We briefly covered batch mode last time, but the basic functionality is not always enough, so let’s discuss how to customize it.
Basic usage
To recap, batch mode can be invoked with this command line:
ida -B -Lida.log <other switches> <filename>
IDA will load the file, wait for the end of analysis, and write the full disassembly to <filename>.asm
How it works
In fact, -B is a shorthand for -A -Sanalysis.idc:
- -A: enable autonomous mode (answer all queries with the default choice).
- -Sanalysis.idc: run the script analysis.idc after loading the file.
You can find analysis.idc in the idc subdirectory of the IDA install. In IDA 7.5 it looks as follows:
static main()
{
  // turn on coagulation of data in the final pass of analysis
  set_inf_attr(INF_AF, get_inf_attr(INF_AF) | AF_DODATA | AF_FINAL);
  // .. and plan the entire address space for the final pass
  auto_mark_range(0, BADADDR, AU_FINAL);
  msg("Waiting for the end of the auto analysis...\n");
  auto_wait();
  msg("\n\n------ Creating the output file.... --------\n");
  auto file = get_idb_path()[0:-4] + ".asm";
  auto fhandle = fopen(file, "w");
  gen_file(OFILE_ASM, fhandle, 0, BADADDR, 0); // create the assembler file
  msg("All done, exiting...\n");
  qexit(0); // exit to OS, error code 0 - success
}
Thus, to modify the behavior of the batch mode you can:
- Either modify the standard analysis.idc
- Or specify a different script using -S<myscript.idc>
For example, to output an LST file (it includes address prefixes), change the gen_file call:
gen_file(OFILE_LST, fhandle, 0, BADADDR, 0);
Batch decompilation
If you have the decompiler for the target file’s architecture, you can also run it in batch mode.
For example, to decompile the whole file:
ida -Ohexrays:outfile.c:ALL -A <filename>
To decompile only the function main:
ida -Ohexrays:outfile.c:main -A <filename>
This uses functionality built into the decompiler plugin, which works similarly to the analysis.idc script (wait for the end of autoanalysis, then decompile the specified functions to outfile.c).
Customizing batch decompilation
If the default functionality is not enough, you could write a plugin to drive the decompiler via its C++ API. However, for scripting it’s probably more convenient to use Python. Similarly to IDC, Python scripts can be used with the -S switch to be run automatically after the file is loaded.
A sample script is attached to this post. Use it as follows:
ida -A -Sdecompile_entry_points.py -Llogfile.txt <filename>
Speeding up batch processing
In the examples so far we’ve been using the ida executable, which is the full GUI version of IDA. Even though the UI is not actually displayed in batch mode, it still has to load and initialize all the dependent UI libraries, which can take non-negligible time. This is why it is often better to use the text-mode executable (idat), which uses a lightweight text-mode UI. However, it still needs a terminal even in batch mode. In case you need to run it in a situation without a terminal (e.g. run it in the background or from a daemon), you can use the following approach:
- set environment variable TVHEADLESS=1
- redirect output
For example:
TVHEADLESS=1 idat -A -Smyscript.idc file.bin >/dev/null &
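The same approach wrapped in a small driver that processes several files with one log per file; this is an added example, not part of the original post or of IDA. The names build_job and run_batch, the logs directory and the 600-second timeout are assumptions.

```python
import os
import subprocess
import sys
from pathlib import Path


def build_job(target, script, idat="idat", log_dir="logs"):
    """Return (argv, env, log_path) for one headless batch run of `target`."""
    log_path = Path(log_dir) / (Path(target).name + ".log")
    # -A: autonomous mode; -S: script run after loading; -L: IDA log file
    argv = [idat, "-A", f"-S{script}", f"-L{log_path}", str(target)]
    # TVHEADLESS=1 lets the text-mode UI start without a terminal
    env = dict(os.environ, TVHEADLESS="1")
    return argv, env, log_path


def run_batch(targets, script, idat="idat", log_dir="logs", timeout=600):
    """Run idat on each target; map target -> exit code (None on failure)."""
    Path(log_dir).mkdir(parents=True, exist_ok=True)
    results = {}
    for target in targets:
        argv, env, _ = build_job(target, script, idat, log_dir)
        try:
            # Detach from any terminal: redirect all standard streams
            proc = subprocess.run(argv, env=env, timeout=timeout,
                                  stdin=subprocess.DEVNULL,
                                  stdout=subprocess.DEVNULL,
                                  stderr=subprocess.DEVNULL)
            results[str(target)] = proc.returncode
        except (OSError, subprocess.TimeoutExpired):
            # idat could not be started, or the script never reached qexit()
            results[str(target)] = None
    return results


if __name__ == "__main__":
    # usage: python batch_idat.py myscript.idc file1.bin file2.bin ...
    for name, code in run_batch(sys.argv[2:], sys.argv[1]).items():
        print(f"{name}: {'failed' if code is None else 'exit code %d' % code}")
```

A None result means the run needs a look at the per-file log; a script that ends with qexit(0), as analysis.idc does, yields exit code 0.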