building plugins for ida pro hex-rays ilfak guilfanov

Building plugins for IDA ProHex-RaysIlfak Guilfanov

2(c) 2008 Hex-Rays SA

Presentation Outline

Why plugins?IDC is not powerful enough

Simple plugin, explainedThe descriptor and init/term/run

More sample pluginsIDA API overview

Good, bad, and ugly

Your feedback

Online copy of this presentation is available at http://www.hex-rays.com/idapro/ppt/recon2008.ppt


IDA Pro

InteractiveProgrammable

Key macros – really handy (only text version)Alt--, <Hotkey>, <Sequence>, Alt-=

IDC scriptsPlugins


IDC language

“Toy” languageLacks many modern features (arrays, structs, hashes)Yet another language to learnIs it worth improving it?Can not dump it – there are many useful IDC scriptsProvisions for seamless embedding of other scripting languages


Plugin API

A “real” API, no limitations, full accessSubsystems:

Target processorInput file formatAnalysisUser-interfaceDebuggerMiscellaneous

Pure C API with C++ syntax, compatible with all popular compilersUnfortunately, requires knowing C++ - an increasingly scarce skillPlugins are just DLLs you can use any tool to create them


IDA API

It is eclectic – all kinds of naming conventions and paradigms can be foundProbably it reflects my coding preferences over time :)With the community help, we will add doxygen generated web pages in the futureCurrently sample plugins and modules are available with the SDKIt is over 170K lines (only header files almost 40K)API has over 1300 functionsIt has been frozen at IDA v4.9 – existing plugins will be compatible with future versions of IDA


API evolution

Natural evolution vs. design/code/debug cycleIDA Pro is a naturally evolving platformCode transformation and refactoring is our main methodsThings evolve in unforeseen directions:

Addressable quantities (bytes) are not 8 bitAVR Atmel, Microchip's PIC

GUIBytecode machines8-bit to 128-bit computersMultiple chunk functionsDebuggerGraph view

Despite of this, the architecture stays the same


API evolution

Things users wantMultiple processors for the input fileMultiple input files per databaseMultiple users per databaseMultiple debugging sessions per debugger serverMultiple analysis threads


IDA Pro architecture

IDAKERNEL

Userinterface

Input fileloader

Processormodule

Plugins

Database


The Database

Consists of four filesBtree

The most interesting fileNames, comments, etc are kept there

Flags32-bit value for each byte of the programDescribe each byte: iscode, hasname, hascmt, isoff, etc

Name pointersSomething we may ignore (implementation detail)

Type libraryLocal type definitions


Plugin descriptor

The descriptor: name, flags, hotkeys, and init/term/run:


Plugin initialization

Check if our plugin is useful for the current database:Is processor supported by the plugin?Is the file format supported?What IDA version is running?

GUI or text mode (ui_get_hwnd != NULL)version number (get_kernel_version)

Are other required plugins loaded?etc...


Invoking plugins

Old way: Edit, Plugins, MyPlugin => calls run()New way: use add_menu_item() to the menu in the desired menu, the specified callback function will be called when the user selects


Plugins and events

You may register event callbacks and perform all necessary actions there

You may also define a new IDC function and do nothing else


Hello, world! - full source code


Quick exit from IDA Pro

Replacement of Alt-X – quit from IDANo questions asked, just exitWe could use Shift-click on the Windows Close button at the right upper corner (use Ctrl-Shift to exit without saving)


Multiple file search

Search for a function in several databasesWe have an object file for that functionFirst we create a signature from the function

plb object_file mypatternsigmake mypattern mypatterncopy mypattern.sign %idadir%\sig

We will start IDA with a special command line switchIDA will check if the database contains the function and

If found, it may log the result and quit or just switch to interactive modeIf not found, it will silently quit

IDA will be called from a batch file for all databases


Multiple file search plugin

We do everything in init() and return PLUGIN_SKIP


Multiple file search - launching

Run idag from a batch file-O for our plugin-A to suppress dialog boxes

The batch file will run until the signature file matches


Multiple search variants

The same approach could be used to find (just some random ideas)

Precise instruction text (binary search over files won't do)A specific commentFunction of certain length or other attributesIDB created from a file with the specified MD5 checksumDatabases with cryptographic functionsetc...


Analysis improvement

IDA uses lots of heuristic rules during analysisThe built-in heuristics are genericYou could benefit from heuristic rules specific to your filesUnfortunately we can not implement these rules for youYou can do it yourselfOne of the following approaches

Manually run heuristic rules on the current databaseWait for the file to load, scan the database and improveWait for the analysis to finish, then scan the databaseHook to analysis events and improve on the fly


Improve analysis when the file is loaded

iPhone binaries use

as the first instruction of many functions. IDA currently does not recognize such functionsOur plugin will address this shortcomingIt will check for this opcode in ARM binaries and mark the found addresses for function creationIt will be fully automatic


Iphone analysis improver


iPhone analysis improver - results


Post-analysis improvement


On the fly analysis improvement

This is the most powerful improvement methodActive all the timeImmediately reacts to recognized patterns


Symbian (EPOC) return anomaly

ARM processor has many forms of “return” instruction

Sometimes it is encoded as 2 instructions – our plugin will detect this and add a comment


First step: recognize the pattern


Second step: improve the listing

Several methodsRenameAdd commentPatch the databaseChange operand typeSave the data for further analysisetc...

In our plugin we just add a comment


On the fly analysis - results

Well, since we just added a comment, it is not spectacular


On the fly analysis - events

There are many events you can hook to, they happen when IDA

Emulates an instructionThis is the main event to recognize patterns

Adds/deletes a cross reference (IDA v5.3)A code ref usually leads to additional analysis

Creates an instructionWhat about checking instruction sanity?

Creates a data itemYou may automatically pretty format or change number radix

Performs the final passWhat about checking the huge arrays disliked by many users?

Changes a byte valueIntercept this to provide additional actions and analysis


IDA events

Changes an operand typeModifies structure/enum definitionRenames a program locationCreates/changes a segmentCreates/changes a functionetc...


Name watcher

Hook to the “rename” eventIf a new name has “?c_wsz” prefix, convert it to unicode

This is just an idea, you may check for other prefixesOr postfixesFor anything, in fact

You may prohibit some names by returning value < 0


Name watcher callback


Name watcher setup


The “thank you” slide

Thank you for your attention!Questions?

building plugins for ida pro hex-rays ilfak guilfanov

Documents