Flag: Tornado! Hurricane!

Creating IDA Plug-ins with C# or VB6

Friday, July 15 2005 09:38.53 CDT
Author: dzzie # Views: 57320 Printer Friendly ...

This article highlightstechnique where you can use a high level language such as C# or VB6 to create GUIs for IDA plugins. Why bother? Why not. These two languages make complex UI programming very easy, are easy to debug, and are great for rapid prototyping.

What we will be doing is creating a traditional IDA plug-in stub in VC, which will be used to add menu items to IDA, and export a wrapped set of IDA API functions for the high level language plug-in to utilize. A basic block diagram of what we want to accomplish looks like this:


Conceptual Block Diagram


To make VB6, .NET, and VC all play nice together, we have set up our plug-ins so that they can be accessed as COM Dll's. To access the .NET dll as a COM object, you will have to use the regasm utility to setup the proper registry entries for the interface as well as produce a type library file (.tlb) so we can early bind to it in our VC stub. VB6 can only produce ActiveX DLLs, and already sets up all registry entries and adds the type library information directly to its DLLs during compilation. If you are just trying out the demo, you will still need to register the VB6 sample dll using regsvr32.

So for a quick walk through of the code. In both of our plug-in examples here we are early binding to our Dlls. This means that you should compile the VB6 or .NET dlls first and make sure that binary compatability is set so that their interface GUIDs do not change the next time you compile (or you will have to recompile your stub again). This is not really a problem because the interface we use to launch the plug-ins is very simple and never needs to change. It is only used to initalize the library and runtimes and get it executing. In out VC stub you will see the following declaration:
    #import "./bin_4.7/CSharpIDASample.tlb" raw_interfaces_only

    using namespace CSharpIDASample;

    ICpluginPtr pIPlug(__uuidof(Cplugin));
This uses some VC VooDoo to load the type library interfaces, and create an initalized object pointer instance of our main class. The names of the namespace, class, and Interface pointer are all set in the typelibrary and can be viewed using any type library viewer such as the free demo that comes from Matt Curlands Power VB site or other tools like the Microsoft Ole View utility.


Microsoft Ole View Utility


When it comes time to display our interface, all we have to do is call our class method to launch it. In the example code below, we are passing it the hwnd of the main IDA window so that we can display our form modally. (At this point I have not tried to set it as a MDI child of the main window using SetParent which may also work.)
    int h = (int)callui(ui_get_hwnd).vptr; //ida main window hwnd
    pIPlug->DopluginAction( h , &lRet);
Here the lRet variable will receive the HRESULT COM return value which we dont have to worry about. Once our plug-in form is displayed, the IDA API functionality is accessed via function declares written in our form. These declare statements were made as a way to give VB developers access to stdcall Win32 API and are still present in .NET so that you can access custom C dlls. Below are C prototypes and corrosponding C# and VB6 declares.
C Prototypes:
    int __stdcall NumFuncs(void)
    int __stdcall FunctionStart(int n)
    int __stdcall FunctionEnd(int n)


VB6:
    Private Declare Function NumFuncs Lib "vcSample.plw" () As Long
    Private Declare Function FunctionStart Lib "vcSample.plw" (ByVal functionIndex As Long) As Long
    Private Declare Function FunctionEnd Lib "vcSample.plw" (ByVal functionIndex As Long) As Long

C#:
    [DllImport("c_stub.plw")]
    public static extern int NumFuncs();
    
    [DllImport("c_stub.plw")]
    public static extern int FunctionStart(int index);
    
    [DllImport("c_stub.plw")]
    public static extern int  FunctionEnd(int index);
Using this mechanism to access wrapped API exports from our CPP stub gives us alittle more flexability and frees us from having to worring about COM compatability issues relating to changing interfaces. Included in the sample zip are VB6 and C# samples of example IDA plug-ins. In addition to the basic example framework provided, I have also included a file with another 36 IDA API wrappers that you can use in your own projects. If for some reason you would prefer to late bind to the COM objects you can find older examples of that on my site. The reason I use early binding here is that to late bind takes about a page and half of long winded code.

Be sure to read the README files in the applications home directories to learn how to setup the projects. Precompiled binaries are provided for IDA 4.7.

If you would like to play with some more involved samples, I have also made some of my personal plug-ins. Note that these other samples were thrown together relativly quickly from scraps of code so they will probably have their share of bugs.

Anyway, enjoy..

-dzzie

Article Comments Write Comment / View Complete Comments

    Username Comment Excerpt Date
dzzie if you dont have VB dont worry...you can also u... Saturday, December 31 2005 17:06.18 CST
dzzie a lil digging turned up a solution to the modal... Wednesday, July 20 2005 22:31.21 CDT
alexk Wow this is great :) Thanks... I'll be exploring. Saturday, July 16 2005 21:36.48 CDT

There are 31,319 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit