Let's assume we want to have some normal programming language inside IDA Pro (not a strange-looking pile of spaces), or just to make an RPC interface so you can drive several instances of IDA from external processes. In previous versions (since 4.x, I may be wrong) we had IDCFuncs, which I used, for example, to embed Perl. But since 7.x this symbol is no longer exported (obviously to make users' lives even more unbearable). Sure, this small problem can't stop me. So there are at least two ways to find IDCFuncs in any IDA Pro 7.x:
signature search
Strictly speaking, this method lets you find IDCFuncs->funcs. The name of the first function in this array of ext_idcfunc_t is always "____" (yes, some undocumented function whose name is four underscores). So you first must search for that string in the .text section (of ida.dll/ida64.dll) and then find its address in .data - the slot holding it is the first ext_idcfunc_t:
struct ext_idcfunc_t
{
  const char *name;           ///< Name of function
  idc_func_t *fptr;           ///< Pointer to the Function
  const char *args;           ///< Type of arguments. Terminated with 0.
  const idc_value_t *defvals; ///< Default argument values.
  int ndefvals;               ///< Number of default values.
  int flags;                  ///< \ref EXTFUN_
};
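To make the signature search above concrete, here is an added example (my own code, not IDA's) that runs the two steps over raw section bytes and then decodes the ext_idcfunc_t it lands on. It assumes the caller has already extracted the .text and .data sections of ida64.dll together with their virtual addresses (for example with pefile); the sample section bytes below are constructed, not taken from a real ida64.dll.

```python
import struct

# Name of the first entry in IDCFuncs->funcs, as described above.
FIRST_IDC_FUNC_NAME = b"____\0"

def find_first_ext_idcfunc(text, text_va, data, data_va, ptr_size=8):
    """Return the VA of the first ext_idcfunc_t, or None if not found.
    Step 1: find the whole string "____" in .text (a preceding NUL, or the
    section start, guards against matching the tail of a longer name).
    Step 2: find a pointer-aligned slot in .data holding that string's VA."""
    off = text.find(FIRST_IDC_FUNC_NAME)
    while off != -1 and off != 0 and text[off - 1] != 0:
        off = text.find(FIRST_IDC_FUNC_NAME, off + 1)
    if off == -1:
        return None
    needle = struct.pack("<Q" if ptr_size == 8 else "<I", text_va + off)
    pos = data.find(needle)
    while pos != -1 and pos % ptr_size != 0:
        pos = data.find(needle, pos + 1)
    return None if pos == -1 else data_va + pos

def read_ext_idcfunc(data, data_va, entry_va, ptr_size=8):
    """Decode one ext_idcfunc_t: four pointers followed by two ints."""
    fmt = "<QQQQii" if ptr_size == 8 else "<IIIIii"
    fields = struct.unpack_from(fmt, data, entry_va - data_va)
    names = ("name", "fptr", "args", "defvals", "ndefvals", "flags")
    return dict(zip(names, fields))

# Constructed stand-ins for the two sections of ida64.dll (not real contents):
# "____" sits at VA 0x10001005, and .data holds one entry pointing at it.
SAMPLE_TEXT_VA = 0x10001000
SAMPLE_TEXT = b"\0foo\0____\0E\0"
SAMPLE_DATA_VA = 0x10362000
SAMPLE_DATA = bytes(16) + struct.pack(
    "<QQQQii", 0x10001005, 0x100B8000, 0x1000100A, 0, 0, 0) + bytes(8)

if __name__ == "__main__":
    entry = find_first_ext_idcfunc(SAMPLE_TEXT, SAMPLE_TEXT_VA,
                                   SAMPLE_DATA, SAMPLE_DATA_VA)
    print(hex(entry))  # 0x10362010
    fields = read_ext_idcfunc(SAMPLE_DATA, SAMPLE_DATA_VA, entry)
    print({k: hex(v) for k, v in fields.items()})
```

With real sections, walk forward from the returned VA in 40-byte steps (64-bit layout) to enumerate the rest of the array; the struct in ida.dll is what tells you where the name pointer of each following entry lives.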
some disasm magic
It's very ironic that inside a disassembler you have to use another disassembler to find what you want. Let's see which exported functions use IDCFuncs.
find_idc_func - contrary to expectations, it does not return any functions; its prototype looks like:
idaman THREAD_SAFE bool ida_export find_idc_func( qstring *out, const char *prefix, int n=0);
find_idc_func proc near ; DATA XREF: .text:off_100037A8 o
; .text:000000001034C40C o
var_38 = qword ptr -38h
arg_0 = qword ptr 8
arg_8 = qword ptr 10h
arg_10 = qword ptr 18h
arg_18 = qword ptr 20h
push rdi
push r12
push r13
push r14
push r15
sub rsp, 30h
mov [rsp+58h+var_38], 0FFFFFFFFFFFFFFFEh
mov [rsp+58h+arg_0], rbx
mov [rsp+58h+arg_8], rbp
mov [rsp+58h+arg_10], rsi
mov r15d, r8d
mov r12, rdx
mov r13, rcx
mov rbx, cs:qword_10362658
mov [rsp+58h+arg_18], rbx
mov rcx, rbx
loc_100B886E: ; DATA XREF: .text:stru_102A80A8 o
call qmutex_lock ; exported function
nop
mov rdi, 0FFFFFFFFFFFFFFFFh
mov rsi, rdi
xchg ax, ax
loc_100B8880: ; CODE XREF: find_idc_func+58 j
inc rsi
cmp byte ptr [r12+rsi], 0
jnz short loc_100B8880
xor ebp, ebp
cmp cs:IDCFuncs, rbp
This can easily be resolved with a simple state machine: take the first cmp whose operand is memory in the .data section after the qmutex_lock call.