# quokka

quokka is a tool to manipulate the exported versions of your program.
The goal is to have an easy to understand, stable and scalable API to query the
(disassembled) binary without relying on having IDA running in the background
nor interacting with its API.
As a bonus, once a binary has been exported, you can close IDA and work only with the exported file.
The IDA API has at least two drawbacks (for me):
- you will need to learn its syntax and how it works:

```python
# IDA way
import ida_ua

inst = ida_ua.insn_t()
ida_ua.decode_insn(inst, 0xABCD)
print(inst.get_canon_mnem())

# Quokka
# program is a quokka.Program opened from an export file; no IDA session needed
inst = program.get_instruction(0xABCD)
print(inst.mnemonic)
```
In short, it will write everything to a serialized binary format (namely protobuf).
You may have a look at the protobuf format definition to understand exactly what is exported, but the list below gives a good overview.
- Meta information (file hash, name, detected compiler, calling convention)
- Segments
- Structures (structs, enumerations and unions)
- Comments (every comment attached to anything)
- Layout (which addresses hold code, data or unknown bytes)
- Functions and their associated Control Flow Graph
- Call Graph
- Instructions (and their operands / mnemonics)
- References (data and code xrefs)
- Data (bytes, strings, ...)
Pretty much everything else is not exported. The most important omission is type information: it would be a nice addition, but type handling is not the best part of the IDA API.
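As an added example (not part of the quokka project's own code), the kind of offline triage the export enables: list every function that can reach an audit-worthy sink such as `strcpy` through the exported call graph, with no IDA session involved. It assumes an export already produced by the plugin and the Python calls `quokka.Program(export, binary)`, `program.values()`, `Function.name` and `Function.calls`; the graph walk itself needs nothing from quokka and runs on any name-to-callees mapping.

```python
"""Triage a quokka export without IDA: which functions can reach a risky sink?"""
from collections import deque
from typing import Dict, Iterable, List, Set

# Sinks a defender usually audits first; a constructed list, not from the project.
DEFAULT_SINKS = ("strcpy", "sprintf", "system", "gets")


def load_call_edges(export_file: str, binary_file: str) -> Dict[str, List[str]]:
    """Build a name -> callee-names mapping from a .quokka export (IDA not needed)."""
    import quokka  # lazy import so the graph walk below also runs without quokka

    # Assumed API: Program(export, binary) maps start address -> Function, and
    # Function.calls lists the callees recorded in the exported call graph.
    program = quokka.Program(export_file, binary_file)
    return {fn.name: [callee.name for callee in fn.calls] for fn in program.values()}


def functions_reaching(edges: Dict[str, List[str]], sinks: Iterable[str]) -> Dict[str, Set[str]]:
    """For each sink, the set of functions that can reach it through the call graph.

    Walks the reversed graph (callee -> callers) breadth-first; the visited set
    makes direct and mutual recursion terminate instead of looping forever.
    """
    callers: Dict[str, Set[str]] = {}
    for caller, callees in edges.items():
        for callee in callees:
            callers.setdefault(callee, set()).add(caller)

    result: Dict[str, Set[str]] = {}
    for sink in sinks:
        seen: Set[str] = set()
        queue = deque(callers.get(sink, ()))
        while queue:
            fn = queue.popleft()
            if fn in seen:
                continue
            seen.add(fn)
            queue.extend(callers.get(fn, ()))
        result[sink] = seen
    return result


if __name__ == "__main__":
    import sys

    call_edges = load_call_edges(sys.argv[1], sys.argv[2])
    for sink, reachers in functions_reaching(call_edges, DEFAULT_SINKS).items():
        print(f"{sink}: {len(reachers)} function(s) can reach it: {sorted(reachers)}")
```

Run it as `python triage.py program.quokka program` once the plugin has produced the export; a sink with an empty set is simply never called.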
TODO(dm)
Every PR is welcome.
Grep the code for TODO: some are easy, some require more understanding of the code.
During development, you may want to use a soft link in the plugin directory, coupled with the plugin option to unload it after each run (PLUGIN_UNL):

```shell
user@host:~/quokka/$ ln -sf $(pwd)/build/src/quokka*64.so \
    /opt/ida/plugins/
```