From Collaborative RCE Tool Library
IDA Extensions
| Tool name: | Class Informer |
|---|---|
| Author: | Sirmabus |
| Website: | http://www.macromonkey.com/bb/viewforum.php?f=65 |
| Current version: | 1.02 |
| Last updated: | March 28, 2011 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | Scans an MSVC 32bit target IDB for vftables with C++ RTTI, and MFC RTCI type data. Places structure defs, names, labels, and comments to make more sense of class vftables ("Virtual Function Table") and make them read easier as an aid to reverse engineering. Creates a list window with found vftables for browsing. RTTI ("Run-Time Type Identification"): http://en.wikipedia.org/wiki/RTTI RTCI ("Run Time Class Information"), the MFC forerunner to "RTTI": http://msdn.microsoft.com/en-us/library/fych0hw6(VS.80).aspx See also screenshot example of vftable info set by plug-in below. |
| Also listed in: | COM Tools |
| Tool name: | IDA Process Dumper |
|---|---|
| Author: | thE Cur!ouZ |
| Website: | N/A |
| Current version: | 1.0 |
| Last updated: | July 9, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | IDA Process Dumper Plugin to make a dump of the running process under the IDA debugger. |
| Also listed in: | (Not listed in any other category) |
| Tool name: | IDA Stealth |
|---|---|
| Author: | Jan Newger |
| Website: | http://newgre.net/idastealth |
| Current version: | 1.3.3 |
| Last updated: | June 28, 2011 |
| Direct D/L link: | http://newgre.net/idastealth |
| License type: | Free / Open Source |
| Description: | IDAStealth is a plugin which aims to hide the IDA debugger from most common anti-debugging techniques. The plugin is composed of two files, the plugin itself and a DLL which is injected into the debuggee as soon as the debugger attaches to the process. The injected DLL is actually responsible for implementing most of the stealth techniques, either by hooking syscalls or by patching some flags in the remote process. |
| Also listed in: | Tool Hiding Tools |
| Tool name: | RE-SIGS |
|---|---|
| Author: | dihux |
| Website: | N/A |
| Current version: | v0.14 |
| Last updated: | August 8, 2011 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | from readme.txt: INFO: RE-SIGS is a signature file for IDA. RE-SIGS does not support Delphi signatures anymore. Maybe there will be a pure Delphi version in the future. Help out with the project if you want :-) INSTALL: Copy RESIGS*.sig into IDA\sig. ADDED SIGNATURES: MATH LIBS - MIRACL v43 v54 v72 v85 v45 v510 v474 v542 v544 - BigLib v0.01e by roy - ECC Bignums - Borzoilib - BigNumberQs - MPI - Freelip - GiantInt - Mixint v0.7 - Bignum library by drizz v1.0 RC2 - Bignum library v1.0 by _ged/TKM! - Witeg's biglib - Pegwit v8.7 - Pegwit modified version found in software - Slavasoft FastCRC Library v1.51 - Slavasoft QuickCrypt Library v2.51 - Slavasoft QuickHash Library v3.02 - libtomcrypt v1.16 - libtommath v0.39 - Cryptohash by drizz all versions up to v1.0 RC4 - FGInt + many more. OTHER - masm32v10lib - fpuv10lib // from masm32 pack - datetimev10lib // from masm32 pack - mfmplayer v? - minifmod v? - pnglib v? - many user identified procedures - many known hash/cipher implementations - textscroller v? lib // requested - rceapi // precompiled + many more. COUNT: 6522 identified functions. OTHER INFO: Requests, incorrectly named functions, fake hits, contribution tips etc. go to me at IRC EFNet. HISTORY: v0.14 08.08.2011 PUBLIC; v0.13 10.01.2011 INTERNAL; v0.12 14.11.2010 INTERNAL; v0.11 05.10.2010 INTERNAL; v0.10 02.07.2010 INTERNAL; v0.09 24.06.2010 INTERNAL; v0.08 30.11.2009 INTERNAL; v0.07 24.09.2009 INTERNAL, mr. anon#3 contributed with: - Pegwit v8.7 // compiled with VC9 - Pegwit modified version found in software - Slavasoft FastCRC Library v1.51 // precompiled - Slavasoft QuickCrypt Library v2.51 // precompiled - Slavasoft QuickHash Library v3.02 // precompiled - libtomcrypt v1.16 // compiled with vs6 and vs2008 - libtommath v0.39 // compiled with vs6 and vs2008; v0.06 19.09.2009 INTERNAL, mr. anon#2 requested: - textscroller lib // precompiled; v0.05 06.09.2009 INTERNAL; v0.04 25.08.2009 INTERNAL; v0.03 24.08.2009 INTERNAL, mr. anon#1 requested: - masm32v10lib // precompiled - fpuv10lib // precompiled - datetimev10lib // precompiled - mfmplayer // precompiled - minifmod // precompiled - pnglib // precompiled; v0.02 25.07.2009 INTERNAL; v0.01 09.07.2009 INTERNAL |
| Also listed in: | IDA FLIRT Signatures |
| Tool name: | TurboDiff |
|---|---|
| Author: | Nicolás Economou |
| Website: | http://tinyurl.com/turbodiff |
| Current version: | 1.01 |
| Last updated: | October 14, 2009 |
| Direct D/L link: | http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=tool&page=turbodiff&file=turbodiff_v1.0.1.zip |
| License type: | GPLv2 |
| Description: | Turbodiff is a binary diffing tool developed as an IDA plugin. It discovers and analyzes differences between the functions of two binaries. |
| Also listed in: | Executable Diff Tools |
| Tool name: | BinDiff |
|---|---|
| Author: | zynamics GmbH |
| Website: | http://www.zynamics.com/bindiff.html |
| Current version: | 2.1 |
| Last updated: | 2009 |
| Direct D/L link: | N/A |
| License type: | Commercial (IDA Pro plugin) |
| Description: | A very powerful executable file diffing tool, in the form of an IDA Pro plugin. |
| Also listed in: | Executable Diff Tools |
| Tool name: | Fast IDB2Sig and LoadMap IDA plugins |
|---|---|
| Author: | TQN |
| Website: | N/A |
| Current version: | 1.5 |
| Last updated: | September 14, 2004 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | It took me two weeks to write two IDA plugins, a renewed, fast IDB2Sig plugin and a new, very fast LoadMap plugin. The IDB2SIG plugin I rewrote based on the original source code and idea of: - Quine (quine@blacksun.res.cmu.edu) - Darko - IDB2PAT of J.C. Roberts <mercury@abac.com>. Thanks all of you very much. I think all of you will allow me to publish the new source code. The LoadMap plugin I wrote based on the idea of Toshiyuki Tega. It supports loading and parsing VC++, Borland (Delphi/BC++/CBuilder) and DeDe map files. And with the two plugins, I needed only two days to create two signature files for Delphi 6/7. Very fast and convenient. Hereafter, we can use the two above plugins to create signature files, load map symbols... Source is included, and plugins are precompiled for IDA 4.5 and 5.2. ---- UPDATED by Swine 06.10.2011: Fixed behavior for 64-bit disassemblies |
| Also listed in: | IDA Signature Creation Tools |
| Tool name: | IDACompare |
|---|---|
| Author: | David Zimmer |
| Website: | http://labs.idefense.com/software/static.php#more_idacompare |
| Current version: | 5.4 |
| Last updated: | March 5, 2009 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | IDACompare is a plugin designed to compare and match up equivalent functions across two IDA databases. IDACompare was primarily designed for analyzing changes across malcode variants, but it should also find good use when conducting patch analysis. Once function matches have been made, names can be ported across disassemblies, or sequentially renamed in both. The project also implements a signature scanner, letting you build your own listing of known functions. |
| Also listed in: | Executable Diff Tools |
| Tool name: | Adobe Flash disassembler |
|---|---|
| Author: | Marian Radu |
| Website: | http://www.hex-rays.com/contest2009 |
| Current version: | |
| Last updated: | November 19, 2009 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Shockwave Flash is a very common and widely used file format that, unfortunately, has not been able to make its way into IDA's recognized file formats. The increasing numbers of grayware and malware SWF files require security researchers to disassemble and analyse such files, and IDA is again an ideal tool to use. The 2 plugins present in this archive will enable IDA to parse SWF files, load all SWF tags as segments for fast search and retrieval, parse all tags that can potentially contain ActionScript2 code, discover all such code (a dedicated processor module has been written for it) and even name the event functions according to the event handled in them (eg. OnInitialize). There are two different modules: a file loader module and a processor module. Together, they make it possible to analyze Flash SWF files with IDA, as simple as that. It was very easy to install and run the plugin: just copy 2 files to the IDA subdirectories and it is ready. Flash files can be loaded very easily into IDA, and you'll see the bytecode, as in the screenshot here below. |
| Also listed in: | Flash Disassemblers |
| Tool name: | Advanced obj and lib IDA signature ripper |
|---|---|
| Author: | gerbay |
| Website: | http://www.woodmann.com/forum/showthread.php?t=9931 |
| Current version: | 1.0 |
| Last updated: | May 23, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | It loads signatures from obj and lib (COFF format) files into the IDA database. It identifies many more labels than FLAIR signatures. FLIRT signature creation is not possible in some situations; for example, you can try to create a FLIRT signature for FlexLM libs, but this plugin will work in such situations too! |
| Also listed in: | IDA Signature Creation Tools |
| Tool name: | AsProtect Signatures for IDA |
|---|---|
| Author: | hnedka |
| Website: | N/A |
| Current version: | 0.1 |
| Last updated: | November 12, 2009 |
| Direct D/L link: | http://rapidshare.com/files/301642596/AsProtect.sig |
| License type: | freeware |
| Description: | Signature pack for IDA that contains many AsProtect functions (~500). Run it on a dumped AsProtect.dll. |
| Also listed in: | IDA FLIRT Signatures |
| Tool name: | ClassAndInterfaceToNames |
|---|---|
| Author: | Frank Boldewin |
| Website: | http://www.reconstructer.org |
| Current version: | |
| Last updated: | June 16, 2007 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | This small IDAPython script scans an idb file for class and interface UUIDs and creates the matching structure and its name. Unfortunately IDA doesn't do this automatically, thus this little helper. It personally helped me a lot while reversing several malware samples using the COM interface, e.g. for browser or Outlook manipulation, BITS file transfer or dumping the protected storage. The script was tested with IDAPython v0.9.0 and Python 2.4. Make sure to copy interfaces.txt + classes.txt + ClassAndInterfaceToNames.py to IDADIR, e.g. C:\Program Files\IDA |
| Also listed in: | (Not listed in any other category) |
| Tool name: | Code Snippet Creator |
|---|---|
| Author: | servil |
| Website: | https://code.google.com/p/idaplugs/downloads/list |
| Current version: | 0.989 beta |
| Last updated: | 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Freeware |
| Description: | Code snippet creator plugin for IDA Pro by servil, version 0.989 beta (Feb 2008). Supported IDA versions: 4.9 and above till API change (tested on 5.2 without backward compatibility enforcement). Basic IDA plugin to automate migration of one or more functions from a host program to a custom assembly project (primarily MASM targeted). Some effort was put into being generic and able to process any processor and format based on a function model using basic assembler data types (byte, word, dword...); however, it is focused on and only properly tested with 32-bit Borland and MSVC code and is expected to give best results for these compilers (generally, the more distant the actual format is from PE-32, the less functionality you may expect); also, all runtime features are only available for PE-32 formats. Major features: * static code and data flowgraph traversal * static data formatting and bounds determining * code and data integrity care * integrated runtime-evaluated addressing resolver (orig. executable required) * integrated process data dumping with emulation of accessed virtual data and stack variables (orig. executable required) * IAT address translation for dynamic runtime builds (PE-32 only) * lexical compatibility adjustments, name conflict resolving and basic output garbage cleanup * final flowgraph (kernel version 5.1 and newer). The plugin is designed to cover all possible address ranges the root function(s) can really access. The plugin is not a click-and-go solution; the only benefit CSC gives is a reduction of boring uphill work - in most cases the output will need manual adjustments to pass the compiler. The plugin always builds a report list highlighting warnings, problems, unsure places, etc.; besides that, doubtful lines are also commented in the source code. Code traversal is based on x-refs, not raw operand values, so that mutual linkage of related ranges can be flexibly adjusted by user offsets or the x-refs manager (see below). The plugin has 4 components: 1. the code ripper itself - this is the main component: basic (optionally recursive) deadcode traversal and creation of the output source file. Additional options and adjustments are available from the startup dialog. Most are obvious enough; two run-time features are explained here: * the runtime-evaluated addressing resolver is useful for discovering indirect or runtime-evaluated jump/call targets (eg. call dword ptr [edx+08h], jmp eax, etc.): while targets are naturally evaluated and reached at run-time in the host application, they are invisible at export time from deadcode, thus they would not be exported at all. The resolver takes care of tracing the real targets and including them in the output - recommended for images written in an OOP language. * the process data dumper recognizes offsets into the image range and into known heap blocks. Currently these dynamic block types are recognized: MSVC malloc, Delphi/CBuilder GetMem, BCC malloc, GNU GCC malloc, VirtualAlloc, stack variables. Relaxing the rules for offset recognition may rapidly increase the amount of false offsets. The runtime engines can process both standalone executables and DLLs under certain conditions (a loader directly executable by CreateProcess is present, loads the DLL at some time and executes the desired code there). 2. indirect flow resolver from external debugger (deprecated). 3. FLIRT names matching (a helper for the code ripper): comparing lib names recognized by FLIRT to real library names is helpful to prevent later linking problems (unmatched names get the library flag removed); works in conjunction with the code ripper's 'include library functions' option turned off. 4. xrefs manager (plugin call parameter 3): view/create/remove user links between any two places of the disassembly. Two samples of usage: for the code ripper to cover code or data ranges not referred to from any of the collected static areas, or to change the anchor point of non-head memory operands (o_mem). |
| Also listed in: | (Not listed in any other category) |
| Tool name: | CodeDoctor |
|---|---|
| Author: | hnedka |
| Website: | N/A |
| Current version: | 0.90 |
| Last updated: | November 12, 2009 |
| Direct D/L link: | see details |
| License type: | freeware |
| Description: | CodeDoctor is a plugin for Olly and IDA. History: 11.11.2009 - 0.90 - initial public release. Functions: 1) Deobfuscate: select instructions in the disasm window and execute this command. It will try to clear the code from junk instructions. Example: Original: 00874372 57 PUSH EDI 00874373 BF 352AAF6A MOV EDI,6AAF2A35 00874378 81E7 0D152A41 AND EDI,412A150D 0087437E 81F7 01002A40 XOR EDI,402A0001 00874384 01FB ADD EBX,EDI 00874386 5F POP EDI Deobfuscated: 00874372 83C3 04 ADD EBX,4. 2) Deobfuscate - Single Step: this works like the previous command, but does one transformation at a time. 3) Move NOPs to bottom: converts this: 00874396 50 PUSH EAX 00874397 90 NOP 00874398 90 NOP 00874399 52 PUSH EDX 0087439A BA 3F976B00 MOV EDX,somesoft.006B973F to this: 00874396 50 PUSH EAX 00874397 52 PUSH EDX 00874398 BA 3F976B00 MOV EDX,somesoft.006B973F 0087439D 90 NOP 0087439E 90 NOP. Limitations: it breaks all jumps and calls pointing inwards. 4) Undo / Redo: undo or redo the last operation (from one of the above functions). 5) Retrieve Jumpy function: this will statically parse instructions and follow all jumps. This is useful for situations when the program jumps here and there and here and there... When it encounters some instruction that can't be followed, it stops and copies all parsed instructions to an allocated place in memory. Use settings to set some parameters: Step over calls - if set, it will step over calls, otherwise it will follow them. Step over jccs - ditto, but for Jccs. Deobfuscate - it will deobfuscate instructions when it encounters Jcc, RET, JMP reg/exp, CALL reg/exp; useful for multi-branch. Example: Original: 00874389 /EB 05 JMP SHORT somesoft.00874390 0087438B |
| Also listed in: | Deobfuscation Tools, OllyDbg Extensions, Resource Editors, Unpacking Tools |
| Tool name: | Com helper |
|---|---|
| Author: | servil |
| Website: | https://code.google.com/p/idaplugs/downloads/list |
| Current version: | 2 |
| Last updated: | 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Freeware |
| Description: | Improved version of DataRescue's com helper plugin. |
| Also listed in: | (Not listed in any other category) |
| Tool name: | CoverIt |
|---|---|
| Author: | Ilfak Guilfanov |
| Website: | http://www.hexblog.com/2006/03/coverage_analyzer.html |
| Current version: | 1.0 |
| Last updated: | March 27, 2006 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | A code coverage plugin for IDA Pro. It colors all executed instructions directly inside the IDA GUI, including any collapsed functions containing executed instructions. |
| Also listed in: | Code Coverage Tools |
| Tool name: | Delphi 6 Full IDA Signatures |
|---|---|
| Author: | TQN |
| Website: | N/A |
| Current version: | 1.0 |
| Last updated: | September 14, 2004 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | I am very glad to tell you: Wow, at last, I have finished creating the full IDA signatures for Delphi 6 (RTL/VCL/BDE/CLX...). |
| Also listed in: | IDA FLIRT Signatures |
| Tool name: | Delphi 7 Full IDA Signatures |
|---|---|
| Author: | TQN |
| Website: | N/A |
| Current version: | 1.0 |
| Last updated: | September 14, 2004 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | I am very glad to tell you: Wow, at last, I have finished creating the full IDA signatures for Delphi 7 (RTL/VCL/BDE/CLX...). |
| Also listed in: | IDA FLIRT Signatures |
| Tool name: | Desquirr - Decompiler Plugin for IDA Pro |
|---|---|
| Author: | David Eriksson |
| Website: | http://desquirr.sourceforge.net/desquirr/ |
| Current version: | 20070130 (desquirr-20070130-bin-ida_v5_0.zip) |
| Last updated: | November 13, 2003 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Desquirr is a decompiler plugin for IDA Pro. Desquirr currently consists of a little more than 5000 lines of C++ code, not counting empty lines or lines beginning with comments. Read the Master Thesis at http://desquirr.sourceforge.net/desquirr/desquirr_master_thesis.pdf |
| Also listed in: | Decompilers |
| Tool name: | Dump_all/load_all Set Of Tools For IDA 5.x |
|---|---|
| Author: | deroko / ARTeam |
| Website: | http://arteam.accessroot.com |
| Current version: | 1.0 |
| Last updated: | September 23, 2008 |
| Direct D/L link: | http://arteam.accessroot.com/releases.html?fid=46 |
| License type: | Free |
| Description: | A set made of two programs (an IDA plugin and a dumper) useful to analyze dumped memory regions inside IDA. Useful for malware or VM analysis of dynamically allocated memory code sections (full sources included). dump_all/load_all set of tools by deroko ARTeam. dump_all.exe is a program which will dump all regions of a certain executable into a specified folder. All dumps are stored as r00000000.dmp where 00000000 is the virtual address of a particular memory region. The advice is to always create a new folder for these dumped regions, as load_all will load all of these regions into the IDA database. Just to keep everything organized, and to avoid loading of wrong files, which could occur under some circumstances. load_all.plw is an IDA plugin which will actually load all of these memory regions into the IDA database. The example plugin is compiled with the IDA 5.2 SDK, but you may compile it for other versions too. The plugin will prompt you for a file, so you are free to select any of these .dmp files, and the plugin will load all of them into the database. This could be useful when analyzing malware or some protection with many buffers, for better analysis of a VM, or import protection. This will avoid the need to dump regions manually. |
| Also listed in: | (Not listed in any other category) |
| Tool name: | ExtraPass |
|---|---|
| Author: | Sirmabus |
| Website: | https://www.openrce.org/blog/view/839/An_%22extra_pass%22_for_IDA_Pro |
| Current version: | 2.1 |
| Last updated: | February 8, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | I made this little IDA plug-in to help working with some Win32 targets that don't disassemble so well. In particular exe's that have a lot of C++ indirections and lots of embedded script stubs. It basically does a few more passes over an IDA code section. Prefers code over data. It can find a lot of missing code, functions, and alignment blocks. Works particularly well on large EXE's where there is a lot of disconnected code from heavy C++ OOP, script binds, etc. Intended for typical Win32, mainly Microsoft compiled binaries. Won't work well (probably for the worse) with Delphi EXE's since those tend to have a lot of mixing of constant data in the ".text" section, but the align and missing function options might be of use still. My 2nd attempt at it, it's simple but it works well. IMHO it's working well now. Really can clean up discombobulated code. [Feb, 8, 2007] 2.1 A lot of improvement! [Nov, 26, 2007] 2.0 version. Now fixes align blocks, and finds missing functions, plus has a UI. [Aug, 28, 2007] New and improved. |
| Also listed in: | (Not listed in any other category) |
| Tool name: | flowinsp |
|---|---|
| Author: | servil |
| Website: | https://code.google.com/p/idaplugs/downloads/list |
| Current version: | 0.977 beta |
| Last updated: | 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | Runtime-evaluated addressing resolver plugin for IDA Pro by servil, version 0.977 beta. Flow Inspector reveals run-time evaluated call/jump targets (eg. call dword ptr [ecx+1ch], jmp eax, etc), especially suitable for binaries written in a high-level language using OOP. Resolving is done in application tracing mode (thus the debuggee is fully run during plugin activity). Flowinsp only runs for Win32-PE targets (due to the tracing layer API). It is optional how the caller -> callee pairs are described in the idabase (as comments, x-refs, or by renaming the o_mem address). |
| Also listed in: | (Not listed in any other category) |
| Tool name: | Fubar |
|---|---|
| Author: | servil |
| Website: | https://code.google.com/p/idaplugs/downloads/list |
| Current version: | 0.982 beta |
| Last updated: | 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Freeware |
| Description: | fubar plugin v0.982 eternal beta: post-analysis tasks for IDA Pro by servil. Supported IDA versions: 4.90 and above till API change (tested on 5.2 without backward compatibility enforcement). Various additional idabase formatting and describing; main units: * resource parser and dereferencer * MFC message map parser * VCL object templates parser * more... See the main dialog for available steps; most jobs are obvious enough. |
| Also listed in: | (Not listed in any other category) |
| Tool name: | Function String Associate |
|---|---|
| Author: | Sirmabus |
| Website: | http://www.woodmann.com/forum/showthread.php?t=11748 |
| Current version: | |
| Last updated: | May 13, 2008 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | I thought of this idea the other day based on the observation of "assert()", development, debug text strings, etc., that software developers often leave in programs I want to reverse. As I'm sure others do, I look at these comments to help me determine what a particular function is for (x86 binary targets that is). I thought, wouldn't it be nice to somehow data mine this stuff and automatically put some of it as a function comment? Based on this, what this plug-in does is iterate through every function in IDA and auto-comment every function that has these strings (unless it already has a comment). It applies a little logic to it, to try to put the most relevant strings first. Sort of a proof of concept thing. It's hard to say how useful it is yet. So far it does seem to help as I browse around a DB. I'm putting together things a bit faster because of it. Of course it only works as well as your target uses such messages mixed in its code. So far on programs I've used it on, the plug-in finds such strings in about 15% of all functions. With source. If you expand on the idea, add helpful modifications, etc., share them please. |
| Also listed in: | (Not listed in any other category) |
| Tool name: | GUID-Finder |
| ||
|---|---|---|---|---|
| Author: | Sirmabus | |||
| Website: | http://www.openrce.org/repositories/users/Sirmabus | |||
| Current version: | 1.0b | |||
| Last updated: | January 17, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | A GUID/UUID finding/fixing IDA plug-in. The COM side of RE'ing (at least with "dead listing") can be pretty elusive. With this you can at least partially glean what interfaces and classes a target is using. This plug-in scans the IDB for class and interface GUIDs and creates the matching structure with label. IDA can find these on its own, but it often misses them, so this can fill in the gap. Plus this plug-in allows you to easily add custom declarations, and is handy to do a general audit for such GUIDs.
This is based on Frank Boldewin's IDA Python script that you can find here: http://www.openrce.org/downloads/details/250/ClassAndInterfaceToNames or off his home page: http://www.reconstructer.org/code/ClassAndInterfaceToNames.zip
It's a great utility, I found myself using it regularly. But I wanted one that wasn't dependent on IDA Python, and one that might be a bit faster. I've made some enhancements too (see below).
Some interesting reading: http://en.wikipedia.org/wiki/Globally_Unique_Identifier http://en.wikipedia.org/wiki/UUID
[How to run it]
Just invoke it using your selected IDA hot-key, or from "Edit->Plugins". Normally you will want to keep the "Skip code segments for speed" check box checked, because it can make a big difference in the run time. With it unchecked, code segments are also scanned. You'll want to scan the code too if the target is Delphi, or others where data tends to be in the code/.text segment, or if you just want to be more thorough. It might take some time to scan everything depending on the size of the IDB, your computer, etc. When it's done, you should see a list of interfaces and classes in the IDA log window. If you want to go look at a particular entry to RE (to look at xrefs, etc.) just click on the line and IDA will jump to it.
[How it works]
1. Loads in GUID/UUID defs from the two text files "Interfaces.txt" and "Classes.txt". A little enhancement here over Frank's format: you can have blank lines and comments prefixed with '#' (first char, whole line only. Not a very forgiving parser). In the source is "DumpLib", a utility I created to parse LIB files (like "uuid.lib") to gather more GUIDs. As of this build, it's a collection of Frank's original UUIDs plus all the ones to be found in VS2005 libraries along with DirectX 9.1. There could be more explicitly created in header (.h/.hpp) files but I have yet to make a utility to parse them. If you want to add custom GUID defines (from 3rd party software, etc.), just edit these text files manually.
2. After it loads in the defs, the plug-in iterates through all segments in your currently open IDB. By default it will skip code/".text" segments, and import/export segments for speed. Usually you find GUIDs in the ".rdata" and ".data" segments. I originally intended to sort all the GUIDs by similarity and search with partial wild cards for speed. If you take a look at the GUID defs you will see that many GUIDs share common numbers that often differ only by the least significant digits ("Data4"). At least in theory, searching for groups with wild cards should make searching faster. Maybe next version..
[Known problems/issues/limitations]
1. If a given GUID 16-byte def just so happens to match something that is not really a GUID, the plug-in will try to convert it to one regardless (another reason not to run it over code sections). So far I have not found this to be much of an issue, although it could be. Could add a confirm dialog for each to let the user decide.
2. Some GUID set operations will fail. This is usually because something is bad/wrong at the particular address; like a partial code def, or an incorrect xref. The plug-in will display most of these errors in the IDA log window for manual correction.
3. TODO: Other GUID types like "DIID", "LIBID", "CATID", useful? | |||
| Also listed in: | COM Debugging Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Guid Scanner |
| ||
|---|---|---|---|---|
| Author: | ajron | |||
| Website: | http://ajron.vtools.pl/en/guidscanner.html | |||
| Current version: | build 101114 | |||
| Last updated: | November 14, 2010 | |||
| Direct D/L link: | http://vtools.pl/pliki/scan4g.rar | |||
| License type: | Free | |||
| Description: | This tool scans PE files (exe, dll, etc.) for Globally Unique IDentifiers (Classes and Interfaces) in 16-bytes binary form. The results can be copied to the clipboard or saved as a script for the IDA disassembler and applied in the IDA database. Usage: scan4g.exe [path] | |||
| Also listed in: | COM Debugging Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Hex-Rays |
| ||
|---|---|---|---|---|
| Author: | Hex-Rays sprl (Ilfak Guilfanov) | |||
| Website: | http://www.hex-rays.com | |||
| Current version: | 1.0 | |||
| Last updated: | September 17, 2007 | |||
| Direct D/L link: | N/A | |||
| License type: | Commercial (IDA Pro plugin) | |||
| Description: | Hex-Rays was created by Ilfak Guilfanov, the famous author of IDA Pro. It is a commercial IDA Pro plugin, and aims to be the best decompiler ever created. | |||
| Also listed in: | Decompilers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Hotch |
| ||
|---|---|---|---|---|
| Author: | sp | |||
| Website: | http://www.the-interweb.com/serendipity/index.php?/archives/108-Hotch-1.0.0.html | |||
| Current version: | 1.0.0 | |||
| Last updated: | July 10, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Hotch - named after everyone's favourite TV profiler - is an IDA plugin that can be used to profile binary files. It sets breakpoints on all basic blocks of a program, records breakpoint hits and tries to figure out statistics from these hits. Click here to see an example of a simple profiling session (starting Notepad and exiting Notepad again). Click here to see a huge 6.5 MB results file that shows a larger profiling session (loading a file in Notepad and playing around in it).
Random Notes:
* "This is really slow for larger files". Yeah, it is really slow in IDA up to 5.2 but Ilfak fixed some things in IDA 5.3 and it works acceptably fast now. So patience, young padawan.
* "The timing results don't really make sense". Yeah, I know. Since I execute a callback function after each breakpoint hit, tight loops take disproportionately much time. For anything but tight loops the timing results should kinda work, at least relative to each other of course.
* Ignore the source file libida.hpp, it's an early version of my experimental-at-best C++ wrapper library for the IDA SDK.
* I take feature requests for Hotch. | |||
| Also listed in: | Code Coverage Tools, Profiler Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDA 2 PAT |
| ||
|---|---|---|---|---|
| Author: | J.C. Roberts | |||
| Website: | N/A | |||
| Current version: | 1.0 | |||
| Last updated: | ||||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | For the most part, this plugin is an exercise in futility. There are very few valid reasons why anyone should ever want to build signatures of the functions in an existing disassembly. There are better reasons, methods and tools for creating signatures for use with IDA. Most importantly, the right way to create signatures is from object files, object libraries or dynamically linked libraries, so please realize this plugin is nothing more than a kludge since we are asking FLAIR to do something it was not designed to do.
**********************************************************************
Option: Create patterns for Non-Auto Named Functions
If you find the rare situation where you want to make patterns from functions in an existing database, this option is probably your best bet. It will only create patterns for functions without auto generated names and it will exclude functions marked as libraries (e.g. they were already found and named through other FLAIR signatures). You may want to remove named functions like _main and WinMain from the resulting pattern file, since these will already exist in the disassembly where it's applied.
**********************************************************************
Option: Create Patterns for Library Functions Only
I did include the ability to build patterns for functions IDA has already marked as libraries. This is for people doing source code recovery/recreation since the pattern file can be further parsed to figure out which header files are needed. There are probably better ways to go about this as well but until I have time to write a specific plugin for figuring out which headers are included, this can give you a step in the right direction. Outside of gathering information on applied library signatures, this feature is pointless since you're building patterns for functions that were previously found with other signatures you already have.
**********************************************************************
Option: Create Patterns for Public Functions Only
This could be useful when dealing with a situation where functions were once stored in a DLL and are now statically linked in an executable. It may still be a better bet to build a signature from the DLL and then apply it to the statically linked executable.
**********************************************************************
Option: Create Patterns For Everything
You generally do NOT want to build patterns for every function in the disassembly. The only place where I can see a legitimate use for creating signatures of every function in the database is if your goal is to see how similar two executables are. Instead of using a hex editor and doing a re-synchronizing binary compare between the two executables, you could use IDA signatures to get a different/better way to visualize the similarities. There are a lot of problems with trying to do this. The first and most obvious problem is reserved name prefixes (e.g. sub_) on auto generated function names. Another cascading problem is of course references to these names within other functions and whether or not to keep these references in the patterns in order to cut down the number of collisions. There are plenty of other problems with this approach that I won't mention but there are quite a few of them.
I've hacked together a simple work-around. When the user has selected everything mode, the plugin will prepend the auto generated function names with FAKE_ and references to these sub routines are kept to reduce collisions. This should (in theory) work, since every reference will also have its own public pattern in the resulting file. In other words, the named references will resolve to another (public) function pattern in the file. The problem with this approach is of course having erroneous address numbers in names of functions where the signature is applied (e.g. the name FAKE_sub_DEADBEEF could be applied to any address where a matching function is found). My guess why this will work is because a module in a library may have a by-name reference to another object in the library. The pattern file of a library would keep the references, since the names are defined in other pattern lines of the file. Of course I could be wrong but it's worth a shot. If need be, comment out the "sub_" tests in part #7 (references) of make_pattern() to get rid of the refs.
**********************************************************************
Option: Create Pattern For User Selected Function
This allows the user to select a function from the list and create a pattern for it. It does not work on functions with auto generated names but probably could with a bit more work.
----------------------------------------------------------------------
LIMITATIONS:
* References and tail bytes are only used by sigmake to resolve collisions. Auto generated names with reserved prefixes "loc_" "byte_" "dword_" are not going to be repeatable in the binary where you would apply the resulting signature. If those references were kept and used to resolve a collision, you'd end up with a useless signature that would not be applied because those names do not exist in the executable where the resulting signature is being applied.
* Reference offsets that are greater than 0x8000 bytes from the function start may make this plugin explode or, more likely, just make unusable patterns.
* All references are assumed to be 4 bytes long. This will cause some problems for situations (e.g. processors) where this is not true.
----------------------------------------------------------------------
TODO:
* Error checking for reference offsets > 0x8000
* Change reference length from being fixed at 4 bytes.
* Create "append" versus "overwrite" dialog.
* Deal with the user choosing a function with an auto generated name in the "Single Function" mode.
----------------------------------------------------------------------
DEVELOPMENT:
I did this in MSVC++ v6. There are two projects in the workspace. One is for the plugin and the other for IDAG.EXE so we can debug the plugin once IDA loads it, e.g. start the plugin and break at the choose file dialog. In the list of modules, you'll find "run()" and other functions from the plugin. Depending on where you install IDA, you'll need to adjust where the plugin is written. I've got output set to "C:\IDA\PLUGINS\IDB2PAT.plw". The same is true for the location of the SDK and such. When it's set to build the debug version, there will be a lot of warnings due to info truncation of debug symbols. It's not a big deal. | |||
| Also listed in: | IDA Signature Creation Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDA Free 4.9 SDK Library Patch |
| ||
|---|---|---|---|---|
| Author: | xtc | |||
| Website: | http://www.woodmann.com/forum/showthread.php?t=10756 | |||
| Current version: | 0.1 | |||
| Last updated: | November 7, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | This package is for patching the Visual C++ libraries of the IDA 4.9 SDK to work with the free version. The included patchlib program serves two purposes: 1) Remap the export ordinals to match the free version of ida.wll. 2) Ensure that names are not used when importing from the library. To facilitate the remapping, patchlib needs two files, ida.wll.exports and ida.wll.names. ida.wll.exports contains a list of remapped ordinals and undecorated symbol names. ida.wll.names contains a list of decorated symbols. With the patched library you can build loaders and plugins. Processor modules are blocked by the free version. | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDA Inject |
| ||
|---|---|---|---|---|
| Author: | Jan Newger | |||
| Website: | http://newgre.net/idainject | |||
| Current version: | 1.0.3 | |||
| Last updated: | July 18, 2008 | |||
| Direct D/L link: | http://newgre.net/system/files/IDAInject.rar | |||
| License type: | Free / Open Source | |||
| Description: | This plugin allows you to inject dlls into a debugged process, either prior to process creation or when the debugger is attached. The injected dll can then do some fancy stuff inside the debugged process. To realize dll injection before process creation, new import descriptors are added to the image import directory of the debuggee, whereas injection into an already running process is realized via shellcode injection, which in turn loads the dll in question. In either case, a full path to the dll can be supplied, so it is not necessary for the dll to be in the search path. | |||
| Also listed in: | Code Injection Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDA Plugin Depack APlib And LZMA |
| ||
|---|---|---|---|---|
| Author: | deroko / ARTeam | |||
| Website: | http://arteam.accessroot.com | |||
| Current version: | 1.0 | |||
| Last updated: | September 23, 2008 | |||
| Direct D/L link: | http://arteam.accessroot.com/releases.html?fid=45 | |||
| License type: | Free | |||
| Description: | A plugin for IDA 5.2 and later, to decompress aplib or lzma packed data in your target when analyzing with IDA. The plugin supports aPLib, which is quite common in malware, but there's also support for packman lzma compression, even if this one is very rare. Run the plugin by pressing CTRL+9 and you will be prompted with a window for unpacking, or simply go to Edit->plugins->aplib depack. Full C sources are included as well. See the readme.txt for further details and instructions. | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDA2PAT Reloaded |
| ||
|---|---|---|---|---|
| Author: | Sirmabus | |||
| Website: | http://www.woodmann.com/forum/showthread.php?t=11916 | |||
| Current version: | 1.0B | |||
| Last updated: | July 19, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | An IDA Pro 5.xx plug-in to generate a pattern file. You've probably seen one or more of the different variants of this plug-in: "ida2sig", "ida2pat", etc. We want to create a pattern (".pat") file to assemble a FLIRT signature file (".sig"), using the FLAIR utility "sigmake.exe". This will allow one to apply these sigs to help port updates, etc. I had preferred TQN's "ida2sig" version since it was the fastest (see below) I could find. But it had the same problems as the previous version. And I wanted to make a build I could update with the latest FLAIR lib, etc.
[How to run it]
1. Invoke it using your selected IDA hot-key or from "Edit->Plugins".
2. Select the destination ".pat" file.
3. After it is done, convert your pattern file into a signature file using "sigmake.exe".
[Design & Outstanding issues]
There are zero options, the assumption is you want to save only, and all function names that are not autogenerated. That is for the most part, all functions that are not "sub_69B470", and "unknown_libname_228". There are unfortunately ambiguities, and errors using function name flags like "pFunc->flags & FUNC_LIB", "is_public_name()", "dummy_name_ea()", etc., to determine what is a library, public, etc., function.
Biggest hurdle, consider this.. You go do your RE work, you rename some functions with a name that makes sense to you; or you just rename it specifically so you can come back to it later using a custom sig, etc. Maybe all is well the first time because IDA will see it as a user function and thus traditional IDA2PAT will create a pattern for it. But next time after an update, etc., you apply the sig. It is no longer a "user function", IDA marks it as a library, or worse as autogenerated. Don't like this. We want to be able to apply a sig, work on the DB, rename some functions with better fitting names as my understanding grows, etc., then create new patterns and not have name collisions, etc.
AFAIK there is no solid way to determine what is "autogenerated", "user-generated" or otherwise, using the stock IDA SDK functions. What "IDA2PAT Reloaded" does is solely rely on function name patterns instead. It simply rejects functions that start with "sub_..", "unknown_libname_..", or that start with the characters '$', '@', '?', and '_', etc. This will be a problem if you intentionally use something like "sub_MyFunction", or "unknown_libname_MyFunction", etc., as your naming convention. This design assumes IDA is set up to display autogenerated function names as "sub_xxxxxx", etc., in the defaults.
Speed: TQN's version was definitely faster than the others; he replaced the file streaming "qfprintf()" with a very large buffer, then saved the buffer at the end. The real issue was a single "qflush()" call after each pattern create in Quine's original code. FYI, a file "flush" causes the OS to flush its write cache, causing a file performance hit. As a baseline, just iterating through around 100k functions (with zero processing) takes ~12 seconds on my machine on average. Thus, any processing on top of that is just additive. IDA2PAT-Reloaded only adds ~3 seconds to the baseline on a modern machine. | |||
| Also listed in: | IDA Signature Creation Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDA2SICE |
| ||
|---|---|---|---|---|
| Author: | Mostek | |||
| Website: | http://mostek.subcultural.com | |||
| Current version: | 4.09 | |||
| Last updated: | October 30, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | IDA to SoftIce is an IDA plugIn which loads IDA symbols into SoftIce. It can export them as an nms file too. To get the last version go to the News page. I started the project in May 2000 and it took me almost 9 months to reverse everything needed to make the plugIn (well, around 4 months of real work). The main reason for the plug was that at that time, you could only see global procedures and variables. And because there were no local variables in SIce, reversing was really a pain in the .... So this plugIn solves that. :)
Some info: Currently PE and LE file types are supported. Use the map2sice utility for all other types (included in the package). One of the nicest features of the plug is that you can see structures in SIce. ex.: In IDA you set a local/global structure and when in SIce you can use the command '? myStructure' or '? myStructure.element.element', ..... The plugIn supports structure(union) in structure(union). | |||
| Also listed in: | SoftICE Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDAAPIHelp |
| ||
|---|---|---|---|---|
| Author: | Frank Boldewin | |||
| Website: | http://www.reconstructer.org | |||
| Current version: | 0.3 | |||
| Last updated: | October 17, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | IDAAPIHelp is a small IDAPython script that saves time when searching for API information while e.g. analyzing malware with IDA Pro. It looks at the cursor position for a valid API call and, if one is found, tries to show you the eligible API info from the provided help file. | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDAPerl |
| ||
|---|---|---|---|---|
| Author: | Willem Jan Hengeveld | |||
| Website: | http://www.xs4all.nl/~itsme/projects/idcperl | |||
| Current version: | 0.3 | |||
| Last updated: | May 12, 2008 | |||
| Direct D/L link: | N/A | |||
| License type: | Free / Open Source | |||
| Description: | IDAPerl is a plugin for IDA Pro which adds Perl scripting support. | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Key-lok II C++ library IDA Signatures |
| ||
|---|---|---|---|---|
| Author: | prt | |||
| Website: | N/A | |||
| Current version: | rev1 | |||
| Last updated: | July 5, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | IDA Signature: Key-lok II C++ library version: rev1 | |||
| Also listed in: | Dongle IDA Signatures, KEYLOK Dongle Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | MFC42Ord2FuncNames |
| ||
|---|---|---|---|---|
| Author: | Frank Boldewin | |||
| Website: | http://www.reconstructer.org | |||
| Current version: | ||||
| Last updated: | June 03, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | MFC42Ord2FuncNames is a small IDAPython script which converts MFC42 functions to their real names. Normally IDA Pro should do this automatically, but in some cases the IDA auto-analysis fails. Watch the short flash movie included in the package for details. | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | mIDA |
| ||
|---|---|---|---|---|
| Author: | Tenable Network Security | |||
| Website: | http://cgi.tenablesecurity.com/tenable/mida.php | |||
| Current version: | 1.0.10 | |||
| Last updated: | October 21, 2008 | |||
| Direct D/L link: | http://cgi.tenablesecurity.com/tenable/dl.php?p=mIDA-1.0.8.zip | |||
| License type: | Free | |||
| Description: | mIDA is a plugin for the IDA disassembler that can extract RPC interfaces from a binary file and recreate the associated IDL definition. mIDA is free and fully integrates with the latest version of IDA (5.0). This plugin can be used to:
* Navigate to RPC functions in IDA
* Analyze RPC function arguments
* Understand RPC structures
* Reconstruct an IDL definition file
The IDL code generated by mIDA can, most of the time, be recompiled with the MIDL compiler from Microsoft (midl.exe). | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Mapgen |
| ||
|---|---|---|---|---|
| Author: | servil | |||
| Website: | https://code.google.com/p/idaplugs/downloads/list | |||
| Current version: | 0.985 beta | |||
| Last updated: | 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Freeware | |||
| Description: | map file exporter plugin for ida pro by servil, version 0.985 beta
the plugin extends mapfile generating to export better information into ollydbg. exported files can be processed by the modified mapconv plugin included in this archive.
features:
- imports comments as comments and labels as labels
- all segments
- relocated images (dlls) taken into account
- extended by exporting local variables, enums, struct offsets, register variables and forced operands | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Matrix Dongle 2.6.0 IDA Signatures |
| ||
|---|---|---|---|---|
| Author: | Sope | |||
| Website: | N/A | |||
| Current version: | ||||
| Last updated: | September 13, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | ||||
| Description: | Recently, while RE'ing a target I had to create an IDA signature file for Matrix Dongle ver 2.6.0, hence uploaded here. It will help you to identify many functions. | |||
| Also listed in: | Dongle IDA Signatures, Matrix Dongle Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Matrix Dongle C++ library IDA Signatures |
| ||
|---|---|---|---|---|
| Author: | prt | |||
| Website: | N/A | |||
| Current version: | rev1 | |||
| Last updated: | August 5, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | IDA Signature: Matrix Dongle C++ library version: rev1 2007.08.05 rev1: Matrix SDK v2.60 | |||
| Also listed in: | Dongle IDA Signatures, Matrix Dongle Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Ordinal imports/exports resolver |
| ||
|---|---|---|---|---|
| Author: | servil | |||
| Website: | https://code.google.com/p/idaplugs/downloads/list | |||
| Current version: | 1 | |||
| Last updated: | 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Freeware | |||
| Description: | Ordinal imports resolver | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | PDB |
| ||
|---|---|---|---|---|
| Author: | servil | |||
| Website: | https://code.google.com/p/idaplugs/downloads/list | |||
| Current version: | ? | |||
| Last updated: | 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Freeware | |||
| Description: | This is yet another extension built on the original Datarescue's PDB plugin. Main enhancements over the original plugin:
* Integrates advantages of the Microsoft Debug Information Accessor (DIA). The interface provided by DIA offers a more complete description of the executable than the DbgHelp (ImageHlp) API. If the DIA server is not installed, DbgHelp's engine is used (use the newest version possible to achieve best results).
* Preserved name mangling on public symbols (ida still shows the C prototype where full ida typeinfo can't be successfully set).
* Replication of complex types (struct, enum) and typedefs from PDB.
* Scoped UDT members handled (inherited members and nested typedefs, structs and enums).
* Exact format for static data symbols and static struct members, forced code at function start (extern symbols format preserved).
* Full ida typeinfo for static symbols and struct members.
* Names, exact format and full ida typeinfo for function arguments and local symbols stored at frame, recursive traversal of all nested sub-blocks of a function (with DIA only). Supported (both top and bottom) ebp- and esp-based frame models; support for register variables and params was removed during testing (see known problems and anomalies/#3).
* Source lines import into idabase where the file is accessible (as anterior lines).
* Foreign program databases support for importing data types only. Selective filtering of unwanted types is offered before own storage. For this feature call the plugin with argument 2 (use an IDC command or edit plugins.cfg for that).
* Lots of minor adjustments not worth mentioning.
* No UI (lazy) - always apply all features.
Source code included. | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | patchdiff2 |
| ||
|---|---|---|---|---|
| Author: | Nicolas Pouvesle | |||
| Website: | http://code.google.com/p/patchdiff2/ | |||
| Current version: | 2.0.8 | |||
| Last updated: | June 10, 2010 | |||
| Direct D/L link: | http://patchdiff2.googlecode.com/files/patchdiff2_0_8.zip | |||
| License type: | GNU General Public License v2 | |||
| Description: | PatchDiff2 is a plugin for the Windows version of the IDA disassembler that can analyze two IDB files and find the differences between them. PatchDiff2 is free and fully integrates with the latest version of IDA (5.6). The plugin can perform the following tasks:
- Display the list of identical functions
- Display the list of matched functions
- Display the list of unmatched functions (with the CRC)
- Display a flow graph for identical and matched functions
The main purpose of this plugin is to be fast and give accurate results when working on a security patch or a hotfix. Therefore this tool is not made to find similar functions between two different programs. Patchdiff2 supports all processors that IDA can handle and is available in two versions: 32 bit and 64 bit. | |||
| Also listed in: | Diff Tools, Executable Diff Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | ProcessStalker GDL Viewer |
| ||
|---|---|---|---|---|
| Author: | AmesianX | |||
| Website: | https://www.openrce.org/forums/posts/707 | |||
| Current version: | 1.0 | |||
| Last updated: | January 28, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | A GUI plugin for bringing up the GDL graphs of ProcessStalker directly inside IDA Pro. | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Reveal Imports |
| ||
|---|---|---|---|---|
| Author: | ZaiRoN | |||
| Website: | http://zairon.wordpress.com/2008/11/04/ida-plugin-reveal-imports/ | |||
| Current version: | 1.0 | |||
| Last updated: | November 4, 2008 | |||
| Direct D/L link: | http://www.box.net/shared/static/pbm0okvb86.zip | |||
| License type: | Free | |||
| Description: | The plugin reveals the imports of a dumped process. It will come in handy when you need to analyze a dump without rebuilding the file using an external tool. Usage: put the plugin inside the IDA plugin directory; to run it, hit ALT+z. Here is a screenshot. As you can see, the plugin creates a new window filled with the revealed imports. | |||
| Also listed in: | (Not listed in any other category) | |||
| Tool name: | Rockey4 2.x Dongle C++ library IDA Signatures |
| ||
|---|---|---|---|---|
| Author: | prt | |||
| Website: | N/A | |||
| Current version: | rev1 | |||
| Last updated: | July 5, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | IDA Signature: Rockey4 v2.x C++ library version: rev1 2007.07.05 rev1: Add Rockey4 v2.05 Add Rockey4 v2.06 | |||
| Also listed in: | Dongle IDA Signatures, Rockey Dongle Tools | |||
| Tool name: | Rockey4ND 1.x Dongle C++ library IDA Signatures |
| ||
|---|---|---|---|---|
| Author: | prt | |||
| Website: | N/A | |||
| Current version: | rev2 | |||
| Last updated: | October 11, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | IDA Signatures: Rockey4ND v1.x C++ library 2007.07.05 rev1: Add Rockey4ND v1.20 2007.10.11 rev2: Add Rockey4ND v1.15 Add Rockey4ND v1.16 | |||
| Also listed in: | Dongle IDA Signatures, Rockey Dongle Tools | |||
| Tool name: | SSL Key/Cert Finder |
| ||
|---|---|---|---|---|
| Author: | Tobias Klein | |||
| Website: | http://www.trapkit.de/research/sslkeyfinder/ | |||
| Current version: | 1.0 | |||
| Last updated: | February 5, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | IDA plugin that finds and extracts SSL keys/certs from executables. | |||
| Also listed in: | Crypto Tools | |||
| Tool name: | Safenet Sentinel Hardware Keys 1.x C++ library IDA Signatures |
| ||
|---|---|---|---|---|
| Author: | prt | |||
| Website: | N/A | |||
| Current version: | rev1 | |||
| Last updated: | November 15, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | New sentinel dongle: http://www.safenet-inc.com/products/sentinel/hardware_keys.asp IDA Signature: Safenet Sentinel Hardware Keys v1.x C++ library version: rev1 2006.11.15 rev1: Sentinel Hardware Keys v1.0.2 | |||
| Also listed in: | Dongle IDA Signatures, Sentinel Dongle Tools | |||
| Tool name: | Scripts for Perl Decompiling |
| ||
|---|---|---|---|---|
| Author: | Swine | |||
| Website: | N/A | |||
| Current version: | 1.0 | |||
| Last updated: | April 1, 2011 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free/GPL | |||
| Description: | Bash & IDA scripts for automated decompiling of Perl programs compiled by perlcc REVISION HISTORY Version Author Date 1.0 Swine ???????? perlcc parses the Perl script and generates C code (which is in turn compiled to an executable through CC) that initializes the execution tree, which is later interpreted through the documented perl_run function. The execution tree can be decompiled by the documented Perl B::Decomp module (in the latest Perl releases this module has gone, along with perlcc). The trick is to inject the call to the decompiler into the target program. See the README inside the archive for further details. | |||
| Also listed in: | Decompilers, IDA IDC Scripts | |||
| Tool name: | Sentinel SuperPro 6.x Dongle C/C++ library IDA Signatures |
| ||
|---|---|---|---|---|
| Author: | prt | |||
| Website: | N/A | |||
| Current version: | rev7 | |||
| Last updated: | April 17, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | IDA Signature: Sentinel SuperPro v6.x C/C++ library version: rev7 2007.04.11 rev7: Fixed some Sentinel obfuscated functions. (Thanks to Meteo) 2007.03.01 rev6: Fixed Sentinel obfuscated functions. (Thanks to Meteo) 2006.10.27 rev5: Add Sentinel SuperPro v6.4.4 Add Sentinel SuperPro v6.4.3 2006.03.11 rev4: Add Sentinel SuperPro v6.4.2 Add Sentinel SuperPro v6.4.1 2005.05.07 rev3: Add Sentinel SuperPro v6.4 2004.12.31 rev2: Add Sentinel SuperPro v6.3.1.9 Add Sentinel SuperPro v6.3.1.8 Add Sentinel SuperPro v6.3.1.2 Add Sentinel SuperPro v6.3.1.1 2004.12.09 rev1: Add Sentinel SuperPro v6.3.1.10 Add Sentinel SuperPro v6.3.1.4 Add Sentinel SuperPro v6.3.1 Add Sentinel SuperPro v6.3 Add Sentinel SuperPro v6.2.1 Add Sentinel SuperPro v6.2 Add Sentinel SuperPro v6.1 Add Sentinel SuperPro v6.0 | |||
| Also listed in: | Dongle IDA Signatures, Sentinel Dongle Tools | |||
| Tool name: | SentinelLM Dongle C/C++ library IDA Signatures |
| ||
|---|---|---|---|---|
| Author: | prt | |||
| Website: | N/A | |||
| Current version: | rev2 | |||
| Last updated: | June 14, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | IDA Signature: SentinelLM C/C++ library version: rev2 2007.06.14 Add SentinelLM v8.0 Add SentinelLM v8.0.2 Fixed some obfuscated functions. 2004.12.30 rev1: include: SentinelLM v7.0 SentinelLM v7.0 SP2 SentinelLM v7.1 SentinelLM v7.1.1 SentinelLM v7.1.2 SentinelLM v7.2 SentinelLM v7.2.0.1 SentinelLM v7.2.0.3 SentinelLM v7.2.0.4 SentinelLM v7.2.0.5 SentinelLM v7.2.0.6 SentinelLM v7.2.0.8 SentinelLM v7.2.0.9 SentinelLM v7.2.0.12 SentinelLM v7.2.0.18 SentinelLM v7.3.0 | |||
| Also listed in: | Dongle IDA Signatures, Sentinel Dongle Tools | |||
| Tool name: | SiDAg |
| ||
|---|---|---|---|---|
| Author: | Zool@nder | |||
| Website: | N/A | |||
| Current version: | 1.0 | |||
| Last updated: | August 31, 2009 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | This is a GUI tool that helps beginners make IDA signatures from Obj files/libraries and PAT files. | |||
| Also listed in: | IDA Signature Creation Tools | |||
| Tool name: | VtablesStructuresFromPSDK2003R2 |
| ||
|---|---|---|---|---|
| Author: | Frank Boldewin | |||
| Website: | http://www.reconstructer.org | |||
| Current version: | ||||
| Last updated: | July 16, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | This small IDAPython script includes all vtable structures that can be found in the files of the Microsoft PSDK 2003-R2. After running the script in IDA it adds these vtable structures to an IDB file. This will save time while reconstructing COM code. | |||
| Also listed in: | (Not listed in any other category) | |||