idahunt是用IDA Pro分析二进制文件并寻找IDA Pro中内容的框架

idahunt是用IDA Pro分析二进制文件并寻找IDA Pro中内容的框架

idahunt

idahunt is a framework to analyze binaries with IDA Pro and hunt for things in IDA Pro. It contains a main command line tool to analyse all executable files recursively from a given folder. It executes in the background so you don't have to open manually each file. It supports executing external IDA python scripts.

Requirements

Python3 only (except IDA Python scripts which are Python2 based)IDA ProWindows, Linux, OS X

Features

Automate creation of IDBs for multiple executablesOpen multiple existing IDBsExecute IDA Python scripts across multiple executablesIDA Python helpers to simplify looking for things in IDA. You can use this to easily build your own IDA Python scriptsIt supports any file format IDA would support (PE/ELF/MACH-O/etc.)

Useful examples include (non-exhaustive list):

Analyse Microsoft Patch Tuesday updatesAnalyse malware of the same familyAnalyse multiple versions of the same software (router/firewall/etc.)Analyse a bunch of binaries (UEFI, etc.)

Scripting

IDA Python scripts capabilities are unlimited. You can import any existing IDA Python script or build your own. Some examples:

Rename functions based on debugging stringsDecrypt strings (e.g. malware)Hunt for the same symbol across multiple versions (using heuristics)Hunt for ROP gadgetsEtc.

Usage

idahunt.py: main tool to analyse executable filesfilters/names.py: contains a basic filter based on name and/or extension to decide which files in an input dir to analyze with idascript_template.py: contains a hello world IDA Python script

C:\idahunt>idahunt.py -husage: idahunt.py [-h] [--inputdir INPUTDIR] [--analyse] [--open] [--scripts SCRIPTS [SCRIPTS ...]] [--filter FILTER] [--cleanup] [--temp-cleanup] [--verbose] [--max-ida MAX_IDA] [--list-only]optional arguments: -h, --help show this help message and exit --inputdir INPUTDIR Input folder to search for files --analyse analyse all files i.e. create .idb for all of them --open open all files into IDA (debug only) --scripts SCRIPTS [SCRIPTS ...] List of IDA Python scripts to execute in this order --filter FILTER External python script with optional arguments defining a filter for the names of the files to analyse. See filters/names.py for example --cleanup Cleanup i.e. remove .asm files that we don't need --temp-cleanup Cleanup temporary database files i.e. remove .id0, .id1, .id2, .nama files if IDA Pro crashed and did not delete them --verbose be more verbose to debug script --max-ida MAX_IDA Maximum number of instances of IDA to run at a time --list-only List only what files would be handled without executing IDA

Simulate without executing

You can use --list-only with any command line to just list what the tool would do without actually doing it.

C:\idahunt>idahunt.py --inputdir C:\re --analyse --filter "filters\names.py -a 32 -v" --list-only[idahunt] Simulating only...[idahunt] ANALYSING FILES[idahunt] Analysing C:\re\cves\cve-2014-4076.dll[idahunt] Analysing C:\re\cves\cve-2014-4076.exe[idahunt] Analysing C:\re\DownloadExecute.exe[idahunt] Analysing C:\re\ReverseShell.exe

Initial analysis

Here we start an initial analysis. It finishes after a few seconds:

C:\idahunt>idahunt.py --inputdir C:\re --analyse --filter "filters\names.py -a 32 -v"[idahunt] ANALYSING FILES[idahunt] Analysing C:\re\cves\cve-2014-4076.dll[idahunt] Analysing C:\re\cves\cve-2014-4076.exe[idahunt] Analysing C:\re\DownloadExecute.exe[idahunt] Analysing C:\re\ReverseShell.exe[idahunt] Waiting on remaining 4 IDA instances

Here we cleanup temporary .asm files created by the initial analysis:

C:\idahunt>idahunt.py --inputdir C:\re --cleanup[idahunt] Deleting C:\re\cves\cve-2014-4076.asm[idahunt] Deleting C:\re\DownloadExecute.asm[idahunt] Deleting C:\re\ReverseShell.asm

We can see the generated .idb as well as some .log files that contain the IDA Pro output window.

C:\idahunt>tree /f C:\reFolder PATH listingVolume serial number is XXXX-XXXXC:\RE│ DownloadExecute.exe│ DownloadExecute.idb│ DownloadExecute.log│ ReverseShell.exe│ ReverseShell.idb│ ReverseShell.log│└───cves cve-2014-4076.dll cve-2014-4076.exe cve-2014-4076.idb cve-2014-4076.log

Execute IDA Python script

Here we execute a basic IDA Python script that prints [script_template] I execute in IDA, yay! in the IDA Pro output window.

C:\idahunt>idahunt.py --inputdir C:\re --filter "filters\names.py -a 32 -v" --scripts C:\idahunt\script_template.py[idahunt] EXECUTE SCRIPTS[idahunt] Executing script C:\idahunt\script_template.py for C:\re\cves\cve-2014-4076.dll[idahunt] Executing script C:\idahunt\script_template.py for C:\re\cves\cve-2014-4076.exe[idahunt] Executing script C:\idahunt\script_template.py for C:\re\DownloadExecute.exe[idahunt] Executing script C:\idahunt\script_template.py for C:\re\ReverseShell.exe[idahunt] Waiting on remaining 4 IDA instances

Since it is saved in the .log file, we can check it successfully executed:

Autoanalysis subsystem has been initialized.Database for file 'ReverseShell.exe' has been loaded.Compiling file 'C:\Program Files (x86)\IDA 6.95\idc\ida.idc'...Executing function 'main'...[script_template] I execute in IDA, yay!

Filter name

We can filter that it only analyses files with a given pattern in the name (-n Download below):

C:\idahunt>idahunt.py --inputdir C:\re --filter "filters\names.py -a 32 -v -n Download" --scripts C:\idahunt\script_template.py --list-only[idahunt] Simulating only...[idahunt] EXECUTE SCRIPTS[names] Skipping non-matching name Download in cve-2014-4076.dll[names] Skipping non-matching name Download in cve-2014-4076.exe[idahunt] Executing script C:\idahunt\script_template.py for C:\re\DownloadExecute.exe[names] Skipping non-matching name Download in ReverseShell.exe

Filter extension

We can create a filter that tells idahunt to only analyse files with a given extension (-e dll below):

C:\idahunt>idahunt.py --inputdir C:\re --filter "filters\names.py -a 32 -v -e dll" --scripts C:\idahunt\script_template.py --list-only[idahunt] Simulating only...[idahunt] EXECUTE SCRIPTS[idahunt] Executing script C:\idahunt\script_template.py for C:\re\cves\cve-2014-4076.dll[names] Skipping non-matching extension .dll in cve-2014-4076.exe[names] Skipping non-matching extension .dll in DownloadExecute.exe[names] Skipping non-matching extension .dll in ReverseShell.exe

Architecture needs to be provided

If you forget to provide the architecture of the files you want to analyse, the basic filters\names.py will return an error:

C:\idahunt>idahunt.py --inputdir C:\re --filter "filters\names.py -v -e dll" --scripts C:\idahunt\script_template.py --list-only[idahunt] Simulating only...[idahunt] EXECUTE SCRIPTS[names] Unknown architecture: None. You need to specify it with -a[names] Skipping non-matching extension .dll in cve-2014-4076.exe[names] Skipping non-matching extension .dll in DownloadExecute.exe[names] Skipping non-matching extension .dll in ReverseShell.exe

Protip: you could build your own filter that would detect the architecture automatically using a win32, elf library.

Note: The architecture is required to know in advance due to a limitation of IDA Pro that contains 2 different executables idaq.exe and idaq64.exe to analyse binaries of the two architectures 32-bit and 64-bit.

Known projects using idahunt

asadbg

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。