grep | idasql | ClaudePluginHub

Skill

grep

Searches named IDA entities like functions, labels, structs, enums, members by pattern or prefix. Use to find symbols before pivoting to xrefs, decompiler, or types.

developer-tools

$

npx claudepluginhub allthingsida/idasql-skills --plugin idasql

Tool Access

This skill is limited to using the following tools:

BashReadGlobGrep

Preview

`grep` is IDASQL's entity-search surface. Use it to discover named functions, labels, segments, structs, enums, and members before pivoting into xrefs, decompiler, or type work.

Supporting Assets

agents/openai.yaml

SKILL.md

Similar Skills

data

13

Queries IDA strings, bytes, and binary data to search patterns, rebuild string tables, and analyze binary content. Use for string/byte hunts, IOCs, and reverse engineering data signals.

1 file4 tools

functions

13

Find and list functions in binaries by name, address, regex, or byte pattern. Use for binary analysis, locating specific functions, or enumerating matches.

cs-search

18

Searches the Codescope knowledge graph for functions, methods, or symbols matching a name pattern. Displays results in a table grouped by file with counts. Use to locate code symbols by name.

Stats

Parent Repo Stars13

Parent Repo Forks4

Last CommitMar 15, 2026

Actions

View Source View Plugin View on GitHub View README

Tags

reverse-engineering

Help us improve

Share bugs, ideas, or general feedback.

grep is IDASQL's entity-search surface. Use it to discover named functions, labels, segments, structs, enums, and members before pivoting into xrefs, decompiler, or type work.

Trigger Intents

Use this skill when user asks to:

find functions, labels, types, or members by name
search by prefix/substring like sub_, EH, Zw, CreateFile, or main
page through search results quickly
decide whether to use the grep table or grep() JSON output

Route to:

xrefs after locating a candidate callee/import/function and needing callers/callees/references
decompiler after choosing a candidate function to inspect semantically
types when the hit is a struct/enum/member you need to inspect or edit

Do This First (Quick Start)

-- 1) Start with a structured search while you learn the result shape
SELECT name, kind, address
FROM grep
WHERE pattern = 'main'
ORDER BY kind, name
LIMIT 20;

-- 2) Narrow immediately when the result set is noisy
SELECT name, ordinal, full_name
FROM grep
WHERE pattern = 'EH%' AND kind = 'struct'
ORDER BY name;

-- 3) Use JSON when you want a quick paged payload
SELECT grep('sub_%', 10, 0);
SELECT grep('sub_%', 10, 10);

Interpretation guidance:

Prefer the grep table first when you want to filter, sort, join, or group.
Prefer grep() when you want one JSON cell for quick paging or downstream parsing.

Pick a Surface

Use grep table when you need:

WHERE kind = ...
ORDER BY, GROUP BY, JOIN
richer follow-on SQL after discovery

Use grep() when you need:

quick JSON output
pagination without writing a full row query
json_each(...) parsing inside one statement

grep() accepts grep(pattern [, limit [, offset]]). Defaults:

limit = 50
offset = 0

Both surfaces expose the same entity fields:

name
kind
address
ordinal
parent_name
full_name

Common kind values:

function
label
segment
struct
union
enum
member
enum_member

Pattern Rules

Matching is case-insensitive.
Plain text becomes a contains-match.
% matches any substring.
_ matches a single character.
* is accepted and normalized to %.
Empty pattern returns no rows from grep and [] from grep().
This is not regex.
This is unrelated to search_bytes().

Examples:

-- Contains-match
SELECT name, kind
FROM grep
WHERE pattern = 'main'
LIMIT 20;

-- Prefix wildcard
SELECT name, kind, address
FROM grep
WHERE pattern = 'sub_%'
ORDER BY name
LIMIT 20;

-- Shell-style star is accepted too
SELECT name, kind
FROM grep
WHERE pattern = 'Zw*'
LIMIT 20;

Common Workflows

Find candidate functions by name

SELECT name, address
FROM grep
WHERE pattern = 'main%' AND kind = 'function'
ORDER BY name;

Resolve imported APIs

SELECT module, name, address
FROM imports
WHERE name LIKE 'CreateFile%'
ORDER BY module, name;

Find types by convention

SELECT name, kind, ordinal, full_name
FROM grep
WHERE pattern = 'EH%' AND kind IN ('struct', 'enum')
ORDER BY kind, name;

Find members under a parent type

SELECT name, parent_name, ordinal
FROM grep
WHERE pattern = 'flag%' AND kind = 'member'
ORDER BY parent_name, name
LIMIT 30;

Join into richer function metadata

SELECT g.name, f.size, f.prototype
FROM grep g
JOIN funcs f ON f.address = g.address
WHERE g.pattern = 'sub_%' AND g.kind = 'function'
ORDER BY f.size DESC
LIMIT 20;

Parse paged JSON results from `grep()`

SELECT
    json_extract(value, '$.name') AS name,
    json_extract(value, '$.kind') AS kind,
    printf('0x%llX', json_extract(value, '$.address')) AS addr
FROM json_each(grep('init', 10, 0))
WHERE json_extract(value, '$.kind') = 'function';

Pivot from discovery into xrefs

SELECT caller_name, printf('0x%X', caller_addr) AS from_addr
FROM callers
WHERE func_addr = (
    SELECT address
    FROM imports
    WHERE name = 'CreateFileW'
    ORDER BY name
    LIMIT 1
);

Compare With Other Search Surfaces

Use grep / grep() for named entities discovered by IDA.
Use strings when you need literal string contents.
Use search_bytes() when you need raw bytes or opcode patterns.
Use xrefs after discovery when the real question is "who references this?"

Failure and Recovery

Too many hits: add kind = ..., tighten the prefix, or switch from plain text to a more specific wildcard pattern.
No hits for an expected symbol: broaden the pattern, try a contains search, or pivot to imports if the target may only exist as an imported API.
Need to search for comments, pseudocode text, or string contents: grep is the wrong surface; pivot to strings, decompiler tables, or other domain tables.
Need bytes/opcodes: use search_bytes() instead of grep.