Jinmo / idapkg

Packages for IDA Pro (written in python but supports all)
MIT License

Wrapping processor/loaders for loading #3

Closed Jinmo closed 5 years ago

Jinmo commented 5 years ago

I was testing changing the IDAUSR variable to add directories for plugins/ procs/ loaders/, but it didn't work, since IDA caches the list after calling get_ida_subdirs() or similar. I was annoyed since it's not exposed to the user, making it impossible to invalidate the cache without directly modifying the memory with ctypes. This completely breaks loading of processors/loaders, since idapkg is loaded after the environment has been cached.

Wrapping processors/loaders with native .py/.dll solves all of these issues, but needs extra work, e.g. symbolic linking would not work since it modifies the path. This breaks relative imports.

So my plan is: write a wrapper function with a global constructor, like this.

__attribute__((constructor))
void init() {
  init_processor(); // copies LPH structure from wrapped dll
  init_loader();
  init_plugin();
}

define_wrapper(processor_t, LPH, processor);
define_wrapper(loader_t, LDSC, loader);
define_wrapper(plugin_t, PLUGIN, plugin);

Python wrapper:

import os

filename = '<wrapper path>'  # path of the wrapped .py plugin/processor/loader
dirname = os.path.dirname(filename)
orig_cwd = os.getcwd()
try:
    # run the wrapped script from its own directory so relative paths resolve
    os.chdir(dirname)
    with open(filename) as f:
        code = compile(f.read(), filename, 'exec')
    # __file__ must be passed as a string key, otherwise the wrapper's own
    # __file__ value would be used as the dictionary key
    exec(code, {'__file__': filename})
except Exception:
    pass
finally:
    os.chdir(orig_cwd)

Indeed IDAUSR's feature is rich, and I need to implement these:

Not copyable (path-sensitive):
plugins/
procs/
loaders/

Copyable:
ids/
til/
sig/

Personally I don't like copying files, but there's no symlink support without Administrator privileges for Windows, and non-NTFS directories (but possible in NTFS, and w/ admin privilege).

Unless, I can use hardcoded offset for IDA (or use FLIRT for IDA binary?). I'm uploading PoC.
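A concrete version of the wrapper plan described above, as an added example that is not part of the issue or of idapkg itself: path-sensitive subdirectories get a generated stub that executes the real file from its own directory, while the copyable ones are copied. It assumes Python 3 and invents the names write_wrapper and install_package.

```python
import os
import shutil

# The split from the issue: path-sensitive dirs get a wrapper stub, the rest are copied.
WRAPPED_DIRS = ('plugins', 'procs', 'loaders')
COPIED_DIRS = ('ids', 'til', 'sig')

# Stub written into IDAUSR; it chdirs into the real file's directory, runs it with
# __file__ pointing at the original, and always restores the working directory.
WRAPPER_TEMPLATE = '''import os
filename = {target!r}
orig_cwd = os.getcwd()
try:
    os.chdir(os.path.dirname(filename))
    with open(filename) as f:
        code = compile(f.read(), filename, 'exec')
    exec(code, {{'__file__': filename, '__name__': __name__}})
finally:
    os.chdir(orig_cwd)
'''


def write_wrapper(target, wrapper_path):
    """Write a stub at wrapper_path that executes target from target's own directory."""
    with open(wrapper_path, 'w') as f:
        f.write(WRAPPER_TEMPLATE.format(target=os.path.abspath(target)))


def install_package(pkg_dir, idausr):
    """Expose pkg_dir's IDA subdirectories under idausr without breaking relative paths.
    Returns the list of files created (wrapper stubs and copies)."""
    created = []
    for sub in WRAPPED_DIRS + COPIED_DIRS:
        src = os.path.join(pkg_dir, sub)
        if not os.path.isdir(src):
            continue
        dst = os.path.join(idausr, sub)
        os.makedirs(dst, exist_ok=True)
        for name in sorted(os.listdir(src)):
            src_file = os.path.join(src, name)
            dst_file = os.path.join(dst, name)
            if sub in WRAPPED_DIRS:
                # only .py files get a stub; native .dll/.so would need the C wrapper
                if name.endswith('.py'):
                    write_wrapper(src_file, dst_file)
                    created.append(dst_file)
            else:
                shutil.copy2(src_file, dst_file)
                created.append(dst_file)
    return created
```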

Jinmo commented 5 years ago

Will use IDAUSR for now.

hugmyndakassi commented 1 year ago

Just since I stumbled over this. I think you could use junction points (junction.exe or mklink.exe /j) to link one directory to another existing one. Just like the symbolic links introduced with Vista, they are reparse points under the hood. True junctions only work for directories, but if I haven't misunderstood your use case, that'd be sufficient, no?

As an aside, the installer for "Git for Windows" even has an option to enable SeCreateSymbolicLinkPrivilege for the user who invoked the setup. And while it's true there are some security concerns regarding symbolic links, most people using IDA are probably well versed in admin matters and could judge for themselves.

Maybe it helps. If not, just ignore.

Thanks for idapkg 😉

Jinmo commented 1 year ago

Hello, actually this project is not maintained anymore, but thanks for the feedback! Hardlinks and junctions can work in this case, but I chose to copy the contents instead to make things simpler (e.g., I thought deleting junctions in Windows is not UX-friendly).