如何优雅的配置IDA
(本身这个玩意是不值得水一篇blog的……但是,我看到我的IDA/plugins里面乱的和:shit:一样,:older_man:还是决定写一下配置IDA的过程,正好最近IDA Pro7.6泄露了部分(?),:older_man:就配置一下最新的IDA)
IDA毕竟是有图形化的,很多地方操作起来都比pwndbg要有操作空间,或者说是灵活、清晰(可以参考我之前水的exit_hook那篇文章。所以我到现在还选择使用IDA进行动调……
RE篇
尽管:older_man:现在不怎么做Re了,但是PWN还是需要RE的,而且这些基础插件还是很有意思的,所以不管做不做RE,都先装上吧。
LazyIDA
- 插件地址:https://github.com/L4ys/LazyIDA
- 安装方法:put
LazyIDA.py
intoIDA/plugins/LazyIDA
folder under your IDA Pro installation path.
feature
- Remove function return type in Hex-Rays:
- Convert data into different formats, output will also be automatically copied to the clipboard:
- Scan for format string vulnerabilities:
- Jump to vtable functions by double clicking
- Lazy shortcuts:
- Disasm Window:
w
: Copy address of current line into clipboard
- Hex-rays Window:
w
: Copy address of current item into clipboardc
: Copy name of current item into clipboardv
: Remove return type of current item
- Disasm Window:
findcrypt
- 项目地址:https://github.com/polymorf/findcrypt-yara
- 安装方法:
- pip安装yara-python(注意不是yara
- 将findcrypt3.py和findcrypt3.rules放在/IDA/plugins/findcrypt-yara下
feature
IDA pro plugin to find crypto constants (and more)
Keypatch
- 项目地址:https://github.com/keystone-engine/keypatch#appendix-install-keystone-for-ida-pro
- 安装方法:
- pip安装keystone-engine, six
- 将keypatch.py放在/IDA/plugin/keypatch下
feature
-
Use Patcher tool
At any place in IDA window, press the hotkey
Ctrl-Alt-K
to open the Patcher dialog. -
Use Fill Range tool
Select a range of code in IDA window, then press the hotkey
Ctrl-Alt-K
to open the "Fill Range" dialog. Note that the same hotkey would open the Patcher window if you do not select a range of code, as in tutorial 1 above. -
Revert (undo) the last patching
After any modification (like in tutorial 2 or 3 above), do right-click in IDA window, then choose from the popup menu
Keypatch | Undo last patching
to revert (undo) the last action. -
Save the modification
After all the patching done in tutorial 1, 2, 3 above, save all the modifications by choosing menu
Edit | Patch program | Apply patches to input file
. Note that this really changes the original binary, so be sure this is what you desire. -
Use Search tool
-
Open the Search dialog by either right-click in IDA window, then choose from the popup menu
Keypatch | Search
. Or choose from the main menuEdit | Keypatch | Search
. -
Enter assembly instructions in the Assembly control, then click "Search" to search for these instructions in code section. Keypatch would show the result in a new window. in which you can double-click each address to jump to the related code.
Note that it is possible to enter more than one assembly instruction, and separating them by semi-colons signs (ie
;
).
-
Ponce
- 项目地址:https://github.com/illera88/Ponce
- 安装方法:Ponce works with both x86 and x64 binaries in any IDA version >= 7.0. Installing the plugin is as simple as copying the appropiate files from the latest builds to the
plugins\
folder in your IDA installation directory.
feature
- Exploit development: Ponce can help you create an exploit in a far more efficient manner as the exploit developer may easily see what parts of memory and which registers you control, as well as possible addresses which can be leveraged as ROP gadgets.
- Malware Analysis: Another use of Ponce is related to malware code. Analyzing the commands a particular family of malware supports is easily determined by symbolizing a simple known command and negating all the conditions where the command is being checked.
- Protocol Reversing: One of the most interesting Ponce uses is the possibility of recognizing required magic numbers, headers or even entire protocols for controlled user input. For instance, Ponce can help you to list all the accepted arguments for a given command line binary or extract the file format required for a specific file parser.
- CTF: Ponce speeds up the process of reverse engineer binaries during CTFs. As Ponce is totally integrated into IDA you don't need to worry about setup timing. It's ready to be used!
The plugin will automatically run, guiding you through the initial configuration the first time it is run. The configuration will be saved to a configuration file so you won't have to worry about the config window again.
Rizzo-IDA
- 项目地址:https://github.com/Reverier-Xu/Rizzo-IDA
- 安装方法:put
rizzo.py
into${IDA-FOLDER}/plugins/rizzo
feature
一个IDAPython插件,可以生成 "模糊"的函数签名,然后在不同的IDB之间共享和应用。
idaemu
- 项目地址:https://github.com/36hours/idaemu
- 安装方法:If you want to use idaemu, you have to install unicorn-engine and unicorn's python binding first. Then use the
idaemu.py
as the idapython script.
feature
emmm……就是unicore做了一个IDA的结合和适配
暂时就这些吧……做逆向的时候要是遇到什么异架构,就现场搜吧……例如wasm还有GoLang……
PWN篇
deREferencing
其实这个插件对于逆向手也十分友好~~(要不PWN篇没得写了~~
- 项目地址:https://github.com/danigargu/deREferencing
- 安装方法:Just drop the
dereferencing.py
file and thedereferencing
folder into /IDA/plugins/deference
feature
deReferencing is an IDA Pro plugin that implements new registers and stack views. Adds dereferenced pointers, colors and other useful information, similar to some GDB plugins (e.g: PEDA, GEF, pwndbg, etc).
Both views can be opened from the menu Debugger -> Debugger Windows
or by shortcuts:
- deREferencing - Registers (
Alt-Shift-D
) - deREferencing - Stack (
Alt-Shift-E
)
You also can save the desktop layout using the Windows -> Save desktop
option, so that the plugin starts automatically in other debugging sessions.
HexRaysCodeXplorer
这个插件看起来巨nb, 但是这个项目的README没有Install……就离谱!!!!
- 项目地址:https://github.com/REhints/HexRaysCodeXplorer
- 安装方法:在release里面下载dll文件放在/IDA/plugins/HexRaysCodeXplorer里面
feature
- Automatic type REconstruction for C++ objects.
- Virtual function table identification
- C-tree graph visualization
- Ctree Item View
- Extract Ctrees to File
- Extract Types to File
- Navigation through virtual function calls
- Object Explorer
HeapViewer
如果光看栈的话,其实前面的就已经足够了。但是如果看堆的话,IDA目前只有这一个可以查看堆的插件,但是说实话挺难用的……也正是堆,,让我返回gdb的怀抱……
-
安装方法:Just drop the
heap_viewer.py
file and theheap_viewer
folder into IDA's plugin directory.
feature
- Heap tracer (malloc/free/calloc/realloc)
- Detection of overlaps and double-frees
- Visualization using villoc
- Malloc chunk info
- Chunk editor
- Multi-arena info (chunks, top, last-remainder)
- Bins info (fastbins, unsortedbin, smallbins y largebins)
- Tcache info (glibc >= 2.26)
- GraphView for linked lists (bins/tcache)
- Structs view (malloc_state / malloc_par / tcache_perthread)
- Magic utils:
- Unlink merge info
- Freeable/merge info
- Fake fastbin finder
- House of force helper
- Useful libc offsets
- Calc chunk size (request2size)
- IO_FILE structs
后记
因为IDA真心没有好用的查看heap的插件(挖个坑,有空我要自己写一个!!!最后我还是回归了pwndbg的怀抱,但是我又不舍得放弃IDA,于是就有了这个插件:
ret-sync
这个可以在IDA同步显示gdb的内容(仅限代码运行到了哪里,但是IDA可以重命名我就觉得很好用……
features
- synchronize graph and decompilation views with debugger's state
- no need to deal with ASLR, addresses are rebased on-the-fly
- pass data (comment, command output) from debugger to disassembler
- multiple IDBs/GPRs can be synced at the same time allowing to easily trace through multiple modules
- disassembler and debugger can be on different hosts / VMs