Last active
October 30, 2025 11:38
-
-
Save williballenthin/be28139bcda3f94c3e753306ac38b15b to your computer and use it in GitHub Desktop.
find references to enum members in IDA Pro
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import ida_typeinf | |
| import ida_funcs | |
| import ida_xref | |
| import idautils | |
| enum_name = "_FILE_INFORMATION_CLASS" | |
| til = ida_typeinf.get_idati() | |
| tif = til.get_named_type(enum_name) | |
| print(f"Enum: {enum_name} (tid: {tif.get_tid():X})") | |
| for idx, edm in enumerate(tif.iter_enum()): | |
| print(f" {edm.name} = 0x{edm.value:x} (tid: {edm.get_tid():X})") | |
| tid = edm.get_tid() | |
| if tid == ida_idaapi.BADADDR: | |
| continue | |
| # Marking an operand as an enum creates a dr_S (0x6) xref | |
| # FROM instruction TO enum member's tid | |
| for xref in idautils.XrefsTo(tid, ida_xref.XREF_EA): | |
| # ida_xref.XREF_EA: return only program addresses | |
| # ida_xref.XREF_TID: return only type ids. | |
| # | |
| # XREF_EA and XREF_TID are exclusive, only one of them can be specified | |
| func_name = ida_funcs.get_func_name(xref.frm) or f"sub_{xref.frm:X}" | |
| print(f" - {xref.frm:X} in {func_name} (type: {xref.type})") |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Enum: _FILE_INFORMATION_CLASS (tid: FF00000000002902) | |
| FileDirectoryInformation = 0x1 (tid: FF00000000002903) | |
| FileFullDirectoryInformation = 0x2 (tid: FF00000000002904) | |
| FileBothDirectoryInformation = 0x3 (tid: FF00000000002905) | |
| FileBasicInformation = 0x4 (tid: FF00000000002906) | |
| FileStandardInformation = 0x5 (tid: FF00000000002907) | |
| - 180008599 in RtlFileMapMapView (type: 6) | |
| FileInternalInformation = 0x6 (tid: FF00000000002908) | |
| FileEaInformation = 0x7 (tid: FF00000000002909) | |
| FileAccessInformation = 0x8 (tid: FF0000000000290A) | |
| FileNameInformation = 0x9 (tid: FF0000000000290B) | |
| FileRenameInformation = 0xa (tid: FF0000000000290C) | |
| FileLinkInformation = 0xb (tid: FF0000000000290D) | |
| FileNamesInformation = 0xc (tid: FF0000000000290E) | |
| FileDispositionInformation = 0xd (tid: FF0000000000290F) | |
| FilePositionInformation = 0xe (tid: FF00000000002910) | |
| FileFullEaInformation = 0xf (tid: FF00000000002911) | |
| FileModeInformation = 0x10 (tid: FF00000000002912) | |
| FileAlignmentInformation = 0x11 (tid: FF00000000002913) | |
| FileAllInformation = 0x12 (tid: FF00000000002914) | |
| FileAllocationInformation = 0x13 (tid: FF00000000002915) | |
| FileEndOfFileInformation = 0x14 (tid: FF00000000002916) | |
| FileAlternateNameInformation = 0x15 (tid: FF00000000002917) | |
| FileStreamInformation = 0x16 (tid: FF00000000002918) | |
| FilePipeInformation = 0x17 (tid: FF00000000002919) | |
| FilePipeLocalInformation = 0x18 (tid: FF0000000000291A) | |
| FilePipeRemoteInformation = 0x19 (tid: FF0000000000291B) | |
| FileMailslotQueryInformation = 0x1a (tid: FF0000000000291C) | |
| FileMailslotSetInformation = 0x1b (tid: FF0000000000291D) | |
| FileCompressionInformation = 0x1c (tid: FF0000000000291E) | |
| FileObjectIdInformation = 0x1d (tid: FF0000000000291F) | |
| FileCompletionInformation = 0x1e (tid: FF00000000002920) | |
| FileMoveClusterInformation = 0x1f (tid: FF00000000002921) | |
| FileQuotaInformation = 0x20 (tid: FF00000000002922) | |
| FileReparsePointInformation = 0x21 (tid: FF00000000002923) | |
| FileNetworkOpenInformation = 0x22 (tid: FF00000000002924) | |
| FileAttributeTagInformation = 0x23 (tid: FF00000000002925) | |
| FileTrackingInformation = 0x24 (tid: FF00000000002926) | |
| FileIdBothDirectoryInformation = 0x25 (tid: FF00000000002927) | |
| FileIdFullDirectoryInformation = 0x26 (tid: FF00000000002928) | |
| FileValidDataLengthInformation = 0x27 (tid: FF00000000002929) | |
| FileShortNameInformation = 0x28 (tid: FF0000000000292A) | |
| FileIoCompletionNotificationInformation = 0x29 (tid: FF0000000000292B) | |
| FileIoStatusBlockRangeInformation = 0x2a (tid: FF0000000000292C) | |
| FileIoPriorityHintInformation = 0x2b (tid: FF0000000000292D) | |
| FileSfioReserveInformation = 0x2c (tid: FF0000000000292E) | |
| FileSfioVolumeInformation = 0x2d (tid: FF0000000000292F) | |
| FileHardLinkInformation = 0x2e (tid: FF00000000002930) | |
| FileProcessIdsUsingFileInformation = 0x2f (tid: FF00000000002931) | |
| FileNormalizedNameInformation = 0x30 (tid: FF00000000002932) | |
| FileNetworkPhysicalNameInformation = 0x31 (tid: FF00000000002933) | |
| FileIdGlobalTxDirectoryInformation = 0x32 (tid: FF00000000002934) | |
| FileIsRemoteDeviceInformation = 0x33 (tid: FF00000000002935) | |
| FileUnusedInformation = 0x34 (tid: FF00000000002936) | |
| FileNumaNodeInformation = 0x35 (tid: FF00000000002937) | |
| FileStandardLinkInformation = 0x36 (tid: FF00000000002938) | |
| FileRemoteProtocolInformation = 0x37 (tid: FF00000000002939) | |
| FileMaximumInformation = 0x38 (tid: FF0000000000293A) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment