grep
Search named IDA entities by pattern. Use when asked to find functions, labels, types, or members by name, or to seed xref/decompiler workflows from a name lookup.
NPX Install
`npx skill4agent add allthingsida/idasql-skills grep`
SKILL.md Content
grep
Trigger Intents
Use this skill when the user asks to:
- find functions, labels, types, or members by name
- search by prefix/substring like `sub_`, `EH`, `Zw`, `CreateFile`, or `main`
- page through search results quickly
- seed table-native xref/decompiler/type workflows from name discovery
Route to:
- `xrefs` after locating a candidate callee/import/function and needing callers/callees/references
- `decompiler` after choosing a candidate function to inspect semantically
- `types` when the hit is a struct/enum/member you need to inspect or edit
Do This First (Quick Start)
```sql
-- 1) Start with a structured search while you learn the result shape
SELECT name, kind, address
FROM grep
WHERE pattern = 'main'
ORDER BY kind, name
LIMIT 20;
```
```sql
-- 2) Narrow immediately when the result set is noisy
SELECT name, ordinal, full_name
FROM grep
WHERE pattern = 'EH%' AND kind = 'struct'
ORDER BY name;
```
```sql
-- 3) Page with ordinary SQL
SELECT name, kind, address
FROM grep
WHERE pattern = 'sub_%'
ORDER BY kind, name
LIMIT 10 OFFSET 10;
```
Interpretation guidance:
- `grep` is a table. Use normal SQL for filtering, sorting, joining, grouping, and paging.
- For downstream parsing, select rows directly instead of wrapping the results in JSON.
Result Shape
`grep` columns: `name`, `kind`, `address`, `ordinal`, `parent_name`, `full_name`
Common `kind` values: `function`, `label`, `segment`, `struct`, `union`, `enum`, `member`, `enum_member`
Pattern Rules
- Matching is case-insensitive.
- Plain text becomes a contains-match.
- `%` matches any substring.
- `_` matches a single character.
- `*` is accepted and normalized to `%`.
- Empty pattern returns no rows.
- This is not regex.
- This is unrelated to `byte_search`.
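The rules above can be checked offline with a small model. This is an added example, not idasql's own code: it runs SQLite's `LIKE` over constructed names and assumes "plain text" means a pattern with no `%` or `*`; `normalize_pattern`, `model_grep` and `SAMPLE_NAMES` are hypothetical names.

```python
import sqlite3

# Constructed sample names standing in for IDA entities (not from a real database).
SAMPLE_NAMES = [
    ("main", "function"),
    ("wmain", "function"),
    ("sub_401000", "function"),
    ("subroutine_table", "label"),
    ("ZwCreateFile", "function"),
    ("EHRegistrationNode", "struct"),
    ("domain_flags", "member"),
]


def normalize_pattern(pattern):
    """Apply the listed rules; return a LIKE pattern, or None for 'no rows'."""
    if not pattern:
        return None                        # empty pattern returns no rows
    pattern = pattern.replace("*", "%")    # '*' is normalized to '%'
    if "%" not in pattern:
        # Assumption: plain text = no '%'/'*' supplied; '_' stays a wildcard.
        pattern = "%" + pattern + "%"      # plain text becomes a contains-match
    return pattern


def model_grep(pattern, kind=None):
    """Return the sample names the pattern would match, sorted by name."""
    like = normalize_pattern(pattern)
    if like is None:
        return []
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE names (name TEXT, kind TEXT)")
    db.executemany("INSERT INTO names VALUES (?, ?)", SAMPLE_NAMES)
    sql = "SELECT name FROM names WHERE name LIKE ?"   # LIKE: ASCII case-insensitive
    args = [like]
    if kind is not None:
        sql += " AND kind = ?"
        args.append(kind)
    rows = db.execute(sql + " ORDER BY name", args).fetchall()
    db.close()
    return [row[0] for row in rows]
```

In this model `sub_%` also matches `subroutine_table`, because `_` is a single-character wildcard rather than a literal underscore, and a plain `main` also picks up `domain_flags`; adding `kind = ...` is what trims such hits.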
Examples:
```sql
-- Contains-match
SELECT name, kind
FROM grep
WHERE pattern = 'main'
LIMIT 20;
```
```sql
-- Prefix wildcard
SELECT name, kind, address
FROM grep
WHERE pattern = 'sub_%'
ORDER BY name
LIMIT 20;
```
```sql
-- Shell-style star is accepted too
SELECT name, kind
FROM grep
WHERE pattern = 'Zw*'
LIMIT 20;
```
Common Workflows
Find candidate functions by name
```sql
SELECT name, address
FROM grep
WHERE pattern = 'main%' AND kind = 'function'
ORDER BY name;
```
Resolve imported APIs
```sql
SELECT module, name, address
FROM imports
WHERE name LIKE 'CreateFile%'
ORDER BY module, name;
```
Find types by convention
```sql
SELECT name, kind, ordinal, full_name
FROM grep
WHERE pattern = 'EH%' AND kind IN ('struct', 'enum')
ORDER BY kind, name;
```
Find members under a parent type
```sql
SELECT name, parent_name, ordinal
FROM grep
WHERE pattern = 'flag%' AND kind = 'member'
ORDER BY parent_name, name
LIMIT 30;
```
Join into richer function metadata
```sql
SELECT g.name, f.size, f.prototype
FROM grep g
JOIN funcs f ON f.address = g.address
WHERE g.pattern = 'sub_%' AND g.kind = 'function'
ORDER BY f.size DESC
LIMIT 20;
```
Pivot from discovery into xrefs
```sql
SELECT caller_name, printf('0x%X', caller_addr) AS from_addr
FROM callers
WHERE func_addr = (
    SELECT address
    FROM imports
    WHERE name = 'CreateFileW'
    ORDER BY name
    LIMIT 1
);
```
Compare With Other Search Surfaces
- Use `grep` for named entities discovered by IDA.
- Use `strings` when you need literal string contents.
- Use `byte_search` when you need raw bytes or opcode patterns.
- Use `xrefs` after discovery when the real question is "who references this?"
Failure and Recovery
- Too many hits: add `kind = ...`, tighten the prefix, or switch from plain text to a more specific wildcard pattern.
- No hits for an expected symbol: broaden the pattern, try a contains search, or pivot to `imports` if the target may only exist as an imported API.
- Need to search for comments, pseudocode text, or string contents: `grep` is the wrong surface; pivot to `strings`, decompiler tables, or other domain tables.
- Need bytes/opcodes: use `byte_search` instead of `grep`.