Python IDA Plugin DIE Dynamic IDA Enrichment

Discussion in 'Plugins' started by storm shadow, Jun 20, 2015.


  1. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    Dynamic IDA Enrichment (aka. DIE)

    What is it?

    DIE is an IDA Python plugin designed to enrich IDA's static analysis with dynamic data. This is done using the IDA Debugger API, by placing breakpoints in key locations and saving the current system context once those breakpoints are hit.
    The saved context consists of function arguments and register states, and it is saved upon each function CALL and function RETURN.
    DIE takes advantage of IDA's powerful analysis engine, so that when context is taken DIE is fully aware of known function prototypes, data types, structures, unions, arrays and basically every piece of information IDA provides during static analysis.
    In order to take this one step further, once context has been saved, DIE attempts to parse the individual data types based on an integrated (and extensible!) value parser framework.
    So for example, if the current context has a function argument with type 'CHAR *', DIE will dereference its address and show a human-readable ASCII string as its value.
    If the current context holds an argument with an unknown value, DIE will not give up and will attempt to guess the value using all relevant parsers.
    This parser framework is the real power behind DIE; parser plugins can parse anything from BOOL values to image files to injected code.
    The result is a dynamic database that holds parsed runtime arguments, which are available to the user during static analysis.
    I'm not sure I got it, do you have an example?

    Well, yes. I'm glad you asked! These videos show DIE in action, check them out if you want to understand a little bit more about how DIE works.
    Example Video I


    Bypass Password Protection In which we are going to demonstrate how DIE can be used in order to bypass a (very) simple password protection scheme.
    Example Video II


    Code Coverage In which we will show you how running DIE before even looking at the static analysis helps with code coverage, indirect calls, and function definitions.
    Example Video III



    Querying DieDB In which we will show you how to use DIEDB to quickly locate the Explosive trojan de-obfuscation function.
    I want to write my own value parser plugin

    Great, value parser plugins are the heart of DIE. Without them DIE is practically useless. Check out the value parser writing manual, and if your plugin turns out good, share it with the community!
    Installation

    Prerequisites

    1. IDA >= 6.8 (for versions 6.6 and 6.7 check out the issues page)
    2. Python 2.7
    How to install

    1. Simply download DIE and run pip install -r requirements.txt from DIE's directory.
    2. Copy the file die_proxy.py into IDA's plugin directory.
    3. Create an environment variable named DIEDIR and set its value to the DIE directory.
    For the Windows Handle parser plugin, you will also need to install PyWin32 (manually :( )
    If for some reason you want to install all the dependencies manually:
    1. Yapsy - install using pip install yapsy or your favorite package manager
    2. Pywin32 - install via
    3. Sark - install using pip install -e git+https://github.com/tmr232/Sark.git#egg=Sark
    4. yaml - install using pip install pyyaml
    5. attrdict - install using pip install attrdict
    I have added my own fix for IDA pre-6.8 in the attachments.
    Remember to add DieDir to your system environment variables.


    https://github.com/ynvb/DIE
     

    Attached Files: DIE.zip (3.5 KB)
    Last edited: Jun 20, 2015
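    The value parser framework described in the post above, as an added example that is not DIE's own code: DIE's real parsers are Yapsy plugins living under Plugins/DataParsers and read memory through the IDA debugger, whereas the class names, the fake memory image, the addresses and the two-stage lookup below are assumptions made here to illustrate the idea outside IDA.

```python
# Added example (not DIE's code): a miniature "value parser" framework in the
# spirit of the one described above. Process memory is a constructed in-memory
# image so the script runs outside IDA; in DIE the bytes would come from the
# IDA debugger API instead. Runs on Python 2.7 and 3.
import struct

# Constructed sample memory: base address -> bytes. Addresses are hypothetical.
MEMORY = {
    0x00401000: b"Hello, DIE\x00",                 # NUL-terminated ASCII
    0x00402000: b"w\x00i\x00d\x00e\x00\x00\x00",   # UTF-16LE "wide"
    0x00404000: b"\xff\xfe\x80\x90\x00",           # bytes that are not text
}


def read_memory(addr, size):
    """Return up to `size` bytes starting at addr, or None if unmapped.
    Stands in for the debugger's memory read."""
    for base, blob in MEMORY.items():
        if base <= addr < base + len(blob):
            off = addr - base
            return blob[off:off + size]
    return None


class ValueParser(object):
    """One parser plugin: declares the C types it handles and turns a raw
    argument value (register/stack content) into something readable.
    `strict` is set when the type is unknown and the parser is only guessing,
    so it should reject borderline input to keep false positives down."""
    name = "base"
    types = ()

    def parse(self, raw, strict):
        raise NotImplementedError


class AsciiStringParser(ValueParser):
    name = "AsciiString"
    types = ("CHAR *", "char *", "LPSTR", "LPCSTR")

    def parse(self, raw, strict):
        data = read_memory(raw, 256)            # raw is treated as a pointer
        if not data:
            return None
        s = data.split(b"\x00", 1)[0]
        if len(s) < (2 if strict else 1):       # a guess needs more evidence
            return None
        if not all(0x20 <= b < 0x7f for b in bytearray(s)):
            return None
        return s.decode("ascii")


class WideStringParser(ValueParser):
    name = "WideString"
    types = ("WCHAR *", "wchar_t *", "LPWSTR", "LPCWSTR")

    def parse(self, raw, strict):
        buf = bytearray(read_memory(raw, 512) or b"")
        chars = []
        for i in range(0, len(buf) - 1, 2):
            unit = buf[i] | (buf[i + 1] << 8)   # little-endian UTF-16 code unit
            if unit == 0:
                break
            if not 0x20 <= unit < 0x7f:         # demo only accepts printable ASCII
                return None
            chars.append(chr(unit))
        else:
            return None                         # no terminator inside the window
        if len(chars) < (2 if strict else 1):
            return None
        return "".join(chars)


class BoolParser(ValueParser):
    name = "Bool"
    types = ("BOOL", "BOOLEAN", "bool")

    def parse(self, raw, strict):
        return bool(raw) if raw in (0, 1) else None   # raw is the value itself


PARSERS = [AsciiStringParser(), WideStringParser(), BoolParser()]


def parse_argument(raw, type_name=None):
    """Two-stage lookup as the post describes: parsers registered for the
    declared type go first; if the type is unknown (or the typed parser gives
    up) every parser gets a try and all plausible readings are returned as
    (parser name, value) pairs."""
    if type_name is not None:
        for p in PARSERS:
            if type_name in p.types:
                value = p.parse(raw, strict=False)
                if value is not None:
                    return [(p.name, value)]
    hits = []
    for p in PARSERS:
        value = p.parse(raw, strict=True)
        if value is not None:
            hits.append((p.name, value))
    return hits


def enrich_call(func_name, args):
    """Record one CALL context. args is a list of (arg name, declared type or
    None, raw value); the result is the kind of record DIE stores per call."""
    return {"function": func_name,
            "args": [(name, raw, parse_argument(raw, ctype)) for name, ctype, raw in args]}
```

    The strict flag is the part worth copying: a parser asked to guess (no declared type) should demand more evidence than one handed a prototype, otherwise every pointer to a printable byte followed by a NUL shows up as a one-character string. Returning every plausible reading rather than the first one matches the "attempt to guess the value using all relevant parsers" behaviour above and leaves the final call to the analyst.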
  2. goddkiller

    Member

    First, thanks for sharing an awesome IDA plugin!

    I have some problems with my IDA 6.6. The third-party modules this plugin needs I have installed successfully, but when I launch my IDA 6.6 it shows me the error below:


    DLL load failed: ??????????????????
    Traceback (most recent call last):
    File "D:\Tools\IDAPro6.6\python\idaapi.py", line 601, in IDAPython_ExecScript
    execfile(script, g)
    File "D:/Tools/IDAPro6.6/plugins/die_proxy.py", line 13, in <module>
    plugin = imp.load_source(__name__, plugin_path)
    File "C:\Users\kingsoft\Desktop\DIE-master\DIE.py", line 7, in <module>
    import logging.handlers as handlers
    File "C:\Python27\lib\logging\handlers.py", line 26, in <module>
    import errno, logging, socket, os, cPickle, struct, time, re
    File "C:\Python27\lib\socket.py", line 47, in <module>
    import _socket
    ImportError: DLL load failed: ??????????????????


    I'm sure I can import those modules (in red) correctly in my Python console.

    Does anybody know what it means? I really have no idea.

    Thanks all!
     
  3. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    It's an import error.

    Did you install all the dependencies?

    Code (Text):
    How to install
     
        Simply download DIE and run pip install -r requirements.txt from DIE's directory.
        Copy the file die_proxy.py into IDA's plugin directory.
        Create an environment variable named DIEDIR and set its value to the DIE directory.
     
    For the Windows Handle parser plugin, you will also need to install PyWin32 (manually :( )
     
    If for some reason you want to install all the dependencies manually:
     
        Yapsy - install using pip install yapsy or your favorite package manager
        Pywin32 - install via http://sourceforge.net/projects/pywin32/files/pywin32/
        Sark - install using pip install -e git+https://github.com/tmr232/Sark.git#egg=Sark
        yaml - install using pip install pyyaml
        attrdict - install using pip install attrdict
     

    Also remember to put DieDir = \folderto\DIE in your system variables.
    The error you're getting is probably because it can't find the path.
    http://www.computerhope.com/issues/ch000549.htm


    From die_proxy.py:

    Code (Text):
    DIE_DIR = environ["DieDir"]
    DIE_NAME = "DIE.py"
     
    Last edited: Jun 23, 2015
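    The install steps and the DieDir variable quoted above have to line up before die_proxy.py can do anything: the variable must resolve, DIE.py must sit in that directory, die_proxy.py must be in IDA's plugins folder, and the pip modules must import in the interpreter IDAPython uses. The pre-flight check below is an added example, not DIE's own code or part of this thread; the module names come from the list above, while the message strings and the resolve_die_dir/check_install names are assumptions made here.

```python
# Added example (not part of DIE): a pre-flight check for the install steps
# listed above. Runs on Python 2.7 and 3.
import os
import sys
import importlib

# Modules from the dependency list above; pywin32 is only needed by the
# Windows Handle parser, so it is reported but not treated as fatal.
REQUIRED_MODULES = ("yapsy", "sark", "yaml", "attrdict")
OPTIONAL_MODULES = ("win32api",)


def resolve_die_dir(env):
    """Return the DIE directory named by DieDir/DIEDIR, or None if unset.
    Windows treats variable names case-insensitively, but a plain dict (or a
    POSIX os.environ) does not, so compare upper-cased keys."""
    for key, value in env.items():
        if key.upper() == "DIEDIR":
            return value
    return None


def module_imports(module_name):
    """True if the module imports cleanly in the interpreter running this check."""
    try:
        importlib.import_module(module_name)
        return True
    except ImportError:
        return False


def check_install(env, plugins_dir, isfile=os.path.isfile, importer=module_imports):
    """Return a list of problems (an empty list means the layout looks right).
    `isfile` and `importer` are injectable so the check can be unit-tested
    without touching the real file system or site-packages."""
    problems = []
    die_dir = resolve_die_dir(env)
    if die_dir is None:
        problems.append("DieDir environment variable is not set")
    elif not isfile(os.path.join(die_dir, "DIE.py")):
        problems.append("DieDir points to %s but DIE.py is not there" % die_dir)
    if not isfile(os.path.join(plugins_dir, "die_proxy.py")):
        problems.append("die_proxy.py is not in the IDA plugins directory %s" % plugins_dir)
    for name in REQUIRED_MODULES:
        if not importer(name):
            problems.append("required module %s does not import" % name)
    for name in OPTIONAL_MODULES:
        if not importer(name):
            problems.append("optional module %s does not import (the Handle parser will not load)" % name)
    return problems


if __name__ == "__main__":
    # Usage: python check_die.py <IDA plugins directory>   (path is an assumption)
    plugins = sys.argv[1] if len(sys.argv) > 1 else "."
    issues = check_install(dict(os.environ), plugins)
    print("\n".join(issues) if issues else "DIE layout and dependencies look OK")
    sys.exit(1 if issues else 0)
```

    Run it with the Python build that IDA actually embeds rather than whichever python.exe is first on PATH; a module that imports in one interpreter and not in the other is a common reason a traceback like the one earlier in the thread shows up only inside IDA.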
  4. goddkiller

    Member

    Thanks for the reply!

    I have installed all the dependencies, and also created an environment variable named DIEDIR and set its value to the DIE directory.

    But it still shows the same error.

    I thought this error may be caused by the "import imp" statement.

    I tried typing "import imp" in my IDA 6.6 script command window, and it shows the error below:

    Script Default snippet error: Traceback (most recent call last):
    File "<string>", line 1, in <module>
    ImportError: __import__ not found


     
    Last edited: Jun 23, 2015
  5. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    DIEDIR is case sensitive; it should be DieDir.
     
  6. goddkiller

    Member

    Environment variables are case insensitive. I thought it was an IDA Pro 6.6 bug... :-(
     
  7. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    So it's working now?
     
  8. goddkiller

    Member


    No, it doesn't work.
     
  9. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    Download the newest Python 2.7.10. Remember, when installing, to tick "Add python to PATH".

    Then in IDA do help("imp"). Remember it has to be the x86 version.
     
  10. goddkiller

    Member

    My Python version is 2.7.10, x86...

    Maybe this is an IDA Pro 6.6 idaapi bug...
     
  11. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    No, I don't think so. imp is a built-in module of Python, so if you get an error just importing it, it must be Python. Try reinstalling or repairing Python.
     
  12. goddkiller

    Member

    I already tried a repair install of Python 2.7.10... it still cannot use the plugin.

    This issue https://github.com/ynvb/DIE/issues/11 said

     
  13. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    But if you check the first post, have you downloaded the fix I made?
    Also, that issue has nothing to do with that error.
    If you can't even do help("imp") and import imp, it's your Python settings that are broken.

    Do
    Code (Text):
    import sys
    sys.path
    to see if there are any conflicts.
     
  14. goddkiller

    Member

    Yes, I have used the fix DIE.py.


    If I disable the die_proxy.py plugin I can do help("imp") and import imp,

    but if the plugin is enabled, it does not work.

    Standalone, typing the code below (PS: when the plugin is enabled)

    Code (Text):
    import sys
    sys.path

    IDA prints:

    Script Default snippet error: Traceback (most recent call last):
    File "<string>", line 1, in <module>
    ImportError: __import__ not found
     
  15. goddkiller

    Member

    I can use the plugin on a clean Windows system.

    But I found something is wrong with the plugin.

    The Parser View window includes StringParser, FunctionParser and other parsers.

    Their state is True, but the Version is 0.0.

    I don't know what's wrong with them.

    Does anybody know the reason?
     
  16. schrodinger

    Member

    Did anyone manage to get it working for IDA 6.6?
    If so, please report, as the author said that it is not supported for this version and he is not planning to do so.
     
  17. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    The fix is working as it should.


    Other fix:
    Else, erase everything in ida_proxy.py,
    paste this and save it in the plugins folder.
    Code (Python):
    import imp
    from os import path
    import sys
    import idaapi
     
    # Resolve DIE relative to the IDA install (<IDA>\plugins\DIE) instead of
    # reading the DieDir environment variable.
    DIE_DIR = idaapi.idadir("plugins\\DIE")
    DIE_NAME = "DIE.py"
     
    # Make DIE's own modules importable from inside IDAPython.
    sys.path.append(DIE_DIR)
     
    plugin_path = path.join(DIE_DIR, DIE_NAME)
     
    # Load DIE.py as a module under this proxy's name.
    plugin = imp.load_source(__name__, plugin_path)
     
    # Export the plugin entry
    PLUGIN_ENTRY = plugin.PLUGIN_ENTRY
    Copy the fix in the first post and place it in the plugins\DIE folder.

    Remember to activate it under Edit >>> Plugins.

    Find it under the View menu.

    Else, the modded plugin is attached here.
     

  18. schrodinger

    Member

  19. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    Can you upload the test file.
     
  20. schrodinger

    Member

    [2015-07-09 14:26:51,131] [INFO] [DIE.Lib.DataParser][DataParser.py:44] : Plugin path is set to C:\Program Files (x86)\IDA 6.6\plugins\DIE\Plugins\DataParsers
    [2015-07-09 14:26:51,131] [INFO] [DIE.Lib.DataParser][DataParser.py:50] : Loading Plugins from C:\Program Files (x86)\IDA 6.6\plugins\DIE\Plugins\DataParsers
    [2015-07-09 14:26:51,145] [ERROR] [yapsy][PluginManager.py:491] : Unable to import plugin: C:\Program Files (x86)\IDA 6.6\plugins\DIE\Plugins\DataParsers\HandleParser\HandleParser
    Traceback (most recent call last):
    File "C:\Python27\lib\site-packages\yapsy\PluginManager.py", line 488, in loadPlugins
    candidate_module = imp.load_module(plugin_module_name,plugin_file,candidate_filepath+".py",("py","r",imp.PY_SOURCE))
    File "C:\Program Files (x86)\IDA 6.6\plugins\DIE\Plugins\DataParsers\HandleParser\HandleParser.py", line 5, in <module>
    from win32api import *
    ImportError: DLL load failed: %1 is not a valid Win32 application.
    [2015-07-09 14:26:51,145] [INFO] [DIE.Lib.DataParser][DataParser.py:62] : Loading plugin StringParser
    [2015-07-09 14:26:51,145] [INFO] [DIE.Lib.DataParser][DataParser.py:62] : Loading plugin BasicStringParser
    [2015-07-09 14:26:51,145] [INFO] [DIE.Lib.DataParser][DataParser.py:62] : Loading plugin FunctionParser
    [2015-07-09 14:26:51,145] [INFO] [DIE.Lib.DataParser][DataParser.py:62] : Loading plugin ModuleParser
    [2015-07-09 14:26:51,145] [INFO] [DIE.Lib.DataParser][DataParser.py:62] : Loading plugin BoolParser
    [2015-07-09 14:27:36,674] [ERROR] [DIE.Lib.DebugAPI][DebugAPI.py:91] : DIE cannot be started with no debugger defined.
    [2015-07-09 14:27:44,407] [INFO] [DIE.Lib.DebugAPI][DebugAPI.py:94] : Hooking to debugger.
    [2015-07-09 14:27:45,608] [ERROR] [DIE.Lib.IDATypeWrapers][IDATypeWrapers.py:235] : Failed to get function arguments for function GetModuleHandleA: object of type 'func_type_data_t' has no len()
    [2015-07-09 14:27:45,624] [ERROR] [DIE.Lib.IDATypeWrapers][IDATypeWrapers.py:235] : Failed to get function arguments for function DialogBoxParamA: object of type 'func_type_data_t' has no len()
    [2015-07-09 14:27:45,842] [ERROR] [DIE.Lib.IDATypeWrapers][IDATypeWrapers.py:235] : Failed to get function arguments for function LoadIconA: object of type 'func_type_data_t' has no len()
    [2015-07-09 14:27:45,858] [ERROR] [DIE.Lib.IDATypeWrapers][IDATypeWrapers.py:235] : Failed to get function arguments for function SendMessageA: object of type 'func_type_data_t' has no len()
    [2015-07-09 14:27:45,888] [ERROR] [DIE.Lib.IDATypeWrapers][IDATypeWrapers.py:235] : Failed to get function arguments for function SendDlgItemMessageA: object of type 'func_type_data_t' has no len()
    [2015-07-09 14:27:50,825] [ERROR] [DIE.Lib.IDATypeWrapers][IDATypeWrapers.py:235] : Failed to get function arguments for function GetDlgItemTextA: object of type 'func_type_data_t' has no len()
    [2015-07-09 14:27:50,825] [ERROR] [DIE.Lib.IDATypeWrapers][IDATypeWrapers.py:235] : Failed to get function arguments for function sub_40110B: object of type 'func_type_data_t' has no len()
    [2015-07-09 14:27:50,841] [ERROR] [DIE.Lib.IDATypeWrapers][IDATypeWrapers.py:235] : Failed to get function arguments for function lstrlenA: object of type 'func_type_data_t' has no len()
    [2015-07-09 14:27:50,841] [ERROR] [DIE.Lib.IDATypeWrapers][IDATypeWrapers.py:235] : Failed to get function arguments for function MessageBoxA: object of type 'func_type_data_t' has no len()
    [2015-07-09 14:27:52,154] [ERROR] [DIE.Lib.IDATypeWrapers][IDATypeWrapers.py:235] : Failed to get function arguments for function EndDialog: object of type 'func_type_data_t' has no len()
    [2015-07-09 14:27:52,168] [ERROR] [DIE.Lib.IDATypeWrapers][IDATypeWrapers.py:235] : Failed to get function arguments for function ExitProcess: object of type 'func_type_data_t' has no len()
     

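    The "DLL load failed: %1 is not a valid Win32 application" line in the log above is Windows error 193 (ERROR_BAD_EXE_FORMAT), returned when a process tries to load a DLL built for the other architecture; IDA 6.x is a 32-bit process, so a 64-bit pywin32 fails exactly this way inside IDA while importing fine from a 64-bit python.exe. The script below is an added example, not part of DIE, pywin32 or this thread: it reads the Machine field of a DLL's COFF header and compares it with the architecture of the interpreter running it. fake_pe() builds a constructed, non-loadable header used only for testing, and the file path in the usage comment is an assumption.

```python
# Added example (not part of DIE or pywin32): tell a missing DLL apart from a
# wrong-architecture DLL by reading the PE COFF header's Machine field of an
# extension module (.pyd/.dll). Runs on Python 2.7 and 3.
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def pe_machine(data):
    """Return IMAGE_FILE_HEADER.Machine from the bytes of a PE image, or None
    if the data is not a PE file. Only the DOS header's e_lfanew pointer and
    the start of the COFF header are read, so a truncated file is tolerated."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def interpreter_machine():
    """Machine value matching the running interpreter (8-byte pointers = x64)."""
    return IMAGE_FILE_MACHINE_AMD64 if struct.calcsize("P") == 8 else IMAGE_FILE_MACHINE_I386


def bitness_mismatch(data, host_machine=None):
    """True if the PE in `data` cannot be loaded into a process of
    host_machine's architecture, False if it matches, None if not a PE."""
    host = interpreter_machine() if host_machine is None else host_machine
    machine = pe_machine(data)
    if machine is None:
        return None
    return machine != host


def check_file(path, host_machine=None):
    """Read a DLL/.pyd from disk and return (machine, mismatch)."""
    with open(path, "rb") as f:
        data = f.read()
    return pe_machine(data), bitness_mismatch(data, host_machine)


def fake_pe(machine):
    """Constructed minimal header for testing: DOS header with e_lfanew=0x40,
    then the PE signature and a 20-byte COFF header carrying `machine`."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + coff


if __name__ == "__main__":
    # Usage (path is an assumption): python pecheck.py C:\Python27\Lib\site-packages\win32\win32api.pyd
    # Run it with the same Python build that IDA's IDAPython uses.
    for p in sys.argv[1:]:
        machine, mismatch = check_file(p)
        verdict = "not a PE" if mismatch is None else ("MISMATCH" if mismatch else "ok")
        print("%s: %s (%s), interpreter is %s" % (
            p, NAMES.get(machine, "unknown"), verdict, NAMES[interpreter_machine()]))
```

    A mismatch verdict on win32api.pyd means the fix is a 32-bit pywin32 build for the Python 2.7 that IDA embeds, not a reinstall of the same package; a clean "ok" with the import still failing points at a dependency of the module (pywintypes27.dll, the C runtime) rather than the module itself.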