第1页 / 共126页
第2页 / 共126页
第3页 / 共126页
第4页 / 共126页
第5页 / 共126页
第6页 / 共126页
第7页 / 共126页
第8页 / 共126页
IDA Plugin Writing in C/C++.pdf
IDA PLUG-IN WRITING
IN
C/C++
[Version 1.1]
Copyright © 2009 Steve Micallef
steve@binarypool.com
Table of Contents
1. Introduction...............................................................................................................................6
1.1 Why This Tutorial?.................................................................................................................6
1.2 What's Covered.....................................................................................................................6
1.3 What's Not Covered..............................................................................................................6
1.4 Knowledge Required.............................................................................................................6
1.5 Software Required.................................................................................................................7
1.6 Alternatives to C/C++............................................................................................................7
1.7 About This Document............................................................................................................7
1.8 Change History......................................................................................................................7
1.9 Credits...................................................................................................................................8
1.10 Further Reading...................................................................................................................8
2. The IDA SDK..............................................................................................................................9
2.1 Installation.............................................................................................................................9
2.2 Directory Layout..................................................................................................................10
2.3 Header Files........................................................................................................................10
2.4 Using the SDK.....................................................................................................................11
3. Setting up a Build Environment.............................................................................................12
3.1 Windows, Using Visual Studio.............................................................................................12
3.2 Windows, Using Dev-C++ with GCC and MinGW...............................................................13
3.3 Linux, Using GCC................................................................................................................13
3.4 Other Platforms...................................................................................................................14
3.5 A Plug-in Template..............................................................................................................14
3.6 Configuring and Running Plug-ins.......................................................................................15
4. Fundamentals..........................................................................................................................17
4.1 Core Types..........................................................................................................................17
4.2 Core Structures and Classes...............................................................................................18
4.2.1 Meta Information...........................................................................................................18
4.2.2 Areas............................................................................................................................18
4.2.2.1 The area_t Structure..............................................................................................19
4.2.2.2 The areacb_t Class................................................................................................19
4.2.3 Segments and Functions..............................................................................................20
4.2.3.1 Segments...............................................................................................................20
4.2.3.2 Functions................................................................................................................21
4.2.4 Code Representation....................................................................................................22
4.2.4.1 Operand Types.......................................................................................................23
4.2.4.2 Operands................................................................................................................23
4.2.4.3 Mnemonics.............................................................................................................24
4.2.4.4 Instructions.............................................................................................................24
4.2.5 Cross Referencing........................................................................................................25
4.2.5.1 The xrefblk_t Structure...........................................................................................26
4.2.5.2 Code ......................................................................................................................26
4.2.5.3 Data........................................................................................................................27
4.3 Byte Flags...........................................................................................................................28
4.4 The Debugger.....................................................................................................................29
4.4.1 The debugger_t Struct..................................................................................................30
4.4.2 Registers.......................................................................................................................30
4.4.3 Breakpoints...................................................................................................................31
4.4.4 Tracing..........................................................................................................................32
4.4.5 Processes and Threads................................................................................................34
4.5 Event Notifications...............................................................................................................34
4.5.1 Receiving Notification...................................................................................................35
4.5.2 UI Event Notifications....................................................................................................36
4.5.3.1 Low Level Events...................................................................................................37
4.5.3.2 High Level Event Notifications................................................................................38
4.5.3.3 Function Result Notifications..................................................................................39
4.6 Strings.................................................................................................................................40
5. Functions.................................................................................................................................42
5.1 Common Function Replacements.......................................................................................42
5.2 Messaging...........................................................................................................................42
5.2.1 msg...............................................................................................................................43
5.2.2 info................................................................................................................................43
5.2.3 warning.........................................................................................................................43
5.2.4 error..............................................................................................................................43
5.3 UI Navigation.......................................................................................................................44
5.3.1 get_screen_ea..............................................................................................................44
5.3.2 jumpto...........................................................................................................................44
5.3.3 get_cursor.....................................................................................................................44
5.3.4 get_curline....................................................................................................................45
5.3.5 read_selection...............................................................................................................45
5.3.6 callui..............................................................................................................................45
5.3.7 askaddr.........................................................................................................................46
5.3.8 AskUsingForm_c...........................................................................................................46
5.4 Entry Points.........................................................................................................................47
5.4.1 get_entry_qty................................................................................................................47
5.4.2 get_entry_ordinal..........................................................................................................47
5.4.3 get_entry.......................................................................................................................48
5.4.4 get_entry_name............................................................................................................48
5.5 Areas...................................................................................................................................48
5.5.1 get_area........................................................................................................................49
5.5.2 get_area_qty.................................................................................................................49
5.5.3 getn_area......................................................................................................................49
5.5.4 get_next_area...............................................................................................................50
5.5.5 get_prev_area...............................................................................................................50
5.6 Segments............................................................................................................................51
5.6.1 get_segm_qty...............................................................................................................51
5.6.2 getnseg.........................................................................................................................51
5.6.3 get_segm_by_name.....................................................................................................52
5.6.4 getseg...........................................................................................................................52
5.6.5 get_segm_name...........................................................................................................52
5.7 Functions.............................................................................................................................53
5.7.1 get_func_qty.................................................................................................................53
5.7.2 get_func........................................................................................................................53
5.7.3 getn_func......................................................................................................................54
5.7.4 get_func_name.............................................................................................................54
5.7.5 get_next_func...............................................................................................................55
5.7.6 get_prev_func...............................................................................................................55
5.7.7 get_func_cmt................................................................................................................55
5.8 Instructions..........................................................................................................................56
5.8.1 generate_disasm_line...................................................................................................56
5.8.2 decode_insn..................................................................................................................56
5.8.3 create_insn...................................................................................................................57
5.8.4 ua_ana0 (DEPRECATED)............................................................................................57
5.8.5 ua_code (DEPRECATED)............................................................................................58
5.8.6 ua_mnem......................................................................................................................58
5.8.7 ua_outop2.....................................................................................................................59
5.8.8 ua_outop (DEPRECATED)...........................................................................................60
5.9 Cross Referencing...............................................................................................................60
5.9.1 first_from.......................................................................................................................61
5.9.2 first_to...........................................................................................................................61
5.9.3 next_from......................................................................................................................61
5.9.4 next_to..........................................................................................................................62
5.10 Names...............................................................................................................................62
5.10.1 get_name....................................................................................................................63
5.10.2 get_name_ea..............................................................................................................63
5.10.3 get_name_value.........................................................................................................64
5.11 Searching..........................................................................................................................65
5.11.1 find_text......................................................................................................................65
5.11.2 find_binary..................................................................................................................66
5.12 IDB....................................................................................................................................67
5.12.1 open_linput.................................................................................................................67
5.12.2 close_linput.................................................................................................................67
5.12.3 load_loader_module...................................................................................................68
5.12.4 load_binary_file...........................................................................................................68
5.12.5 gen_file.......................................................................................................................69
5.12.6 save_database............................................................................................................70
5.13 Flags..................................................................................................................................70
5.13.1 get_flags_novalue.......................................................................................................71
5.13.2 isEnabled....................................................................................................................71
5.13.3 isHead.........................................................................................................................71
5.13.4 isCode.........................................................................................................................72
5.13.5 isData..........................................................................................................................72
5.13.6 isUnknown..................................................................................................................73
5.14 Data...................................................................................................................................74
5.14.1 get_byte......................................................................................................................74
5.14.2 get_many_bytes..........................................................................................................74
5.14.3 get_dbg_byte..............................................................................................................75
5.14.4 patch_byte..................................................................................................................75
5.14.5 patch_many_bytes......................................................................................................76
5.15 I/O......................................................................................................................................76
5.15.1 fopenWT.....................................................................................................................76
5.15.2 openR.........................................................................................................................77
5.15.3 ecreate........................................................................................................................77
5.15.4 eclose.........................................................................................................................77
5.15.5 eread...........................................................................................................................78
5.15.6 ewrite..........................................................................................................................78
5.16 Debugging .......................................................................................................................79
5.16.0 A Note on Requests....................................................................................................79
5.16.1 run_requests...............................................................................................................80
5.16.2 get_process_state.......................................................................................................80
5.16.3 get_process_qty..........................................................................................................81
5.16.4 get_process_info.........................................................................................................81
5.16.5 start_process *............................................................................................................82
5.16.6 continue_process *.....................................................................................................82
5.16.7 suspend_process *.....................................................................................................83
5.16.8 attach_process *.........................................................................................................83
5.16.9 detach_process *........................................................................................................84
5.16.10 exit_process *...........................................................................................................84
5.16.11 get_thread_qty..........................................................................................................84
5.16.12 get_current_thread....................................................................................................85
5.16.13 getn_thread...............................................................................................................85
5.16.14 get_reg_val...............................................................................................................85
5.16.15 thread_get_sreg_base (member of dbg)...................................................................86
5.16.16 read_memory (member of dbg)................................................................................86
5.16.17 write_memory (member of dbg)................................................................................87
5.16.18 set_reg_val *.............................................................................................................87
5.16.19 invalidate_dbgmem_contents...................................................................................88
5.16.20 invalidate_dbgmem_config.......................................................................................89
5.16.21 run_to *.....................................................................................................................89
5.16.22 step_into *.................................................................................................................90
5.16.23 step_over *................................................................................................................90
5.16.24 step_until_ret *..........................................................................................................91
5.17 Breakpoints .....................................................................................................................91
5.17.1 get_bpt_qty.................................................................................................................91
...............................................................................................................................................92
5.17.2 getn_bpt......................................................................................................................92
5.17.3 get_bpt........................................................................................................................92
5.17.4 add_bpt *....................................................................................................................93
5.17.5 del_bpt *......................................................................................................................93
5.17.6 update_bpt..................................................................................................................94
5.17.7 enable_bpt *................................................................................................................94
5.18 Tracing..............................................................................................................................95
5.18.1 set_trace_size.............................................................................................................95
5.18.2 clear_trace *................................................................................................................95
5.18.3 is_step_trace_enabled................................................................................................96
5.18.4 enable_step_trace *....................................................................................................96
5.18.5 is_insn_trace_enabled................................................................................................96
5.18.6 enable_insn_trace *....................................................................................................97
5.18.7 is_func_trace_enabled................................................................................................97
5.18.8 enable_func_trace *....................................................................................................97
5.18.9 get_tev_qty.................................................................................................................98
5.18.10 get_tev_info..............................................................................................................98
5.18.11 get_insn_tev_reg_val................................................................................................99
5.18.12 get_insn_tev_reg_result............................................................................................99
5.18.13 get_call_tev_callee.................................................................................................100
5.19 Strings.............................................................................................................................101
5.19.1 refresh_strlist............................................................................................................102
5.19.2 get_strlist_qty............................................................................................................102
5.19.3 get_strlist_item..........................................................................................................102
5.20 Miscellaneous..................................................................................................................103
5.20.1 tag_remove...............................................................................................................103
5.20.2 open_url....................................................................................................................103
5.20.3 call_system...............................................................................................................104
5.20.4 idadir.........................................................................................................................104
5.20.5 getdspace.................................................................................................................104
5.20.6 str2ea........................................................................................................................105
5.20.7 ea2str........................................................................................................................105
5.20.8 get_nice_colored_name............................................................................................105
6. Examples...............................................................................................................................107
6.1 Looking for Calls to sprintf, strcpy, and sscanf..................................................................107
6.2 Listing Functions Containing MOVS et al..........................................................................110
6.3 Auto-loading DLLs into the IDA Database.........................................................................112
6.4 Bulk Breakpoint Setter & Saver.........................................................................................115
6.5 Selective Tracing (Method 1).............................................................................................118
6.6 Selective Tracing (Method 2).............................................................................................120
6.7 Binary Copy & Paste.........................................................................................................122
6.8 BeingDebugged Flipper (Windows only)...........................................................................125
1. Introduction
1.1 Why This Tutorial?
After spending a lot of time going through the header files in the IDA SDK as well as looking at
the source to other people’s plug-ins, I figured there should be an easier way to get started with
writing IDA plug-ins. Although the header file commentary is amazingly thorough, I found it a little
difficult navigating and finding things when I needed them without a lot of searching and trial-and-
error. I thought that I'd write this tutorial to try and help those getting started as well as hopefully
provide a quick reference point for people developing plug-ins. I've also dedicated a section to
setting up a development environment which should make the development process quicker to
get into.
1.2 What's Covered
This tutorial will get you started with writing IDA plug-ins, beginning with an introduction to the
SDK, followed by setting up a development/build environment on various platforms. You'll then
gain a good understanding of how various classes and structures are used, followed by usage of
some of the more widely used functions exported. Finally, I'll show some examples of using the
IDA API for basic things like looping through functions, to hooking into the debugger and
manipulating the IDA database (IDB). After reading this, you should be able to apply the
knowledge gained to write your own plug-ins and hopefully share them with the IDA user
community.
1.3 What's Not Covered
I'm focusing on x86 assembly because it's what I have most experience in, although most of the
material presented should cover any architecture supported by IDA (which is practically all of
them). Also, if you want a comprehensive reference to all IDA functions, I suggest looking through
the header files.
This tutorial is focused more on "read only" functionality within the SDK, rather than functions for
adding comments, correcting errors, defining data structures, and so on. These sorts of things are
a big part of the SDK, but aren't covered here in an attempt to keep this tutorial at a manageable
size.
I have intentionally left out netnodes from this tutorial, as well as many struct/class members
because the IDA SDK is massive, and contains a lot of things for specialised purposes – a tutorial
cannot cover everything. If there is something you feel really should be in here, drop me a line
and I'll probably include it in the next version if it isn't too specialised. I came pretty close to
including a section about graphing, but realised that there were already several sample plug-ins
in the SDK, and it would blow out the size of this tutorial. Laziness was probably a contributing
factor as well!
1.4 Knowledge Required
First and foremost, you must know how to use IDA to the point where you can comfortably
navigate disassembled binaries and step through the debugger. You should be equipped with a
thorough knowledge of the C/C++ language as well as x86 assembly. C++ knowledge is quite
important because the SDK is pretty much all C++. If you don't know C++ but know C, you should
at least understand general OOP concepts like classes, objects, methods and inheritance.
1.5 Software Required
To write and run IDA plug-ins, you will need the IDA Pro disassembler 5.4, the IDA SDK (which,
as a licensed user of IDA, you get for free from http://www.hex-rays.com) and a C/C++ compiler
with related tools (Visual Studio, GCC toolset, Borland, etc).
Because it’s been so long since the last version of this document (sorry about that!), this version
will focus solely on version 5.4 of the API. It would just be too cumbersome to highlight all the
changes since IDA 4.8. The SDK was actually frozen (mostly) since 4.9, so older versions may
work.
1.6 Alternatives to C/C++
If C is not your thing, take a look at IDAPython, which has all the functionality the C++ API offers
in the more accessible language of Python. Check out http://d-dome.net/idapython/ for details.
There
IDAPython by Ero Carrera at
http://dkbza.org/idapython_intro.html, though it doesn’t appear to have been updated since 2006.
written on using
is a
tutorial
There was also an article written in 2005 about using VB6 and C# to write IDA plugins – check it
out here: http://www.openrce.org/articles/full_view/13. A php.net-style version of the first version
of this document has also been placed on OpenRCE, enabling users to add comments, sample
code, etc. to each function.
1.7 About This Document
If you have any comments or suggestions, or if you notice any errors, please contact me, Steve
Micallef, at steve@binarypool.com. If you really feel like you've learnt something from this, I'd also
appreciate an email, just to make this process worth while :-)
It’s been four years since the last version of this tutorial, so I will make a better attempt at keeping
this document up-to-date in the future. You will always be able to obtain the latest copy at
http://www.binarypool.com/idapluginwriting/.
1.8 Change History
•
•
-
First release
Version 1.0 [July, 2005]:
Version 1.1 [May, 2009]:
Brought up-to-date for IDA 5.4 SDK
-
- Minor clarity improvements and error corrections
-
-
-
Changed Visio 2003 example to Visio 2008
Some new functions covered
Additional example plug-in (BeingDebugged Flipper)
1.9 Credits
I'd like to thank the Ilfak Guilfanov and Hex-Rays for their continued support with putting this
together and for such a great product.
1.10 Further Reading
(http://www.hex-rays.com/idapro/idasupport.htm)
Since the first version of this tutorial, there still appears to be limited information specifically on
writing IDA plug-ins available. The two single best resources remain the IDA support page at
Hex-Rays
IDA Palace
(http://idapalace.net/). If you get stuck while writing a plug-in, you can always ask for help on the
Hex-Rays Support Forum (http://www.hex-rays.com/forum), where even though the SDK is
officially unsupported, someone from Hex-Rays (or one of the many IDA users) is likely to help
you out.
and
the
Another great resource is http://www.openrce.org/, where you'll find not only some great articles
on reverse engineering, but tools, plug-ins and documentation too. There are also a lot of
switched-on people on this board, who will most likely be able to help you with almost any IDA or
general reverse engineering problem.
Since the first release of this tutorial, Chris Eagle with No Starch Press released “The IDA Pro
Book.” I highly recommend this book to any serious IDA user and plug-in writer. If you want to
purchase it through Amazon, please use the following link to show your appreciation for this
tutorial (I get a tiny percentage of the sale price, but at no extra cost to you!):
http://www.amazon.com/gp/product/1593271786?ie=UTF8&tag=binarypool-
20&linkCode=as2&camp=1789&creative=390957&creativeASIN=1593271786
相关推荐
2023年江西萍乡中考道德与法治真题及答案.doc
2012年重庆南川中考生物真题及答案.doc
2013年江西师范大学地理学综合及文艺理论基础考研真题.doc
2020年四川甘孜小升初语文真题及答案I卷.doc
2020年注册岩土工程师专业基础考试真题及答案.doc
2023-2024学年福建省厦门市九年级上学期数学月考试题及答案.doc
2021-2022学年辽宁省沈阳市大东区九年级上学期语文期末试题及答案.doc
2022-2023学年北京东城区初三第一学期物理期末试卷及答案.doc
2018上半年江西教师资格初中地理学科知识与教学能力真题及答案.doc
2012年河北国家公务员申论考试真题及答案-省级.doc
2020-2021学年江苏省扬州市江都区邵樊片九年级上学期数学第一次质量检测试题及答案.doc
2022下半年黑龙江教师资格证中学综合素质真题及答案.doc
