IDAPython: Is it possible to determine whether an instruction operand is a constant rather than a variable?

Question

Here is my use case:

I am trying to create a script that finds all instances of a particular instruction (in this case wrmsr) and traces back to find out whether the operands for the instruction are hard-coded literals or variables that are set at runtime. This is meant to help me detect a certain flavor of vulnerable driver.

Does IDAPython have a way to query instruction operands to distinguish between literals and variables? How would I do this?

score 1 · Answer 1 · edited Oct 30 '21 at 13:19

1

I believe you can look at the type of the operand with something like this (ideally with some more error and type checking):

  insn = idaapi.insn_t()
  idaapi.decode_insn(insn, ea)
  if insn.ops[0].type == ida_ua.o_imm:
      print("This is the constant value ", insn.ops[0])

The possible values for op_t.type are here: IDA SDK: Operand types.

edited Oct 30 '21 at 13:19

MarianD

1,130
1
6
23

answered Oct 28 '21 at 10:48

Capo80

11
2

score 1 · Accepted Answer · answered Nov 08 '23 at 21:46

1

idc.get_operand_type() is a concise way to do this.

e.g.

if idc.get_operand_type(ea, 1) == idaapi.o_reg:
    print("that's a register")

The operand types are all here: https://hex-rays.com/products/ida/support/sdkdoc/group__o__.html

answered Nov 08 '23 at 21:46

thejoelpatrol

76
3

IDAPython: Is it possible to determine whether an instruction operand is a constant rather than a variable?

2 Answers2