{"id":13754909,"url":"https://github.com/nlitsme/idbutil","last_synced_at":"2025-08-01T12:34:02.537Z","repository":{"id":71128356,"uuid":"93574736","full_name":"nlitsme/idbutil","owner":"nlitsme","description":"Library and tool for reading IDApro databases.","archived":false,"fork":false,"pushed_at":"2023-11-08T14:03:56.000Z","size":291,"stargazers_count":148,"open_issues_count":1,"forks_count":34,"subscribers_count":18,"default_branch":"master","last_synced_at":"2024-11-16T08:33:59.982Z","etag":null,"topics":["ida-databases","idapro","reverse-engineering"],"latest_commit_sha":null,"homepage":null,"language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nlitsme.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-06-07T00:22:44.000Z","updated_at":"2024-10-25T04:36:11.000Z","dependencies_parsed_at":null,"dependency_job_id":"6bdd4347-1cca-4b00-b5fd-370cb1e9b8a2","html_url":"https://github.com/nlitsme/idbutil","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nlitsme%2Fidbutil","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nlitsme%2Fidbutil/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nlitsme%2Fidbutil/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nlitsme%2Fidbutil/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nlitsme","download_url":"https://codeload.github.com/nlitsme/idbutil/tar.gz/refs/heads/master","host":{"name":
"GitHub","url":"https://github.com","kind":"github","repositories_count":228377535,"owners_count":17910449,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ida-databases","idapro","reverse-engineering"],"created_at":"2024-08-03T10:00:36.449Z","updated_at":"2024-12-05T22:15:26.602Z","avatar_url":"https://github.com/nlitsme.png","language":"C++","funding_links":[],"categories":["\u003ca id=\"5e91b280aab7f242cbc37d64ddbff82f\"\u003e\u003c/a\u003eIDB操作"],"sub_categories":["\u003ca id=\"46c9dfc585ae59fe5e6f7ddf542fb31a\"\u003e\u003c/a\u003eYara"],"readme":"IDBTOOL\n=======\n\nA tool for extracting information from IDA databases.\n`idbtool` knows how to handle databases from all IDA versions since v2.0, both `i64` and `idb` files.\nYou can also use `idbtool` to recover information from unclosed databases.\n\n`idbtool` works without change with IDA v7.0.\n\n\nMuch faster than loading a file in IDA\n--------------------------------------\n\nWith idbtool you can search thousands of .idb files in seconds.\n\nMore precisely: on my laptop it takes:\n\n *  1.5 seconds to extract 143 idc scripts from 119 idb and i64 files.\n *  3.8 seconds to print idb info for 441 files.\n *  5.6 seconds to extract 281 enums containing 4726 members from 35 files.\n * 67.8 seconds to extract 5942 structs containing 33672 members from 265 files.\n\nLoading an approximately 5 Gbyte idb file in IDA, takes about 45 minutes.\nWhile idb3.h takes basically no time at all, no more than a few milliseconds.\n\n\nDownload\n========\n\nTwo versions of this tool exist:\n\nOne written in python\n * 
https://github.com/nlitsme/pyidbutil\n\nOne written in C++\n * https://github.com/nlitsme/idbutil\n\nBoth repositories contain a library which can be used for reading `.idb` or `.i64` files.\n\n\nAn IDA Pro plugin making use of `idb3.h` can be found here:\n * https://github.com/nlitsme/idbimport\n\nThis is a plugin making it easy to copy scripts, structs or enums from recent ida databases.\n\n\nUsage\n=====\n\nUsage: \n\n    idbtool [options] [database file(s)] [-- address-list]\n\n * `-n` or `--names`  will list all named values in the database.\n * `-s` or `--scripts` will list all scripts stored in the database.\n * `-u` or `--structs` will list all structs stored in the database.\n * `-e` or `--enums` will list all enums stored in the database.\n * `-i` or `--info` will print some general info about the database. \n\n * `-a`  list all names, including ..todo..\n * `-d`  dump btree page tree contents.\n * `--inc`, `--dec` list all records in ascending / descending order.\n * `-q` or `--query` search specific records in the database.\n * `-m` or `--limit` limit the number of results returned by `-q`.\n\nAll addresses after `--` will be printed as `symbol+offset`.\n\nQuery\n-----\n\nQueries need to be specified last on the command line.\n\nExample:\n\n    idbtool [database file(s)]  --query  \"Root Node;V\"\n\nWill list the source binary for all the databases specified on the command line.\n\nA query is a string with the following format:\n\n * [==,\u003c=,\u003e=,\u003c,\u003e]  - optional relation, default: ==\n * a base node key:\n    * a DOT followed by the numeric value of the nodeid.\n    * a HASH followed by the numeric value of the system-nodeid.\n    * a QUESTION followed by the name of the node. -\u003e a 'N'ame node\n    * the name of the node.  
-\u003e the name is resolved, results in a '.'Dot node\n * an optional tag ( A for Alt, S for Supval, etc )\n * an optional index value\n\nExample queries:\n * `Root Node;V` -\u003e prints record containing the source binary name\n * `?Root Node` -\u003e prints the Name record pointing to the root\n * `\u003eRoot Node` -\u003e prints the first 10 records starting with the root node id.\n * `\u003cRoot Node` -\u003e prints the 10 records starting with the records before the root node.\n * `.0xff000001;N` -\u003e prints the root node name entry.\n * `#1;N` -\u003e prints the root node name entry.\n\nList the highest node and following record in the database in two different ways,\nthe first: starting at the first record below `ffc00000`, and listing the next.\nThe second: starting at the first record after `ffc00000`, and listing the previous:\n * `--query \"\u003c#0xc00000\"  --limit 2 --inc -v`\n * `--query \"\u003e#0xc00000\"  --limit 2 --dec -v`\n\nNote that this should be the nodeid in the `$ MAX NODE` record.\n\nList the last two records:\n * `--limit 2 --dec  -v`\n\nList the first two records, the `$ MAX LINK` and `$ MAX NODE` records:\n * `--limit 2 --inc -v`\n\n\nA full database dump\n--------------------\n\nSeveral methods exist for printing all records in the database. This may be useful if\nyou want to investigate more of IDA's internals. 
But can also be useful in recovering\ndata from corrupted databases.\n\n * `--inc`, `--dec` can be used to enumerate all b-tree records in either forward, or backward direction.\n * `--id0`  walks the page tree, instead of the b-tree, printing the contents of each page\n\n\nLIBRARY\n=======\n\nThe header file `idb3.h` contains a library for reading from IDA Pro databases.\n\n\n## IDBFile\n\nClass for accessing sections of an `.idb` or `.i64` file.\n\nConstructor Parameters:\n * `std::shared_ptr\u003cstd::istream\u003e` ( typedefed to `stream_ptr` )\n\nMethods:\n * `stream_ptr getsection(int)`\n\n \n\n## ID0File, ID1File, NAMFile\n\nConstructor Parameters:\n * `IDBFile\u0026 idb`\n * `stream_ptr`\n\nConstant\n * `INDEX`  - the argument for `idb.getsection`\n\n## ID0File\n\nMethods\n * `Cursor find(relation_t, nodeid, ...)` \n    * `...`  can be: \n       * tag, index\n       * tag, hash\n       * tag\n * `Cursor find(relation_t, std::string key)`\n * `std::string blob(nodeid, tag, ...)`\n * `uint64_t node(std::string name)`\n\n * `bool is64bit()`\n    * `true` for `.i64` files.\n\n * `uint64_t nodebase()`\n    * return `0xFF000000(00000000)` for 32/64 bit databases.\n\n * `void enumlist(uint64_t nodeid, char tag, CB cb)`\n    * call `cb` for each value in the list.\n\nConvenience Methods\n * `std::string getdata(ARGS...args)`\n * `std::string getstr(ARGS...args)`\n * `uint64_t getuint(ARGS...args)`\n * `uint64_t getuint(BtreeBase::Cursor\u0026 c)`\n * `std::string getname(uint64_t node)`\n\n\n\n## ID1File\n\nMethods\n * `uint32_t GetFlags(uint64_t ea)`\n\n\n## NAMFile\n\nMethods\n * `uint64_t findname(uint64_t ea)`\n\n\n## Cursor\n\nMethods\n * `void next()`\n    * move cursor to the next btree record\n * `void prev()`\n    * move cursor to the previous btree record\n * `bool eof()`\n    * did we reach the start/end of the btree?\n * `std::string getkey()`\n    * return the key pointed to by the cursor\n * `std::string getval()`\n    * return the value pointed to 
by the cursor\n\nTODO\n====\n\n * add option to list all comments stored in the database\n * support compressed sections\n * add option to list flags for a list of addresses.\n\nAuthor\n======\n\nWillem Hengeveld \u003citsme@xs4all.nl\u003e\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnlitsme%2Fidbutil","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnlitsme%2Fidbutil","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnlitsme%2Fidbutil/lists"}