Flag: Tornado! Hurricane!

Creating IDA Plug-ins with C# or VB6

Friday, July 15 2005 09:38.53 CDT
Author: dzzie # Views: 48790 Printer Friendly ...

This article highlightstechnique where you can use a high level language such as C# or VB6 to create GUIs for IDA plugins. Why bother? Why not. These two languages make complex UI programming very easy, are easy to debug, and are great for rapid prototyping.

What we will be doing is creating a traditional IDA plug-in stub in VC, which will be used to add menu items to IDA, and export a wrapped set of IDA API functions for the high level language plug-in to utilize. A basic block diagram of what we want to accomplish looks like this:

Conceptual Block Diagram

To make VB6, .NET, and VC all play nice together, we have set up our plug-ins so that they can be accessed as COM Dll's. To access the .NET dll as a COM object, you will have to use the regasm utility to setup the proper registry entries for the interface as well as produce a type library file (.tlb) so we can early bind to it in our VC stub. VB6 can only produce ActiveX DLLs, and already sets up all registry entries and adds the type library information directly to its DLLs during compilation. If you are just trying out the demo, you will still need to register the VB6 sample dll using regsvr32.

So for a quick walk through of the code. In both of our plug-in examples here we are early binding to our Dlls. This means that you should compile the VB6 or .NET dlls first and make sure that binary compatability is set so that their interface GUIDs do not change the next time you compile (or you will have to recompile your stub again). This is not really a problem because the interface we use to launch the plug-ins is very simple and never needs to change. It is only used to initalize the library and runtimes and get it executing. In out VC stub you will see the following declaration:
    #import "./bin_4.7/CSharpIDASample.tlb" raw_interfaces_only

    using namespace CSharpIDASample;

    ICpluginPtr pIPlug(__uuidof(Cplugin));
This uses some VC VooDoo to load the type library interfaces, and create an initalized object pointer instance of our main class. The names of the namespace, class, and Interface pointer are all set in the typelibrary and can be viewed using any type library viewer such as the free demo that comes from Matt Curlands Power VB site or other tools like the Microsoft Ole View utility.

Microsoft Ole View Utility

When it comes time to display our interface, all we have to do is call our class method to launch it. In the example code below, we are passing it the hwnd of the main IDA window so that we can display our form modally. (At this point I have not tried to set it as a MDI child of the main window using SetParent which may also work.)
    int h = (int)callui(ui_get_hwnd).vptr; //ida main window hwnd
    pIPlug->DopluginAction( h , &lRet);
Here the lRet variable will receive the HRESULT COM return value which we dont have to worry about. Once our plug-in form is displayed, the IDA API functionality is accessed via function declares written in our form. These declare statements were made as a way to give VB developers access to stdcall Win32 API and are still present in .NET so that you can access custom C dlls. Below are C prototypes and corrosponding C# and VB6 declares.
C Prototypes:
    int __stdcall NumFuncs(void)
    int __stdcall FunctionStart(int n)
    int __stdcall FunctionEnd(int n)

    Private Declare Function NumFuncs Lib "vcSample.plw" () As Long
    Private Declare Function FunctionStart Lib "vcSample.plw" (ByVal functionIndex As Long) As Long
    Private Declare Function FunctionEnd Lib "vcSample.plw" (ByVal functionIndex As Long) As Long

    public static extern int NumFuncs();
    public static extern int FunctionStart(int index);
    public static extern int  FunctionEnd(int index);
Using this mechanism to access wrapped API exports from our CPP stub gives us alittle more flexability and frees us from having to worring about COM compatability issues relating to changing interfaces. Included in the sample zip are VB6 and C# samples of example IDA plug-ins. In addition to the basic example framework provided, I have also included a file with another 36 IDA API wrappers that you can use in your own projects. If for some reason you would prefer to late bind to the COM objects you can find older examples of that on my site. The reason I use early binding here is that to late bind takes about a page and half of long winded code.

Be sure to read the README files in the applications home directories to learn how to setup the projects. Precompiled binaries are provided for IDA 4.7.

If you would like to play with some more involved samples, I have also made some of my personal plug-ins. Note that these other samples were thrown together relativly quickly from scraps of code so they will probably have their share of bugs.

Anyway, enjoy..


Article Comments Write Comment / View Complete Comments

    Username Comment Excerpt Date
dzzie if you dont have VB dont worry...you can also u... Saturday, December 31 2005 17:06.18 CST
dzzie a lil digging turned up a solution to the modal... Wednesday, July 20 2005 22:31.21 CDT
alexk Wow this is great :) Thanks... I'll be exploring. Saturday, July 16 2005 21:36.48 CDT

There are 31,016 total registered users.

Recently Created Topics
Ultimate Hacking Cha...
let 'IDAPython' impo...
set 'IDAPython' as t...
GuessType return une...
About retrieving the...
How to find specific...
How to get data depe...
Identify RVA data in...
Immunity Debugger Re...

Recent Forum Posts
How to find specific...
Problem with ollydbg
How can I write olly...
New LoadMAP plugin v...
Intel pin in loaded ...
OOP_RE tool available?
OOP_RE tool available?
Should binaries be n...
Problem with ollydbg
!findtrampoline Immu...

Recent Blog Entries
Android Application Reversing

Breaking IonCUBE VM

Anatomy of a code tracer

IAT Patcher - new tool for ...

CryptoShark: code tracer ba...

More ...

Recent Blog Comments
nieo on:
IAT Patcher - new tool for ...

djnemo on:
Kernel debugger vs user mod...

acel on:
Kernel debugger vs user mod...

pedram on:
frida.github.io: scriptable...

capadleman on:
Using NtCreateThreadEx for ...

More ...

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit