#ida #reverse-engineering #binary-file #idalib #vuln-dev

bin+lib haruspex

Vulnerability research assistant that extracts pseudo-code from IDA Hex-Rays decompiler

2 releases

new 0.1.1 Nov 29, 2024
0.1.0 Nov 22, 2024

#1376 in Command line utilities

Download history 105/week @ 2024-11-17 131/week @ 2024-11-24

236 downloads per month

MIT license

16KB
119 lines

haruspex

build doc

"Hacking is the discipline of questioning all your assumptions all of the time."

-- Dave Aitel

Haruspex is a blazing fast IDA Pro headless plugin that extracts pseudo-code generated by IDA Pro's decompiler in a format that should be suitable to be imported into an IDE or parsed by static analysis tools such as Semgrep or weggli.

Features

  • Blazing fast, headless user experience courtesy of IDA Pro 9 and Binarly's idalib Rust bindings.
  • Support for binary targets for any architecture implemented by IDA Pro's Hex-Rays decompiler.
  • Pseudo-code of each function is stored in a separated file in the output directory for easy inspection.
  • External crates can invoke decompile_to_file() to decompile a function and save its pseudo-code to disk.

Blog post

See also

Installing

The easiest way to get the latest release is via crates.io:

  1. Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
  2. Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
  3. Install haruspex as follows:
    $ export IDASDKDIR=/path/to/idasdk90
    $ cargo install haruspex
    

Compiling

Alternatively, you can build from source:

  1. Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
  2. Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
  3. Compile haruspex as follows:
    $ git clone https://github.com/0xdea/haruspex
    $ cd haruspex
    $ export IDASDKDIR=/path/to/idasdk90 # or edit .cargo/config.toml
    $ cargo build --release
    

Usage

  1. Make sure IDA Pro is properly configured with a valid license.
  2. Run haruspex as follows:
    $ haruspex <binary_file>
    
  3. Find the extracted pseudocode of each decompiled function in the binary_file.dec directory.

Tested with

  • IDA Pro 9.0.240925 on macOS arm64.

Changelog

TODO

Dependencies

~3–14MB
~179K SLoC