IDAPython

IDAPython is a plug-in developed by Gergely Erdelyi that integrates a Python interpreter into IDA. Combined with supplied Python bindings, this plug-in allows you to write Python scripts with full access to all of the capabilities of the IDC scripting language. One clear advantage gained with IDAPython is access to Python’s native data-handling capabilities as well as the full range of Python modules. In addition, IDAPython exposes a significant portion of IDA’s SDK functionality, allowing for far more powerful scripting than is possible using IDC. IDAPython has developed quite a following in the IDA community. Ilfak’s blog[106] contains numerous interesting examples of problem solving with Python scripts, while questions, answers, and many other useful IDAPython scripts are frequently posted in the forums at OpenRCE.org.[107] In addition, third-party tools such as BinNavi[108] from Zynamics rely on IDA and IDAPython in order to perform various subtasks required by the tools.

Since IDA 5.4, Hex-Rays has been including IDAPython as a standard plug-in. Source code for the plug-in is available for download on the IDA-Python project page,[109] and API documentation is available on the Hex-Rays website.[110] IDA enables the plug-in only when Python is found to be installed on the computer on which you are running IDA. The Windows version of IDA ships with and installs a compatible version of Python,[111] while the Linux and OS X versions of IDA leave proper installation of Python up to you. On Linux, the current version of IDA (6.1) looks for Python 2.6. IDAPython is compatible with Python 2.7, and IDA will work just fine if you create symlinks from the required Python 2.6 libraries to your existing Python 2.7 libraries. If you have Python 2.7, a command similar to the following will create the symlink that will make IDA happy:

# ln -s /usr/lib/libpython2.7.so.1.0 /usr/lib/libpython2.6.so.1

OS X users may find that the version of Python that ships with OS X is older than that required by IDA. If this is the case, a suitable Python installer should be downloaded from www.python.org.[112]

Using IDAPython

IDAPython bridges Python code into IDA by making available three Python modules, each serving a specific purpose. Access to the core IDA API (as exposed via the SDK) is made available with the idaapi module. All of the functions present in IDC are made available in IDAPython’s idc module. The third module that ships with IDAPython is idautils, which provides a number of utility functions, many of which yield Python lists of various database-related objects such as functions or cross-references. Modules idc and idautils are automatically imported for all IDAPython scripts. If you need idaapi, on the other hand, you must import it yourself.

When using IDAPython, keep in mind that the plug-in embeds a single instance of the Python interpreter into IDA. This interpreter is not destroyed until you close IDA. As a result, you can view all of your scripts and statements as if they are running within a single Python shell session. For example, once you have imported the idaapi module for the first time in your IDA session, you need never import it again until you restart IDA. Similarly, initialized variables and function definitions retain their values until they are redefined or until you quit IDA.
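The single-interpreter behavior described above can be modeled outside IDA. This added example (not code from the book or from IDAPython) uses a hypothetical Session class holding one shared namespace, with the standard json module standing in for idaapi. It shows a script that works only because an earlier script ran in the same session, and that fails once the session is restarted.

```python
# Model of one embedded interpreter: every "script" runs in the same
# namespace, which lives until the session (IDA) is closed. Session and the
# script strings are constructed here; json stands in for idaapi.

class Session:
    """One long-lived interpreter namespace, as in a single IDA run."""

    def __init__(self):
        self.ns = {"__name__": "__main__"}

    def run(self, source):
        """Run a script in the shared namespace; return None or the error name."""
        try:
            exec(compile(source, "<script>", "exec"), self.ns)
        except Exception as exc:
            return type(exc).__name__
        return None

# Script A imports a module and leaves a variable and a function behind.
SCRIPT_A = """
import json                      # stand-in for 'import idaapi'
seen = ["sub_401000"]            # constructed sample value
def remember(name):
    seen.append(name)
"""

# Script B silently depends on what script A left in the namespace.
SCRIPT_B = """
remember("sub_401020")
report = json.dumps(seen)
"""

# Script B made self-contained: it imports and defines what it uses.
SCRIPT_B_FIXED = """
import json
seen = ["sub_401020"]
report = json.dumps(seen)
"""

def demo():
    same = Session()
    first = same.run(SCRIPT_A)           # populates the namespace
    second = same.run(SCRIPT_B)          # works only because A ran first
    fresh = Session()                    # models restarting IDA
    after_restart = fresh.run(SCRIPT_B)  # 'remember' no longer exists
    fixed = fresh.run(SCRIPT_B_FIXED)
    return first, second, same.ns["report"], after_restart, fixed, fresh.ns["report"]
```

A script that imports and initializes everything it uses behaves the same in a long-running session and in a fresh one, which matters when analysis scripts are shared or rerun later.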

There are a number of strategies for learning IDA’s Python API. If you already have some experience using IDC or programming with the IDA SDK, then you should feel right at home with the idaapi and idc modules. A quick review of the additional features in the idautils module should be all you really need to start making full use of IDAPython. If you have prior experience with IDC or the SDK, then you might dive into the Hex-Rays documentation for the Python API to develop a feel for the capabilities it offers. Remember that the idc module basically mirrors the IDC API and that you may find the list of IDC functions in IDA’s built-in help to be quite useful. Similarly, the descriptions of IDC functions presented earlier in this chapter are equally applicable to the corresponding functions in the idc module.
