Presentation is loading. Please wait.

Presentation is loading. Please wait.

Building plugins for IDA Pro Hex-Rays Ilfak Guilfanov.

Published byRudolf Brown Modified over 9 years ago

Similar presentations

Presentation on theme: "Building plugins for IDA Pro Hex-Rays Ilfak Guilfanov."— Presentation transcript:

1 Building plugins for IDA Pro Hex-Rays Ilfak Guilfanov

2 2 (c) 2008 Hex-Rays SA Presentation Outline Why plugins? IDC is not powerful enough Simple plugin, explained The descriptor and init/term/run More sample plugins IDA API overview Good, bad, and ugly Your feedback Online copy of this presentation is available at http://www.hex-rays.com/idapro/ppt/recon2008.ppt

3 3 (c) 2008 Hex-Rays SA IDA Pro Interactive Programmable Key macros – really handy (only text version)‏ Alt--,,, Alt-= IDC scripts Plugins

4 4 (c) 2008 Hex-Rays SA IDC language “Toy” language Lacks many modern features (arrays, structs, hashes)‏ Yet another language to learn Is it worth improving it? Can not dump it – there are many useful IDC scripts Provisions for seamless embedding of other scripting languages

5 5 (c) 2008 Hex-Rays SA Plugin API A “real” API, no limitations, full access Subsystems: Target processor Input file format Analysis User-interface Debugger Miscellaneous Pure C API with C++ syntax, compatible with all popular compilers Unfortunately, requires knowing C++ - an increasingly scarce skill Plugins are just DLLs you can use any tool to create them

6 6 (c) 2008 Hex-Rays SA IDA API It is eclectic – all kinds of naming conventions and paradigms can be found Probably it reflects my coding preferences over time :)‏ With the community help, we will add doxygen generated web pages in the future Currently sample plugins and modules are available with the SDK It is over 170K lines (only header files almost 40K)‏ API has over 1300 functions It has been frozen at IDA v4.9 – existing plugins will be compatible with future versions of IDA

7 7 (c) 2008 Hex-Rays SA API evolution Natural evolution vs. design/code/debug cycle IDA Pro is a naturally evolving platform Code transformation and refactoring is our main methods Things evolve in unforeseen directions: Addressable quantities (bytes) are not 8 bit AVR Atmel, Microchip's PIC GUI Bytecode machines 8-bit to 128-bit computers Multiple chunk functions Debugger Graph view Despite of this, the architecture stays the same

8 8 (c) 2008 Hex-Rays SA API evolution Things users want Multiple processors for the input file Multiple input files per database Multiple users per database Multiple debugging sessions per debugger server Multiple analysis threads

9 9 (c) 2008 Hex-Rays SA IDA Pro architecture IDA KERNEL User interface Input file loader Processor module Plugins Data base

10 10 (c) 2008 Hex-Rays SA The Database Consists of four files Btree The most interesting file Names, comments, etc are kept there Flags 32-bit value for each byte of the program Describe each byte: iscode, hasname, hascmt, isoff, etc Name pointers Something we may ignore (implementation detail)‏ Type library Local type definitions

11 11 (c) 2008 Hex-Rays SA Plugin descriptor The descriptor: name, flags, hotkeys, and init/term/run:

12 12 (c) 2008 Hex-Rays SA Plugin initialization Check if our plugin is useful for the current database: Is processor supported by the plugin? Is the file format supported? What IDA version is running? GUI or text mode (ui_get_hwnd != NULL)‏ version number (get_kernel_version)‏ Are other required plugins loaded? etc...

13 13 (c) 2008 Hex-Rays SA Invoking plugins Old way: Edit, Plugins, MyPlugin => calls run()‏ New way: use add_menu_item() to the menu in the desired menu, the specified callback function will be called when the user selects

14 14 (c) 2008 Hex-Rays SA Plugins and events You may register event callbacks and perform all necessary actions there You may also define a new IDC function and do nothing else

15 15 (c) 2008 Hex-Rays SA Hello, world! - full source code

16 16 (c) 2008 Hex-Rays SA Quick exit from IDA Pro Replacement of Alt-X – quit from IDA No questions asked, just exit We could use Shift-click on the Windows Close button at the right upper corner (use Ctrl-Shift to exit without saving)‏

17 17 (c) 2008 Hex-Rays SA Multiple file search Search for a function in several databases We have an object file for that function First we create a signature from the function plb object_file mypattern sigmake mypattern mypattern copy mypattern.sign %idadir%\sig We will start IDA with a special command line switch IDA will check if the database contains the function and If found, it may log the result and quit or just switch to interactive mode If not found, it will silently quit IDA will be called from a batch file for all databases

18 18 (c) 2008 Hex-Rays SA Multiple file search plugin We do everything in init() and return PLUGIN_SKIP

19 19 (c) 2008 Hex-Rays SA Multiple file search - launching Run idag from a batch file -O for our plugin -A to suppress dialog boxes The batch file will run until the signature file matches

20 20 (c) 2008 Hex-Rays SA Multiple search variants The same approach could be used to find (just some random ideas)‏ Precise instruction text (binary search over files won't do)‏ A specific comment Function of certain length or other attributes IDB created from a file with the specified MD5 checksum Databases with cryptographic functions etc...

21 21 (c) 2008 Hex-Rays SA Analysis improvement IDA uses lots of heuristic rules during analysis The built-in heuristics are generic You could benefit from heuristic rules specific to your files Unfortunately we can not implement these rules for you You can do it yourself One of the following approaches Manually run heuristic rules on the current database Wait for the file to load, scan the database and improve Wait for the analysis to finish, then scan the database Hook to analysis events and improve on the fly

22 22 (c) 2008 Hex-Rays SA Improve analysis when the file is loaded iPhone binaries use as the first instruction of many functions. IDA currently does not recognize such functions Our plugin will address this shortcoming It will check for this opcode in ARM binaries and mark the found addresses for function creation It will be fully automatic

23 23 (c) 2008 Hex-Rays SA Iphone analysis improver

24 24 (c) 2008 Hex-Rays SA iPhone analysis improver - results

25 25 (c) 2008 Hex-Rays SA Post-analysis improvement

26 26 (c) 2008 Hex-Rays SA On the fly analysis improvement This is the most powerful improvement method Active all the time Immediately reacts to recognized patterns

27 27 (c) 2008 Hex-Rays SA Symbian (EPOC) return anomaly ARM processor has many forms of “return” instruction Sometimes it is encoded as 2 instructions – our plugin will detect this and add a comment

28 28 (c) 2008 Hex-Rays SA First step: recognize the pattern

29 29 (c) 2008 Hex-Rays SA Second step: improve the listing Several methods Rename Add comment Patch the database Change operand type Save the data for further analysis etc... In our plugin we just add a comment

30 30 (c) 2008 Hex-Rays SA On the fly analysis - results Well, since we just added a comment, it is not spectacular

31 31 (c) 2008 Hex-Rays SA On the fly analysis - events There are many events you can hook to, they happen when IDA Emulates an instruction This is the main event to recognize patterns Adds/deletes a cross reference (IDA v5.3)‏ A code ref usually leads to additional analysis Creates an instruction What about checking instruction sanity? Creates a data item You may automatically pretty format or change number radix Performs the final pass What about checking the huge arrays disliked by many users? Changes a byte value Intercept this to provide additional actions and analysis

32 32 (c) 2008 Hex-Rays SA IDA events Changes an operand type Modifies structure/enum definition Renames a program location Creates/changes a segment Creates/changes a function etc...

33 33 (c) 2008 Hex-Rays SA Name watcher Hook to the “rename” event If a new name has “?c_wsz” prefix, convert it to unicode This is just an idea, you may check for other prefixes Or postfixes For anything, in fact You may prohibit some names by returning value < 0

34 34 (c) 2008 Hex-Rays SA Name watcher callback

35 35 (c) 2008 Hex-Rays SA Name watcher setup

36 36 (c) 2008 Hex-Rays SA The “thank you” slide Thank you for your attention! Questions?

Download ppt "Building plugins for IDA Pro Hex-Rays Ilfak Guilfanov."

Similar presentations

Chapter 2 Operating System Overview Operating Systems: Internals and Design Principles, 6/E William Stallings.

Chapter 2 Operating System Overview Operating Systems: Internals and Design Principles, 6/E William Stallings.
Utilizing the GDB debugger to analyze programs Background and application.

Utilizing the GDB debugger to analyze programs Background and application.
The Assembly Language Level

The Assembly Language Level
A Guide to Unix Using Linux Fourth Edition

A Guide to Unix Using Linux Fourth Edition
Lab6 – Debug Assembly Language Lab

Lab6 – Debug Assembly Language Lab
Automating Tasks With Macros

Automating Tasks With Macros
Copyright © 2008 Pearson Addison-Wesley. All rights reserved. Chapter 12 Separate Compilation Namespaces Simple Make Files (Ignore all class references.

Copyright © 2008 Pearson Addison-Wesley. All rights reserved. Chapter 12 Separate Compilation Namespaces Simple Make Files (Ignore all class references.
A Guide to Oracle9i1 Introduction To Forms Builder Chapter 5.

A Guide to Oracle9i1 Introduction To Forms Builder Chapter 5.
Automating Tasks With Macros. 2 Design a switchboard and dialog box for a graphical user interface Database developers interact directly with Access.

Automating Tasks With Macros. 2 Design a switchboard and dialog box for a graphical user interface Database developers interact directly with Access.
Software Development, Programming, Testing & Implementation.

Software Development, Programming, Testing & Implementation.
1 Introduction to Tool chains. 2 Tool chain for the Sitara Family (but it is true for other ARM based devices as well) A tool chain is a collection of.

1 Introduction to Tool chains. 2 Tool chain for the Sitara Family (but it is true for other ARM based devices as well) A tool chain is a collection of.
Chapter 2 Software Tools and Assembly Language Syntax.

Chapter 2 Software Tools and Assembly Language Syntax.
Renesas Technology America Inc. 1 M16C/Tiny SKP Tutorial 2 Creating A New Project Using HEW4.

Renesas Technology America Inc. 1 M16C/Tiny SKP Tutorial 2 Creating A New Project Using HEW4.
RefWorks: Advanced February 13, 2006. 2 What We’ll Cover Today Managing Your Personal Database Searching Your Personal Database Linking to the Full Text.

RefWorks: Advanced February 13, What We’ll Cover Today Managing Your Personal Database Searching Your Personal Database Linking to the Full Text.
Visual Basic Chapter 1 Mr. Wangler.

Visual Basic Chapter 1 Mr. Wangler.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Computer Organization

Computer Organization
Introduction to HP LoadRunner Getting Familiar with LoadRunner >>>>>>>>>>>>>>>>>>>>>> www.softwaretestinggenius.com

Introduction to HP LoadRunner Getting Familiar with LoadRunner >>>>>>>>>>>>>>>>>>>>>>
Topics Introduction Hardware and Software How Computers Store Data

Topics Introduction Hardware and Software How Computers Store Data
Introduction to Python

Introduction to Python

Similar presentations

Ads by Google