抱歉,您的浏览器无法访问本站

本页面需要浏览器支持(启用)JavaScript


了解详情 >

BlackBird的博客

这世界上所有的不利状况,都是当事者能力不足导致的

如何优雅的配置IDA

(本身这个玩意是不值得水一篇blog的……但是,我看到我的IDA/plugins里面乱的和:shit:一样,:older_man:还是决定写一下配置IDA的过程,正好最近IDA Pro7.6泄露了部分(?),:older_man:就配置一下最新的IDA)

IDA毕竟是有图形化的,很多地方操作起来都比pwndbg要有操作空间,或者说是灵活、清晰(可以参考我之前水的exit_hook那篇文章。所以我到现在还选择使用IDA进行动调……

RE篇

尽管:older_man:现在不怎么做Re了,但是PWN还是需要RE的,而且这些基础插件还是很有意思的,所以不管做不做RE,都先装上吧。

LazyIDA

feature

  • Remove function return type in Hex-Rays:

2016-06-12 11 05 29

  • Convert data into different formats, output will also be automatically copied to the clipboard:

2016-06-12 11 01 57 2016-06-12 11 03 18

  • Scan for format string vulnerabilities:

2016-06-15 8 19 03

  • Jump to vtable functions by double clicking
  • Lazy shortcuts:
    • Disasm Window:
      • w: Copy address of current line into clipboard
    • Hex-rays Window:
      • w: Copy address of current item into clipboard
      • c: Copy name of current item into clipboard
      • v: Remove return type of current item

findcrypt

feature

IDA pro plugin to find crypto constants (and more)

Keypatch

feature

  • Use Patcher tool

    At any place in IDA window, press the hotkey Ctrl-Alt-K to open the Patcher dialog.

  • Use Fill Range tool

    Select a range of code in IDA window, then press the hotkey Ctrl-Alt-K to open the "Fill Range" dialog. Note that the same hotkey would open the Patcher window if you do not select a range of code, as in tutorial 1 above.

  • Revert (undo) the last patching

    After any modification (like in tutorial 2 or 3 above), do right-click in IDA window, then choose from the popup menu Keypatch | Undo last patching to revert (undo) the last action.

  • Save the modification

    After all the patching done in tutorial 1, 2, 3 above, save all the modifications by choosing menu Edit | Patch program | Apply patches to input file. Note that this really changes the original binary, so be sure this is what you desire.

  • Use Search tool

    • Open the Search dialog by either right-click in IDA window, then choose from the popup menu Keypatch | Search. Or choose from the main menu Edit | Keypatch | Search.

    • Enter assembly instructions in the Assembly control, then click "Search" to search for these instructions in code section. Keypatch would show the result in a new window. in which you can double-click each address to jump to the related code.

      Note that it is possible to enter more than one assembly instruction, and separating them by semi-colons signs (ie ;).

Ponce

  • 项目地址:https://github.com/illera88/Ponce
  • 安装方法:Ponce works with both x86 and x64 binaries in any IDA version >= 7.0. Installing the plugin is as simple as copying the appropiate files from the latest builds to the plugins\ folder in your IDA installation directory.

feature

  • Exploit development: Ponce can help you create an exploit in a far more efficient manner as the exploit developer may easily see what parts of memory and which registers you control, as well as possible addresses which can be leveraged as ROP gadgets.
  • Malware Analysis: Another use of Ponce is related to malware code. Analyzing the commands a particular family of malware supports is easily determined by symbolizing a simple known command and negating all the conditions where the command is being checked.
  • Protocol Reversing: One of the most interesting Ponce uses is the possibility of recognizing required magic numbers, headers or even entire protocols for controlled user input. For instance, Ponce can help you to list all the accepted arguments for a given command line binary or extract the file format required for a specific file parser.
  • CTF: Ponce speeds up the process of reverse engineer binaries during CTFs. As Ponce is totally integrated into IDA you don't need to worry about setup timing. It's ready to be used!

The plugin will automatically run, guiding you through the initial configuration the first time it is run. The configuration will be saved to a configuration file so you won't have to worry about the config window again.

Rizzo-IDA

feature

一个IDAPython插件,可以生成 "模糊"的函数签名,然后在不同的IDB之间共享和应用。

idaemu

feature

emmm……就是unicore做了一个IDA的结合和适配

暂时就这些吧……做逆向的时候要是遇到什么异架构,就现场搜吧……例如wasm还有GoLang……

PWN篇

deREferencing

其实这个插件对于逆向手也十分友好~~(要不PWN篇没得写了~~

feature

deReferencing is an IDA Pro plugin that implements new registers and stack views. Adds dereferenced pointers, colors and other useful information, similar to some GDB plugins (e.g: PEDA, GEF, pwndbg, etc).

Both views can be opened from the menu Debugger -> Debugger Windows or by shortcuts:

  • deREferencing - Registers (Alt-Shift-D)
  • deREferencing - Stack (Alt-Shift-E)

You also can save the desktop layout using the Windows -> Save desktop option, so that the plugin starts automatically in other debugging sessions.

HexRaysCodeXplorer

这个插件看起来巨nb, 但是这个项目的README没有Install……就离谱!!!!

feature

  • Automatic type REconstruction for C++ objects.
  • Virtual function table identification
  • C-tree graph visualization
  • Ctree Item View
  • Extract Ctrees to File
  • Extract Types to File
  • Navigation through virtual function calls
  • Object Explorer

HeapViewer

如果光看栈的话,其实前面的就已经足够了。但是如果看堆的话,IDA目前只有这一个可以查看堆的插件,但是说实话挺难用的……也正是堆,,让我返回gdb的怀抱……

feature

  • Heap tracer (malloc/free/calloc/realloc)
    • Detection of overlaps and double-frees
    • Visualization using villoc
  • Malloc chunk info
  • Chunk editor
  • Multi-arena info (chunks, top, last-remainder)
  • Bins info (fastbins, unsortedbin, smallbins y largebins)
  • Tcache info (glibc >= 2.26)
  • GraphView for linked lists (bins/tcache)
  • Structs view (malloc_state / malloc_par / tcache_perthread)
  • Magic utils:
    • Unlink merge info
    • Freeable/merge info
    • Fake fastbin finder
    • House of force helper
    • Useful libc offsets
    • Calc chunk size (request2size)
    • IO_FILE structs

后记

因为IDA真心没有好用的查看heap的插件(挖个坑,有空我要自己写一个!!!最后我还是回归了pwndbg的怀抱,但是我又不舍得放弃IDA,于是就有了这个插件:

ret-sync

这个可以在IDA同步显示gdb的内容(仅限代码运行到了哪里,但是IDA可以重命名我就觉得很好用……

features

  • synchronize graph and decompilation views with debugger's state
  • no need to deal with ASLR, addresses are rebased on-the-fly
  • pass data (comment, command output) from debugger to disassembler
  • multiple IDBs/GPRs can be synced at the same time allowing to easily trace through multiple modules
  • disassembler and debugger can be on different hosts / VMs

参考链接

从无到有 配置IDA7.0

IDA Pro扩展

IDA插件收集

评论