Flag: Tornado!
Hurricane!
|
|
| APIScan_22.zip |
209 KB |
Feb 8 2008 |
APIScan 2.2 By Sirmabus
=============================================================================
Intro
------
APIScan is a simple tool to gather a list of APIs that a target process uses.
You can use this list in an initial analysis to help determine a target's
general operating nature. Also can be used to help determine patch/update
changes by doing a WinDif on "before" and "after".
There are similar tools, often more robust (like "Dependency Walker"), but
most of these just parse the target IAT ("Import Address Table") alone.
APIScan catches dynamically/delayed loaded modules too; and dumps them as a
simple list.
While only tested only on Windows XP SP2 32bit, should work on everything from
W2K to Vista) 32bit only.
How to use it:
---------------
Two ways of running APIScan: Invoke it directly (a file dialog will come up),
or run it from the command line. The command line will allow passing
parameters to the target.
I.E. "APIScan C:\MyTarget\TheTarget.exe -P MyParms -C MoreParms"
Once you started the target:
1. Run it, excising it's options that should cause any modules to be loaded
dynamically, etc.
2. Exit the target application. Even though the APIScan splash screen is
gone, the hook DLL continues to collect information until the application
is fully closed. Only after this point is the output list file complete
and valid.
The output file:
-----------------
The output file (to be stored in the target directory) is simply a list of
alphabetically sorted modules followed by the API call names. The calls are
listed (unsorted) as they are parsed and loaded.
The API flags provide some additional information:
'I' = There is one or more IAT reference.
'D' = One or more times the API was dynamically loaded (via
GetProcAddress()").
'O' = One or more reference where the API was accessed via ordinal.
'F' = One or more attempted dynamic load that failed (as in if the module or
the export doesn't exist)
How it works:
--------------
It loads the specified process and injects "apiscan.dll" into it before it
runs. "apiscan.dll" first parses the targets IAT(s) and then apples a
"GetProcAddress()" API hook to it. This hook should catch all attempts at
delayed and dynamic API loading. The DLL will continue to be resident inside
the target collecting data until the application is closed. Upon closing
(detach stage) the data is collated and the list file saved into the target-
/source path.
Know issues:
-------------
1. The "GetProcAddress()" hook catches all references target process wide.
So even APIs dynamically/delayed loaded in modules will show up in the
list. In the future there might be a switch to select main module, or
"all".
2. Won't catch applications using low level ways to load APIs like
"LdrGetProcedureAddress()" from "ntdll.dll". Using "GetProcAddress()" is
the WinOS independent way for now.
3. If the target application uses a loader, APIScan will only see/collect data
form that process, it doesn't currently ride along to child processes.
This could be done (more API hooks) in the future.
4. Might not work correctly with packed, and, or protected processes
Not surprising, this is the same problem one might run in to with any
similar tool.
One might have to unpack, and, or unprotect the process first.
APIScan could get around some of this in the future by hooking at a lower
level layer.
Changes:
--------
2.2 Got rid of the index numbers around the DLL and API dumps, that made
WinDiff'ing a mess.
2.1 Fixed a bug that would occasionally not flag 'O' (ordinal) for some APIs.
Ordinal export names now resolved (when possible) from the IAT too.
Now sorts API names too to make the output more consistent and
useful with WinDif.
2.0 Reworked with a much better and simpler API hooking then 1.0b.
Just a single text file output now, no .CSV output file.
Ordinal references are resolved to export name strings if possible.
1.0b Initial version.
Terms of Use
------------
This software is provided "as is", without any guarantee made as to its
suitability or fitness for any particular use. It may contain bugs, so use
this software is at your own risk. We take no responsibly for any damage
that may unintentionally be caused through its use.
|
| Class_Informer101.zip |
386 KB |
Apr 2 2009 |
"Class Informer"
=========================================================
IDA Pro 5.xx Win32 class vftable finder, namer, fixer, lister plug-in.
Version 1.01, April 2009
By Sirmabus
---------------------------------------------------------
Scans an MSVC 32bit target IDB for vftables with C++ RTTI, and MFC RTCI type
data. Places structure defs, names, labels, and comments to make more sense of
class vftables ("Virtual Function Table") and make them read easier as an aid
to reverse engineering.
Creates a list window with found vftables for browsing.
RTTI ("Run-Time Type Identification"):
http://en.wikipedia.org/wiki/RTTI
RTCI ("Run Time Class Information") the MFC forerunner to "RTTI":
http://msdn.microsoft.com/en-us/library/fych0hw6(VS.80).aspx
It's currently targeted specifically for Microsoft Visual C++ 32bit complied
binaries only. Will get unpredictable results if used on other targets.
Currently somewhat limited for other then the norm of vftables being in
".rdata", and code in the ".text" segments.
Based off of the article and IDC scripts by Igor Skochinsky:
http://www.openrce.org/articles/full_view/23
http://www.openrce.org/downloads/details/196
And derivative work:
http://www.blackhat.com/presentations/bh-dc-07/Sabanal_Yason/
Paper/bh-dc-07-Sabanal_Yason-WP.pdf
-- [Install] --------------------------------------------
Copy the plug-in to your IDA Pro 5.xx "plugins" directory.
Then edit your "..\plugins\plugins.cfg" to setup with a hotkey.
IE: Add these two lines:
; Sirmabus "Class Informer" plug-in
Class-Informer IDA_ClassInformer_PlugIn.plw Alt-7 0
See IDA documentation for more on installing and using plug-ins.
-- [How to run it] --------------------------------------
Invoke as typical in IDA with hot key, or through IDA's Edit->Plugins menu.
If you are working on an unpacked target, you should fix the PE sections
and name the ".text" and ".rdata" segments you want to examine.
It will typically run from a few seconds to several minutes, depending on the
size of the target, and generally how fast your machine is (with hard drive
speed being a contributing factor).
Since version 1.01, placing structures is only about 2x slower not 40x!
So using the place structures option is less of a burden.
Try using my "Extra Pass" plug-in first for best results, as the ".text" clean-
up might expose more validated tables.
On completion a list window will come up showing any found vftables and
and class information.
Click on a line to jump to it.
If you want to save the list to text file, get a debug output viewer like
Mark Russinovich's excellent "DebugView" at:
http://technet.microsoft.com/en-us/sysinternals/bb896647.aspx
Example list output:
0046769C 077 CEdit:CWnd, CCmdTarget, CObject; (SI)
This is: vftable address, method count, then class hierarchy, and ended with
some additional class info.
To make things easier to read, all known type names are considered to be a
"class" unless explicitly proceeded with "struct" to indicate "structure" type.
The addition info at the end:
"(SI)" single inheritance hierarchy, "(MI)" multiple inheritance,
"(VI)" virtual inheritance, or "(MI VI)" multiple virtual inheritance.
If there is an absence of one of these then it's a MFC 'RTCI' type.
Using latest IDA SDK and tested on versions 5.2 and 5.3,.
-- [Design] -------------------------------------------
I read Igor Skochinsky's excellent article "Reversing Microsoft Visual C++"
some time ago. But only recently tried his IDC scripts accompanying the article.
I was amazed at how well it worked in identifying vftables with type info and
how it cleaned the IDB up (a large MSVC compiled target).
IMHO it can be overlooked if you RE'ing MSVC C++ targets.
I wanted to put it into a plug-in for speed, flexibility, and as a general test
bed for R&D on the area.
I originally wanted to have automatic member naming.
The idea being to take the class name and at least partially naming
member functions (mostly ignoring calling and returning arguments).
But decided it probably isn't that useful.
And there will probably be a lot of redundancy that can ends up in custom sigs,
as noise.
Also the same reasoning I did not use the ctor and dtor identifications
found in Igorsk's scripts.
For my RE work I just want to see these classes by name, and where to find
them for examination.
Essentially, it works a lot like Igorsk's scripts, with some differences like
doing MFC 'RTCI' types, placing type structures (rather then the individual
fields), and does static/global ctor/dtor processing.
I got tired of IDA's only partially functioning wait box, so I
sub-classed it. Should now have near instant cancel when you click the "Cancel"
button or press the "break" key.
And to better show progress, I fancied it up a bit with with a progress bar,
and indicator w/text animation.
-- [Known problems] -----------------------------------
For some odd reason, when you first load a IDB and activate the plug-in, IDA does
something that causes it to be active (in plug-in terms "autoIsOk() == FALSE").
Just invoke the plug-in again to pass it.
Please report any (other) problems, and, or errors to me at openrce.org,
or woodmann.com,.
-- [Changes] ------------------------------------------
1.01 - 1) No longer pops up an error and exits IDA when an incompatible IDB is loaded!
Just displays a "not loaded" log message now.
2) Fixed IDA tab page update issue.
3) Now built with IDA SDK 5.4, and tested with IDA 5.4.
4) Fixed incorrect string placement in the RTTI type info struct.
Now the structures are right which make a cleaner DB.
This was a major bottleneck that caused the structure placement to be about
36x slower, now only about 1x.
5) Fixed some misspellings.
-- [TODO] ---------------------------------------------
Get compiler specific info for at least other popular compilers (Intel,
Borland, GCC, etc).
- Sirmabus
Terms of Use
------------
This software is provided "as is", without any guarantee made as to its
suitability or fitness for any particular use. It may contain bugs, so use
this software is at your own risk. The author(s) are not responsible for
any damage that may be caused through its use.
|
| IDA2PAT_Reloaded.zip |
63 KB |
Aug 7 2008 |
Yet another IDB2Sig/IDB2PAT plug-in for IDA Pro with some improvements.
Instead of relying on broken function types/tags, this uses function name text patterns.
Easier to go from one IDA DB to the next for updated targets, easier to update function names, don't have to combine multiple .PAT files, etc.
And as fast as TQN's version with out the huge buffer.
See the help file for more info.. |
| IDA_ExtraPass_PlugIn21.zip |
72 KB |
Feb 8 2008 |
"IDA_ExtraPass_PlugIn"
An IDA Pro 5.xx Win32 executable clean up plug-in.
By Sirmabus V: 2.1
IDA Pro is amazing, IMHO the best disassembler of it's class.
But it's nice to have perfect disassemblies. Certain targets just
don't disassemble very well. In particular heavy C++ OOP created programs,
ones with embedded script systems (with a zillion little bind stubs), etc.
You could be miss something important in your reversing work.
If you didn't know, you can manually clean/fix an IDA Pro database by hand.
Start at the top of the code sections (I.E. ".text") and text search down for
each " dd ", then " db ", make them "unknown" then fix code and data where
needed. You'll find blocks of missed code, messed up arrays/tables that are
actually code, not data, etc.
Normally this will work easy enough, but try this on a huge 10mb EXE (that could
be a 100mb+ database!) and watch the tedious hours roll by. After doing this a few
times, some times taking over eight hours; There had to be a better way..
This is where this plug-in comes in. It simply duplicates the manual steps above
(and a few more) automatically. It's not perfect, you'll still probably need
to do at least some manual fixing, but it can cut off hours of work.
It does essentially four passes:
1. Convert all stray data to "unknown" (for the following passes).
2. Fixes "align xx" blocks.
These are internally runs of CCh (int 3), or 90h ('nop') bytes.
3. Scans for missing code. Basically tells IDA to convert stray data bytes to code.
Finds new blocks of codes, or reverts back to data (unfortunately such as in return'less
exception blocks, or unfortunately some times messes up data/index tables.
4. Finds missing/undefined functions. It does this by finding gaps from the end of one
function to the next.
The plug-in will error on the side of code that can potentially mess up
data/index tables (kind used with C/C++ "switch()" statements), but the
sacrifice is for the better IMHO. The assumption most will want
to find and examine code first, data second.
It's better to run this plug-in just after initial IDA analyze, after the
first save and before you actually start your major work on it.
It's intended for typical Win32 binary executables, so it may, or may not work
on other targets, the odd complied code, etc.
In particular Delphi programs, or any other that tend to mix data and code a lot
in the same section. In the end you might end up with less functions then when you
started. To catch this problem, again be sure to save first, then after the plug-in
has run, look in the IDA log window for a negative found function count.
[Install]
Copy the plug-in to your IDA Pro 5.xx "plugins" directory.
Edit your "plugins.cfg' with a hotkey to run it, etc., as you would install any other
plug-in. See the IDA docs for more help on this.
[How to run it]
1. Make a backup of your IDA Pro DB. If there are adverse effects, you can
restore to your backup.
2. Run the plug-in. Here you have a choice of which passes to run.
Normally you want them all checked, but if say you are working on a Delphi
exe you might just want to use the last two options to fix alignment blocks,
and find missing functions.
Currently the plug-in will process just the first CODE segment it finds.
Usually this will be the ".text" segment.
3. If you touch your screen, if you click off the IDA window, IDA will look like
it locked up. Appears to be a message pump thread starvation issue.
Don't know if this can be fixed as it appears other plug-ins have the same problem.
Some times you can fix it by minimizing then restoring the IDA window.
If all else fails and you are not sure what is going on, hold down the "Pause/Break"
key and the plug-in should abort.
4. Let it run and do it's passes..
It might take a while. On my Core2 Duo 3Ghz, it took about 12 minutes
to do all passes on a large 11mb (50mb IDA DB) exe.
When it's done and all goes well there should be a plus number of "Found-
functions:" (a before and after function count), and a lot less gray spots
on your IDA's navigator scale bar!
For best results, run the plug-in at least two times.
On a particular bad 11mb exe I tested, it recovered ~13,000 missing functions on the
first, ~1000 on 2nd, and ~900 on 3rd runs!
To make the DB real clean I still had to go through it manually, but the
time spent is much shorter then the laborious hours..
[Changes]
2.1 - Jan, 18, 2008 - Fixed an obvious issue in the missing function detection.
Works much better now finding a lot more functions.
When a problem function is found, it's start address is output
to the log window for the user to click on and inspect and fix.
Added IDA wait dialog.
2.0 - Nov, 25, 2007 - Put in the passes for alignment blocks and finding missing
functions.
Put a wrapper around "jump" to fix an occasional crash.
Converted to VS2005 and added some speed optimizations.
Added UI to allow selection of what operations to do.
1.1 - Aug, 28, 20007 - Put WORD scanning back in, and now only attempts
to restore code only in the final (byte) pass.
This ends up with more code recovered and makes the
whole process faster.
-Sirmabus
Terms of Use
------------
This software is provided "as is", without any guarantee made as to its
suitability or fitness for any particular use. It may contain bugs, so use
this software is at your own risk. The author(s) no responsibly for any
damage that may unintentionally be caused through its use.
|
| IDA_FunctionStringAssociate_PlugIn.zip |
56 KB |
May 13 2008 |
"Function String Associate"
An IDA Pro 5.xx plug-in that automatically comments functions by strings
it has inside it.
By Sirmabus V: 1.0B
From the chaos of a 10,000+ functions et al, this plug-in is to help
reverse by extracting various "assert"(1), etc. strings, making some sense
of them and adding them as a function comment.
As you browse around, at a glance the comment might show a bit what the
functions purpose is.
Works best (of course) for targets that have a lot of string references in
them. Some will have many, some will have none.
<(1) http://en.wikipedia.org/wiki/Assert>
[Install]
Copy the plug-in to your IDA Pro 5.xx "plugins" directory.
Edit your "plugins.cfg" with a hotkey to run it, etc.
See the IDA docs for more help on this.
Example:
"FunctionStringAssociate IDA_FunctionStringAssociate_PlugIn.plw Alt-6 0"
[How to run it]
Just invoke it using your selected IDA hot-key or from "Edit->Plugins".
[How it works]
Iterates every function, for each function iterates elements looking for
strings. Then sorts, these strings, etc., with some assumption about
relevance.
-Sirmabus
Terms of Use
------------
This software is provided "as is", without any guarantee made as to its
suitability, or fitness for any particular use. It may contain bugs, so use
this software is at your own risk. The author takes no responsibly for
any damage that might be caused through its use.
|
| IDA_FunctionStringAssociate_PlugIn.zip |
56 KB |
May 13 2008 |
"Function String Associate"
An IDA Pro 5.xx plug-in that automatically comments functions by strings
it has inside it.
By Sirmabus V: 1.0B
From the chaos of a 10,000+ functions et al, this plug-in is to help
reverse by extracting various "assert"(1), etc. strings, making some sense
of them and adding them as a function comment.
As you browse around, at a glance the comment might show a bit what the
functions purpose is.
Works best (of course) for targets that have a lot of string references in
them. Some will have many, some will have none.
<(1) http://en.wikipedia.org/wiki/Assert>
[Install]
Copy the plug-in to your IDA Pro 5.xx "plugins" directory.
Edit your "plugins.cfg" with a hotkey to run it, etc.
See the IDA docs for more help on this.
Example:
"FunctionStringAssociate IDA_FunctionStringAssociate_PlugIn.plw Alt-6 0"
[How to run it]
Just invoke it using your selected IDA hot-key or from "Edit->Plugins".
[How it works]
Iterates every function, for each function iterates elements looking for
strings. Then sorts, these strings, etc., with some assumption about
relevance.
-Sirmabus
Terms of Use
------------
This software is provided "as is", without any guarantee made as to its
suitability, or fitness for any particular use. It may contain bugs, so use
this software is at your own risk. The author takes no responsibly for
any damage that might be caused through its use.
|
| IDA_GUID-Finder_PlugIn10B.zip |
342 KB |
Jan 17 2008 |
A GUID/UUID finding/fixing plug-in.
Like Frank Boldewin's IDA Python script:
http://www.openrce.org/downloads/details/250/ClassAndInterfaceToNames
but as a plug-in with some enhancements.
The COM side of RE'ing (at least with "dead listing") can be pretty elusive.
With this you can at least partially glean what interfaces and classes a target is using.
This plug-in scans the IDB for class and interfaces GUIDs and creates the matching structure with label. IDA can find these on it's own, but it often misses them, so this can fill in the gap.
Plus this plug-in allows you to easily add custom declarations, and is handy to do
a general audit for such GUIDs.
|
| IDB2PAT_and_IDACompare_5.zip |
43 KB |
Sep 7 2007 |
IDB2PAT and David Zimmer's "IDACompare" that works with
IDA Pro 5.xx.
|
| OpenSSL_Sigs1.zip |
286 KB |
Feb 1 2009 |
Some not so complete OpenSSL sigs for static libs for
Windows.
Since there is no standard library distribution, such sigs
made of libraries like these may or not match.
But chances are you'll get some matches, that might be some help.
|
|
|
|
|
There are 31,328 total registered users.
|
|
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}