Building plugins for IDA Pro
Hex-Rays, Ilfak Guilfanov
(c) 2008 Hex-Rays SA
Presentation Outline
- Why plugins? IDC is not powerful enough
- Simple plugin, explained: the descriptor and init/term/run
- More sample plugins
- IDA API overview
- Good, bad, and ugly
- Your feedback

An online copy of this presentation is available at http://www.hex-rays.com/idapro/ppt/recon2008.ppt
IDA Pro
- Interactive
- Programmable
- Key macros – really handy (text version only)
  - Alt--, <Hotkey>, <Sequence>, Alt-=
- IDC scripts
- Plugins
IDC language
- “Toy” language
- Lacks many modern features (arrays, structs, hashes)
- Yet another language to learn
- Is it worth improving it?
- Cannot dump it – there are many useful IDC scripts
- Provisions for seamless embedding of other scripting languages
Plugin API
- A “real” API, no limitations, full access
- Subsystems:
  - Target processor
  - Input file format
  - Analysis
  - User interface
  - Debugger
  - Miscellaneous
- Pure C API with C++ syntax, compatible with all popular compilers
- Unfortunately, requires knowing C++, an increasingly scarce skill
- Plugins are just DLLs: you can use any tool to create them
IDA API
- It is eclectic: all kinds of naming conventions and paradigms can be found
- Probably it reflects my coding preferences over time :)
- With the community's help, we will add doxygen-generated web pages in the future
- Currently sample plugins and modules are available with the SDK
- It is over 170K lines (the header files alone are almost 40K)
- The API has over 1300 functions
- It has been frozen at IDA v4.9: existing plugins will be compatible with future versions of IDA
API evolution
- Natural evolution vs. design/code/debug cycle
- IDA Pro is a naturally evolving platform
- Code transformation and refactoring are our main methods
- Things evolve in unforeseen directions:
  - Addressable quantities (bytes) are not 8 bits: Atmel AVR, Microchip PIC
  - GUI
  - Bytecode machines
  - 8-bit to 128-bit computers
  - Multiple-chunk functions
  - Debugger
  - Graph view
- Despite this, the architecture stays the same
API evolution
- Things users want:
  - Multiple processors for the input file
  - Multiple input files per database
  - Multiple users per database
  - Multiple debugging sessions per debugger server
  - Multiple analysis threads
IDA Pro architecture
Diagram: the IDA kernel in the centre, connected to the user interface, the input file loader, the processor module, plugins, and the database.
The Database
- Consists of four files:
  - Btree: the most interesting file; names, comments, etc. are kept there
  - Flags: a 32-bit value for each byte of the program, describing that byte: iscode, hasname, hascmt, isoff, etc.
  - Name pointers: something we may ignore (implementation detail)
  - Type library: local type definitions
Plugin descriptor
The descriptor: name, flags, hotkeys, and init/term/run:
Plugin initialization
- Check if our plugin is useful for the current database:
  - Is the processor supported by the plugin?
  - Is the file format supported?
  - What IDA version is running?
    - GUI or text mode (ui_get_hwnd != NULL)
    - version number (get_kernel_version)
  - Are other required plugins loaded?
  - etc...
Invoking plugins
- Old way: Edit, Plugins, MyPlugin => calls run()
- New way: use add_menu_item() to add an item to the desired menu; the specified callback function will be called when the user selects it
Plugins and events
- You may register event callbacks and perform all necessary actions there
- You may also define a new IDC function and do nothing else
Hello, world! - full source code
Quick exit from IDA Pro
- Replacement for Alt-X – quit from IDA
- No questions asked, just exit
- We could use Shift-click on the Windows Close button in the upper right corner (use Ctrl-Shift to exit without saving)
Multiple file search
- Search for a function in several databases
- We have an object file for that function
- First we create a signature from the function:

    plb object_file mypattern
    sigmake mypattern mypattern
    copy mypattern.sig %idadir%\sig

- We will start IDA with a special command line switch
- IDA will check if the database contains the function and:
  - If found, it may log the result and quit, or just switch to interactive mode
  - If not found, it will silently quit
- IDA will be called from a batch file for all databases
Multiple file search plugin
We do everything in init() and return PLUGIN_SKIP
Multiple file search - launching
- Run idag from a batch file
  - -O for our plugin
  - -A to suppress dialog boxes
- The batch file will run until the signature file matches
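The signature build from the "Multiple file search" slide and the batch-driven launch described here, written out as one Windows batch file. This is an added example, not code from the presentation; it assumes the plugin is named findfunc, that it reads its -O option string (retrieved in the plugin with get_plugin_options) as the path of a result file it creates only when the signature matches, and that plb, sigmake and idag are on PATH.

```batch
@echo off
rem Added example (not from the presentation): build a signature for the
rem function in an object file, then run IDA over every database until the
rem signature matches. Assumptions: plugin name findfunc, result-file path
rem passed via -O, tools on PATH, %idadir% set to the IDA install directory.
setlocal

set OBJ=%1
set DBDIR=%2
set RESULT=%TEMP%\findfunc_found.txt
if "%DBDIR%"=="" echo usage: %~nx0 object_file database_dir & exit /b 2

rem Step 1: pattern file from the object file, then compile it into a .sig
plb %OBJ% mypattern
sigmake mypattern mypattern
if exist mypattern.exc (
    rem sigmake writes mypattern.exc when patterns collide; it must be
    rem edited to choose the winners and sigmake rerun before continuing
    echo collisions written to mypattern.exc, edit it and rerun sigmake
    exit /b 1
)
copy mypattern.sig "%idadir%\sig\" >nul

rem Step 2: autonomous mode (-A) so no dialog boxes block the batch; the
rem plugin gets the result path through -O and does its work in init()
if exist "%RESULT%" del "%RESULT%"
for %%F in ("%DBDIR%\*.idb") do (
    echo checking %%~nxF
    idag -A -Ofindfunc:"%RESULT%" "%%F"
    if exist "%RESULT%" (
        echo found in %%F
        type "%RESULT%"
        exit /b 0
    )
)
echo not found in any database under %DBDIR%
exit /b 1
```

The loop stops at the first database whose analysis makes the plugin write the result file, which is the "run until the signature file matches" behaviour the slide describes.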
Multiple search variants
- The same approach could be used to find (just some random ideas):
  - Precise instruction text (a binary search over files won't do)
  - A specific comment
  - Functions of a certain length or with other attributes
  - An IDB created from a file with the specified MD5 checksum
  - Databases with cryptographic functions
  - etc...
Analysis improvement
- IDA uses lots of heuristic rules during analysis
- The built-in heuristics are generic
- You could benefit from heuristic rules specific to your files
- Unfortunately we cannot implement these rules for you
- You can do it yourself, with one of the following approaches:
  - Manually run heuristic rules on the current database
  - Wait for the file to load, then scan the database and improve it
  - Wait for the analysis to finish, then scan the database
  - Hook analysis events and improve on the fly
Improve analysis when the file is loaded
- iPhone binaries use

  as the first instruction of many functions
- IDA currently does not recognize such functions
- Our plugin will address this shortcoming
- It will check for this opcode in ARM binaries and mark the found addresses for function creation
- It will be fully automatic
iPhone analysis improver
iPhone analysis improver - results
Post-analysis improvement
On the fly analysis improvement
- This is the most powerful improvement method
- Active all the time
- Immediately reacts to recognized patterns
Symbian (EPOC) return anomaly
- The ARM processor has many forms of “return” instruction
- Sometimes it is encoded as 2 instructions – our plugin will detect this and add a comment
First step: recognize the pattern
Second step: improve the listing
- Several methods:
  - Rename
  - Add comment
  - Patch the database
  - Change operand type
  - Save the data for further analysis
  - etc...
- In our plugin we just add a comment
On the fly analysis - results
Well, since we just added a comment, it is not spectacular
On the fly analysis - events
- There are many events you can hook; they happen when IDA:
  - Emulates an instruction: this is the main event for recognizing patterns
  - Adds/deletes a cross reference (IDA v5.3): a code ref usually leads to additional analysis
  - Creates an instruction: what about checking instruction sanity?
  - Creates a data item: you may automatically pretty-format it or change the number radix
  - Performs the final pass: what about checking the huge arrays disliked by many users?
  - Changes a byte value: intercept this to provide additional actions and analysis
IDA events
- Changes an operand type
- Modifies a structure/enum definition
- Renames a program location
- Creates/changes a segment
- Creates/changes a function
- etc...
Name watcher
- Hook the “rename” event
- If a new name has the “?c_wsz” prefix, convert the item to Unicode
- This is just an idea; you may check for other prefixes, or postfixes, or anything, in fact
- You may prohibit some names by returning a value < 0
Name watcher callback
Name watcher setup
The “thank you” slide
Thank you for your attention!
Questions?