ynvb / die Goto Github PK

View Code? Open in Web Editor NEW

466.0 44.0 95.0 5.33 MB

Dynamic IDA Enrichment

License: MIT License

Python 100.00%

die's Introduction

Contributed By Check Point Software Technologies LTD.

Dynamic IDA Enrichment (aka. DIE)

What is it?

DIE is an IDA python plugin designed to enrich IDA`s static analysis with dynamic data. This is done using the IDA Debugger API, by placing breakpoints in key locations and saving the current system context once those breakpoints are hit.

The saved context consist of function arguments and register states, and it is saved upon each function CALL and function RETURN.

DIE takes advantage of IDA`s powerful analysis engine so that when context is taken DIE is fully aware of known function prototypes, data types, structures, unions, arrays and basically every piece of information IDA provides during static analysis.

In order to take this one step further, once context has been saved, DIE attempts to parse the individual data types based on an integrated (and extensible!) value parser framework.

So for example, if the current context has a function argument with type 'CHAR *' DIE will dereference its address and show a human readable ASCII string as value.

If the current context holds a argument with unknown value, DIE will not give up and attempt to guess the value using all relevant parsers.

This parser framework is the real power behind DIE, parser plugins can parse anything from BOOL values to image files to injected code.

The resault is a dynamic databse that holds parsed runtime arguments, which are avilable to the user during static analysis.

I'm not sure I got it, do you have an example?

Well, yes. I'm glad you asked! These videos show DIE in action, check them out if you want to understand a little bit more about how DIE works.

Example Video I

Bypass Password Protection In which we are going to demonstrate how DIE can be used in order to bypass a (very) simple password protection scheme.

Example Video II

Code Coverage In which we will show you how running DIE before even looking at the static analysis helps with code coverage, indirect calls, and function defenitions.

Example Video III

Querying DieDB In which we will show you how to use DIEDB to quickly locate the Explosive trojan de-obfuscation fuction.

I want to write my own value parser plugin

Great, Value parser plugins are the heart of DIE. Without them DIE is practically usless. Check out the value parser writing manual and if your plugin turns out good, share it with the community!

Installation

Prerequisits

IDA >= 6.8 (Only Windows version is currently supported)
Python 2.7

How to install

Simply download DIE and run pip install -r requirements.txt from DIE's directory.
Copy the file die_proxy.py into IDA plugin directory
Create an enviorment variable named DIEDIR and set it's value to DIE directory.

For the Windows Handle parser plugin, you will also need to install PyWin32 (manually :( )

If for some reason you want to install all the dependencies manually:

Yapsy - install using pip install yapsy or your favorite package manager
Pywin32 - install via
Sark - If your IDA version < 7.4: pip install "sark<7.4" otherwise: pip install -e git+https://github.com/tmr232/Sark.git#egg=Sark
yaml - install using pip install pyyaml
attrdict - install using pip install attrdict

die's People

Contributors

Stargazers

Watchers

Forkers

crowell awakecoding quend claudiouzelac amesianx chubbymaggie aussiehash luorui110120 idkwim oppenheim gaurav9991 justdionysus melbshark ida-re-things isra17 flycrane zeuscane truebasic2011 binsrc whyliuxing sjas nihilus iurnah obaby alexwmf pterx apcwowo hackertool damnya rmusser01 cherishlan hsheep yodamaster c4rpi ezio3593 marc-etienne majinxin2003 bibekmahrzn defanlt 453483289 mtowalski zerowindow crazykid199 p-state techlord-rce solertis jamesshew chairgraveyard olivierh59500 snyiu100 a1ext houcy dbuentello heartingrass 4144 crackercat secice cor3sm4sh3r derez0 wgwjifeng shuixi2013 richinseattle perfectswpuboy1 l9sk happydpc seabreg gitmesam arryboom clayne imulmul freemanzyq breathleas tata19884 frank13810055034 5l1v3r1 jingqiangliu tubbz-alt waders909 wliuxingxiangyu requizm jeffli678 3ur0c3nt5y idapluginproject cw2k bsrbhanwarsingh ifeelagood roboschmied zuola221

die's Issues

some bug in this program

in file DIE\Lib\FunctionContext.py,the function getRegisters(self) is not work,it just use idaapi dbg_get_registers,and that just return register definition from the current loaded debugger.
we should feed it ourself.—— in ida 7.0.

Purged Issue

** Purged **

Add support for IDA 6.9

Hello, I'm trying to run it on ida 6.9, but got an error of QDialog on AboutWindow, after i fix it with QWidget, i got an log message output of parsers loaded and nothing else - menu item doesn't appears. Can you please fix it?

DIE fails to initialize if IDA's working directory is not a writable folder

Open C:\Windows\System32\notepad.exe
Acknowledge warning in IDA and save .idb in writable folder (e.g. %temp%\notepad.idb)
Note DIE fails to initialize

This is due to its use of os.getcwd(). (IDA sets its working directory to the input folder, at least on Windows.) It should instead write its config data to either the DIEDIR or perhaps storage it with the IDB via idautils.GetIdbDir().

IDA Version 6.8.150428
DIE main branch commit 39be410

Does not load, no errors. IDA 6.95

I followed the pre-compiled steps, but there is no "DIE" meny choice for me.
I've set a system variable "DIEDIR" to "C:\Program Files (x86)\IDA 6.95\plugins\DIE-master" (tried to add the "\DIE" as well), and copied the die_proxy.py to "C:\Program Files (x86)\IDA 6.95\plugins". I've installed new version on Python27 with pip, and installed the requirements.
Running Win10.

Any idea what to try out? 😃

Support attaching to existing process

Hi ynvb, this is a great plugin. Thanks for sharing. I wonder if it can support attaching to existing process so that remote tracing can become possible.

Currently multi-threading program is not supported?

Hello author, great project! However, I'm having issues when using it in a multi-threaded program. I checked the related code in DebugAPI.py and it seems that the current support for multi-threaded programs is incomplete.

I tried modifying the project myself to add support for multi-threading (Before this, I also modified the code to support Python3 and IDA 8.2.), but there are still bugs. I'm not sure if the bugs are from the plugin itself or if they're related to IDA.

Are you still maintaining this project? If so, I would like to discuss the related code with you.

DIE doesn't collect any information

IDA 6.8, installed all the requirements, loads fine, I see the menu. I set settings as in the code-coverage-hd example video, run my exe file, and then nothing new happens. No new xrefs, no arguments captured.

DIEDb is never unloaded

When switching from one executable to another with IDA open, DIE does not purge the DB. this results in a weird mash-up of values from both executables.

yaspy doesn't seem to exist anymore

(ida_venv) minishwoods tools/DIE ‹master› » pip install yaspy                                               23 ↵
Collecting yaspy
  Could not find a version that satisfies the requirement yaspy (from versions: )
No matching distribution found for yaspy

IDA 7.0: Function View is always empty.

When I select "All threads" or any other thread in "Thread" combobox, I always get this error and nothing happens (function view stay empty).

Traceback (most recent call last):
File "D:\DIE\DIE\UI\FunctionViewEx.py", line 907, in on_thread_combobox_change
self.reset_function_count(thread_id) # reset function count according to currently selected thread
File "D:\DIE\DIE\UI\FunctionViewEx.py", line 626, in reset_function_count
rows = root_item.rowCount()
AttributeError: 'NoneType' object has no attribute 'rowCount'

die_proxy.py: DLL load failed: %1 is not a valid Win32 application

I'm using 64-bit Python, but throws the error as follows:

Traceback (most recent call last):
File "D:\tools\IDAPro6.8\python\idaapi.py", line 601, in IDAPython_ExecScript
execfile(script, g)
File "D:/tools/IDAPro6.8/plugins/die_proxy.py", line 13, in
plugin = imp.load_source(name, plugin_path)
File "D:\tools\IDAPro6.8\DIE\DIE.py", line 7, in
import logging.handlers as handlers
File "C:\Python27\Lib\logging\handlers.py", line 26, in
import errno, logging, socket, os, cPickle, struct, time, re
File "C:\Python27\Lib\socket.py", line 47, in
import _socket
ImportError: DLL load failed: %1 is not a valid Win32 application

Feature request: Sort columns in DIE's views

While I use DIE, I see a need to sort columns in various views of DIE like Value View, Function View... so that I could sort and find the function I want to focus on easier.

Bug with DIE under IDAPro 6.95

Hello. I don't know if DIE is still maintained but here is a blocking issue with IDAPro 6.95

I've installed DIE carefully following instructions and I got this error when IDA starts:

[2] Loading data parsers
die_proxy.py: global name 'idaapi' is not defined
Traceback (most recent call last):
File "D:\IDA695\python\ida_idaapi.py", line 509, in IDAPython_ExecScript
execfile(script, g)
File "D:/IDA695/plugins/die_proxy.py", line 13, in
plugin = imp.load_source(name, plugin_path)
File "D:\IDA695\DIE\DIE.py", line 24, in
import DIE.UI.BPView
File "D:\IDA695\DIE\DIE\UI\BPView.py", line 5, in
from DIE.Lib import BpHandler
File "D:\IDA695\DIE\DIE\Lib\BpHandler.py", line 546, in
_bp_handler = BpHandler()
File "D:\IDA695\DIE\DIE\Lib\BpHandler.py", line 36, in init
self.iat = StaticImports() # Static IAT
File "D:\IDA695\DIE\DIE\Lib\DbgImports.py", line 24, in init
self.get_iat_data()
File "D:\IDA695\DIE\DIE\Lib\DbgImports.py", line 42, in get_iat_data
imp_num = idaapi.get_import_module_qty() # Number of imported modules
NameError: global name 'idaapi' is not defined

Additional info:

DIE installed from a git clone of the latest master downloaded from here.
Python is provided by Anaconda2
all DIE dependencies are installed (with anaconda-provided pip) using DIE's requirements.txt
pywin32 has been also installed through anaconda2.
All dependencies are within the python path.
IDAPython is working. Simple commands (such as "import imp" and " help("imp") " ) entered on CLI within idaq.exe are executed correctly. Even "import idaapi" works
%DIEDIR% exists and points to D:\IDA695\DIE and I tried to point to

Please advise,
Best Regards.

Unhandled IDA Crashes

IDA sometimes crashes when running DIE.
These crashes are inconsistent and seems to be hard to replicate.

can not get parameter of function

there are many errors log in DIE.log,some of them show below

[2015-07-06 12:05:51,851] [ERROR] [DIE.Lib.IDATypeWrapers][IDATypeWrapers.py:235] : Failed to get function arguments for function kernel32_GetCurrentProcessId: object of type 'func_type_data_t' has no len()
[2015-07-06 12:05:51,851] [INFO] [DIE.Lib.FunctionContext][FunctionContext.py:180] : New function was defined at: 0x77751470L
[2015-07-06 12:05:51,851] [ERROR] [DIE.Lib.IDATypeWrapers][IDATypeWrapers.py:235] : Failed to get function arguments for function kernel32_GetCurrentThreadId: object of type 'func_type_data_t' has no len()
[2015-07-06 12:05:51,868] [INFO] [DIE.Lib.FunctionContext][FunctionContext.py:180] : New function was defined at: 0x7775144cL
[2015-07-06 12:05:51,868] [ERROR] [DIE.Lib.IDATypeWrapers][IDATypeWrapers.py:235] : Failed to get function arguments for function kernel32_GetTickCount: object of type 'func_type_data_t' has no len()
[2015-07-06 12:05:51,868] [INFO] [DIE.Lib.FunctionContext][FunctionContext.py:180] : New function was defined at: 0x77751527L
[2015-07-06 12:05:51,868] [ERROR] [DIE.Lib.IDATypeWrapers][IDATypeWrapers.py:235] : Failed to get function arguments for function kernel32_QueryPerformanceCounter: object of

how to sovle it?

DIE Does not load with IDA 6.7

DIE Fails to load with IDA version 6.7

IDA v6.6 Failed to initialize DIE

I get a message when initialization, "Failed to initialize DIE.", it raise an exception MenuHelperException("Failed adding menu item.")

DIE Does not load with IDA 6.6

IDA fails to load when using IDA version 6.6

IDA 7.7 not work 😰

One of my favorite plugins when upgrading my (IDA) I realized that it doesn't run on 7.7
there is no problem with dependencies

I think the fixes are too small for it to run on 7.7 and I don't have any Phytom knowledge to do anything.

IDA 7.7
python-3.10.5

pip3 install -U git+https://github.com/tmr232/Sark.git#egg=Sark

`C:\Isolation\IDA _7.7\plugins\DIE.py: (unicode error) 'unicodeescape' codec can't decode bytes in position 4-5: truncated \UXXXXXXXX escape (C:/Isolation/IDA _7.7/plugins/DIE.py, line 326)
Traceback (most recent call last):
  File "C:\Isolation\IDA _7.7\python\3\ida_idaapi.py", line 579, in IDAPython_ExecScript
    code = compile(raw.decode(encoding), path, 'exec')
  File "C:/Isolation/IDA _7.7/plugins/DIE.py", line 326
    self.add_menu_item_helper("DIE:markexecutionflow", "Mark\Unmark Execution Flow",
                                                                                   ^
SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 4-5: truncated \UXXXXXXXX escape

C:\Isolation\IDA _7.7\plugins\die_proxy.py: (unicode error) 'unicodeescape' codec can't decode bytes in position 4-5: truncated \UXXXXXXXX escape (DIE.py, line 326)
Traceback (most recent call last):
  File "C:\Isolation\IDA _7.7\python\3\ida_idaapi.py", line 580, in IDAPython_ExecScript
    exec(code, g)
  File "C:/Isolation/IDA _7.7/plugins/die_proxy.py", line 13, in <module>
    plugin = imp.load_source(__name__, plugin_path)
  File "C:\Python310\Lib\imp.py", line 170, in load_source
    module = _exec(spec, sys.modules[name])
  File "<frozen importlib._bootstrap>", line 619, in _exec
  File "<frozen importlib._bootstrap_external>", line 879, in exec_module
  File "<frozen importlib._bootstrap_external>", line 1017, in get_code
  File "<frozen importlib._bootstrap_external>", line 947, in source_to_code
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "C:\Isolation\IDA _7.7\plugins\DIE.py", line 326
    self.add_menu_item_helper("DIE:markexecutionflow", "Mark\Unmark Execution Flow",
                                                                                   ^
SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 4-5: truncated \UXXXXXXXX escape`

c++ or java can i do something? but python i have no idea!

DIE fails to load on ida for linux

import of networkx fails

IDA 7.0 not work

[2] Loading data parsers C:\Program Files\IDA 7.0\plugins\die_proxy.py: global name 'idaapi' is not defined Traceback (most recent call last): File "C:\Program Files\IDA 7.0\python\ida_idaapi.py", line 553, in IDAPython_ExecScript execfile(script, g) File "C:/Program Files/IDA 7.0/plugins/die_proxy.py", line 13, in <module> plugin = imp.load_source(__name__, plugin_path) File "c:\Users\x230\Documents\GitHub\DIE\DIE.py", line 24, in <module> import DIE.UI.BPView File "c:\Users\x230\Documents\GitHub\DIE\DIE\UI\BPView.py", line 5, in <module> from DIE.Lib import BpHandler File "c:\Users\x230\Documents\GitHub\DIE\DIE\Lib\BpHandler.py", line 546, in <module> _bp_handler = BpHandler() File "c:\Users\x230\Documents\GitHub\DIE\DIE\Lib\BpHandler.py", line 36, in __init__ self.iat = StaticImports() # Static IAT File "c:\Users\x230\Documents\GitHub\DIE\DIE\Lib\DbgImports.py", line 24, in __init__ self.get_iat_data() File "c:\Users\x230\Documents\GitHub\DIE\DIE\Lib\DbgImports.py", line 42, in get_iat_data imp_num = idaapi.get_import_module_qty() # Number of imported modules NameError: global name 'idaapi' is not defined

Fresh installation on Windows 10 / Python 2.7 / IDA Pro 7.6 cannot import dependencies

I followed the instructions to the letter, when IDA Pro is started, this error happens:

C:\Tools\IDAPro\plugins\die_proxy.py: cannot import name base
Traceback (most recent call last):
  File "C:\Tools\IDAPro\python\2\ida_idaapi.py", line 647, in IDAPython_ExecScript
    execfile(path, g)
  File "C:/Tools/IDAPro/plugins/die_proxy.py", line 14, in <module>
    plugin = imp.load_source(__name__, plugin_path)
  File "C:\Tools\DIE\DIE.py", line 3, in <module>
    import sark
  File "C:\Python27\lib\site-packages\sark\__init__.py", line 14, in <module>
    from . import (core,
  File "C:\Python27\lib\site-packages\sark\code\__init__.py", line 2, in <module>
    from . import base
ImportError: cannot import name base

It might very well be an issue with sark itself, but it still makes me wonder how anyone was able to use DIE at any time?