Augmenting Static Reverse Engineering with Dynamic Analysis and Instrumentation
Repository contents: demo, py, slides, src, .gitignore, LICENSE, Nmakefile, README.md, build.bat, debug.bat, ida-splode.sln, ida-splode.vcxproj, rebuild.bat, release.bat, run.bat

IDA Splode

A tool that I wrote to help with reversing on Windows. Also proof that I am bad at coming up with catchy names.

Presentation

See the presentation in slides/ for some examples on the sample application. I've also included an .idb that shows some of the features. All comments in it are auto-generated by the tool; the only input I provided was to give the structures a name and to select various interesting instructions.

Requirements

  • %PIN_HOME% points to an installation of Intel's Pin.
  • MongoDB
  • IDA Pro
  • VS 2010

Usage

  • Run build.bat from an MSVC 2010 console
  • Optionally, enable page heap for test.exe (gflags /i test.exe +hpa); see Tips for why this matters
  • Run release.bat to trace the test.exe program in release mode
  • Start MongoDB
  • Run demo.exe.py to import the traces into the database
  • Start IDA Pro and open demo.exe
  • Run py\idapython_script.py from within IDA
  • If everything worked, ida-splode should automatically recognize all traces for the open binary from the database and present a list of options.
  • Press any of the hotkeys presented to run the corresponding action.
    • The slides should give you a good idea of what is available.
    • Ctrl+Shift+H reprints the help message

Tips

  • If page heap isn't enabled for the traced image (+hpa), the tool wastes a lot of time looking for heap metadata at instrumentation time.
  • If _NT_SYMBOL_PATH includes any SYM* (symbol server) entries rather than only local paths, PDBs won't be found and you'll only get exports. Use _NT_SYMBOL_PATH=C:\symbols or similar.
  • There are lots of twiddly bits to turn on and off. See knobs.cpp.
  • This is generally intended to be run off-line. Pin alone will make execution slow; my instrumentation has not been profiled or optimized for speed.
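The checks in the Tips above are easy to forget between sessions, so here is a small pre-flight script that encodes them. This is an added example, not code from the ida-splode repository: it verifies that PIN_HOME is set, that every _NT_SYMBOL_PATH entry is a plain local directory (symbol-server entries such as srv*... and symsrv*... use '*' as a separator, and '*' cannot appear in a Windows path, so any entry containing '*' is flagged), and that the traced image has page heap enabled. The page-heap test reads the image's GlobalFlag value under the Image File Execution Options key, which is what gflags /i <image> +hpa sets; the bit value FLG_HEAP_PAGE_ALLOC = 0x02000000 is the documented gflags constant. The registry read is only attempted on Windows; the pure check functions take constructed values so they can be exercised anywhere.

```python
"""Pre-flight checks for an ida-splode tracing session (added example, not
part of ida-splode).  Usage: python preflight.py test.exe"""
import os
import sys

# gflags /i <image> +hpa sets this bit in the image's IFEO GlobalFlag DWORD.
FLG_HEAP_PAGE_ALLOC = 0x02000000

IFEO_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"


def symbol_path_problems(sym_path):
    """Return the _NT_SYMBOL_PATH entries that are not plain local paths.

    Entries are ';'-separated.  Symbol-server forms (srv*, symsrv*, cache*)
    use '*' as a field separator and '*' is illegal in a Windows path, so any
    entry containing '*' is reported.  An empty string yields no problems.
    """
    problems = []
    for entry in sym_path.split(";"):
        entry = entry.strip()
        if entry and "*" in entry:
            problems.append(entry)
    return problems


def page_heap_enabled(global_flag):
    """True if an IFEO GlobalFlag value has the page-heap bit set."""
    return bool(global_flag & FLG_HEAP_PAGE_ALLOC)


def read_global_flag(image_name):
    """Read GlobalFlag for image_name from the IFEO key.

    Returns None when the key or value is absent, when the value is not a
    DWORD, or when not running on Windows.  A 32-bit Python on 64-bit Windows
    reads the WOW64-redirected view; use a native interpreter for 64-bit targets.
    """
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            IFEO_KEY + "\\" + image_name) as key:
            value, value_type = winreg.QueryValueEx(key, "GlobalFlag")
    except OSError:
        return None
    return value if value_type == winreg.REG_DWORD else None


def preflight(image_name, env, global_flag=None):
    """Return a list of warnings; an empty list means the setup matches the Tips."""
    issues = []
    if not env.get("PIN_HOME"):
        issues.append("PIN_HOME is not set; point it at your Intel Pin installation")
    sym = env.get("_NT_SYMBOL_PATH", "")
    if not sym:
        issues.append("_NT_SYMBOL_PATH is not set; PDBs will not be found")
    else:
        for bad in symbol_path_problems(sym):
            issues.append("_NT_SYMBOL_PATH entry '%s' is a symbol-server path; "
                          "use a local directory such as C:\\symbols" % bad)
    if global_flag is None or not page_heap_enabled(global_flag):
        issues.append("page heap is not enabled for %s; run: gflags /i %s +hpa"
                      % (image_name, image_name))
    return issues


if __name__ == "__main__":
    image = sys.argv[1] if len(sys.argv) > 1 else "test.exe"
    for warning in preflight(image, os.environ, read_global_flag(image)):
        print("WARNING: " + warning)
```

Run it from the same console you will launch release.bat from, since that is the environment Pin and the symbol loader will see.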

Caveats

This is pulled from a working copy, so some things may not work properly. If you run into any issues, feel free to contact me at @ebeip90 or ebeip90 on Freenode.net.