3.1.3. function – Function module¶

This module exposes a number of tools that can be used on or in a particular function. There are a couple of namespaces that can allow one to interact with the different components that are available for a function.

The base argument type for a number of the utilities within this module is the idaapi.func_t. This type is interchangeable with an address or a name and either can be used to identify a function. Some of the tools exposed in this module allow for one to modify comments, rename, or determine the relationships between functions.

Some namespaces are provided for interacting with the different components that IDA associates with each function. This can be used to navigate to the different parts of a function. Some of the available namespaces are type, block, chunk, blocks, chunks, and frame.

3.1.3.1. Function list¶

The functions that are available in this module use multicased functions and aliases. For more information on this, please see Aliases and Multicased functions.

function.address()¶

Return the address of the entrypoint for the current function.

Aliases: function.top, function.addr

function.address(func)

Return the address for the entrypoint belonging to the function func.

Aliases: function.top, function.addr

Parameters:	func – the function to return the address for

function.address(func, offset)

Return the address for the entrypoint belonging to the function func and add the provided offset to it.

Aliases: function.top, function.addr

Parameters:	func – the function to return the address for offset (int or long) – the amount to add to the returned address

function.bottom()¶: Return the exit-points of the current function.

function.bottom(func)

Return the exit-points of the function func.

Parameters:	func – the function to return the exit-points for

function.bounds()¶

Return a tuple containing the bounds of the first chunk of the current function.

Aliases: function.range

function.bounds(func)

Return a tuple containing the bounds of the first chunk of the function func.

Aliases: function.range

Parameters:	func – the function to return the boundaries for

function.by()¶: Return the current function.

function.by(func)

Return the function identified by func.

Parameters:	func (idaapi.func_t) – an `idaapi.func_t` to return

function.by(ea)

Return the function at the address ea.

Parameters:	ea (int or long) – the address of the function to return

function.by(name)

Return the function with the specified name.

Parameters:	name (str) – the name of the function to return

function.by_address()¶: Return the function at the current address.

function.by_address(ea)

Return the function containing the address ea.

Aliases: function.byaddress

Parameters:	ea (int or long) – the address of the function to return

function.by_name(name)¶

Return the function with the specified name.

Aliases: function.byname

Parameters:	name – the name of the function to return

function.color()¶: Return the color (RGB) of the current function.

function.color(func)

Return the color (RGB) of the function func.

Parameters:	func – the function to return the color for

function.color(func, none)

Remove the color for the function func.

Parameters:	func – the function to remove the color from none (None) – the python value `None`

function.color(func, rgb)

Set the color (RGB) of the function func to rgb.

Parameters:	func – the function to set the color for rgb (int or long) – the color as a red, green, and blue integer (`0x00RRGGBB`)

function.color(none)

Remove the color from the current function.

Parameters:	none (None) – the python value `None`

function.comment(**repeatable)¶

Return the comment for the current function.

Parameters:	**repeatable – a boolean specifying that the repeatable comment should be returned

function.comment(func, **repeatable)

Return the comment for the function func.

If the bool repeatable is specified, then return the repeatable comment.

Parameters:	func – the function to return the comment for **repeatable – a boolean specifying that the repeatable comment should be returned

function.comment(string, **repeatable)

Set the comment for the current function to string.

Parameters:	string (str) – the comment to apply **repeatable – a boolean specifying that the repeatable comment should be modified

function.comment(none, **repeatable)

Remove the comment for the current function.

Parameters:	none (None) – the python value `None` **repeatable – a boolean specifying that the repeatable comment should be removed

function.comment(func, string, **repeatable)

Set the comment for the function func to string.

If the bool repeatable is specified, then modify the repeatable comment.

Parameters:	func – the function to assign the comment to string (str) – the comment to apply **repeatable – a boolean specifying that the repeatable comment should be modified

function.comment(func, none, **repeatable)

Remove the comment for the function func.

If the bool repeatable is specified, then remove the repeatable comment.

Parameters:	func – the function to remove the comment from none (None) – the python value `None` **repeatable – a boolean specifying that the repeatable comment should be removed

function.marks()¶: Return all the marks in the current function.

function.marks(func)

Return all the marks in the function func.

Parameters:	func – the function containing the marks to return

function.name()¶: Return the name of the current function.

function.name(func)

Return the name of the function func.

Parameters:	func – the function to return the name for

function.name(none, **flags)

Remove the custom-name from the current function.

Parameters:	none (None) – the python value `None` **flags – any extra flags to use when removing the name

function.name(packed, **flags)

Set the name of the current function to the given packed name.

Parameters:	packed (tuple) – a tuple of integers or strings to use for the name **flags – any extra flags to use when setting the name. if `listed` is set to true, then ensure the name is added to the "names" list

function.name(string, *suffix, **flags)

Set the name of the current function to string.

Parameters:	string (str) – the string containing the new name to use suffix – any extra names to append to the name *flags – any extra flags to use when setting the name. if `listed` is set to true, then ensure the name is added to the "names" list

function.name(func, none, **flags)

Remove the custom-name from the function func.

Parameters:	func – the function to remove the name for none (None) – the python value `None` **flags – any extra flags to use when removing the name

function.name(func, packed, **flags)

Set the name of the function func to the given packed name.

Parameters:	func – the function to set the name of packed (tuple) – a tuple of integers or strings to use for the name **flags – any extra flags to use when setting the name. if `listed` is set to true, then ensure the name is added to the "names" list

function.name(func, string, *suffix, **flags)

Set the name of the function func to string.

If flags is specified, then use the specified value as the flags. If the boolean listed is specified, then specify whether to add the label to the Names list or not.

Parameters:	func – the function to set the name of string (str) – the string containing the new name to use suffix – any extra names to append to the name *flags – any extra flags to use when setting the name. if `listed` is set to true, then ensure the name is added to the "names" list

function.new()¶

Create a new function at the current address.

Aliases: function.make, function.add

function.new(ea)

Create a new function at the address specified by ea.

Aliases: function.make, function.add

Parameters:	ea (int or long) – the starting address of the function to create

function.new(start, end)

Create a new function from the address start until end.

Aliases: function.make, function.add

Parameters:	start (int or long) – the starting address of the function to create end (int or long) – the end address of the function to create

function.new(bounds)

Create a new function using the specified bounds.

Aliases: function.make, function.add

Parameters:	bounds (tuple) – the boundaries of the function to create

function.offset()¶: Return the offset from the base of the database for the current function.

function.offset(func)

Return the offset from the base of the database for the function func.

Parameters:	func – anything referring to a function to return the offset for

function.offset(func, offset)

Return the offset from the base of the database for the function func and add the provided offset to it.

Parameters:	func – offset (int or long) –

function.prototype()¶: Return the prototype of the current function if it has one.

function.prototype(func)

Return the prototype of the function func if it has one.

Parameters:	func – the function to return the prototype for

function.remove()¶: Remove the current function from the database.

function.remove(func)

Remove the function func from the database.

Parameters:	func – the function to remove

function.remove(bounds)

Remove the function specified by bounds from the database.

Parameters:	bounds (tuple) –

function.select(**boolean)¶

Query the contents of the current function for any tags specified by boolean

Parameters:	**boolean – either `And` or `Or` which specifies required or optional tags (respectively)

function.select(tag, *Or, **boolean)

Query the contents of the current function for the specified tag and any others specified as Or.

Parameters:	tag (str) – a required tag name to search the contents for Or – any other tag names to include *boolean – either `And` or `Or` which specifies required or optional tags (respectively)

function.select(func, tag, *Or, **boolean)

Query the contents of the function func for the specified tag and any others specified as Or.

Parameters:	func – the function containing the contents tags to select tag (str) – a required tag name to search the contents for Or – any other tag names to include *boolean – either `And` or `Or` which specifies required or optional tags (respectively)

function.select(func, tag, *Or, **boolean)

Query the contents of the function func for the specified tag and any others specified as Or.

Parameters:	func – the function containing the contents tags to select tag (set or list) – a list of tag names to search the contents for Or – any other tag names to include *boolean – either `And` or `Or` which specifies required or optional tags (respectively)

function.select(func, **boolean)

Query the contents of the function func for any tags specified by boolean. Yields each address found along with the matching tags as a dictionary.

If And contains an iterable then require the returned address contains them. If Or contains an iterable then include any other tags that are specified.

Parameters:	func – the function containing the contents tags to select **boolean – either `And` or `Or` which specifies required or optional tags (respectively)

function.switches()¶: Yield each switch found in the current function.

function.switches(func)

Yield each switch found in the function identifed by func.

Parameters:	func – the function to yield all the switches for

function.tag()¶: Returns all the tags defined for the current function.

function.tag(key)

Returns the value of the tag identified by key for the current function.

Parameters:	key (str) – a string representing the tag name to return

function.tag(key, value)

Sets the value for the tag key to value for the current function.

Parameters:	key (str) – a string representing the tag name value – a python object to store at the tag

function.tag(func, key)

Returns the value of the tag identified by key for the function func.

Parameters:	func – the function to return the tag for key (str) – a string representing the tag name to return

function.tag(func)

Returns all the tags defined for the function func.

Parameters:	func – the function to return all the tags for

function.tag(func, key, value)

Sets the value for the tag key to value for the function func.

Parameters:	func – the function to assign the tag to key (str) – a string representing the tag name to assign value – a python object to store at the tag

function.tag(key, none)

Removes the tag identified by key for the current function.

Parameters:	key (str) – a string representing the tag name to remove none (None) – the python value `None`

function.tag(func, key, none)

Removes the tag identified by key from the function func.

Parameters:	func – the function to remove the tag from key (str) – a string representing the tag name to remove none (None) – the python value `None`

function.tags()¶: Returns all of the content tags for the function at the current address.

function.tags(ea)

Returns all of the content tags for the function at the address ea.

Parameters:	ea (int or long) – the address of the function containing the content tags to return

function.tags(func)

Returns all of the content tags for the function func.

Parameters:	func – the function containing the content tags to return

function.within()¶: Return if the current address is within a function.

function.within(ea)

Return if the address ea is within a function.

Parameters:	ea (int or long) – the address to check for function membership

3.1.3.2. Namespace list¶

These are the namespaces available within this module. Namespaces group similar functions that can be used typically for the same concept. Please see Classes as namespaces for more information on namespaces. For more information on multicase functions or aliases, please see Multicased functions or Aliases.

3.1.3.2.1. function.block¶

This namespace is for interacting with a single basic block belonging to a function. By default the bounds of the selected basic block will be returned. This bounds or an address within these bounds can then be used in other functions within this namespace.

Some examples of this functionality can be:

> B = function.block(ea)
> bid = function.block.id()
> c = function.block.color(ea, rgb)
> print( function.block.before(ea) )
> for ea in function.block.iterate(): print( database.disasm(ea) )
> for ea, op, st in function.block.register('eax', read=1): ...
> print( function.block.read().encode('hex') )
> print( function.block.disasm(ea) )

function.block(**flags)¶

Returns the boundaries of the current basic block.

Parameters:	**flags –

function.block(ea, **flags)

Returns the boundaries of the basic block at address ea.

Parameters:	ea (int or long) – the address containing the basic block to return the boundaries for *flags – the flags from `idaapi.FC_\` to use when building the flowchart the block comes from

function.block(func, ea, **flags)

Returns the boundaries of the basic block at address ea in function func.

Parameters:	func – the function containing the basic block ea (int or long) – the address containing the basic block to return the boundaries for *flags – the flags from `idaapi.FC_\` to use when building the flowchart the block comes from

function.block(func, ea, flags)

Returns the boundaries of the basic block with the specified flags (idaapi.FC_*) at address ea in function func.

Parameters:	func – ea (int or long) – flags (int or long) –

function.block(bb)

Returns the boundaries of the basic block bb.

Parameters:	bb (idaapi.BasicBlock) – the basic block to return the boundaries for

function.block(bounds, **flags)

Return the boundaries of the basic block identified by bounds.

Parameters:	bounds (tuple) – the boundaries of the basic block to return the basic block for *flags – the flags from `idaapi.FC_\` to use when building the flowchart the block comes from

block.address()¶: Return the top address for the basic block containing the current address.

block.address(ea)

Return the top address for the basic block containing the address ea.

Parameters:	ea (int or long) – the address of the basic block to return the address of

block.address(ea, offset)

Return the top address for the basic block containing the address ea and add the provided offset to it.

Parameters:	ea (int or long) – the address of the basic block to return the address of offset (int or long) – the amount to add to the returned address

block.after()¶

Return the addresses of all the instructions that the current basic block leaves to.

Aliases: function.block.succs, function.block.successors

block.after(ea)

Return the addresses of all the instructions that the basic block at address ea leaves to.

Aliases: function.block.succs, function.block.successors

Parameters:	ea (int or long) – the address of the basic block to return the successors for

block.after(bounds)

Return the addresses of all the instructions that branch to the basic block identified by bounds.

Aliases: function.block.succs, function.block.successors

Parameters:	bounds (tuple) – the boundaries of the basic block to return the successors for

block.after(bb)

Return the addresses of all the instructions that branch to the basic block bb.

Aliases: function.block.succs, function.block.successors

Parameters:	bb (idaapi.BasicBlock) – the basic block to return the successors for

block.at(**flags)¶

Return the idaapi.BasicBlock of the current address in the current function.

Parameters:	*flags – the flags from `idaapi.FC_\` to use when building the flowchart the block comes from

block.at(ea, **flags)

Return the idaapi.BasicBlock of address ea in the current function.

Parameters:	ea (int or long) – the address of the basic block to return *flags – the flags from `idaapi.FC_\` to use when building the flowchart the block comes from

block.at(func, ea, **flags)

Return the idaapi.BasicBlock of address ea in the function func.

Parameters:	func – the function containing the basic block ea (int or long) – the address of the basic block to return *flags – the flags from `idaapi.FC_\` to use when building the flowchart the block comes from

block.at(bb)

Return the idaapi.BasicBlock of the basic block bb.

Parameters:	bb (idaapi.BasicBlock) – the basic block to return

block.at(bounds, **flags)

Return the idaapi.BasicBlock identified by bounds.

Parameters:	bounds (tuple) – the boundaries of the basic block to return *flags – the flags from `idaapi.FC_\` to use when building the flowchart the block comes from

block.before()¶

Return the addresses of all the instructions that branch to the current basic block.

Aliases: function.block.preds, function.block.predecessors

block.before(ea)

Return the addresses of all the instructions that branch to the basic block at address ea.

Aliases: function.block.preds, function.block.predecessors

Parameters:	ea (int or long) – the address of the basic block to return the predecessors for

block.before(bounds)

Return the addresses of all the instructions that branch to the basic block identified by bounds.

Aliases: function.block.preds, function.block.predecessors

Parameters:	bounds (tuple) – the boundaries of the basic block to return the predecessors for

block.before(bb)

Return the addresses of all the instructions that branch to the basic block bb.

Aliases: function.block.preds, function.block.predecessors

Parameters:	bb (idaapi.BasicBlock) – the basic block to return the predecessors for

block.bottom()¶: Return the bottom address of the basic block at the current address.

block.bottom(ea)

Return the bottom address of the basic block at address ea.

Parameters:	ea (int or long) – the address belonging to the basic block to return the bottom address for

block.bottom(bb)

Return the bottom address of the basic block bb.

Parameters:	bb (idaapi.BasicBlock) – the basic block to return the bottom address for

block.bottom(bounds)

Return the bottom address of the basic block identified by bounds.

Parameters:	bounds (tuple) – the boundaries of the basic block to return the bottom address for

block.color()¶: Returns the color of the basic block at the current address.

block.color(none)

Removes the color of the basic block at the current address.

Parameters:	none (None) – the python value `None`

block.color(ea)

Returns the color of the basic block at the address ea.

Parameters:	ea (int or long) – the address of the basic block to return the color of

block.color(bb)

Returns the color of the basic block bb.

Parameters:	bb (idaapi.BasicBlock) – the basic block to return the color of

block.color(bounds)

Returns the color of the basic block identified by bounds.

Parameters:	bounds (tuple) – the boundaries of the basic block to return the color for

block.color(ea, none)

Removes the color of the basic block at the address ea.

Parameters:	ea (int or long) – the address of the basic block to remove the color from none (None) – the python value `None`

block.color(bounds, none)

Removes the color of the basic block identified by bounds.

Parameters:	bounds (tuple) – the boundaries of the basic block to remove the color from none (None) – the python value `None`

block.color(bb, none)

Removes the color of the basic block bb.

Parameters:	bb (idaapi.BasicBlock) – the basic block to remove the color from none (None) – the python value `None`

block.color(ea, rgb, **frame)

Sets the color of the basic block at the address ea to rgb.

If the color frame is specified, set the frame to the specified color.

Parameters:	ea (int or long) – the address belonging to the basic block to set the color for rgb (int or long) – the color as a red, green, and blue integer (`0x00RRGGBB`) **frame – if `frame` is specified, then set the frame of the basic block to this color

block.color(bb, rgb, **frame)

Sets the color of the basic block bb to rgb.

Parameters:	bb (idaapi.BasicBlock) – the basic block to set the color for rgb (int or long) – the color as a red, green, and blue integer (`0x00RRGGBB`) **frame – if `frame` is specified, then set the frame of the basic block to this color

block.color(bounds, rgb, **frame)

Sets the color of the basic block identifed by bounds to rgb.

Parameters:	bounds (tuple) – the boundaries of the basic block to set the color for rgb (int or long) – the color as a red, green, and blue integer (`0x00RRGGBB`) **frame – if `frame` is specified, then set the frame of the basic block to this color

block.contains(ea)¶

Return whether the address ea is within the current basic block.

Parameters:	ea (int or long) – the address to be checked

block.contains(address, ea)

Return whether the address ea is within the basic block at the specified address.

Parameters:	address (int or long) – the address of the basic block ea (int or long) – the address to be checked

block.contains(func, address, ea)

Return whether the address ea is within the basic block for the function func at the specified address.

Parameters:	func – the function containing the basic block address (int or long) – the address of the basic block ea (int or long) – the address to be checked

block.contains(bb, ea)

Return whether the address ea is within the basic block bb.

Parameters:	bb (idaapi.BasicBlock) – the basic block to check ea (int or long) – the address to be checked

block.contains(bounds, ea)

Return whether the address ea is within the basic block identified by bounds.

Parameters:	bounds (tuple) – the boundaries of the basic block to check ea (int or long) – the address to be checked

block.decompile()¶: (UNSTABLE) Returns the decompiled code of the basic block at the current address.

block.decompile(ea)

(UNSTABLE) Returns the decompiled code of the basic block at the address ea.

Parameters:	ea (int or long) – the address of the basic block to decompile

block.disassemble(**options)¶

Returns the disassembly of the basic block at the current address.

Aliases: function.block.disasm

Parameters:	**options – any options to pass to `database.disassemble`

block.disassemble(ea, **options)

Returns the disassembly of the basic block at the address ea.

Aliases: function.block.disasm

Parameters:	ea (int or long) – the address of the basic block to disassemble **options – any options to pass to `database.disassemble`

block.disassemble(bounds, **options)

Returns the disassembly of the basic block identified by bounds.

Aliases: function.block.disasm

Parameters:	bounds (tuple) – the boundaries of the basic block to disassemble **options – any options to pass to `database.disassemble`

block.disassemble(bb, **options)

Returns the disassembly of the basic block bb.

Aliases: function.block.disasm

Parameters:	bb (idaapi.BasicBlock) – the basic block to disassemble **options – any options to pass to `database.disassemble`

block.id()¶: Return the block id of the current address in the current function.

block.id(ea)

Return the block id of address ea in the current function.

Parameters:	ea (int or long) – the address of the basic block to return the id for

block.id(func, ea)

Return the block id of address ea in the function func.

Parameters:	func – the function containing the basic block ea (int or long) – the address of the basic block to return the id for

block.id(bb)

Return the block id of the basic block bb.

Parameters:	bb (idaapi.BasicBlock) – the basic block to return the id for

block.id(bounds)

Return the block id of the basic block identified by bounds.

Parameters:	bounds (tuple) – the boundaries of the basic block to return the id for

block.iterate()¶: Yield all the addresses in the current basic block.

block.iterate(ea)

Yield all the addresses in the basic block at address ea.

Parameters:	ea (int or long) – the address of the basic block to iterate through

block.iterate(bounds)

Yield all the addresses in the basic block identified by bounds.

Parameters:	bounds (tuple) – the boundaries of the basic block to iterate through

block.iterate(bb)

Yield all the addresses in the basic block bb.

Parameters:	bb (idaapi.BasicBlock) – the basic block to iterate through

block.offset()¶: Return the offset from the base of the database for the basic block at the current address.

block.offset(ea)

Return the offset from the base of the database for the basic block at the address ea.

Parameters:	ea (int or long) – the address of the basic block to return the offset of

block.offset(ea, offset)

Return the offset from the base of the database for the basic block at address ea and add the provided offset to it.

Parameters:	ea (int or long) – the address of the basic block to return the offset of offset (int or long) – the amount to add to the returned offset

block.read()¶: Return all the bytes contained in the current basic block.

block.read(ea)

Return all the bytes contained in the basic block at address ea.

Parameters:	ea (int or long) – the address of the basic block to return bytes for

block.read(bounds)

Return all the bytes contained in the basic block identified by bounds.

Parameters:	bounds (tuple) – the boundaries of the basic block to return bytes for

block.read(bb)

Return all the bytes contained in the basic block bb.

Parameters:	bb (idaapi.BasicBlock) – the basic block to return bytes for

block.register(reg, *regs, **modifiers)¶

Yield each (address, opnum, state) within the current block that uses reg or any one of the registers in regs.

Parameters:	reg (str or register_t) – a register of some kind regs – any other registers to match for *modifiers – if `write` or `read` is true, then only return addresses where the specified registers are written to or read from (respectively)

block.register(ea, reg, *regs, **modifiers)

Yield each (address, opnum, state) within the block containing ea that uses reg or any one of the registers in regs.

Parameters:	ea (int or long) – the address belonging to the basic block to identify registers in reg (str or register_t) – a register of some kind regs – any other registers to match for *modifiers – if `write` or `read` is true, then only return addresses where the specified registers are written to or read from (respectively)

block.register(bounds, reg, *regs, **modifiers)

Yield each (address, opnum, state) within the block identified by bounds that uses reg or any one of the registers in regs.

Parameters:	bounds (tuple) – the boundaries of the basic block to identify registers in reg (str or register_t) – a register of some kind regs – any other registers to match for *modifiers – if `write` or `read` is true, then only return addresses where the specified registers are written to or read from (respectively)

block.register(bb, reg, *regs, **modifiers)

Yield each (address, opnum, state) within the block bb that uses reg or any one of the registers in regs.

If the keyword write is true, then only return the result if it’s writing to the register.

Parameters:	bb (idaapi.BasicBlock) – the basic block to identify registers in reg (str or register_t) – a register of some kind regs – any other registers to match for *modifiers – if `write` or `read` is true, then only return addresses where the specified registers are written to or read from (respectively)

block.tag()¶: Returns all the tags defined for the current basic block.

block.tag(key)

Returns the value of the tag identified by key for the current basic block.

Parameters:	key (str) – a string representing the tag name to return

block.tag(key, value)

Sets the value for the tag key to value for the current basic block.

Parameters:	key (str) – a string representing the tag name to assign value – a python object to store at the tag

block.tag(key, none)

Removes the tag identified by key for the current basic block.

Parameters:	key (str) – a string representing the tag name to remove none (None) – the python value `None`

block.tag(ea)

Returns all the tags defined for the basic block at ea.

Parameters:	ea (int or long or tuple) – the address of the basic block

block.tag(ea, key)

Returns the value of the tag identified by key for the basic block at ea.

Parameters:	ea (int or long or tuple) – the address of the basic block key (str) – a string representing the tag name to return

block.tag(ea, key, value)

Sets the value for the tag key to value for the basic block at ea.

Parameters:	ea (int or long or tuple) – the address of the basic block key (str) – a string representing the tag name to assign value – a python object to store at the tag

block.tag(ea, key, none)

Removes the tag identified by key for the basic block at ea.

Parameters:	ea (int or long or tuple) – the address of the basic block key (str) – a string representing the tag name to remove none (None) – the python value `None`

block.tag(bb)

Returns all the tags defined for the idaapi.BasicBlock given in bb.

Parameters:	bb (idaapi.BasicBlock) – the basic block to return the tags from

block.tag(bb, key)

Returns the value of the tag identified by key from the idaapi.BasicBlock given in bb.

Parameters:	bb (idaapi.BasicBlock) – the basic block to return the tag from key (str) – a string representing the tag name to return

block.tag(bb, key, value)

Sets the value for the tag key to value in the idaapi.BasicBlock given by bb.

Parameters:	bb (idaapi.BasicBlock) – the basic block to assign the tag to key (str) – a string representing the tag name to assign value – a python object to store at the tag

block.tag(bb, key, none)

Removes the tag identified by key from the idaapi.BasicBlock given by bb.

Parameters:	bb (idaapi.BasicBlock) – the basic block to remove the tag from key (str) – a string representing the tag name to remove none (None) – the python value `None`

block.top()¶

Return the top address of the basic block at the current address.

Aliases: function.block.addr, function.block.address

block.top(ea)

Return the top address of the basic block at address ea.

Aliases: function.block.addr, function.block.address

Parameters:	ea (int or long) – the address belonging to the basic block to return the top address for

block.top(bb)

Return the top address of the basic block bb.

Aliases: function.block.addr, function.block.address

Parameters:	bb (idaapi.BasicBlock) – the basic block to return the top address for

block.top(bounds)

Return the top address of the basic block identified by bounds.

Aliases: function.block.addr, function.block.address

Parameters:	bounds (tuple) – the boundaries of the basic block to return the top address for

3.1.3.2.2. function.blocks¶

This namespace is for interacting with all of the basic blocks within the specified function. By default this namespace will yield the boundaries of each basic block defined within the function.

This namespace provides a small number of utilities that can be used to extract the basic blocks of a function and convert them into a flow-graph such as idaapi.FlowChart, or a digraph as used by the networkx module.

Due to idaapi.FlowChart and networkx’s digraph being used so often, these functions are exported globally as function.flowchart and function.digraph.

Some examples of this namespace’s usage:

> for bb in function.blocks(calls=False): ...
> chart = function.blocks.flowchart(ea)
> G = function.blocks.graph()

function.blocks(**external)¶

Return the bounds of each basic block for the current function.

Parameters:	**external – a boolean specifying to include external blocks in the blocks that are returned

function.blocks(func, **external)

Returns the bounds of each basic block for the function func.

Parameters:	func – the function to return the basic blocks for **external – a boolean specifying to include external blocks in the blocks that are returned

function.blocks(bounds, **external)

Return each basic block contained within the specified bounds.

Parameters:	bounds (tuple) – the boundaries to use when constraining the returned list of basic blocks **external – a boolean specifying to include external blocks in the blocks that are returned

function.blocks(left, right, **external)

Returns each basic block contained between the addresses left and right.

If external is true, then include all blocks that are a branch target despite being outside the function boundaries. If split is false, then do not allow a call instruction to split a block.

Parameters:	left – the top address of the basic block right – the bottom address of the basic block **external – a boolean specifying to include external blocks in the blocks that are returned

blocks.at(**flags)¶

Return the idaapi.BasicBlock at the current address in the current function.

Parameters:	*flags – the flags from `idaapi.FC_\` to use when building the flowchart

blocks.at(ea, **flags)

Return the idaapi.BasicBlock of address ea in the current function.

Parameters:	ea (int or long) – the address of the basic block to return *flags – the flags from `idaapi.FC_\` to use when building the flowchart

blocks.at(func, ea, **flags)

Return the idaapi.BasicBlock in function func at address ea.

Parameters:	func – the function containing the basic block ea (int or long) – the address of the basic block to return *flags – the flags from `idaapi.FC_\` to use when building the flowchart

blocks.at(func, ea, flags)

Return the idaapi.BasicBlock with the specified flags (idaapi.FC_*) for function func at address ea.

Parameters:	func – the function containing the basic block ea (int or long) – the address of the basic block to return flags (int or long) – the flags from `idaapi.FC_\*` to use when building the flowchart

blocks.at(bb)

Return the idaapi.BasicBlock matching the boundaries identifed by bb.

Parameters:	bb (idaapi.BasicBlock) – the `idaapi.BasicBlock` containing the boundaries to match

blocks.at(func, bb)

Return the idaapi.BasicBlock in function func identifed by bb.

Parameters:	func – bb (idaapi.BasicBlock) –

blocks.digraph()¶

Return a networkx.DiGraph of the function at the current address.

Aliases: function.blocks.graph, function.graph, function.digraph

blocks.digraph(func, **flags)

Return a networkx.DiGraph of the function func.

Requires the networkx module in order to build the graph.

Aliases: function.blocks.graph, function.graph, function.digraph

Parameters:	func – the function to return a graph for *flags – the flags from `idaapi.FC_\` to use when building the flowchart

blocks.flowchart(**flags)¶

Return an idaapi.FlowChart object for the current function.

Aliases: function.flowchart

Parameters:	*flags – the flags from `idaapi.FC_\` to use when building the flowchart

blocks.flowchart(func, **flags)

Return an idaapi.FlowChart object for the function func.

Aliases: function.flowchart

Parameters:	func – the function to return the flowchart for *flags – the flags from `idaapi.FC_\` to use when building the flowchart

blocks.flowchart(func, flags)

Return an idaapi.FlowChart object built with the specified flags for the function func.

Aliases: function.flowchart

Parameters:	func – the function to return the flowchart for flags (int or long) – the flags from `idaapi.FC_\*` to use when building the flowchart

blocks.flowchart(bb)

Return an idaapi.FlowChart object for the given idaapi.BasicBlock.

Parameters:	bb (idaapi.BasicBlock) –

blocks.iterate(**external)¶

Return each idaapi.BasicBlock for the current function.

Parameters:	**external – a boolean specifying to include external blocks in the blocks that are returned

blocks.iterate(func, **external)

Returns each idaapi.BasicBlock for the function func.

If external is true, then include all blocks that are a branch target despite being outside the function boundaries. If split is false, then do not allow a call instruction to split a block.

Parameters:	func – the function containing the basic blocks to yield **external – a boolean specifying to include external blocks in the blocks that are returned

blocks.iterate(func, flags, **silent)

Returns each idaapi.BasicBlock from the flowchart built with the specified flags (idaapi.FC_*) for the function func.

Parameters:	func – the function containing the basic blocks to yield flags (int or long) – the flags from `idaapi.FC_\` to use when building the flowchart *silent – a boolean specifying to exclude warnings about blocks that are outside the function

blocks.moonwalk(**flags)¶

Traverse each of the predecessor blocks for the current function starting with the block at the current address.

Parameters:	*flags – the flags from `idaapi.FC_\` to use when building the flowchart the block comes from

blocks.moonwalk(ea, **flags)

Traverse each of the predecessor blocks for a function starting with the block at the address ea.

Parameters:	ea (int or long) – the address of the block to start at *flags – the flags from `idaapi.FC_\` to use when building the flowchart the block comes from

blocks.moonwalk(func, ea, **flags)

Traverse each of the predecessor blocks from the block at address ea belonging to the function func.

Parameters:	func – the function containing the block to traverse the predecessors of ea (int or long) – the address of the block to start at *flags – the flags from `idaapi.FC_\` to use when building the flowchart the block comes from

blocks.moonwalk(bb)

Traverse each of the predecessor blocks from the idaapi.BasicBlock identified by bb.

Parameters:	bb (idaapi.BasicBlock) – the `idaapi.BasicBlock` to traverse the predecessors of

blocks.select(**boolean)¶

Query the basic blocks of the current function for any tags specified by boolean

Parameters:	**boolean –

blocks.select(tag, *Or, **boolean)

Query the basic blocks of the current function for the specified tag and any others specified as Or.

Parameters:	tag (str) – Or – *boolean –

blocks.select(func, tag, *Or, **boolean)

Query the basic blocks of the function func for the specified tag and any others specified as Or.

Parameters:	func – tag (str) – Or – *boolean –

blocks.select(func, tag, *Or, **boolean)

Query the basic blocks of the function func for the specified tag and any others specified as Or.

Parameters:	func – tag (set or list) – Or – *boolean –

blocks.select(func, **boolean)

Query the basic blocks of the function func for any tags specified by boolean. Yields each basic block found along with the matching tags as a dictionary.

If And contains an iterable then require the returned address contains them. If Or contains an iterable then include any other tags that are specified.

Parameters:	func – **boolean –

blocks.subgraph(start, exits)¶

Return a networkx.DiGraph subgraph of the current function from address start and terminating at any address in exits.

Parameters:	start (int or long) – the address of the basic block to start from exits (int or long or list or tuple or set) – the addresses of basic blocks to stop at

blocks.subgraph(func, start, exits)

Return a networkx.DiGraph subgraph of the function func from address start and terminating at any address in exits.

Requires the networkx module in order to build the graph.

Parameters:	func – the function to return the graph from start (int or long) – the address of the basic block to start from exits (int or long or list or tuple or set) – the addresses of basic blocks to stop at

blocks.traverse(**flags)¶

Traverse each of the successor blocks starting from the beginning of the current function.

Parameters:	*flags – the flags from `idaapi.FC_\` to use when building the flowchart to traverse

blocks.traverse(predicate, **flags)

Traverse the blocks from the beginning of the current function until the callable predicate returns no more elements.

Parameters:	predicate (callable) – a callable (such as `block.before` or `block.after`) returning the blocks to choose from *flags – the flags from `idaapi.FC_\` to use when building the flowchart to traverse

blocks.traverse(func, predicate, **flags)

Traverse the blocks from the beginning of function func until the callable predicate returns no more elements.

Parameters:	func – the function to traverse predicate (callable) – a callable (such as `block.before` or `block.after`) returning the blocks to choose from *flags – the flags from `idaapi.FC_\` to use when building the flowchart to traverse

blocks.traverse(func, ea, predicate, **flags)

Traverse the blocks of function func from the block given by ea until the callable predicate returns no more elements.

Parameters:	func – the function containing the block ea (int or long) – the address of the block to start at predicate (callable) – a callable (such as `block.before` or `block.after`) returning the blocks to choose from *flags – the flags from `idaapi.FC_\` to use when building the flowchart the block comes from

blocks.traverse(bb, predicate)

Traverse the blocks of function func from the idaapi.BasicBlock given by bb until the callable predicate returns no more elements.

Parameters:	bb (idaapi.BasicBlock) – the `idaapi.BasicBlock` to start at predicate (callable) – a callable (such as `block.before` or `block.after`) returning the blocks to choose from

blocks.walk(**flags)¶

Traverse each of the successor blocks starting from the beginning of the current function.

Parameters:	*flags – the flags from `idaapi.FC_\` to use when building the flowchart to traverse

blocks.walk(func, **flags)

Traverse each of the successor blocks starting from the beginning of the function func.

Parameters:	func – the function containing to traverse the successors of *flags – the flags from `idaapi.FC_\` to use when building the flowchart to traverse

blocks.walk(func, ea, **flags)

Traverse each of the successor blocks of the block identified by ea belonging to the function func.

Parameters:	func – the function containing the block to traverse the successors of ea (int or long) – the address of the block to start at *flags – the flags from `idaapi.FC_\` to use when building the flowchart the block comes from

blocks.walk(bb)

Traverse each of the successor blocks from the idaapi.BasicBlock identified by bb.

Parameters:	bb (idaapi.BasicBlock) – the `idaapi.BasicBlock` to traverse the successors of

3.1.3.2.3. function.chunk¶

This namespace is for interacting with a specific chunk belonging to a function. By default this namespace will return the bounds of the chunk containing the requested address.

The functions in this namespace can be used as:

> l, r = function.chunk(ea)
> ea = function.chunk.top()
> function.chunk.add(function.by(), 0x401000, 0x402000)
> function.chunk.remove(ea)

function.chunk()¶: Return a tuple containing the bounds of the function chunk at the current address.

function.chunk(ea)

Return a tuple containing the bounds of the function chunk at the address ea.

Parameters:	ea (int or long) – the address containing the chunk to return

chunk.add(start)¶

Add the chunk starting at the address start to the current function.

Aliases: function.add_chunk

Parameters:	start (int or long) – the starting address of the chunk to add

chunk.add(bounds)

Add the chunk specified by bounds to the current function.

Aliases: function.add_chunk

Parameters:	bounds (tuple) – the boundaries of the chunk to add

chunk.add(func, ea)

Add the chunk starting at address ea to the function func.

Aliases: function.add_chunk

Parameters:	func – the function to add the chunk to ea (int or long) – the starting address of the chunk to add to the function

chunk.add(func, start, end)

Add the chunk from the address start until end to the function func.

Aliases: function.add_chunk

Parameters:	func – the function to add the chunk to start (int or long) – the starting address of the chunk to add to the function end (int or long) – the ending address of the chunk

chunk.add(func, bounds)

Add the chunk specified by bounds to the function func.

Aliases: function.add_chunk

Parameters:	func – the function to add the chunk to bounds (tuple) – the boundaries of the chunk to add to the function

chunk.address()¶: Return the top address of the function chunk containing the current address.

chunk.address(ea)

Return the top address of the function chunk containing the address ea.

Parameters:	ea (int or long) – the address of the chunk

chunk.address(ea, offset)

Return the address of the function chunk containing the address ea and add the provided offset to it.

Parameters:	ea (int or long) – the address of the chunk offset (int or long) – the offset to add to the chunk address

chunk.at()¶: Return an idaapi.range_t describing the bounds of the current function chunk.

chunk.at(ea)

Return an idaapi.range_t describing the bounds of the function chunk at the address ea.

Parameters:	ea (int or long) – the address of the chunk to return

chunk.at(func, ea)

Return an idaapi.range_t describing the bounds of the function chunk belonging to func at the address ea.

Parameters:	func – the function containing the chunk ea (int or long) – the address of the chunk to return

chunk.bottom()¶: Return the bottom address of the chunk at the current address.

chunk.bottom(ea)

Return the bottom address of the chunk at address ea.

Parameters:	ea (int or long) – the address of the chunk

chunk.bottom(ea, address)

Change the bottom address of the chunk at address ea to the specified address.

Parameters:	ea (int or long) – the address of the chunk to modify address (int or long) – the new address to set the bottom of the chunk with

chunk.iterate()¶: Iterate through all the instructions for the function chunk containing the current address.

chunk.iterate(ea)

Iterate through all the instructions for the function chunk containing the address ea.

Parameters:	ea (int or long) – the address belonging to the function chunk to iterate through

chunk.offset()¶: Return the offset from the base of the database for the current function chunk.

chunk.offset(ea)

Return the offset from the base of the database for the function chunk containing the address ea.

Parameters:	ea (int or long) – the address of the chunk to return the offset of

chunk.offset(ea, offset)

Return the offset from the base of the database for the function chunk containing the address ea and add the provided offset to it.

Parameters:	ea (int or long) – the address of the chunk to return the offset of offset – the offset to add to the result

chunk.owner()¶: Return the primary owner of the function chunk containing the current address.

chunk.owner(ea)

Return the primary owner of the function chunk containing the address specified by ea.

Parameters:	ea (int or long) – the address of the chunk to return the owner of

chunk.owner(bounds)

Return the primary owner of the function chunk specified by bounds.

Parameters:	bounds (tuple) – the boundaries of the chunk to return the owner of

chunk.owner(ea, func)

Set the primary owner of the chunk at ea to the function func.

Parameters:	ea (int or long) – the address of the chunk to change the owner of func – the desired function that should own the chunk

chunk.owner(bounds, func)

Set the primary owner of the chunk specified by bounds to the function func.

Parameters:	bounds (tuple) – the boundaries of the chunk to change the owner of func – the desired function that should own the chunk

chunk.owners()¶: Yield each of the owners which have the current function chunk associated with it.

chunk.owners(ea)

Yield each of the owners which have the function chunk containing the address ea associated with it.

Parameters:	ea (int or long) – the address of the chunk to return each of the functions for

chunk.points()¶: Iterate through the current function chunk and yield each address and stack delta that was calculated.

chunk.points(ea)

Iterate through the function chunk containing the address ea and yield each address and stack delta that was calculated.

Parameters:	ea (int or long) – the address of the chunk to yield each of the stack points for

chunk.points(func, ea)

Iterate through the chunk belonging to the function func and containing the address ea in order to yield each address and stack delta that was calculated.

Parameters:	func – the function containing the chunk ea (int or long) – the address of the chunk to yield each of the stack points for

chunk.register(reg, *regs, **modifiers)¶

Yield each (address, opnum, state) within the function chunk containing the current address which uses reg or any one of the registers in regs.

Parameters:	reg (str or register_t) – a register of some kind regs – any other registers to match for *modifiers – if `write` or `read` is true, then only return addresses where the specified registers are written to or read from (respectively)

chunk.register(ea, reg, *regs, **modifiers)

Yield each (address, opnum, state) within the function chunk containing the address ea which uses reg or any one of the registers in regs.

If the keyword write is True, then only return the result if it’s writing to the register.

Parameters:	ea – the address belonging to the function chunk to identify registers in reg (str or register_t) – a register of some kind regs – any other registers to match for *modifiers – if `write` or `read` is true, then only return addresses where the specified registers are written to or read from (respectively)

chunk.remove()¶

Remove the chunk containing the current address from its function.

Aliases: function.remove_chunk

chunk.remove(ea)

Remove the chunk at ea from its function.

Aliases: function.remove_chunk

Parameters:	ea (int or long) – the address of the chunk to remove

chunk.remove(bounds)

Remove the chunk specified by bounds from its function.

Aliases: function.remove_chunk

Parameters:	bounds (tuple) – a tuple describing the boundaries of the chunk to remove

chunk.remove(func, ea)

Remove the chunk at ea from the function func.

Aliases: function.remove_chunk

Parameters:	func – the function containing the chunk ea (int or long) – the address of the chunk to remove from the function

chunk.remove(func, bounds)

Remove the chunk specified by bounds from the function func.

Aliases: function.remove_chunk

Parameters:	func – the function containing the chunk bounds (tuple) – a tuple describing the boundaries of the chunk to remove

chunk.top()¶: Return the top address of the chunk at the current address.

chunk.top(ea)

Return the top address of the chunk at address ea.

Parameters:	ea (int or long) – the address of the chunk

chunk.top(ea, address)

Change the top address of the chunk at address ea to the specified address.

Parameters:	ea (int or long) – the address of the chunk to modify address (int or long) – the new address to set the top of the chunk with

3.1.3.2.4. function.chunks¶

This namespace is for interacting with the different chunks associated with a function. By default this namespace will yield the boundaries of each chunk associated with a function.

Some of the ways to use this namespace are:

> for l, r in function.chunks(): ...
> for ea in function.chunks.iterate(ea): ...

function.chunks()¶: Yield the bounds of each chunk within current function.

function.chunks(func)

Yield the bounds of each chunk for the function func.

Parameters:	func – the function to yield the chunks for

chunks.at()¶: Return an idaapi.range_t describing the bounds of the current function chunk.

chunks.at(ea)

Return an idaapi.range_t describing the bounds of the function chunk at the address ea.

Parameters:	ea (int or long) – the address belonging to the chunk to return

chunks.at(func, ea)

Return an idaapi.range_t describing the bounds of the function chunk belonging to func at the address ea.

Parameters:	func – the function containing the chunk ea (int or long) – the address belonging to the chunk to return

chunks.contains()¶

Returns True if the current function contains the current address in any of its chunks.

Aliases: function.contains

chunks.contains(ea)

Returns True if the current function contains the address ea in any of its chunks.

Aliases: function.contains

Parameters:	ea (int or long) – the address of the chunk to check

chunks.contains(func, ea)

Returns True if the function func contains the address ea in any of its chunks.

Aliases: function.contains

Parameters:	func – the function to check the chunk against ea (int or long) – the address of the chunk to check

chunks.iterate()¶

Iterate through all the instructions for each chunk in the current function.

Aliases: function.iterate

chunks.iterate(func)

Iterate through all the instructions for each chunk in the function func.

Aliases: function.iterate

Parameters:	func – the function to iterate through

chunks.register(reg, *regs, **modifiers)¶

Yield each (address, opnum, state) within the current function that uses reg or any one of the registers in regs.

Aliases: function.register

Parameters:	reg (str or register_t) – a register of some kind regs – any other registers to match for *modifiers – if `write` or `read` is true, then only return addresses where the specified registers are written to or read from (respectively)

chunks.register(func, reg, *regs, **modifiers)

Yield each (address, opnum, state) within the function func that uses reg or any one of the registers in regs.

If the keyword write is True, then only return the result if it’s writing to the register.

Aliases: function.register

Parameters:	func – the function to identify registers in reg (str or register_t) – a register of some kind regs – any other registers to match for *modifiers – if `write` or `read` is true, then only return addresses where the specified registers are written to or read from (respectively)

3.1.3.2.5. function.frame¶

This namespace is for getting information about the selected function’s frame. By default, this namespace will return a structure_t representing the frame belonging to the specified function.

Some ways of using this can be:

> print( function.frame() )
> print( hex(function.frame.id(ea)) )
> sp = function.frame.delta(ea)

function.frame()¶: Return the frame of the current function.

function.frame(func)

Return the frame of the function func.

Parameters:	func – the function containing the frame to return

frame.delta()¶

Returns the stack delta for the current address within its function.

Aliases: function.get_spdelta

frame.delta(ea)

Returns the stack delta for the address ea within its given function.

Aliases: function.get_spdelta

Parameters:	ea (int or long) – the address to return the stack delta for

frame.delta(func, ea)

Returns the stack delta for the address ea within the function func.

Aliases: function.get_spdelta

Parameters:	func – the function to get the stack delta from ea (int or long) – the address to return the stack delta for

frame.id()¶

Returns the structure id for the current function’s frame.

Aliases: function.get_frameid

frame.id(func)

Returns the structure id for the function func.

Aliases: function.get_frameid

Parameters:	func – the function to return the frame id for

frame.new()¶: Add an empty frame to the current function.

frame.new(lvars, args)

Add a frame to the current function using the sizes specified by lvars for local variables, and args for arguments.

Parameters:	lvars (int or long) – the number of bytes to allocate for local variables args (int or long) – the number of bytes to allocate for arguments

frame.new(lvars, regs, args)

Add a frame to the current function using the sizes specified by lvars for local variables, regs for frame registers, and args for arguments.

Parameters:	lvars (int or long) – the number of bytes to allocate for local variables regs (int or long) – the number of bytes to allocate for registers args (int or long) – the number of bytes to allocate for arguments

frame.new(func, lvars, regs, args)

Add a frame to the function func using the sizes specified by lvars for local variables, regs for frame registers, and args for arguments.

When specifying the size of the registers (regs) the size of the saved instruction pointer must also be included.

Parameters:	func – the function to add the frame to lvars (int or long) – the number of bytes to allocate for local variables regs (int or long) – the number of bytes to allocate for registers args (int or long) – the number of bytes to allocate for arguments

3.1.3.2.5.1. function.frame.arguments¶

Aliases: function.frame.args

This namespace is for returning information about the arguments within a function’s frame. By default, this namespace will yield each argument as a tuple containing the (offset, name, size).

Some ways of using this are:

> print( function.frame.arguments(f) )
> print( function.frame.arguments.registers(f) )
> print( function.frame.arguments.size(f) )
> print( function.frame.arguments.location(ea) )

frame.arguments()¶: Yield the (offset, name, size) of each argument belonging to the current function.

frame.arguments(func)

Yield the (offset, name, size) of each argument belonging to the function func.

Parameters:	func – the function containing the arguments to yield

frame.arguments.iterate()¶: Yield the (member, type, name) associated with the arguments for the current function.

frame.arguments.iterate(func)

Yield the (member, type, name) associated with the arguments for the function func.

Parameters:	func – the function containing the argument information to yield

frame.arguments.location()¶

Return the list of address locations for each of the parameters that are passed to the function call at the current address.

Aliases: function.frame.args.locations

frame.arguments.location(ea)

Return the list of address locations for each of the parameters that are passed to the function call at ea.

Aliases: function.frame.args.locations

Parameters:	ea (int or long) – the address of the reference to the function

frame.arguments.location(ea, index)

Return the initialization address for the parameter at index for the function call at ea.

Aliases: function.frame.args.locations

Parameters:	ea (int or long) – the address of the reference to the function index (int or long) – the index of the parameter to return the address of

frame.arguments.registers()¶

Return the register information associated with the arguments of the current function.

Aliases: function.frame.args.regs

frame.arguments.registers(func)

Return the register information associated with the arguments of the function func.

Aliases: function.frame.args.regs

Parameters:	func – the function containing the argument register information to return

frame.arguments.size()¶

Returns the size of the arguments for the current function.

Aliases: function.get_args_size

frame.arguments.size(func)

Returns the size of the arguments for the function func.

Aliases: function.get_args_size

Parameters:	func – the function containing the argument size to return

3.1.3.2.5.2. function.frame.lvars¶

Aliases: function.frame.vars

This namespace provides information about the local variables defined within a function’s frame.

Some ways to get this information can be:

> print( function.frame.lvars.size() )

frame.lvars()¶: Yield the (offset, name, size) of each local variable relative to the stack pointer for the current function.

frame.lvars(func)

Yield the (offset, name, size) of each local variable relative to the stack pointer for the function func.

Parameters:	func – the function containing the local variables to return

frame.lvars.size()¶

Returns the size of the local variables for the current function.

Aliases: function.get_vars_size

frame.lvars.size(func)

Returns the size of the local variables for the function func.

Aliases: function.get_vars_size

Parameters:	func – the function containing the local variable size to return

3.1.3.2.5.3. function.frame.regs¶

This namespace provides information about the registers that are saved when a function constructs its frame.

An example of using this namespace:

> print( function.frame.regs.size(ea) )

frame.regs()¶: Yield the (offset, name, size) of each saved register relative to the stack pointer of the current function.

frame.regs(func)

Yield the (offset, name, size) of each saved register relative to the stack pointer of the function func.

Parameters:	func – the function containing the registers to return

frame.regs.size()¶

Returns the number of bytes occupied by the saved registers in the current function.

Aliases: function.get_regs_size

frame.regs.size(func)

Returns the number of bytes occupied by the saved registers for the function func.

Aliases: function.get_regs_size

Parameters:	func – the function containing the register size to return

3.1.3.2.6. function.type¶

This namespace allows one to query type information about a specified function. This allows one to get any attributes that IDA or a user has applied to a function within the database. This alows one to filter functions according to their particular attributes.

This namespace is aliased as function.t.

Some of the functions within this namespace are also aliased as the following globals:

function.convention - Interact with the calling convention (idaapi.CM_CC_*) for a function’s prototype.
function.result - Interact with the result type associated with a function’s prototype.

Some simple ways of getting information about a function:

> print( function.type.has_noframe() )
> for ea in filter(function.type.is_library, database.functions()): ...

function.type()¶: Return the type information for the current function as an idaapi.tinfo_t.

function.type(info, **guessed)

Apply the type information in info to the current function.

Parameters:	info (str or idaapi.tinfo_t) – the type information to apply **guessed – a boolean describing whether the type is guessed by the disassembler or the user

function.type(none)

Remove the type information for the current function.

Parameters:	none (None) – the python value `None` which will remove the type information from the function

function.type(func)

Return the type information for the function func as an idaapi.tinfo_t.

Parameters:	func (int or long or idaapi.func_t) – the address or function to return the type information from

function.type(func, info, **guessed)

Apply the idaapi.tinfo_t in info to the function func.

Parameters:	func – the address or function to apply the type information to info (idaapi.tinfo_t) – the type information string to apply to the function **guessed – a boolean describing whether the type is guessed by the disassembler or the user

function.type(func, info, **guessed)

Parse the type information string in info into an idaapi.tinfo_t and apply it to the function func.

Parameters:	func – the address or function to apply the type information to info (str) – the `idaapi.tinfo_t` containing the type information to apply to the function **guessed – a boolean describing whether the type is guessed by the disassembler or the user

function.type(func, none)

Remove the type information for the function func.

Parameters:	func – the address or function to remove the type information from none (None) – the python value `None` which will remove the type information from the function

type.convention()¶

Return the calling convention of the current function.

Aliases: function.cc, function.convention, function.type.cc

type.convention(func)

Return the calling convention of the function func.

The integer returned corresponds to one of the idaapi.CM_CC_* constants.

Aliases: function.cc, function.convention, function.type.cc

Parameters:	func – the address or function to return the calling convention from

type.convention(func, convention)

Set the calling convention used by the prototype for the function func to the specified convention string.

Aliases: function.cc, function.convention, function.type.cc

Parameters:	func – the address or function using the calling convention to modify convention (str) – the calling convention to apply to the function prototype as a string

type.convention(func, convention)

Set the calling convention used by the prototype for the function func to the specified convention.

Aliases: function.cc, function.convention, function.type.cc

Parameters:	func – the address or function using the calling convention to modify convention (int or long) – the calling convention to apply to the function specified as an `idaapi.CM_CC_MASK`

type.flags()¶: Return the flags for the current function.

type.flags(func)

Return the flags for the function func.

Parameters:	func – the function to return the flags of

type.flags(func, mask)

Return the flags for the function func selected with the specified mask.

Parameters:	func – the function to return the flags of mask (int or long) – a bitmask used to select the explicit flag bits to return

type.flags(func, mask, integer)

Set the flags for the function func selected by the specified mask to the provided integer.

Parameters:	func – the function with the flags that are to be modified mask (int or long) – a bitmask used to specify the explicit flags to set integer (bool or int or long) – the flags to set on the function

type.has_frame()¶

Return if the current function has a frame allocated to it.

Aliases: function.type.frameQ

type.has_frame(func)

Return if the function func has a frame allocated to it.

Aliases: function.type.frameQ

Parameters:	func – the function to check for the existence of a frame

type.has_frameptr()¶

Return if the current function uses a frame pointer (register).

Aliases: function.type.frameptrQ

type.has_frameptr(func)

Return if the function func uses a frame pointer (register).

Aliases: function.type.frameptrQ

Parameters:	func – the function to check for the existence of a frame pointer

type.has_name()¶

Return if the current function has a user-defined name.

Aliases: function.type.nameQ, function.type.customnameQ, function.type.has_customname

type.has_name(func)

Return if the function func has a user-defined name.

Aliases: function.type.nameQ, function.type.customnameQ, function.type.has_customname

Parameters:	func – the function to use when checking for a name

type.has_problem()¶

Return if the current function has a problem associated with it.

Aliases: function.type.problemQ

type.has_problem(func)

Return if the function func has a problem associated with it.

Aliases: function.type.problemQ

Parameters:	func – the function to check for problems

type.has_problem(func, problem)

Return if the function func has the specified problem associated with it.

Aliases: function.type.problemQ

Parameters:	func – the function to check for problems problem (int or long) – the `idaapi.PR_` problem type representing the queue to search for problems in

type.has_prototype()¶

Return a boolean describing whether the current function has a prototype associated with it.

Aliases: function.type.has_typeinfo, function.type.typeinfoQ, function.type.prototypeQ

type.has_prototype(func)

Return a boolean describing whether the function func has a prototype associated with it.

Aliases: function.type.has_typeinfo, function.type.typeinfoQ, function.type.prototypeQ

Parameters:	func – the address or function to check for the existence of a prototype

type.has_return()¶

Return if the current function returns.

Aliases: function.type.returnQ

type.has_return(func)

Return if the function func returns.

Aliases: function.type.returnQ

Parameters:	func – the function to use when checking if it returns

type.hidden()¶: Return a boolean describing whether the current function is hidden.

type.hidden(func)

Return a boolean describing whether the function func is hidden.

Parameters:	func – the function to return the hidden attribute from

type.hidden(func, boolean)

Modify the attributes of the function func to set it as a hidden function depending on the value of boolean.

Parameters:	func – the function to modify the hidden attribute boolean – a boolean value representing whether the function is hidden or not

type.is_decompiled()¶

Return if the current function has been decompiled.

Aliases: function.type.decompiledQ

type.is_decompiled(func)

Return if the function func has been decompiled.

Aliases: function.type.decompiledQ

Parameters:	func – the function to check if it is decompiled

type.is_far()¶

Return a boolean describing whether the current function is considered a “far” function by IDA or the user.

Aliases: function.type.farQ

type.is_far(func)

Return a boolean describing whether the function func is considered a “far” function by IDA or the user.

Aliases: function.type.farQ

Parameters:	func – the function to use when checking if it is typically called from outside its segment

type.is_hidden()¶

Return a boolean describing whether the current function is hidden.

Aliases: function.type.hiddenQ

type.is_hidden(func)

Return a boolean describing whether the function func is hidden.

Aliases: function.type.hiddenQ

Parameters:	func – the function to check for its visibility

type.is_library()¶

Return a boolean describing whether the current function is considered a library function.

Aliases: function.type.libraryQ

type.is_library(func)

Return a boolean describing whether the function func is considered a library function.

Aliases: function.type.libraryQ

Parameters:	func – the function to use when checking if it is a library function

type.is_static()¶

Return a boolean describing whether the current function is defined as a static function.

Aliases: function.type.staticQ

type.is_static(func)

Return a boolean describing whether the function func is defined as a static function.

Aliases: function.type.staticQ

Parameters:	func – the function to use when checking if it is a static function

type.is_thunk()¶

Return a boolean describing whether the current function was determined to be a code thunk.

Aliases: function.type.thunkQ

type.is_thunk(func)

Return a boolean describing whether the function func was determined to be a code thunk.

Aliases: function.type.thunkQ

Parameters:	func – the function to use when checking if it is a code thunk

type.library()¶: Return a boolean describing whether the current function is considered a library function.

type.library(func)

Return a boolean describing whether the function func is considered a library function.

Parameters:	func – the desired function to return the library attribute from

type.library(func, boolean)

Modify the attributes of the function func to set it as a library function depending on the value of boolean.

Parameters:	func – the desired function to modify the attributes of boolean – a boolean value representing whether the function should be set as a library function or not

type.static()¶: Return a boolean describing whether the current function is defined as a static function.

type.static(func)

Return a boolean describing whether the function func is defined as a static function.

Parameters:	func – the function to return the static attribute from

type.static(func, boolean)

Modify the attributes of the function func to set it as a static function depending on the value of boolean.

Parameters:	func – the function to modify the static attribute boolean – a boolean value representing whether the function should be set as a static function or not

type.thunk()¶: Return a boolean describing whether the current function was determined to be a code thunk.

type.thunk(func)

Return a boolean describing whether the function func was determined to be a code thunk.

Parameters:	func – the function to return the thunk attribute from

type.thunk(func, boolean)

Modify the attributes of the function func to set it as a code thunk depending on the value of boolean.

Parameters:	func – the function to modify the thunk attribute boolean – a boolean value representing whether the function should be set as a code thunk or not

3.1.3.2.6.1. function.type.argument¶

This namespace allows one to interact with individual arguments within a function prototype. This allows one to rename or modify the type information for a particular argument within its definition.

This namespace is aliased as function.type.arg and function.type.parameter.

Some simple ways of fetching or modifying the type of the first parameter in a function:

> print( function.argument(0) ) > print( function.argument.name(1) ) > oldtype = function.argument(0, ‘void*’) > oldname = function.argument.name(1) > storage = function.argument.storage(2) > index = function.argument.remove(3)

type.argument(index)¶

Return the type information for the parameter at the specified index of the current function.

Parameters:	index (int or long) – the index of the argument to return

type.argument(index, info)

Modify the type information for the parameter at the specified index of the current function to info.

Parameters:	index (int or long) – the index of the argument to apply the type to info (str or idaapi.tinfo_t) – the type information to apply to the specified argument

type.argument(func, index)

Return the type information for the parameter at the specified index of the function func.

Parameters:	func – the address or function containing the prototype index (int or long) – the index of the argument to return

type.argument(func, index, info)

Modify the type information for the parameter at the specified index of the function func to info.

Parameters:	func – the address or function containing the prototype index (int or long) – the index of the argument to apply type information to info (idaapi.tinfo_t) – the `idaapi.tinfo_t` containing the type information to apply

type.argument(func, index, info)

Modify the type information for the parameter at the specified index of the function func to the string in info.

Parameters:	func – the address or function containing the prototype index (int or long) – the index of the argument to apply type information to info (str) – the type information as a string to apply to the argument

type.argument.location(index)¶

Return the address of the parameter at index that is passed to the function referenced at the current address.

Parameters:	index (int or long) –

type.argument.location(ea, index)

Return the address of the parameter at index that is passed to the function referenced at the address ea.

Parameters:	ea (int or long) – index (int or long) –

type.argument.name(index)¶

Return the name of the parameter at the specified index in the current function.

Parameters:	index (int or long) – the index of the argument to return the name of

type.argument.name(index, none)

Remove the name from the parameter at the specified index in the current function.

Parameters:	index (int or long) – the index of the argument to remove the name from none (None) – the python value `None`

type.argument.name(index, string, *suffix)

Modify the name of the parameter at the specified index of the current function to string.

Parameters:	index (int or long) – the index of the argument to rename string (str) – *suffix –

type.argument.name(func, index)

Return the name of the parameter at the specified index in the function func.

Parameters:	func – the address or function containing the parameter index (int or long) – the index of the argument to return the name of

type.argument.name(func, index, none)

Remove the name from the parameter at the specified index in the function func.

Parameters:	func – the address or function containing the parameter index (int or long) – the index of the argument to remove the name from none (None) – the python value `None`

type.argument.name(func, index, string, *suffix)

Modify the name of the parameter at the specified index of the function func to string.

Parameters:	func – the address or function containing the parameter index (int or long) – the index of the argument to rename string (str) – the string to rename the argument to *suffix – any other integers or strings to append to the name

type.argument.remove(index)¶

Remove the parameter at the specified index from the current function.

Aliases: function.type.argument.pop

Parameters:	index (int or long) – the index of the parameter to remove

type.argument.remove(func, index)

Remove the parameter at the specified index from the function func.

Aliases: function.type.argument.pop

Parameters:	func – the address or function to containing the parameter index (int or long) – the index of the parameter to remove

type.argument.storage(index)¶

Return the storage location of the parameter at the specified index in the current function.

Parameters:	index (int or long) – the index of the parameter to return the location of

type.argument.storage(func, index)

Return the storage location of the parameter at the specified index in the function func.

Parameters:	func – the address or function containing the parameter index (int or long) – the index of the parameter to return the location of

3.1.3.2.6.2. function.type.arguments¶

This namespace allows one to interact the with the arguments belonging to a function prototype as a whole. This can allow one to count the number of arguments, or fetch all their names and types in their entirety.

This namespace is aliased as function.type.args and function.type.parameters.

type.arguments()¶: Return the type information for each of the parameters belonging to the current function.

type.arguments(func)

Return the type information for each of the parameters belonging to the function func.

Parameters:	func – the address or function containing the prototype with the types to return

type.arguments(func, types)

Overwrite the type information for the parameters belonging to the function func with the provided list of types.

Parameters:	func – the address or function containing the prototype to modify types (list or tuple) – a tuple or list of types to use for the parameters

type.arguments.add(info)¶

Add the provided type information in info as another parameter to the current function.

Aliases: function.type.arguments.append

Parameters:	info (str or idaapi.tinfo_t) – the type information of the parameter

type.arguments.add(func, info)

Add the provided type information in info as another parameter to the function func.

Aliases: function.type.arguments.append

Parameters:	func – the address or function to add a parameter to info (str or idaapi.tinfo_t) – the type information of the parameter

type.arguments.add(func, info, name, *suffix)

Add the provided type information in info with the given name as another parameter to the function func.

Aliases: function.type.arguments.append

Parameters:	func – the address or function to add a parameter to info (str or idaapi.tinfo_t) – the type information of the parameter name (str) – the name of the parameter *suffix – any integers or strings to append to the name

type.arguments.count()¶: Return the number of parameters in the prototype for the current function.

type.arguments.count(func)

Return the number of parameters in the prototype of the function identified by func.

Parameters:	func – the address or function to return the number of arguments from

type.arguments.iterate()¶: Yield the (name, type, storage) of each of the parameters belonging to the current function.

type.arguments.iterate(func)

Yield the (name, type, storage) of each of the parameters belonging to the function func.

Parameters:	func – the address or function containing the prototype with the argument locations to return

type.arguments.locations()¶: Return the address of each of the parameters being passed to the function referenced at the current address.

type.arguments.locations(ea)

Return the address of each of the parameters being passed to the function referenced at address ea.

Parameters:	ea (int or long) –

type.arguments.locations(func, ea)

Return the address of each of the parameters for the function func that are being passed to the function referenced at address ea.

Parameters:	func – ea (int or long) –

type.arguments.names()¶

Return the names for each of the parameters belonging to the current function.

Aliases: function.type.arguments.name

type.arguments.names(func)

Return the names for each of the parameters belonging to the function func.

Aliases: function.type.arguments.name

Parameters:	func – the address or function containing the prototype with the argument names to return

type.arguments.names(func, names)

Overwrite the names for the parameters belonging to the function func with the provided list of names.

Aliases: function.type.arguments.name

Parameters:	func – the address or function containing the prototype to modify names (list or tuple) – a tuple or list of names to apply to the parameters

type.arguments.registers()¶

Return the registers for each of the parameters belonging to the current function.

Aliases: function.type.arguments.regs

type.arguments.registers(func)

Return the registers for each of the parameters belonging to the function func.

Aliases: function.type.arguments.regs

Parameters:	func – the address or function containing the prototype with the registers to return

type.arguments.storage()¶: Return the storage location for each of the parameters belonging to the current function.

type.arguments.storage(func)

Return the storage locations for each of the parameters belonging to the function func.

Parameters:	func – the address or function containing the prototype with the locations to return

type.arguments.types()¶

Return the type information for each of the parameters belonging to the current function.

Aliases: function.type.arguments.type

type.arguments.types(func)

Return the type information for each of the parameters belonging to the function func.

Aliases: function.type.arguments.type

Parameters:	func – the address or function containing the prototype with the argument types to return

type.arguments.types(func, types)

Overwrite the type information for the parameters belonging to the function func with the provided list of types.

Aliases: function.type.arguments.type

Parameters:	func – the address or function containing the prototype to modify types (list or tuple) – a tuple or list of types to use for the parameters

3.1.3.2.6.3. function.type.result¶

This namespace allows one to interact with the result as defined within a function prototype. This allows one to fetch or modify the type information that is returned by a function.

Some ways to utilize this namespace can be:

> print( function.type.result() )
> print( function.type.result.location() )

type.result()¶

Return the result type for the current function as an idaapi.tinfo_t.

Aliases: function.result

type.result(info)

Modify the result type for the current function to the type information provided as an idaapi.tinfo_t provided in info.

Aliases: function.result

Parameters:	info (idaapi.tinfo_t) – the `idaapi.tinfo_t` containing the type information to apply to the result

type.result(func)

Return the result type for the function func as an idaapi.tinfo_t.

Aliases: function.result

Parameters:	func – the address or function containing the result to return

type.result(func, info)

Modify the result type for the function func to the type information provided as a string in info.

Aliases: function.result

Parameters:	func – the address or function using the result to modify info (str) – the type information to apply to the result of the function

type.result(func, info)

Modify the result type for the function func to the type information provided as an idaapi.tinfo_t in info.

Aliases: function.result

Parameters:	func – the address or function using the result to modify info (idaapi.tinfo_t) – the `idaapi.tinfo_t` containing the type information to apply to the result

type.result.storage()¶: Return the storage location of the result belonging to the current function.

type.result.storage(func)

Return the storage location of the result belonging to the function func.

Parameters:	func – the address or function using the result to return the location of

3.1.3.2.7. function.xref¶

This namespace is for navigating the cross-references (xrefs) associated with a function in the database. This allows for one to return all of the callers for a function, as well as all of the functions that it may call.

This namespace is aliased as function.x.

Some of the functions within this namespace are also aliased as the following globals:

function.up - Return all the addresses that reference a function
function.down - Return the callable addresses referenced by a function

Some ways to utilize this namespace can be:

> print( function.xref.up() )
> for ea in function.xref.down(): ...

xref.argument(index)¶

Return the address of the parameter being passed to the function reference at the current address for the specified index.

Aliases: function.xref.arg

Parameters:	index (int or long) – the index of the parameter to return the address of

xref.argument(index, ea)

Return the address of the parameter being passed to the function reference at the address ea for the specified index.

Aliases: function.xref.arg

Parameters:	index (int or long) – the index of the parameter to return the address of ea (int or long) – the address of the reference to the function

xref.argument(func, index, ea)

Return the address of the parameter from the specified index of the function func that is being passed to the function reference at the address ea.

Aliases: function.xref.arg

Parameters:	func – the function to return the argument from index (int or long) – the index of the parameter to return the address of ea (int or long) – the address of the reference to the function

xref.arguments()¶

Return the address of each of the parameters being passed to the function reference at the current address.

Aliases: function.xref.args

xref.arguments(ea)

Return the address of each of the parameters being passed to the function reference at address ea.

Aliases: function.xref.args

Parameters:	ea (int or long) – the address of the reference to the function

xref.arguments(func, ea)

Return the address of each of the parameters for the function func that are being passed to the function reference at address ea.

Aliases: function.xref.args

Parameters:	func – the address of the reference to the function ea (int or long) – the address of the reference to the function to return the arguments for

xref.down(**references)¶

Return all of the addresses that are referenced by a branch instruction from the current function.

Aliases: function.down

Parameters:	**references – a boolean specifying to include the address of the instruction with the yielded reference

xref.down(func, **references)

Return all of the addresses that are referenced by a branch instruction from the function func.

If the boolean references is true, then include the reference address of each instruction along with its.

Aliases: function.down

Parameters:	func – the function to return the references for **references – a boolean specifying to include the address of the instruction with the yielded refrence

xref.up()¶

Return all of the addresses that reference the current function.

Aliases: function.up

xref.up(func)

Return all of the addresses that reference the function func.

Aliases: function.up

Parameters:	func – the function to return the references for

3.1.3. function – Function module¶

3.1.3.1. Function list¶

3.1.3.2. Namespace list¶

3.1.3.2.1. function.block¶

3.1.3.2.2. function.blocks¶

3.1.3.2.3. function.chunk¶

3.1.3.2.4. function.chunks¶

3.1.3.2.5. function.frame¶

3.1.3.2.5.1. function.frame.arguments¶

3.1.3.2.5.2. function.frame.lvars¶

3.1.3.2.5.3. function.frame.regs¶

3.1.3.2.6. function.type¶

3.1.3.2.6.1. function.type.argument¶

3.1.3.2.6.2. function.type.arguments¶

3.1.3.2.6.3. function.type.result¶

3.1.3.2.7. function.xref¶

IDA-minsc

Navigation

Contents

Search

Indices

This Page