Skip to content

thalium/symless

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
.github/workflows
.github/workflows
 
 
img
img
 
 
plugin
plugin
 
 
scripts
scripts
 
 
symless
symless
 
 
.gitignore
.gitignore
 
 
.pre-commit-config.yaml
.pre-commit-config.yaml
 
 
LICENCE
LICENCE
 
 
README.md
README.md
 
 
run_script.py
run_script.py
 
 
symless.py
symless.py
 
 

Repository files navigation

Symless

Automatic structures recovering plugin for IDA. Able to reconstruct structures/classes and virtual tables used in a binary.

Features

  • Automatic creation of identified structures (c++ classes, virtual tables and others)
  • Xrefs on structures usages
  • Functions typing using gathered information

Two modes are available: Pre-Analysis and Plugin.

Plugin mode

Interactive IDA plugin. Uses static analysis from an entry point selected by the user to build and propagate a structure.

Plugin demo

Installation

$ python plugin/install.py [-u]

Manual installation: copy the symless directory and symless_plugin.py into IDA plugins folder.

Usage

While in IDA disassembly view:

  • Right-click a register that contains a structure pointer
  • Select Propagate structure
  • Select which structure & shift to apply

Symless will then propagate the structure, build it and type untyped functions / operands with the harvested information. This action can be undone with Ctrl-Z. A new structure can be created, an existing one can be completed.

Pre-Analysis mode

Before use

Specify your IDA installation:

export IDA_DIR="$HOME/idapro-M.m"

Edit the config file to suit your case:

Specify the memory allocation functions used in your executable in the imports.csv file. Syntax is discussed there.

Symless uses those to find structures creations from memory allocations. C++ classes can also be retrieved from their virtual tables.

Usage

    $ python3 symless.py [-c config.csv] <target(s)>
  • config.csv - configuration to be used (defaults to imports.csv)
  • target(s) - one or more binaries / IDA bases

Symless will create a new IDA base when given an executable as an argument. Otherwise keep in mind it may overwrite user-modifications on existing bases.

Once done the IDA base will be populated with information about identified structures.

Support

Both stripped and non-stripped binaries are supported. Symbols are only used to name the created structures.

x64 and i386 binairies using the following calling conventions are supported:

  • Windows x64 (__fastcall)
  • Windows i386 (__stdcall & __thiscall)
  • System V x64 (__fastcall)
  • System V i386 (__stdcall)

IDA Pro 7.6 or newer & python 3

Disclaimer

Symless is still in development and might not fit every use cases.

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

168 stars

Watchers

9 watching

Forks

11 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors 5

Languages