On batch analysis

Ever tried to run many instances of IDA simultaneously? I mean not just one or two, but many more,
tens of them at the same time? Not everyone needs it, but sometimes a whole directory must
be analyzed. Imagine you have created a plugin which finds something interesting
in binaries…

Owners of multi-core, multi-processor systems would want to use the full potential
of their processors for such voluminous analyses. Since IDA is not multithreaded yet,
and won't be in the near future,
the only way to parallelize the analysis is to disassemble several files
at once.

Before v5.1, if you tried to launch many copies of IDA from a batch file or a script,
you would eventually get strange error messages. For example, IDA could
complain about registry access failures. The new version can handle as many copies
as you want, up to the system limit.
(The original post linked to a movie of 25 copies of IDA launched simultaneously.)

A frequent question related to batch analysis: which version of IDA is best to run in batch mode?

IDA comes in text and graphical user interface versions.
While all of them support the -B, -A, and -S switches, there are subtle differences in
resource allocation. When you have half a dozen IDAs running on the system, you want
to keep that to a minimum.

At first sight, the text version should require fewer resources than the GUI version.
This is true: the VCL library creates several hundred widgets, while the text version
needs only a text window.

However, it is possible to run idag.exe so that it won't create even a single window.
The -B switch does exactly this.
This way the GUI version turns out to be the better choice.

If you need to analyze many files with your own plugin, then you cannot use
the -B switch. Use a combination of -A and -S in this case:

idag -A -Smyscript.idc input_file

The contents of myscript.idc could look like this:

static main()
{
  RunPlugin("myplugin", 0); // run myplugin with argument 0
}

The script specified with the -S switch is executed
immediately when the database is opened. At this point the user interface
has not initialized itself yet. If your plugin closes IDA when it is done,
the interface will never be initialized, saving
you both memory and processor time.

Another solution would be to use the PLUGIN_FIX flag in the plugin description, but
this method would require you to install a hook and wait for the database to be opened.
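Putting the pieces above together, here is an added example (not code from the original post) of a driver that runs the -A / -S invocation over a whole directory with a bounded number of IDA instances at once, one per core. It assumes the IDA executable, the IDC script and the output directory are given on the command line; besides the post's -A and -S, it uses -c, -o and -L, which are standard IDA switches not discussed in the post, and the IDALOG_SILENT variable mentioned in the comments. Check the switches against your version's command-line help before relying on them.

```python
"""Run IDA in autonomous mode over a directory, N instances at a time.

Added example, not code from the original post. Assumptions: the IDA
executable (idag.exe or the Linux idal) and an IDC script that runs your
plugin and exits IDA when done. Switches used besides the post's -A/-S:
-c (fresh database), -o (database path) and -L (log file); the
IDALOG_SILENT variable comes from the comments on the post.
"""
import os
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path


def build_command(ida_exe, script, input_file, out_dir):
    """Return argv for one autonomous IDA run on input_file.

    -A  autonomous mode: no dialog boxes, defaults answer every question
    -c  disassemble from scratch even if a database already exists
    -S  run the script as soon as the database is opened, before the UI
    -L  send the message window to a per-file log instead of the screen
    -o  keep the database out of the input directory (handy for read-only
        sample stores)
    """
    name = Path(input_file).name
    out_dir = Path(out_dir)
    return [
        str(ida_exe),
        "-A",
        "-c",
        f"-S{script}",
        f"-L{out_dir / (name + '.log')}",
        f"-o{out_dir / (name + '.idb')}",
        str(input_file),
    ]


def run_one(cmd, launcher, timeout):
    """Launch one instance; return (input_file, returncode or None on timeout)."""
    env = dict(os.environ, IDALOG_SILENT="1")  # empty message window: faster
    try:
        proc = launcher(cmd, env=env, timeout=timeout)
        return cmd[-1], proc.returncode
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child on timeout; a hung instance must not
        # hold a worker slot forever
        return cmd[-1], None


def run_batch(ida_exe, script, inputs, out_dir, workers=None, timeout=600,
              launcher=subprocess.run):
    """Analyze every file in inputs with at most `workers` IDAs running.

    `launcher` defaults to subprocess.run and is a parameter only so the
    pool logic can be exercised without IDA installed.
    Returns {input_file: returncode}, None marking instances that timed out.
    """
    workers = workers or os.cpu_count() or 1  # one IDA per core is the point
    cmds = [build_command(ida_exe, script, f, out_dir) for f in inputs]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda c: run_one(c, launcher, timeout), cmds))


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit(f"usage: {sys.argv[0]} IDA_EXE SCRIPT.idc INPUT_DIR OUT_DIR")
    ida, idc, src, dst = sys.argv[1:]
    Path(dst).mkdir(parents=True, exist_ok=True)
    files = sorted(p for p in Path(src).iterdir() if p.is_file())
    for path, rc in run_batch(ida, idc, files, dst).items():
        print(f"{path}: {'timeout' if rc is None else rc}")
```

Run it as `python ida_batch.py C:\IDA\idag.exe myscript.idc samples out`. The IDC script (or the plugin it runs) must end by exiting IDA, as the post describes; otherwise each instance initializes its interface after the script returns and occupies a pool slot until the timeout kills it.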


6 Responses to On batch analysis

  1. Rolf Rolles says:

    As of 4.9, as I recall, if the contents of myscript.idc include a call to an IDC function exported by a plugin, the script will either work properly if the plugin has already loaded, or IDA will die with an error message about a missing IDC function if it hasn't.
    In order to solve this, you have to make sure the plugin whose IDC function you're calling is loaded. I did this by adding to my plugin's run() function a dummy argument which simply caused a return:

    void run(int arg)
    {
      // Force-load plugin?
      if(arg == -2)
      {
        return;
      }
      /* normal arguments to show GUI etc */
    }

    And then adding RunPlugin("bindiff", -2); to the start of my IDC script. It's a hack for sure, but it works.
    Is this still necessary in 5.1?

  2. Ilfak Guilfanov says:

    This method should continue to work. It is necessary because IDA has no means to know which plugin creates the IDC function you are calling.
    Your plugin adds the new functions from its init() function, right?

  3. Rolf Rolles says:

    Yes, that’s correct, the IDC function is registered in init().

  4. What about the IDA Linux version in the background or without output to the screen? Yes, it's possible. Executing IDA Linux without output to the screen is faster, but how can we do this? After some days of research I finally developed a patch (it's a very simple patch) to the tvision datarescue version. This patch allows executing IDA Linux in the background and without any output to the screen, ideal for automated analysis:
    http://www.inkatel.com/index.php/2006/11/17/idalinux-in-background-or-without-output-to-the-screen/

  5. Ilfak Guilfanov says:

    Thanks for the link!
    IDA v5.1 has the IDALOG_SILENT variable for something similar. It won't suppress all output to the screen, but the message window will be empty. Usually the message window slows down the analysis very much.

  6. John Chan says:

    How do you pass a pointer to a string from an idc script to a plugin? i.e.,

    static main()
    {
      RunPlugin("myplugin", "report.txt");
    }

    void run(int arg)
    {
      FILE *fp = qfopen((char *)arg, "a");
    }