Cisco-Talos / FIRST


FIRST IDA Pro plugin on Linux #5

Open Antelox opened 7 years ago

Antelox commented 7 years ago

I got the plugin working on Linux using virtualenv + this plugin. I'm writing this because I read here that you are still looking for a solution, so I thought I'd create this ticket.

If you need more information about the setup feel free to ask me.

demonduck commented 7 years ago

Thanks Antelox! I would like more information about the setup so we can include the whole process for Linux users in our documentation.

Antelox commented 7 years ago

Well, I simply created a virtualenv:

```
virtualenv IDAPRO_ENV
```

Installed requests python module inside it:

```
source IDAPRO_ENV/bin/activate
sudo pip install requests
deactivate
```

Then I installed the idapython_virtualenv IDAPro plugin:

File -> Script command... Script language set to Python

and I launched the following snippet as explained in the README.md:

```python
import urllib2,os,hashlib
urllib2.install_opener(urllib2.build_opener(urllib2.ProxyHandler()))
original_hash = "0ce3569b15bfd01954247cf86503c32bcf30e83e0456a45eda79da5762f5c2af"
env_code = urllib2.urlopen('https://raw.githubusercontent.com/Kerrigan29a/idapython_virtualenv/master/envs.py').read()
calculated_hash = hashlib.sha256(env_code).hexdigest()
idadir = get_user_idadir()
idapythonrc_code = "from envs import detect_env; detect_env()"
if calculated_hash == original_hash:
    open(os.path.join(idadir,'envs.py'),'wb').write(env_code)
    open(os.path.join(idadir,'idapythonrc.py'),'ab').write(idapythonrc_code)
    Warning('Please restart IDA to finish installation')
else:
    Warning('Error validating download (got {} instead of {}), please try manual install'.format(calculated_hash, original_hash))
```

Restarted IDA Pro.

At this point there are 2 possible ways to activate the IDAPRO_ENV virtualenv in IDA Pro.

  1. Create a system environment variable called VIRTUAL_ENV which points to the folder IDAPRO_ENV. With this set, the IDAPRO_ENV virtualenv is loaded at runtime each time you start IDA Pro, thanks to the idapython_virtualenv plugin.
  2. From the Python command line at the bottom of IDA Pro, run:

     ```python
     from envs import activate_virtualenv_env
     activate_virtualenv_env('PATH_TO_IDAPRO_ENV')
     ```

Test whether the virtualenv loaded correctly by running:

`import requests`

If it's OK, then you can install the FIRST plugin and give it a try as well.

I tested this setup on _Ubuntu 16.04 x64_ with a couple of samples and it seems to work well. I would like to hear the same from you after your tests. =)
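
The pinned-hash check in the README snippet quoted above, as an added Python 3 example that is not part of the original comment or of the idapython_virtualenv project: it verifies the bytes before anything is written, replaces `envs.py` atomically, and appends the `idapythonrc.py` hook only once. The function names are hypothetical, and the caller is assumed to supply the downloaded bytes and the IDA user directory.

```python
import hashlib
import hmac
import os
import tempfile

# Hook line from the snippet above, with a trailing newline added.
RC_LINE = b"from envs import detect_env; detect_env()\n"


def verify_pinned(payload, pinned_sha256):
    """Return the SHA-256 of payload; raise ValueError if it differs from the pin."""
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256.lower()):
        raise ValueError("got %s instead of %s" % (digest, pinned_sha256))
    return digest


def atomic_write(path, data):
    """Write to a temp file in the target directory, then rename into place."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def install_env_loader(payload, pinned_sha256, idadir):
    """Install envs.py if it matches the pin; add the rc hook at most once.

    Returns True if idapythonrc.py was changed, False if the hook was present.
    """
    verify_pinned(payload, pinned_sha256)  # nothing is written before this passes
    atomic_write(os.path.join(idadir, "envs.py"), payload)
    rc_path = os.path.join(idadir, "idapythonrc.py")
    existing = b""
    if os.path.exists(rc_path):
        with open(rc_path, "rb") as fh:
            existing = fh.read()
    if RC_LINE.strip() in existing:
        return False
    # Start on a fresh line if the existing file lacks a final newline.
    sep = b"" if not existing or existing.endswith(b"\n") else b"\n"
    with open(rc_path, "ab") as fh:
        fh.write(sep + RC_LINE)
    return True
```
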

emdel commented 7 years ago

OK, I did different tests. First I tried with a VM I had running Ubuntu 14 LTS and then another one running Ubuntu 16. I always had the same issue, which is also present when I created a brand new VM running the latest Ubuntu LTS:

```
cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"
```

This is the error that I get from IDA when I run the snippet from the README file of idapython_virtualenv:


```
Script Default snippet error: Traceback (most recent call last):
  File "<string>", line 4, in <module>
  File "/home/emdel/ida-6.95/python/lib/python27.zip/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/home/emdel/ida-6.95/python/lib/python27.zip/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/home/emdel/ida-6.95/python/lib/python27.zip/urllib2.py", line 454, in _open
    'unknown_open', req)
  File "/home/emdel/ida-6.95/python/lib/python27.zip/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/home/emdel/ida-6.95/python/lib/python27.zip/urllib2.py", line 1265, in unknown_open
    raise URLError('unknown url type: %s' % type)
URLError: <urlopen error unknown url type: https>
```

In a nutshell I created this VM. I did an update and upgrade. I followed this link to install IDA: http://www.hexblog.com/?p=958 and followed your steps. I installed virtualenv and then requests:

```
Collecting requests
  Downloading requests-2.17.3-py2.py3-none-any.whl (87kB)
    100% |████████████████████████████████| 92kB 324kB/s 
Collecting idna<2.6,>=2.5 (from requests)
  Downloading idna-2.5-py2.py3-none-any.whl (55kB)
    100% |████████████████████████████████| 61kB 2.4MB/s 
Collecting urllib3<1.22,>=1.21.1 (from requests)
  Downloading urllib3-1.21.1-py2.py3-none-any.whl (131kB)
    100% |████████████████████████████████| 133kB 739kB/s 
Collecting chardet<3.1.0,>=3.0.2 (from requests)
  Downloading chardet-3.0.3-py2.py3-none-any.whl (133kB)
    100% |████████████████████████████████| 143kB 3.2MB/s 
Collecting certifi>=2017.4.17 (from requests)
  Downloading certifi-2017.4.17-py2.py3-none-any.whl (375kB)
    100% |████████████████████████████████| 378kB 1.9MB/s 
Installing collected packages: idna, urllib3, chardet, certifi, requests
Successfully installed certifi-2017.4.17 chardet-3.0.3 idna-2.5 requests-2.17.3 urllib3-1.21.1
(IDAPRO_ENV) emdel@ubuntu:~/IDAPRO_ENV$ deactivate
```

As a side note, I used the Python interpreter shipped with IDA 6.95. Needless to say the VM is 64bit.

emdel commented 7 years ago

OK, problem solved. @Antelox's comment works, but before following it we have to pay attention to our own IDA installation. On Ubuntu 16 we need to install libpython2.7 and libssl0.9.8:

```
sudo apt-get install libpython2.7:i386
```

And then:

```
wget http://mirrors.kernel.org/ubuntu/pool/universe/o/openssl098/libssl0.9.8_0.9.8o-7ubuntu3.2.14.04.1_i386.deb
sudo dpkg -i libssl0.9.8_0.9.8o-7ubuntu3.2.14.04.1_i386.deb
```

In this way we have a working IDAPython environment, and we can install the idapython_virtualenv plugin and then FIRST by following @Antelox's advice.