From Collaborative RCE Tool Library
IDA Extensions
| Tool name: | Fast IDB2Sig and LoadMap IDA plugins |
| ||
|---|---|---|---|---|
| Author: | TQN | |||
| Website: | N/A | |||
| Current version: | 1.0 | |||
| Last updated: | September 14, 2004 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | It took me two weeks to write two IDA plugins, a renew, fast IDB2Sig plugin and a new, very fast LoadMap plugin. The IDB2SIG plugin I rewrote base on the orginal source code and idea of: - Quine (quine@blacksun.res.cmu.edu) - Darko - IDB2PAT of J.C. Roberts <mercury@abac.com> Thanks all of you very much. I think all of you will allow me to public the new source code. The LoadMap plugin I wrote base on the idea of Toshiyuki Tega. It will supports loading and parsing VC++, Borland (Delphi/BC++/CBuilder) and DeDe map files. And with two plugins, I need only two days to create two signature file for Delphi 6/7. Very fast and convenience. Hereafter, we can use two above plugins to create signature files, load map symbols... Source is included, and plugins are precompiled for IDA 4.5 and 5.2. | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Advanced obj and lib IDA signature ripper |
| ||
|---|---|---|---|---|
| Author: | gerbay | |||
| Website: | http://www.woodmann.com/forum/showthread.php?t=9931 | |||
| Current version: | 1.0 | |||
| Last updated: | May 23, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | It loads obj and lib (COFF format) files signature to ida database. It identifies so many labels more than flair signatures. FLIRT signature creation not possible for some situation, for example you can try to create flirt signature for flexlm libs, but this plugin will work in such situations too! | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | BinDiff |
| ||
|---|---|---|---|---|
| Author: | SABRE Security | |||
| Website: | http://www.sabre-security.com/products/bindiff.html | |||
| Current version: | 2.0 | |||
| Last updated: | October 2007 | |||
| Direct D/L link: | N/A | |||
| License type: | Commercial (IDA Pro plugin) | |||
| Description: | A very powerful executable file diffing tool, in the form of an IDA Pro plugin. | |||
| Also listed in: | Executable Diff Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | CoverIt |
| ||
|---|---|---|---|---|
| Author: | Ilfak Guilfanov | |||
| Website: | http://www.hexblog.com/2006/03/coverage_analyzer.html | |||
| Current version: | 1.0 | |||
| Last updated: | March 27, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | A code coverage plugin for IDA Pro. It colors all executed instructions directly inside the IDA GUI, including any collapsed functions containing executed instructions. | |||
| Also listed in: | Code Coverage Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Desquirr - Decompiler Plugin for IDA Pro |
| ||
|---|---|---|---|---|
| Author: | David Eriksson | |||
| Website: | http://desquirr.sourceforge.net/desquirr/ | |||
| Current version: | 20070130 (desquirr-20070130-bin-ida_v5_0.zip) | |||
| Last updated: | November 13, 2003 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Desquirr is a decompiler plugin for IDA Pro. Desquirr currently consists of a little more than 5000 lines of C++ code, not counting empty lines or lines beginning with comments Read the Master Thesis at http://desquirr.sourceforge.net/desquirr/desquirr_master_thesis.pdf | |||
| Also listed in: | Decompilers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | ExtraPass |
| ||
|---|---|---|---|---|
| Author: | Sirmabus | |||
| Website: | https://www.openrce.org/blog/view/839/An_%22extra_pass%22_for_IDA_Pro | |||
| Current version: | 2.1 | |||
| Last updated: | February 8, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | I made this little IDA plug-in to help working with some Win32 targets that don't disassemble so well. In particular exe's that have a lot of C++ indirections and lots of embedded script stubs.. It basically does a few more passes over an IDA code section. Prefers code over data. It can find a lot of missing code, functions, and alignment blocks. Works particularly well on large EXE's where there is a lot of disconnected code from heavy C++ OOP, script binds, etc. Intended for typical Win32, mainly Microsoft complied binaries. Won't work well (probably for the worse) with Delphi EXE's since those tend to have a lot of mixing of constant data in the ".text" section, but the align and missing function options might be of use still. My 2nd attempt at it, it's simple but it works well. IMHO it's working well now. Really can clean up discombobulated code. [Feb, 8, 2007] 2.1 A lot of improvement! [Nov, 26, 2007] 2.0 version. Now fixes align blocks, and finds missing functions, plus has a UI. [Aug, 28, 2007] New and improved. | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | GUID-Finder |
| ||
|---|---|---|---|---|
| Author: | Sirmabus | |||
| Website: | http://www.openrce.org/repositories/users/Sirmabus | |||
| Current version: | 1.0b | |||
| Last updated: | January 17, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | A GUID/UUID finding/fixing IDA plug-in. The COM side of RE'ing (at least with "dead listing") can be pretty elusive. With this you can at least partially glean what interfaces and classes a target is using. This plug-in scans the IDB for class and interfaces GUIDs and creates the matching structure with label. IDA can find these on it's own, but it often misses them, so this can fill in the gap. Plus this plug-in allows you to easily add custom declarations, and is handy to do a general audit for such GUIDs. This is based Frank Boldewin's IDA Python script that you can find here: http://www.openrce.org/downloads/details/250/ClassAndInterfaceToNames or off his home page: http://www.reconstructer.org/code/ClassAndInterfaceToNames.zip It's a great utility, I found me self using it regularly. But I wanted one that wasn't dependant on IDA Python, and one that might be a bit faster. I've made some enhancements too (see below). Some interesting reading: http://en.wikipedia.org/wiki/Globally_Unique_Identifier http://en.wikipedia.org/wiki/UUID [How to run it] Just invoke it using your selected IDA hot-key, or from "Edit->Plugins". Normally you will want to keep the ""Skip code segments for speed"" check box checked, because it can make a big difference in the run time. With unchecked, code segments are also scanned. You'll want to scan the code to if the target is a Delphi, or others where data tends to be code/.text segment, or if you just want to be more thorough. It might take some time to scan everything depending on the size of the IDB your computer, etc.. When it's done, you should see a list of interfaces and classes in the IDA log window. If you want to go look at a particular entry to RE (to look at xrefs, etc.) just click on the line and IDA will jump to it. [How it works] 1. Loads in GUID/UUID defs for the two text files "Interfaces.txt" and "Classes.txt". A little enhancement here over Frank's format, you can have blank lines and have comments prefixed with '#' (first char, whole line only. Not a very forgiving parser). In the source is "DumpLib", a utility I created to parse LIB files (like "uuid.lib") to gather more GUIDs. As of this build, it's a collection of Frank's original UUIDs plus all the ones to be found in VS2005 libraries along with DirectX 9.1,. There could be more explicitly created in header (.h/.hpp) files but have yet to make a utility to parse them. If you want to add custom GUID defines (from 3rd party software, etc.), just edit these text files manually. 2. After it loads in the defs, the plug-in iterates through all segments in your currently open IDB. By default it will skip code/".text" segments, and import/export segments for speed. Usually you find GUIDs in the ".rdata", and ".data" segments. I originally intended to sort all the GUIDs by similarity and search with partial wild cards for speed. If you take a look at the GUID defs you will see that many GUIDs share common numbers that often differ only be the least significant digits ("Data4"). At least in theory, searching for groups wild cards should make searching faster. Maybe next version.. [Known problems/issues/limitations] 1. If a given GUID 16byte def just so happens to match something that is not really a GUID, the plug-in will try to convert it to one regardless (another reason not to run it over code sections). So far I have not found this to be much of issue, although it could be. Could add a confirm dialog for each to let the user decide. 2. Some GUID set operations will fail. This is usually because something is bad/wrong at the particular address; like a partial code def, or incorrect xref. The plug-in will display most of these errors in the IDA log window for manual correction. 3. TODO: Other GUID times like "DIID", "LIBID", "CATID", usefull? | |||
| Also listed in: | COM Debugging Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Hex-Rays |
| ||
|---|---|---|---|---|
| Author: | Hex-Rays sprl (Ilfak Guilfanov) | |||
| Website: | http://www.hex-rays.com | |||
| Current version: | 1.0 | |||
| Last updated: | September 17, 2007 | |||
| Direct D/L link: | N/A | |||
| License type: | Commercial (IDA Pro plugin) | |||
| Description: | Hex-Rays is created by Ilfak Guilfanov, famous author of IDA Pro. It is a commercial IDA Pro plugin, and aims to be the best decompiler ever created. | |||
| Also listed in: | Decompilers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDA 2 PAT |
| ||
|---|---|---|---|---|
| Author: | J.C. Roberts | |||
| Website: | N/A | |||
| Current version: | 1.0 | |||
| Last updated: | ||||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | For the most part, this plugin is an exercise in futility. There are very few valid reasons why anyone should ever want to build signatures of the functions in an existing disassembly. There are better reasons, methods and tools for creating signatures for use with IDA. Most importantly, the right way to create signatures is from object files, object libraries or dynamically linked libraries, so please realize this plugin is nothing more than a kludge since we are asking FLAIR to do something it was not designed to do. ********************************************************************** Option: Create patterns for Non-Auto Named Functions If you find the rare situation where you want to make patterns from functions in an existing database, this option is probably your best bet. It will only create patterns for functions without auto generated names and it will exclude functions marked as libraries (e.g. they were already found and named through other FLAIR signatures). You may want to remove named functions like _main and WinMain from the resulting pattern file, since these will already exist in the disassembly where it's applied. ********************************************************************** Option: Create Patterns for Library Functions Only I did include the ability to build patterns for functions IDA has already marked as libraries. This is forpeople doing source code recovery/recreation since the pattern file can be further parsed to figure out which header files are needed. There are probably better ways to go about this as well but until I have time to write specific a plugin for figuring out which headers are included, this can give you a step in the right direction.Out side of gathering information on applied library signatures, this feature is pointless since you're building patterns for function that were previously found with other signatures you already have. ********************************************************************** Option: Create Patterns for Public Functions Only This could be useful when dealing with a situation where functions were once stored in a DLL and are now statically linked in an executable. It's still may a better bet to build a signature from the DLL and then apply it to the statically linked executable. ********************************************************************** Option: Create Patterns For Everything You generally do NOT want to build patterns for every function in the disassembly. The only place where I can see a legitimate use for creating signatures of every function in the database is if your goal is to see how similar two executables are. Instead of using a hex editor and doing a re-synchronizing binary compare between the two executables,you could use IDA signatures to get a different/better way to visualize the similarities. There are a lot of problems with trying to do this. The first and most obvious problem is reserved name prefixes (e.g. sub_) on auto generated function names. Another cascading problem is of course references to these names withing other functions and whether or not to keep these references in the patterns in order to cut down the number of collisions. There are plenty of other problems with this approach that I won't mention but there are quite a few of them. I've hacked together a simple work-around. When the user has selected everything mode, the plugin will prepend the auto generated function names with FAKE_ and references to these sub routines are kept to reduce collisions. This should (in theory) work, since every reference will also have it's own public pattern in the resulting file. In other words, the named references will resolve to another (public) function pattern in the file. The problem with this approach is of course having erroneous address numbers in names of functions where the signature is applied (e.g. the nameFAKE_sub_DEADBEEF could be applied to any address where a matching function is found). My guess why this will work is because a module in a library may have a by name reference to another object in the library. The pattern file of a library would keep the references, since the names are defined in other pattern lines of the file. Of course I could be wrong but it's worth a shot. If need be comment out the "sub_" tests in part #7 (references) of make_pattern() to get rid of the refs. ********************************************************************** Option: Create Pattern For User Selected Function This allows the user to select a function from the list and create a pattern for it. It does not work on functions with auto generated names but probably could with a bit more work. ______________________________________________________________________ ********************************************************************** ---------------------------------------------------------------------- LIMITATIONS: * References and tail bytes are only used by sigmake to resolve collisions. Auto generated names with reserved prefixes "loc_" "byte_" "dword_" are not going to be repeatable in the binary where you would apply the resulting signature. If those references were kept and used to resolve a collision, you'd end up with a useless signature that would not be applied because those names do not exist in executable where the resulting signature is being applied. * Reference offsets that greater than 0x8000 bytes from the function start may make this plugin explode or more likely, just make unusable patterns. * All references are assumed to be 4 bytes long. This will cause some problems for situations (e.g. processors) where this is not true. ______________________________________________________________________ ********************************************************************** ---------------------------------------------------------------------- TODO: * Error checking for reference offsets > 0x8000 * Change reference length from being fixed at 4 bytes. * Create "append" versus "overwrite" dialog. * Deal with the user choosing a function with an auto generated name in the "Single Function" mode. ______________________________________________________________________ ********************************************************************** ---------------------------------------------------------------------- DEVELOPMENT: I did this in MSVC++ v6. There are two projects in the workspace. One is for the plugin and the other for IDAG.EXE so we can debug the plugin once IDA loads it e.g. start the plugin and at the choose file dilog break. In the list of modules, you'll find "run()" and other functions from the plugin. Depending on where you install IDA, you'll need to adjust where the plugin is written. I've got output set to "C:\IDA\PLUGINS\IDB2PAT.plw" The same is true for the location of the SDK and such. When it's set to build the debug version, there will be a lot of warnings due to info truncation of debug symbols. It's not a big deal. | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDA Free 4.9 SDK Library Patch |
| ||
|---|---|---|---|---|
| Author: | xtc | |||
| Website: | http://www.woodmann.com/forum/showthread.php?t=10756 | |||
| Current version: | 0.1 | |||
| Last updated: | November 7, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | This package is for patching the Visual C++ libraries of the IDA 4.9 SDK to work with the free version. The included patchlib program serves two purposes: 1) Remap the export ordinals to match the free version of ida.wll. 2) Ensure that names are not used when importing from the library. To facilitate the remapping, patchlib needs two files, ida.wll.exports and ida.wll.names. ida.wll.exports contains a list of remapped ordinals and undecorated symbol names. ida.wll.names contains a list of decorated symbols. With the patched library you can build loaders and plugins. Processor modules are blocked by the free version. | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDA2SICE |
| ||
|---|---|---|---|---|
| Author: | Mostek | |||
| Website: | http://mostek.subcultural.com | |||
| Current version: | 4.09 | |||
| Last updated: | October 30, 2006 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | IDA to SoftIce is an IDA plugIn which loades IDA symbols to SoftIce. It can export them as nms file too. To get the last version go to News page. I started the project in May 2000 and it took me almost 9 months to reverse everything needed to make the plugIn (well around 4 month of real work). The main reason for the plug was that at that time, you could only see global procedures and variables. And because there was no local variables in SIce, reversing was really a pain in the .... So this plugIn solves that. :) Some info: Currently PE and LE file types are suported. Use map2sice utilitie for all other types ( included in the package ). One of the nicest feature of the plug is that you can see structures in SIce. ex.: In IDA you set local/global structure and when in SIce you can use command '? myStructure' or '? myStructure.element.element', ..... PlugIn suports structure(union) in structure(union)). | |||
| Also listed in: | SoftICE Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDACompare |
| ||
|---|---|---|---|---|
| Author: | David Zimmer | |||
| Website: | http://labs.idefense.com/software/static.php#more_idacompare | |||
| Current version: | ||||
| Last updated: | December 16, 2005 | |||
| Direct D/L link: | http://labs.idefense.com/software/download/?downloadID=17 | |||
| License type: | Free | |||
| Description: | IDACompare is a plugin designed to compare and match up equivalent functions across two IDA databases. IDACompare was primarily designed for analyzing changes across malcode variants, it should also find good use when conducting patch analysis. Once function matches have been made, names can be ported across disassemblies, or sequentially renamed in both. Project also implements a signature scanner, letting you build your own listing of known functions. | |||
| Also listed in: | Executable Diff Tools | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | IDAPerl |
| ||
|---|---|---|---|---|
| Author: | Willem Jan Hengeveld | |||
| Website: | http://www.xs4all.nl/~itsme/projects/idcperl | |||
| Current version: | 0.1 | |||
| Last updated: | May 9, 2008 | |||
| Direct D/L link: | N/A | |||
| License type: | Free / Open Source | |||
| Description: | IDAPerl, is a plugin for IDA Pro, which adds Perl scripting support. | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | mIDA |
| ||
|---|---|---|---|---|
| Author: | Tenable Network Security | |||
| Website: | http://cgi.tenablesecurity.com/tenable/mida.php | |||
| Current version: | 1.0.8 | |||
| Last updated: | November 14, 2007 | |||
| Direct D/L link: | http://cgi.tenablesecurity.com/tenable/dl.php?p=mIDA-1.0.8.zip | |||
| License type: | Free | |||
| Description: | mIDA is a plugin for the IDA disassembler that can extract RPC interfaces from a binary file and recreate the associated IDL definition. mIDA is free and fully integrates with the latest version of IDA (5.0). This plugin can be used to : * Navigate to RPC functions in IDA * Analyze RPC function arguments * Understand RPC structures * Reconstruct an IDL definition file The IDL code generated by mIDA can be, most of the time, recompiled with the MIDL compiler from Microsoft (midl.exe). | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | ProcessStalker GDL Viewer |
| ||
|---|---|---|---|---|
| Author: | AmesianX | |||
| Website: | https://www.openrce.org/forums/posts/707 | |||
| Current version: | 1.0 | |||
| Last updated: | January 28, 2008 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | A GUI plugin for bringing up the GDL graphs of ProcessStalker directly inside IDA Pro. | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Reveal Imports |
| ||
|---|---|---|---|---|
| Author: | ZaiRoN | |||
| Website: | http://zairon.wordpress.com/2007/02/18/approaching-ida-plugin-reveal-imports/ | |||
| Current version: | 1.0 | |||
| Last updated: | February 18, 2007 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free | |||
| Description: | Boring rainy day, I decided to fill some spare time writing my first IDA plugin. I have never tried before but I have to admit it’s a powerful tool after all. The idea of the plugin comes from a malware I was analysing in these days, it’s packed… As the name suggests the plugin reveals imports of a dumped process. It will come in handy when you need to analyze a dump without rebuilding the file using an external tool. The plugin could be bugged, it seems to work fine with simple packers but I didn’t test it too much. I don’t want to test the plugin for days (I don’t have to sell it :p), I’ll just use the plugin and when a bug will come out I’ll try to fix it. Usage: put the plugin inside IDA plugin directory and to run the plugin hit ALT+Z. Here is a screeshot. As you can see the plugin creates a new window filled with revealed imports. | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
Feed containing all updates and additions for this category.
Feed containing all updates and additions for this category, including sub-categories.