此命令将查找 ScreenEA() 旁边的挂起指令的地址并打印它。

import idaapi
import idc
addr = idaapi.find_not_func(ScreenEA(), 1)
if addr != idc.BADADDR: 
    print "0x%08x : %s" % (addr, idc.GetDisasm(addr))
else:
    print "Hanging instruction not found"

要打印加载的二进制文件中的所有挂起指令，请执行以下操作：

import idaapi
import idc
addr = idaapi.find_not_func(0, 1)
while addr != idc.BADADDR:
    print "0x%08x : %s" % (addr, idc.GetDisasm(addr))
    addr = idaapi.find_not_func(addr, 1)
print "No more hanging instruction found"

天真的解决方案是迭代代码中的每条指令并检查它是否在函数内部。

使用萨克

for line in sark.lines():
    if not line.is_code:
        # The line is not a code line, so we skip it.
        continue
    if sark.is_function(line.ea):
        # Line is inside a function, skip it.
        continue

    # The line is code outside a function. Print it.
    print line

使用标准的 IDAPython

import idaapi
import idc

def iter_all_lines():
    start = idaapi.cvar.inf.minEA
    end = idaapi.cvar.inf.maxEA

    item = idaapi.get_item_head(start)
    while item < end:
        yield item
        item += idaapi.get_item_size(item)


def iter_hanging_lines():
    for line in iter_all_lines():
        if not idaapi.isCode(idaapi.getFlags(line)):
            # The line is not a code line, so we skip it.
            continue

        if idaapi.get_func(line):
            # The line is inside a function, skip it.
            continue

        # The line is code outside a function. Yield it.
        yield line


for line in iter_handing_lines():
    print "[{:08X}]    {}".format(line, idc.GetDisasm(line))