IDAPython provides wrappers for a big chunk of IDA SDK. Still, there are some APIs that are not wrapped because of SWIG limitations or just because we didn’t get to them yet. Recently, I needed to test the get_loader_name() API which is not available in IDAPython but I didn’t want to write a full plugin just for one call. For such cases it’s often possible to use the ctypes module to call the function manually.
The IDA APIs are provided by the kernel dynamic library. In Windows, it’s called ida.wll (or ida64.wll), in Linux libida[64].so and on OS X libida[64].dylib. ctypes provides a nice feature that dynamically creates a callable wrapper for a DLL export by treating it as an attribute of a special class instance. Here’s how to get that instance under the three platforms supported by IDA:
import ctypes idaname = "ida64" if __EA64__ else "ida" if sys.platform == "win32": dll = ctypes.windll[idaname + ".wll"] elif sys.platform == "linux2": dll = ctypes.cdll["lib" + idaname + ".so"] elif sys.platform == "darwin": dll = ctypes.cdll["lib" + idaname + ".dylib"]
We use “windll” because IDA APIs use stdcall calling convention on Windows (check the definition of idaapi in pro.h).
Now we just need to call our function just as if it was an attribute of the “dll” object. But first we need to prepare the arguments. Here’s the declaration from loader.hpp:
idaman ssize_t ida_export get_loader_name(char *buf, size_t bufsize);
ctypes provides a convenience functions for creating character buffers:
buf = ctypes.create_string_buffer(256)
And now we can call the function:
dll.get_loader_name(buf, 256)
To retrieve the contents of the buffer as a Python byte string, just use its .raw attribute. The complete script now looks like this:
import ctypes idaname = "ida64" if __EA64__ else "ida" if sys.platform == "win32": dll = ctypes.windll[idaname + ".wll"] elif sys.platform == "linux2": dll = ctypes.cdll["lib" + idaname + ".so"] elif sys.platform == "darwin": dll = ctypes.cdll["lib" + idaname + ".dylib"] buf = ctypes.create_string_buffer(256) dll.get_loader_name(buf, 256) print "loader:", buf.raw
ctypes offers many means to interface with C code, so you can use it to call almost any IDA API.