Being able to run IDA scripts from the command line is very useful, but can be a bit kludgy. Fortunately, idascript was written to simplify this process. Unfortunately (for me), it was written for Windows.
Since I work primarily in a Linux environment, I re-wrote the idascript utility in Python. I also added a few features to the idascript Python module, for convenience:
- Script arguments are accessible via the normal sys.argv
- The script can be terminated via the normal sys.exit function
- The directory to your collection of IDA scripts (specified during install) is added to sys.path
Installation is straightforward:

    eve@eve:~/idascript$ sudo ./install.py
    Absolute path to your IDA install directory: /opt/ida/bin
    Absolute path to the directory where you usually keep all your IDA scripts: /opt/ida/scripts
    IDA_INSTALL_PATH = /opt/ida/bin
    IDA_SCRIPT_PATH = /opt/ida/scripts
    IDA_OUT_FILE = /tmp/idaout.txt

Using existing IDAPython scripts with idascript is as easy as importing the idascript module:
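
    # Provides the sys.argv, sys.exit and sys.path conveniences listed above
    import idascript

    # XrefsTo, LocByName and GetDisasm are IDAPython built-ins
    print "Cross references to strcpy:"
    for xref in XrefsTo(LocByName("strcpy")):
        print "0x%.8X %s" % (xref.frm, GetDisasm(xref.frm))
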
And usage of idascript itself is the same as the original idascript utility:

    eve@eve:~$ idascript ./target.idb ./strcpy.py
    Cross references to strcpy:
    0x00407F68 jalr $t9 ; strcpy
    0x0040B9B8 jalr $t9 ; strcpy
    0x0040E5BC jr $t9 ; strcpy
    0x0041D448 jalr $t9 ; strcpy
    0x00422C04 jalr $t9 ; strcpy
    0x00422D04 jalr $t9 ; strcpy
    0x00424C4C jalr $t9 ; strcpy
    0x00425400 jalr $t9 ; strcpy
    0x00430358 jalr $t9 ; strcpy
    0x0043045C jalr $t9 ; strcpy
    0x00434118 jalr $t9 ; strcpy
    0x00436A30 jalr $t9 ; strcpy
    0x0043CE48 jalr $t9 ; strcpy
    0x00407F58 la $t9, strcpy
    0x0040B9AC la $t9, strcpy
    0x0040E598 la $t9, strcpy
    0x0041D440 la $t9, strcpy
    0x00422BF8 la $t9, strcpy
    0x00422CF8 la $t9, strcpy
    0x00422D74 la $t9, strcpy
    0x00424C44 la $t9, strcpy
    0x004253F0 la $t9, strcpy
    0x004302D8 la $t9, strcpy
    0x00430454 la $t9, strcpy
    0x00434110 la $t9, strcpy
    0x00436A28 la $t9, strcpy
    0x0043CE40 la $t9, strcpy
    0x00498ECC .word strcpy
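
Because the output lands on stdout, it can be post-processed outside IDA. The following is an added example, not part of idascript or the original post: in the listing above most strcpy calls appear twice, once as the `la $t9, strcpy` load and once as the `jalr`/`jr` transfer, so this script pairs them to count each call site once and sets aside loads with no nearby transfer and data references for manual review. The `triage` function, the result keys and the 0x100-byte pairing window are assumptions of this example.

```python
import re

# Sample input: a subset of the strcpy.py output lines shown above.
SAMPLE = """\
Cross references to strcpy:
0x00407F68 jalr $t9 ; strcpy
0x0040E5BC jr $t9 ; strcpy
0x00422D04 jalr $t9 ; strcpy
0x00407F58 la $t9, strcpy
0x0040E598 la $t9, strcpy
0x00422CF8 la $t9, strcpy
0x00422D74 la $t9, strcpy
0x00498ECC .word strcpy
"""

LINE = re.compile(r"^0x([0-9A-Fa-f]{8})\s+(\S+)")
WINDOW = 0x100  # assumed maximum distance between the load and the transfer

def triage(text, window=WINDOW):
    """Pair each 'la' with the first unused jalr/jr that follows it within window."""
    loads, transfers, data = [], [], []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header, prompt or blank line
        addr, mnem = int(m.group(1), 16), m.group(2)
        if mnem == "la":
            loads.append(addr)
        elif mnem in ("jalr", "jr"):
            transfers.append((addr, mnem))
        else:
            data.append(addr)  # e.g. a .word entry holding strcpy's address
    transfers.sort()
    calls, unpaired = [], []
    for load in sorted(loads):
        match = next((t for t in transfers if 0 < t[0] - load <= window), None)
        if match:
            transfers.remove(match)  # each transfer belongs to one load only
            calls.append((load, match[0], match[1]))
        else:
            unpaired.append(load)
    return {"calls": calls, "loads_only": unpaired,
            "transfers_only": transfers, "data": sorted(data)}

if __name__ == "__main__":
    r = triage(SAMPLE)
    for load, xfer, mnem in r["calls"]:
        print("call   la=0x%08X %s=0x%08X" % (load, mnem, xfer))
    print("review", [hex(a) for a in r["loads_only"] + r["data"]])
```

Run over the full listing above, the same logic leaves 0x00422D74 as the one load without a matching transfer.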