  • Stars: 146
  • Rank: 252,769 (Top 5 %)
  • Language: C++
  • License: MIT License
  • Created over 7 years ago
  • Updated about 1 year ago

Repository Details

Library and tool for reading IDApro databases.

IDBTOOL

A tool for extracting information from IDA databases. idbtool knows how to handle databases from all IDA versions since v2.0, both i64 and idb files. You can also use idbtool to recover information from unclosed databases.

idbtool works without change with IDA v7.0.

Much faster than loading a file in IDA

With idbtool you can search thousands of .idb files in seconds.

More precisely: on my laptop it takes:

  • 1.5 seconds to extract 143 idc scripts from 119 idb and i64 files.
  • 3.8 seconds to print idb info for 441 files.
  • 5.6 seconds to extract 281 enums containing 4726 members from 35 files.
  • 67.8 seconds to extract 5942 structs containing 33672 members from 265 files.

Loading an approximately 5 GByte idb file in IDA takes about 45 minutes, while opening the same file with idb3.h takes basically no time at all, no more than a few milliseconds.

Download

Two versions of this tool exist:

  • one written in Python
  • one written in C++

Both repositories contain a library which can be used for reading .idb or .i64 files.

An IDA Pro plugin making use of idb3.h can be found here:

This is a plugin making it easy to copy scripts, structs or enums from recent ida databases.

Usage

Usage:

idbtool [options] [database file(s)] [-- address-list]

  • -n or --names: list all named values in the database.
  • -s or --scripts: list all scripts stored in the database.
  • -u or --structs: list all structs stored in the database.
  • -e or --enums: list all enums stored in the database.
  • -i or --info: print some general info about the database.
  • -a: list all names, including ..todo..
  • -d: dump btree page tree contents.
  • --inc, --dec: list all records in ascending / descending order.
  • -q or --query: search specific records in the database.
  • -m or --limit: limit the number of results returned by -q.

All addresses after -- will be printed as symbol+offset.

Query

Queries need to be specified last on the command line.

Example:

idbtool [database file(s)]  --query  "Root Node;V"

This will list the source binary for all the databases specified on the command line.

A query is a string with the following format:

  • [==,<=,>=,<,>] - optional relation, default: ==
  • a base node key:
    • a DOT followed by the numeric value of the nodeid.
    • a HASH followed by the numeric value of the system-nodeid.
    • a QUESTION followed by the name of the node. -> a 'N'ame node
    • the name of the node. -> the name is resolved, results in a '.'Dot node
  • an optional tag ( A for Alt, S for Supval, etc )
  • an optional index value

Example queries:

  • Root Node;V -> prints record containing the source binary name
  • ?Root Node -> prints the Name record pointing to the root
  • >Root Node -> prints the first 10 records starting with the root node id.
  • <Root Node -> prints the 10 records starting with the records before the root node.
  • .0xff000001;N -> prints the root node name entry.
  • #1;N -> prints the root node name entry.

List the highest node and the record following it in two different ways. The first starts at the first record below ffc00000 and lists the next one; the second starts at the first record after ffc00000 and lists the previous one:

  • --query "<#0xc00000" --limit 2 --inc -v
  • --query ">#0xc00000" --limit 2 --dec -v

Note that this should be the nodeid in the $ MAX NODE record.

List the last two records:

  • --limit 2 --dec -v

List the first two records, the $ MAX LINK and $ MAX NODE records:

  • --limit 2 --inc -v
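As an added example (not code from idbtool or idb3.h), the following parser implements the query string format described above: an optional relation, a base node key (`.nodeid`, `#system-nodeid`, `?name`, or a plain name), and an optional `;tag` with index. The `;` separator and the tag-before-index layout are taken from the README examples; reading whatever follows the one-letter tag as the index is an assumption of this example, as is resolving `#n` to nodebase+n (which makes `#1` and `.0xff000001` name the same node in a 32-bit database).

```cpp
#include <cstdint>
#include <cstdlib>
#include <string>

// Added example, not idb3.h code: parses the idbtool query string format
// described above: [relation] key [;tag[index]]. The ';' separator and
// tag-before-index layout follow the README examples ("Root Node;V", "#1;N").
enum class Rel { Eq, Le, Ge, Lt, Gt };
enum class KeyKind { Dot, Hash, Name, Resolve };
struct Query {
    bool ok = false;                  // false when the string did not parse
    Rel rel = Rel::Eq;                // default relation is ==
    KeyKind kind = KeyKind::Resolve;
    uint64_t nodeid = 0;              // for Dot ('.') and Hash ('#') keys
    std::string name;                 // for Name ('?') and Resolve keys
    char tag = 0;                     // 0 when no tag was given
    bool has_index = false; uint64_t index = 0;
};

// Base of the node id space: 0xFF000000 for .idb, 0xFF00000000000000 for .i64.
uint64_t nodebase(bool is64) { return is64 ? 0xFF00000000000000ULL : 0xFF000000ULL; }

// System node ids (#n) resolve to nodebase+n (assumption of this example).
Query parse_query(const std::string& s, bool is64) {
    Query q; size_t p = 0;
    if (s.compare(0, 2, "==") == 0)      { q.rel = Rel::Eq; p = 2; }
    else if (s.compare(0, 2, "<=") == 0) { q.rel = Rel::Le; p = 2; }
    else if (s.compare(0, 2, ">=") == 0) { q.rel = Rel::Ge; p = 2; }
    else if (s.compare(0, 1, "<") == 0)  { q.rel = Rel::Lt; p = 1; }
    else if (s.compare(0, 1, ">") == 0)  { q.rel = Rel::Gt; p = 1; }
    size_t semi = s.find(';', p);
    std::string key = s.substr(p, semi - p);              // substr clamps when semi == npos
    if (key.empty()) return q;
    if (key[0] == '.' || key[0] == '#') {
        char* end = nullptr;
        uint64_t v = std::strtoull(key.c_str() + 1, &end, 0);  // base 0: decimal or 0x...
        if (key.size() == 1 || *end != '\0') return q;          // not a number
        q.kind = key[0] == '.' ? KeyKind::Dot : KeyKind::Hash;
        q.nodeid = key[0] == '.' ? v : nodebase(is64) + v;
    } else if (key[0] == '?') { q.kind = KeyKind::Name; q.name = key.substr(1); }
    else { q.kind = KeyKind::Resolve; q.name = key; }
    if (semi != std::string::npos && semi + 1 < s.size()) {   // optional ;tag[index]
        q.tag = s[semi + 1];
        std::string idx = s.substr(semi + 2);
        if (!idx.empty()) { q.has_index = true; q.index = std::strtoull(idx.c_str(), nullptr, 0); }
    }
    q.ok = true;
    return q;
}
```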

A full database dump

Several methods exist for printing all records in the database. This may be useful if you want to investigate more of IDA's internals, but it can also help in recovering data from corrupted databases.

  • --inc, --dec can be used to enumerate all b-tree records in either forward, or backward direction.
  • --id0 walks the page tree, instead of the b-tree, printing the contents of each page

LIBRARY

The header file idb3.h contains a library for reading from IDA Pro databases.

IDBFile

Class for accessing sections of an .idb or .i64 file.

Constructor Parameters:

  • std::shared_ptr<std::istream> ( typedefed to stream_ptr )

Methods:

  • stream_ptr getsection(int)

ID0File, ID1File, NAMFile

Constructor Parameters:

  • IDBFile& idb
  • stream_ptr

Constant

  • INDEX - the argument for idb.getsection

ID0File

Methods

  • Cursor find(relation_t, nodeid, ...)

    • ... can be:
      • tag, index
      • tag, hash
      • tag
  • Cursor find(relation_t, std::string key)

  • std::string blob(nodeid, tag, ...)

  • uint64_t node(std::string name)

  • bool is64bit()

    • true for .i64 files.
  • uint64_t nodebase()

    • returns 0xFF000000 for 32-bit databases and 0xFF00000000000000 for 64-bit databases.
  • void enumlist(uint64_t nodeid, char tag, CB cb)

    • call cb for each value in the list.

Convenience Methods

  • std::string getdata(ARGS...args)
  • std::string getstr(ARGS...args)
  • uint64_t getuint(ARGS...args)
  • uint64_t getuint(BtreeBase::Cursor& c)
  • std::string getname(uint64_t node)

ID1File

Methods

  • uint32_t GetFlags(uint64_t ea)

NAMFile

Methods

  • uint64_t findname(uint64_t ea)

Cursor

Methods

  • void next()
    • move cursor to the next btree record
  • void prev()
    • move cursor to the previous btree record
  • bool eof()
    • did we reach the start/end of the btree?
  • std::string getkey()
    • return the key pointed to by the cursor
  • std::string getval()
    • return the value pointed to by the cursor

TODO

  • add option to list all comments stored in the database
  • support compressed sections
  • add option to list flags for a list of addresses.

Author

Willem Hengeveld [email protected]
