Enums

Enums in IDA are a great way to name numbers and bit-values for easier reading.

>>> for enum in sark.enums():
...     print("{}:".format(enum.name))
...     for member in enum.members:
...         print("    {:<30} = {}".format(member.name, member.value))
...     print("")
POOL_TYPE:
    NonPagedPool                   = 0
    PagedPool                      = 1
    NonPagedPoolMustSucceed        = 2
    DontUseThisType                = 3
    NonPagedPoolCacheAligned       = 4
    PagedPoolCacheAligned          = 5
    NonPagedPoolCacheAlignedMustS  = 6
    MaxPoolType                    = 7

CREATE_FILE_TYPE:
    CreateFileTypeNone             = 0
    CreateFileTypeNamedPipe        = 1
    CreateFileTypeMailslot         = 2

The Sark Enum object provides the following members:

Member      Usage
name        the enum name
comments    enum comments, similar to line comments
eid         the enum-id of the enum
bitfield    whether the enum is a bitfield
members     the enum member constants

Using the Enum object you can easily enumerate and manipulate enums in IDA.

Enum Members

The .members member of sark.Enum returns a members object. The members object allows easy enumeration and manipulation of the members:

>>> my_enum = sark.add_enum("MyEnum")
>>> my_enum.members.add("first", 0)
>>> my_enum.members.add("second", 1)
>>> my_enum.members.add("third", 2)
>>> my_enum.members.remove("second")
>>> for member in my_enum.members:
...     print("{} = {}".format(member.name, member.value))
first = 0
third = 2

Each member provides the following:

Member      Usage
name        the member name
value       the member value
comments    the member comments
enum        the containing enum

Getting Enums

There are several ways to get an enum. All are summarized in the following table:

Code                            Explanation
sark.enums()                    iterate all the enums in the IDB
sark.Enum("EnumName")           get an existing enum by name
sark.Enum(eid=enum_id)          get an enum using a known id
sark.add_enum("NewEnumName")    create a new enum
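
An added example, not part of the Sark documentation: it combines the calls above to merge a known set of constants into an IDB enum without overwriting members an analyst has already defined, and reports any value mismatches. The names find_enum, sync_enum and the api parameter are assumptions made here; inside IDA, pass the sark module as api.

```python
# Added example. Only calls documented on this page are used: enums(),
# add_enum(), Enum.name, Enum.members, members.add(), member.name, member.value.

# Constants to merge, taken from the CREATE_FILE_TYPE listing above.
CREATE_FILE_TYPE = {
    "CreateFileTypeNone": 0,
    "CreateFileTypeNamedPipe": 1,
    "CreateFileTypeMailslot": 2,
}


def find_enum(api, name):
    """Return the enum called `name`, or None if the IDB has no such enum."""
    for enum in api.enums():
        if enum.name == name:
            return enum
    return None


def sync_enum(api, name, constants):
    """Add missing members of `constants` to enum `name`, creating it if needed.

    Existing members are never changed or removed. Returns (added, conflicts):
    the names created, and a dict mapping each name that already exists with
    a different value to (existing_value, wanted_value).
    """
    enum = find_enum(api, name)
    if enum is None:
        enum = api.add_enum(name)
    existing = {member.name: member.value for member in enum.members}
    added, conflicts = [], {}
    # Sort by value so members are created in a stable, readable order.
    for member_name, value in sorted(constants.items(), key=lambda kv: (kv[1], kv[0])):
        if member_name not in existing:
            enum.members.add(member_name, value)
            added.append(member_name)
        elif existing[member_name] != value:
            conflicts[member_name] = (existing[member_name], value)
    return added, conflicts


if __name__ == "__main__":
    try:
        import sark  # importable only inside IDA
    except ImportError:
        sark = None
    if sark is not None:
        print(sync_enum(sark, "CREATE_FILE_TYPE", CREATE_FILE_TYPE))
```

A non-empty conflicts result means the IDB already assigns a different value to one of the names, which is worth reviewing by hand before trusting either side.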