Building plugins for IDA Pro
Ilfak Guilfanov, Hex-Rays
Presentation Outline
- Why plugins? IDC is not powerful enough
- Simple plugin, explained: the descriptor and init/term/run
- More sample plugins
- IDA API overview: the good, the bad, and the ugly
- Your feedback
An online copy of this presentation is available at http://www.hex-rays.com/idapro/ppt/recon2008.ppt
(c) 2008 Hex-Rays SA
IDA Pro
- Interactive
- Programmable
  - Key macros: really handy (text version only); Alt--, <Hotkey>, <Sequence>, Alt-=
  - IDC scripts
  - Plugins
IDC language
- "Toy" language
- Lacks many modern features (arrays, structs, hashes)
- Yet another language to learn
- Is it worth improving it?
  - Cannot dump it: there are many useful IDC scripts
  - Provisions for seamless embedding of other scripting languages
Plugin API
- A "real" API: no limitations, full access
- Subsystems: target processor, input file format, analysis, user interface, debugger, miscellaneous
- Pure C API with C++ syntax, compatible with all popular compilers
- Unfortunately, it requires knowing C++, an increasingly scarce skill
- Plugins are just DLLs; you can use any tool to create them
IDA API
- It is eclectic: all kinds of naming conventions and paradigms can be found
- Probably it reflects my coding preferences over time :)
- With the community's help, we will add doxygen-generated web pages in the future
- Currently sample plugins and modules are available with the SDK
- It is over 170K lines (the header files alone are almost 40K)
- The API has over 1300 functions
- It has been frozen at IDA v4.9: existing plugins will be compatible with future versions of IDA
API evolution
- Natural evolution vs. the design/code/debug cycle
- IDA Pro is a naturally evolving platform
- Code transformation and refactoring are our main methods
- Things evolve in unforeseen directions:
  - Addressable quantities (bytes) are not 8-bit: Atmel AVR, Microchip's PIC
  - GUI
  - Bytecode machines
  - 8-bit to 128-bit computers
  - Multiple-chunk functions
  - Debugger
  - Graph view
- Despite this, the architecture stays the same
API evolution: things users want
- Multiple processors for the input file
- Multiple input files per database
- Multiple users per database
- Multiple debugging sessions per debugger server
- Multiple analysis threads
IDA Pro architecture
- Input file loader
- Processor module
- User interface
- IDA kernel
- Database
The Database
- Consists of four files:
  - Btree: the most interesting file; names, comments, etc. are kept there
  - Flags: a 32-bit value for each byte of the program, describing that byte (iscode, hasname, hascmt, isoff, etc.)
  - Name pointers: something we may ignore (implementation detail)
  - Type library: local type definitions
Plugin descriptor
The descriptor: name, flags, hotkeys, and init/term/run:
Plugin initialization
Check if our plugin is useful for the current database:
- Is the processor supported by the plugin?
- Is the file format supported?
- What IDA version is running?
  - GUI or text mode (ui_get_hwnd != NULL)
  - version number (get_kernel_version)
- Are other required plugins loaded?
- etc.
Invoking plugins
- Old way: Edit, Plugins, MyPlugin => calls run()
- New way: use add_menu_item() to add an item to the desired menu; the specified callback function will be called when the user selects it
Plugins and events
- You may register event callbacks and perform all necessary actions there
- You may also define a new IDC function and do nothing else
Hello, world! - full source code
Quick exit from IDA Pro
- Replacement of Alt-X: quit from IDA
- No questions asked, just exit
- We could use Shift-click on the Windows Close button in the upper right corner (use Ctrl-Shift to exit without saving)
Multiple file search
- Search for a function in several databases
- We have an object file for that function
- First we create a signature from the function:
  plb object_file mypattern
  sigmake mypattern
  copy mypattern.sig %idadir%\sig
- We will start IDA with a special command line switch
- IDA will check if the database contains the function:
  - If found, it may log the result and quit, or just switch to interactive mode
  - If not found, it will silently quit
- IDA will be called from a batch file for all databases
Multiple file search plugin
We do everything in init() and return PLUGIN_SKIP
Multiple file search - launching
- Run idag from a batch file
  - -O for our plugin
  - -A to suppress dialog boxes
- The batch file will run until the signature file matches
Multiple search variants
The same approach could be used to find (just some random ideas):
- Precise instruction text (a binary search over files won't do)
- A specific comment
- Functions of a certain length or with other attributes
- IDBs created from a file with the specified MD5 checksum
- Databases with cryptographic functions
- etc.
Analysis improvement
- IDA uses lots of heuristic rules during analysis
- The built-in heuristics are generic
- You could benefit from heuristic rules specific to your files
- Unfortunately we cannot implement these rules for you; you can do it yourself
- One of the following approaches:
  - Manually run heuristic rules on the current database
  - Wait for the file to load, scan the database and improve
  - Wait for the analysis to finish, then scan the database
  - Hook to analysis events and improve on the fly
Improve analysis when the file is loaded
- iPhone binaries use as the first instruction of many functions. IDA currently does not recognize such functions
- Our plugin will address this shortcoming
- It will check for this opcode in ARM binaries and mark the found addresses for function creation
- It will be fully automatic
iPhone analysis improver
iPhone analysis improver - results
Post-analysis improvement
On the fly analysis improvement
- This is the most powerful improvement method
- Active all the time
- Immediately reacts to recognized patterns
Symbian (EPOC) return anomaly
- The ARM processor has many forms of "return" instruction
- Sometimes it is encoded as 2 instructions: our plugin will detect this and add a comment
First step: recognize the pattern
Second step: improve the listing
Several methods:
- Rename
- Add comment
- Patch the database
- Change operand type
- Save the data for further analysis
- etc.
In our plugin we just add a comment
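The two steps above, pattern recognition and the "add a comment" action, as an added example that is not code from the slides and does not use the IDA SDK: the recognizer is written as plain C++ over a constructed little-endian ARM32 instruction stream so it runs offline. It also covers the "mark found addresses for function creation" idea of the iPhone slide, with the prologue opcode as a parameter because the slides do not give it. The two-instruction return it looks for (LDMFD SP!, {..., LR} followed by BX LR) is an assumption, since the slides do not name the exact pair; inside a real plugin the same checks would run from the emulate-instruction event and call set_cmt(), whereas here they return (address, comment) pairs.

```cpp
// Added example (not from the slides, no IDA SDK): ARM32 return-pattern
// recognition plus the "add a comment" action, over an in-memory code buffer.
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

struct Finding { size_t ea; std::string comment; };

// Read one 32-bit instruction word (little-endian) at byte offset `off`.
static uint32_t read_insn(const std::vector<uint8_t> &code, size_t off) {
    return uint32_t(code[off]) | uint32_t(code[off + 1]) << 8 |
           uint32_t(code[off + 2]) << 16 | uint32_t(code[off + 3]) << 24;
}

// Single-instruction returns; the condition field (bits 31..28) is masked off.
static bool is_bx_lr(uint32_t w)     { return (w & 0x0FFFFFFF) == 0x012FFF1E; } // BX LR
static bool is_mov_pc_lr(uint32_t w) { return (w & 0x0FFFFFFF) == 0x01A0F00E; } // MOV PC, LR

// LDMFD SP!, {reglist}: bits 27..20 = 1000 1011 (LDM, increment-after, writeback),
// Rn = SP (r13); the register list occupies bits 15..0.
static bool is_ldmfd_sp(uint32_t w) { return (w & 0x0FFF0000) == 0x08BD0000; }
static bool reglist_has(uint32_t w, unsigned reg) { return (w >> reg) & 1u; }

// Scan the stream and return one Finding per recognized return sequence.
// Two-instruction return assumed for this example: LDMFD SP!, {..., LR}
// immediately followed by BX LR.
std::vector<Finding> find_returns(const std::vector<uint8_t> &code) {
    std::vector<Finding> out;
    for (size_t off = 0; off + 4 <= code.size(); off += 4) {
        uint32_t w = read_insn(code, off);
        // one-instruction forms: BX LR, MOV PC, LR, LDMFD SP!, {..., PC}
        if (is_bx_lr(w) || is_mov_pc_lr(w) ||
            (is_ldmfd_sp(w) && reglist_has(w, 15))) {
            out.push_back({off, "return"});
            continue;
        }
        // two-instruction form: pop LR, then branch to it on the very next word
        if (is_ldmfd_sp(w) && reglist_has(w, 14) && !reglist_has(w, 15) &&
            off + 8 <= code.size() && is_bx_lr(read_insn(code, off + 4))) {
            out.push_back({off, "two-instruction return (LDMFD + BX LR)"});
            off += 4; // the BX LR belongs to this pattern; do not report it again
        }
    }
    return out;
}

// Function-start candidates: every aligned word equal to the given prologue
// opcode. The opcode is a parameter because the slides do not state it.
std::vector<size_t> find_prologues(const std::vector<uint8_t> &code, uint32_t prologue) {
    std::vector<size_t> out;
    for (size_t off = 0; off + 4 <= code.size(); off += 4)
        if (read_insn(code, off) == prologue) out.push_back(off);
    return out;
}

// Constructed sample stream (not taken from any real binary), little-endian words:
static const std::vector<uint8_t> kSample = {
    0x80, 0x40, 0x2D, 0xE9, //  0: STMFD SP!, {R7, LR}    (0xE92D4080) prologue
    0x00, 0x00, 0xA0, 0xE1, //  4: MOV R0, R0 (NOP)       (0xE1A00000)
    0xF0, 0x40, 0xBD, 0xE8, //  8: LDMFD SP!, {R4-R7, LR} (0xE8BD40F0)
    0x1E, 0xFF, 0x2F, 0xE1, // 12: BX LR                  (0xE12FFF1E)
    0xF0, 0x80, 0xBD, 0xE8, // 16: LDMFD SP!, {R4-R7, PC} (0xE8BD80F0)
};
static const uint32_t kSamplePrologue = 0xE92D4080; // assumed prologue for the sample

int main() {
    for (size_t ea : find_prologues(kSample, kSamplePrologue))
        std::printf("%04zx: function start candidate\n", ea);
    for (const Finding &f : find_returns(kSample))
        std::printf("%04zx: ; %s\n", f.ea, f.comment.c_str());
    return 0;
}
```

On the sample stream this reports offset 0 as a function-start candidate, offset 8 as the two-instruction return, and offset 16 as a plain return; the BX LR at offset 12 is consumed by the two-instruction pattern and not reported twice, which is the detail an on-the-fly hook has to get right when it sees one instruction at a time.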
On the fly analysis - results
Well, since we just added a comment, it is not spectacular
On the fly analysis - events
There are many events you can hook to; they happen when IDA:
- Emulates an instruction: this is the main event for recognizing patterns
- Adds/deletes a cross reference (IDA v5.3): a code ref usually leads to additional analysis
- Creates an instruction: what about checking instruction sanity?
- Creates a data item: you may automatically pretty-format it or change the number radix
- Performs the final pass: what about checking the huge arrays disliked by many users?
- Changes a byte value: intercept this to provide additional actions and analysis
IDA events
- Changes an operand type
- Modifies a structure/enum definition
- Renames a program location
- Creates/changes a segment
- Creates/changes a function
- etc.
Name watcher
- Hook to the "rename" event
- If a new name has the "?c_wsz" prefix, convert it to unicode
- This is just an idea; you may check for other prefixes, or postfixes, or anything, in fact
- You may prohibit some names by returning a value < 0
Name watcher callback
Name watcher setup
The "thank you" slide
Thank you for your attention! Questions?