TransWikia.com

How to get the list of strings within IDA's string window in my script?

Reverse Engineering Asked by Eccmms on May 28, 2021

I’m trying to write some scripts that do some string searching through the disassembly in IDA. Currently, I loop through all the disassembly, MinEA() to MaxEA() and use idc.FindText() to see if a potential string is in the disassembly. Although this works, its very time consuming. I was wondering if there was a way I could just use an API method to get all the strings in IDAs string window. For example, I was able to get all the imports used in the import window by using idaapi.get_import_module_qty() and idaapi.enum_import_names(i, import_call_back). That’s very fast and I can easily just check if something has been imported. Is there something similar that will allow me to get all the strings from the strings window? If not, is there a less time-consuming method of string searching that is possible? Thanks for any input.

idaidapython

3 Answers

It looks like that the following is what you are looking for or at least similar:

import idautils
sc = idautils.Strings()

for s in sc:
    print "%x: len=%d type=%d -> '%s'" % (s.ea, s.length, s.type, str(s))

Tested and works in IDA 6.8, 64 bit. The details about the class Strings in idautils module are here: https://www.hex-rays.com/products/ida/support/idapython_docs/idautils.Strings-class.html

Correct answer by w s on May 28, 2021

another variation to get all the strings 

import idaapi as ia
sc = ia.string_info_t()
for i in range(0,ia.get_strlist_qty()):
    ia.get_strlist_item(i,sc)
    print ia.get_ascii_contents(sc.ea,sc.length,sc.type)

Answered by blabb on May 28, 2021

I found a crude yet completely different solution without having to mess with Python 2.7 . All with IDA GUI and with the help of side Regex

  1. Open desired file in IDA, let it load
  2. View -> Open subviews -> Strings
  3. Ctrl+A -> Right-Click -> Copy
  4. Paste data to some regex-supporting text editor (I use Notepad++)
  5. Go to find&replace with regex (On Notepad++: Replace, search mode "Regular expression" with ". matches newline" UNticked):
  • First, trim all " " before carriage return, 
    ___Find: x20x20+r
Replace: r
  • Then (as of Jan 2021) - in Notepad++ there is a bug, that makes it regex ^ match literal r. To work around it, you can do this: add a newline on the top (if you have the useless human readable headers on top, replace then with the newline). Count how many characters there are before the strings text begins (I had 27), and then perform, 
    ___Find: n.{27}?
Replace:

Warning: if you have a different count of characters before the strings text begins, replace the number with yours!

  1. Finally, remove the first newline and your data is ready for work

Answered by tabdiukov on May 28, 2021

Add your own answers!

Ask a Question

Get help from others!

Recent Questions

Recent Answers

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP