Some of you might know that spoonm recently introduced IdaRub to the general public in
. IdaRub is an IDA plugin that is comparable to
. It allows people to write plugins for IDA in yet another language: Ruby. IdaRub 0.07 (including source code, examples and a decent readme file) is available from
dedicated to the tool.
Significantly fewer of you know that I've been beta-testing this tool since version 0.03. This post gives a brief overview of my experiences with IdaRub.
IdaRub supports two execution modes for Ruby scripts: local and remote. The first mode is comparable to what you might know from IdaPython. Once you run the plugin from inside IDA it asks you for a script file to run. This script file is executed and that's it. The remote mode is way cooler though. If you choose this mode, the IdaRub IDA plugin opens a TCP server which is used to communicate between the script and IDA.
Remote mode has a lot of advantages over local mode. The first advantage is obviously that you can execute scripts remotely. But that's not everything. It even makes sense to use remote mode if you're working locally. In remote mode you can run your scripts from the command line. This makes debugging using printf easier, and you can easily use additional functionality like the Ruby profiler to profile your scripts. I generally develop in remote mode and move to local mode once I've got the script working.
This coolness comes at a cost though. Communicating through TCP is of course significantly slower than communicating through direct DLL calls. That means remote mode - as cool as it is - isn't suited for scripts that communicate with IDA frequently. Remote mode is probably restricted to small scripts or scripts that perform few calls to IDA.
By the way, the actual script files you use don't have to be modified if you want to switch from one mode to the other. Exactly the same script will work in local mode and in remote mode. Initializing the IDA object to work on is just a single line too. It's all hidden from the script writer. This makes it very nice to write new scripts. You don't have to worry about setting up anything. Add one short line and you're ready to go. Well, two short lines if you count "require 'idarub'" too.
Here's an example of two script files you can use with IdaRub. Once again I've used a port of my InstructionCounter plugin to get an idea of a new IDA framework (like I did with IdaPython before). Inside the archive file you will find two versions of the script: one version is for remote mode and one version is for local mode. The reason for the two versions is that in remote mode the script is started from the command line and I can dump the results to stdout, while in local mode I need to write the results to a file.
I suggest you use the instc_local.rb script to count any kind of larger file. Due to the TCP communication of instc.rb, remote mode takes about 90 seconds on my machine to count the instructions in notepad.exe. The local script, on the other hand, finishes pretty much instantly. The speed of the Ruby script is on par with the speed of the Python script. Maybe it's a tiny bit slower; my benchmarks aren't exactly scientific.
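To make the point about call counts concrete, here is an added example of mine (not one of the instc scripts from the archive): a mnemonic counter in the spirit of the InstructionCounter port, written against a constructed stand-in for the IDA object so it runs offline. The stand-in counts every call the script makes, which is what decides whether remote mode is affordable; its method names (func_names, mnemonics) are invented for this example and are not IdaRub's API, and the counter itself never cares how the IDA object was obtained, so it would serve the local and the remote variant alike.

```ruby
require 'stringio'

# Constructed stand-in for the few IDA calls the counter needs. It also
# counts how many calls the script makes: in remote mode every one of
# these is a TCP round-trip, which is where the 90 seconds go.
class FakeIda
  attr_reader :calls

  def initialize(functions)
    @functions = functions  # { "name" => ["mov", "push", ...] }, constructed
    @calls = 0
  end

  def func_names              # invented name, not an IdaRub method
    @calls += 1
    @functions.keys
  end

  def mnemonics(func_name)    # invented name, not an IdaRub method
    @calls += 1
    @functions.fetch(func_name)
  end
end

# The counting logic does not know whether `ida` came from the in-process
# plugin or from a remote client, so one class serves both modes.
class InstructionCounter
  def initialize(ida)
    @ida = ida
  end

  # Returns { mnemonic => count } for the whole database, most frequent first.
  def count
    totals = Hash.new(0)
    @ida.func_names.each do |name|
      @ida.mnemonics(name).each { |m| totals[m.downcase] += 1 }
    end
    totals.sort_by { |m, n| [-n, m] }.to_h
  end

  # Writes one "mnemonic count" line per entry to any IO: $stdout for the
  # remote variant, an opened File for the local variant.
  def report(io)
    count.each { |m, n| io.puts format("%-8s %d", m, n) }
    io
  end
end

# Constructed sample: two small functions as a disassembler might list them.
SAMPLE = {
  "start"      => %w[push mov call mov pop ret],
  "sub_401000" => %w[push mov xor mov cmp jnz mov pop ret],
}.freeze

# Returns the mnemonic table and the number of IDA calls the run needed.
def run_sample
  ida = FakeIda.new(SAMPLE)
  counts = InstructionCounter.new(ida).count
  [counts, ida.calls]
end

InstructionCounter.new(FakeIda.new(SAMPLE)).report($stdout) if __FILE__ == $0
```

Three calls for two functions is cheap enough for remote mode; a per-instruction call pattern on a binary the size of notepad.exe is not, and the call counter makes that visible before you wait for it.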
That's all quite nice already, but it can be done significantly better. In my next update I'll show you how IdaRub can get even cooler.