IDA Pro Python scripting for reverse engineering. Use when writing IDAPython scripts, analyzing binaries, working with IDA's API for disassembly, decompilation (Hex-Rays), type systems, cross-references, functions, segments, or any IDA database manipulation. Covers ida_* modules (50+), idautils iterators, and common patterns.
Add this skill
npx mdskills install mrexodia/idapythonComprehensive IDAPython reference with modern API patterns, module routing, and concrete examples
1---2name: idapython3description: IDA Pro Python scripting for reverse engineering. Use when writing IDAPython scripts, analyzing binaries, working with IDA's API for disassembly, decompilation (Hex-Rays), type systems, cross-references, functions, segments, or any IDA database manipulation. Covers ida_* modules (50+), idautils iterators, and common patterns.4---56# IDAPython78Use modern `ida_*` modules. Avoid legacy `idc` module.910## Module Router1112| Task | Module | Key Items |13|------|--------|-----------|14| Bytes/memory | `ida_bytes` | `get_bytes`, `patch_bytes`, `get_flags`, `create_*` |15| Functions | `ida_funcs` | `func_t`, `get_func`, `add_func`, `get_func_name` |16| Names | `ida_name` | `set_name`, `get_name`, `demangle_name` |17| Types | `ida_typeinf` | `tinfo_t`, `apply_tinfo`, `parse_decl` |18| Decompiler | `ida_hexrays` | `decompile`, `cfunc_t`, `lvar_t`, ctree visitor |19| Segments | `ida_segment` | `segment_t`, `getseg`, `add_segm` |20| Xrefs | `ida_xref` | `xrefblk_t`, `add_cref`, `add_dref` |21| Instructions | `ida_ua` | `insn_t`, `op_t`, `decode_insn` |22| Stack frames | `ida_frame` | `get_frame`, `define_stkvar` |23| Iteration | `idautils` | `Functions()`, `Heads()`, `XrefsTo()`, `Strings()` |24| UI/dialogs | `ida_kernwin` | `msg`, `ask_*`, `jumpto`, `Choose` |25| Database info | `ida_ida` | `inf_get_*`, `inf_is_64bit()` |26| Analysis | `ida_auto` | `auto_wait`, `plan_and_wait` |27| Flow graphs | `ida_gdl` | `FlowChart`, `BasicBlock` |28| Register tracking | `ida_regfinder` | `find_reg_value`, `reg_value_info_t` |2930## Core Patterns3132### Iterate functions33```python34for ea in idautils.Functions():35 name = ida_funcs.get_func_name(ea)36 func = ida_funcs.get_func(ea)37```3839### Iterate instructions in function40```python41for head in idautils.FuncItems(func_ea):42 insn = ida_ua.insn_t()43 if ida_ua.decode_insn(insn, head):44 print(f"{head:#x}: {insn.itype}")45```4647### Cross-references48```python49for xref in idautils.XrefsTo(ea):50 print(f"{xref.frm:#x} -> {xref.to:#x} type={xref.type}")51```5253### Read/write bytes54```python55data = ida_bytes.get_bytes(ea, size)56ida_bytes.patch_bytes(ea, b"\x90\x90")57```5859### Names60```python61name = ida_name.get_name(ea)62ida_name.set_name(ea, "new_name", ida_name.SN_NOCHECK)63```6465### Decompile function66```python67cfunc = ida_hexrays.decompile(ea)68if cfunc:69 print(cfunc) # pseudocode70 for lvar in cfunc.lvars:71 print(f"{lvar.name}: {lvar.type()}")72```7374### Walk ctree (decompiled AST)75```python76class MyVisitor(ida_hexrays.ctree_visitor_t):77 def visit_expr(self, e):78 if e.op == ida_hexrays.cot_call:79 print(f"Call at {e.ea:#x}")80 return 08182cfunc = ida_hexrays.decompile(ea)83MyVisitor().apply_to(cfunc.body, None)84```8586### Apply type87```python88tif = ida_typeinf.tinfo_t()89if ida_typeinf.parse_decl(tif, None, "int (*)(char *, int)", 0):90 ida_typeinf.apply_tinfo(ea, tif, ida_typeinf.TINFO_DEFINITE)91```9293### Create structure94```python95udt = ida_typeinf.udt_type_data_t()96m = ida_typeinf.udm_t()97m.name = "field1"98m.type = ida_typeinf.tinfo_t(ida_typeinf.BTF_INT32)99m.offset = 0100m.size = 4101udt.push_back(m)102tif = ida_typeinf.tinfo_t()103tif.create_udt(udt, ida_typeinf.BTF_STRUCT)104tif.set_named_type(ida_typeinf.get_idati(), "MyStruct")105```106107### Strings list108```python109for s in idautils.Strings():110 print(f"{s.ea:#x}: {str(s)}")111```112113### Wait for analysis114```python115ida_auto.auto_wait() # Block until autoanalysis completes116```117118## Key Constants119120| Constant | Value/Use |121|----------|-----------|122| `BADADDR` | Invalid address sentinel |123| `ida_name.SN_NOCHECK` | Skip name validation |124| `ida_typeinf.TINFO_DEFINITE` | Force type application |125| `o_reg`, `o_mem`, `o_imm`, `o_displ`, `o_near` | Operand types |126| `dt_byte`, `dt_word`, `dt_dword`, `dt_qword` | Data types |127| `fl_CF`, `fl_CN`, `fl_JF`, `fl_JN`, `fl_F` | Code xref types |128| `dr_R`, `dr_W`, `dr_O` | Data xref types |129130## Critical Rules1311321. **NEVER convert hex/decimal manually** — use `int_convert` MCP tool1332. **Wait for analysis**: Call `ida_auto.auto_wait()` before reading results1343. **Thread safety**: IDA SDK calls must run on main thread (use `@idasync`)1354. **64-bit addresses**: Always assume `ea_t` can be 64-bit136137## Anti-Patterns138139| Avoid | Do Instead |140|-------|------------|141| `idc.*` functions | Use `ida_*` modules |142| Hardcoded addresses | Use names, patterns, or xrefs |143| Manual hex conversion | Use `int_convert` tool |144| Blocking main thread | Use `execute_sync()` for long ops |145| Guessing at types | Derive from disassembly/decompilation |146147## Detailed API Reference148149For comprehensive documentation on any module, read `docs/<module>.md`:150- **High-use**: `ida_bytes`, `ida_funcs`, `ida_hexrays`, `ida_typeinf`, `ida_name`, `idautils`151- **Medium-use**: `ida_segment`, `ida_xref`, `ida_ua`, `ida_frame`, `ida_kernwin`152- **Specialized**: `ida_dbg` (debugger), `ida_nalt` (netnode storage), `ida_regfinder` (register tracking)153154Full RST sources from hex-rays.com available at `docs/<module>.rst`.155
Full transparency — inspect the skill content before installing.