IDA Pro Plug-In Contest 2019: Hall of Fame

This year again, we have examined the plugins of 9 contestants, and once again the scope and focus of the plugins we examined is very broad. Almost all of the plugins were written in Python, which seems to be a solid trend. Here is our pick for the winners:

First prize: Karta, by Eyal Itkin

Second prize: deREferencing, by Daniel Garcia Gutierrez

Third prize: idapkg, by jinmo123

Congratulations to the winners! Below is the full list of submissions:

1. BRUTAL IDA by Tamir Bahar

BRUTAL IDA restores your original workflow by blocking the undo and redo keyboard shortcuts.

2. CFG Inquisitor by Brenda So

[…] checks the validity of entry and exit blocks of control flow graphs (CFGs)

CFG Inquisitor essentially restricts what can be considered a valid entry or exit point of a function. This is a fairly small plugin, with what appears to be somewhat specific heuristics. It's unclear whether it would be reasonable to extend these to all binaries that IDA can analyze. The plugin is still under active development, and doesn't seem to support x86_64 at this point.

3. deREferencing by Daniel Garcia Gutierrez [Second prize]

IDA Pro plugin that implements more user-friendly register and stack views

Code: https://github.com/danigargu/deREferencing

4. findrpc by Lucas Georges

Idapython script to carve binary for internal RPC structures

Our comments: findrpc.py is a single-file script which tries to find Windows RPC server and client descriptions in PE binaries. The target audience is somewhat small but apparently RPC is an underexplored part of Windows so it’s a promising area for finding previously unknown vulnerabilities. The declared feature list is quite impressive:

  • View in a glance which RPC clients and servers are embedded in the binary
  • Locate dispatch tables for RPC servers
  • Quickly rename every RPC proc handler found
  • (On Windows) Generate decompiled IDL from RPC declarations

Unfortunately, in our tests it only worked reliably on some binaries, and it was difficult to diagnose why exactly it failed on others, so there is definitely room for improvement. For displaying results, the authors opted for native Qt widgets instead of IDA's standard choosers, so, for example, copying the text from the result list did not work because it was not implemented. The IDL decompilation feature uses a separate Windows binary without source code, which is not always convenient. That said, when it did work, the results were nice and useful for finding hidden interfaces in Windows binaries.

5. ifred by jinmo123

IDA command palette & more

6. idapkg by jinmo123 [Third prize]

Packages for IDA Pro

Our comments: Idapkg tackles the problem of installing IDA plugins and managing their dependencies. Based on an online repository, it will let you search for packages and install or uninstall them. This is still a proof of concept, but is an interesting step towards an easy and standard way of installing IDA plugins.  

Code: https://github.com/Jinmo/idapkg

7. Karta by Eyal Itkin [First prize]

an IDA Python plugin that identifies and matches open-sourced libraries in a given binary. The plugin uses a unique technique that enables it to support huge binaries (>200,000 functions), with almost no impact on the overall performance.

Karta really is a composite of a few things:

  • the ThumbsUp plugin, which helps recover functions in ARM binaries, where IDA falls short
  • the identifier, which identifies what open source libraries were compiled in, and with what version (e.g., from identifier strings)
  • the matcher, which will match functions coming from the previously-identified libraries

Thumbs Up in and of itself is a rather significant achievement, since it uses machine learning to recover what appear to be functions that IDA didn't spot, and it appears to do a very good job with ARM binaries. For the rest of its work, Karta uses an approach that differs from FLIRT (and other tools) in quite a few aspects:

  • it will only try to match functions from a library if the identifier determined that the library is present in the file,
  • it will use many heuristics to determine the “likeliness” of function presence, based on where they are in the file
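As an added illustration of the two stages described above (this is not Karta's own code; the library string patterns, the candidate addresses and the locality threshold are assumptions made up for this example), a minimal identifier and matcher in plain Python:

```python
import re

# Constructed sample "binary": a byte blob with two identifier strings embedded (made up).
SAMPLE_BINARY = (
    b"\x00\x00inflate 1.2.11 Copyright 1995-2017 Mark Adler\x00\x90\x90"
    b"libpng version 1.6.37 - April 14, 2019\x00\xcc\xcc"
)

# Identifier stage: one version-string regex per supported library (assumed patterns).
LIBRARY_PATTERNS = {
    "zlib": rb"inflate (\d+\.\d+\.\d+) Copyright",
    "libpng": rb"libpng version (\d+\.\d+\.\d+)",
    "openssl": rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)",
}

def identify_libraries(blob):
    """Return {library: version} for every library whose identifier string is present."""
    found = {}
    for lib, pattern in LIBRARY_PATTERNS.items():
        m = re.search(pattern, blob)
        if m:
            found[lib] = m.group(1).decode()
    return found

# Constructed candidate matches as a signature step might produce them:
# (function address, library the signature belongs to, function name).
CANDIDATES = [
    (0x401000, "zlib", "inflate"),
    (0x401180, "zlib", "inflate_fast"),
    (0x409000, "zlib", "adler32"),         # isolated, far from the other zlib hits
    (0x402000, "libpng", "png_read_info"),
    (0x402140, "libpng", "png_read_row"),
    (0x405000, "openssl", "SSL_new"),      # OpenSSL was never identified
]

def match_functions(candidates, identified, max_gap=0x800):
    """Matcher stage: drop candidates from libraries the identifier did not find, then keep
    only hits within max_gap of another hit from the same library (isolated hits are suspect)."""
    by_lib = {}
    for addr, lib, name in candidates:
        if lib in identified:
            by_lib.setdefault(lib, []).append((addr, name))
    accepted = {}
    for lib, hits in by_lib.items():
        addrs = [a for a, _ in hits]
        for addr, name in hits:
            others = [a for a in addrs if a != addr]
            if others and min(abs(addr - a) for a in others) <= max_gap:
                accepted[addr] = (lib, name)
    return accepted
```

With the sample data, OpenSSL candidates are skipped because no identifier string was found, and the lone zlib hit at 0x409000 is dropped by the locality heuristic while the clustered zlib and libpng hits are kept.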

Running the plugin can take a significant amount of time (it's written in Python), but the results can be very satisfying. For the record, Karta has quite a few dependencies, so be sure those are installed and reachable through sys.path:

  • awesomelib
  • Cute
  • decorator
  • elementals
  • hexdump.py
  • networkx (use version 2.2: newer versions require Python 3.)
  • Sark
  • sklearn

Code: https://github.com/CheckPointSW/Karta

8. SMS-IDA by Edward Larson

The plugin allows IDA API commands to be run from your phone, anywhere! (Provided you have cell service).

We have a hard time imagining someone controlling their IDA with SMS messages, but if there are any desperate souls that need such functionality, this plugin is right for you. A bit of setup that includes installing some Python packages, registering on an online web site that handles SMS messages, and punching a hole in your firewall, and you are ready to go. Just be aware that any person who happens to know where to send the SMS messages will be able to participate, for example like this:

9. Virtuailtor by Gal Zaban

an IDAPython tool for C++ vtables reconstruction on runtime.

The script does not require any installation, so to use it, just press Alt-F7 and select the Main.py file. It will add tons of breakpoints to your database, and then, once you run the target application using a debugger backend of your choice, it will create C++ virtual tables. Naturally, the application will execute slower than usual because of the breakpoints. Besides creating virtual tables, the script also adds cross references to the called functions. It supports x86, x64, and AArch64. We like the idea; it has great potential. Hopefully the author will continue to improve the script.

Final notes

As always, many thanks to all the participants for their useful and interesting submissions. We are looking forward to the next contest!

The usual disclaimer

Please be aware that all files come from third parties. While we did our best to verify them, we cannot guarantee that they work as advertised, so use them at your own risk. For the plugin support questions, please contact the authors.

Date: September 23rd, 2019
