From idasql
Executes IDAPython snippets and files via SQL in IDA Pro when SQL queries lack direct SDK access for complex analysis or UI automation.
npx claudepluginhub allthingsida/idasql-skills --plugin idasqlThis skill is limited to using the following tools:
---
Connects to IDA databases (.idb/.i64) via idasql CLI/REPL/HTTP. Bootstraps analysis sessions with orientation queries, schema introspection, and skill routing.
Writes and executes IDAPython scripts via IDA Domain API to analyze binaries, extract functions/strings/xrefs, decompile code, and automate IDA Pro (.idb/.i64) tasks.
Guides binary analysis with IDA Pro's Domain API for examining program structure, functions, disassembly, cross-references, and strings using Python.
Share bugs, ideas, or general feedback.
| Function | Description |
|---|---|
idapython_snippet(code[, sandbox]) | Execute Python snippet and return captured output text |
idapython_file(path[, sandbox]) | Execute Python file and return captured output text |
Python execution is disabled by default. Enable it with:
PRAGMA idasql.enable_idapython = 1;
SELECT idapython_snippet('print("hello from idapython")');
SELECT idapython_file('C:/temp/script.py');
SELECT idapython_snippet('counter = globals().get("counter", 0) + 1; print(counter)', 'alpha');
sandbox isolates/persists Python globals by sandbox keyrequests.post(.../query, data=sql) to batch SQL over HTTP. Use this for loops, bulk updates, and automation orchestration. See connect skill HTTP client patterns.idapython_snippet() / idapython_file() when you need direct IDA SDK APIs in-process.Example contrast:
# Host-side Python (outside IDA): sends SQL over HTTP
import requests
requests.post("http://127.0.0.1:8081/query", data="SELECT COUNT(*) FROM funcs")
-- IDAPython (inside IDA): executes Python in IDA runtime
SELECT idapython_snippet('import idaapi; print(idaapi.get_kernel_version())');
Each sandbox key creates an isolated Python namespace:
When a Python script raises an exception, it propagates as a SQL error:
-- This will return an error: "NameError: name 'undefined_var' is not defined"
SELECT idapython_snippet('print(undefined_var)');
| Use Case | Best Tool | Why |
|---|---|---|
| Query/filter/aggregate data | SQL | JOINs, CTEs, GROUP BY, window functions — SQL is purpose-built for this |
| Cross-table analysis | SQL | JOINing funcs, xrefs, strings, ctree is natural in SQL |
| Reporting and counting | SQL | COUNT, SUM, AVG, GROUP_CONCAT — no Python loop needed |
| Complex algorithms | IDAPython | Graph algorithms, custom pattern matching, ML pipelines |
| IDA SDK APIs not in idasql | IDAPython | Some IDA SDK features aren't exposed as SQL tables/functions |
| UI automation | IDAPython | Opening views, navigating cursor, triggering IDA actions |
| Existing scripts | IDAPython | Reuse existing .py scripts without rewriting in SQL |
General rule: Start with SQL. If you find yourself wanting nested loops, recursive algorithms, or IDA APIs that aren't exposed via idasql, reach for idapython_snippet() as a bridge.
-- Enable Python execution first
PRAGMA idasql.enable_idapython = 1;
-- Run a script that collects custom metrics
SELECT idapython_snippet('
import idautils, idc
count = 0
for func_ea in idautils.Functions():
if idc.get_func_attr(func_ea, idc.FUNCATTR_FLAGS) & 0x4: # FUNC_LIB
count += 1
print(f"Library functions: {count}")
');
-- Example: get processor-specific register names
SELECT idapython_snippet('
import ida_idp
for i in range(ida_idp.ph_get_regnames().__len__()):
name = ida_idp.ph_get_regnames()[i]
if name:
print(f"{i}: {name}")
');
When you need Python's power for extraction but SQL's power for analysis:
-- Python extracts data as JSON
SELECT idapython_snippet('
import json, idautils, idc
result = []
for ea in idautils.Functions():
flags = idc.get_func_attr(ea, idc.FUNCATTR_FLAGS)
if flags & 0x4: # FUNC_LIB
result.append({"ea": ea, "name": idc.get_func_name(ea)})
print(json.dumps(result))
');
-- Then process the JSON output in SQL using json_each()
-- (copy the output from above into the query)