Hex Rays

Plug-In Contest 2019: Hall Of Fame


Hex-Rays Plugin Contest Results 2019
This year again, we have examined the plugins of 9 contestants, and once again the scope, and focus of the plugins we examined is very broad. Almost all of the plugins were written Python, which seems to be a solid trend. Here is our pick for the winners:  
  • First prize: Karta, by Eyal Itkin
  • Second prize: deREferencing, by Daniel Garcia Gutierrez
  • Third prize: idapkg, by jinmo123
  Congratulations to the winners! Below is the full list of submissions:
  • BRUTAL IDA by Tamir Bahar
    BRUTAL IDA restores your original workflow by blocking the undo and redo keyboard shortcuts.
    Our comments: Tamir Bahar’s plugin is a good reminder that, whatever the reason, people don’t like their workflows broken. While plugins typically tend to add functionality, this one is here to remove some: nostalgia is a very powerful feeling indeed! (or is it Stockholm Syndrome?)   Download BRUTAL-IDA-master.zip Get BRUTAL IDA from github
  • CFG Inquisitor by Brenda SoCFG Inquisitor:
    […] checks the validity entry and exit blocks of control flow graphs (CFGs)
    Our comments: CFG Inquisitor essentially restricts what can be considered a valid entry-, or exit-point of a function. This is a fairly small plugin, with what appears to be somewhat specific heuristics. It’s unclear whether it would be reasonable to extend these to all binaries that IDA can analyze. The plugin is still under active development, and doesn’t seem to support x86_64 at this point.   Download cfg_inquisitor.zip
  • deREferencing by Daniel Garcia GutierrezdeREferencing is an:
    IDA Pro plugin that implements more user-friendly register and stack views
    Our comments: deReferencing is an IDA Pro plugin that implements new registers and stack views. Adds dereferenced pointers, colors and other useful information, similar to some GDB plugins (e.g: PEDA, GEF, pwndbg, etc). Supports x86, x86-64, ARM, ARM64, MIPS32 and MIPS64 The plugin adds custom views that try to interpret values in registers and stack as pointers and automatically dereference them. Values are colored depending on the type of memory they belong to. It is robust, useful, easy to install and use. The code is nicely modularized and readable.   Download deREferencing-master.zip Get deREferencing from github
  • findrpc by Lucas Georgesfindrpc is an:
    Idapython script to carve binary for internal RPC structures
    Our comments: findrpc.py is a single-file script which tries to find Windows RPC server and client descriptions in PE binaries. The target audience is somewhat small but apparently RPC is an underexplored part of Windows so it’s a promising area for finding previously unknown vulnerabilities. The declared feature list is quite impressive:
    • View in a glance which RPC clients and servers are embedded in the binary
    • Locate dispatch tables for RPC servers
    • Quicky rename every RPC proc handlers found
    • (On Windows) Generate decompiled IDL from RPC declarations
    Unfortunately in our tests it only worked reliably on some binaries and it was difficult to diagnose why exactly it failed on others, so there is definitely room for improvement. For displaying results, the authors opted out for native Qt widgets as opposed to IDA’s standard choosers so, for example, copying the text from the result list did not work as it was not implemented IDL decompilation feature uses a separate Windows binary without source code which is not always convenient. That said, when it did work, the results were nice and useful for finding hidden interfaces in Windows binaries   Download findrpc-master.zip Get findrpc from github
  • ifred by jinmo123ifred is:
    IDA command palette & more
    Our comments: Ifred is a palette like we have seen several ones. It performs a fuzzy search on IDA commands and on names from the current database. Compared to other solutions, we like the attractive, customizable look. It also lets you create your own palettes.   Download ifred.zip Get ifred from github
  • idapkg by jinmo123idapkg is:
    Packages for IDA Pro
    Our comments: Idapkg tackles the problem of installing IDA plugins and managing their dependencies. Based on an online repository, it will let you search for packages and install or uninstall them. This is still a proof of concept, but is an interesting step towards an easy and standard way of installing IDA plugins.   Download idapkg.zip Get idapkg from github
  • Karta by Eyal ItkinKarta is:
    an IDA Python plugin that identifies and matches open-sourced libraries in a given binary. The plugin uses a unique technique that enables it to support huge binaries (>200,000 functions), with almost no impact on the overall performance.
    Our comments: Karta really is a composite of a few things:
    • the ThumbsUp plugin, which helps recovering functions in ARM binaries, where IDA falls short
    • the identifier that identifies what open source libraries were compiled in, and with what version (e.g., from identifier strings)
    • the matcher, which will match functions coming from the previously-identified libraries
    Thumbs Up in and of itself is a rather significant achievement since it uses machine learning to recover what appears to be functions, that IDA didn’t spot, and it appear to be doing a very good job with ARM binaries. For the rest of its work, Karta will use an approach that differs from FLIRT (and other tools) in quite a few aspects:
    • it will only try to match functions from a library if the identifier identified that the library is be present in the file,
    • it will use many heuristics to determine the “likeliness” of function presence, based on where they are in the file
    Running the plugin can take a significant amount of time (it’s written in Python), but the results can be very satisfying. For the record, Karta has quite a few dependencies, so be sure those are installed, and reachable through sys.path:
    • awesomelib
    • Cute
    • decorator
    • elementals
    • hexdump.py
    • networkx (use version 2.2: newer versions require Python3.)
    • Sark
    • sklearn
      Download Karta-master.zip Get Karta from github
  • SMS-IDA by Edward LarsonSMS-IDA is:
    The plugin allows IDA API commands to be run from your phone, anywhere! (Provided you have cell service).
    Our comments: We have hard time imagining someone controlling his IDA with SMS messages but if there are any desperate souls that need such a functionality, this plugin is right for you. A bit of set up that includes installing some python packages, registering on an online web site that handles SMS messages, and punching a hole in your firewall, and you are ready to go. Just be informed any person who happens to know where to send SMS messages to will be able to participate, for example, like this:   Download sms-ida.tar
  • Virtuailtor by Gal ZabanVirtuailtor is:
    an IDAPython tool for C++ vtables reconstruction on runtime.
    Our comments: The script does not require any installation, so to use it, just press Alt-F7 and select the Main.py file. It will add tons of breakpoints to your database and then once you run the target application using a debugger backend of your choice, it will create C++ virtual tables. Naturally, the application will execute slower than usual because of the breakpoints. Besides of creating virtual tables the script also adds cross references to the called functions. It supports x86, x64, and Aarch64. We like the idea, it has a great potential. Hopefully the author will continue to improve the script.   Download Virtuailor-master.zip Get Virtuailtor from github

Final notes As always, many thanks to all the participants for their useful and interesting submissions. We are looking forward to the next contest! The usual disclaimer Please be aware that all files come from third parties. While we did our best to verify them, we cannot guarantee that they work as advertised, so use them at your own risk. For the plugin support questions, please contact the authors. Date: September 23rd, 2019
Go to top of page