Building plugins for IDA Pro - PowerPoint PPT Presentation

1
Building plugins for IDA Pro
Hex-Rays Ilfak Guilfanov
2
Presentation Outline
  • Why plugins?
  • IDC is not powerful enough
  • Simple plugin, explained
  • The descriptor and init/term/run
  • More sample plugins
  • IDA API overview
  • Good, bad, and ugly
  • Your feedback
  • Online copy of this presentation is available at
    http://www.hex-rays.com/idapro/ppt/recon2008.ppt

3
IDA Pro
  • Interactive
  • Programmable
  • Key macros really handy (only text version)
  • Alt--, <Hotkey>, <Sequence>, Alt-
  • IDC scripts
  • Plugins

4
IDC language
  • Toy language
  • Lacks many modern features (arrays, structs,
    hashes)
  • Yet another language to learn
  • Is it worth improving it?
  • Can not dump it: there are many useful IDC
    scripts
  • Provisions for seamless embedding of other
    scripting languages

5
Plugin API
  • A real API, no limitations, full access
  • Subsystems
  • Target processor
  • Input file format
  • Analysis
  • User-interface
  • Debugger
  • Miscellaneous
  • Pure C API with C syntax, compatible with all
    popular compilers
  • Unfortunately, requires knowing C - an
    increasingly scarce skill
  • Plugins are just DLLs: you can use any tool to
    create them

6
IDA API
  • It is eclectic: all kinds of naming conventions
    and paradigms can be found
  • Probably it reflects my coding preferences over
    time :-)
  • With the community help, we will add doxygen
    generated web pages in the future
  • Currently sample plugins and modules are
    available with the SDK
  • It is over 170K lines (header files alone almost
    40K)
  • API has over 1300 functions
  • It has been frozen at IDA v4.9: existing plugins
    will be compatible with future versions of IDA

7
API evolution
  • Natural evolution vs. design/code/debug cycle
  • IDA Pro is a naturally evolving platform
  • Code transformation and refactoring are our main
    methods
  • Things evolve in unforeseen directions
  • Addressable quantities (bytes) are not 8 bit
  • Atmel AVR, Microchip's PIC
  • GUI
  • Bytecode machines
  • 8-bit to 128-bit computers
  • Multiple chunk functions
  • Debugger
  • Graph view
  • Despite this, the architecture stays the same

8
API evolution
  • Things users want
  • Multiple processors for the input file
  • Multiple input files per database
  • Multiple users per database
  • Multiple debugging sessions per debugger server
  • Multiple analysis threads

9
(No Transcript)
10
The Database
  • Consists of four files
  • Btree
  • The most interesting file
  • Names, comments, etc are kept there
  • Flags
  • 32-bit value for each byte of the program
  • Describe each byte: iscode, hasname, hascmt,
    isoff, etc
  • Name pointers
  • Something we may ignore (implementation detail)
  • Type library
  • Local type definitions
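A stand-alone model of the per-byte flags word described on this slide, added here as an illustration; it is not code from the slides or from the SDK. The bit positions are as I recall them from the SDK's bytes.hpp (check them against your SDK version), the predicate names mirror the slide's iscode, hasname, hascmt and isoff, and the describe() helper and the sample words are my own construction.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Stand-alone model of IDA's 32-bit per-byte flags word (added example, not SDK code).
// Bit layout as recalled from the SDK's bytes.hpp; verify against your SDK version.
namespace idaflags {

constexpr uint32_t MS_VAL   = 0x000000FF;  // byte value (valid only when FF_IVL is set)
constexpr uint32_t FF_IVL   = 0x00000100;  // byte has a value
constexpr uint32_t MS_CLS   = 0x00000600;  // item class mask
constexpr uint32_t FF_CODE  = 0x00000600;  // start of an instruction
constexpr uint32_t FF_DATA  = 0x00000400;  // start of a data item
constexpr uint32_t FF_TAIL  = 0x00000200;  // continuation byte of an item
constexpr uint32_t FF_UNK   = 0x00000000;  // unexplored
constexpr uint32_t FF_COMM  = 0x00000800;  // has a comment
constexpr uint32_t FF_REF   = 0x00001000;  // has cross references to it
constexpr uint32_t FF_NAME  = 0x00004000;  // has a user-defined name
constexpr uint32_t FF_LABL  = 0x00008000;  // has a dummy (auto-generated) name
constexpr uint32_t FF_FLOW  = 0x00010000;  // execution flows here from the previous instruction
constexpr uint32_t MS_0TYPE = 0x00F00000;  // representation of the first operand
constexpr uint32_t FF_0OFF  = 0x00500000;  // first operand is an offset
constexpr uint32_t FF_FUNC  = 0x10000000;  // code only: function start
constexpr uint32_t DT_TYPE  = 0xF0000000;  // data only: element type mask
constexpr uint32_t FF_BYTE  = 0x00000000;
constexpr uint32_t FF_WORD  = 0x10000000;
constexpr uint32_t FF_DWRD  = 0x20000000;
constexpr uint32_t FF_QWRD  = 0x30000000;
constexpr uint32_t FF_ASCI  = 0x50000000;
constexpr uint32_t FF_STRU  = 0x60000000;

// Predicates named after those on the slide (iscode, hasname, hascmt, isoff).
inline bool isCode(uint32_t F)    { return (F & MS_CLS) == FF_CODE; }
inline bool isData(uint32_t F)    { return (F & MS_CLS) == FF_DATA; }
inline bool isTail(uint32_t F)    { return (F & MS_CLS) == FF_TAIL; }
inline bool isUnknown(uint32_t F) { return (F & MS_CLS) == FF_UNK; }
inline bool hasValue(uint32_t F)  { return (F & FF_IVL) != 0; }
inline bool hasName(uint32_t F)   { return (F & FF_NAME) != 0; }
inline bool has_cmt(uint32_t F)   { return (F & FF_COMM) != 0; }
inline bool isOff0(uint32_t F)    { return (F & MS_0TYPE) == FF_0OFF; }
inline bool isFunc(uint32_t F)    { return isCode(F) && (F & FF_FUNC) != 0; }

// Render one flags word as the kind of summary a plugin might log while scanning a database.
std::string describe(uint32_t F) {
  std::string s;
  if (isCode(F)) {
    s = isFunc(F) ? "code(function start)" : "code";
  } else if (isData(F)) {
    switch (F & DT_TYPE) {  // the high nibble is reused: data type here, code attributes above
      case FF_BYTE: s = "data(byte)";   break;
      case FF_WORD: s = "data(word)";   break;
      case FF_DWRD: s = "data(dword)";  break;
      case FF_QWRD: s = "data(qword)";  break;
      case FF_ASCI: s = "data(string)"; break;
      case FF_STRU: s = "data(struct)"; break;
      default:      s = "data(other)";  break;
    }
  } else if (isTail(F)) {
    s = "tail";
  } else {
    s = "unexplored";
  }
  if (hasValue(F)) {
    char buf[16];
    std::snprintf(buf, sizeof buf, " value=0x%02X", static_cast<unsigned>(F & MS_VAL));
    s += buf;
  }
  if (hasName(F))       s += " named";
  else if (F & FF_LABL) s += " auto-named";
  if (has_cmt(F))       s += " commented";
  if (F & FF_REF)       s += " referenced";
  if (isCode(F) && (F & FF_FLOW)) s += " flow-from-prev";
  if (isOff0(F))        s += " op0=offset";
  return s;
}

}  // namespace idaflags

int main() {
  using namespace idaflags;
  // Constructed sample words, not taken from a real database.
  const uint32_t samples[] = {
    FF_CODE | FF_FUNC | FF_NAME | FF_IVL | 0x55,    // named function start, first byte 0x55
    FF_CODE | FF_FLOW | FF_IVL | 0xE8,              // ordinary instruction reached by fall-through
    FF_DATA | FF_DWRD | FF_0OFF | FF_COMM | FF_REF, // commented, referenced dword holding an offset
    FF_TAIL,
    FF_UNK,
  };
  for (uint32_t F : samples)
    std::printf("%08X -> %s\n", static_cast<unsigned>(F), describe(F).c_str());
  return 0;
}
```

The point to take from it is the one the slide makes: a single 32-bit word per address carries the item class, name and comment presence, operand representation and (depending on the class) either code attributes or the data element type, so a plugin scanning a database can answer most "what is at this address" questions from one flags lookup.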

11
Plugin descriptor
  • The descriptor: name, flags, hotkeys, and
    init/term/run

12
Plugin initialization
  • Check if our plugin is useful for the current
    database
  • Is processor supported by the plugin?
  • Is the file format supported?
  • What IDA version is running?
  • GUI or text mode (ui_get_hwnd != NULL)
  • Version number (get_kernel_version)
  • Are other required plugins loaded?
  • etc...

13
Invoking plugins
  • Old way: Edit, Plugins, MyPlugin > calls run()
  • New way: use add_menu_item() to add an item to the
    desired menu; the specified callback function
    will be called when the user selects it

14
Plugins and events
  • You may register event callbacks and perform all
    necessary actions there
  • You may also define a new IDC function and do
    nothing else

15
Hello, world! - full source code
16
Quick exit from IDA Pro
  • Replacement of Alt-X (quit from IDA)
  • No questions asked, just exit
  • We could use Shift-click on the Windows Close
    button at the right upper corner (use Ctrl-Shift
    to exit without saving)

17
Multiple file search
  • Search for a function in several databases
  • We have an object file for that function
  • First we create a signature from the function
  • plb object_file mypattern
  • sigmake mypattern mypattern
  • copy mypattern.sign idadir\sig
  • We will start IDA with a special command line
    switch
  • IDA will check if the database contains the
    function and
  • If found, it may log the result and quit or just
    switch to interactive mode
  • If not found, it will silently quit
  • IDA will be called from a batch file for all
    databases

18
Multiple file search plugin
  • We do everything in init() and return PLUGIN_SKIP

19
Multiple file search - launching
  • Run idag from a batch file
  • -O for our plugin
  • -A to suppress dialog boxes
  • The batch file will run until the signature file
    matches

20
Multiple search variants
  • The same approach could be used to find (just
    some random ideas)
  • Precise instruction text (binary search over
    files won't do)
  • A specific comment
  • Function of certain length or other attributes
  • IDB created from a file with the specified MD5
    checksum
  • Databases with cryptographic functions
  • etc...

21
Analysis improvement
  • IDA uses lots of heuristic rules during analysis
  • The built-in heuristics are generic
  • You could benefit from heuristic rules specific
    to your files
  • Unfortunately we can not implement these rules
    for you
  • You can do it yourself
  • One of the following approaches
  • Manually run heuristic rules on the current
    database
  • Wait for the file to load, scan the database and
    improve
  • Wait for the analysis to finish, then scan the
    database
  • Hook to analysis events and improve on the fly

22
Improve analysis when the file is loaded
  • iPhone binaries use as the first instruction of
    many functions. IDA currently does not recognize
    such functions
  • Our plugin will address this shortcoming
  • It will check for this opcode in ARM binaries and
    mark the found addresses for function creation
  • It will be fully automatic

23
iPhone analysis improver
24
iPhone analysis improver - results
25
Post-analysis improvement
26
On the fly analysis improvement
  • This is the most powerful improvement method
  • Active all the time
  • Immediately reacts to recognized patterns

27
Symbian (EPOC) return anomaly
  • The ARM processor has many forms of the return
    instruction
  • Sometimes it is encoded as 2 instructions; our
    plugin will detect this and add a comment

28
First step: recognize the pattern
29
Second step: improve the listing
  • Several methods
  • Rename
  • Add comment
  • Patch the database
  • Change operand type
  • Save the data for further analysis
  • etc...
  • In our plugin we just add a comment

30
On the fly analysis - results
  • Well, since we just added a comment, it is not
    spectacular

31
On the fly analysis - events
  • There are many events you can hook; they
    happen when IDA
  • Emulates an instruction
  • This is the main event to recognize patterns
  • Adds/deletes a cross reference (IDA v5.3)
  • A code ref usually leads to additional analysis
  • Creates an instruction
  • What about checking instruction sanity?
  • Creates a data item
  • You may automatically pretty format or change
    number radix
  • Performs the final pass
  • What about checking the huge arrays disliked by
    many users?
  • Changes a byte value
  • Intercept this to provide additional actions and
    analysis

32
IDA events
  • Changes an operand type
  • Modifies structure/enum definition
  • Renames a program location
  • Creates/changes a segment
  • Creates/changes a function
  • etc...

33
Name watcher
  • Hook to the rename event
  • If a new name has ?c_wsz prefix, convert it to
    unicode
  • This is just an idea, you may check for other
    prefixes
  • Or postfixes
  • For anything, in fact
  • You may prohibit some names by returning a value < 0

34
Name watcher callback
35
Name watcher setup
36
The thank you slide
  • Thank you for your attention! Questions?