Using plugins in IDA Pro
The Intezer Analyze IDA Pro plugin is now available to community users! IDA Pro is the most common reverse engineering platform for disassembling computer software. The Intezer Analyze IDA Pro plugin accelerates reverse engineering by enriching every function of disassembled machine code with information about where the code was seen previously:

- Save investigation time by filtering out common code and libraries, allowing you to focus only on a file's malicious and unique code.
- Detect a similar function, or part of a function, to attribute a malware family or threat actor.

With this information, the reverse engineer can immediately focus on the relevant parts of the binary, reducing the analysis time from hours, and sometimes even days, to minutes.

Take these two simple steps to start using the plugin:

1. Make sure you have an Intezer Analyze community account.
2. Click on "IDA plugin", located at the top right corner.

What's the difference between the community and enterprise plugins? The community plugin allows for one daily investigation, whereas enterprise users have the ability to process more files.

We're proud to release a new plug-in for IDA Pro users – SimplifyGraph – to help automate creation of groups of nodes in IDA's disassembly graph view. Code and binaries are available from the FireEye GitHub repo. Prior to this release we submitted it in the 2017 Hex-Rays plugin contest, where it placed third overall.

My personal preference is to use IDA's graph mode when doing the majority of my reverse engineering. It provides a graphical representation of the control flow graph and gives visual cues about the structure of the current function that help me better understand the disassembly. Graph mode is great until the function becomes complex. IDA is often forced to place adjacent nodes relatively far apart, or to have edges in the graph cross and follow complex paths. Using the overview graph becomes extremely difficult due to the density of nodes and edges, as seen in Figure 1.

IDA has a built-in mechanism to help simplify graphs: creating groups of nodes, which replaces all of the selected nodes with a new group node representative. This is done by selecting one or more nodes, right-clicking, and selecting "Group nodes", as shown in Figure 2. Doing this manually is certainly possible, but it becomes tedious to follow edges in complex graphs and correctly select all of the relevant nodes without missing any, and without making mistakes. The SimplifyGraph IDA Pro plug-in we're releasing is built to automate IDA's node grouping capability.

The plug-in has several parts, which are introduced below. By combining these together it's possible to isolate parts of a control flow graph for in-depth reverse engineering, allowing you to look at Figure 3 instead of Figure 1.

Figure 3: Isolated subgraph to focus on

The plug-in is source-compatible with the legacy IDA SDK in 6.95, and has been ported to the new SDK for IDA 7.0. Pre-built binaries for both are available on the Releases tab for the project repository.

Create Unique-Reachable (UR) Subgraph

Unique-Reachable nodes are all nodes reachable in the graph from a given start node that are not reachable from any nodes not currently in the UR set. For example, in Figure 4, all of the Unique-Reachable nodes starting at the green node are highlighted in blue. The grey node is reachable from the green node, but because it is also reachable from other nodes not in the current UR set it is pruned prior to group creation.

Figure 4: Example Unique-Reachable selection

The plug-in allows you to easily create a new group based on the UR definition. Select a node in IDA's graph view to be the start of the reachable search, then right-click and select "SimplifyGraph -> Create unique-reachable group". The plug-in performs a graph traversal starting at this node, identifies all reachable nodes, and prunes any nodes (and the nodes reachable from them) that have predecessor nodes not in the current set. It then prompts you for the node text to appear in the new group node.

If you select more than one node (by holding the Ctrl key when selecting nodes) for the UR algorithm, each additional node acts as a sentry node.
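As an added illustration of the unique-reachable traversal, the pruning step and the node grouping that the SimplifyGraph text on this page describes, the following Python models a control flow graph as an adjacency list, computes the UR set from a chosen start node, and then collapses that set into a single group node the way IDA's "Group nodes" does. This is example code written for this page, not the plug-in's own code (which targets the IDA SDK). The CFG is constructed for the example: node 2 plays the green start node of Figure 4 and node 3 the grey node that is reachable from the start but also from node 1, which lies outside the set. The sentry behaviour is an assumption: the search does not enter a sentry node and does not add it to the UR set; how SimplifyGraph itself treats sentries is not stated on this page.

```python
"""Unique-Reachable (UR) subgraph selection and group-node collapse.

Added example, not SimplifyGraph's own code. A graph is an adjacency list
mapping a node id (a basic block) to the list of its successor node ids.
"""
from collections import defaultdict

# Constructed CFG for this example. Node 2 is the "green" start node of
# Figure 4; node 3 is the "grey" node: reachable from 2, but also from 1.
CFG = {
    0: [1, 2],
    1: [3],
    2: [3, 4],
    3: [5],
    4: [5, 6],
    5: [7],
    6: [7],
    7: [],
}


def predecessors(succ):
    """Invert an adjacency list into a predecessor map."""
    pred = defaultdict(set)
    for n, outs in succ.items():
        for m in outs:
            pred[m].add(n)
    return pred


def reachable(succ, start, sentries=frozenset()):
    """Nodes reachable from start by a DFS over successor edges.

    Assumed sentry semantics: a sentry node (an extra Ctrl-selected node)
    is never entered, so the search stops there and it is not included.
    """
    seen = set()
    stack = [start]
    while stack:
        n = stack.pop()
        if n in seen or (n in sentries and n != start):
            continue
        seen.add(n)
        stack.extend(succ.get(n, ()))
    return seen


def unique_reachable(succ, start, sentries=frozenset()):
    """Reachable set from start, minus every node that has a predecessor
    outside the set. Iterated to a fixpoint: removing one node exposes the
    nodes it reaches to an outside predecessor, so they are pruned too."""
    pred = predecessors(succ)
    ur = reachable(succ, start, sentries)
    changed = True
    while changed:
        changed = False
        for n in list(ur):
            if n != start and any(p not in ur for p in pred[n]):
                ur.discard(n)
                changed = True
    return ur


def collapse_group(succ, members, group_id):
    """Replace the member nodes by one group node, as IDA's "Group nodes"
    does: edges into or out of the member set are rerouted to the group
    node, and edges internal to the set disappear."""
    new = {}
    for n, outs in succ.items():
        src = group_id if n in members else n
        new.setdefault(src, [])
        for m in outs:
            dst = group_id if m in members else m
            if src == dst == group_id:
                continue  # internal edge, swallowed by the group
            if dst not in new[src]:
                new[src].append(dst)
    return new


def simplify(succ, start, sentries=frozenset(), label="UR group"):
    """Compute the UR set from start and collapse it into one group node."""
    return collapse_group(succ, unique_reachable(succ, start, sentries), label)


if __name__ == "__main__":
    print("UR from 2:", sorted(unique_reachable(CFG, 2)))
    print("UR from 2, sentry 6:", sorted(unique_reachable(CFG, 2, {6})))
    print("collapsed:", simplify(CFG, 2))
```

Node 3 is dropped because node 1 reaches it, and that removal takes nodes 5 and 7 with it even though both are also reachable through node 4, which is exactly the "and their reachable nodes" clause of the pruning rule. Adding node 6 as a sentry stops the search before it, so the group shrinks to nodes 2 and 4.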