Hmily 发表于 2014-3-24 19:11

IDA Patcher 0.1

IDA Patcher is a plugin for Hex-Ray's IDA Pro disassembler designed to enhance IDA's ability to patch binary files and memory. The plugin is useful for tasks related to malware analysis, exploit development as well as bug patching. IDA Patcher blends into the standard IDA user interface through the addition of a subview and several menu items.

Folks, as this is the first public release (and my first IDA plugin), I would be infinitely grateful for any bug reports, feature requests or criticism of anything that just doesn't work right. Thanks =
Table of Contents
[*]Installation
[*]Compatibility
[*]User guide

[*]Patches subview
[*]Fill selection
[*]Restore original byte(s)
[*]Edit patch byte(s)
[*]Import data
[*]Applying Patches
[*]Known bugs
[*]Special Note
[*]References

InstallationSimply copy idapatcher.py into IDA's plugins folder. The plugin will be automatically loaded the next time you start IDA Pro.CompatibilityThe plugin uses pure IDA Python API, so it should be compatible with all versions of IDA on different platforms. However, it was only extensively tested on IDA Pro 6.5 for Windows with x86, x86-64 and ARM binaries.User guideThis guide will walk you through various features of the plugin by examining and patching a simple program below:.text:00401000 ; int __cdecl main(int argc, char **argv).text:00401000 _main         proc near .text:00401000.text:00401000 argc            = dword ptr8.text:00401000 argv            = dword ptr0Ch.text:00401000.text:00401000               push    ebp.text:00401001               mov   ebp, esp.text:00401003               cmp   , 0.text:00401007               jz      short $LN6.text:00401009               push    offset Format   ; "Terminating...\n".text:0040100E               call    ds:__imp__printf.text:00401014               add   esp, 4.text:00401017               push    1               ; Code.text:00401019               call    ds:__imp__exit.text:0040101F ; -------------------------------------------------------------------.text:0040101F.text:0040101F $LN6:                                 ; CODE XREF: _main+7j.text:0040101F               push    offset aYouHavePatched ; "patched...".text:00401024               call    ds:__imp__printf.text:0040102A               add   esp, 4.text:0040102D               xor   eax, eax.text:0040102F               pop   ebp.text:00401030               retn.text:00401030 _main         endp.text:00401030As you can see, the program will always follow the "Terminating..." branch since the conditional jump at 00401007 will never be true (argc is normally greater than 0).Let's patch the application to reverse the logic and change jz to jnz. The traditional way to do this in IDA is to open the Hex subview and change the appropriate byte corresponding to jz (0x74) to jnz(0x75) as follows:http://thesprawl.org/media/projects/idapatcher0.pngAt this point it is impossible to revert the patched byte to its original form or manage all of the patched bytes in the database without developing several one off IDA scripts.IDA Patcher addresses this and many other use cases to make binary patching in IDA easy and convenient.Patches subviewIn order to quickly navigate and manage all of the applied patches, the plugin includes a new subview simply called Patches. To open the subview select View->Open subviews->Patches. It is the very last item after the Problems subview.http://thesprawl.org/media/projects/idapatcher1.pngNOTE: You may need to select Refresh from the Edit submenu or press Ctrl-U to see the latest changes.In the view above you can see the patch we have just made to the database together with the exact address, name of the function and segment, size, modified and original bytes as well as any comments at that location.TIP: To quickly jump to the location of the patch in the IDA subview simply double-click on one of the entries in the Patches subview.Fill selectionLet's make another modification to the database by filling a range of addresses with NOPs. To do this select a range of instructions or hex bytes from IDA or Hex subviews respectively. Next, open the Fill selection dialog from Edit->Patch program and populate the value field with 0x90:http://thesprawl.org/media/projects/idapatcher2.pngThe start and end addresses of the selection are automatically populated; however, you can adjust them from the dialog. Press the Fill button to apply changes in the database and switch back to thePatches subview:http://thesprawl.org/media/projects/idapatcher3.pngNotice that single byte patches were combined into larger consecutive buffers to make it easier to manage. The reason why there are two separate entries with NOPs instead of a single large one is due to the presence of the 0x90 byte somewhere in the original binary blob. As a result, IDA Patcher produced two separate entries since one byte in the middle was not actually updated. Here is the source of the issue:.text:00401009 68 00 21 40 00                  push    offset Format .text:0040100E FF 15 90 20 40 00               call    ds:__imp__printf.text:00401014 83 C4 04                        add   esp, 4.text:00401017 6A 01                           push    1               ; Code.text:00401019 FF 15 8C 20 40 00               call    ds:__imp__exitFilling a range of bytes with the same value is useful when you need to quickly NOP-out a series of instructions or simply fill a memory area with a known value in the debugger (e.g. 0xCC to break execution when landing in that memory area).Restore original byte(s)At this point you may decide to restore original byte values since it wasn't really necessary to overwrite that many bytes. To accomplish this select one or more entries from the Patches subview and click onRestore original byte(s)... menu entry by right clicking anywhere within the subview:http://thesprawl.org/media/projects/idapatcher4.pngFor each of the items in the selection, you will get a popup similar to the one below confirming the change:http://thesprawl.org/media/projects/idapatcher5.pngNOTE: You will not be able to edit bytes when restoring them. If you want to edit patched bytes, use one of the methods described belowPress Restore to apply changes to the database.Edit patch byte(s)There are several ways to edit bytes in IDA Patcher depending on whether you are editing an existing patch or applying a new one.The edit dialog to alter already patched bytes can be triggered by selecting Edit from the right-click context menu in the Patches subview:http://thesprawl.org/media/projects/idapatcher6.pngNotice the variety of valid hex input representations that can be mixed together. You can safely input fewer or greater number of bytes than the original patch buffer. In the case of fewer bytes, the original bytes at the end will be restored. Inputting more than the original length will simply continue overwriting the database as expected.You can also bring up a similar edit dialog by selecting a range of addresses from IDA or Hex views and clicking on the Edit->Patch Program->Edit Selection... menu item. All of the bytes in the selected range will be already populated in the dialog edit box; however, you are free to edit more or less than the selected buffer just like in the previous example. While similar to the previous method, this dialog allows you to create new patches instead of editing existing ones.Import dataA powerful way of importing binary blobs into the database involves the use of Import data dialog. It can be opened from the Edit menu while IDA or Hex subviews are active. By selecting a range of memory addresses (or at least a starting point), you can paste large blobs of binary data from external files or pasted as hex bytes or string literals. The example below illustrates how to quickly inject shellcode into the stack memory area to aid in exploit development:http://thesprawl.org/media/projects/idapatcher7.pngYou can switch between different import types to change where the data is coming from and how to interpret it. For example, string literal type will interpret pasted buffer as raw bytes without trying to decode it as a hex values.The trim to selection checkbox will ensure that imported data does not exceed specified address ranges by trimming whatever extra bytes at the end.Applying PatchesWith all of the modifications done to the IDA database you may want to apply them to the original input file. You have two identical ways of accomplishing this: using IDA's own Edit->Apply patches to input file... or the plugin's replica dialog which can be called from the right-click menu in the Patchessubview:http://thesprawl.org/media/projects/idapatcher8.pngIt is important to note that not all binary modifications in the database can be applied to the input file. For example, modifications done in the debugger example above can't be applied to the input file because stack memory area is dynamically generated and not linked to any particular segment in the original file. The screenshot above illustrates different icons associated with each patch entry: a little save disk icon for the patches that can be applied and a little red cross for the ones that can't be applied.Just like in the original Apply patches to input file dialog, you have an option to create a backup file or simply restore the previously patched file to its original form. Once you click OK, all of the patches which can be applied will be stored in the specified input file.Known bugs
[*]64-bit version of IDA Pro 6.5 for Windows does not correctly report selected address ranges (most significant 4 bytes appear to be zeroed out).
Special NoteThank you Ilfak Guilfanov and Hex-Rays development team for the excellent product and quick support. The plugin would not be possible if not for Chris Eagle's excellent IDA Pro book from which I have learned about the world of IDA and reverse engineering, thank you sir!References
[*]The IDA Pro Book
[*]Hex-Rays IDA Pro

http://thesprawl.org/projects/ida-patcher/

8818147 发表于 2014-3-24 19:12

本帖最后由 8818147 于 2014-3-24 19:14 编辑

看不懂,写的啥,嘎嘎
翻译了一下,知道是什么了

shaunkelly 发表于 2014-3-25 15:20

嘟哝,我的浏览器可以自动FY,哈哈,一看全明白了~!果然好~!

cxj98 发表于 2014-3-24 19:28

说真的,用 IDA 来修改反汇编,我还是继续我的 OllyDBG

凌云9 发表于 2014-3-24 19:22

虽然看不懂是什么,但一定要赞一下
页: [1]
查看完整版本: IDA Patcher 0.1