Collaborative RCE Tool Library - IDA Extensions (including sub-categories)

Tool Updated: IDA Stealth

2009-11-15T23:45:08Z

Listed in categories: IDA Extensions, Tool Hiding Tools

Most recent version:
1.1

Most recent release date:
November 15, 2009

Description:
IDA Stealth is a plugin which aims to hide the IDA debugger from most common anti-debugging techniques. The plugin is composed of two files, the plugin itself and a dll which is injected into the debuggee as soon as the debugger attaches to the process. The injected dll is actually responsible for implementing most of the stealth techniques either by hooking syscalls or by patching some flags in the remote process.

Tool Updated: CodeDoctor

2009-11-12T16:24:49Z

Listed in categories: Deobfuscation Tools, IDA Extensions, OllyDbg Extensions, Resource Editors, Unpacking Tools

Most recent version:
0.90

Most recent release date:
November 12, 2009

Description:
<nowiki>CodeDoctor is a plugin for Olly and IDA.

History:
11.11.2009 - 0.90 - initial public release

________________________________________________________________________________
Functions:

1) Deobfuscate

Select instructions in disasm window and execute this command. It will try
to clear the code from junk instructions.

Example:

Original:
00874372 57 PUSH EDI
00874373 BF 352AAF6A MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB ADD EBX,EDI
00874386 5F POP EDI

Deobfuscated:
00874372 83C3 04 ADD EBX,4

________________________________________________________

2) Deobfuscate - Single Step

This works like previous command, but does one transformation at a time
_______________________________________________________

3) Move NOPs to bottom

Converts this:

00874396 50 PUSH EAX
00874397 90 NOP
00874398 90 NOP
00874399 52 PUSH EDX
0087439A BA 3F976B00 MOV EDX,somesoft.006B973F

to this:

00874396 50 PUSH EAX
00874397 52 PUSH EDX
00874398 BA 3F976B00 MOV EDX,somesoft.006B973F
0087439D 90 NOP
0087439E 90 NOP

Limitations: it breaks all jumps and calls pointing inwards
________________________________________________________

4) Undo / Redo

Undo or Redo last operation (from one of the above functions)

________________________________________________________

5) Retrieve Jumpy function

This will statically parse instructions and follow all jumps. This is useful
for situations, when program jumps here and there and here and there... When
it encounters some instruction, that can't be followed, it stop and copies
all parsed instruction to an allocated place in memory.

Use settings to set some parameters:
Step over calls - if set, it will step over calls, otherwise it will follow them
Step over jccs - dtto, but for Jccs
Deobfuscate - it will deobfuscate instruction, when it encounters Jcc, RET,
JMP reg/exp, CALL reg/exp; useful for multi-branch

Example:

Original:
00874389 /EB 05 JMP SHORT somesoft.00874390
0087438B

Tool Updated: TurboDiff

2009-10-15T14:25:10Z

Listed in categories: Executable Diff Tools, IDA Extensions

Most recent version:
1.01

Most recent release date:
October 14, 2009

Description:
Turbodiff is a binary diffing tool developed as an IDA plugin. It discovers and analyzes differences between the functions of two binaries.

Tool Updated: SiDAg

2009-08-31T16:01:12Z

Listed in categories: IDA Signature Creation Tools

Most recent version:
1.0

Most recent release date:
August 31, 2009

Description:
The is a GUI tool that helps beginners making IDA signatures from Obj files/ librarries and PAT files.

Tool Updated: IDA Inject

2009-07-19T05:01:34Z

Listed in categories: Code Injection Tools, IDA Extensions

Most recent version:
1.0.3

Most recent release date:
July 18, 2008

Description:
This plugin allows you to inject dlls into a debugged process, either prior to process creation or when the debugger is attached. The injected dll can then do some fancy stuff inside the debugged process.
To realize dll injection before process creation, new import descriptors are added to the image import directory of the debuggee, whereas injection into an already running process is realized via shellcode injection, which in turn loads the dll in question.
In either case, a full path to the dll can be supplied, so it is not necessary for the dll to be in the search path.

Tool Updated: BinDiff

2009-06-13T10:14:36Z

Listed in categories: Executable Diff Tools, IDA Extensions

Most recent version:
2.1

Most recent release date:
2009

Description:
A very powerful executable file diffing tool, in the form of an IDA Pro plugin.

Tool Added: IDAAPIHelp

2009-06-04T20:13:26Z

Listed in categories: IDA Extensions

Most recent version:
0.3

Most recent release date:
October 17, 2006

Description:
IDAAPIHelp is a small IDAPython script, that saves time when searching for API Information while e.g. analyzing a malware with IDA Pro. It looks at cursor position for a valid api call and if found it tries to show you the eligible API Info from the provided helpfile.

Tool Added: MFC42Ord2FuncNames

2009-06-04T20:09:38Z

Listed in categories: IDA Extensions

Most recent version:

Most recent release date:
June 03, 2007

Description:
MFC42Ord2FuncNames is a small IDAPython script which converts MFC42 functions into its realnames. Normally IDA Pro should do this automatically, but in some cases the IDA auto-analysis fails. Watch the short flash movie included in the package for details.

Tool Added: ClassAndInterfaceToNames

2009-06-04T20:06:28Z

Listed in categories: IDA Extensions

Most recent version:

Most recent release date:
June 16, 2007

Description:
This small IDAPython script scans an idb file for class and interfaces UUIDs and creates the matching structure and its name. Unfortunately IDA doesn't do this automatically, thus this little helper. It personally helped me alot, while reversing several malwares using the COM interface, e.g. for browser or outlook manipulation, BITS file transfer or dumping the protected storage. The script was tested with IDAPython v0.9.0 and Python 2.4. Make sure to copy interfaces.txt + classes.txt + ClassAndInterfaceToNames.py to IDADIR, e.g. C:\Program Files\IDA

Tool Added: VtablesStructuresFromPSDK2003R2

2009-06-04T20:03:55Z

Listed in categories: IDA Extensions

Most recent version:

Most recent release date:
July 16, 2007

Description:
This small IDAPython script includes all vtable structures that can be found in the files of the Microsoft PSDK 2003-R2. After running the script in IDA it adds these vtable structures to an IDB file. This will save time while reconstructing COM code.

Tool Updated: Class Informer

2009-04-25T15:55:13Z

Listed in categories: COM Tools, IDA Extensions

Most recent version:
1.01

Most recent release date:
April 2, 2009

Description:
Scans an MSVC 32bit target IDB for vftables with C++ RTTI, and MFC RTCI type data.
Places structure defs, names, labels, and comments to make more sense of class vftables ("Virtual Function Table") and make them read
easier as an aid to reverse engineering.
Creates a list window with found vftables for browsing.

RTTI ("Run-Time Type Identification"):
http://en.wikipedia.org/wiki/RTTI

RTCI ("Run Time Class Information") the MFC forerunner to "RTTI":
http://msdn.microsoft.com/en-us/library/fych0hw6(VS.80).aspx
------------------------------------------------------------

See also screenshot example of vftable info set by plug-in below.

Tool Updated: IDACompare

2009-03-06T09:20:11Z

Listed in categories: Executable Diff Tools, IDA Extensions

Most recent version:
5.4

Most recent release date:
March 5, 2009

Description:
IDACompare is a plugin designed to compare and match up equivalent functions across two IDA databases. IDACompare was primarily designed for analyzing changes across malcode variants, it should also find good use when conducting patch analysis.

Once function matches have been made, names can be ported across disassemblies, or sequentially renamed in both.

Project also implements a signature scanner, letting you build your own listing of known functions.

Tool Updated: Advanced obj and lib IDA signature ripper

2009-01-29T23:35:11Z

Listed in categories: IDA Signature Creation Tools

Most recent version:
1.0

Most recent release date:
May 23, 2007

Description:
It loads obj and lib (COFF format) files signature to ida database.

It identifies so many labels more than flair signatures.

FLIRT signature creation not possible for some situation, for example you can try to create flirt signature for flexlm libs, but this plugin will work in such situations too!

Tool Updated: Ordinal imports/exports resolver

2009-01-26T15:00:46Z

Listed in categories: IDA Extensions

Most recent version:
1

Most recent release date:
2008

Description:
Name says all?

Tool Updated: Com helper

2009-01-26T14:59:24Z

Listed in categories: IDA Extensions

Most recent version:
2

Most recent release date:
2008

Description:
Improved version of DataRescue's com helper plugin.

Tool Updated: Reveal Imports

2008-11-04T17:51:39Z

Listed in categories: IDA Extensions

Most recent version:
1.0

Most recent release date:
November 4, 2008

Description:
The plugin reveals imports of a dumped process. It will come in handy when you need to analyze a dump without rebuilding the file using an external tool.

Usage: put the plugin inside IDA plugin directory and to run the plugin hit ALT+z.
Here is a screeshot. As you can see the plugin creates a new window filled with revealed imports.

Tool Updated: MIDA

2008-10-30T17:37:58Z

Listed in categories: IDA Extensions

Most recent version:
1.0.10

Most recent release date:
October 21, 2008

Description:
mIDA is a plugin for the IDA disassembler that can extract RPC interfaces from a binary file and recreate the associated IDL definition. mIDA is free and fully integrates with the latest version of IDA (5.0).
This plugin can be used to :

* Navigate to RPC functions in IDA
* Analyze RPC function arguments
* Understand RPC structures
* Reconstruct an IDL definition file

The IDL code generated by mIDA can be, most of the time, recompiled with the MIDL compiler from Microsoft (midl.exe).

Tool Updated: PDB

2008-10-18T08:34:24Z

Listed in categories: IDA Extensions

Most recent version:
?

Most recent release date:
2008

Description:

This is yet another extension built on original Datarescue`s PDB plugin.

Main enhancements from original plugin:
* Integrates advantages of Microsoft Debug Information Accessor (DIA). The
interface provided by DIA offers more complete description of executable
against DbgHelp(ImagHlp) API. If DIA server is not installed DbgHelp's engine
is used (use newest version possible to achieve best results).
* Preserved names mangling on public symbols (ida still shows C prototype where
full ida typeinfo can't be successfully set).
* Replication of complex types (struct, enum) and typedefs from PDB.
* Scoped UDT members handled (inherited members and nested typedefs, structs
and enums).
* Exact format to static data symbols and static struct members, forced code at
function start (extern symbols format preserved).
* Full ida typeinfo to static symbols and struct members.
* Names, exact format and full ida typeinfo to function arguments and local
symbols stored at frame, recursive traversal all nested sub-blocks of function
(with DIA only). Supported (both top and bottom) ebp- and esp-based frame
models, support for register variables and params was removed during testing
(see known problems and anomalies/#3).
* Source lines import to idabase where file accessible (as anterior lines).
* Foreign program databases support for importing data types only. Selective
filtering of unwanted types is offered before own storage. For this feature
call the plugin with argument 2 (use IDC command or edit plugins.cfg for that).
* Alots of minor adjustments not worth to mention.
* No UI (lazy) - always apply all features.

Source code included.

Tool Added: Mapgen

2008-10-18T08:30:57Z

Listed in categories: IDA Extensions

Most recent version:
0.985 beta

Most recent release date:
2008

Description:
---------------------------------------------------------------------------
map file exporter plugin for ida pro by servil version 0.985 beta
---------------------------------------------------------------------------

the plugin extends mapfile generating to export better information into
ollydbg. exported files can be processed by modified mapconv plugin included
in this archive.

features:
- imports comments as comments and labels as labels
- all segments
- relocated images (dlls) taken into account
- extended by exporting local variables, enums, struct offsets,
register variables and forced operands

source code: http://sharemation.com/servil/idaplugs/mapgen-src.zip

Tool Added: Fubar

2008-10-18T08:29:22Z

Listed in categories: IDA Extensions

Most recent version:
0.982 beta

Most recent release date:
2008

Description:
---------------------------------------------------------------------------
fubar plugin v0.982 eternal beta: post-analysis tasks for ida pro by servil
supported ida versions: 4.90 and above till API change
(tested on 5.2 without backward compatibility enforcement)
---------------------------------------------------------------------------

various additional idabase formatting and describing, main units:

* resource parser and dereferencer
* mfc message map parser
* vcl object templates parser
* more... see main dialog for available steps, most jobs obvious enough