Hex-Rays Plugin Contest Results 2019
This year again, we have examined the plugins of 9 contestants,
and once again the scope, and focus of the plugins we examined
is very broad. Almost all of the plugins were written Python,
which seems to be a solid trend.
Here is our pick for the winners:
Congratulations to the winners!
Below is the full list of submissions:
- BRUTAL IDA by Tamir Bahar
BRUTAL IDA restores your original workflow by blocking the undo and redo keyboard shortcuts.
Tamir Bahar's plugin is a good reminder that, whatever the reason,
people don't like their workflows broken.
While plugins typically tend to add functionality, this one is here
to remove some: nostalgia is a very powerful feeling indeed! (or
is it Stockholm Syndrome?)
- CFG Inquisitor by Brenda So CFG
[…] checks the validity entry and exit blocks of control flow graphs (CFGs)
CFG Inquisitor essentially restricts what can be considered a
valid entry-, or exit-point of a function.
This is a fairly small plugin, with what appears to be somewhat
specific heuristics. It's unclear whether it would be reasonable
to extend these to all binaries that IDA can analyze.
The plugin is still under active development, and doesn't seem to
support x86_64 at this point.
- deREferencing by Daniel Garcia
Gutierrez deREferencing is an:
IDA Pro plugin that implements more user-friendly register and stack views
deReferencing is an IDA Pro plugin that implements new registers and stack views.
Adds dereferenced pointers, colors and other useful information, similar to some GDB plugins (e.g: PEDA, GEF, pwndbg, etc).
Supports x86, x86-64, ARM, ARM64, MIPS32 and MIPS64
The plugin adds custom views that try to interpret values in registers and stack as pointers
and automatically dereference them. Values are colored depending on the type of memory they belong to.
It is robust, useful, easy to install and use. The code is nicely modularized and readable.
- findrpc by Lucas Georges findrpc is
Idapython script to carve binary for internal RPC structures
findrpc.py is a single-file script which tries to find Windows RPC server and client descriptions in PE binaries.
The target audience is somewhat small but apparently RPC is an underexplored part of Windows so it's
a promising area for finding previously unknown vulnerabilities.
The declared feature list is quite impressive:
- View in a glance which RPC clients and servers are embedded in the binary
- Locate dispatch tables for RPC servers
- Quicky rename every RPC proc handlers found
- (On Windows) Generate decompiled IDL from RPC declarations
Unfortunately in our tests it only worked reliably on some binaries and it was
difficult to diagnose why exactly it failed on others, so there is definitely room for improvement.
For displaying results, the authors opted out for native Qt widgets as opposed to IDA's standard choosers
so, for example, copying the text from the result list did not work as it was not implemented
IDL decompilation feature uses a separate Windows binary without source code which is not always convenient.
That said, when it did work, the results were nice and useful
for finding hidden interfaces in Windows binaries
- ifred by jinmo123 ifred is:
IDA command palette & more
Ifred is a palette like we have seen several ones. It performs a fuzzy search
on IDA commands and on names from the current database. Compared to other
solutions, we like the attractive, customizable look. It also lets you create
your own palettes.
- idapkg by jinmo123 idapkg is:
Packages for IDA Pro
Idapkg tackles the problem of installing IDA plugins and managing their
dependencies. Based on an online repository,
it will let you search for packages and install or uninstall them. This is
still a proof of concept, but is an interesting step towards an easy and standard
way of installing IDA plugins.
- Karta by Eyal Itkin Karta is:
an IDA Python plugin that identifies and matches open-sourced
libraries in a given binary. The plugin uses a unique technique
that enables it to support huge binaries (>200,000 functions),
with almost no impact on the overall performance.
Karta really is a composite of a few things:
- the ThumbsUp plugin, which helps recovering functions in
ARM binaries, where IDA falls short
- the identifier that identifies what open source libraries
were compiled in, and with what version (e.g., from identifier strings)
- the matcher, which will match functions coming from
the previously-identified libraries
Thumbs Up in and of itself is a rather significant achievement since
it uses machine learning to recover what appears to be functions,
that IDA didn't spot, and it appear to be doing a very good job with
For the rest of its work, Karta will use an approach that differs from FLIRT
(and other tools) in quite a few aspects:
- it will only try to match functions from a library if the identifier
identified that the library is be present in the file,
- it will use many heuristics to determine the “likeliness” of
function presence, based on where they are in the file
Running the plugin can take a significant amount of time (it's written in
Python), but the results can be very satisfying.
For the record, Karta has quite a few dependencies, so be sure
those are installed, and reachable through
- networkx (use version 2.2: newer versions require Python3.)
- the ThumbsUp plugin, which helps recovering functions in
- SMS-IDA by Edward Larson SMS-IDA is:
The plugin allows IDA API commands to be run from your phone, anywhere!
(Provided you have cell service).
We have hard time imagining someone controlling his IDA with SMS messages but
if there are any desperate souls that need such a functionality,
this plugin is right for you.
A bit of set up that includes installing
some python packages, registering on an online web site that handles
SMS messages, and punching a hole in your firewall, and you are ready to go.
Just be informed any person who happens to know where to send SMS messages to
will be able to participate, for example, like this:
- Virtuailtor by Gal Zaban Virtuailtor
an IDAPython tool for C++ vtables reconstruction on runtime.
The script does not require any installation, so to use it, just press
Alt-F7 and select the Main.py file. It will add tons of breakpoints
to your database and then once you run the target application using
a debugger backend of your choice, it will create C++ virtual tables.
Naturally, the application will execute slower than usual because of the
breakpoints. Besides of creating virtual tables the script also adds cross
references to the called functions.
It supports x86, x64, and Aarch64.
We like the idea, it has a great potential.
Hopefully the author will continue to improve the script.
As always, many thanks to all the participants for their useful and interesting submissions.
We are looking forward to the next contest!
The usual disclaimer
Please be aware that all files come from third
parties. While we did our best to verify them, we cannot
guarantee that they work as advertised, so use them at your own risk.
For the plugin support questions, please contact the authors.
Date: September 23rd, 2019