Put a MILF in your life

tl;dr: This is a reverse engineering post, it’s not about that kind of milf. No fapping this time, sorry. Well… unless you *really* are into reverse engineering…


Quite often during a reverse engineering session, you are confronted with some *tedious*, repetitive tasks. Actually, more often than you would like.

However, these tasks are rather easy to automate using some… (drums)… Python! Specifically I’m referring to the Python bindings for IDA Pro, conveniently named IDAPython.

Some months ago I started a little Google Code project with the objective of creating an IDA Pro plugin that assists with those boring, time consuming tasks.

Since this is all quite basic I named it “My IDA Light Framework” (MILF). Coincidentally, it shares its acronym with another popular English term.

Although none of its features are exactly awesome, if you put all of them together it’s a real time saver. It saves a headache or two as well.

The plugin is still in a beta stage. There’s a lot of work to be done and the code sucks. The algorithms could be improved as well…

Anyway, I thought this could be useful to somebody, and maybe someone would even like to contribute. You are very welcome if you want to do so :)


These are some of its features:

  • Mark dangerous functions
    • Look for references to “dangerous” functions within a binary and colour them for easy spotting.
    • For example: “call memcpy”
  • Find immediate compares
    • Mark all immediate compares in the current function. This is especially useful when analysing a huge function we suspect acts as a parser.
    • For example: cmp esi, 14h
  • Mark switches
  • Show paths between functions
  • Show paths between basic blocks within a function
  • Find most referenced functions
    • These are usually things like memory allocators, etc. Reversing those at the beginning allows us to gain insight.
  • Find File IO
    • Find functions calling file i/o imports.
  • Find Network IO
    • Find functions calling network i/o imports.
  • Find Allocations
    • Find functions allocating/freeing memory.
  • Find dangerous “size params”
    • Still a naive approach but interesting. Checks for calls to known problematic functions which accept a “size” parameter. If this argument is not a constant, it’s worth taking a look in case we can control it :)
  • Create IDA (connection) graphs
    • A class for creating IDA embedded Graphs, showing the paths between two functions and some other info.
  • Create “custom viewers”
    • Useful to display info (for example results of Find Network IO) in an embedded viewer within IDA Pro.


From this list, the ability to find paths between elements of a binary (functions, or basic blocks within a given function) is especially useful in vulnerability research. The possibility of creating custom viewers and integrating all this info cleanly into the IDA GUI is very important as well.
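To make the path-finding and "most referenced" features concrete, here is an added example that is not MILF's own code and does not use the IDAPython API. The call graph that IDAPython would normally build from cross-references (`CodeRefsTo`/`CodeRefsFrom`) is replaced by a constructed dictionary with hypothetical function names, so the script runs outside IDA. It enumerates the simple paths between two functions, ranks callees by number of call sites, lists direct callers of known problematic APIs, and walks the reversed graph to find every function from which one of those APIs is reachable.

```python
from collections import Counter, deque

# Constructed call graph (caller -> list of callees, one entry per call site).
# Stands in for the cross-reference data IDAPython would provide; the function
# names are hypothetical and not taken from any real binary.
CALL_GRAPH = {
    "main": ["parse_request", "log_message", "cleanup"],
    "parse_request": ["read_header", "read_body", "log_message"],
    "read_header": ["recv", "memcpy"],
    "read_body": ["recv", "malloc", "memcpy", "log_message"],
    "log_message": ["strcpy", "fprintf"],
    "cleanup": ["free"],
}

# Imports worth colouring for easy spotting (the "dangerous functions" idea).
DANGEROUS = {"memcpy", "strcpy", "strcat", "sprintf", "gets"}


def find_paths(graph, src, dst, max_depth=16):
    """Return every simple path from src to dst as a list of function names.

    Depth-first search; a node is never revisited within one path, so
    recursive call cycles cannot loop forever. max_depth bounds the search
    on large graphs.
    """
    paths = []

    def dfs(node, path):
        if len(path) > max_depth:
            return
        if node == dst:
            paths.append(list(path))
            return
        for callee in graph.get(node, []):
            if callee not in path:
                path.append(callee)
                dfs(callee, path)
                path.pop()

    dfs(src, [src])
    return paths


def most_referenced(graph, top=3):
    """Rank callees by number of call sites, most referenced first.

    Heavily referenced leaf functions are typically allocators, loggers and
    string helpers; identifying them early pays off across the whole binary.
    """
    counts = Counter(callee for callees in graph.values() for callee in callees)
    return counts.most_common(top)


def dangerous_callers(graph, dangerous=DANGEROUS):
    """Map each function that directly calls a dangerous API to those APIs."""
    result = {}
    for func, callees in graph.items():
        hits = sorted(set(callees) & dangerous)
        if hits:
            result[func] = hits
    return result


def callers_reaching(graph, target):
    """Set of functions from which target is reachable through any call chain.

    Breadth-first search over the reversed graph; useful for asking "which
    entry points eventually end up in memcpy?" without enumerating paths.
    """
    reverse = {}
    for caller, callees in graph.items():
        for callee in callees:
            reverse.setdefault(callee, set()).add(caller)
    seen, queue = set(), deque([target])
    while queue:
        node = queue.popleft()
        for caller in reverse.get(node, ()):
            if caller not in seen:
                seen.add(caller)
                queue.append(caller)
    return seen


if __name__ == "__main__":
    for p in find_paths(CALL_GRAPH, "main", "memcpy"):
        print(" -> ".join(p))
    print("most referenced:", most_referenced(CALL_GRAPH))
    print("direct dangerous callers:", dangerous_callers(CALL_GRAPH))
    print("functions reaching memcpy:", sorted(callers_reaching(CALL_GRAPH, "memcpy")))
```

Inside IDA the same logic applies unchanged; only the construction of `CALL_GRAPH` would come from walking each function's code references instead of a literal dictionary.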

Anyway, the best way to describe its features is to see it in action so here’s a short example video.
