Home / Security / Introducing IPyIDA: A Python plugin for your reverse‑engineering toolkit

Introducing IPyIDA: A Python plugin for your reverse‑engineering toolkit

ESET Research announces IPyIDA 2.0, a Python plugin integrating IPython and Jupyter Notebook into IDA

IDA Pro from Hex-Rays is probably the most popular tool today for reverse-engineering software. For ESET researchers, this tool is a favorite disassembler and has inspired the development of the IPyIDA plugin that embeds an IPython kernel into IDA Pro. Under continuous development since 2014, we’re pleased to announce the release of version 2.0. IPyIDA serves a similar purpose as another plugin called IDA IPython, but with a twist: whereas IDA IPython only supports Windows, IPyIDA supports macOS, Linux, and Windows.

If you are already familiar with IDA Pro and IPython, then skip to the last section of this article on IPyIDA. If you are unfamiliar with IPython, then skip to the middle section. Finally, if you would appreciate a brief introduction to IDA Pro, then read on.

What is IDA Pro?

IDA Pro is a disassembler that translates machine code to assembly code. After loading a file, IDA Pro disassembles it and stores the analysis in database files. IDA Pro provides various windows into the database, each uniquely helping the researcher find and better understand the code of interest.

Let’s look at a few of these windows by loading the MathLibrary.dll file, which can be built with Microsoft’s tutorial on creating a DLL file.

Output window

The Output window displays messages about the status of the analysis of a file, error messages for user-requested operations, and the output from some plugins. Figure 1 shows the Output window after first loading MathLibrary.dll.

Figure 1. The IDA Output window

At the bottom of this window is an input field that accepts commands. Figure 2 shows the two default command language providers shipped with IDA since version 7.3: IDC for commands written in a C-like language native to IDA and the IDAPython plugin for commands written in Python.

Figure 2. The input field to type Python commands in IDA

IDA View window

The IDA View window, also known as the disassembly window, has two display formats: graph view and text view. Graph view visualizes the program flow by dividing functions into blocks with a single entry and a single exit point. Figure 3 shows graph view.

Figure 3. The IDA disassembly graph view

Text view gives a linear view of the disassembly that displays virtual addresses, assembly code, and comments. Figure 4 shows text view.

Figure 4. The IDA disassembly text view

In addition to these and the many other windows that IDA provides, IDA allows you to write custom plugins that extend its features and solve practical reverse-engineering problems. Let’s turn to IPython and some attractive features it offers reverse engineers who use Python scripts in IDA.

A glance at IPython

While IDAPython serves the basic needs for running Python scripts and commands in IDA, Python enthusiasts have been gripped by IPython fever. IPython is a toolkit that offers a more interactive experience with Python. IPython uses a two-process model consisting of a kernel and a client. The kernel is a process that receives commands from the client, executes them, and returns the results. The client can be any interactive console such as Jupyter Console, Jupyter Qt Console, or Jupyter Notebook.

The interactive nature of these clients comes from the host of features that they add to the classic Python shell. Figure 5 shows using a multiline code block to define a function in IPython.

Figure 5. Using a multiline code block to define a function in IPython

Notice the syntax highlighting of integers, keywords, built-in functions, and strings.

By pressing the Tab key, IPython provides a list of relevant attributes, objects, or functions that can complete the code. Figure 6 shows tab completion listing functions relevant to a string object.

Figure 6. Tab completion in IPython

Tab completion is richer if Jedi is installed.

IPython also provides magic functions, which are functions that are typically called with a % or %% prefix and take arguments with a command-line-style syntax. Figure 7 shows the %timeit magic function, which times the execution of a Python expression.

Figure 7. A magic function in IPython

By using the ! character at the beginning of a command line, the IPython console passes the command to the underlying system shell to be run. For example, a popular command is pip, which installs and manages packages from the Python Package Index (PyPi). Figure 8 shows the !pip command being run from IPython.

Figure 8. Running system shell commands from IPython

IPython provides many more interactive features that can be explored in the official documentation.

IPyIDA: Bringing IPython to IDA

With the release of IPyIDA 2.0, writing Python scripts in IDA is more friendly because of the following advantages:

Figure 9 shows the process of opening a Jupyter Notebook from IPyIDA.

Figure 9. The %open_notebook magic function in IPyIDA

Figure 10 shows a Jupyter Console running in a terminal session outside IDA connecting to the IPython kernel in IDA.

Figure 10. A Jupyter Console outside IDA connecting back to the IPython kernel in IDA

The choice of the Jupyter Qt Console for IPyIDA brings additional interactive features to the traditional IPython console, such as inline graphics, saving and printing of the current session, and full syntax highlighting. These are illustrated in the official documentation for the Jupyter Qt Console.

IPyIDA even provides its own interactive features inspired by IDA. Figure 11 shows that Ctrl-clicking (Cmd-clicking on macOS) on addresses or variable names in the IPython console jumps the view to the virtual address in the disassembly window.

Figure 11. Ctrl-clicking a variable or address in IPyIDA jumps to the address in IDA’s disassembly window

Figure 12 shows a hex dump for a byte array with non-ASCII content.

Figure 12. IPyIDA displays hex dumps

If you are new to IDA Pro, IPyIDA is a huge aid to becoming familiar with the IDA API. If you are a veteran, IPyIDA makes Python scripting much easier, and thus the time spent reverse engineering hopefully more focused and fruitful.

Source link

About Deep into Tech

Check Also

ESET APT Activity Report T3 2022

An overview of the activities of selected APT groups investigated and analyzed by ESET Research ...

Leave a Reply

Your email address will not be published.