf.get_idati(), "MyStruct")

python

udt = ida_typeinf.udt_type_data_t()
m = ida_typeinf.udm_t()
m.name = "field1"
m.type = ida_typeinf.tinfo_t(ida_typeinf.BTF_INT32)
m.offset = 0
m.size = 4
udt.push_back(m)
tif = ida_typeinf.tinfo_t()
tif.create_udt(udt, ida_typeinf.BTF_STRUCT)
tif.set_named_type(ida_typeinf.get_idati(), "MyStruct")

Strings list

字符串列表

python

for s in idautils.Strings():
    print(f"{s.ea:#x}: {str(s)}")

python

for s in idautils.Strings():
    print(f"{s.ea:#x}: {str(s)}")

Wait for analysis

等待分析完成

python

ida_auto.auto_wait()  # Block until autoanalysis completes

python

ida_auto.auto_wait()  # 阻塞直到自动分析完成

Key Constants

关键常量

Constant	Value/Use
`BADADDR`	Invalid address sentinel
`ida_name.SN_NOCHECK`	Skip name validation
`ida_typeinf.TINFO_DEFINITE`	Force type application
`o_reg` , `o_mem` , `o_imm` , `o_displ` , `o_near`	Operand types
`dt_byte` , `dt_word` , `dt_dword` , `dt_qword`	Data types
`fl_CF` , `fl_CN` , `fl_JF` , `fl_JN` , `fl_F`	Code xref types
`dr_R` , `dr_W` , `dr_O`	Data xref types

常量	值/用途
`BADADDR`	无效地址标记
`ida_name.SN_NOCHECK`	跳过名称验证
`ida_typeinf.TINFO_DEFINITE`	强制应用类型
`o_reg` , `o_mem` , `o_imm` , `o_displ` , `o_near`	操作数类型
`dt_byte` , `dt_word` , `dt_dword` , `dt_qword`	数据类型
`fl_CF` , `fl_CN` , `fl_JF` , `fl_JN` , `fl_F`	代码交叉引用类型
`dr_R` , `dr_W` , `dr_O`	数据交叉引用类型

Critical Rules

重要规则

NEVER convert hex/decimal manually — use
```
int_convert
```
MCP tool
Wait for analysis: Call
```
ida_auto.auto_wait()
```
before reading results
Thread safety: IDA SDK calls must run on main thread (use
```
@idasync
```
)
64-bit addresses: Always assume
```
ea_t
```
can be 64-bit

绝对不要手动转换十六进制/十进制 — 使用
```
int_convert
```
MCP工具
等待分析完成：读取结果前调用
```
ida_auto.auto_wait()
```
线程安全：IDA SDK调用必须在主线程运行（使用
```
@idasync
```
）
64位地址：始终假设
```
ea_t
```
为64位

Anti-Patterns

反模式

Avoid	Do Instead
`idc.*` functions	Use `ida_*` modules
Hardcoded addresses	Use names, patterns, or xrefs
Manual hex conversion	Use `int_convert` tool
Blocking main thread	Use `execute_sync()` for long ops
Guessing at types	Derive from disassembly/decompilation

需避免的做法	推荐做法
`idc.*` 函数	使用 `ida_*` 模块
硬编码地址	使用名称、模式或交叉引用
手动十六进制转换	使用 `int_convert` 工具
阻塞主线程	长操作使用 `execute_sync()`
猜测类型	从反汇编/反编译结果推导

Detailed API Reference

详细API参考

For comprehensive documentation on any module, read

docs/<module>.md

High-use:

ida_bytes

ida_funcs

ida_hexrays

ida_typeinf

ida_name

idautils

Medium-use:

ida_segment

ida_xref

ida_ua

ida_frame

ida_kernwin

Specialized:
```
ida_dbg
```
(debugger),
```
ida_nalt
```
(netnode storage),
```
ida_regfinder
```
(register tracking)

Full RST sources from hex-rays.com available at

docs/<module>.rst

如需任何模块的完整文档，请查看

docs/<module>.md

：

高频使用：

ida_bytes

ida_funcs

ida_hexrays

ida_typeinf

ida_name

idautils

中频使用：

ida_segment

ida_xref

ida_ua

ida_frame

ida_kernwin

特殊用途：
```
ida_dbg
```
（调试器）、
```
ida_nalt
```
（网络节点存储）、
```
ida_regfinder
```
（寄存器追踪）

完整的RST源文件可从hex-rays.com获取，路径为

docs/<module>.rst

。