grep
grep is IDASQL's entity-search surface. Use it to discover named functions, labels, segments, structs, enums, and members before pivoting into xrefs, decompiler, or type work.
Trigger Intents
Use this skill when user asks to:
- find functions, labels, types, or members by name
- search by prefix/substring like
sub_,EH,Zw,CreateFile, ormain - page through search results quickly
- decide whether to use the
greptable orgrep()JSON output
Route to:
xrefsafter locating a candidate callee/import/function and needing callers/callees/referencesdecompilerafter choosing a candidate function to inspect semanticallytypeswhen the hit is a struct/enum/member you need to inspect or edit
Do This First (Quick Start)
-- 1) Start with a structured search while you learn the result shape
SELECT name, kind, address
FROM grep
WHERE pattern = 'main'
ORDER BY kind, name
LIMIT 20;
-- 2) Narrow immediately when the result set is noisy
SELECT name, ordinal, full_name
FROM grep
WHERE pattern = 'EH%' AND kind = 'struct'
ORDER BY name;
-- 3) Use JSON when you want a quick paged payload
SELECT grep('sub_%', 10, 0);
SELECT grep('sub_%', 10, 10);
Interpretation guidance:
- Prefer the
greptable first when you want to filter, sort, join, or group. - Prefer
grep()when you want one JSON cell for quick paging or downstream parsing.
Pick a Surface
Use grep table when you need:
WHERE kind = ...ORDER BY,GROUP BY,JOIN- richer follow-on SQL after discovery
Use grep() when you need:
- quick JSON output
- pagination without writing a full row query
json_each(...)parsing inside one statement
grep() accepts grep(pattern [, limit [, offset]]).
Defaults:
limit = 50offset = 0
Both surfaces expose the same entity fields:
namekindaddressordinalparent_namefull_name
Common kind values:
functionlabelsegmentstructunionenummemberenum_member
Pattern Rules
- Matching is case-insensitive.
- Plain text becomes a contains-match.
%matches any substring._matches a single character.*is accepted and normalized to%.- Empty pattern returns no rows from
grepand[]fromgrep(). - This is not regex.
- This is unrelated to
search_bytes().
Examples:
-- Contains-match
SELECT name, kind
FROM grep
WHERE pattern = 'main'
LIMIT 20;
-- Prefix wildcard
SELECT name, kind, address
FROM grep
WHERE pattern = 'sub_%'
ORDER BY name
LIMIT 20;
-- Shell-style star is accepted too
SELECT name, kind
FROM grep
WHERE pattern = 'Zw*'
LIMIT 20;
Common Workflows
Find candidate functions by name
SELECT name, address
FROM grep
WHERE pattern = 'main%' AND kind = 'function'
ORDER BY name;
Resolve imported APIs
SELECT module, name, address
FROM imports
WHERE name LIKE 'CreateFile%'
ORDER BY module, name;
Find types by convention
SELECT name, kind, ordinal, full_name
FROM grep
WHERE pattern = 'EH%' AND kind IN ('struct', 'enum')
ORDER BY kind, name;
Find members under a parent type
SELECT name, parent_name, ordinal
FROM grep
WHERE pattern = 'flag%' AND kind = 'member'
ORDER BY parent_name, name
LIMIT 30;
Join into richer function metadata
SELECT g.name, f.size, f.prototype
FROM grep g
JOIN funcs f ON f.address = g.address
WHERE g.pattern = 'sub_%' AND g.kind = 'function'
ORDER BY f.size DESC
LIMIT 20;
Parse paged JSON results from grep()
SELECT
json_extract(value, '$.name') AS name,
json_extract(value, '$.kind') AS kind,
printf('0x%llX', json_extract(value, '$.address')) AS addr
FROM json_each(grep('init', 10, 0))
WHERE json_extract(value, '$.kind') = 'function';
Pivot from discovery into xrefs
SELECT caller_name, printf('0x%X', caller_addr) AS from_addr
FROM callers
WHERE func_addr = (
SELECT address
FROM imports
WHERE name = 'CreateFileW'
ORDER BY name
LIMIT 1
);
Compare With Other Search Surfaces
- Use
grep/grep()for named entities discovered by IDA. - Use
stringswhen you need literal string contents. - Use
search_bytes()when you need raw bytes or opcode patterns. - Use
xrefsafter discovery when the real question is "who references this?"
Failure and Recovery
- Too many hits:
add
kind = ..., tighten the prefix, or switch from plain text to a more specific wildcard pattern. - No hits for an expected symbol:
broaden the pattern, try a contains search, or pivot to
importsif the target may only exist as an imported API. - Need to search for comments, pseudocode text, or string contents:
grepis the wrong surface; pivot tostrings, decompiler tables, or other domain tables. - Need bytes/opcodes:
use
search_bytes()instead ofgrep.
More from allthingsida/idasql-skills
disassembly
Query IDA disassembly. Use when asked about functions, segments, instructions, blocks, operands, control flow, or raw code structure.
11decompiler
Decompile and analyze IDA functions. Use when asked for pseudocode, ctree AST analysis, local variables, labels, or decompiler-driven cleanup.
10xrefs
Analyze IDA cross-references. Use when asked about callers, callees, imports, data refs, call graphs, or dependency chains.
9debugger
IDA debugger operations. Use when asked to set breakpoints, patch bytes, add conditions, or manage a patch inventory.
9storage
Persistent key-value storage in IDA databases. Use when asked to store metadata, track progress, or persist session state via netnode_kv.
9ui-context
Capture live IDA UI context. Use when the user references what's on screen, what's selected, or asks about the current view in IDA's GUI.
9