
IDA Pro plug-in "IDA2SQLite3" don't work

Topic created on: February 9, 2010 21:48 CST by mamoun.

Hi folk,
I am using IDA 5.5 and copied one plugin into the plugins directory, but when IDA loads, it says Error (IDA2SQLite3.plw) can't be loaded.

I wanted to use SQLite3 with IDA Pro to extract the function calls from the binary contents.

The plug-in IDA2SQLite3 is working very fine with my IBM laptop. Since I am working in malware and I don’t want to infect my laptop, I got another PC for the experiment. Therefore, I installed IDA Pro 5.5 and Python 2.5, and I copied the ida2sqlite3.plw to “C:\Program Files\IDA\plugins” on the new PC.

But when I run IDA I get this error:

- LoadLibrary(C:\Program Files\IDA\plugins\ida2sqlite3.plw) error: This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.

- C:\Program Files\IDA\plugins\ida2sqlite3.plw: can't load file

I tried to fix it but I couldn’t. Any suggestions?

Thanks!

  sohaib     February 17, 2010 01:27.02 CST
Help required regarding disassembling 186 code!

Q1) I have a hex file which I read from the flash; the processor with which it was interfaced was 80186EB. I need to know how I can disassemble it in IDA Pro 5.5.
When I opened it in IDA, a long disassembled code comes up on the front screen, but I am unable to trace what the entry point is and what the proper flow of the program is. The flash is 128KB, which means it has 17 address lines, whereas the 80186EB has 20 address lines.

Q2) Is there any 16-bit supported IDA debugger?

Regards
Sohaib

  RabidCicada     February 18, 2010 13:30.37 CST
It looks like Sohaib has accidentally hijacked the thread.

I will answer the original poster's question.

DISCLAIMER: I have never compiled a plugin for IDA Pro.

Mamoun: in the totally general case (not specific to IDA Pro plugins), that error usually comes from compiling with a dependency on the C++ Common Run Time DLL or something similar (a dependency on a DLL that is not present in the default module load path on Windows).

Usually that problem is from compiling using MS Visual Studio and forgetting to set it to compile using a static link vs dynamic for the CRT.

To fix that, go to your project properties -> C/C++ -> Code Generation -> RunTimeLibrary and select one of the MultiThreaded options, not a MultiThreaded DLL.

Should be good to go then.

  mamoun     February 23, 2010 04:06.44 CST
Hi RabidCicada,
Thanks a lot. A friend in Korea helped me and his answer was exactly the same as yours. Everything is working fine for me.
Thank you very much.

Another question...
Is there any automatic way to disassemble hundreds of files?

I have about 1000 malware files. I need to disassemble them and generate 1000 databases using the ida2sqlite3 plug-in.

Do you have any idea if there is an automatic way to do it, since the manual way is taking a very long time?

Thanks in advance
Mamoun

  slcoleman     February 25, 2010 12:22.47 CST
Is IDA2SQLite3 a new plugin? I can only find two research papers that reference it, but no source code or binaries. SQLite capability would be an interesting/flexible way to do some more extensive analysis with persistence. I was thinking to roll my own, but if it exists already...

  mamoun     March 3, 2010 20:10.24 CST
Hi slcoleman,
I am not sure whether IDA2SQLite3 is a new plugin or not, since my friend from Korea emailed me the plugin, but I believe that he wrote this plugin.
The plugin extracts a database from the binary content, so if you are after listing the API calls I think this plugin is a great choice for you. I saw many methods to extract the API calls from the binary content and I think this plugin is simple and good to use, but you should be good in the Python programming language.
If you are thinking of doing your own plugin, give it a go and don’t forget to email me a copy of your plugin.
Good Luck
Mamoun

  cseagle     March 3, 2010 20:56.59 CST
mamoun, for your 1000 files problem, you should run IDA in batch mode and have an IDC script run the IDA2SQLite3 plugin for each file. Read this post in Ilfak's blog for more information: http://hexblog.com/2007/03/on_batch_analysis.html

  mamoun     June 2, 2010 23:39.02 CDT
Hi Folk,

The code below shows how to disassemble multiple files automatically and call the plugin you want. All the best,

Regards,
Mamoun Alazab


#---------------- Begin of python script -----------------#
#
# Author: Topo <topo@coresecurity.com>
# Edit: Mamoun Alazab <mamounazab@yahoo.com>
#
from os import listdir, path, system, makedirs
from sys import argv, exit
from threading import Thread
from shutil import copy

try:
    import Queue            # Python 2
except ImportError:
    import queue as Queue   # Python 3 renamed the module

IDA_PATH        = 'c:\\program files\\ida\\idag.exe'
IDA_PARAMS      = '-c -A -Smyanalysis.idc'
#IDA_Plugin      = '-Oida2aqlit3'

WORKER_THREADS  = 2 # set this number to the number of processors

g_files_queue   = Queue.Queue() # global queue of files to process

#
# Name: IDAExecutor
#
class IDAExecutor(Thread):

    def __init__(self):
        Thread.__init__(self)

    def run(self):
        file = ''
        while 1:
            try:
                file = g_files_queue.get(False)
            except Queue.Empty:
                return
            else:
                cmd = 'cmd /c \"\"%s\" %s \"%s\"\"' % (IDA_PATH, IDA_PARAMS, file)
                system(cmd)

#
# Name: get_files_list
#
def getFilesList(params, verbose):

    # Get the list of files across multiple directories
    for currpath in params:
        if verbose: print('[=] Searching files in directory: %s' % currpath)

        # Normalize path
        currpath = path.abspath(currpath) + '\\'

        upperdir    = path.abspath(currpath + '..\\')
        currdir     = path.basename(currpath[:-1])

        # Get the list of files in this directory
        templist = listdir(currpath)

        for file in templist:
            if not path.isdir(currpath + file):
                # create the new directory for the current file
                # (skipped if a previous run already created it)
                newdir = '%s\\%s - %s' % (upperdir, file, currdir)
                if not path.isdir(newdir):
                    makedirs(newdir)

                # copy the file to its new directory
                copy(currpath + file, newdir)

                # queue the file full path to process
                g_files_queue.put(newdir + '\\' + file)

                # Print the name of the file just queued
                if verbose:
                    print('[+] Added file: %s' % file)

#
# Name: process_files
#
def processFiles():

    print('\n[+] Starting files processing. This will take some minutes...\n')

    # Start the worker threads that initiate the IDA analysis
    IDA_threads = []
    for i in range(WORKER_THREADS):
        IDA_threads.append(IDAExecutor())
        IDA_threads[-1].start()

    # Wait for the worker threads to finish their jobs and exit
    for thread in IDA_threads:
        thread.join()

if __name__ == "__main__":

    if len(argv) == 1:
        print(' Invalid parameter\n'
              ' usage: python %s <first path to modules> <second> ...' % argv[0])
        exit(-1)

      
    getFilesList(argv[1:], 1)
    processFiles()
    

#----------------- End of python script ------------------#

  mamoun     June 2, 2010 23:42.36 CDT
Regarding my question above, if you get the errors:

The error:
- LoadLibrary(C:\Program Files\IDA\plugins\ida2sqlite3.plw) error: This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.

- C:\Program Files\IDA\plugins\ida2sqlite3.plw: can't load file


I have solved this error by installing the "Visual C++ 2005 SP1 Redistributable Package (x86)" from the Microsoft website.

Regards,
Mamoun Alazab
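
Added example (not part of the original thread, and not the plugin's own code): the LoadLibrary error discussed above appears when a module's embedded side-by-side manifest names a Visual C++ runtime assembly that is not installed, which is why both static CRT linking and installing the redistributable resolve it. This Python 3 sketch reads a module as bytes and lists the runtime assemblies its manifest requests. Assumptions: the manifest is stored as plain ASCII/UTF-8 XML inside the file, and all function names and the two sample byte strings are constructed for illustration.

```python
import re

# <dependentAssembly> blocks of the side-by-side manifest embedded in a PE file.
_DEPENDENT = re.compile(rb"<dependentAssembly>(.*?)</dependentAssembly>", re.S | re.I)
_IDENTITY = re.compile(rb"<assemblyIdentity\b([^>]*?)/?>", re.S | re.I)
_ATTR = re.compile(rb"""([\w.:-]+)\s*=\s*(["'])(.*?)\2""", re.S)
# Assumption: runtime assembly families of Visual Studio 2005 (VC80) and 2008 (VC90).
CRT_PREFIXES = ("Microsoft.VC80.", "Microsoft.VC90.")


def sxs_dependencies(blob):
    """Return one attribute dict per assembly the embedded manifest depends on."""
    deps = []
    for block in _DEPENDENT.findall(blob):
        for raw in _IDENTITY.findall(block):
            attrs = {k.decode("ascii").lower(): v.decode("utf-8", "replace")
                     for k, _quote, v in _ATTR.findall(raw)}
            if "name" in attrs:
                deps.append(attrs)
    return deps


def crt_dependencies(blob):
    """(name, version) of each Visual C++ runtime assembly requested from WinSxS."""
    return [(d["name"], d.get("version", "?"))
            for d in sxs_dependencies(blob)
            if d["name"].startswith(CRT_PREFIXES)]


def scan_file(path):
    """Read a .plw/.dll from disk as bytes (it is never loaded or executed)."""
    with open(path, "rb") as fh:
        return crt_dependencies(fh.read())


# Constructed sample: stand-in for a plugin linked against the CRT DLL (/MD).
SAMPLE_DYNAMIC = b"MZ" + b"\x00" * 62 + b"""<assembly manifestVersion="1.0">
  <dependency><dependentAssembly>
    <assemblyIdentity type="win32" name="Microsoft.VC80.CRT"
                      version="8.0.50727.762" processorArchitecture="x86"/>
  </dependentAssembly></dependency>
</assembly>"""
# Constructed sample: a statically linked build (/MT) carries no such dependency.
SAMPLE_STATIC = b"MZ" + b"\x00" * 126

if __name__ == "__main__":
    print(crt_dependencies(SAMPLE_DYNAMIC))
    print(crt_dependencies(SAMPLE_STATIC))
```

Running `scan_file` on a plugin before copying it to an isolated analysis machine shows which redistributable that machine needs; an empty list means the failure has another cause.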

  ishant7890   March 15, 2011 05:30.36 CDT
Greetings to everyone,

I need your help, guys. I am trying to disassemble the exe file, document its API calls and make an .idb file (database) so that malware can be analysed. This is part of my final year project.

Please help

Regards

  0xvoila     March 15, 2011 10:18.16 CDT
ishant7890: hi..

From which college are you doing your Computer Engineering? Well, your question itself is incomplete. Elaborate on it more.

  ishant7890   March 21, 2011 01:17.50 CDT
Hello, I am doing my comp engg from NMIT Blore (www.nmit.ac.in), India. See, my project is basically about finding an alternate approach to signature-based malicious code detection, so I thought to go for feature-based detection. But I am not able to proceed in the right direction.
