Repository Details

Run IDA Pro disassembler in Docker containers for automating, scaling and distributing the use of IDAPython scripts.

Docker IDA

Run IDA Pro by Hex Rays disassembler in Docker containers. Ideal for automating, scaling and distributing the use of IDAPython scripts to perform large-scale reverse engineering tasks.


Our blog: http://www.intezer.com/blog/

Requirements

  • Machine with Docker installed. Install Docker
  • IDA Pro Linux version installation file (.run) and a valid license for running multiple instances. Get IDA Pro

Installation

  1. Clone docker-ida repository:

    $ git clone https://github.com/intezer/docker-ida
    
  2. Copy IDA Pro installation file to the repository's ida directory:

    $ cp <ida-installation-file-path> docker-ida/ida/ida.run
    
  3. Build IDA docker image:

    $ sudo docker build -t ida --build-arg IDA_PASSWORD=<password> docker-ida/ida
    

    Note: It is recommended to push the built image to a private Docker Hub repository (see Pushing a repository to Docker Hub); otherwise you have to build the image on every machine.

Start an IDA Service Container

An IDA service container receives IDA commands over HTTP and executes them. To start a container, run this command:

$ sudo docker run -v <host_shared>:/shared -p <host_port>:4000 -it ida -c <cores> -t <timeout>

  • <host_shared> is a local directory on the host containing the files you want IDA to work with: scripts, files to disassemble, etc.

    Note: If you use Docker Toolbox on Windows, you might run into path-parsing issues. Prefix the paths with // (see the discussion on Stack Overflow).

  • <host_port> is the port on the host that is published for this container; clients connect to it to reach the container (see Publish port).

  • <cores> is the number of IDA worker processes. Use at most 4 workers per CPU core on the host. Default is 8.

  • <timeout> is the server timeout for each request. Default is 30.

Note: To run multiple containers on the same host, publish each container on a different host port.

Usage

On the server:

  • Start two IDA containers as daemons:

    $ sudo docker run -v /path/to/current/folder/docker-ida/example_volume:/shared -p 4001:4000 -d ida -c 4
    $ sudo docker run -v /path/to/current/folder/docker-ida/example_volume:/shared -p 4002:4000 -d ida -c 4
    

On the client:

  1. Install ida_client Python library:

    On Windows:

    $ pip install "git+https://github.com/intezer/docker-ida#egg=ida_client&subdirectory=ida_client"
    

    On Linux / Mac OS X:

    $ pip install 'git+https://github.com/intezer/docker-ida#egg=ida_client&subdirectory=ida_client'
    

    Note: pip version must be 8.1.1 or higher

  2. Send commands to the containers using the Python library:

    >>> import ida_client
    >>>
    >>> client = ida_client.Client(['http://localhost:4001', 'http://localhost:4002'])
    >>>
    >>> client.send_command('idal -Sextract_file_functions.py -A zlib.dll.sample', timeout=600)
    True
    >>>
    >>> files = ['zlib.dll.sample', 'Win32OpenSSL.sample']
    >>>
    >>> # Building list of commands to send at once
    >>> commands = ['idal -Sextract_file_functions.py -A %s' % file for file in files]
    >>>
    >>> client.send_multiple_commands(commands, timeout=600)
    [True, True]
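The fan-out that send_multiple_commands performs above, as an added example that is not part of the docker-ida project or the ida_client library: a dispatcher hands each command round-robin to one of several service URLs with a per-request timeout, and a request that does not finish in time reports False instead of stalling the rest of the batch. The README does not describe the service's wire format, so the endpoint used here (POST /command with a JSON body) and the stub server standing in for the containers are assumptions made for this example; the client call shape (send_command, send_multiple_commands) mirrors the listing above. Python 3.

```python
import json
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib import request


class StubIdaService(BaseHTTPRequestHandler):
    """Constructed stand-in for an IDA service container (assumption: the
    real service's protocol is not described in the README).  It accepts
    POST /command with {"command": ...}; a command mentioning 'slow' takes
    1.5 s to finish, so a short client timeout exercises the failure path."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        if self.path != "/command":
            self.send_error(404)
            return
        if "slow" in body.get("command", ""):
            time.sleep(1.5)
        payload = json.dumps({"ok": True}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass  # keep the demo quiet


class QuietServer(ThreadingHTTPServer):
    block_on_close = False  # do not wait for a handler whose client already gave up

    def handle_error(self, request, client_address):
        pass  # a broken pipe from a timed-out client is expected in this demo


def start_stub():
    """Bind a stub service on an ephemeral loopback port; returns (server, url)."""
    server = QuietServer(("127.0.0.1", 0), StubIdaService)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    return server, "http://%s:%d" % (host, port)


class Client:
    """Dispatches commands round-robin over the service URLs it was given.
    Same call shape as ida_client.Client in the README; the body is this example's."""

    def __init__(self, urls):
        self.urls = list(urls)
        self._next = 0
        self._lock = threading.Lock()

    def _pick(self):
        with self._lock:
            url = self.urls[self._next % len(self.urls)]
            self._next += 1
        return url

    def send_command(self, command, timeout=30):
        """POST one command; True when the service answers ok, False on
        timeout, connection failure, HTTP error or an unparsable reply."""
        data = json.dumps({"command": command, "timeout": timeout}).encode()
        req = request.Request(self._pick() + "/command", data=data,
                              headers={"Content-Type": "application/json"})
        try:
            with request.urlopen(req, timeout=timeout) as resp:
                return bool(json.loads(resp.read()).get("ok"))
        except (OSError, ValueError):  # URLError, HTTPError and socket timeouts are OSErrors
            return False

    def send_multiple_commands(self, commands, timeout=30):
        """Run a batch concurrently, one worker per container; results keep
        the order of `commands`, like the README's [True, True]."""
        with ThreadPoolExecutor(max_workers=len(self.urls)) as pool:
            return list(pool.map(lambda c: self.send_command(c, timeout), commands))


def demo():
    """Two stub containers: one fast command, then a batch whose second
    command exceeds its timeout.  Returns (True, [True, False])."""
    servers = [start_stub() for _ in range(2)]
    client = Client(url for _, url in servers)
    try:
        single = client.send_command(
            "idal -Sextract_file_functions.py -A zlib.dll.sample", timeout=5)
        batch = client.send_multiple_commands(
            ["idal -Sextract_file_functions.py -A zlib.dll.sample",
             "idal -Sextract_file_functions.py -A slow.sample"], timeout=0.5)
    finally:
        for server, _ in servers:
            server.shutdown()
            server.server_close()
    return single, batch


if __name__ == "__main__":
    print(demo())
```

The stubs listen on loopback only, and the same consideration applies to real containers: the service executes whatever command it is handed, so a mapping such as `-p 127.0.0.1:4001:4000` keeps the port off external interfaces when the client runs on the same host, and remote clients should reach the containers only over a network you control.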

Advanced Usage

  • Add additional Python libraries to the repository's ida/requirements.txt before building the image.

    The Sark library is already installed for rapid IDAPython scripting.

  • For 64-bit files, use idal64 instead of idal:

    >>> client.send_command('idal64 -Sida_python_script.py -A sample_x64.exe', timeout=600)
    True

  • You can use any of the IDA command line arguments (except for GUI-related switches).

Troubleshooting

If the script doesn't run correctly:

  • Examine the log files in the volume <host_shared>/logs/. Each container has a different log file named <container-name>-ida-service.log
  • Make sure the IDAPython script is Python 2.7 compatible; Python 3.x is not supported in IDAPython.
  • Make sure to add Python libraries to requirements.txt before building the Docker image. After requirements.txt changes, rebuild the image and recreate the containers for the change to take effect.
  • Make sure the paths to the IDAPython scripts and files to disassemble in the send command are relative to the <host_shared> volume.
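Building the command strings from file names, for both the list comprehension in the Usage listing and the idal64 call under Advanced Usage, while enforcing the rule above that every path must be relative to the <host_shared> volume. This is an added example, not code from docker-ida or ida_client. It assumes scripts and samples live under the volume mounted at /shared (the -v mapping used when starting the containers) and that the commands being built have the shape `idal -S<script> -A <sample>`. The service runs the command it receives, so when sample names arrive from an upstream queue rather than from an operator, refusing `..`, absolute paths and shell metacharacters on the client side keeps a crafted name from pointing IDA at files outside the volume and gives a clear error instead of a puzzling entry in the container's log.

```python
import posixpath
import re

# Allow-list for one path component: letters, digits, dot, underscore, dash.
# Anything a shell or IDA's -S/-A parsing could misread (spaces, quotes, $, ;,
# |, backticks) is rejected outright.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9._-]+$")
SHARED = "/shared"  # mount point of <host_shared> inside the container (assumption from the -v mapping)


class UnsafePath(ValueError):
    """Raised for a path that leaves the shared volume or contains unsafe characters."""


def relative_to_shared(path, shared=SHARED):
    """Normalise `path` to a path relative to the shared volume.

    'scripts/x.py' and '/shared/scripts/x.py' both become 'scripts/x.py';
    '../x.py', '/etc/passwd' and 'a/../../x' are refused, as is any
    component outside the allow-list.  posixpath is used on purpose so the
    check matches the container's view even when the client runs on Windows."""
    norm = posixpath.normpath(path)
    if norm.startswith(shared + "/"):
        norm = norm[len(shared) + 1:]
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        raise UnsafePath("path escapes the shared volume: %r" % path)
    for part in norm.split("/"):
        if part in ("", ".", "..") or not SAFE_COMPONENT.match(part):
            raise UnsafePath("unsafe path component %r in %r" % (part, path))
    return norm


def is_safe(path, shared=SHARED):
    """True when relative_to_shared() would accept `path`."""
    try:
        relative_to_shared(path, shared)
        return True
    except UnsafePath:
        return False


def build_command(script, sample, bits=32):
    """Compose the command string sent to a service container, e.g.
    'idal -Sextract_file_functions.py -A zlib.dll.sample'; bits=64 selects idal64."""
    try:
        binary = {32: "idal", 64: "idal64"}[bits]
    except KeyError:
        raise ValueError("bits must be 32 or 64, got %r" % (bits,))
    return "%s -S%s -A %s" % (binary, relative_to_shared(script), relative_to_shared(sample))


def build_batch(script, samples, bits=32):
    """The README's list comprehension with validation applied to every name.
    Returns (commands, rejected) so one bad name does not sink the whole batch."""
    commands, rejected = [], []
    for sample in samples:
        try:
            commands.append(build_command(script, sample, bits))
        except UnsafePath as exc:
            rejected.append((sample, str(exc)))
    return commands, rejected


if __name__ == "__main__":
    # Constructed input: two legitimate sample names and one traversal attempt.
    cmds, bad = build_batch("extract_file_functions.py",
                            ["zlib.dll.sample", "Win32OpenSSL.sample", "../../etc/passwd"])
    print(cmds)
    print(bad)
```

The resulting strings are what client.send_command and client.send_multiple_commands take; because every component is restricted to the allow-list, no quoting is needed and the command reads exactly as in the Usage listing.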
