IDA Pro
Latest revision as of 00:18, 17 March 2017
Intro
IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment.
- Official page
- Windows, Linux, Mac OS X
- x86-32, x86-64, ARM and many others
- ELF, Java bytecode, Dalvik, ARM,...
- disassembler, some debugger
Resources
- The IDA Pro Book: http://www.nostarch.com/idapro2.htm
- https://leanpub.com/IDAPython-Book
- Reverse Engineering Code with IDA Pro by IOActive: http://shop.oreilly.com/product/9781597492379.do
- https://duksctf.github.io/Make-IDA-Pro-Great-Again/
PIN Tracer
Install
Adapted from https://www.hex-rays.com/products/ida/support/tutorials/pin/pin_tutorial.pdf
apt-get install gcc-multilib g++-multilib   # needed to build the 32-bit (ia32) tool
pushd pin-2.13-61206-gcc.4.4.7-linux/ia32/runtime
ln -s libelf.so.0.8.13 libelf.so            # the build looks for an unversioned libelf.so
popd
pushd pin-2.13-61206-gcc.4.4.7-linux/intel64/runtime
ln -s libelf.so.0.8.13 libelf.so
popd
mkdir pin-2.13-61206-gcc.4.4.7-linux/source/tools/@idapin66
cd pin-2.13-61206-gcc.4.4.7-linux/source/tools/@idapin66
wget https://www.hex-rays.com/products/ida/support/freefiles/idapin66.zip
7z x idapin66.zip
make TARGET=ia32e                           # 64-bit tool
make TARGET=ia32                            # 32-bit tool
Usage
In IDA select "PIN Tracer" and configure it.
- Path to PIN: pin-2.13-61206-gcc.4.4.7-linux/pin
- Path to tool: pin-2.13-61206-gcc.4.4.7-linux/source/tools/@idapin66/
See the PIN tutorial (pdf): https://www.hex-rays.com/products/ida/support/tutorials/pin/pin_tutorial.pdf
Python
Based on idapython (https://code.google.com/p/idapython/), shipped with IDA Pro
Install for IDA 6.5
Some scripts require PySide as well
To install it on Linux for IDA Pro, see Hexblog (http://www.hexblog.com/?p=333), but here it is installed locally under the IDA directory instead of system-wide under /
Download PySide 2011/12/30 for IDAPython 1.5+, Python 2.7 (2.6) and Qt 4.8.4 (IDA 6.5), Linux version
tar xvfz os_package_pyside_python27_package.tgz -C /path/to/ida
Install for IDA 6.6
PySide is now also part of IDA Pro, nothing to do anymore :)
Patching
IDA Pro natively patches code/data in its DB but not the original file; the options are:
- patch in the DB:
  - Edit / Patch program / ...
- produce a diff file:
  - File / Produce file / Create DIF
- patch the file:
  - Edit / Patch program / Apply patches to input file
- patch the file from a DIF file:
  - see e.g. http://resources.infosecinstitute.com/applied-cracking-byte-patching-ida-pro/
See also the plugins Fentanyl and ida-patcher below
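As an added example (not code from this wiki page or from IDA itself), a Python script that applies a DIF file produced by "Create DIF" to a copy of the input file, refusing to write if the original byte at any offset is not what the DIF records. The DIF layout assumed is IDA's text format (header line, blank line, file name, then one "offset: old new" line per patched byte, all in hex); the sample DIF and 32-byte input are constructed here.

```python
import re

# One patch line of IDA's DIF format: "<file offset>: <old byte> <new byte>"
_DIF_LINE = re.compile(r"^([0-9A-Fa-f]+):\s*([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")

def parse_dif(text):
    """Return (patched file name, [(offset, old, new), ...]) from DIF text.
    IDA's header line and blank lines are skipped; the first remaining
    non-patch line is the name of the file the DIF was produced for."""
    name, patches = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("This difference file"):
            continue
        m = _DIF_LINE.match(line)
        if m:
            patches.append(tuple(int(g, 16) for g in m.groups()))
        elif name is None:
            name = line
        else:
            raise ValueError("unexpected DIF line: %r" % line)
    return name, patches

def apply_dif(data, patches):
    """Return a patched copy of data, or raise if any original byte differs.
    The old-byte check makes a DIF safe to reuse: on a binary that is not the
    one IDA analysed it refuses instead of silently corrupting it."""
    buf = bytearray(data)
    for off, old, new in patches:
        if off >= len(buf):
            raise ValueError("offset 0x%X is beyond the end of the file" % off)
        if buf[off] != old:
            raise ValueError("byte at 0x%X is 0x%02X, DIF expects 0x%02X" % (off, buf[off], old))
        buf[off] = new
    return bytes(buf)

# Constructed sample: a DIF that turns "jz +5" (74 05) into "jmp +3" (EB 03) at 0x10
SAMPLE_DIF = """This difference file is created by The Interactive Disassembler

target.bin

0000000000000010: 74 EB
0000000000000011: 05 03
"""
SAMPLE_BIN = bytes(range(0x10)) + b"\x74\x05" + bytes(14)  # constructed 32-byte input file

def demo():
    name, patches = parse_dif(SAMPLE_DIF)
    return name, apply_dif(SAMPLE_BIN, patches)
```

Running apply_dif on a file that was rebuilt since the analysis will stop at the first mismatched byte, which is the signal to re-create the DIF from a fresh database rather than force the patch.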
Extensions
Development
- Adding full Qt support to IDA Pro (pdf): https://github.com/techbliss/Ida_Pro_Ultimate_Qt_Build_Guide/blob/master/The%20ultimate%20tut%20for%20Qt%20and%20Ida.pdf
ida-patcher (http://thesprawl.org/projects/ida-patcher/)
Make ida-patcher.py available in ida-6.6/plugins/
- View->Open subviews->Patches
Fentanyl (https://github.com/isislab/Fentanyl)
Easy patching!
See also here
File > Script file > Fentanyl/main.py
Alt-N       Convert instructions to nops
Alt-X       Nop all xrefs to this function
Alt-J       Invert conditional jump
Alt-P       Patch instruction
Alt-Z       Undo modification (won't always work; still be careful when editing)
Alt-Y       Redo modification (won't always work; still be careful when editing)
Alt-S       Save file
Alt-C       Find code caves
Ctrl-Alt-F  Make jump unconditional
Ctrl-Alt-N  Neuter the binary (remove calls to fork, setuid, setgid, getpwnam, setgroups, and chdir)
Hex-Rays
The most powerful (and most expensive) IDA Pro plugin is the Hex-Rays decompiler (https://www.hex-rays.com/products/decompiler/index.shtml)
- x86 and ARM
- decompiler
Limitations specific to ARM:
- floating point instructions are not supported
- VFP/SIMD/Neon/... instructions are not supported
- functions having an argument that is passed partially in registers and partially on the stack are not supported (e.g. an int64 passed in R3 and on the stack)
Addons
- Python bindings (https://github.com/EiNSTeiN-/hexrays-python) and plugins (https://github.com/EiNSTeiN-/hexrays-python-plugins)
- HexRaysCodeXplorer: https://github.com/REhints/HexRaysCodeXplorer
ida-decompiler (https://github.com/EiNSTeiN-/ida-decompiler)
Decompiles small functions in IDA
arm-thumb-decompiler (https://code.google.com/p/arm-thumb-decompiler-plugin/)
Mainly for Thumb right now
IDA Pro ARM debugger (https://sourceforge.net/projects/idaproarmdebug/)
Supports ARM code debugging via JTAG or software emulators
Garts: Get all referenced text strings (https://bitbucket.org/Alexander_Hanel/garts/src/)
aka A Better String Viewer
File > Script file > garts.py
IDA toolbag (http://thunkers.net/~deft/code/toolbag/docs.html#Installation)
- Under Linux put the toolbag content under ~/.idapro
>>> import toolbag
Miasm
Some bridges between IDA and Miasm:
- Symbolic execution plugin: https://github.com/cea-sec/miasm/pull/52
- Dependency graph plugin: https://github.com/cea-sec/miasm/pull/82
Diaphora (https://github.com/joxeankoret/diaphora)
A program diffing plugin, working with IDA 6.7 and 6.8
Doc here (pdf): https://github.com/joxeankoret/diaphora/raw/master/doc/diaphora_help.pdf
When running the script I got this issue (https://groups.google.com/forum/#!topic/diaphora/6vDqztVgpJY) about importing md5.
To solve it I had to manually install libssl0.9.8:i386 from the old Debian repo (https://packages.debian.org/squeeze-lts/i386/libssl0.9.8/download)
As a bonus, it exports IDA DBs in SQLite format
WWCD (https://github.com/sektioneins/WWCD)
What Would Capstone Decode - IDA plugin that implements a Capstone-powered IDA view
To sort
- IDAscope: https://bitbucket.org/daniel_plohmann/simplifire.idascope/
- Zynamics bindiff: http://www.zynamics.com/bindiff.html
- patchdiff2 (https://code.google.com/p/patchdiff2/ or https://github.com/filcab/patchdiff2): couldn't get even the git version working on Linux and IDA 6.8 (compiled after some patches but fails parsing the IDA DB)
- DarunGrim (http://www.darungrim.org/), another binary diff tool, open source but discontinued?
- x86emu (http://www.idabook.com/x86emu/), x86 emulator plugin. Windows, Linux, OS X
- idapatchwork (https://bitbucket.org/daniel_plohmann/idapatchwork), emulator based on PyEmu (slides: https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf)
- epanos (https://github.com/drvink/epanos), a MIPS decompiler, for IDA > 6.5
- IDAStealth (http://newgre.net/idastealth), anti-anti-debugging, for Windows
- IDA-sploiter (https://thesprawl.org/projects/ida-sploiter/), helps developing ROP exploits
- Plugin contests: https://www.hex-rays.com/contests/2015/index.shtml, https://www.hex-rays.com/contests/2014/index.shtml, https://www.hex-rays.com/contests/2013/index.shtml, https://www.hex-rays.com/contests/2012/index.shtml, https://www.hex-rays.com/contests/2011/index.shtml, https://www.hex-rays.com/contests/2010/index.shtml, https://www.hex-rays.com/contests/2009/index.shtml
- dr.rer.oec.gadget (https://github.com/patois/dr.rer.oec.gadget), develop and analyze ROP exploits for all processor architectures supported by IDA itself
- IDACompare: https://github.com/dzzie/IDACompare
- IDAEye: http://www.mfmokbel.com/Down/RCE/Documentation.html
- ADB Qt: http://techbliss.org/threads/adb-qt-super-version.626/
- IDA IPython (https://github.com/james91b/ida_ipython), an IDA Pro plugin for embedding an IPython kernel
- TurboDiff (http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=turbodiff), a program diffing plugin
- IDA Pro Instruction Reference Plugin: https://github.com/nologic/idaref
- IDAtropy (https://github.com/danigargu/IDAtropy), meant to generate charts of entropy and histograms
- GraphGrabber (https://github.com/tmr232/graphgrabber), to grab full-resolution images of IDA graphs
- plugin list: https://tuts4you.com/download.php?list.77
- plugin list: https://github.com/nihilus?tab=repositories
- plugin list: https://github.com/onethawt/idaplugins-list
Debugging
IDA Pro has some debugging capabilities too.
Local debugging: win32, windbg
Remote debugging: on the target host, run
gdbserver --multi <client_ip>:<port> # default IDA port: 23946
Then in IDA: select Remote GDB debugger; paths should be paths on the gdbserver host.
Tuning:
- Debugger / options / Stop on process entry point
- Compatible with lib preloading, cf below
- from 6.4, can make use of Intel PIN tools for diff debugging, see the tutorial (pdf): https://www.hex-rays.com/products/ida/support/tutorials/pin/pin_tutorial.pdf
Android
- Dalvik debugger: http://www.hexblog.com/?p=809
- Remotely Debugging Android Binaries in IDA Pro: http://finn.svbtle.com/remotely-debugging-android-binaries-in-ida-pro