Lib.rs

Command line utilities
#ida #binary-file #reverse-engineering #idalib #api-calls #vuln-dev

bin+lib rhabdomancer

Vulnerability research assistant that locates all calls to potentially insecure API functions in a binary file

by raptor

8 releases

new 0.2.5 Dec 20, 2024
0.2.4 Dec 16, 2024
0.2.2 Nov 25, 2024
0.1.1 Nov 8, 2024

#1252 in Command line utilities

Download history 108/week @ 2024-11-01 121/week @ 2024-11-08 222/week @ 2024-11-15 153/week @ 2024-11-22 123/week @ 2024-11-29 44/week @ 2024-12-06 127/week @ 2024-12-13

454 downloads per month

MIT license

21KB
216 lines

rhabdomancer

build doc

"The road to exploitable bugs is paved with unexploitable bugs."

-- Mark Dowd

Rhabdomancer is a blazing fast IDA Pro headless plugin that locates all calls to potentially insecure API functions in a binary file. Auditors can backtrace from these candidate points to find pathways allowing access from untrusted input.

Features

  • Blazing fast, headless user experience courtesy of IDA Pro 9 and Binarly's idalib Rust bindings.
  • Support for C/C++ binary targets compiled for any architecture implemented by IDA Pro.
  • Bad API function call locations are printed to stdout and marked in the IDB.
  • Known bad API functions are grouped in tiers of badness to help prioritize the audit work.
  • The list of known bad API functions can be easily customized by editing conf/rhabdomancer.toml.

Blog post

See also

Installing

The easiest way to get the latest release is via crates.io:

  1. Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
  2. Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
  3. Install rhabdomancer as follows: 
    $ export IDASDKDIR=/path/to/idasdk90
$ export IDADIR=/path/to/ida # if not set, the build script will check common locations
$ cargo install rhabdomancer

Compiling

Alternatively, you can build from source:

  1. Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
  2. Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
  3. Compile rhabdomancer as follows: 
    $ git clone https://github.com/0xdea/rhabdomancer
$ cd rhabdomancer
$ export IDASDKDIR=/path/to/idasdk90 # or edit .cargo/config.toml
$ export IDADIR=/path/to/ida # if not set, the build script will check common locations
$ cargo build --release

Usage

  1. Make sure IDA Pro is properly configured with a valid license.
  2. Customize the list of known bad API functions in conf/rhabdomancer.toml if needed.
  3. Run rhabdomancer as follows: 
    $ rhabdomancer <binary_file>
  4. Open the resulting .i64 IDB file with IDA Pro.
  5. Select View > Open subviews > Bookmarks
  6. Enjoy your results conveniently collected in an IDA Pro window.

Note: rhabdomancer also adds comments at marked call locations.

Tested with

  • IDA Pro 9.0.240925 on macOS arm64 and Linux x64.
  • IDA Pro 9.0.241217 on macOS arm64 and Linux x64.

Note: not tested on Windows, check idalib documentation if you want to try it yourself.

Changelog

TODO

Dependencies

~7–18MB
~265K SLoC