Wrapper class for IDAPython. Regroups various useful functions for reverse engineering of binaries.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
.gitattributes
README.md
enoki.py

README.md

What is Enoki ?

The Enoki script is a wrapper class for IDAPython. It regroups various useful functions for reverse engineering of non-standard and/or uncommon binaries. Many of the scripts currently available online are geared towards malware analysis of Windows Portable Executable (PE) files and as such, most of their functionalities are geared toward Intel-based systems and perform many tasks to detect or deobfuscate malicious, well-known file standards. Enoki seeks to provide a set of basic functions for analysis of binaries, memory maps or other non-malware oriented files for reverse engineering purposes.

Summary

The Enoki script is a wrapper around many IDAPython functions and is designed for analysts conducting reverse engineering on non-standard and uncommon files such as firmware of embedded devices or simply plain unknown files for ICS systems. Enoki provides additional shortcut functions for extracting, searching and analyzing machines code, useful when IDA as issue parsing or detecting the actual processor.

Usage

To use Enoki with IDA, simply load the enoki.py file into IDA. An instance of the Enoki object will automatically be created in the e variable or you can create your own instance using the following command in the interpreter:

e = Enoki()

Simply call any of the function required using the instance, for example:

Python>hex(e.current_file_offset())
0x74fc

Examples

This section provides some example of the functionalities provded by the Enoki script. More details can be found by consulting the wiki of the project.

Find a byte string

One of the function provided by Enoki is the find_byte_string, which allow the analyst to search for specific sequence of bytes or words in the machine code. The function will return all locations where the specific byte string has been found in the range searched.

Python>e.find_byte_string(ScreenEA(), ScreenEA() + 0x1000, "7980 ????")
[150, 155, 173, 198, 208]

If you need the output in hexadecimal addresses, simply wrap the result using the hex() function:

Python>[hex(i) for i in e.find_byte_string(ScreenEA(), ScreenEA() + 0x1000, "7980 ????")]
['0x96', '0x9b', '0xad', '0xc6', '0xd0']

Compare two code ranges for similarity

Another functionality available is to compare the similarity of two code segments via the compare_code function. This function will take two arrays of opcodes or assembly instructions and calculate the similarity of the sequence. In the example below, the similarity is only 11%, meaning the 2 code segments are quite different.

Python>c1 = e.get_words_between(0x2C00, 0x2CFF)
Python>c2 = e.get_words_between(0x8000, 0x80FF)
Python>e.compare_code(c1, c2)
0.11328125

Other functions are available within Enoki and more details can be found in the comments of the script or in the future wiki of the project.

References

If you find this script useful for your projects or research, please add a reference or link to this project to help make it better.