Calling IDA APIs from IDAPython with ctypes

IDAPython provides wrappers for a big chunk of IDA SDK. Still, there are some APIs that are not wrapped because of SWIG limitations or just because we didn’t get to them yet. Recently, I needed to test the get_loader_name() API which is not available in IDAPython but I didn’t want to write a full plugin just for one call. For such cases it’s often possible to use the ctypes module to call the function manually.

The IDA APIs are provided by the kernel dynamic library. In Windows, it’s called ida.wll (or ida64.wll), in Linux libida[64].so and on OS X libida[64].dylib. ctypes provides a nice feature that dynamically creates a callable wrapper for a DLL export by treating it as an attribute of a special class instance. Here’s how to get that instance under the three platforms supported by IDA:

import ctypes
idaname = "ida64" if __EA64__ else "ida"
if sys.platform == "win32":
    dll = ctypes.windll[idaname + ".wll"]
elif sys.platform == "linux2":
    dll = ctypes.cdll["lib" + idaname + ".so"]
elif sys.platform == "darwin":
    dll = ctypes.cdll["lib" + idaname + ".dylib"]

We use “windll” because IDA APIs use stdcall calling convention on Windows (check the definition of idaapi in pro.h).

Now we just need to call our function just as if it was an attribute of the “dll” object. But first we need to prepare the arguments. Here’s the declaration from loader.hpp:

idaman ssize_t ida_export get_loader_name(char *buf, size_t bufsize);

ctypes provides a convenience functions for creating character buffers:

buf = ctypes.create_string_buffer(256)

And now we can call the function:

dll.get_loader_name(buf, 256)

To retrieve the contents of the buffer as a Python byte string, just use its .raw attribute. The complete script now looks like this:

import ctypes
idaname = "ida64" if __EA64__ else "ida"
if sys.platform == "win32":
    dll = ctypes.windll[idaname + ".wll"]
elif sys.platform == "linux2":
    dll = ctypes.cdll["lib" + idaname + ".so"]
elif sys.platform == "darwin":
    dll = ctypes.cdll["lib" + idaname + ".dylib"]
buf = ctypes.create_string_buffer(256)
dll.get_loader_name(buf, 256)
print "loader:", buf.raw

ctypes offers many means to interface with C code, so you can use it to call almost any IDA API.

IDA Pro 6.2 beta

Soon we are going to start testing the next IDA version. There will be many improvements. Some of them we have mentioned previously:

Proximity view
PE+ support for Bochs (64-bit PE files)
UI shortcut editor
Filters in choosers
Database snapshots

Other new major features:

  • GUI installers for Linux and OS X


  • Automatic check for new versions:

  • Cross-references to structure members:

  • Floating licenses: our licensing system is now more flexible and allows big enterprises to purchase floating licenses. Contact [email protected] for more information.

If you have an active license and would like to test the beta, please send a message to [email protected].

Filters & Shortcuts

Two of the new UI highlights in the upcoming IDA release are filtering capability for choosers and shortcut management. I’ll be discussing them in this post, although seeing them live in action is much nicer. 😉

Filters

Filters make it possible to either show, hide or highlight one or more categories of items. But enough talk, let’s start with a screenshot.

Filters demo
Continue reading Filters & Shortcuts

Book review: IDA Pro Book, 2nd Edition

A few weeks ago we received an electronic copy of the “IDA Pro Book, 2nd Edition”. In the second edition of his 26 chapters book, Chris Eagle did a good job updating the book and covering the latest changes in IDA Pro 6.1: the IDA Qt graphical interface is illustrated in this edition (all screenshots are up to date), some chapters are slightly updated whereas some have new sections that cover topics such as IDAPython, various debugger plugins and other features.

Continue reading Book review: IDA Pro Book, 2nd Edition

Recon 2011: Practical C++ Decompilation

Last month I visited the Recon conference and had a great time again. I gave a talk on C++ decompilation and how to handle it in IDA and Hex-Rays decompiler. You can get the slides here, and download the recorded talk here.

Edit: for some reason the streaming version does not show anything after the intro, please download the Quicktime version until it’s fixed.

 

IDA Pro 6.2 with database snapshots support

The most frequently asked question we get during the IDA Pro trainings, on the support forum or via support emails is: “When will IDA Pro support the undo feature?” or “How can I undo an operation in IDA Pro”.

Our answer has always been: “Sorry, it is not possible to undo in IDA Pro” or “This feature will eventually be implemented sometime in the future”.

In this blog post, we introduce the new database snapshots feature that will be present in IDA Pro 6.2:

snap_man

Continue reading IDA Pro 6.2 with database snapshots support

Unpacking mpress’ed PE+ DLLs with the Bochs plugin

In IDA Pro 6.1 we extended the Bochs debugger plugin to support debugging of 64bit code snippets. With IDA Pro 6.2 it will be possible to debug PE+ executables as well. Since the execution will be emulated inside Bochs, a 64bit operating system is not required and one could be equally running a 32 or 64bit Linux, Mac OS or Windows operating system and still be able to debug 64bit PE files from IDA Pro.

To illustrate this new feature, we are going to unpack and briefly analyze a PE+ trojan that is compressed with MPRESS from MATCODE Software.We will illustrate how to unpack the DLL, recover the import table and cleanup the database to get it ready for analysis.

bochs_options

Continue reading Unpacking mpress’ed PE+ DLLs with the Bochs plugin

Precompiled PySide binaries for IDA Pro

In a previous blog post we mentioned that it is possible to use IDA Pro with PySide (Python + Qt) after applying some minor code patches to PySide.

For convenience purposes, we precompiled the PySide libraries that work with IDA Pro 6.0+ and Python 2.6/2.7. Below is a brief explanation on how to install and use those binaries.

Edit: 2012-06-29 updated links for IDA 6.3/Python 2.7

Continue reading Precompiled PySide binaries for IDA Pro