如何用IDA完全代替gdb(as a PWNer)

CTF学习笔记

发布于：2021年9月23日

次浏览

CTF

PWN

字数：1.6k字

时长：8分钟

如何优雅的配置IDA

（本身这个玩意是不值得水一篇blog的……但是，我看到我的IDA/plugins里面乱的和:shit:一样，:older_man:还是决定写一下配置IDA的过程，正好最近IDA Pro7.6泄露了部分（？），:older_man:就配置一下最新的IDA）

IDA毕竟是有图形化的，很多地方操作起来都比pwndbg要有操作空间，或者说是灵活、清晰（可以参考我之前水的exit_hook那篇文章。所以我到现在还选择使用IDA进行动调……

RE篇

尽管:older_man:现在不怎么做Re了，但是PWN还是需要RE的，而且这些基础插件还是很有意思的，所以不管做不做RE，都先装上吧。

LazyIDA

插件地址：https://github.com/L4ys/LazyIDA
安装方法：put LazyIDA.py into IDA/plugins/LazyIDA folder under your IDA Pro installation path.

feature

Remove function return type in Hex-Rays:

Convert data into different formats, output will also be automatically copied to the clipboard:

Scan for format string vulnerabilities:

Jump to vtable functions by double clicking
Lazy shortcuts:
- Disasm Window:
  - w: Copy address of current line into clipboard
- Hex-rays Window:
  - w: Copy address of current item into clipboard
  - c: Copy name of current item into clipboard
  - v: Remove return type of current item

findcrypt

项目地址：https://github.com/polymorf/findcrypt-yara
安装方法：
- pip安装yara-python（注意不是yara
- 将findcrypt3.py和findcrypt3.rules放在/IDA/plugins/findcrypt-yara下

feature

IDA pro plugin to find crypto constants (and more)

Keypatch

项目地址：https://github.com/keystone-engine/keypatch#appendix-install-keystone-for-ida-pro
安装方法：
- pip安装keystone-engine， six
- 将keypatch.py放在/IDA/plugin/keypatch下

feature

Use Patcher tool

At any place in IDA window, press the hotkey Ctrl-Alt-K to open the Patcher dialog.
Use Fill Range tool

Select a range of code in IDA window, then press the hotkey Ctrl-Alt-K to open the "Fill Range" dialog. Note that the same hotkey would open the Patcher window if you do not select a range of code, as in tutorial 1 above.
Revert (undo) the last patching

After any modification (like in tutorial 2 or 3 above), do right-click in IDA window, then choose from the popup menu Keypatch | Undo last patching to revert (undo) the last action.
Save the modification

After all the patching done in tutorial 1, 2, 3 above, save all the modifications by choosing menu Edit | Patch program | Apply patches to input file. Note that this really changes the original binary, so be sure this is what you desire.
Use Search tool
- Open the Search dialog by either right-click in IDA window, then choose from the popup menu Keypatch | Search. Or choose from the main menu Edit | Keypatch | Search.
- Enter assembly instructions in the Assembly control, then click "Search" to search for these instructions in code section. Keypatch would show the result in a new window. in which you can double-click each address to jump to the related code.
  
  Note that it is possible to enter more than one assembly instruction, and separating them by semi-colons signs (ie ;).

Ponce

项目地址：https://github.com/illera88/Ponce
安装方法：Ponce works with both x86 and x64 binaries in any IDA version >= 7.0. Installing the plugin is as simple as copying the appropiate files from the latest builds to the plugins\ folder in your IDA installation directory.

feature

Exploit development: Ponce can help you create an exploit in a far more efficient manner as the exploit developer may easily see what parts of memory and which registers you control, as well as possible addresses which can be leveraged as ROP gadgets.
Malware Analysis: Another use of Ponce is related to malware code. Analyzing the commands a particular family of malware supports is easily determined by symbolizing a simple known command and negating all the conditions where the command is being checked.
Protocol Reversing: One of the most interesting Ponce uses is the possibility of recognizing required magic numbers, headers or even entire protocols for controlled user input. For instance, Ponce can help you to list all the accepted arguments for a given command line binary or extract the file format required for a specific file parser.
CTF: Ponce speeds up the process of reverse engineer binaries during CTFs. As Ponce is totally integrated into IDA you don't need to worry about setup timing. It's ready to be used!

The plugin will automatically run, guiding you through the initial configuration the first time it is run. The configuration will be saved to a configuration file so you won't have to worry about the config window again.

Rizzo-IDA

项目地址：https://github.com/Reverier-Xu/Rizzo-IDA
安装方法：put rizzo.py into ${IDA-FOLDER}/plugins/rizzo

feature

一个IDAPython插件，可以生成 "模糊"的函数签名，然后在不同的IDB之间共享和应用。

idaemu

项目地址：https://github.com/36hours/idaemu
安装方法：If you want to use idaemu, you have to install unicorn-engine and unicorn's python binding first. Then use the idaemu.py as the idapython script.

feature

emmm……就是unicore做了一个IDA的结合和适配

暂时就这些吧……做逆向的时候要是遇到什么异架构，就现场搜吧……例如wasm还有GoLang……

PWN篇

deREferencing

其实这个插件对于逆向手也十分友好~~（要不PWN篇没得写了~~

项目地址：https://github.com/danigargu/deREferencing
安装方法：Just drop the dereferencing.py file and the dereferencing folder into /IDA/plugins/deference

feature

deReferencing is an IDA Pro plugin that implements new registers and stack views. Adds dereferenced pointers, colors and other useful information, similar to some GDB plugins (e.g: PEDA, GEF, pwndbg, etc).

Both views can be opened from the menu Debugger -> Debugger Windows or by shortcuts:

deREferencing - Registers (Alt-Shift-D)
deREferencing - Stack (Alt-Shift-E)

You also can save the desktop layout using the Windows -> Save desktop option, so that the plugin starts automatically in other debugging sessions.

HexRaysCodeXplorer

这个插件看起来巨nb，但是这个项目的README没有Install……就离谱！！！！

项目地址：https://github.com/REhints/HexRaysCodeXplorer
安装方法：在release里面下载dll文件放在/IDA/plugins/HexRaysCodeXplorer里面

feature

Automatic type REconstruction for C++ objects.
Virtual function table identification
C-tree graph visualization
Ctree Item View
Extract Ctrees to File
Extract Types to File
Navigation through virtual function calls
Object Explorer

HeapViewer

如果光看栈的话，其实前面的就已经足够了。但是如果看堆的话，IDA目前只有这一个可以查看堆的插件，但是说实话挺难用的……也正是堆，，让我返回gdb的怀抱……

项目地址：https://github.com/danigargu/heap-viewer
安装方法：Just drop the heap_viewer.py file and the heap_viewer folder into IDA's plugin directory.

feature

Heap tracer (malloc/free/calloc/realloc)
- Detection of overlaps and double-frees
- Visualization using villoc
Malloc chunk info
Chunk editor
Multi-arena info (chunks, top, last-remainder)
Bins info (fastbins, unsortedbin, smallbins y largebins)
Tcache info (glibc >= 2.26)
GraphView for linked lists (bins/tcache)
Structs view (malloc_state / malloc_par / tcache_perthread)
Magic utils:
- Unlink merge info
- Freeable/merge info
- Fake fastbin finder
- House of force helper
- Useful libc offsets
- Calc chunk size (request2size)
- IO_FILE structs

后记

因为IDA真心没有好用的查看heap的插件（挖个坑，有空我要自己写一个！！！最后我还是回归了pwndbg的怀抱，但是我又不舍得放弃IDA，于是就有了这个插件：

ret-sync

这个可以在IDA同步显示gdb的内容（仅限代码运行到了哪里，但是IDA可以重命名我就觉得很好用……

项目地址：https://github.com/bootleg/ret-sync
安装方法：Installation

features

synchronize graph and decompilation views with debugger's state
no need to deal with ASLR, addresses are rebased on-the-fly
pass data (comment, command output) from debugger to disassembler
multiple IDBs/GPRs can be synced at the same time allowing to easily trace through multiple modules
disassembler and debugger can be on different hosts / VMs