Hex-Rays Plugin Contest Results 2019
This year again, we have examined the plugins of 9 contestants, and once again the scope, and focus of the plugins we examined is very broad. Almost all of the plugins were written Python, which seems to be a solid trend.
Here is our pick for the winners:
Congratulations to the winners!
Below is the full list of submissions:
- BRUTAL IDA by Tamir Bahar
BRUTAL IDA restores your original workflow by blocking the undo and redo keyboard shortcuts.
Tamir Bahar’s plugin is a good reminder that, whatever the reason, people don’t like their workflows broken.
While plugins typically tend to add functionality, this one is here to remove some: nostalgia is a very powerful feeling indeed! (or is it Stockholm Syndrome?)
- CFG Inquisitor by Brenda SoCFG Inquisitor:
[…] checks the validity entry and exit blocks of control flow graphs (CFGs)
CFG Inquisitor essentially restricts what can be considered a valid entry-, or exit-point of a function.
This is a fairly small plugin, with what appears to be somewhat specific heuristics. It’s unclear whether it would be reasonable to extend these to all binaries that IDA can analyze.
The plugin is still under active development, and doesn’t seem to support x86_64 at this point.
- deREferencing by Daniel Garcia GutierrezdeREferencing is an:
IDA Pro plugin that implements more user-friendly register and stack views
deReferencing is an IDA Pro plugin that implements new registers and stack views. Adds dereferenced pointers, colors and other useful information, similar to some GDB plugins (e.g: PEDA, GEF, pwndbg, etc).
Supports x86, x86-64, ARM, ARM64, MIPS32 and MIPS64
The plugin adds custom views that try to interpret values in registers and stack as pointers and automatically dereference them. Values are colored depending on the type of memory they belong to.
It is robust, useful, easy to install and use. The code is nicely modularized and readable.
- findrpc by Lucas Georgesfindrpc is an:
Idapython script to carve binary for internal RPC structures
findrpc.py is a single-file script which tries to find Windows RPC server and client descriptions in PE binaries.
The target audience is somewhat small but apparently RPC is an underexplored part of Windows so it’s a promising area for finding previously unknown vulnerabilities.
The declared feature list is quite impressive:
- View in a glance which RPC clients and servers are embedded in the binary
- Locate dispatch tables for RPC servers
- Quicky rename every RPC proc handlers found
- (On Windows) Generate decompiled IDL from RPC declarations
Unfortunately in our tests it only worked reliably on some binaries and it was difficult to diagnose why exactly it failed on others, so there is definitely room for improvement.
For displaying results, the authors opted out for native Qt widgets as opposed to IDA’s standard choosers so, for example, copying the text from the result list did not work as it was not implemented
IDL decompilation feature uses a separate Windows binary without source code which is not always convenient.
That said, when it did work, the results were nice and useful for finding hidden interfaces in Windows binaries
- ifred by jinmo123ifred is:
IDA command palette & more
Ifred is a palette like we have seen several ones. It performs a fuzzy search on IDA commands and on names from the current database. Compared to other solutions, we like the attractive, customizable look. It also lets you create your own palettes.
- idapkg by jinmo123idapkg is:
Packages for IDA Pro
Idapkg tackles the problem of installing IDA plugins and managing their dependencies. Based on an online repository, it will let you search for packages and install or uninstall them. This is still a proof of concept, but is an interesting step towards an easy and standard way of installing IDA plugins.
- Karta by Eyal ItkinKarta is:
an IDA Python plugin that identifies and matches open-sourced libraries in a given binary. The plugin uses a unique technique that enables it to support huge binaries (>200,000 functions), with almost no impact on the overall performance.
Karta really is a composite of a few things:
- the ThumbsUp plugin, which helps recovering functions in ARM binaries, where IDA falls short
- the identifier that identifies what open source libraries were compiled in, and with what version (e.g., from identifier strings)
- the matcher, which will match functions coming from the previously-identified libraries
Thumbs Up in and of itself is a rather significant achievement since it uses machine learning to recover what appears to be functions, that IDA didn’t spot, and it appear to be doing a very good job with ARM binaries.
For the rest of its work, Karta will use an approach that differs from FLIRT (and other tools) in quite a few aspects:
- it will only try to match functions from a library if the identifier identified that the library is be present in the file,
- it will use many heuristics to determine the “likeliness” of function presence, based on where they are in the file
Running the plugin can take a significant amount of time (it’s written in Python), but the results can be very satisfying.
For the record, Karta has quite a few dependencies, so be sure those are installed, and reachable through
- networkx (use version 2.2: newer versions require Python3.)
- SMS-IDA by Edward LarsonSMS-IDA is:
The plugin allows IDA API commands to be run from your phone, anywhere! (Provided you have cell service).
We have hard time imagining someone controlling his IDA with SMS messages but if there are any desperate souls that need such a functionality, this plugin is right for you.
A bit of set up that includes installing some python packages, registering on an online web site that handles SMS messages, and punching a hole in your firewall, and you are ready to go.
Just be informed any person who happens to know where to send SMS messages to will be able to participate, for example, like this:
- Virtuailtor by Gal ZabanVirtuailtor is:
an IDAPython tool for C++ vtables reconstruction on runtime.
The script does not require any installation, so to use it, just press Alt-F7 and select the Main.py file. It will add tons of breakpoints to your database and then once you run the target application using a debugger backend of your choice, it will create C++ virtual tables. Naturally, the application will execute slower than usual because of the breakpoints. Besides of creating virtual tables the script also adds cross references to the called functions.
It supports x86, x64, and Aarch64.
We like the idea, it has a great potential. Hopefully the author will continue to improve the script.
As always, many thanks to all the participants for their useful and interesting submissions. We are looking forward to the next contest!
The usual disclaimer
Please be aware that all files come from third parties. While we did our best to verify them, we cannot guarantee that they work as advertised, so use them at your own risk.
For the plugin support questions, please contact the authors.
Date: September 23rd, 2019