[go: up one dir, main page]

Skip to content

Latest commit

 

History

History
170 lines (96 loc) · 11.4 KB

ida-pro-plugin.md

File metadata and controls

170 lines (96 loc) · 11.4 KB

IDA Pro Plug-in v2.0 Tutorial

The IDA Pro plug-in for Kam1n0 v2.0 creates a folder ~/Kam1n0/ to store the plug-in data and errors. This tutorial first introduces IDA Pro plug-in for Kam1n0 v2.0's basic functionalities and then goes through a simple index and search example.

Functionalities

The Kam1n0 v2.0 engine with the plug-in provides the functionalities to index and search assembly functions.

Icon Functionality Description Hot key
search Search current function Search the function at current address Ctrl+Shift+S
searchs Select functions to search Select functions to search Ctrl+Shift+A
upload Index current function Index the function at current address Ctrl+Shift+K
uploads Select functions to index Select functions to index Ctrl+Shift+J
setting-cnn Composition Analysis Search with a binary file NA
setting-cnn Manage connections Manage connections to different repositories NA
setting Manage storage Mange local/remote accounts and storage NA
page_edit Fragment search (new) Search with the selected assembly fragment NA

These functionalities can be found in the:

  • IDA Pro Search Toolbar:

    image

  • IDA Pro Functions Window:

    image

  • IDA Pro Search Menu:

    image

  • IDA Pro Edit Menu:

    image

  • IDA Pro View A (popup menu):

    image

Even though you can select functions from the popup menu of the IDA Pro Functions Window to search/index functions, using searchs and uploads at other places (e.g. toolbar) opens a Selection Window which provides a more detailed configuration for multiple searches.

image image

For example, you can apply different filters and choose which connection you want to use to search/index them.

Walk through example

Let's go through a simple index and search case using the engine and plugin.

Preparing the data

Suppose we have two binary files libpng-1.7.0b54.dll from libpng and zlib-1.2.7.dll from zlib. These two files are included in our release file Example.zip. We suggest you to try them first as to be consistent with the following descriptions. You may index other binary files later as you wish. We try to index the first binary file libpng-1.7.0b54.dll and search the second one zlib-1.2.7.dll against it.

Start the engine and get the URL for IDA Pro Plugin

In this step, you should start the Kam1n0 engine and get the URL for IDA Pro Plugin from the homepage of the APP you want to use by right-clicking it and choosing "copy link address".

Set up connection

Open IDA Pro and click on the Manage Connection Button in the toolbar cnn. You are now able to review and edit the connections of the plug-in. Fill the URL for IDA Pro Plugin, username, password in the form and then click Update/Add Button and OK.

Indexing

To index only some functions, click on the Select Functions to Index Button in the toolbar (or in the other aforementioned location). Select the functions you want to index and click the Continue Button. Each indexed binary is uniquely identified by its path, and each indexed function by its binary ID and starting address.

image

An embedded chromium browser will pop up and show the progress of indexing. It has the same set of UI as Kam1n0 Web interface. You can leave the page or monitor the progress with it.

image

Functions Search

Open IDA Pro and disassemble the target zlib-1.2.7.dll binary file as usual. Click on the Select Functions to Search Button in the toolbar image. Suppose we want to search for the alder32 and compress2 functions. Select them using ctrl+click in the list. Click on the Continue Button.

image

An embedded chromium browser will pop up and show the progress of searching and it will be redirected to the result page after it completes. Similar to Kam1n0 Web UI, for each retrieved function, you can see the similarity, flow graph comparison, full text alignment, clone group alignment by clicking the corresponding icon. You can also see the clone graph by clicking it from the right side. It has the same set of UI as Kam1n0 Web interface except we have an additional flow graph linking function here.

image

The user can jump from a basic box in the clone search result rendering views to the corresponding basic block in IDA View-A. This functionality is available in both the Clone List View and any Flow Graph View.

image

In any Flow Graph related view, if you double-click a specific basic block in the graph, the IDA View-A will jump to the same basic block either in the text or in a graph. In all the clone list view, if you right-click context menu to the query nodes in the tree, you can see the option jumping to the corresponding assembly function in IDA View-A.

Composition analysis

To search all the functions of the binary file and keep the result in a file which will be shown on your homepage of the server, click on the Composition Analysis in the toolbar image. An embedded chromium browser will pop up and show the progress of analysis. You can leave the page or monitor the progress with it.

image

You can find the result of composition analysis later from your homepage in the same way as you use Web UI to do it.

image

image

Assembly fragment search

picture10

Starting from version 1.x.x, we support assembly fragment search in IDA Pro. You can simply select a couple lines of assembly code and right click on it to pop out the menu. Select the entry Query fragment. An embedded chromium browser will pop up and show the progress of searching and it will be redirected to the result page after it completes. The result page is similar to the result of functions search.

image

Search box

There is a search box to help you quickly locate the wanted information on the web pages of the embedded chromium browser. The search box is hidden on the right edge of every web page. It can be activated and slides out if the user press control+F or click the search icon. After typing the keyword to be searched and pressing the key Enter, one can loop through the search results on the web page. By pressing ESC key, one will clear the search text box as well as all the highlighted search results.

image

How does the Plug-in Work

The plug-in is written in Python using idaapi. In the original Kam1n0 IDA Plug-in, the communication is one-way between IDA Pro and the clone search result rendering windows. After the user sends a clone search request in the IDA Views, the plug-in creates a new IDA form to handle the request and a new process for result rendering windows. If the query contains multiple assembly functions, the IDA form will search each of them and merge the search results. In this process, the IDA Pro Window is frozen and the user cannot use it until the search finishes (as shown in the figure below).

In the updated Kam1n0 v2.x IDA Plug-in, we remove the original IDA form for searching and adopt a web-based interface for progressively searching and merging the clone results. The searching operations are conducted using the plug-in process. Therefore, the main IDA Pro process will not be blocked. The user can still use other IDA window while the clone search is in progress.

In the original IDA Pro plug-in, calling IDA SDK functions in the rendering windows is impossible. We introduce a two-way messaging communication channel between the IDA Pro process and the Plug-in process. In the plug-in process, one can execute any IDA commands using JavaScript or Python. The commands are pushed to a shared messaging queue between these two processes. In the IDA Pro process, we create a message listener that monitors the queue and execute any requested commands. We implemented a simple communication channel since the original multiprocessing module in Python does not work in IDA Pro or other Python-embedded applications. Such a design enables the interaction between clone search result rendering process and the IDA Pro UI process.

User Interface

The user interface consists of two parts:

  • The native idaapi forms and controls: the Connection Management Form, the Select Function to Search Form, and the Select Function to Index Form.
  • Unlike the Kam1n0 v1.x plug-in for IDA Pro, the new plugin directly uses the web page from Kam1n0 server. They share the same set of UI for better code maintainability.

Synchronization

We find it difficult to update the IDA Pro UI asynchronously using idaapi. If a thread other than the main thread updates the interface while the user interacts with (e.g. clicks on) the interface, IDA Pro will freeze/crash. Instead, we create a new process to render the clone search results. Backward communication is realized by a inter-process communication. The user can still use IDA Pro throughout the process of searching and rendering.

Communication

To interact with the Kam1n0 web services, we build our own network wrapper use the built-in urllib in Python to send requests and the json lib to parse the json results. The connection utitly itself can be a standalone client for plugins of other disassemblers. One only needs to implement disassembly extraction utils in IDAUtils for the other disassemblers.