The following functions work with areas and area control blocks, as described in section 4.2.2 and 4.2.3 respectively. These functions are all methods within the areacb_t class, and therefore can only be used on instances of that class. Two instances of areacb_t are funcs and segs, representing all functions and segments within the currently disassembled file(s) in IDA.
Although you should use the segment-specific functions for dealing with segments, and the function-specific functions for dealing with functions, working with areas directly gives you a more abstract way of dealing with functions and segments. These functions are defined in area.hpp.
An essential part of debugging is having the ability to set and manipulate breakpoints, which can be set on any address within a process memory space and be hardware or software breakpoints. The following set of functions work with breakpoints, and are defined in dbg.hpp.
The following functions are a part of the xrefblk_t structure, defined in xref.hpp. They are used to populate and enumerate cross references to or from an address. All functions take flags as an argument, which can be one of the following, as taken from xref.hpp:
#define XREF_ALL 0x00 // return all references
#define XREF_FAR 0x01 // don't return ordinary flow xrefs
#define XREF_DATA 0x02 // return data references only
An ordinary flow is when execution normally passes from one instruction to another without the use of a CALL or JMP (or equivalent) instruction. If you are only interested in code cross references (ignoring ordinary flows), then you would use XREF_ALL and check if the isCode member of xrefblk_t is true in each case. Use XREF_DATA if you are only interested in data references.
When working with a disassembled file, it can often be very useful to bypass the disassembler and work directly with the bytes in the binary file itself. IDA provides the functionality to do this with this set of functions. All of these functions are defined in bytes.hpp. These functions work with bytes, however there are also functions to work with words, longs and qwords (get_word(), patch_word() and so on), which are also to be found in bytes.hpp. Aside from using these functions to read data from the binary file itself, they can also be used to read process memory while a process is executing under the debugger. More on this under the Debugger functions section.
This section in particular is for high level operations, such as process and thread control, on a binary/process. All of these functions are defined in dbg.hpp with the exception of invalidate_dbg_contents() and invalidate_dbg_config(), which are defined in bytes.hpp. To get the most out of the examples, you should run them (i.e. invoke your plug-in) whilst a binary is being debugged in IDA. You will probably notice that all of these functions aren't prefixed with ida_export. They don't need to be because they are all inlined wrappers to callui(), and use event notifications to carry out their respective functionality.
These set of functions are for checking whether particular flags (see section 4.3) are set for a byte within the currently disassembled file(s). They are all defined in bytes.hpp.
These set of functions are for working with functions within the currently disassembled file(s) in IDA. As with segments, functions are areas, and so some of these functions are simply wrappers to areacb_t methods, in funcs. All are defined in funcs.hpp.
A few of the standard C library functions for I/O have IDA SDK equivalents, and it's recommended you use them instead of their standard C counterparts. These are all defined in diskio.hpp.
The following functions are for working with IDA database (IDB) files, and can be found in loader.hpp. Although there is no actual definition of the linput_t class, you need to call the open_linput() (diskio.hpp) function to create an instance of the class, which some functions use as an argument. You can also use make_linput() to convert a FILE pointer to a linput_t instance; see loader.hpp for more information.
These set of functions work with instructions within the currently disassembled file(s) in IDA. All are defined in ua.hpp, except for generate_disasm_line(), which is defined in lines.hpp.
These are the functions you will probably use the most when writing a plug-in; not because they are the most useful, but simply because they provide a means for simple communication with the user and can be a great help when debugging plug-ins.
As you can probably tell from the definitions, all of these functions are inlined and take printf style arguments. They are all defined in kernwin.hpp.
The following functions deal with function (sub_*), location (loc_*) and variable (arg_*, var_*) names, set by IDA or the user. All are defined in name.hpp. Register names are not recognised by these functions.
The following functions are used for doing simple searching within the disassembled file(s) in IDA, and are defined in search.hpp. There are also other search functions for specific search types (errors, etc.) which can also be found in search.hpp. The search functions take flags, which dictate how the search is conducted, what is searched for, etc. These flags are, as taken from search.hpp:
#define SEARCH_UP 0x000 // only one of SEARCH_UP or SEARCH_DOWN can be specified
#define SEARCH_DOWN 0x001
#define SEARCH_NEXT 0x002 // Search for the next occurrence
#define SEARCH_CASE 0x004 // Make the search case-sensitive
#define SEARCH_REGEX 0x008 // Use the regular expression parser
#define SEARCH_NOBRK 0x010 // don't test ctrl-break
#define SEARCH_NOSHOW 0x020 // don't display the search progress
#define SEARCH_UNICODE 0x040 // treat strings as unicode
#define SEARCH_IDENT 0x080 // search for an identifier
#define SEARCH_BRK 0x100 // return BADADDR if break is pressed during find_imm()
Typically, you'd just use SEARCH_DOWN to conduct a case-insensitive search, towards the bottom of the file(s).
The following functions work with segments (.text, .idata, etc.) and are defined in segment.hpp. A lot of these functions are simply wrappers to areacb_t methods for the segs variable.
The following functions are used for reading the list of strings in IDA's Strings window, which is derived from strings found in the currently disassembled file(s). All of these functions are defined in strlist.hpp.
The functions available for tracing mostly revolve around checking whether a certain type of tracing is enabled, enabling or disabling a type of tracing and retrieving trace events. All of these functions are defined in dbg.hpp.
These set of functions are specifically for interacting with the user and the IDA GUI. Some of them use callui() to generate an event to IDA. All are defined in kernwin.hpp.
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}