Tuesday, December 29, 2020

IDCFuncs in ida pro 7.x

Let's assume that we want to have some normal programming language inside ida pro (not a strange-looking pile of spaces). Or just to make an RPC interface so you can use several instances of ida from external processes. In previous versions (since 4.x - I can be wrong) we had IDCFuncs, which I used for example to embed perl. But since 7.x this symbol is no longer exported (obviously to make users' lives even more unbearable). Sure, this small problem can't stop me. So there are at least two ways to find IDCFuncs in any ida pro 7.x

signature search

Strictly speaking, this method finds IDCFuncs->funcs. The name of the first function in this array of ext_idcfunc_t is always "____" (yes, some undocumented function with a name of four underscores). So you first must search for this string in the .text section (of ida.dll/ida64.dll) and then find the address of that string in .data - this will be the first ext_idcfunc_t:

struct ext_idcfunc_t
{
  const char *name;             ///< Name of function
  idc_func_t *fptr;             ///< Pointer to the Function
  const char *args;             ///< Type of arguments. Terminated with 0.
  const idc_value_t *defvals;   ///< Default argument values.
  int ndefvals;                 ///< Number of default values.
  int flags;                    ///< \ref EXTFUN_
};
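The signature-search method above, as an added example (not code from the original post): a pure-Python model of the two search steps run against a constructed stand-in for ida64.dll, not a real binary. It assumes the x64 field sizes for ext_idcfunc_t (four pointers plus two ints, 40 bytes), an arbitrary image base and section RVAs, and placeholder function names; in IDA itself the same two steps are a string search in .text followed by a pointer search in .data.

```python
import struct

IMAGE_BASE = 0x10000000  # assumed load address of the constructed image
PTR = 8                  # x64 pointer size (ida64.dll)
# ext_idcfunc_t from the page, x64 layout: name, fptr, args, defvals, ndefvals, flags
ENTRY = struct.Struct("<QQQQii")

def build_image():
    """Constructed stand-in for ida64.dll: .text holds name strings, .data the array."""
    text_rva, data_rva = 0x1000, 0x3000
    names = [b"____", b"fn_one", b"fn_two"]  # placeholder names, first one is the marker
    text, name_rva = b"", {}
    for n in names:
        name_rva[n] = text_rva + len(text)
        text += n + b"\0"
    data = b"\xCC" * 24  # unrelated bytes before the array
    funcs_rva = data_rva + len(data)
    for i, n in enumerate(names):
        data += ENTRY.pack(IMAGE_BASE + name_rva[n],         # name
                           IMAGE_BASE + 0x5000 + i * 0x10,   # fptr (fake code address)
                           IMAGE_BASE + 0x2000 + i,          # args (fake .rdata string)
                           0, 0, 0)                          # defvals, ndefvals, flags
    data += ENTRY.pack(0, 0, 0, 0, 0, 0)  # array terminator
    return {".text": (text_rva, text), ".data": (data_rva, data)}, funcs_rva

def find_idcfuncs(sections, image_base=IMAGE_BASE):
    """RVA of IDCFuncs->funcs: the aligned .data slot pointing at '____' in .text, or None."""
    (text_rva, text), (data_rva, data) = sections[".text"], sections[".data"]
    off = text.find(b"____\0")
    if off < 0:
        return None
    needle = struct.pack("<Q", image_base + text_rva + off)  # VA of the marker string
    pos = data.find(needle)
    while pos >= 0 and pos % PTR:  # skip unaligned (false) hits
        pos = data.find(needle, pos + 1)
    return None if pos < 0 else data_rva + pos

def walk_funcs(sections, funcs_rva, image_base=IMAGE_BASE):
    """Names of every ext_idcfunc_t entry from funcs_rva until a NULL name field."""
    (text_rva, text), (data_rva, data) = sections[".text"], sections[".data"]
    names, off = [], funcs_rva - data_rva
    while off + ENTRY.size <= len(data):
        name_va = ENTRY.unpack_from(data, off)[0]
        if name_va == 0:
            break
        s = name_va - image_base - text_rva
        names.append(text[s:text.index(b"\0", s)].decode())
        off += ENTRY.size
    return names
```

The pointer-alignment check matters on a real image: the 8-byte value can also occur unaligned inside unrelated data, so only pointer-aligned hits are candidates for the name field of the first entry.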

some disasm magic

It's very ironic that in a disassembler you have to use another disassembler to find what you want. Let's see which exported functions use IDCFuncs.
find_idc_func - contrary to expectations, it does not return any functions; its prototype looks like:

idaman THREAD_SAFE bool ida_export find_idc_func(
        qstring *out,
        const char *prefix,
        int n=0);

OK, let's use ida pro to see some guts of ida pro:
find_idc_func   proc near               ; DATA XREF: .text:off_100037A8o
                                        ; .text:000000001034C40Co

var_38          = qword ptr -38h
arg_0           = qword ptr  8
arg_8           = qword ptr  10h
arg_10          = qword ptr  18h
arg_18          = qword ptr  20h

                push    rdi
                push    r12
                push    r13
                push    r14
                push    r15
                sub     rsp, 30h
                mov     [rsp+58h+var_38], 0FFFFFFFFFFFFFFFEh
                mov     [rsp+58h+arg_0], rbx
                mov     [rsp+58h+arg_8], rbp
                mov     [rsp+58h+arg_10], rsi
                mov     r15d, r8d
                mov     r12, rdx
                mov     r13, rcx
                mov     rbx, cs:qword_10362658
                mov     [rsp+58h+arg_18], rbx
                mov     rcx, rbx

loc_100B886E:                           ; DATA XREF: .text:stru_102A80A8o
                call    qmutex_lock ; exported function
                nop
                mov     rdi, 0FFFFFFFFFFFFFFFFh
                mov     rsi, rdi
                xchg    ax, ax

loc_100B8880:                           ; CODE XREF: find_idc_func+58j
                inc     rsi
                cmp     byte ptr [r12+rsi], 0
                jnz     short loc_100B8880
                xor     ebp, ebp
                cmp     cs:IDCFuncs, rbp

This can easily be resolved with a simple state machine: take the first cmp with a memory operand in the .data section after the qmutex_lock call.
