Skip to content

Hotch 1.0.0

Hotch 1.0.0 - named after everyone's favourite TV profiler - is an IDA plugin that can be used to profile binary files. It sets breakpoints on all basic blocks of a program, records breakpoints hits and tries to figure out statistics from these hits. Click here to seen an example of a simple profiling session (starting Notepad and exiting Notepad again). Click here to see a huge 6.5 MB results file that shows a larger profiling session (loading a file in Notepad and playing around in it).

Random Notes:

  • "This is really slow for larger files". Yeah, it is really slow in IDA up to 5.2 but Ilfak fixed some things in IDA 5.3 and it works acceptably fast now. So patience, young padawan.
  • "The timing results don't really make sense". Yeah, I know. Since I execute a callback function after each breakpoint hit tight loops take disproportionally much time. For anything but tight loops the timing results should kinda work, at least relative to each other of course.
  • Ignore the source file libida.hpp, it's an early version of my experimental-at-best C++ wrapper library for the IDA SDK.
  • I take feature requests for Hotch.

Click here to download Hotch 1.0.0 (full source included, of course).

RubLib 0.04

Version 0.04 of RubLib, a high-level API for writing IDA Pro scripts in Ruby, is here. It grew from 125 methods to 163 methods since version 0.03. The most important new features are:
  • Support for function chunks
  • The Instruction class was restructured a bit
  • The behaviour of the [ ]-operator of the RubLib classes was standardized. It behaves like the [ ]-operator of the standard String class now.
Download RubLib 0.04
Online manual, examples, API documentation

RubLib 0.03

Here comes RubLib 0.03, everybody's favourite high-level Ruby library for writing IDA scripts. RubLib grew from 88 methods to 125 methods since version 0.02. The most significant addition is probably that users have access to the sections of a file now. Lots of other smaller things were added too.

I've even begun to write an actual manual for RubLib. Here it is. Make sure to check out the examples section. The entire RubLib API documentation can now be accessed online too (check the end of the manual).

Download RubLib 0.03

rublib 0.02

Did you ever sit in front of IDA thinking "Wow, I think this function would make more sense if all the lines were randomly shuffled". That's not a problem anymore with rublib 0.02!

foo = file[0].map{|l| l.line}.sort_by{rand}
foo.length.times{|i| file[0][i].manual_line = foo[i]}

And you have the lines of the first function shuffled in random order!

OK, this might be a bit useless. But it shows one of the many improvements of rublib 0.02 over yesterday's version. In the new version it's possible to modify values too. In the old version only read access to the IDB database was possible. There are many other improvements in the new version. It's now significantly longer (88 methods according to rdoc), it contains better code, I've added quite a few bug fixes, there's an actual documentation for it, and I've written unit tests to make sure I don't accidentally break things.

Let's see some more one-liners.

Here's what you do to get all function comments:

p file.map{|f| f.comment}.compact

Or if you want to get all comments from inside a function:

p file[0].map{|l| l.comment}.compact

Or if you want to add some TODO reminder to all functions you named but don't yet have a function comment:

file.select{|f| f[0].user_name? && f[0].auto_name? == false && f.comment == nil}.each{|f| f.comment = "TODO: Add comment"}

There are a few things that are on my list of things to do next.

First, I need a better name for rublib. I should stop naming my stuff after what it does. Many moons ago there was something on Slashdot that commercial products have names that appeal to the general population while open-source products have names for nerds (Exhibit A: Photoshop vs GIMP). Although I doubt that rublib is something for the general population I'd like to move away from GIMP and towards Photoshop.

Second, besides the goal of allowing people to write IDA scripts in as few lines as possible I want to add something that the IDA SDK is missing: Consistency and decent names. Sometimes the IDA SDK names use camelCase and sometimes they_use_underscores, sometimes they use neither. Furthermore names like get_func_qty are not easy to remember compared to number_of_functions. Adding consistent names is relatively easy. Adding consistent behaviour is tricky because no two situations are 100% the same. Sometimes it makes more sense to throw an exception and sometimes it makes more sense to return nil. There's another example. Negative indexes are OK for functions (file[-1] returns the last function in the file) whereas negative indexes are not OK for strings in the string list (file.string_list[-1] throws a RuntimeError).

Third, there are a few design issues. One of them is the question whether it would make sense to create a class hierarchy containing all string classes (ansi, unicode, pascal...)? It probably would.

Oh well, here's rublib 0.02. Enjoy.

A higher level API for IdaRub

I'm still dreaming of IdaHaskell for the sheer expressiveness that language provides. Alas, I fear IdaHaskell will remain a dream for years to come. Using IdaRub it is fortunately possible to make a big step towards the expressiveness of Haskell. I have started to develop a higher level API for IdaRub that allows you to do things in fewer lines of code.

Here are a few examples.

Here's how you get a list of all instructions used in a file:

p file.map{|f| f.map{|i| i.instruction}}.flatten.uniq.sort

Want to find all functions that start with a 'jmp' instruction? Here you go:

p file.map{|f| [f.name, f[0].instruction]}.select{|x| x[1] == 'jmp'}

Or what about listing all functions ordered by the number of functions that call them?

p file.map{|f| [f.name, f[0].crefs_to.length]}.sort{|x,y| y[1] <=> x[1]}

If you want to have a sorted list of all bytes used in the first function you'd do this:

p (file[0].start .. file[0].end).map{|x| x.byte}.uniq.sort{|x,y| x-y}.map{|x| "%02X" % x}

If you want a list of all unicode string references in the file containing an asterisk the following one-liner would do the job:

p file.string_list.select{|x| x.type == 3 && x.offset.unicode =~ /*/}.map{|x| [x.offset.offset, x.offset.unicode]}

I could go on and on and on. The number of one-liners to do neat stuff is nearly endless. It's not quite Haskell yet but I'm reasonably happy.

There's also a new instruction counter script that makes use of the high level API. The new script is noticibly smaller and prettier to look at. Furthermore you will notice that all output is directed through the new idap function. This function prints to stdout if the script is started from the console (remote mode) or to the output window inside IDA if the script is started from within IDA (local mode).

Right now the high-level API is merely a quick one-day hack. Nevertheless you can already do pretty cool stuff with it. You might want to check it out.

First experiences with IdaRub

Some of you might you know that spoonm recently introduced IdaRub to the general public in a talk at ReCon 2006. IdaRub is an IDA plugin that is comparable to IdaPython. It allows people to write plugins for IDA in yet another language: Ruby. IdaRub 0.07 (including source code, examples and a decent readme file) is available from here and there's a Google group dedicated to the tool.

Significantly fewer of you know that I've been beta-testing this tool since version 0.03. This post gives a brief overview of my experiences with IdaRub.

Continue reading "First experiences with IdaRub"

Some ideas about extending the IDA GUI with plugins

The first service pack of IDA 4.9 brought an important change to writing IDA plugins which I doubt many people have noticed. It's now theoretically possible to extend the IDA GUI in any way you like and in a way that's significantly easier than the low-level Win32 API methods already known. The emphasis is still on "theoretically" because even though it's looking really good, a lot of stuff needs to be figured out first. So far the method only works if you write plugins with C++ Builder but in the future it might be possible to make it work with all C++ compilers.

Continue reading "Some ideas about extending the IDA GUI with plugins"

idadoc 1.00

I'm going to start a larger project in March which makes it necessary to automatically create documentation from IDA disassemblies. Kinda like javadoc and Doxygen do for all kinds of languages. My latest plugin idadoc does something like that too. It extracts comments from all parts of an IDA database where I assume useful information about functions is stored. I think this first version already satisfies all my needs but there's also still a lot left to improve.
Continue reading "idadoc 1.00"

Porting the InstructionCounter plugin to Python

The latest release of IDAPython 0.8.0 gave me an incentive to look into the wonderful world of Python for the first time. Equipped with the Python tutorial from the official Python website and Google I decided to port my InstructionCounter plugin to Python, just to find out how Python and IDAPython work.

Here are my first impressions of Python:

1. Despite liberal use of empty lines the Python version is only 48 lines long, compared to the ~150 lines of the C++ plugin. I see four main reasons for this: The C++ plugin has 11 #include directives. It's also necessary to define the plugin structure and some functions IDA expects in the C++ version. If you use IDAPython this is done for you as part of the IDAPython IDA plugin. The third major reason is the lack of lambda expressions in C++ (unless you use something like Boost::lambda). The last reason is that my C++ plugin supports two versions of IDA (4.8 and 4.9) using some kind of conditional compilation which also takes a few lines of code. The actual functional code is pretty much the same in C++ and in Python.

2. Python string formatting using the well-known printf placeholders in combination with the % operator is pretty cool.

3. Where is the ternary operator? Seriously. That's the main issue I'm having with Python so far.

4. I like the Python collections a lot.

5. I think the : behind if-statements or loops should be dropped. Maybe there's some deeper meaning behind it but so far I've only experienced it as syntax pollution.

6. Yay for aspects from functional programming (map, filter, reduce, ...).

7. IDAPython is pretty cool. A perfect intermediate step between IDC scripts and writing entire plugins. I don't think I'll ever write IDC scripts again.

IDA InstructionCounter plugin 1.02

While checking out some ARM binaries I realized that my InstructionCounter plugin contained a bug which I didn't spot earlier because it doesn't really appear when counting instructions in x86 or 6502 disassemblies. In ARM binaries however the problem became apparent.

Here's a fixed version which still doesn't work 100% but about 99% and the few mistakes are easily detectable when looking through the results.

InstructionCounter plugin for IDA Pro

The InstructionCounter plugin for IDA Pro is actually the first plugin I've ever succesfully finished. The main reason for this is probably that it's not exactly a very complicated plugin but basically a copy / paste of the template code from Steve Micallef's awesome IDA plugin tutorial with just a few extra lines added.

The plugin counts all instructions used in a file, orders them by their frequency of occurrence and prints all that information to a text file of your choice.

Here's what the output looks like:

Opcode distribution of file: D:\Coding\nes\new\Page_15.idb
Total opcodes: 6390

0001. 001337    20.92%      LDA
0002. 001022    15.99%      STA
0003. 000589     9.22%      JSR
0004. 000260     4.07%      RTS
0005. 000205     3.21%      AND
0006. 000198     3.10%      LDX
0007. 000186     2.91%      CMP
0008. 000178     2.79%      ADC
0009. 000177     2.77%      BNE
0010. 000171     2.68%      BEQ
...

The ZIP file contains the complete Visual C++ source code and the compiled plugin for IDA 4.8 and IDA 4.9.

There are two minor problems I'm having which are mentioned in the source file. Unfortunately none of the people I bug about my IDA problems have been online in the last few days.

Furthermore I was convinced that a plugin like that already exists but I didn't find anything at the IDA Palace when I needed it a few days ago. If there's really already a plugin like that let me know.

Syntax highlighting for IDC script files in Crimson Editor



I use Crimson Editor for all my text/script editing needs. Unfortunately it didn't yet support syntax highlighting for IDA's scripting language IDC. Thanks to the easy extensibility of syntax highlighting in Crimson Editor I was able to create syntax definition files for the IDC language. Included in the archive is the Perl script I used to extract the names of the standard functions and macro definitions from the main file of the IDC scripting language, IDC.IDC.

Click here to get the archive including all files.

Click here to see a screenshot of Crimson Editor with syntax highlighting for IDC script files.

IDA 4.8 arrived



After working lots of extra hours in the ice mines I've recently managed to cough up enough money to buy IDA Pro from the lovely Belgium-based company Datarescue. I've bought it through their German re-seller German Sales though because quite frankly the original order form scared me. At the German Sales website I just put the product into the e-shopping cart and went to the order page. That's how I prefer to buy stuff.

I'm not Richie Rich so I opted for the Standard edition instead of the Professional edition even though it doesn't support the AMD64 CPU which might have come in handy in the future. And because there are plenty of reviews of the product itself I've decided to make one about the ordering process. Continue reading "IDA 4.8 arrived"