Patching - Interactive Binary Patching for IDA Pro

Related tags

Security related resourcesreverse-engineeringidaida-proidapythonpatchinghexrays
Overview

Patching - Interactive Binary Patching for IDA Pro

Patching Plugin

Overview

Patching assembly code to change the behavior of an existing program is not uncommon in malware analysis, software reverse engineering, and broader domains of security research. This project extends the popular IDA Pro disassembler to create a more robust interactive binary patching workflow designed for rapid iteration.

This project is currently powered by a minor fork of the ubiquitous Keystone Engine, supporting x86/x64 and Arm/Arm64 patching with plans to enable the remaining Keystone architectures in a future release.

Special thanks to Hex-Rays for supporting the development of this plugin.

Releases

  • v0.1 -- Initial release

Installation

This plugin requires IDA 7.6 and Python 3. It supports Windows, Linux, and macOS.

Easy Install

Run the following line in the IDA console to automatically install the plugin:

Windows / Linux

import urllib.request as r; exec(r.urlopen('https://github.com/gaasedelen/patching/raw/main/install.py').read())

macOS

import urllib.request as r; exec(r.urlopen('https://github.com/gaasedelen/patching/raw/main/install.py', cafile='/etc/ssl/cert.pem').read())

Manual Install

Alternatively, the plugin can be manually installed by downloading the distributable plugin package for your respective platform from the releases page and unzipping it to your plugins folder.

It is strongly recommended you install this plugin into IDA's user plugin directory:

import ida_diskio, os; print(os.path.join(ida_diskio.get_user_idadir(), "plugins"))

Usage

The patching plugin will automatically load for supported architectures (x86/x64/Arm/Arm64) and inject relevant patching actions into the right click context menu of the IDA disassembly views:

Patching plugin right click context menu

A complete listing of the contextual patching actions are described in the following sections.

Assemble

The main patching dialog can be launched via the Assemble action in the right click context menu. It simulates a basic IDA disassembly view that can be used to edit one or several instructions in rapid succession.

The interactive patching dialog

The assembly line is an editable field that can be used to modify instructions in real-time. Pressing enter will commit (patch) the entered instruction into the database.

Your current location (a.k.a your cursor) will always be highlighted in green. Instructions that will be clobbered as a result of your patch / edit will be highlighted in red prior to committing the patch.

Additional instructions that will be clobbered by a patch show up as red

Finally, the UP and DOWN arrow keys can be used while still focused on the editable assembly text field to quickly move the cursor up and down the disassembly view without using the mouse.

NOP

The most common patching action is to NOP out one or more instructions. For this reason, the NOP action will always be visible in the right click menu for quick access.

Right click NOP instruction

Individual instructions can be NOP'ed, as well as a selected range of instructions.

Force Conditional Jump

Forcing a conditional jump to always execute a 'good' path is another common patching action. The plugin will only show this action when right clicking a conditional jump instruction.

Forcing a conditional jump

If you never want a conditional jump to be taken, you can just NOP it instead!

Save & Quick Apply

Patches can be saved (applied) to a selected executable via the patching submenu at any time. The quick-apply action makes it even faster to save subsequent patches using the same settings.

Applying patches to the original executable

The plugin will also make an active effort to retain a backup (.bak) of the original executable which it uses to 'cleanly' apply the current set of database patches during each save.

Revert Patch

Finally, if you are ever unhappy with a patch you can simply right click patched (yellow) blocks of instructions to revert them to their original value.

Reverting patches

While it is 'easy' to revert bytes back to their original value, it can be 'hard' to restore analysis to its previous state. Reverting a patch may occasionally require additional human fixups.

Known Bugs

  • Further improve ARM / ARM64 / THUMB correctness
  • Define 'better' behavior for cpp::like::symbols(...) / IDBs (very sketchy right now)
  • Adding / Updating / Modifying / Showing / Warning about Relocation Entries??
  • Handle renamed registers (like against dwarf annotated idb)?
  • A number of new instructions (circa 2017 and later) are not supported by Keystone
  • A few problematic instruction encodings by Keystone

Future Work

Time and motivation permitting, future work may include:

  • Enable the remaining major architectures supported by Keystone:
    • PPC32 / PPC64 / MIPS32 / MIPS64 / SPARC / SystemZ
  • Multi instruction assembly (eg. xor eax, eax; ret;)
  • Multi line assembly (eg. shellcode / asm labels)
  • Interactive byte / data / string editing
  • Symbol hinting / auto-complete / fuzzy-matching
  • Syntax highlighting the editable assembly line
  • Better hinting of errors, syntax issues, etc
  • NOP / Force Jump from Hex-Rays view (sounds easy, but probably pretty hard!)
  • radio button toggle between 'pretty print' mode vs 'raw' mode? or display both? 
    Pretty:  mov     [rsp+48h+dwCreationDisposition], 3
   Raw:  mov     [rsp+20h], 3

I welcome external contributions, issues, and feature requests. Please make any pull requests to the develop branch of this repository if you would like them to be considered for a future release.

Authors

Comments
  • idasm is A Python Assembler Script Tool for IDA Pro based on

    idasm is A Python Assembler Script Tool for IDA Pro based on "patching"

    Dear gaasedelen, I extract core codes from your ingenious "patching" plugin. Now we can use "patching" as an automatic patching work engine for IDA. Here is the repository link: https://github.com/lyciumlee/idasm .

    opened by lyciumlee 2
  • OSError: [Errno 22] Invalid argument when trying to patch a large chunk

    OSError: [Errno 22] Invalid argument when trying to patch a large chunk

    When I tried to patch a large chunk, the patch will fail with OSError: [Errno 22] Invalid argument from https://github.com/gaasedelen/patching/blob/main/plugins/patching/util/ida.py#L101 I am trying to set a range of data to 0

    opened by asesidaa 2
  • Thanks for a great plugin

    Thanks for a great plugin

    Great job, what an useful plugin.

    this is not really a bug but rather a question, i tried open a request with no sucess.

    There is any way to assemble jmp +5 style short jumps for example.

    Thanks for your incredible job.

    Ricardo

    opened by ricnar456 2
  • error when click

    error when click "Apply patches to..." 

    ---------------------------------------------------------------------------------------------
Traceback (most recent call last):
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\actions.py", line 148, in activate
    controller = SaveController(self.core)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save.py", line 30, in __init__
    self.view = SaveDialog(self)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 13, in __init__
    self._ui_init()
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 30, in _ui_init
    self.setWindowFlags(self.windowFlags() & remove_flags)
TypeError: unsupported operand type(s) for &: 'WindowFlags' and 'WindowFlags'
Traceback (most recent call last):
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\actions.py", line 148, in activate
    controller = SaveController(self.core)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save.py", line 30, in __init__
    self.view = SaveDialog(self)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 13, in __init__
    self._ui_init()
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 30, in _ui_init
    self.setWindowFlags(self.windowFlags() & remove_flags)
TypeError: unsupported operand type(s) for &: 'WindowFlags' and 'WindowFlags'

    https://github.com/gaasedelen/patching/blob/main/plugins/patching/ui/save_ui.py#L30

    >>> print(self.windowFlags())
<PyQt5.QtCore.Qt.WindowFlags object at 0x000002048BED15B0>
>>> print(remove_flags)
<PyQt5.QtCore.Qt.WindowFlags object at 0x000002048BF7EAB0>

    versions info:

    • Windows 10
    • Python 3.10
    • PyQt5 5.15.6
    • patching: last release
    • Ida 7.6
    opened by Cirn09 1
  • need to delete patching.py in plugins dir

    need to delete patching.py in plugins dir

    Python>import urllib.request as r; exec(r.urlopen('https://github.com/gaasedelen/patching/raw/main/install.py').read()) [*] Starting auto installer for 'Patching' plugin... [*] Fetching info from GitHub... [*] Downloading patching_win32.zip... [] Saving patching_win32.zip to disk... [] Removing existing plugin... [*] Unzipping patching_win32.zip... [+] Patching v0.1.2 installed successfully! [!] Restart IDA to use the updated plugin install successfully

    Then i restart ida, C:\Users\asdf\AppData\Roaming\Hex-Rays\IDA Pro\plugins\patching.py: No module named 'patching.util'; 'patching' is not a package Traceback (most recent call last): File "E:\IDA Pro 7.6\python\3\ida_idaapi.py", line 617, in IDAPython_ExecScript exec(code, g) File "C:/Users/asdf/AppData/Roaming/Hex-Rays/IDA Pro/plugins/patching.py", line 42, in import patching File "E:\IDA Pro 7.6\plugins\patching.py", line 43, in from patching.util.python import reload_package ModuleNotFoundError: No module named 'patching.util'; 'patching' is not a package

    Then i try to delete \IDA Pro 7.6\plugins\patching.py, reserve \Users\asdf\AppData\Roaming\Hex-Rays\IDA Pro\plugins\patching.py, thats works.

    opened by helloobaby 0
  • problem with assemble

    problem with assemble

    when i try to use assemble i get error

    изображение i try on ida 7.6 and 7.7 and get some error OC-widows10 executable file-arm64 dylib if you need i can give .dmp file

    opened by mishavac 1
  • [Feature request] In-memory patching

    [Feature request] In-memory patching

    First of all, commendations on your great work ! The built-in assembler for IDA was pretty much unusable so the patching had to be done with an external program, making the whole process really tedious (load file in IDA -> debug -> patch in another app -> reload file in IDA -> reanalyze the whole thing -> debug -> rinse and repeat). This finally lets me drop the external app from the workflow and no reloading required, simply awesome !

    As far as binary patching goes, it currently works as-is. Finally also the "patched bytes" section actually works since your plugin keeps the backup file, and IDA does not get confused anymore on what is actually patched and what is original.

    I have a request though which would make it even better, incorporate the in-memory patching option from (currently defunct and unmaintained, unfortunately) https://github.com/scottmudge/DebugAutoPatch . The "About" section outlines well some of the grievances with the IDA built-in patching system and fixes them. I do not know how non-trivial it would be to add those features to this patcher plugin though

    opened by anzz1 1
  • not working

    not working

    Traceback (most recent call last): File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\actions.py", line 127, in activate wid = PatchingController(self.core, get_current_ea(ctx)) File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\preview.py", line 47, in init self.refresh() File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\preview.py", line 223, in refresh self.select_address(self.address) File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\preview.py", line 68, in select_address if insn.address != ea: AttributeError: 'NoneType' object has no attribute 'address'

    opened by advokat11 0
  • Jump to next line on enter key

    Jump to next line on enter key

    In the Assemble dialog, the cursor should jump to the next line when I press the Enter key. This is a required feature to edit/write multiple assembly code.

    Can you add this behavior?

    opened by CaledoniaProject 0
Releases(v0.1.2)
Owner
turning over rocks and finding nothing is still progress.
GitHub Repository
Detection tool of malware(s) by checksum (useful for forensic)

🐍 malware_checker.py Detection tool of malware(s) by checksum (useful for forensic) 📦 Dependencies installation $ pip3 install -r requirements.txt

Fayred 1 Jan 30, 2022
带回显版本的漏洞利用脚本

CVE-2021-21978 带回显版本的漏洞利用脚本,更简单的方式 0. 漏洞信息 VMware View Planner Web管理界面存在一个上传日志功能文件的入口,没有进行认证且写入的日志文件路径用户可控,通过覆盖上传日志功能文件log_upload_wsgi.py,即可实现RCE 漏洞代码

3ky7in4 24 Nov 09, 2022
Python script that sends CVE-2021-44228 log4j payload requests to url list

scan4log4j Python script that sends CVE-2021-44228 log4j payload requests to url list [VERY BETA] using Supply your url list to urls.txt Put your payl

elyesa 5 Nov 09, 2022
orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner

Introduction orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner. Other popular ORF searching tools

Urminder Singh 34 Nov 21, 2022
The self-hostable proxy tunnel

TTUN Server The self-hostable proxy tunnel. Running Running: docker run -e TUNNEL_DOMAIN=Your tunnel domain -e SECURE=True if using SSL ghcr.io/to

Tom van der Lee 2 Jan 11, 2022
A Proof-of-Concept Layer 2 Denial of Service Attack that disrupts low level operations of Programmable Logic Controllers within industrial environments. Utilizing multithreaded processing, Automator-Terminator delivers a powerful wave of spoofed ethernet packets to a null MAC address.

Automator-Terminator A Proof-of-Concept Layer 2 Denial of Service Attack that disrupts low level operations of Programmable Logic Controllers (PLCs) w

25 Oct 10, 2022
Exploit tool for Adminer 1.0 up to 4.6.2 Arbitrary File Read vulnerability

AdminerRead Exploit tool for Adminer 1.0 up to 4.6.2 Arbitrary File Read vulnerability Installation git clone https://github.com/p0dalirius/AdminerRea

Podalirius 58 Dec 05, 2022
对naabu的端口扫描结果,调用nmap进行指纹识别

naabu2nmap 对naabu的端口扫描结果,调用nmap进行指纹识别

Se7en 12 Nov 22, 2022
Denial Attacks by Various Methods

Denial Service Attack Denial Attacks by Various Methods IIIIIIIIIIIIIIIIIIII PPPPPPPPPPPPPPPPP VVVVVVVV VVVVVVVV I::

Baris Dincer 9 Nov 26, 2022
D-810 is an IDA Pro plugin which can be used to deobfuscate code at decompilation time by modifying IDA Pro microcode.

Introduction fork from https://gitlab.com/eshard/d810 What is D-810 D-810 is an IDA Pro plugin which can be used to deobfuscate code at decompilation

Banny 30 Dec 06, 2022
Log4j-Scanner with Bind-Receipt and custom hostnames

Hrafna - Log4j-Scanner for the masses Features Scanning-system designed to check your own infra for vulnerable log4j-installations start and stop scan

18 Jan 23, 2022
An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

mitmproxy mitmproxy is an interactive, SSL/TLS-capable intercepting proxy with a console interface for HTTP/1, HTTP/2, and WebSockets. mitmdump is the

mitmproxy 29.7k Jan 04, 2023
This program is a WiFi cracker, you can test many passwords for a desired wifi to find the wifi password!

WiFi_Cracker About the Program: This program is a WiFi cracker! Just run code and select a desired wifi to start cracking 💣 Note: you can use this pa

Sina.f 13 Dec 08, 2022
MassStringer, CTF Flag Finder

massStringer MassStringer, CTF Flag Finder Usage: python3 massStringer.py Enter absolute path of the directory to scan for flags Edit "flag = re.searc

SuperTsumu 4 Sep 06, 2022
A small utility to deal with malware embedded hashes.

Uchihash is a small utility that can save malware analysts the time of dealing with embedded hash values used for various things such as: Dyn

Abdallah Elshinbary 48 Dec 19, 2022
PoC of proxylogon chain SSRF(CVE-2021-26855) to write file by testanull, censored by github

CVE-2021-26855 PoC of proxylogon chain SSRF(CVE-2021-26855) to write file by testanull, censored by github Why does github remove this exploit because

The Hacker's Choice 58 Nov 15, 2022
Blinder is a tool that will help you simplify the exploitation of blind SQL injection

Blinder Have you found a blind SQL injection? Great! Now you need to export it, but are you too lazy to sort through the values? Most likely,

10 Dec 06, 2022
We protect the privacy of the data on your computer by using the camera of your Debian based Pardus operating system. 🕵️

Pardus Lookout We protect the privacy of the data on your computer by using the camera of your Debian based Pardus operating system. The application i

Ahmet Furkan DEMIR 19 Nov 18, 2022
Seamless deployment and management of cybersecurity solutions 🏗️

Description 🖼️ Background 👴🏼 Vision 📜 Concepts 💬 Solutions' Lifecycle. Operations ⭕ Functionalities 🚀 Supported Cybersecurity Solutions 📦 Insta

MutableSecurity 36 Nov 10, 2022
Anti Supercookie - Confusing the ISP & Escaping the Supercookie

Confusing the ISP & Escaping the Supercookie

Baris Dincer 2 Nov 22, 2022