5 releases
0.2.2 | Nov 25, 2024 |
---|---|
0.2.1 | Nov 16, 2024 |
0.2.0 | Nov 16, 2024 |
0.1.1 | Nov 8, 2024 |
0.1.0 | Nov 5, 2024 |
#616 in Command line utilities
612 downloads per month
21KB
215 lines
rhabdomancer
"The road to exploitable bugs is paved with unexploitable bugs."
-- Mark Dowd
Rhabdomancer is a blazing fast IDA Pro headless plugin that locates all calls to potentially insecure API functions in a binary file. Auditors can backtrace from these candidate points to find pathways allowing access from untrusted input.
Features
- Blazing fast, headless user experience courtesy of IDA Pro 9 and Binarly's idalib Rust bindings.
- Support for C/C++ binary targets compiled for any architecture implemented by IDA Pro.
- Bad API function call locations are printed to stdout and marked in the IDB.
- Known bad API functions are grouped in tiers of badness to help prioritize the audit work.
- The list of known bad API functions can be easily customized by editing
conf/rhabdomancer.toml
.
Blog post
See also
- https://github.com/0xdea/ghidra-scripts/blob/main/Rhabdomancer.java
- https://docs.hex-rays.com/release-notes/9_0#headless-processing-with-idalib
- https://github.com/binarly-io/idalib
- https://books.google.it/books/about/The_Art_of_Software_Security_Assessment.html
Installing
The easiest way to get the latest release is via crates.io:
- Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
- Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
- Install rhabdomancer as follows:
$ export IDASDKDIR=/path/to/idasdk90 $ cargo install rhabdomancer
Compiling
Alternatively, you can build from source:
- Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
- Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
- Compile rhabdomancer as follows:
$ git clone https://github.com/0xdea/rhabdomancer $ cd rhabdomancer $ export IDASDKDIR=/path/to/idasdk90 # or edit .cargo/config.toml $ cargo build --release
Usage
- Make sure IDA Pro is properly configured with a valid license.
- Customize the list of known bad API functions in
conf/rhabdomancer.toml
if needed. - Run rhabdomancer as follows:
$ rhabdomancer <binary_file>
- Open the resulting
.i64
IDB file with IDA Pro. - Select
View
>Open subviews
>Bookmarks
- Enjoy your results conveniently collected in an IDA Pro window.
Note: rhabdomancer also adds comments at marked call locations.
Tested with
- IDA Pro 9.0.240925 on macOS arm64.
Changelog
TODO
- Enrich the known bad API function list (see https://github.com/0xdea/semgrep-rules).
- Implement a basic ruleset in the style of VulFi and VulnFanatic.
Dependencies
~7–18MB
~259K SLoC