ida-domain-api

Domain API for IDA Pro

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "ida-domain-api" with this command: npx skills add hexrayssa/ida-claude-plugins/hexrayssa-ida-claude-plugins-ida-domain-api

Domain API for IDA Pro

Use this skill to efficiently use the Domain API for IDA Pro, which is easier and more concise than the legacy IDA Python SDK.

Always prefer the IDA Domain API over the legacy low-level IDA Python SDK. The Domain API provides a clean, Pythonic interface that is easier to use and understand.

Documentation Resources

Resource URL

LLM-optimized overview https://ida-domain.docs.hex-rays.com/llms.txt

Getting Started https://ida-domain.docs.hex-rays.com/getting_started/index.md

Examples https://ida-domain.docs.hex-rays.com/examples/index.md

API Reference https://ida-domain.docs.hex-rays.com/ref/{module}/index.md

Available API modules: bytes , comments , database , entries , flowchart , functions , heads , hooks , instructions , names , operands , segments , signature_files , strings , types , xrefs

To fetch specific API documentation, use URLs like:

Opening a Database

from ida_domain import Database from ida_domain.database import IdaCommandOptions

ida_options = IdaCommandOptions(auto_analysis=True, new_database=False) with Database.open("path/to/binary", ida_options, save_on_close=True) as db: # Your analysis here pass

Key Database Properties

with Database.open(path, ida_options) as db: db.minimum_ea # Start address db.maximum_ea # End address db.metadata # Database metadata db.architecture # Target architecture

db.functions       # All functions (iterable)
db.strings         # All strings (iterable)
db.segments        # Memory segments
db.names           # Symbols and labels
db.entries         # Entry points
db.types           # Type definitions
db.comments        # All comments
db.xrefs           # Cross-reference utilities
db.bytes           # Byte manipulation
db.instructions    # Instruction access

Functions

Iterating Functions

Iterate all functions

for func in db.functions: print(db.functions.get_name(func))

Get function count

count = len(db.functions)

Finding Functions

func = db.functions.get_at(0x401000) # By address func = db.functions.get_function_by_name("main") # By name func = db.functions.get_next(ea) # Next function after ea

Functions in range

for func in db.functions.get_between(start_ea, end_ea): print(func.start_ea)

Function Properties

name = db.functions.get_name(func) signature = db.functions.get_signature(func) flags = db.functions.get_flags(func) # Returns FunctionFlags

Check function attributes

db.functions.is_far(func) db.functions.does_return(func)

Function Code

Get disassembly lines

lines = db.functions.get_disassembly(func, remove_tags=True)

Get decompiled pseudocode

pseudocode = db.functions.get_pseudocode(func, remove_tags=True)

Get microcode

microcode = db.functions.get_microcode(func, remove_tags=True)

Function Analysis

Get instructions in function

for insn in db.functions.get_instructions(func): print(insn.ea)

Get flowchart for basic blocks

flowchart = db.functions.get_flowchart(func) for block in flowchart: print(f"Block: {block.start_ea:#x} - {block.end_ea:#x}")

Get callers/callees

callers = db.functions.get_callers(func) callees = db.functions.get_callees(func)

Get function chunks

for chunk in db.functions.get_chunks(func): print(f"Chunk: {chunk.start_ea:#x}, main={chunk.is_main}")

Get data items within function

for data_ea in db.functions.get_data_items(func): print(f"Data at {data_ea:#x}")

Local Variables

Get all local variables

lvars = db.functions.get_local_variables(func) for lvar in lvars: print(f"{lvar.name}: {lvar.type_str}, arg={lvar.is_argument}")

Find variable by name

lvar = db.functions.get_local_variable_by_name(func, "result")

Get variable references in pseudocode

refs = db.functions.get_local_variable_references(func, lvar) for ref in refs: print(f"Line {ref.line_number}: {ref.access_type} in {ref.context}")

Modifying Functions

db.functions.set_name(func, "new_name") db.functions.set_comment(func, "This function does X", repeatable=False) db.functions.create(ea) # Create function at address db.functions.remove(ea) # Remove function at address

Instructions

Iterating Instructions

All instructions in database

for insn in db.instructions: print(db.instructions.get_disassembly(insn))

Instructions in range

for insn in db.instructions.get_between(start_ea, end_ea): print(insn.ea)

Getting Instructions

insn = db.instructions.get_at(ea) # Decode at address insn = db.instructions.get_previous(ea) # Previous instruction

Instruction Properties

disasm = db.instructions.get_disassembly(insn) mnemonic = db.instructions.get_mnemonic(insn) # "mov", "push", etc. db.instructions.is_valid(insn)

Control Flow Analysis

db.instructions.is_call_instruction(insn) # Is this a call? db.instructions.is_indirect_jump_or_call(insn) # Indirect jump/call? db.instructions.breaks_sequential_flow(insn) # Stops flow (ret, jmp)?

Working with Operands

count = db.instructions.get_operands_count(insn) operands = db.instructions.get_operands(insn) # List of Operand objects

for op in operands: info = op.get_info() print(f"Operand {op.number}: {op.type.name}")

if isinstance(op, RegisterOperand):
    print(f"  Register: {op.get_register_name()}")
elif isinstance(op, ImmediateOperand):
    print(f"  Value: 0x{op.get_value():x}")
elif isinstance(op, MemoryOperand):
    if op.is_direct_memory():
        print(f"  Memory: 0x{op.get_address():x}")

Segments

Iterating Segments

for segment in db.segments: name = db.segments.get_name(segment) size = db.segments.get_size(segment) print(f"{name}: {segment.start_ea:#x} - {segment.end_ea:#x}")

count = len(db.segments)

Finding Segments

seg = db.segments.get_at(0x401000) # Segment containing address seg = db.segments.get_by_name(".text") # By name

Segment Properties

name = db.segments.get_name(segment) size = db.segments.get_size(segment) bitness = db.segments.get_bitness(segment) # 16, 32, or 64 seg_class = db.segments.get_class(segment) # "CODE", "DATA", etc.

Creating Segments

from ida_domain.segments import PredefinedClass, AddSegmentFlags

Add segment with explicit range

seg = db.segments.add( seg_para=0, start_ea=0x1000, end_ea=0x2000, seg_name="MySegment", seg_class=PredefinedClass.CODE )

Append segment after last one

seg = db.segments.append(seg_para=0, seg_size=0x1000, seg_name="NewSeg")

Modifying Segments

from ida_domain.segments import SegmentPermissions, AddressingMode

db.segments.set_name(segment, "new_name") db.segments.set_permissions(segment, SegmentPermissions.READ | SegmentPermissions.EXEC) db.segments.add_permissions(segment, SegmentPermissions.WRITE) db.segments.remove_permissions(segment, SegmentPermissions.WRITE) db.segments.set_addressing_mode(segment, AddressingMode.BIT64) db.segments.set_comment(segment, "Code section", repeatable=False)

Strings

Iterating Strings

for string in db.strings: print(f"{string.address:#x}: {string}")

By index

first_string = db.strings[0] count = len(db.strings)

Finding Strings

string = db.strings.get_at(0x402000) # String at address

Strings in range

for s in db.strings.get_between(start_ea, end_ea): print(s.contents)

String Properties

print(string.address) # Address print(string.length) # Length in characters print(string.type) # StringType enum print(string.encoding) # Internal encoding print(string.contents) # UTF-8 bytes print(str(string)) # Decoded string

Rebuilding String List

from ida_domain.strings import StringListConfig, StringType

config = StringListConfig( string_types=[StringType.C, StringType.C_16], min_len=3, only_ascii_7bit=False ) db.strings.rebuild(config) db.strings.clear() # Clear string list

Xrefs

Getting References TO an Address

All xrefs to an address

for xref in db.xrefs.to_ea(target_ea): print(f"{xref.from_ea:#x} -> {xref.to_ea:#x} ({xref.type.name})")

Just code references

for ea in db.xrefs.code_refs_to_ea(target_ea, flow=False): print(f"Code ref from {ea:#x}")

Just data references

for ea in db.xrefs.data_refs_to_ea(target_ea): print(f"Data ref from {ea:#x}")

Call references only

for ea in db.xrefs.calls_to_ea(func_ea): print(f"Called from {ea:#x}")

Detailed caller information

for caller in db.xrefs.get_callers(func_ea): print(f"Called from {caller.name} at {caller.ea:#x}")

Getting References FROM an Address

All xrefs from an address

for xref in db.xrefs.from_ea(source_ea): print(f"{xref.from_ea:#x} -> {xref.to_ea:#x}")

Code/data refs from

for ea in db.xrefs.code_refs_from_ea(source_ea): print(f"Code ref to {ea:#x}")

for ea in db.xrefs.calls_from_ea(source_ea): print(f"Calls {ea:#x}")

Data Access Analysis

Who reads this data?

for ea in db.xrefs.reads_of_ea(data_ea): print(f"Read by {ea:#x}")

Who writes to this data?

for ea in db.xrefs.writes_to_ea(data_ea): print(f"Written by {ea:#x}")

XrefInfo Properties

xref.is_call # Is this a call reference? xref.is_jump # Is this a jump reference? xref.is_read # Is this a data read? xref.is_write # Is this a data write? xref.is_flow # Is this ordinary flow? xref.user # Is this user-defined?

Names

Iterating Names

for ea, name in db.names: print(f"{ea:#x}: {name}")

count = len(db.names)

Getting Names

name = db.names.get_at(0x401000) ea, name = db.names[0] # By index

Setting Names

from ida_domain.names import SetNameFlags

db.names.set_name(ea, "my_function") db.names.set_name(ea, "my_func", flags=SetNameFlags.CHECK) # Validate chars db.names.force_name(ea, "func") # Creates func_2 if func exists db.names.delete(ea) # Remove name

Name Properties

db.names.is_valid_name("my_name") # Check if valid db.names.is_public_name(ea) # Is public? db.names.is_weak_name(ea) # Is weak?

db.names.make_name_public(ea) db.names.make_name_non_public(ea) db.names.make_name_weak(ea) db.names.make_name_non_weak(ea)

Demangling

from ida_domain.names import DemangleFlags

demangled = db.names.get_demangled_name(ea) demangled = db.names.get_demangled_name(ea, DemangleFlags.NORETTYPE) demangled = db.names.demangle_name("?main@@YAXXZ")

Types

Getting Types

By name

tinfo = db.types.get_by_name("MyStruct")

At address

tinfo = db.types.get_at(ea)

Iterate all types

for tinfo in db.types: print(tinfo)

Parsing Types

Parse declarations from string

errors = db.types.parse_declarations(None, "struct Point { int x; int y; };")

Parse single declaration

tinfo = db.types.parse_one_declaration(None, "int (callback)(void)", "callback_t")

Parse header file

errors = db.types.parse_header_file(library, Path("header.h"))

Applying Types

from ida_domain.types import TypeApplyFlags

db.types.apply_at(tinfo, ea, flags=TypeApplyFlags.DEFINITE)

Type Details

details = db.types.get_details(tinfo) print(details.name) print(details.size) print(details.attributes)

For structs/unions

if details.udt: print(details.udt.num_members) print(details.udt.attributes)

For functions

if details.func: print(details.func.attributes)

Type Libraries

Load/create libraries

lib = db.types.load_library(Path("types.til")) lib = db.types.create_library(Path("new.til"), "My Types")

Import/export types

db.types.import_type(source_lib, "MyStruct") db.types.export_type(dest_lib, "MyStruct")

Save library

db.types.save_library(lib, Path("output.til")) db.types.unload_library(lib)

Bytes

Reading Values

byte = db.bytes.get_byte_at(ea) word = db.bytes.get_word_at(ea) dword = db.bytes.get_dword_at(ea) qword = db.bytes.get_qword_at(ea) float_val = db.bytes.get_float_at(ea) double_val = db.bytes.get_double_at(ea)

Read multiple bytes

data = db.bytes.get_bytes_at(ea, size=16) original = db.bytes.get_original_bytes_at(ea, size=16)

Read strings

string = db.bytes.get_string_at(ea) cstring = db.bytes.get_cstring_at(ea, max_length=256)

Writing Values

db.bytes.set_byte_at(ea, 0x90) db.bytes.set_word_at(ea, 0x1234) db.bytes.set_dword_at(ea, 0x12345678) db.bytes.set_qword_at(ea, 0x123456789ABCDEF0) db.bytes.set_bytes_at(ea, b"\x90\x90\x90")

Patching (with History)

db.bytes.patch_byte_at(ea, 0x90) # Saves original db.bytes.patch_bytes_at(ea, data) db.bytes.revert_byte_at(ea) # Restore original

Get original values

orig = db.bytes.get_original_byte_at(ea)

Searching

from ida_domain.bytes import SearchFlags

Find bytes

ea = db.bytes.find_bytes_between(b"\x55\x89\xe5", start_ea, end_ea)

Find all occurrences

addresses = db.bytes.find_binary_sequence(b"\x90\x90")

Find text

ea = db.bytes.find_text_between("error", flags=SearchFlags.DOWN)

Find immediate value

ea = db.bytes.find_immediate_between(0x1234)

Creating Data Items

from ida_domain.strings import StringType

db.bytes.create_byte_at(ea, count=4) db.bytes.create_word_at(ea) db.bytes.create_dword_at(ea, count=10) # Array of 10 dwords db.bytes.create_qword_at(ea) db.bytes.create_float_at(ea) db.bytes.create_double_at(ea) db.bytes.create_string_at(ea, string_type=StringType.C) db.bytes.create_struct_at(ea, count=1, tid=struct_tid)

Querying Properties

size = db.bytes.get_data_size_at(ea) db.bytes.is_value_initialized_at(ea) db.bytes.is_code_at(ea) db.bytes.is_data_at(ea) db.bytes.is_head_at(ea) db.bytes.is_tail_at(ea) db.bytes.is_unknown_at(ea)

Get disassembly at address

disasm = db.bytes.get_disassembly_at(ea)

Navigation

next_head = db.bytes.get_next_head(ea) prev_head = db.bytes.get_previous_head(ea) next_addr = db.bytes.get_next_address(ea) prev_addr = db.bytes.get_previous_address(ea)

Comments

Regular Comments

from ida_domain.comments import CommentKind

Get comment

info = db.comments.get_at(ea, CommentKind.REGULAR) if info: print(info.comment)

Set comment

db.comments.set_at(ea, "This is important", CommentKind.REGULAR) db.comments.set_at(ea, "Shows everywhere", CommentKind.REPEATABLE)

Delete comment

db.comments.delete_at(ea, CommentKind.ALL)

Iterating Comments

for comment_info in db.comments: print(f"{comment_info.ea:#x}: {comment_info.comment}")

All comment types

for info in db.comments.get_all(CommentKind.ALL): print(f"{info.ea:#x} (repeatable={info.repeatable}): {info.comment}")

Extra Comments (Anterior/Posterior)

from ida_domain.comments import ExtraCommentKind

Set extra comment

db.comments.set_extra_at(ea, index=0, comment="Before line", kind=ExtraCommentKind.ANTERIOR) db.comments.set_extra_at(ea, index=0, comment="After line", kind=ExtraCommentKind.POSTERIOR)

Get extra comments

comment = db.comments.get_extra_at(ea, index=0, kind=ExtraCommentKind.ANTERIOR) for comment in db.comments.get_all_extra_at(ea, ExtraCommentKind.ANTERIOR): print(comment)

Delete

db.comments.delete_extra_at(ea, index=0, kind=ExtraCommentKind.ANTERIOR)

Entries

Iterating Entry Points

for entry in db.entries: print(f"{entry.ordinal}: {entry.name} at {entry.address:#x}")

count = len(db.entries) first = db.entries[0]

Finding Entries

entry = db.entries.get_at(ea) # By address entry = db.entries.get_by_ordinal(1) # By ordinal entry = db.entries.get_by_name("main") # By name entry = db.entries.get_at_index(0) # By index

Entry Properties

print(entry.ordinal) print(entry.address) print(entry.name) print(entry.forwarder_name) entry.has_forwarder()

Modifying Entries

db.entries.add(address=ea, name="new_entry", ordinal=10) db.entries.rename(ordinal=10, new_name="renamed_entry") db.entries.set_forwarder(ordinal=10, forwarder_name="other.dll!func") db.entries.exists(ordinal=10)

Utility Iterators

for ordinal in db.entries.get_ordinals(): print(ordinal)

for addr in db.entries.get_addresses(): print(f"{addr:#x}")

for name in db.entries.get_names(): print(name)

for fwd in db.entries.get_forwarders(): print(f"{fwd.ordinal}: {fwd.name}")

Heads

Iterating Heads

for ea in db.heads: print(f"Head at {ea:#x}")

In range

for ea in db.heads.get_between(start_ea, end_ea): print(ea)

Navigation

next_ea = db.heads.get_next(ea) prev_ea = db.heads.get_previous(ea)

Head Properties

db.heads.is_head(ea) # Is start of item? db.heads.is_tail(ea) # Is part of multi-byte item? db.heads.is_code(ea) # Is instruction? db.heads.is_data(ea) # Is data? db.heads.is_unknown(ea) # Is unclassified?

size = db.heads.size(ea) start, end = db.heads.bounds(ea)

Flowchart

Creating Flowcharts

from ida_domain.flowchart import FlowChart, FlowChartFlags

From function

flowchart = FlowChart(db, func=my_func)

From address range

flowchart = FlowChart(db, bounds=(start_ea, end_ea))

With predecessor info

flowchart = FlowChart(db, func=my_func, flags=FlowChartFlags.PREDS)

Iterating Basic Blocks

for block in flowchart: print(f"Block {block.id}: {block.start_ea:#x} - {block.end_ea:#x}")

By index

block = flowchart[0] count = len(flowchart)

Block Navigation

for succ in block.get_successors(): print(f"Successor: {succ.id}")

for pred in block.get_predecessors(): print(f"Predecessor: {pred.id}")

succ_count = block.count_successors() pred_count = block.count_predecessors()

Block Instructions

for insn in block.get_instructions(): print(f"{insn.ea:#x}")

Enums Reference

XrefType

from ida_domain.xrefs import XrefType

XrefType.OFFSET # Offset reference XrefType.WRITE # Write access XrefType.READ # Read access XrefType.CALL_FAR # Far call XrefType.CALL_NEAR # Near call XrefType.JUMP_FAR # Far jump XrefType.JUMP_NEAR # Near jump XrefType.ORDINARY_FLOW # Sequential flow

xref_type.is_code_ref() # Check if code ref xref_type.is_data_ref() # Check if data ref

FunctionFlags

from ida_domain.functions import FunctionFlags

FunctionFlags.NORET # Doesn't return FunctionFlags.LIB # Library function FunctionFlags.THUNK # Thunk function FunctionFlags.HIDDEN # Hidden chunk FunctionFlags.LUMINA # From Lumina FunctionFlags.FAR # Far function FunctionFlags.FRAME # Uses frame pointer

LocalVariableAccessType

from ida_domain.functions import LocalVariableAccessType

LocalVariableAccessType.READ # Variable is read LocalVariableAccessType.WRITE # Variable is written LocalVariableAccessType.ADDRESS # Address taken (&var)

LocalVariableContext

from ida_domain.functions import LocalVariableContext

LocalVariableContext.ASSIGNMENT # var = expr LocalVariableContext.CONDITION # if (var) LocalVariableContext.CALL_ARG # func(var) LocalVariableContext.RETURN # return var LocalVariableContext.ARITHMETIC # var + 1 LocalVariableContext.COMPARISON # var == x LocalVariableContext.ARRAY_INDEX # arr[var] LocalVariableContext.POINTER_DEREF # *var LocalVariableContext.CAST # (type)var

OperandType

from ida_domain.operands import OperandType

OperandType.REGISTER # Register OperandType.MEMORY # Direct memory OperandType.PHRASE # Register addressing OperandType.DISPLACEMENT # Reg + displacement OperandType.IMMEDIATE # Immediate value OperandType.FAR_ADDRESS # Far address OperandType.NEAR_ADDRESS # Near address

StringType

from ida_domain.strings import StringType

StringType.C # C-style null-terminated StringType.C_16 # C-style 16-bit StringType.C_32 # C-style 32-bit StringType.PASCAL # Pascal-style StringType.LEN2 # 2-byte length prefix StringType.LEN4 # 4-byte length prefix

SegmentPermissions

from ida_domain.segments import SegmentPermissions

SegmentPermissions.READ SegmentPermissions.WRITE SegmentPermissions.EXEC SegmentPermissions.ALL

AddressingMode

from ida_domain.segments import AddressingMode

AddressingMode.BIT16 # 16-bit segment AddressingMode.BIT32 # 32-bit segment AddressingMode.BIT64 # 64-bit segment

PredefinedClass

from ida_domain.segments import PredefinedClass

PredefinedClass.CODE PredefinedClass.DATA PredefinedClass.CONST PredefinedClass.STACK PredefinedClass.BSS PredefinedClass.XTRN

CommentKind

from ida_domain.comments import CommentKind

CommentKind.REGULAR # Normal comment CommentKind.REPEATABLE # Shows at all refs CommentKind.ALL # Both types

ExtraCommentKind

from ida_domain.comments import ExtraCommentKind

ExtraCommentKind.ANTERIOR # Before the line ExtraCommentKind.POSTERIOR # After the line

TypeAttr

from ida_domain.types import TypeAttr

TypeAttr.INT, TypeAttr.UINT TypeAttr.FLOAT, TypeAttr.DOUBLE TypeAttr.PTR, TypeAttr.ARRAY TypeAttr.FUNC, TypeAttr.STRUCT TypeAttr.UNION, TypeAttr.ENUM TypeAttr.CONST, TypeAttr.VOLATILE

FlowChartFlags

from ida_domain.flowchart import FlowChartFlags

FlowChartFlags.NONE # Default FlowChartFlags.NOEXT # Don't compute external blocks FlowChartFlags.PREDS # Compute predecessors

Common Patterns

Find All Calls to a Function

func = db.functions.get_function_by_name("malloc") if func: for caller in db.xrefs.get_callers(func.start_ea): print(f"Called from {caller.name} at {caller.ea:#x}")

Rename Functions Based on Strings

for func in db.functions: for insn in db.functions.get_instructions(func): for xref in db.xrefs.from_ea(insn.ea): string = db.strings.get_at(xref.to_ea) if string and "error" in str(string).lower(): db.functions.set_name(func, f"func_with_error_{func.start_ea:x}") break

Analyze Function Complexity

func = db.functions.get_at(ea) flowchart = db.functions.get_flowchart(func) print(f"Basic blocks: {len(flowchart)}")

total_edges = sum(block.count_successors() for block in flowchart) print(f"Cyclomatic complexity: {total_edges - len(flowchart) + 2}")

Export Function Pseudocode

for func in db.functions: name = db.functions.get_name(func) try: pseudocode = db.functions.get_pseudocode(func) print(f"// {name}") for line in pseudocode: print(line) except RuntimeError: print(f"// Could not decompile {name}")

Find Cross-References to Strings

for string in db.strings: refs = list(db.xrefs.to_ea(string.address)) if refs: print(f'"{string}" referenced from:') for xref in refs: print(f" {xref.from_ea:#x}")

Legacy API (Avoid)

The legacy idc , idautils , ida_funcs APIs still work but are harder to use. Prefer the Domain API for new analysis scripts. Only use legacy APIs when Domain API doesn't expose needed functionality.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

ida-domain-scripting

No summary provided by upstream source.

Repository SourceNeeds Review
-6
hexrayssa
General

package-ida-plugin

No summary provided by upstream source.

Repository SourceNeeds Review
-4
hexrayssa
Coding

ida-plugin-development

No summary provided by upstream source.

Repository SourceNeeds Review
-4
hexrayssa