Sebastian Porst ( http://www.the-interweb.com )
February, 2007
RubLib is a high level API for IdaRub. The goal is to maximize expressiveness and to minimize the lines of code necessary to write IDA Pro scripts. As of version 0.04 RubLib provides more than 160 methods that simplify access to segments, functions, instructions and the string list of IDA projects.
RubLib is licensed under the zlib/libpng license. Check out
http://www.opensource.org/licenses/zlib-license.php for more information.
Copyright (c) 2006 Sebastian Porst
This software is provided 'as-is', without any express or
implied warranty.
In no event will the authors be held liable for any damages arising from the use
of this software.
Permission is granted to anyone to use this software for any purpose, including
commercial
applications, and to alter it and redistribute it freely, subject to the
following restrictions:
1. The origin of this software must not be misrepresented; you must not claim
that you
wrote the original software. If you use this software in a product, an
acknowledgment
in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be
misrepresented
as being the original software.
3. This notice may not be removed or altered from any source distribution.
RubLib is the another way to write scripts for the IDA Pro, the most popular disassembler for binary files. It is built upon the API exposed by spoonm's IdaRub plugin. Thanks to language features provided by the Ruby programming language, IdaRub can already be used to write very high-level IDA Pro scripts. RubLib takes that approach to another level. RubLib puts object-oriented wrappers around the API exposed by IdaRub with the primary goal to minimize the number of lines the end-user has to write in his IDA Pro scripts. This makes RubLib the perfect prototyping library for IDA Pro plugins.
In this section familiarity with IdaRub is assumed. If you don't know how to use IdaRub please consult the IdaRub helpfile.
The first steps towards using RubLib are very simple. You only have to include idarub and rublib in your Ruby script.
require 'idarub'
require 'rublib'
If that was successful you can use RubLib.
The first thing you need to do is to create an IdaFile object. The IdaFile object is the central object in the RubLib API. It represents the currently loaded file and you use it to access all aspects of the file.
Here's how you create the IdaFile object.
ida, = IdaRub.auto_client
file = IdaFile.new(ida)
Here's a short guide on using RubLib. Combined with the examples this guide provides a quick introduction to RubLib. More detailed information about the RubLib API can be found in the API section.
function = file[0]
p "%s: %08X" % [ function.name, function.address ]
Output
"_FreeGlobal@0: 01001929"
function = file[0]
function[0..4].each { |line| p line.line }
Output
"mov eax, _g_PageSetupDlg.hDevMode"
"test eax, eax"
"push esi"
"mov esi, ds:__imp__GlobalFree@4; GlobalFree(x)"
"jz short loc_100193C"
file.each { |function| p function.name }
Output
"_FreeGlobal@0"
"_SetPageSetupDefaults@0"
"_NPSize@8"
"_NpSaveDialogHookProc@16"
"_GotoAndScrollInView@4"
"_SkipProgramName@4"
"_UpdateStatusBar@4"
"sub_1003F4C"
...
file.map { |function| function.name }.select { |function_name| function_name[0] == ?_ }
Output
["_FreeGlobal@0", "_SetPageSetupDefaults@0", "_NPSize@8", "_NpSaveDialogHookProc
@16", "_GotoAndScrollInView@4", "_SkipProgramName@4", "_UpdateStatusBar@4",
"_WinEventFunc@28", "_PFileInPath@4", "_NpResetMenu@4", "_MergeStrings@12",
"_AlertBox@20", "_SignalCommDlgError@0", "_ReplaceSel@4", "_GotoDlgProc@16",
"_fDetermineFileType@8", "_StringCopyWorkerW@12", "_NpOpenDialogHookProc@16",
"_CheckSave@4", "_WinMain@16", "_SetTitle@4", "_NPCommand@12",
"_FileDragOpen@0", "_doDrop@8", ...
p file.map{ |f | [ f.name, f[0].crefs_to.length ] }.sort{ |x, y| y[1] <=> x[1] }
Output
[["_RegWriteInt@12", 24], ["_RegGetInt@12", 24],
["@__security_check_cookie@4",17], ["_AlertBox@20", 14], ["_SkipBlanks@4", 6],
["_UpdateStatusBar@4", 6], ["_AlertUser_FileFail@4", 5], ["_CheckSave@4", 5],
["sub_1003F4C", 5], ["_LoadFile@8", 5], ["_SetTitle@4", 5], ["_NPSize@8", 4],
["_SaveFile@12", 4], ["_RegGetString@20", 3], ["_GetFileName@8", 3],
["_RegWriteString@12", 3], ["_StringCopyWorkerW@12", 3],
["_GotoAndScrollInView@4", 3], ["_New@4", 3], ["_Search@4", 3],
["_ReverseEndian@12", 3], ["_PrintHeaderFooter@8", 2], ["_DestroyAbortWnd@0",
2], ...
p file.map { |f| f.map { |i| i.mnemonic } }.flatten.uniq.sort
Output
["add", "and", "call", "cdq", "cmp", "dec", "idiv", "imul", "inc", "ja", "jb", "jbe",
"jg", "jge", "jl", "jle", "jmp", "jnb", "jns", "jnz", "js", "jz", "lea",
"leave", "mov", "movs", "movsx", "movzx", "neg", "not", "or", "pop", "push", "pushf",
"retn", "sar", "sbb", "setnz", "setz", "shl", "shr", "stos", "sub", "test", "xor"]
print "<ul>\n"
file.select { |function| function.comment != nil }.each { |function| print "<li>%s
( %08X ): %s\n" % [ function.name, function.address, function.comment ] }
print "</ul>\n"
Output
<ul>
<li>_NPInit@16 ( 01004565 ): First function comment
<li>_ReverseEndian@12 ( 01004B65 ): Second function comment
</ul>
file.string_list.each { |string| p string.value }
Output
"RegisterPenApp"
"notepad.chm"
"hhctrl.ocx"
"CLSID\\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\\InprocServer32"
"CommDlgExtendedError"
"GetPrinterDriverW"
"OpenPrinterW"
"WINSPOOL.DRV"
"CreateStatusWindowW"
"COMCTL32.dll"
"GetCurrentProcessId"
...
Please click here for an automatically generated documentation of the RubLib API. That documentation contains descriptions of all methods and classes RubLib provides.
RubLib 0.04 - February 2007