IDAPython: Get struct id defined at an address

Question

Spotted an interesting problem when trying to determine which type of structure (since isStruct(getFlags(ea)) returns True) is defined at the given address in the DB. Reading through idc.py didn't help much.

Define a struct in the "structures" window.
It gets assigned a struct ID, so, it can be accessed from IDC/Python scripts.
Now, define a struct variable somewhere in e.g. the .data section.

A solid example:

# Some Python code
strid = idaapi.get_struc_id('_s__RTTIClassHierarchyDescriptor')
size = idaapi.get_struc_size(strid)
idaapi.doStruct(ea, size, strid)

How, knowing the ea, do I get the strid value ?

What is your question ? What problem did you spot ? – w s Jun 24 '14 at 14:14 — w s, Jun 24 '14 at 14:14
I didn't get what is the problem ?!? – perror Jun 24 '14 at 14:19 — perror, Jun 24 '14 at 14:19
Updated the question. – Dmitry Janushkevich Jun 25 '14 at 11:01 — Dmitry Janushkevich, Jun 25 '14 at 11:01

score 9 · Accepted Answer · edited Jul 02 '14 at 14:52

9

This works for me:

ea=here()
ti = idaapi.opinfo_t()
f = idc.GetFlags(ea)
if idaapi.get_opinfo(ea, 0, f, ti):
   print ("tid=%08x - %s" % (ti.tid, idaapi.get_struc_name(ti.tid)))

So ti.tid then contains the strid.

edited Jul 02 '14 at 14:52

perror

19,083
29
87
150

answered Jul 02 '14 at 14:16

Willem Hengeveld

1,829
11
11

Confirmed working. Likely because IDA treats the structure variable as an "operand" of some "instruction". – Dmitry Janushkevich Jul 02 '14 at 18:03
Sorry, there is 1 day timeout for bounties. :-( – Dmitry Janushkevich Jul 02 '14 at 18:03
Looks like the bounty is still open. https://imgur.com/d0NYZSq.jpg – Zach Riggle Jul 02 '14 at 19:04
Can't award earlier than 24h after starting the bounty, it seems. :-( Will do so ASAP. – Dmitry Janushkevich Jul 03 '14 at 07:33
There we go, awarded! :-) – Dmitry Janushkevich Jul 03 '14 at 13:35
Wow. Just Wow. The IDA API. Have to use 5 different namespaces to create a variable at an address, set its type, set its name, get its name, get its type, determine if it's one of built-in types or a user-defined type, get type name. – KulaGGin Feb 07 '22 at 11:04
Thanks, Willem, you're a savior, I couldn't figure out how to do it. It doesn't work anymore, needed to update for the newer API. – KulaGGin Feb 07 '22 at 12:11

Simeon Pilgrim · Answer 2 · 2014-06-26T03:54:37.087

3

in IDC the following works, so I'm not sure if you can use the same functions from Python

auto type;
auto ea;

ea = 0x8F84C37C;
Message("isStruct: %d\n", isStruct(GetFlags(ea)));
type = GetTinfo(ea);
Message("firstattr: %s\n", firstattr(type));
Message("getattr: %d\n", getattr(type,"typid"));

outputting:

isStruct: 1
firstattr: typid
getattr: 52541

edited Jun 26 '14 at 03:54

answered Jun 25 '14 at 21:46

Simeon Pilgrim

942
6
15

Doesn't seem to work for me from Python... even if using IDC adapter funcs from idc.py. To be fair, copying your snippet into an IDC script and executing it indeed works. :-)
Python>print idc.isStruct(idc.GetFlags(0x561114)) True Python>print idc.GetTinfo(0x561114) None Python>print idc.GetType(0x561114) None Sorry for this unreadable blob, I seem unable to insert line breaks in comments, but you probably get the idea of what's returned.
– Dmitry Janushkevich Jun 26 '14 at 07:15
That seems broken that the Python IDC wrapper for GetTinfo gets different results. – Simeon Pilgrim Jun 26 '14 at 07:23
idc.GetTinfo appears to just be calling idaapi.idc_get_type_raw(ea), but it's strange that it's failing. looking at swig/typeinf.i idc_get_type_raw appears to call get_tinfo so I'd expect it to work. – Simeon Pilgrim Jun 26 '14 at 08:01
Oddly enough: Python>tif = idaapi.tinfo_t() Python>print tif <idaapi.tinfo_t; proxy of <Swig Object of type 'tinfo_t *' at 0x02A5BFB0> > Python>print idaapi.get_tinfo2(0x561114, tif) False and Python>tp = idaapi.qtype() Python>flags = idaapi.qtype() Python>print idaapi.get_tinfo(0x561114, tp, flags) False so either those are broken, or I am doing it wrong (together with idapython, apparently). – Dmitry Janushkevich Jun 26 '14 at 08:31

KulaGGin · Answer 3 · 2022-02-07T12:58:53.577

1

Updated version of @Willem Hengeveld answer for IDA 7.4 API:

address=0x14001D020
struct_id = idaapi.opinfo_t()
flags = ida_bytes.get_flags(address)
if ida_bytes.get_opinfo(struct_id, address, 0, flags):
    struct_name = ida_struct.get_struc_name(struct_id.tid)
    print (f"tid=0x{struct_id.tid:08x} - {struct_name}")

edited Feb 07 '22 at 12:58

answered Feb 07 '22 at 12:14

KulaGGin

341
1
13

IDAPython: Get struct id defined at an address

3 Answers3

Linked