idahunt is a framework to analyze binaries with IDA Pro and hunt for things in IDA Pro. It contains a main command line tool to analyse all executable files recursively from a given folder. It executes in the background so you don't have to open manually each file. It supports executing external IDA Python scripts.
- Python3 only (except IDA Python scripts which are Python2 based)
- IDA Pro
- Windows, Linux, OS X
- Automate creation of IDBs for multiple executables
- Open multiple existing IDBs
- Execute IDA Python scripts across multiple executables
- IDA Python helpers to simplify looking for things in IDA. You can use this to easily build your own IDA Python scripts
- It supports any file format IDA would support (PE/ELF/MACH-O/etc.)
Useful examples include (non-exhaustive list):
- Analyse Microsoft Patch Tuesday updates
- Analyse malware of the same family
- Analyse multiple versions of the same software (router/firewall/etc.)
- Analyse a bunch of binaries (UEFI, etc.)
IDA Python scripts capabilities are unlimited. You can import any existing IDA Python script or build your own. Some examples:
- Rename functions based on debugging strings
- Decrypt strings (e.g. malware)
- Hunt for the same symbol across multiple versions (using heuristics)
- Hunt for ROP gadgets
- Etc.
idahunt.py
: main tool to analyse executable filesfilters/names.py
: contains a basic filter for name and/or extensionscript_template.py
: contains ahello world
IDA Python script
C:\idahunt>idahunt.py -h
usage: idahunt.py [-h] [--inputdir INPUTDIR] [--analyse] [--open]
[--scripts SCRIPTS [SCRIPTS ...]] [--filter FILTER]
[--cleanup] [--temp-cleanup] [--verbose] [--max-ida MAX_IDA]
[--list-only]
optional arguments:
-h, --help show this help message and exit
--inputdir INPUTDIR Input folder to search for files
--analyse analyse all files i.e. create .idb for all of them
--open open all files into IDA (debug only)
--scripts SCRIPTS [SCRIPTS ...]
List of IDA Python scripts to execute in this order
--filter FILTER External python script with optional arguments
defining a filter for the names of the files to
analyse
--cleanup Cleanup i.e. remove .asm files that we don't need
--temp-cleanup Cleanup temporary database files i.e. remove .id0,
.id1, .id2, .nama files if IDA Pro crashed and did not
delete them
--verbose be more verbose to debug script
--max-ida MAX_IDA Maximum number of instances of IDA to run at a time
--list-only List only what files would be handled without
executing IDA
You can use --list-only
with any command line to just list what the tool would
do without actually doing it.
C:\idahunt>idahunt.py --inputdir C:\re --analyse --filter "filters\names.py -a 32 -v" --list-only
[idahunt] Simulating only...
[idahunt] ANALYSING FILES
[idahunt] Analysing C:\re\cves\cve-2014-4076.dll
[idahunt] Analysing C:\re\cves\cve-2014-4076.exe
[idahunt] Analysing C:\re\DownloadExecute.exe
[idahunt] Analysing C:\re\ReverseShell.exe
Here we start an initial analysis. It finishes after a few seconds:
C:\idahunt>idahunt.py --inputdir C:\re --analyse --filter "filters\names.py -a 32 -v"
[idahunt] ANALYSING FILES
[idahunt] Analysing C:\re\cves\cve-2014-4076.dll
[idahunt] Analysing C:\re\cves\cve-2014-4076.exe
[idahunt] Analysing C:\re\DownloadExecute.exe
[idahunt] Analysing C:\re\ReverseShell.exe
[idahunt] Waiting on remaining 4 IDA instances
Here we cleanup temporary .asm
files created by the initial analysis:
C:\idahunt>idahunt.py --inputdir C:\re --cleanup
[idahunt] Deleting C:\re\cves\cve-2014-4076.asm
[idahunt] Deleting C:\re\DownloadExecute.asm
[idahunt] Deleting C:\re\ReverseShell.asm
We can see the generated .idb
as well as some .log
files that contain the
IDA Pro output window.
C:\idahunt>tree /f C:\re
Folder PATH listing
Volume serial number is XXXX-XXXX
C:\RE
│ DownloadExecute.exe
│ DownloadExecute.idb
│ DownloadExecute.log
│ ReverseShell.exe
│ ReverseShell.idb
│ ReverseShell.log
│
└───cves
cve-2014-4076.dll
cve-2014-4076.exe
cve-2014-4076.idb
cve-2014-4076.log
Here we execute a basic IDA Python script that prints
[script_template] I execute in IDA, yay!
in the IDA Pro output window.
C:\idahunt>idahunt.py --inputdir C:\re --filter "filters\names.py -a 32 -v" --scripts C:\idahunt\script_template.py
[idahunt] EXECUTE SCRIPTS
[idahunt] Executing script C:\idahunt\script_template.py for C:\re\cves\cve-2014-4076.dll
[idahunt] Executing script C:\idahunt\script_template.py for C:\re\cves\cve-2014-4076.exe
[idahunt] Executing script C:\idahunt\script_template.py for C:\re\DownloadExecute.exe
[idahunt] Executing script C:\idahunt\script_template.py for C:\re\ReverseShell.exe
[idahunt] Waiting on remaining 4 IDA instances
Since it is saved in the .log
file, we can check it successfully executed:
Autoanalysis subsystem has been initialized.
Database for file 'ReverseShell.exe' has been loaded.
Compiling file 'C:\Program Files (x86)\IDA 6.95\idc\ida.idc'...
Executing function 'main'...
[script_template] I execute in IDA, yay!
We can filter that it only analyses files with a given pattern in the name
(-n Download
below):
C:\idahunt>idahunt.py --inputdir C:\re --filter "filters\names.py -a 32 -v -n Download" --scripts C:\idahunt\script_template.py --list-only
[idahunt] Simulating only...
[idahunt] EXECUTE SCRIPTS
[names] Skipping non-matching name Download in cve-2014-4076.dll
[names] Skipping non-matching name Download in cve-2014-4076.exe
[idahunt] Executing script C:\idahunt\script_template.py for C:\re\DownloadExecute.exe
[names] Skipping non-matching name Download in ReverseShell.exe
We can create a filter that tells idahunt to only analyse files with a given
extension (-e dll
below):
C:\idahunt>idahunt.py --inputdir C:\re --filter "filters\names.py -a 32 -v -e dll" --scripts C:\idahunt\script_template.py --list-only
[idahunt] Simulating only...
[idahunt] EXECUTE SCRIPTS
[idahunt] Executing script C:\idahunt\script_template.py for C:\re\cves\cve-2014-4076.dll
[names] Skipping non-matching extension .dll in cve-2014-4076.exe
[names] Skipping non-matching extension .dll in DownloadExecute.exe
[names] Skipping non-matching extension .dll in ReverseShell.exe
If you forget to provide the architecture of the files you want to analyse, the
basic filters\names.py
will return an error:
C:\idahunt>idahunt.py --inputdir C:\re --filter "filters\names.py -v -e dll" --scripts C:\idahunt\script_template.py --list-only
[idahunt] Simulating only...
[idahunt] EXECUTE SCRIPTS
[names] Unknown architecture: None. You need to specify it with -a
[names] Skipping non-matching extension .dll in cve-2014-4076.exe
[names] Skipping non-matching extension .dll in DownloadExecute.exe
[names] Skipping non-matching extension .dll in ReverseShell.exe
Protip: you could build your own filter that would detect the architecture automatically using a win32, elf library.
Note: The architecture is required to know in advance due to a limitation of IDA
Pro that contains 2 different executables idaq.exe
and idaq64.exe
to analyse
binaries of the two architectures 32-bit and 64-bit.