MyNav is an Open Source plugin for IDA Pro which aims to help reverse engineers doing the most typical tasks.
MyNav is licensed under the GPL v2.
As of version 1.0, MyNav supports the following features:
- Differential debugging.
- Function's browser.
- Code paths searching.
- Entry points and target points definition.
- Function's names importer and exporter.Differential debugging in MyNav is implemented using breakpoints. The breakpoints can be set at the 1st instruction of the selected functions (for normal sessions) or in every instruction (for trace sessions). The breakpoints can be either normal breakpoints or trace breakpoints: With trace breakpoints only the $PC register is recorded and with normal breakpoints every register's value is recorded.
The function's browser shows in a navigable GUI every function called from the selected function either showing API calls or not. As simply as it is.
This feature allows to search code paths between either 2 functions or "points". Points are functions selected by the reverse engineer as either "entry points" (points where you can input data to the application) or "target points" (points where you can reach code execution).
This feature allows to export every function in the database with a name different to "sub*" or "j*" to one SQLite database to be imported later in another database. For every function the following data is recorded (in order to be used later for matching the exact function in other databases):
- Number of basic blocks, number of edges, indegree and outdegree.
- Mnemonics, number of instructions and size (in bytes) of the function.In MyNav there are a lot of menu items and somewhat hidden options to accomplish many tasks. The following is a comprehensive list of every menu item and every option or utility.
Open a function's browser showing all code references to functions from the selected function.
Start a new differential debugging session (refer to the section "Differential debugging" for more details). If no breakpoint is set the user will be asked to set a breakpoint in every discovered function in the database.
Related video tutorial:
Analyzing Adobe Acrobat Reader's JavaScript plugin http://joxeankoret.com/video/acrobatjs.htm
Normal sessions started with the command "New session" are functions level sessions, i.e., the unique information recorded is what functions were executed. Trace sessions are instruction level sessions: when you already have a function level session you select this option to trace every instruction belonging to the functions related to the session.
Related video tutorial:
Analyzing Adobe Acrobat Reader's JavaScript plugin http://joxeankoret.com/video/acrobatjs.htm
Like "trace in session" but you only trace the function at cursor.
When recording a session you have 2 ways to tell MyNav the session is over: Stop the program or configure a timeout. For example, if you're debugging a server application you don't want to start and stop it every time you want to test a feature so you can configure a timeout, record a session and it will be considered finished when the timeout is reached.
Due to performance, by default, MyNav sets trace brekapoints to record sessions (either function or trace level sessions) and only records the $PC. If you set CPU recording to true every processor register's value will be stored in the SQLite database.
Select this option to see in a graph a previously recorded function level session.
Select this option to colorize every instruction executed in a previously recorded trace session.
Select this option if you prefer to see a previously recorded function level session in a normal list like the normal IDA's "Functions List".
Trace level sessions are shown coloring executed instructions. Select this option to clear the color.
Add (or remove) a breakpoint in every function discovered in the database.
Add (or remove) every breakpoint recorded in a function level session.
Delete a function level session.
Delete all sessions (either function or trace sessions).
Add (or remove) the function at the cursor as data entry point (functions where you can input data to the application, like socket_recv, etc...) or target point (vulnerable functions or functions where you want to reach code execution for some reason).
Show in a graph every function added as entry point and the relationships (if any) between them.
Show in a graph every function added as target point and the relationships (if any) between them.
Show in a graph the relationships between functions selected as entry points and target points.
Show in a graph the relationships between 2 functions. A dialog box is shown to select the functions.
Show in a graph every function in the current (at the cursor) segment and the relationships between them. USE WITH CAUTION!
Show in a graph every function where a breakpoint is set (either manually or by MyNav) and the relationships between them.
Set a breakpoint in every function between entry points and target points and start a new function level session.
Set a breakpoint in every function between 2 functions and start a new function level session. A dialog box will be shown to select the 2 functions.
Add (or remove) a breakpoint in the function at the cursor and every function called from here.
Add (or remove) a breakpoint in every function between entry points and target points.
Add (or remove) a breakpoint in every function between 2 functions. A dialog box will be shown to select the 2 functions.
Add (or remove) a breakpoint in every function in the current (at the cursor) segment.
When CPU recording is enabled every register's value is recorded as well as ASCII strings pointed directly from a register's value. With this option you can see, in a graph, in what functions some string where used/accessed. Leave the field in blank to show a graph with every recorded string.
See the following snapshot to get an idea: http://img52.imageshack.us/i/mynav7.png/
Export to one SQLite database every function with a name different to "j*" and "sub*". See the section "Function's names importer/exporter" for more details.
Try to import from one SQLite database every function matching those in the current IDA's database. See the section "Function's names importer/exporter" for more details.
Use this option to try to search for functions not discovered by IDA during initial analysis.
Equivalent to the following python code:
AnalyzeArea(SegStart(here()), SegEnd(here()))Equivalent to the following python code:
AnalyzeArea(MinEA(), MaxEA())Usefull, for example, when you added new segments to the database in a debugging session with the command "Take memory snapshot".
Analyze the current segment and search for new functions not discovered by IDA.
While MyNav may be usefull as is, sometimes, we need to perform some special tasks not implemented in the current version. In order to accomplish them using the MyNav API we may use this option and a Python script will be executed registering as global variables the following objects:
mynav: The current "mynav" object of type CMyNav (see mynav.py).
mybrowser: A module object for the "mybrowser" module.
myexport: A module object for the "myexport" module.def addDefaultEntryPoints(): for f in Functions(): if GetFunctionName(f).find("recv") > -1: mynav.addPoint(f, "E") # Add the current function as entry point
def addDefaultTargetPoints(): for f in Functions(): if GetFunctionName(f).find("str") > -1 or GetFunctionName(f).find("cpy") > -1: mynav.removePoint(f, "T") # Add the current function as target point
The author of MyNav is Joxean Koret. You can contact me using any of the following e-mail addresses:
<admin[AT]joxeankoret[DOT]com>
<joxeankoret[AT]yah00[DOT]es>