
Hexrays Toolbox - Find code patterns within the Hexrays ctree

HexRays Toolbox

HexRays Toolbox (hxtb) is a powerful set of IDAPython scripts that can be used to find and locate code patterns in binaries, independent of their underlying processor architecture.

Use Cases

  • scan binary files for vulnerabilities and variants
  • locate code patterns from previously reverse engineered executables in newly decompiled code
  • malware variant analysis
  • find code similarities across several binaries (e.g. for proving "code theft", license violations, ...)
  • find code patterns from binaries compiled for architecture A in binaries compiled for architecture B
  • probably a lot more...

The query illustrated by the animation below is an example of how a vulnerability that affected WhatsApp for Android (CVE-2019-3568, libwhatsapp.so) can be located using HexRays Toolbox. This is done by formulating the desired code pattern as an IDAPython lambda function. Find the example script here.

toolbox animated gif

Requirements

A valid IDA license and a valid HexRays decompiler license for each target architecture are required.

Usage

There are several ways of using HexRays Toolbox, each offering a different degree of flexibility.

  • run queries from hxtb_shell, an interactive GUI
  • custom IDAPython scripting
  • interactive.py, a script that adds convenience functions to be used from the IDA command line interface
  • automation.py, a script that processes and runs hxtb queries on a given set of files in batch mode

hxtb-shell

Executing the included hxtb_shell.py script from within IDA opens a GUI window that can be used to develop, load and run hxtb queries. The screenshot below shows what a query loaded with hxtb-shell may look like.

hxtb shell

hxtb-shell also accepts Python expressions that are created by the HRDevHelper plugin's context viewer. They can be copied from it and directly pasted into the hxtb-shell GUI.

HRDevHelper context viewer


Further example queries that can be loaded with hxtb-shell can be found in the hxtbshell_queries sub-folder included with HexRays Toolbox.

Scripting

Loading hxtb.py with IDA (Alt-F7) makes functions such as find_expr() and find_item() available to both the IDAPython CLI and the script interpreter (Shift-F2). Among other things, these functions can be used to run queries on the currently loaded IDA database. Please check out the examples shown below.

    find_item(ea, q)
    find_expr(ea, q)

    Positional arguments:
        ea:         address of a valid function within
                    the current database
        q:          lambda function
                    custom lambda function with the following arguments:
                    1. cfunc: cfunc_t
                    2. i/e:   cinsn_t/cexpr_t
    Returns:
        list of query_result_t objects

    Example:
        find_expr(here(), lambda cf, e: e.op is cot_call)
    
        -> finds and returns all function calls within the current function.
        The returned data is a list of query_result_t objects (see hxtb.py).

        The returned list can be passed to an instance of the ic_t class,
        which causes the data to be displayed by a chooser as follows:

        from idaapi import *
        import hxtb
        hxtb.ic_t(find_expr(here(), lambda cf,e:e.op is cot_call))


    Please find the cfunc_t, citem_t, cinsn_t and cexpr_t structures
    within hexrays.hpp for further help and details.

Examples

List expressions that compare anything to zero ("x == 0")

         cot_eq
         /   \
      x /     \ y
(anything)  cot_num --- n.numval() == 0

from idaapi import *
from hxtb import find_expr
query = lambda cfunc, e: e.op is cot_eq and e.y.op is cot_num and e.y.numval() == 0
r = find_expr(here(), query)
for e in r:
    print(e)

List (direct) function calls

        cot_call
         / 
      x /
 cot_obj

from idaapi import *
from hxtb import find_expr
query = lambda cfunc, e: e.op is cot_call and e.x.op is cot_obj
r = find_expr(here(), query)
for e in r:
    print(e)

list of calls

List memcpy calls where the "dst" argument is on the stack

        cot_call --- arg1 is cot_var
         /           arg1 is on stack
      x /
 cot_obj --- name(obj_ea) == 'memcpy'

from idaapi import *
from hxtb import find_expr
r = []
query = lambda cfunc, e: (e.op is cot_call and
           e.x.op is cot_obj and
           get_name(e.x.obj_ea) == 'memcpy' and
           len(e.a) == 3 and
           e.a[0].op is cot_var and
           cfunc.lvars[e.a[0].v.idx].is_stk_var())
for ea in Functions():
    r += find_expr(ea, query)
for e in r:
    print(e)

List calls to sprintf(str, fmt, ...) where fmt contains "%s"

        cot_call --- arg2 ('fmt') contains '%s'
         /
      x /
 cot_obj --- name(obj_ea) == 'sprintf'

from idaapi import *
from hxtb import find_expr
r = []
query = lambda cfunc, e: (e.op is cot_call and
    e.x.op is cot_obj and
    get_name(e.x.obj_ea) == 'sprintf' and
    len(e.a) >= 2 and
    e.a[1].op is cot_obj and
    is_strlit(get_flags(get_item_head(e.a[1].obj_ea))) and
    b'%s' in get_strlit_contents(e.a[1].obj_ea, -1, 0, STRCONV_ESCAPE))
for ea in Functions():
    r += find_expr(ea, query)
for e in r:
    print(e)

Show all instructions using signed operators in a list view

from idaapi import *
from hxtb import ic_t
query = lambda cfunc, e: (e.op in
            [cot_asgsshr, cot_asgsdiv,
            cot_asgsmod, cot_sge,
            cot_sle, cot_sgt,
            cot_slt, cot_sshr,
            cot_sdiv, cot_smod])
ic_t(query)

list of signed operators

Show all "if" statements in a list view

from idaapi import *
from hxtb import ic_t
ic_t(lambda cf, i: i.op is cit_if)

list of if statements

Find all loop statements within the current database and display the result in a list view

from idaapi import *
from hxtb import ic_t, query_db
ic_t(query_db(lambda cf,i: is_loop(i.op)))

list of loops

Show potential memory copy operations in a list view

from hxtb import ic_t, query_db, find_child_expr
from ida_hexrays import *

find_copy_query = lambda cfunc, i: (i.op is cot_asg and
                                    i.x.op is cot_ptr and
                                    i.y.op is cot_ptr)

find_loop_query = lambda cfunc, i: (is_loop(i.op) and
                                    find_child_expr(cfunc, i, find_copy_query))

ic_t(query_db(find_loop_query))

list of copy loops
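The following is an added illustration, not code from hxtb: it models a handful of ctree node types as plain Python objects and reimplements the find_item()/find_child_expr() traversal described in the Scripting section, so that the copy-loop query composition from the last example can be exercised outside IDA. The Item and CFunc classes, the operator values and the hand-built sample tree are all constructed stand-ins; only the shape of the two query lambdas is taken from the page.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Placeholder operator codes for the hexrays.hpp constants (real values differ)
cot_asg, cot_ptr, cot_var, cot_num, cot_lt = 1, 2, 3, 4, 5
cit_block, cit_if, cit_for, cit_while = 10, 11, 12, 13

is_loop = lambda op: op in (cit_for, cit_while)  # simplified stand-in for ida_hexrays.is_loop

@dataclass
class Item:
    """Minimal stand-in for citem_t: an operator plus its sub-items."""
    op: int
    x: Optional["Item"] = None                        # first operand / condition
    y: Optional["Item"] = None                        # second operand
    body: List["Item"] = field(default_factory=list)  # statements of a block or loop

    def children(self) -> List["Item"]:
        return [c for c in (self.x, self.y) if c is not None] + self.body

@dataclass
class CFunc:  # stand-in for cfunc_t; only the ctree root is modelled
    body: Item

def _walk(item: Item):
    yield item
    for c in item.children():
        yield from _walk(c)

def find_item(cfunc: CFunc, q: Callable[[CFunc, Item], bool]) -> List[Item]:
    """Every item in the function for which q(cfunc, item) is truthy."""
    return [i for i in _walk(cfunc.body) if q(cfunc, i)]

def find_child_expr(cfunc: CFunc, parent: Item, q) -> Optional[Item]:
    """First descendant of parent (parent itself excluded) matching q, else None."""
    return next((i for c in parent.children() for i in _walk(c) if q(cfunc, i)), None)

# The two queries from the copy-loop example, same shape as on the page
find_copy_query = lambda cfunc, i: (i.op is cot_asg and
                                    i.x.op is cot_ptr and i.y.op is cot_ptr)
find_loop_query = lambda cfunc, i: (is_loop(i.op) and
                                    find_child_expr(cfunc, i, find_copy_query) is not None)

def sample_cfunc() -> CFunc:
    """Constructed tree for:  while (i < n) { *dst = *src; }  if (f) { v = 0; }"""
    copy = Item(cot_asg, x=Item(cot_ptr, x=Item(cot_var)), y=Item(cot_ptr, x=Item(cot_var)))
    loop = Item(cit_while, x=Item(cot_lt, x=Item(cot_var), y=Item(cot_var)),
                body=[Item(cit_block, body=[copy])])
    branch = Item(cit_if, x=Item(cot_var), body=[Item(cot_asg, x=Item(cot_var), y=Item(cot_num))])
    return CFunc(Item(cit_block, body=[loop, branch]))
```

Running find_item(sample_cfunc(), find_loop_query) returns only the while loop, because the assignment inside the if statement assigns a number rather than a dereferenced pointer.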
