ida_xref

Functions that deal with cross-references (xrefs).

There are 2 groups of xrefs: CODE and DATA references. All xrefs are kept in the bTree except the ordinary execution flow to the next instruction. The ordinary execution flow to the next instruction is kept in flags (see bytes.hpp) The source address of an xref must be an item head (is_head) or a structure member id. Even if an xref is generated by an element in the middle of the item, the item head address must be used. There are some exceptions to the rule but they are not worth mentioning here. Xrefs are automatically sorted by addresses. However, the flow to the next instruction is always at the beginning of the list. Xrefs are usually created by the processor module, as a reaction to the ev_emu_insn event. Plugins may create xrefs too but please note that upon a reanalysis of an item, all its xrefs, except the ones marked with XREF_USER, are deleted by the kernel.

Attributes

`SWIG_PYTHON_LEGACY_BOOL`
`fl_U`	unknown - for compatibility with old versions. Should not be used anymore.
`fl_CF`	Call Far This xref creates a function at the referenced location
`fl_CN`	Call Near This xref creates a function at the referenced location
`fl_JF`	Jump Far.
`fl_JN`	Jump Near.
`fl_USobsolete`	User specified (obsolete)
`fl_F`	Ordinary flow: used to specify execution flow to the next instruction.
`dr_U`	Unknown - for compatibility with old versions. Should not be used anymore.
`dr_O`	Offset The reference uses 'offset' of data rather than its value OR The reference appeared because the "OFFSET" flag of instruction is set. The meaning of this type is IDP dependent.
`dr_W`	Write access.
`dr_R`	Read access.
`dr_T`	Text (for forced operands only) Name of data is used in manual operand
`dr_I`	Informational (a derived java class references its base class informationally)
`dr_S`	Reference to enum member (symbolic constant)
`XREF_USER`	User specified xref. This xref will not be deleted by IDA. This bit should be combined with the existing xref types (cref_t & dref_t) Cannot be used for fl_F xrefs
`XREF_TAIL`	Reference to tail byte in extrn symbols.
`XREF_BASE`	Reference to the base part of an offset.
`XREF_MASK`	Mask to get xref type.
`XREF_PASTEND`	Reference is past item. This bit may be passed to add_dref() functions but it won't be saved in the database. It will prevent the destruction of eventual alignment directives.
`XREF_FLOW`	return all references, including ordinary flow xrefs
`XREF_NOFLOW`	skip ordinary flow xrefs (code xrefs to the next insn)
`XREF_DATA`	return only data references (dr_...)
`XREF_CODE`	return only code references (fl_...)
`XREF_EA`	return only program addresses
`XREF_TID`	return only type ids. XREF_EA and XREF_TID are exclusive, only one of them can be specified
`XREF_ALL`
`XREF_FAR`
`XREF_ALL`
`XREF_FAR`

Classes

`cases_and_targets_t`
`xrefblk_t`
`casevec_t`

Functions

`create_switch_xrefs`(ea, si)	This function creates xrefs from the indirect jump.
`calc_switch_cases`(ea, si)	Get information about a switch's cases.
`create_switch_table`(ea, si)	Create switch table from the switch information
`xrefchar`(→ char)	Get character describing the xref type.
`add_cref`(→ bool)	Create a code cross-reference.
`del_cref`(→ bool)	Delete a code cross-reference.
`add_dref`(→ bool)	Create a data cross-reference.
`del_dref`(→ None)	Delete a data cross-reference.
`get_first_dref_from`(→ ida_idaapi.ea_t)	Get first data referenced from the specified address.
`get_next_dref_from`(→ ida_idaapi.ea_t)	Get next data referenced from the specified address.
`get_first_dref_to`(→ ida_idaapi.ea_t)	Get address of instruction/data referencing to the specified data.
`get_next_dref_to`(→ ida_idaapi.ea_t)	Get address of instruction/data referencing to the specified data
`get_first_cref_from`(→ ida_idaapi.ea_t)	Get first instruction referenced from the specified instruction. If the specified instruction passes execution to the next instruction then the next instruction is returned. Otherwise the lowest referenced address is returned (remember that xrefs are kept sorted!).
`get_next_cref_from`(→ ida_idaapi.ea_t)	Get next instruction referenced from the specified instruction.
`get_first_cref_to`(→ ida_idaapi.ea_t)	Get first instruction referencing to the specified instruction. If the specified instruction may be executed immediately after its previous instruction then the previous instruction is returned. Otherwise the lowest referencing address is returned. (remember that xrefs are kept sorted!).
`get_next_cref_to`(→ ida_idaapi.ea_t)	Get next instruction referencing to the specified instruction.
`get_first_fcref_from`(→ ida_idaapi.ea_t)
`get_next_fcref_from`(→ ida_idaapi.ea_t)
`get_first_fcref_to`(→ ida_idaapi.ea_t)
`get_next_fcref_to`(→ ida_idaapi.ea_t)
`has_external_refs`(→ bool)	Does 'ea' have references from outside of 'pfn'?
`has_jump_or_flow_xref`(→ bool)	Are there jump or flow references to EA?
`delete_switch_table`(→ None)

Module Contents

ida_xref.SWIG_PYTHON_LEGACY_BOOL

ida_xref.create_switch_xrefs(ea, si)

This function creates xrefs from the indirect jump.

Usually there is no need to call this function directly because the kernel will call it for switch tables

Note: Custom switch information are not supported yet.

Parameters:

ea – address of the ‘indirect jump’ instruction
si – switch information

Returns:

Boolean

class ida_xref.cases_and_targets_t

Bases: object

thisown

cases: casevec_t

targets: eavec_t

ida_xref.calc_switch_cases(ea, si)

Get information about a switch’s cases.

The returned information can be used as follows:

for idx in range(len(results.cases)):
cur_case = results.cases[idx] for cidx in range(len(cur_case)):

print(“case: %d” % cur_case[cidx])

print(” goto 0x%x” % results.targets[idx])

Parameters:

ea – address of the ‘indirect jump’ instruction
si – switch information

Returns:

a structure with 2 members: ‘cases’, and ‘targets’.

ida_xref.create_switch_table(ea, si)

Create switch table from the switch information

Parameters:

ea – address of the ‘indirect jump’ instruction
si – switch information

Returns:

Boolean

ida_xref.fl_U: unknown - for compatibility with old versions. Should not be used anymore.

ida_xref.fl_CF: Call Far This xref creates a function at the referenced location

ida_xref.fl_CN: Call Near This xref creates a function at the referenced location

ida_xref.fl_JF: Jump Far.

ida_xref.fl_JN: Jump Near.

ida_xref.fl_USobsolete: User specified (obsolete)

ida_xref.fl_F: Ordinary flow: used to specify execution flow to the next instruction.

ida_xref.dr_U: Unknown - for compatibility with old versions. Should not be used anymore.

ida_xref.dr_O: Offset The reference uses ‘offset’ of data rather than its value OR The reference appeared because the “OFFSET” flag of instruction is set. The meaning of this type is IDP dependent.

ida_xref.dr_W: Write access.

ida_xref.dr_R: Read access.

ida_xref.dr_T: Text (for forced operands only) Name of data is used in manual operand

ida_xref.dr_I: Informational (a derived java class references its base class informationally)

ida_xref.dr_S: Reference to enum member (symbolic constant)

ida_xref.XREF_USER: User specified xref. This xref will not be deleted by IDA. This bit should be combined with the existing xref types (cref_t & dref_t) Cannot be used for fl_F xrefs

ida_xref.XREF_TAIL: Reference to tail byte in extrn symbols.

ida_xref.XREF_BASE: Reference to the base part of an offset.

ida_xref.XREF_MASK: Mask to get xref type.

ida_xref.XREF_PASTEND: Reference is past item. This bit may be passed to add_dref() functions but it won’t be saved in the database. It will prevent the destruction of eventual alignment directives.

ida_xref.xrefchar(xrtype: char) → char

Get character describing the xref type.

Parameters:: xrtype – combination of Cross-Reference type flags and a cref_t of dref_t value

ida_xref.add_cref(frm: ida_idaapi.ea_t, to: ida_idaapi.ea_t, type: cref_t) → bool

Create a code cross-reference.

Parameters:

to – linear address of referenced instruction
type – cross-reference type

Returns:

success

ida_xref.del_cref(frm: ida_idaapi.ea_t, to: ida_idaapi.ea_t, expand: bool) → bool

Delete a code cross-reference.

Parameters:

to – linear address of referenced instruction
expand – policy to delete the referenced instruction

1: plan to delete the referenced instruction if it has no more references.
0: don’t delete the referenced instruction even if no more cross-references point to it

Returns:: true: if the referenced instruction will be deleted

ida_xref.add_dref(frm: ida_idaapi.ea_t, to: ida_idaapi.ea_t, type: dref_t) → bool

Create a data cross-reference.

Parameters:

to – linear address of referenced data
type – cross-reference type

Returns:

success (may fail if user-defined xref exists from->to)

ida_xref.del_dref(frm: ida_idaapi.ea_t, to: ida_idaapi.ea_t) → None

Delete a data cross-reference.

Parameters:: to – linear address of referenced data

class ida_xref.xrefblk_t

Bases: object

thisown

frm: ida_idaapi.ea_t

to: ida_idaapi.ea_t: the referenced address - filled by first_from(), next_from()

iscode: bool: is code reference (cref_t)? otherwise it is a data reference (dref_t)

type: uchar: type of the last returned reference (cref_t & dref_t)

user: bool: is user defined xref? otherwise defined by ida

first_from(_from: ida_idaapi.ea_t, flags: int = 0) → bool

first_to(_to: ida_idaapi.ea_t, flags: int = 0) → bool

next_from(*args) → bool

next_to(*args) → bool

crefs_to(ea): Provide an iterator on code references to ea including flow references

fcrefs_to(ea): Provide an iterator on code references to ea

crefs_from(ea): Provide an iterator on code references from ea including flow references

fcrefs_from(ea): Provide an iterator on code references from ea

drefs_to(ea): Provide an iterator on data references to ea

drefs_from(ea): Provide an iterator on data references from ea

refs_from(ea, flag): Provide an iterator on from reference represented by flag

refs_to(ea, flag): Provide an iterator on to reference represented by flag

ida_xref.XREF_FLOW: return all references, including ordinary flow xrefs

ida_xref.XREF_NOFLOW: skip ordinary flow xrefs (code xrefs to the next insn)

ida_xref.XREF_DATA: return only data references (dr_…)

ida_xref.XREF_CODE: return only code references (fl_…)

ida_xref.XREF_EA: return only program addresses

ida_xref.XREF_TID: return only type ids. XREF_EA and XREF_TID are exclusive, only one of them can be specified

ida_xref.get_first_dref_from(frm: ida_idaapi.ea_t) → ida_idaapi.ea_t

Get first data referenced from the specified address.

Returns:: linear address of first (lowest) data referenced from the specified address. Return BADADDR if the specified instruction/data doesn’t reference to anything.

ida_xref.get_next_dref_from(frm: ida_idaapi.ea_t, current: ida_idaapi.ea_t) → ida_idaapi.ea_t

Get next data referenced from the specified address.

Parameters:: current – linear address of current referenced data. This value is returned by get_first_dref_from() or previous call to get_next_dref_from() functions.
Returns:: linear address of next data or BADADDR.

ida_xref.get_first_dref_to(to: ida_idaapi.ea_t) → ida_idaapi.ea_t

Get address of instruction/data referencing to the specified data.

Parameters:: to – linear address of referencing instruction or data
Returns:: BADADDR if nobody refers to the specified data.

ida_xref.get_next_dref_to(to: ida_idaapi.ea_t, current: ida_idaapi.ea_t) → ida_idaapi.ea_t

Get address of instruction/data referencing to the specified data

Parameters:

to – linear address of referencing instruction or data
current – current linear address. This value is returned by get_first_dref_to() or previous call to get_next_dref_to() functions.

Returns:

BADADDR if nobody refers to the specified data.

ida_xref.get_first_cref_from(frm: ida_idaapi.ea_t) → ida_idaapi.ea_t

Get first instruction referenced from the specified instruction. If the specified instruction passes execution to the next instruction then the next instruction is returned. Otherwise the lowest referenced address is returned (remember that xrefs are kept sorted!).

Returns:: first referenced address. If the specified instruction doesn’t reference to other instructions then returns BADADDR.

ida_xref.get_next_cref_from(frm: ida_idaapi.ea_t, current: ida_idaapi.ea_t) → ida_idaapi.ea_t

Get next instruction referenced from the specified instruction.

Parameters:: current – linear address of current referenced instruction This value is returned by get_first_cref_from() or previous call to get_next_cref_from() functions.
Returns:: next referenced address or BADADDR.

ida_xref.get_first_cref_to(to: ida_idaapi.ea_t) → ida_idaapi.ea_t

Get first instruction referencing to the specified instruction. If the specified instruction may be executed immediately after its previous instruction then the previous instruction is returned. Otherwise the lowest referencing address is returned. (remember that xrefs are kept sorted!).

Parameters:: to – linear address of referenced instruction
Returns:: linear address of the first referencing instruction or BADADDR.

ida_xref.get_next_cref_to(to: ida_idaapi.ea_t, current: ida_idaapi.ea_t) → ida_idaapi.ea_t

Get next instruction referencing to the specified instruction.

Parameters:

to – linear address of referenced instruction
current – linear address of current referenced instruction This value is returned by get_first_cref_to() or previous call to get_next_cref_to() functions.

Returns:

linear address of the next referencing instruction or BADADDR.

ida_xref.get_first_fcref_from(frm: ida_idaapi.ea_t) → ida_idaapi.ea_t

ida_xref.get_next_fcref_from(frm: ida_idaapi.ea_t, current: ida_idaapi.ea_t) → ida_idaapi.ea_t

ida_xref.get_first_fcref_to(to: ida_idaapi.ea_t) → ida_idaapi.ea_t

ida_xref.get_next_fcref_to(to: ida_idaapi.ea_t, current: ida_idaapi.ea_t) → ida_idaapi.ea_t

ida_xref.has_external_refs(pfn: func_t *, ea: ida_idaapi.ea_t) → bool: Does ‘ea’ have references from outside of ‘pfn’?

ida_xref.has_jump_or_flow_xref(ea: ida_idaapi.ea_t) → bool: Are there jump or flow references to EA?

ida_xref.delete_switch_table(jump_ea: ida_idaapi.ea_t, si: switch_info_t) → None

ida_xref.XREF_ALL

ida_xref.XREF_FAR

class ida_xref.casevec_t(*args)

Bases: object

thisown

push_back(*args) → qvector< long long > &

pop_back() → None

size() → size_t

empty() → bool

at(_idx: size_t) → qvector< long long > const &

qclear() → None

clear() → None

resize(*args) → None

grow(*args) → None

capacity() → size_t

reserve(cnt: size_t) → None

truncate() → None

swap(r: casevec_t) → None

extract() → qvector< long long > *

inject(s: qvector< long long > *, len: size_t) → None

begin(*args) → qvector< qvector< long long > >::const_iterator

end(*args) → qvector< qvector< long long > >::const_iterator

insert(it: qvector< qvector< long long > >::iterator, x: qvector< long long > const &) → qvector< qvector< long long > >::iterator

erase(*args) → qvector< qvector< long long > >::iterator

find(*args) → qvector< qvector< long long > >::const_iterator

has(x: qvector< long long > const &) → bool

add_unique(x: qvector< long long > const &) → bool

append(x: qvector< long long > const &) → None

extend(x: casevec_t) → None

front

back

ida_xref.XREF_ALL

ida_xref.XREF_FAR