Hex-Rays' blog

Igor’s tip of the week #07: IDA command-line options cheatsheet – Hex Rays

Written by Igor Skochinsky | Sep 17, 2020

Most IDA users probably run IDA as a stand-alone application and use the UI to configure various options. However, it is possible to pass command-line options to it to automate some parts of the process. The full set of options is quite long so we’ll cover the more common and useful ones.

In the examples below, ida can be replaced by ida64 for 64-bit files, or idat (idat64) for console (text-mode) UI.

Simply open a file in IDA

ida <filename>

<filename> can be a new file that you want to disassemble or an existing database. This usage is basically the same as using File > Open or dropping the file onto IDA’s icon. You still need to manually confirm the options in the Load File dialog or any other prompts that IDA displays, but the initial splash screen is skipped.

If you use any additional command-line options, make sure to put them before the filename or they’ll be ignored.

Open a file and auto-select a loader

ida -T<prefix> <filename>

Where <prefix> is a unique prefix of the loader description shown in the Load file dialog. For example, when loading a .NET executable, IDA proposes the following options:

  • Microsoft.Net assembly
  • Portable executable for AMD64 (PE)
  • MS-DOS executable (EXE)
  • Binary file

For each of them, the corresponding-T option could be:

  • -TMicrosoft
  • -TPortable
  • -TMS
  • -TBinary

When the prefix contains a space, use quotes. For example, to load the first slice from a fat Mach-O file:

ida "-TFat Mach-O File, 1" file.macho

In case of archive formats like ZIP, you can specify the archive member to load after a colon (and additional loader names nested as needed). For example, to load the main dex file from an .apk (which is a zip file):

ida -TZIP:classes.dex:Android file.apk

However, it is usually better to pick the APK loader at the top level (especially in the case of multi-dex files)

ida -TAPK file.apk

When -T is specified, the initial load dialog is skipped and IDA proceeds directly to loading the file using the specified loader (but any additional prompts may still be shown).

Auto-accept any prompts, informational messages or warnings

Sometimes you just want to load the file and simply accept all default settings. In such case you can use the -A switch:

ida -A <filename>

This will load the file using autonomous, or batch, mode, where IDA will not display any dialog but accept the default answer in all cases.

In this mode no interactive dialogs will show up after loading is finished (e.g not even “Rename” or “Add comment”). To restore interactivity, execute batch(0) statement in the IDC or Python console at the bottom of IDA’s window.

Batch disassembly

This is an extension of the previous section and is invoked using the -B switch:

ida -B <filename>

IDA will load the file using all default options, wait for the end of auto-analysis, output the disassembly to <filename>.asm and exit after saving the database.

Binary file options

When loading raw binary files, IDA cannot use any of the metadata that is present in higher-level file formats like ELF, PE or Mach-O. In particular, the processor type and loading address cannot be deduced from the file and have to be provided by the user. To speed up your workflow, you can specify them on the command line:

ida -p<processor> -B<base> <filename>

<processor> is one of the processor types supported by IDA.  Some processors also support options after a colon.

<base> is the hexadecimal load base in paragraphs (16-byte quantities). In practice, it means that you should remove the last zero from the full address.

For example, to load a big-endian MIPS firmware at linear address 0xBFC00000:

ida -pmipsb -bBFC0000 firmware.bin

A Cortex-M3 firmware mapped at 0x4000:

ida -parm:ARMv7-M -b400 firmware.bin

Logging

When IDA is running autonomously, you may miss the messages that are usually printed in the Output window but they may contain important informational messages, errors, or warnings. To keep a copy of the messages you can use the -L switch:

ida -B -Lida_batch.log <filename>