2 releases
new 0.1.1 | Nov 29, 2024 |
---|---|
0.1.0 | Nov 22, 2024 |
#1376 in Command line utilities
236 downloads per month
16KB
119 lines
haruspex
"Hacking is the discipline of questioning all your assumptions all of the time."
-- Dave Aitel
Haruspex is a blazing fast IDA Pro headless plugin that extracts pseudo-code generated by IDA Pro's decompiler in a format that should be suitable to be imported into an IDE or parsed by static analysis tools such as Semgrep or weggli.
Features
- Blazing fast, headless user experience courtesy of IDA Pro 9 and Binarly's idalib Rust bindings.
- Support for binary targets for any architecture implemented by IDA Pro's Hex-Rays decompiler.
- Pseudo-code of each function is stored in a separated file in the output directory for easy inspection.
- External crates can invoke
decompile_to_file()
to decompile a function and save its pseudo-code to disk.
Blog post
See also
- https://github.com/0xdea/ghidra-scripts/blob/main/Haruspex.java
- https://github.com/0xdea/semgrep-rules
- https://github.com/0xdea/weggli-patterns
- https://docs.hex-rays.com/release-notes/9_0#headless-processing-with-idalib
- https://github.com/binarly-io/idalib
- https://github.com/xorpse/parascope
- https://security.humanativaspa.it/automating-binary-vulnerability-discovery-with-ghidra-and-semgrep
Installing
The easiest way to get the latest release is via crates.io:
- Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
- Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
- Install haruspex as follows:
$ export IDASDKDIR=/path/to/idasdk90 $ cargo install haruspex
Compiling
Alternatively, you can build from source:
- Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
- Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
- Compile haruspex as follows:
$ git clone https://github.com/0xdea/haruspex $ cd haruspex $ export IDASDKDIR=/path/to/idasdk90 # or edit .cargo/config.toml $ cargo build --release
Usage
- Make sure IDA Pro is properly configured with a valid license.
- Run haruspex as follows:
$ haruspex <binary_file>
- Find the extracted pseudocode of each decompiled function in the
binary_file.dec
directory.
Tested with
- IDA Pro 9.0.240925 on macOS arm64.
Changelog
TODO
- Integrate with Semgrep scanning (see https://github.com/0xdea/semgrep-rules).
- Integrate with weggli scanning (see https://github.com/0xdea/weggli-patterns).
- Improve decompiler output in the style of HexRaysPyTools and abyss.
- Implement parallel analysis (see https://github.com/fugue-re/fugue-mptp).
Dependencies
~3–14MB
~179K SLoC