IDA2Obj is a tool to implement SBI (Static Binary Instrumentation).

Overview

IDA2Obj

IDA2Obj is a tool to implement SBI (Static Binary Instrumentation).

The working flow is simple:

  • Dump object files (COFF) directly from one executable binary.
  • Link the object files into a new binary, almost the same as the old one.
  • During the dumping process, you can insert any data/code at any location.
    • SBI is just one of the using scenarios, especially useful for black-box fuzzing.

How to use

  1. Prepare the enviroment:

    • Set AUTOIMPORT_COMPAT_IDA695 = YES in the idapython.cfg to support the API with old IDA 6.x style.
    • Install dependency: pip install cough
  2. Create a folder as the workspace.

  3. Copy the target binary which you want to fuzz into the workspace.

  4. Load the binary into IDA Pro, choose Load resources and manually load to load all the segments from the binary.

    image-20210813134907705
  5. Wait for the auto-analysis done.

  6. Dump object files by running the script MagicIDA/main.py.

    • The output object files will be inside ${workspace}/${module}/objs/afl.
    • If you create an empty file named TRACE_MODE inside the workspace, then the output object files will be inside ${workspace}/${module}/objs/trace.
    • By the way, it will also generate 3 files inside ${workspace}/${module} :
      • exports_afl.def (used for linking)
      • exports_trace.def (used for linking)
      • hint.txt (used for patching)
  7. Generate lib files by running the script utils/LibImports.py.

    • The output lib files will be inside ${workspace}/${module}/libs, used for linking later.
  8. Open a terminal and change the directory to the workspace.

  9. Link all the object files and lib files by using utils/link.bat.

    • e.g. utils/link.bat GdiPlus dll afl /RELEASE
    • It will generate the new binary with the pdb file inside ${workspace}/${module}.
  10. Patch the new built binary by using utils/PatchPEHeader.py.

    • e.g. utils/PatchPEHeader.py GdiPlus/GdiPlus.afl.dll
    • For the first time, you may need to run utils/register_msdia_run_as_administrator.bat as administrator.
  11. Run & Fuzz.

More details

HITB Slides : https://github.com/jhftss/jhftss.github.io/blob/main/res/slides/HITB2021SIN%20-%20IDA2Obj%20-%20Mickey%20Jin.pdf

Demo : https://drive.google.com/file/d/1N3DXJCts5jG0Y5B92CrJOTIHedWyEQKr/view?usp=sharing

You might also like...
Vulnerability Scanner & Auto Exploiter You can use this tool to check the security by finding the vulnerability in your website or you can use this tool to Get Shells
Vulnerability Scanner & Auto Exploiter You can use this tool to check the security by finding the vulnerability in your website or you can use this tool to Get Shells

About create a target list or select one target, scans then exploits, done! Vulnnr is a Vulnerability Scanner & Auto Exploiter You can use this tool t

All in One CRACKER911181's Tool. This Tool For Hacking and Pentesting. 🎭

All in One CRACKER911181's Tool. This Tool For Hacking and Pentesting. 🎭

Facebook account cloning/hacking advanced tool + dictionary attack added | Facebook automation tool
Facebook account cloning/hacking advanced tool + dictionary attack added | Facebook automation tool

loggef Facebook automation tool, Facebook account hacking and cloning advanced tool + dictionary attack added Warning Use this tool for educational pu

labsecurity is a tool that brings together python scripts made for ethical hacking, in a single tool, through a console interface
labsecurity is a tool that brings together python scripts made for ethical hacking, in a single tool, through a console interface

labsecurity labsecurity is a tool that brings together python scripts made for ethical hacking, in a single tool, through a console interface. Warning

All in One CRACKER911181's Tool. This Tool For Hacking and Pentesting.🎭

This is A Python & Bash Programming Based Termux-Tool Created By CRACKER911181. This Tool Created For Hacking and Pentesting. If You Use This Tool To Evil Purpose,The Owner Will Never be Responsible For That.

A tool to brute force a gmail account. Use this tool to crack multiple accounts
A tool to brute force a gmail account. Use this tool to crack multiple accounts

A tool to brute force a gmail account. Use this tool to crack multiple accounts. This tool is developed to crack multiple accounts

Osint-Tool - Information collection tool in python

Osint-Tool Herramienta para la recolección de información Pronto más opciones In

An auxiliary tool for iot vulnerability hunter

firmeye - IoT固件漏洞挖掘工具 firmeye 是一个 IDA 插件,基于敏感函数参数回溯来辅助漏洞挖掘。我们知道,在固件漏洞挖掘中,从敏感/危险函数出发,寻找其参数来源,是一种很有效的漏洞挖掘方法,但程序中调用敏感函数的地方非常多,人工分析耗时费力,通过该插件,可以帮助排除大部分的安全

DNS hijacking via dead records automation tool
DNS hijacking via dead records automation tool

DeadDNS Multi-threaded DNS hijacking via dead records automation tool How it works 1) Dig provided subdomains file for dead DNS records. 2) Dig the fo

Comments
  • I have some questions...

    I have some questions...

    [EN] a year ago - I also wanted to do such a project, but then many people laughed at me. And so ... now I see him realized by you.

    I have a few questions for you: 1.in the objdump.py file def AddRelocation (self, va, symIndex, type): reloc = Relocation () <----------- what is this function? where is she from? where is it described? 2. There is no problem to "parse" the dll-file (which, by definition, has a relocation table) and a completely different matter - when we are dealing with an exe file (which has a relocation table cut out) 3. What if your file has no debug symbols? (pdb file). 4. How about making the converter more intelligent - not sticking the whole section into an obj file, but dividing them as they were before the linker? (I do not argue, this is much more difficult - but, this is what I have to do now, doing real reverse engineering)

    [RU] год назад - тоже захотел сделать такой проект но, тогда многие люди смеялись над о мной. И вот... теперь я вижу его реализованным тобой.

    У меня есть к вам несколько вопросов:

    1. в файле objdump.py def AddRelocation(self, va, symIndex, type): reloc = Relocation() <-----------что это за функция? откуда она? где она описана?
    2. Нет никакой проблемы "распарсить" dll-файл (у которого по определению сохранена таблица релокаций) и совсем другое дело - когда мы имеем дело с exe-файлом (у которого вырезана таблица релокаций)
    3. Как быть, если у твоего файла - нет отладочных символов? (pdb-файл).
    4. Как насчёт того, чтоб сделать конвертер более интеллектуальным - не засовывая всю секцию в obj-файл, а разделяя их так - как они были до linker? (не спорю, это намного труднее - но, это то, что мне приходится делать сейчас, занимаясь реальным реверс-инжинирингом)
    opened by gitmesam 1
Owner
Mickey
Hello World.
Mickey
Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries

Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries. Using xrefs to commonly injected and format string'd files, it will scan binaries faster than Firmware Slap.

Christopher Roberts 3 Nov 16, 2021
neo Tool is great one in binary exploitation topic

neo Tool is great one in binary exploitation topic. instead of doing several missions by many tools and windows, you can now automate this in one tool in one session.. Enjoy it

Hamza Elansari 4 Oct 10, 2022
DLLirant is a tool to automatize the DLL Hijacking researches on a specified binary.

DLLirant DLLirant is a tool to automatize the DLL Hijacking researches on a specified binary. Live Demo How to install You need to install Visual Stud

null 314 Dec 30, 2022
A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications

This project is no longer maintained March 2020 Update: Please go see the amazing Pysa tutorial that should get you up to speed finding security vulne

null 2.1k Dec 25, 2022
Get important strings inside [Info.plist] & and Binary file also all output of result it will be saved in [app_binary].json , [app_plist_file].json file

Get important strings inside [Info.plist] & and Binary file also all output of result it will be saved in [app_binary].json , [app_plist_file].json file

null 12 Sep 28, 2022
A blind SQL injection script that uses binary search aka bisection method to dump datas from database.

Blind SQL Injection I wrote this script to solve PortSwigger Web Security Academy's particular Blind SQL injection with conditional responses lab. Bec

Şefik Efe 2 Oct 29, 2022
A Radare2 based Python module for Binary Analysis and Reverse Engineering.

Zepu1chr3 A Radare2 based Python module for Binary Analysis and Reverse Engineering. Installation You can simply run this command. pip3 install zepu1c

Mehmet Ali KERİMOĞLU 5 Aug 25, 2022
Patching - Interactive Binary Patching for IDA Pro

Patching - Interactive Binary Patching for IDA Pro Overview Patching assembly code to change the behavior of an existing program is not uncommon in ma

null 589 Dec 30, 2022
Unsafe Twig processing of static pages leading to RCE in Grav CMS 1.7.10

CVE-2021-29440 Unsafe Twig processing of static pages leading to RCE in Grav CMS 1.7.10 Grav is a file based Web-platform. Twig processing of static p

Enox 6 Oct 10, 2022
Static Token And Credential Scanner

Static Token And Credential Scanner What is it? STACS is a YARA powered static credential scanner which suports binary file formats, analysis of neste

STACS 81 Dec 27, 2022