Patching - Interactive Binary Patching for IDA Pro

Related tags

Security related resourcesreverse-engineeringidaida-proidapythonpatchinghexrays
Overview

Patching - Interactive Binary Patching for IDA Pro

Patching Plugin

Overview

Patching assembly code to change the behavior of an existing program is not uncommon in malware analysis, software reverse engineering, and broader domains of security research. This project extends the popular IDA Pro disassembler to create a more robust interactive binary patching workflow designed for rapid iteration.

This project is currently powered by a minor fork of the ubiquitous Keystone Engine, supporting x86/x64 and Arm/Arm64 patching with plans to enable the remaining Keystone architectures in a future release.

Special thanks to Hex-Rays for supporting the development of this plugin.

Releases

  • v0.1 -- Initial release

Installation

This plugin requires IDA 7.6 and Python 3. It supports Windows, Linux, and macOS.

Easy Install

Run the following line in the IDA console to automatically install the plugin:

Windows / Linux

import urllib.request as r; exec(r.urlopen('https://github.com/gaasedelen/patching/raw/main/install.py').read())

macOS

import urllib.request as r; exec(r.urlopen('https://github.com/gaasedelen/patching/raw/main/install.py', cafile='/etc/ssl/cert.pem').read())

Manual Install

Alternatively, the plugin can be manually installed by downloading the distributable plugin package for your respective platform from the releases page and unzipping it to your plugins folder.

It is strongly recommended you install this plugin into IDA's user plugin directory:

import ida_diskio, os; print(os.path.join(ida_diskio.get_user_idadir(), "plugins"))

Usage

The patching plugin will automatically load for supported architectures (x86/x64/Arm/Arm64) and inject relevant patching actions into the right click context menu of the IDA disassembly views:

Patching plugin right click context menu

A complete listing of the contextual patching actions are described in the following sections.

Assemble

The main patching dialog can be launched via the Assemble action in the right click context menu. It simulates a basic IDA disassembly view that can be used to edit one or several instructions in rapid succession.

The interactive patching dialog

The assembly line is an editable field that can be used to modify instructions in real-time. Pressing enter will commit (patch) the entered instruction into the database.

Your current location (a.k.a your cursor) will always be highlighted in green. Instructions that will be clobbered as a result of your patch / edit will be highlighted in red prior to committing the patch.

Additional instructions that will be clobbered by a patch show up as red

Finally, the UP and DOWN arrow keys can be used while still focused on the editable assembly text field to quickly move the cursor up and down the disassembly view without using the mouse.

NOP

The most common patching action is to NOP out one or more instructions. For this reason, the NOP action will always be visible in the right click menu for quick access.

Right click NOP instruction

Individual instructions can be NOP'ed, as well as a selected range of instructions.

Force Conditional Jump

Forcing a conditional jump to always execute a 'good' path is another common patching action. The plugin will only show this action when right clicking a conditional jump instruction.

Forcing a conditional jump

If you never want a conditional jump to be taken, you can just NOP it instead!

Save & Quick Apply

Patches can be saved (applied) to a selected executable via the patching submenu at any time. The quick-apply action makes it even faster to save subsequent patches using the same settings.

Applying patches to the original executable

The plugin will also make an active effort to retain a backup (.bak) of the original executable which it uses to 'cleanly' apply the current set of database patches during each save.

Revert Patch

Finally, if you are ever unhappy with a patch you can simply right click patched (yellow) blocks of instructions to revert them to their original value.

Reverting patches

While it is 'easy' to revert bytes back to their original value, it can be 'hard' to restore analysis to its previous state. Reverting a patch may occasionally require additional human fixups.

Known Bugs

  • Further improve ARM / ARM64 / THUMB correctness
  • Define 'better' behavior for cpp::like::symbols(...) / IDBs (very sketchy right now)
  • Adding / Updating / Modifying / Showing / Warning about Relocation Entries??
  • Handle renamed registers (like against dwarf annotated idb)?
  • A number of new instructions (circa 2017 and later) are not supported by Keystone
  • A few problematic instruction encodings by Keystone

Future Work

Time and motivation permitting, future work may include:

  • Enable the remaining major architectures supported by Keystone:
    • PPC32 / PPC64 / MIPS32 / MIPS64 / SPARC / SystemZ
  • Multi instruction assembly (eg. xor eax, eax; ret;)
  • Multi line assembly (eg. shellcode / asm labels)
  • Interactive byte / data / string editing
  • Symbol hinting / auto-complete / fuzzy-matching
  • Syntax highlighting the editable assembly line
  • Better hinting of errors, syntax issues, etc
  • NOP / Force Jump from Hex-Rays view (sounds easy, but probably pretty hard!)
  • radio button toggle between 'pretty print' mode vs 'raw' mode? or display both? 
    Pretty:  mov     [rsp+48h+dwCreationDisposition], 3
   Raw:  mov     [rsp+20h], 3

I welcome external contributions, issues, and feature requests. Please make any pull requests to the develop branch of this repository if you would like them to be considered for a future release.

Authors

Comments
  • idasm is A Python Assembler Script Tool for IDA Pro based on

    idasm is A Python Assembler Script Tool for IDA Pro based on "patching"

    Dear gaasedelen, I extract core codes from your ingenious "patching" plugin. Now we can use "patching" as an automatic patching work engine for IDA. Here is the repository link: https://github.com/lyciumlee/idasm .

    opened by lyciumlee 2
  • OSError: [Errno 22] Invalid argument when trying to patch a large chunk

    OSError: [Errno 22] Invalid argument when trying to patch a large chunk

    When I tried to patch a large chunk, the patch will fail with OSError: [Errno 22] Invalid argument from https://github.com/gaasedelen/patching/blob/main/plugins/patching/util/ida.py#L101 I am trying to set a range of data to 0

    opened by asesidaa 2
  • Thanks for a great plugin

    Thanks for a great plugin

    Great job, what an useful plugin.

    this is not really a bug but rather a question, i tried open a request with no sucess.

    There is any way to assemble jmp +5 style short jumps for example.

    Thanks for your incredible job.

    Ricardo

    opened by ricnar456 2
  • error when click

    error when click "Apply patches to..." 

    ---------------------------------------------------------------------------------------------
Traceback (most recent call last):
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\actions.py", line 148, in activate
    controller = SaveController(self.core)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save.py", line 30, in __init__
    self.view = SaveDialog(self)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 13, in __init__
    self._ui_init()
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 30, in _ui_init
    self.setWindowFlags(self.windowFlags() & remove_flags)
TypeError: unsupported operand type(s) for &: 'WindowFlags' and 'WindowFlags'
Traceback (most recent call last):
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\actions.py", line 148, in activate
    controller = SaveController(self.core)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save.py", line 30, in __init__
    self.view = SaveDialog(self)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 13, in __init__
    self._ui_init()
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 30, in _ui_init
    self.setWindowFlags(self.windowFlags() & remove_flags)
TypeError: unsupported operand type(s) for &: 'WindowFlags' and 'WindowFlags'

    https://github.com/gaasedelen/patching/blob/main/plugins/patching/ui/save_ui.py#L30

    >>> print(self.windowFlags())
<PyQt5.QtCore.Qt.WindowFlags object at 0x000002048BED15B0>
>>> print(remove_flags)
<PyQt5.QtCore.Qt.WindowFlags object at 0x000002048BF7EAB0>

    versions info:

    • Windows 10
    • Python 3.10
    • PyQt5 5.15.6
    • patching: last release
    • Ida 7.6
    opened by Cirn09 1
  • need to delete patching.py in plugins dir

    need to delete patching.py in plugins dir

    Python>import urllib.request as r; exec(r.urlopen('https://github.com/gaasedelen/patching/raw/main/install.py').read()) [*] Starting auto installer for 'Patching' plugin... [*] Fetching info from GitHub... [*] Downloading patching_win32.zip... [] Saving patching_win32.zip to disk... [] Removing existing plugin... [*] Unzipping patching_win32.zip... [+] Patching v0.1.2 installed successfully! [!] Restart IDA to use the updated plugin install successfully

    Then i restart ida, C:\Users\asdf\AppData\Roaming\Hex-Rays\IDA Pro\plugins\patching.py: No module named 'patching.util'; 'patching' is not a package Traceback (most recent call last): File "E:\IDA Pro 7.6\python\3\ida_idaapi.py", line 617, in IDAPython_ExecScript exec(code, g) File "C:/Users/asdf/AppData/Roaming/Hex-Rays/IDA Pro/plugins/patching.py", line 42, in import patching File "E:\IDA Pro 7.6\plugins\patching.py", line 43, in from patching.util.python import reload_package ModuleNotFoundError: No module named 'patching.util'; 'patching' is not a package

    Then i try to delete \IDA Pro 7.6\plugins\patching.py, reserve \Users\asdf\AppData\Roaming\Hex-Rays\IDA Pro\plugins\patching.py, thats works.

    opened by helloobaby 0
  • problem with assemble

    problem with assemble

    when i try to use assemble i get error

    изображение i try on ida 7.6 and 7.7 and get some error OC-widows10 executable file-arm64 dylib if you need i can give .dmp file

    opened by mishavac 1
  • [Feature request] In-memory patching

    [Feature request] In-memory patching

    First of all, commendations on your great work ! The built-in assembler for IDA was pretty much unusable so the patching had to be done with an external program, making the whole process really tedious (load file in IDA -> debug -> patch in another app -> reload file in IDA -> reanalyze the whole thing -> debug -> rinse and repeat). This finally lets me drop the external app from the workflow and no reloading required, simply awesome !

    As far as binary patching goes, it currently works as-is. Finally also the "patched bytes" section actually works since your plugin keeps the backup file, and IDA does not get confused anymore on what is actually patched and what is original.

    I have a request though which would make it even better, incorporate the in-memory patching option from (currently defunct and unmaintained, unfortunately) https://github.com/scottmudge/DebugAutoPatch . The "About" section outlines well some of the grievances with the IDA built-in patching system and fixes them. I do not know how non-trivial it would be to add those features to this patcher plugin though

    opened by anzz1 1
  • not working

    not working

    Traceback (most recent call last): File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\actions.py", line 127, in activate wid = PatchingController(self.core, get_current_ea(ctx)) File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\preview.py", line 47, in init self.refresh() File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\preview.py", line 223, in refresh self.select_address(self.address) File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\preview.py", line 68, in select_address if insn.address != ea: AttributeError: 'NoneType' object has no attribute 'address'

    opened by advokat11 0
  • Jump to next line on enter key

    Jump to next line on enter key

    In the Assemble dialog, the cursor should jump to the next line when I press the Enter key. This is a required feature to edit/write multiple assembly code.

    Can you add this behavior?

    opened by CaledoniaProject 0
Releases(v0.1.2)
Owner
turning over rocks and finding nothing is still progress.
GitHub Repository
Cobalt Strike < 4.4 dos CVE-2021-36798

CVE-2021-36798 CVE-2021-36798 Cobalt Strike 4.3 dos 用法 python3 CVE-2021-36798.py BeaconURL 打瘫Cobalt Strike 只需要一个包 已测试 4.3 4.2 参考: https://labs.sent

37 Nov 09, 2022
Port scanning tool that uses Python3. Created by Noble Wilson

Hello There! My name is Noble Wilson and I am an aspiring IT/InfoSec coder practicing for my future. ________________________________________________

1 Nov 23, 2021
Searches through git repositories for high entropy strings and secrets, digging deep into commit history

truffleHog Searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accident

Truffle Security 10.1k Jan 09, 2023
Python DNS Lookup: The Domain Name System (DNS) is basically the phonebook of the Internet

-Python-DNS-Lookup- ✨ 🌟 Python DNS Lookup ✨ 🌟 The Domain Name System (DNS) is

Ronnie Atuhaire 2 Feb 14, 2022
orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner

Introduction orfipy is a tool written in python/cython to extract ORFs in an extremely and fast and flexible manner. Other popular ORF searching tools

Urminder Singh 34 Nov 21, 2022
Python tool for dumping flash via uboot reliably

Reliable Uboot Flash Dumper is a Python tool for dumping flash via uboot reliably. If you've ever had to dump flash via uboot and a serial connection and became frustrated about doing it several time

SecurityJon 25 May 10, 2022
Something I built to test for Log4J vulnerabilities on customer networks.

Log4J-Scanner Something I built to test for Log4J vulnerabilities on customer networks. I'm not responsible if your computer blows up, catches fire or

1 Dec 20, 2021
Script hecho en python para sacar la informacion del numero de telefono, Hecha con el API de numverify

Script hecho en python para sacar la informacion del numero de telefono, Hecha con el API de numverify

DW Dariel 5 Dec 03, 2022
the metasploit script(POC) about CVE-2021-36260

CVE-2021-36260-metasploit the metasploit script(POC) about CVE-2021-36260. A command injection vulnerability in the web server of some Hikvision produ

Taroballz 14 Nov 09, 2022
Now patched 0day for force reseting an accounts password

Animal Jam 0day No-Auth Force Password Reset via API Now patched 0day for force reseting an accounts password Used until patched to cause anarchy. Pro

IRIS 10 Nov 17, 2022
Password List Maker

Red-Key Red-Key Password List Maker Version 1.1.2 Created By FireKing255 -=Features=- Create Random Password List Create Password List Create Password

FireKing255 7 Dec 26, 2021
Wireguard VPN Server Installer for: on Ubuntu, Debian, Arch, Fedora and CentOS

XGuard (Wireguard Server Installer) This Python script should make the installation of a Wireguard VPN server as easy as possible. Wireguard is a mode

Johann 3 Nov 04, 2022
Lite version of my Gatekeeper backdoor for public use.

Gatekeeper Lite Backdoor Fully functioning bind-type backdoor This backdoor is a fully functioning bind shell and lite version of my full functioning

Joe Helle 56 Mar 25, 2022
DependConfusion-X Tool is written in Python3 that scans and monitors list of hosts for Dependency Confusion

DependConfusion-X Tool is written in Python3 which allows security researcher/bug bounty hunter to scan and monitor list of hosts for Dependency Confusion.

Ali Fathi Ali Sawehli 4 Dec 21, 2021
Generate obfuscated meterpreter shells

Generator Evade AV with obfuscated payloads Installation must install dotnet prior to running the script with net45 Running ./generator.py -ip Your-I

Fawaz Al-Mutairi 219 Nov 28, 2022
A tool to brute force a gmail account. Use this tool to crack multiple accounts

A tool to brute force a gmail account. Use this tool to crack multiple accounts. This tool is developed to crack multiple accounts

Saad 12 Dec 30, 2022
This tool allows to automatically test for Content Security Policy bypass payloads.

CSPass This tool allows to automatically test for Content Security Policy bypass payloads. Usage [cspass]$ ./cspass.py -h usage: cspass.py [-h] [--no-

Ruulian 30 Nov 22, 2022
Tools ini digunakan untuk krekk pacebuk:v

E-Crack By Aang-XD Fitur Login • Login via token facebook • Login via cookie facebook Install On Termux $ pkg update && pkg upgrade $ pkg install pyth

Aang Ardiansyah-XD 2 Dec 24, 2021
ProxyShell POC Exploit : Exchange Server RCE (ACL Bypass + EoP + Arbitrary File Write)

ProxyShell Install git clone https://github.com/ktecv2000/ProxyShell cd ProxyShell virtualenv -p $(which python3) venv source venv/bin/activate pip3 i

Poming huang 312 Dec 09, 2022
Signatures and IoCs from public Volexity blog posts.

threat-intel This repository contains IoCs related to Volexity public threat intelligence blog posts. They are organised by year, and within each year

Volexity 130 Dec 29, 2022