Application security

Introducing IDA scripting

SecRat
May 25, 2015 by
SecRat

IDC scripting language is used by IDA disassemblers to programmatically manipulate data assembly and parameter in the loaded IDB database file. Script can manipulate data regions and assembly output. It is a C-like language, and it uses the same set of keywords and constants used in C language.

Scripts are named with extensions such as .IDC, which then can be run in IDA on any IDB database.

11 courses, 8+ hours of training

11 courses, 8+ hours of training

Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

As I said, IDC is a scripting language using variables and functions just like the C programming language.

There are two types of variables in IDC global and local. It is a dynamically typed language.

Global variables are declared with an external keyword, while local variables are declared as auto.

Examples :

auto i = 0;

auto i = "hello";

extern i = 0;

extern i = "hello";

These variables can be referenced by name inside a function.

Variables have the following type

long, char , float , __int64 ;

Statements are just like C language e.g. comparisons: arithmetic and looping.

IDC script commands can be executed in IDA using the Execute script or using a script file.

Let's begin with writing a sample script file to output hello world in the output window in the bottom corner of IDA pro.

[plain]

// sample.IDC

// Outputs hello world in the output window.

#include <idc.idc> // For User defined functions

static main()

{

auto message = “Hello World.!”;

Message(“%s”, message);

}

[/plain]

Which will output "Hello World.!" inside output window.

The following script will demonstrate the use of built-in functions to decrypt a simple xor routine, and print out the results.

First, we will get the xor data and key used from the binary:

[python]

Python 2.7.6 (default, Mar 22 2014, 23:03:14)

[GCC 4.8.2]

IDAPython v1.6.0 final (serial 0) (c) The IDAPython Team <idapython@googlegroups.com>

--------------------------------------------------------------------------------------

Propagating type information...

Function argument information has been propagated

The initial autoanalysis has been finished.

"Hello World.!”

[/python]

This way, we were able to decode the string statically without running the program; this greatly reduces the analysis time.

There are countless other inbuilt functions we can use:

Using IDAPython for scripting.

IDAPython comes as a plugin for IDA which allows to script in python instead of IDC language. This gives greater flexibility to combine IDA with Python. We can still use python just like the original language and still harness the power of API provided by the IDC language.

The plugin will add a python command box for quick python one-liners:

Let's try to write a script to enumerate all functions in an IDB file.

[python]

#!usr/bin/python

for i in Functions():

print "function start = " + hex(GetFunctionAttr(i, FUNCATTR_START))

print "function end = " + hex(GetFunctionAttr(i, FUNCATTR_END))

GetManyBytes(GetFunctionAttr(i, FUNCATTR_START), GetFunctionAttr(i, FUNCATTR_END) - GetFunctionAttr(i, FUNCATTR_START), 0)

[/python]

SecRat
SecRat

SecRat works at a start-up. He's interested in Windows Driver Programming.