吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 5525|回复: 21
收起左侧

[IDA Plugin] Patching - Interactive Binary Patching for IDA Pro

  [复制链接]
EternalBlue 发表于 2022-2-12 00:16
本帖最后由 EternalBlue 于 2022-2-12 00:23 编辑

Patching - Interactive Binary Patching for IDA Pro

01.png

Overview

Patching assembly code to change the behavior of an existing program is not uncommon in malware analysis, software reverse engineering, and broader domains of security research. This project extends the popular IDA Pro disassembler to create a more robust interactive binary patching workflow designed for rapid iteration.

This project is currently powered by a minor fork of the ubiquitous Keystone Engine, supporting x86/x64 and Arm/Arm64 patching with plans to enable the remaining Keystone architectures in a future release.

Special thanks to Hex-Rays for supporting the development of this plugin.

Releases

  • v0.1 -- Initial release

Installation

This plugin requires IDA 7.6 and Python 3. It supports Windows, Linux, and macOS.

Easy Install

Run the following line in the IDA console to automatically install the plugin:

Windows / Linux

import urllib.request as r; exec(r.urlopen('https://github.com/gaasedelen/patching/raw/main/install.py').read())

macOS

import urllib.request as r; exec(r.urlopen('https://github.com/gaasedelen/patching/raw/main/install.py', cafile='/etc/ssl/cert.pem').read())

Manual Install

Alternatively, the plugin can be manually installed by downloading the distributable plugin package for your respective platform from the releases page and unzipping it to your plugins folder.

It is strongly recommended you install this plugin into IDA's user plugin directory:

import ida_diskio, os; print(os.path.join(ida_diskio.get_user_idadir(), "plugins"))

Usage

The patching plugin will automatically load for supported architectures (x86/x64/Arm/Arm64) and inject relevant patching actions into the right click context menu of the IDA disassembly views:

02.gif

A complete listing of the contextual patching actions are described in the following sections.

Assemble

The main patching dialog can be launched via the Assemble action in the right click context menu. It simulates a basic IDA disassembly view that can be used to edit one or several instructions in rapid succession.

03.gif

The assembly line is an editable field that can be used to modify instructions in real-time. Pressing enter will commit (patch) the entered instruction into the database.

Your current location (a.k.a your cursor) will always be highlighted in green. Instructions that will be clobbered as a result of your patch / edit will be highlighted in red prior to committing the patch.

04.png

Finally, the UP and DOWN arrow keys can be used while still focused on the editable assembly text field to quickly move the cursor up and down the disassembly view without using the mouse.

NOP

The most common patching action is to NOP out one or more instructions. For this reason, the NOP action will always be visible in the right click menu for quick access.

05.gif

Individual instructions can be NOP'ed, as well as a selected range of instructions.

Force Conditional Jump

Forcing a conditional jump to always execute a 'good' path is another common patching action. The plugin will only show this action when right clicking a conditional jump instruction.

06.gif

If you never want a conditional jump to be taken, you can just NOP it instead!

Save & Quick Apply

Patches can be saved (applied) to a selected executable via the patching submenu at any time. The quick-apply action makes it even faster to save subsequent patches using the same settings.

07.gif

The plugin will also make an active effort to retain a backup (.bak) of the original executable which it uses to 'cleanly' apply the current set of database patches during each save.

Revert Patch

Finally, if you are ever unhappy with a patch you can simply right click patched (yellow) blocks of instructions to revert them to their original value.

08.gif

While it is 'easy' to revert bytes back to their original value, it can be 'hard' to restore analysis to its previous state. Reverting a patch may occasionally require additional human fixups.

Known Bugs

  • Further improve ARM / ARM64 / THUMB correctness
  • Define 'better' behavior for cpp::like::symbols(...) / IDBs (very sketchy right now)
  • Adding / Updating / Modifying / Showing / Warning about Relocation Entries??
  • Handle renamed registers (like against dwarf annotated idb)?
  • A number of new instructions (circa 2017 and later) are not supported by Keystone
  • A few problematic instruction encodings by Keystone

Future Work

Time and motivation permitting, future work may include:

  • Enable the remaining major architectures supported by Keystone:
    • PPC32 / PPC64 / MIPS32 / MIPS64 / SPARC / SystemZ
  • Multi instruction assembly (eg. xor eax, eax; ret;)
  • Multi line assembly (eg. shellcode / asm labels)
  • Interactive byte / data / string editing
  • Symbol hinting / auto-complete / fuzzy-matching
  • Syntax highlighting the editable assembly line
  • Better hinting of errors, syntax issues, etc
  • NOP / Force Jump from Hex-Rays view (sounds easy, but probably pretty hard!)
  • radio button toggle between 'pretty print' mode vs 'raw' mode? or display both?
    Pretty:  mov     [rsp+48h+dwCreationDisposition], 3
     Raw:  mov     [rsp+20h], 3

I welcome external contributions, issues, and feature requests. Please make any pull requests to the develop branch of this repository if you would like them to be considered for a future release.

Authors

Source


免费评分

参与人数 6吾爱币 +4 热心值 +6 收起 理由
suifei + 1 我很赞同!
小朋友呢 + 2 + 1 谢谢@Thanks!
李佑辰 + 1 我很赞同!
aa530416 + 1 + 1 热心回复!
woyucheng + 1 + 1 谢谢@Thanks!
smile1110 + 1 谢谢@Thanks!

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

coolzhan 发表于 2022-2-12 15:12
使用后   Patching cancelled...   怎么处理
 楼主| EternalBlue 发表于 2022-2-12 00:26
本帖最后由 EternalBlue 于 2022-2-12 00:28 编辑

v0.1.2 - Improve Python 3 Compatibility
Removes use of PEP515 numeric literal to support older versions of Python 3

转一份到国内网盘
https://www.lanzoul.com/b05zw3dpe
密码:58q8
不苦小和尚 发表于 2022-2-12 04:28
iamok 发表于 2022-2-12 09:16
看样子比keypatch好太多
菠萝蜜 发表于 2022-2-12 09:42
你这个就有点 international
HAHAKALAYO 发表于 2022-2-12 09:59
EternalBlue 发表于 2022-2-12 00:26
v0.1.2 - Improve Python 3 Compatibility
Removes use of PEP515 numeric literal to support older vers ...

下载的这个插件文件怎么手动安装到IDA,谢谢
godsoncai 发表于 2022-2-12 13:07
谢谢楼主,学习ing ,辛苦你了! 顶上!
唯爱丶雪 发表于 2022-2-12 15:11
没看懂,要怎么去安装它
唯爱丶雪 发表于 2022-2-12 15:15
ida  7.7  放进去没有你说的列表
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2025-1-12 13:15

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表