Plugin for IDA Pro
Table of Contents
The plugin assists in the creation of classes/structures and detection of virtual tables. It also facilitates transforming decompiler output faster and allows to do some stuff which is otherwise impossible.
Note: The plugin supports IDA Pro 7.x with Python 2/3.
Just copy HexRaysPyTools.py
file and HexRaysPyTools
directory to Ida plugins directory.
Can be found at IDADIR\cfg\HexRaysPyTools.cfg
debug_message_level
. Set 10 if you have a bug and want to show the log along with the information about how it was encountered in the issue.propagate_through_all_names
. Set True
if you want to rename not only the default variables for the Propagate Name feature.store_xrefs
. Specifies whether to store the cross-references collected during the decompilation phase inside the database. (Default - True)scan_any_type
. Set True
if you want to apply scanning to any variable type. By default, it is possible to scan only basic types like DWORD
, QWORD
, void *
e t.c. and pointers to non-defined structure declarations.The reconstruction process usually comprises the following steps:
1) Open structure builder. 2) Find a local variable that points to the structure you would like to reconstruct. 3) Apply "Scan variable". It will collect the information about the fields that were accessed in the boundaries of one function. As an option, you can apply "Deep Scan variable", which will do the same thing but will also recursively visit other functions that has the same variable as its argument. 4) After applying steps 2 and 3 enough times, resolve conflicts in the structure builder and finalize structure creation. All the scanned variables will get a new type. Also, cross-references will be remembered and usable anytime.
Now, a few more details.
The place where all the collected information about the scanned variables can be viewed and modified. Ways of collecting information:
Structure builder stores collected information and enables interaction:
Name
or Type
to edit.Offset
opens a window with all the places, where this field has been extracted. Click the "Ok" button to open a selected place in the pseudocode window:Buttons serve the following purpose:
Finalize - opens a window with an editable C-like declaration and assigns new types to all scanned variables.
Disable, Enable - are used for collision resolution.
Origin - switches the base offset which is used to produce new fields to structure (this value will be added to every offset of a newly-scanned variable, default = 0).
Array - renders a selected field as an array the size of which is automatically calculated.
Pack - creates and substitutes a substructure for selected items (collisions for these items should be resolved).
Unpack - dismembers a selected structure and adds all its fields to the builder.
Remove - removes the information about selected fields.
Clear - clears all.
Recognize Shape - looks for appropriates structure for selected fields.
Resolve Conflicts (new) - attempts to disable less meaningful fields in favor of more useful ones. (char
> _BYTE
, SOCKET
> _DWORD
etc). Doesn't help to find arrays.
With HexRaysPyTools, every time the F5 button is pressed and code is decompiled, the information about addressing to fields is stored inside cache. It can be retrieved with the "Field Xrefs" menu. So, it is better to apply reconstructed types to as many locations as possible to have more information about the way structures are used.
Note: IDA 7.4 has now an official implementation of this feature, available through Shift-X hotkey.
Warning!! Very raw feature. The idea is to help find where a variable came from so as to run Deep Scan Process at the very top level and not to skip large amounts of code.
Usage:
sizeof(Structure Name)
, and type will be imported to Local Types.Helps find a suitable structure by the information gleaned from pseudocode after variable scanning.
Usage:
Helps find containing structure and makes code prettier by replacing pointers with CONTAINING_RECORD macro
Before:
After:
Usage:
If a variable is a structure pointer and there's an access to outside of the boundaries of that structure, then:
Every time you have two sides in an expression, where each side may be a local or global variable, argument or return value of the function signature, it is possible to right-click or press the hotkey to give both sides of the expression similar types. Below, there is the table of possible conversions:
Original | Shift+L | Shift+R |
---|---|---|
var = (TYPE) expr | var type -> TYPE | |
exp = (TYPE) var | var type -> TYPE | |
function(..., (TYPE) var, ...) | functions' argument -> TYPE | var type -> TYPE |
(TYPE) function(...) | functions' return type -> TYPE | |
return (TYPE) var | functions' return type -> TYPE | var type -> TYPE |
struct.field = (TYPE) var | type(field) -> TYPE | |
pstruct->field = (TYPE) var | type(field) -> TYPE |
When you have an expression like function(..., some_good_name, ...)
, you can rename function parameter.
When you have an expression like function(..., v12, ...)
, and function has an appropriate parameter name, you can quickly apply this name to the variable.
Also possible to rename vXX = v_named
into _v_named = v_named
and vice versa.
And there's a feature for massive renaming functions using assert statements. If you find a function that looks like an assert, right-click the string argument with the function name and select "Rename as assert argument". All the functions where a call to assert statement has happened will be renamed (provided that there is no conflicts, either way, you'll see the warning in the output window)
This feature does the same recursive traversal over functions as the Deep Scan Variable does. But this time, all elements that have a connection with the selected one receive its name. It’s possible to rename it or use names of both local and global variables, as well as structure members. By default, the plugin propagates names only over default names like v1
, a2
. See Configuration in order to change that.
if
manually allows to switch then
and else
branchesBefore:
...
if (condition) {
statement_1;
statement_2;
...
return another_value;
}
return value;
After:
...
if (opposite_condition) {
return value;
}
statement_1;
statement_2;
...
return another_value; // if 'then' branch has no return, than `return value;`
Also, it can be found at View->Open Subview->Classes. Helps to manage classes (structures with virtual tables).
Class, virtual tables, and functions names are editable. Also a function's declaration can be edited. After editting, the altered items change font to italic. Right click opens the following menu options:
You can also filter classes using Regexp either by class_name or by existence of specific functions. Simply input an expression in line edit for filtering by class_name or prepend it with "!" to filter by function name.
Shows relationship between structures:
Also: dark green node is union, light green - enum.
Usage:
Under construction