#binary-file #reverse-engineering #ida #idalib #ida-pro #ida-plugin #vuln-dev

bin+lib rhabdomancer

Vulnerability research assistant that locates all calls to potentially insecure API functions in a binary file

1 unstable release

new 0.1.0 Nov 5, 2024

#3 in #ida

MIT license

18KB
201 lines

rhabdomancer

"The road to exploitable bugs is paved with unexploitable bugs."

-- Mark Dowd

Rhabdomancer is a blazing fast IDA Pro headless plugin that locates all calls to potentially insecure API functions in a binary file. Auditors can backtrace from these candidate points to find pathways allowing access from untrusted input.

Features

  • Blazing fast, headless user experience courtesy of IDA Pro and Binarly's idalib Rust bindings.
  • Support for C/C++ binary targets compiled for any architecture implemented by IDA Pro.
  • Bad API function call locations are printed to stdout and marked with comments in the IDB.
  • Known bad API functions are grouped in tiers of badness to help prioritize the audit work.

Compiling

  1. Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
  2. Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
  3. Compile rhabdomancer as follows:
    $ git clone https://github.com/0xdea/rhabdomancer
    $ cd rhabdomancer
    $ export IDASDKDIR=/path/to/idasdk90 # or edit .cargo/config.toml
    $ cargo build --release
    

Usage

  1. Make sure IDA Pro is properly configured with a valid license.
  2. Run rhabdomancer as follows:
    $ ./target/release/rhabdomancer [binary file]
    
  3. Open the resulting .i64 IDB file with IDA Pro.
  4. Select Search > Text..., flag Find all occurrences, and search for "[BAD ".
  5. Enjoy your results conveniently collected in an IDA Pro window (but double check that all results are displayed, as text search is buggy and sometimes misses some comments).
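To make the tiered triage concrete, here is an added, self-contained Rust illustration of the idea behind the plugin: a table of known-bad API functions grouped by tier is matched against the callee names collected at call sites, and each hit becomes a `[BAD n]` comment of the kind the usage steps tell you to search for. This is example code written for this page, not rhabdomancer's source and not its idalib integration; the tier table, the symbol decorations it strips (`_`, `__imp_`, `j_`, `@plt`) and the sample call sites are all constructed here.

```rust
// Added illustration of call-site triage by tiers of badness.
// Not rhabdomancer's code: the tier table, the symbol normalisation
// rules and the sample call sites are constructed for this example.

use std::collections::BTreeMap;

/// Tier of badness; lower is worse. Constructed scheme, not the project's.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Tier {
    /// Practically impossible to use safely: unbounded writes.
    Tier0,
    /// Bounded but frequently misused: length and termination mistakes.
    Tier1,
    /// Fine in themselves, but their arguments (formats, sizes) need review.
    Tier2,
}

/// Constructed table of functions worth auditing.
const BAD_API: &[(&str, Tier)] = &[
    ("gets", Tier::Tier0),
    ("strcpy", Tier::Tier0),
    ("strcat", Tier::Tier0),
    ("sprintf", Tier::Tier0),
    ("strncpy", Tier::Tier1),
    ("strncat", Tier::Tier1),
    ("snprintf", Tier::Tier1),
    ("memcpy", Tier::Tier1),
    ("printf", Tier::Tier2),
    ("malloc", Tier::Tier2),
];

/// Reduce a disassembler symbol to the bare C function name.
/// Assumed decorations (example rules, not the plugin's): an `__imp_`
/// import-pointer prefix, a `j_` thunk prefix, leading underscores from
/// Mach-O/COFF C symbols, and an `@plt`-style version/section suffix.
pub fn normalize_symbol(sym: &str) -> String {
    let mut s = sym;
    if let Some(rest) = s.strip_prefix("__imp_") {
        s = rest;
    }
    if let Some(rest) = s.strip_prefix("j_") {
        s = rest;
    }
    s = s.trim_start_matches('_');
    if let Some(idx) = s.find('@') {
        s = &s[..idx];
    }
    s.to_string()
}

/// Tier of a call target, if its normalised name is on the list.
pub fn classify(sym: &str) -> Option<Tier> {
    let name = normalize_symbol(sym);
    BAD_API
        .iter()
        .find(|(n, _)| *n == name.as_str())
        .map(|(_, t)| *t)
}

/// A call site as a disassembler reports it: address plus callee symbol.
#[derive(Debug, Clone)]
pub struct CallSite {
    pub addr: u64,
    pub callee: String,
}

/// Comment text in the style of the `[BAD` marker users search for.
pub fn comment_for(tier: Tier, name: &str) -> String {
    format!("[BAD {}] {}", tier as u8, name)
}

/// Group flagged call sites by tier, worst tier first, sorted by address.
pub fn triage(sites: &[CallSite]) -> BTreeMap<Tier, Vec<(u64, String)>> {
    let mut out: BTreeMap<Tier, Vec<(u64, String)>> = BTreeMap::new();
    for site in sites {
        if let Some(tier) = classify(&site.callee) {
            let name = normalize_symbol(&site.callee);
            out.entry(tier)
                .or_default()
                .push((site.addr, comment_for(tier, &name)));
        }
    }
    for hits in out.values_mut() {
        hits.sort();
    }
    out
}

/// Constructed call sites standing in for a real disassembly listing.
pub fn sample_sites() -> Vec<CallSite> {
    let mk = |addr, callee: &str| CallSite { addr, callee: callee.to_string() };
    vec![
        mk(0x1000, "_strcpy"),
        mk(0x1010, "__imp_strncpy"),
        mk(0x1020, "j__sprintf"),
        mk(0x1030, "puts"),
        mk(0x1040, "memcpy@plt"),
        mk(0x1050, "printf"),
    ]
}

fn main() {
    for (tier, hits) in triage(&sample_sites()) {
        println!("{:?}:", tier);
        for (addr, comment) in hits {
            println!("  {addr:#x}  {comment}");
        }
    }
}
```

Running `main` prints the flagged sites grouped Tier0, Tier1, Tier2, with `puts` left out because it is not on the list; in the real plugin the equivalent of `comment_for` is what ends up as an IDB comment, which is why the text search for `[BAD ` collects the results.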

Tested with

  • IDA Pro 9.0.240925 on macOS arm64.

Dependencies

~6–18MB
~259K SLoC