Patching - Interactive Binary Patching for IDA Pro

Related tags

Security related resourcesreverse-engineeringidaida-proidapythonpatchinghexrays
Overview

Patching - Interactive Binary Patching for IDA Pro

Patching Plugin

Overview

Patching assembly code to change the behavior of an existing program is not uncommon in malware analysis, software reverse engineering, and broader domains of security research. This project extends the popular IDA Pro disassembler to create a more robust interactive binary patching workflow designed for rapid iteration.

This project is currently powered by a minor fork of the ubiquitous Keystone Engine, supporting x86/x64 and Arm/Arm64 patching with plans to enable the remaining Keystone architectures in a future release.

Special thanks to Hex-Rays for supporting the development of this plugin.

Releases

  • v0.1 -- Initial release

Installation

This plugin requires IDA 7.6 and Python 3. It supports Windows, Linux, and macOS.

Easy Install

Run the following line in the IDA console to automatically install the plugin:

Windows / Linux

import urllib.request as r; exec(r.urlopen('https://github.com/gaasedelen/patching/raw/main/install.py').read())

macOS

import urllib.request as r; exec(r.urlopen('https://github.com/gaasedelen/patching/raw/main/install.py', cafile='/etc/ssl/cert.pem').read())

Manual Install

Alternatively, the plugin can be manually installed by downloading the distributable plugin package for your respective platform from the releases page and unzipping it to your plugins folder.

It is strongly recommended you install this plugin into IDA's user plugin directory:

import ida_diskio, os; print(os.path.join(ida_diskio.get_user_idadir(), "plugins"))

Usage

The patching plugin will automatically load for supported architectures (x86/x64/Arm/Arm64) and inject relevant patching actions into the right click context menu of the IDA disassembly views:

Patching plugin right click context menu

A complete listing of the contextual patching actions are described in the following sections.

Assemble

The main patching dialog can be launched via the Assemble action in the right click context menu. It simulates a basic IDA disassembly view that can be used to edit one or several instructions in rapid succession.

The interactive patching dialog

The assembly line is an editable field that can be used to modify instructions in real-time. Pressing enter will commit (patch) the entered instruction into the database.

Your current location (a.k.a your cursor) will always be highlighted in green. Instructions that will be clobbered as a result of your patch / edit will be highlighted in red prior to committing the patch.

Additional instructions that will be clobbered by a patch show up as red

Finally, the UP and DOWN arrow keys can be used while still focused on the editable assembly text field to quickly move the cursor up and down the disassembly view without using the mouse.

NOP

The most common patching action is to NOP out one or more instructions. For this reason, the NOP action will always be visible in the right click menu for quick access.

Right click NOP instruction

Individual instructions can be NOP'ed, as well as a selected range of instructions.

Force Conditional Jump

Forcing a conditional jump to always execute a 'good' path is another common patching action. The plugin will only show this action when right clicking a conditional jump instruction.

Forcing a conditional jump

If you never want a conditional jump to be taken, you can just NOP it instead!

Save & Quick Apply

Patches can be saved (applied) to a selected executable via the patching submenu at any time. The quick-apply action makes it even faster to save subsequent patches using the same settings.

Applying patches to the original executable

The plugin will also make an active effort to retain a backup (.bak) of the original executable which it uses to 'cleanly' apply the current set of database patches during each save.

Revert Patch

Finally, if you are ever unhappy with a patch you can simply right click patched (yellow) blocks of instructions to revert them to their original value.

Reverting patches

While it is 'easy' to revert bytes back to their original value, it can be 'hard' to restore analysis to its previous state. Reverting a patch may occasionally require additional human fixups.

Known Bugs

  • Further improve ARM / ARM64 / THUMB correctness
  • Define 'better' behavior for cpp::like::symbols(...) / IDBs (very sketchy right now)
  • Adding / Updating / Modifying / Showing / Warning about Relocation Entries??
  • Handle renamed registers (like against dwarf annotated idb)?
  • A number of new instructions (circa 2017 and later) are not supported by Keystone
  • A few problematic instruction encodings by Keystone

Future Work

Time and motivation permitting, future work may include:

  • Enable the remaining major architectures supported by Keystone:
    • PPC32 / PPC64 / MIPS32 / MIPS64 / SPARC / SystemZ
  • Multi instruction assembly (eg. xor eax, eax; ret;)
  • Multi line assembly (eg. shellcode / asm labels)
  • Interactive byte / data / string editing
  • Symbol hinting / auto-complete / fuzzy-matching
  • Syntax highlighting the editable assembly line
  • Better hinting of errors, syntax issues, etc
  • NOP / Force Jump from Hex-Rays view (sounds easy, but probably pretty hard!)
  • radio button toggle between 'pretty print' mode vs 'raw' mode? or display both? 
    Pretty:  mov     [rsp+48h+dwCreationDisposition], 3
   Raw:  mov     [rsp+20h], 3

I welcome external contributions, issues, and feature requests. Please make any pull requests to the develop branch of this repository if you would like them to be considered for a future release.

Authors

Comments
  • idasm is A Python Assembler Script Tool for IDA Pro based on

    idasm is A Python Assembler Script Tool for IDA Pro based on "patching"

    Dear gaasedelen, I extract core codes from your ingenious "patching" plugin. Now we can use "patching" as an automatic patching work engine for IDA. Here is the repository link: https://github.com/lyciumlee/idasm .

    opened by lyciumlee 2
  • OSError: [Errno 22] Invalid argument when trying to patch a large chunk

    OSError: [Errno 22] Invalid argument when trying to patch a large chunk

    When I tried to patch a large chunk, the patch will fail with OSError: [Errno 22] Invalid argument from https://github.com/gaasedelen/patching/blob/main/plugins/patching/util/ida.py#L101 I am trying to set a range of data to 0

    opened by asesidaa 2
  • Thanks for a great plugin

    Thanks for a great plugin

    Great job, what an useful plugin.

    this is not really a bug but rather a question, i tried open a request with no sucess.

    There is any way to assemble jmp +5 style short jumps for example.

    Thanks for your incredible job.

    Ricardo

    opened by ricnar456 2
  • error when click

    error when click "Apply patches to..." 

    ---------------------------------------------------------------------------------------------
Traceback (most recent call last):
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\actions.py", line 148, in activate
    controller = SaveController(self.core)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save.py", line 30, in __init__
    self.view = SaveDialog(self)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 13, in __init__
    self._ui_init()
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 30, in _ui_init
    self.setWindowFlags(self.windowFlags() & remove_flags)
TypeError: unsupported operand type(s) for &: 'WindowFlags' and 'WindowFlags'
Traceback (most recent call last):
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\actions.py", line 148, in activate
    controller = SaveController(self.core)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save.py", line 30, in __init__
    self.view = SaveDialog(self)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 13, in __init__
    self._ui_init()
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 30, in _ui_init
    self.setWindowFlags(self.windowFlags() & remove_flags)
TypeError: unsupported operand type(s) for &: 'WindowFlags' and 'WindowFlags'

    https://github.com/gaasedelen/patching/blob/main/plugins/patching/ui/save_ui.py#L30

    >>> print(self.windowFlags())
<PyQt5.QtCore.Qt.WindowFlags object at 0x000002048BED15B0>
>>> print(remove_flags)
<PyQt5.QtCore.Qt.WindowFlags object at 0x000002048BF7EAB0>

    versions info:

    • Windows 10
    • Python 3.10
    • PyQt5 5.15.6
    • patching: last release
    • Ida 7.6
    opened by Cirn09 1
  • need to delete patching.py in plugins dir

    need to delete patching.py in plugins dir

    Python>import urllib.request as r; exec(r.urlopen('https://github.com/gaasedelen/patching/raw/main/install.py').read()) [*] Starting auto installer for 'Patching' plugin... [*] Fetching info from GitHub... [*] Downloading patching_win32.zip... [] Saving patching_win32.zip to disk... [] Removing existing plugin... [*] Unzipping patching_win32.zip... [+] Patching v0.1.2 installed successfully! [!] Restart IDA to use the updated plugin install successfully

    Then i restart ida, C:\Users\asdf\AppData\Roaming\Hex-Rays\IDA Pro\plugins\patching.py: No module named 'patching.util'; 'patching' is not a package Traceback (most recent call last): File "E:\IDA Pro 7.6\python\3\ida_idaapi.py", line 617, in IDAPython_ExecScript exec(code, g) File "C:/Users/asdf/AppData/Roaming/Hex-Rays/IDA Pro/plugins/patching.py", line 42, in import patching File "E:\IDA Pro 7.6\plugins\patching.py", line 43, in from patching.util.python import reload_package ModuleNotFoundError: No module named 'patching.util'; 'patching' is not a package

    Then i try to delete \IDA Pro 7.6\plugins\patching.py, reserve \Users\asdf\AppData\Roaming\Hex-Rays\IDA Pro\plugins\patching.py, thats works.

    opened by helloobaby 0
  • problem with assemble

    problem with assemble

    when i try to use assemble i get error

    изображение i try on ida 7.6 and 7.7 and get some error OC-widows10 executable file-arm64 dylib if you need i can give .dmp file

    opened by mishavac 1
  • [Feature request] In-memory patching

    [Feature request] In-memory patching

    First of all, commendations on your great work ! The built-in assembler for IDA was pretty much unusable so the patching had to be done with an external program, making the whole process really tedious (load file in IDA -> debug -> patch in another app -> reload file in IDA -> reanalyze the whole thing -> debug -> rinse and repeat). This finally lets me drop the external app from the workflow and no reloading required, simply awesome !

    As far as binary patching goes, it currently works as-is. Finally also the "patched bytes" section actually works since your plugin keeps the backup file, and IDA does not get confused anymore on what is actually patched and what is original.

    I have a request though which would make it even better, incorporate the in-memory patching option from (currently defunct and unmaintained, unfortunately) https://github.com/scottmudge/DebugAutoPatch . The "About" section outlines well some of the grievances with the IDA built-in patching system and fixes them. I do not know how non-trivial it would be to add those features to this patcher plugin though

    opened by anzz1 1
  • not working

    not working

    Traceback (most recent call last): File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\actions.py", line 127, in activate wid = PatchingController(self.core, get_current_ea(ctx)) File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\preview.py", line 47, in init self.refresh() File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\preview.py", line 223, in refresh self.select_address(self.address) File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\preview.py", line 68, in select_address if insn.address != ea: AttributeError: 'NoneType' object has no attribute 'address'

    opened by advokat11 0
  • Jump to next line on enter key

    Jump to next line on enter key

    In the Assemble dialog, the cursor should jump to the next line when I press the Enter key. This is a required feature to edit/write multiple assembly code.

    Can you add this behavior?

    opened by CaledoniaProject 0
Releases(v0.1.2)
Owner
turning over rocks and finding nothing is still progress.
GitHub Repository
Infection Monkey - An automated pentest tool

Infection Monkey Data center Security Testing Tool Welcome to the Infection Monkey! The Infection Monkey is an open source security tool for testing a

Guardicore Ltd. 6k Jan 09, 2023
Automatically download all 10,000 CryptoPunk NFTs.

CryptoPunk Stealer The sole purpose of this script is to download the entire CryptoPunk NFT collection. How does it work? Basically, the website where

Dan 7 Oct 22, 2022
A simple password generator using Python Tkinter.

Password-Generator-using-Python A simple password generator that generates password for you. User can Copy the password to Clipboard. Project made usi

Prashant Agheda 1 Nov 02, 2022
Uses Sharphound, Bloodhound and Neo4j to produce an actionable list of attack paths for targeted remediation.

GoodHound ______ ____ __ __ / ____/___ ____ ____/ / / / /___ __ ______ ____/ / / / __/ __ \/ __ \/ __

idna 352 Jan 02, 2023
Seamless deployment and management of cybersecurity solutions 🏗️

Description 🖼️ Background 👴🏼 Vision 📜 Concepts 💬 Solutions' Lifecycle. Operations ⭕ Functionalities 🚀 Supported Cybersecurity Solutions 📦 Insta

MutableSecurity 36 Nov 10, 2022
Make your own huge Wordlist with advanced options

#It's my first tool i hope to be useful for everyone, Make your own huge Wordlist with advanced options, You need python3 to run this tool, If you hav

0.1Arafa 6 Dec 08, 2022
A Tool for subdomain scan with other tools

ReconTracer A Tool for subdomain scan with other tools ReconTracer Find subdomains by using another amazing sources!. Obs: In a close future recontrac

15 Dec 18, 2021
This is a partial and quick and dirty proof of concept implementation of the following specifications to configure a tor client to use trusted exit relays only.

This is a partial and quick and dirty proof of concept implementation of the following specifications to configure a tor client to use trusted exit re

22 Nov 09, 2022
Tenssens framework focused on gathering information from free tools or resources. The intention is to help people find free OSINT resources.

Tenssens framework focused on gathering information from free tools or resources. The intention is to help people find free OSINT resources.

Md. Nur habib 31 Oct 21, 2022
Separation of Mainlobes and Sidelobes in the Ultrasound Image Based on the Spatial Covariance (MIST) and Aperture-Domain Spectrum of Received Signals

Separation of Mainlobes and Sidelobes in the Ultrasound Image Based on the Spatial Covariance (MIST) and Aperture-Domain Spectrum of Received Signals

Rehman Ali 3 Jan 03, 2023
Open Source Tool - Cybersecurity Graph Database in Neo4j

GraphKer Open Source Tool - Cybersecurity Graph Database in Neo4j |G|r|a|p|h|K|e|r| { open source tool for a cybersecurity graph database in neo4j } W

Adamantios - Marios Berzovitis 27 Dec 06, 2022
Security tool to test different bypass of forbidden

notForbidden Security tool to test different bypass of forbidden Usage python3 notForbidden.py URL Features Bypass with different methods (POST, OPT

6 Sep 08, 2022
Spray365 is a password spraying tool that identifies valid credentials for Microsoft accounts (Office 365 / Azure AD).

What is Spray365? Spray365 is a password spraying tool that identifies valid credentials for Microsoft accounts (Office 365 / Azure AD). How is Spray3

Mark Hedrick 246 Dec 28, 2022
Gitlab RCE - Remote Code Execution

Gitlab RCE - Remote Code Execution RCE for old gitlab version = 11.4.7 & 12.4.0-12.8.1 LFI for old gitlab versions 10.4 - 12.8.1 This is an exploit f

153 Nov 09, 2022
Log4j command generator: Generate commands for CVE-2021-44228

Log4j command generator Generate commands for CVE-2021-44228. Description The vulnerability exists due to the Log4j processor's handling of log messag

1 Jan 03, 2022
EyeJo是一款自动化资产风险评估平台,可以协助甲方安全人员或乙方安全人员对授权的资产中进行排查,快速发现存在的薄弱点和攻击面。

EyeJo EyeJo是一款自动化资产风险评估平台,可以协助甲方安全人员或乙方安全人员对授权的资产中进行排查,快速发现存在的薄弱点和攻击面。 免责声明 本平台集成了大量的互联网公开工具,主要是方便安全人员整理、排查资产、安全测试等,切勿用于非法用途。使用者存在危害网络安全等任何非法行为,后果自负,作

429 Dec 31, 2022
Exploit and Check Script for CVE 2022-1388

F5-CVE-2022-1388-Exploit Exploit and Check Script for CVE 2022-1388 Usage Check against single host python3 CVE-2022-1388.py -v true -u target_url At

Andy Gill 52 Dec 22, 2022
Hadoop Yan RPC unauthorized RCE

Vuln Impact On November 15, 2021, A security researcher disclosed that there was an unauthorized access vulnerability in Hadoop yarn RPC. This vulnera

Al1ex 25 Nov 24, 2022
IDA Frida Plugin for tracing something interesting.

IDAFrida A simple IDA plugin to generate FRIDA script. Edit template for functions or you can use the default template. Select functions you want to t

PandaOS 133 Dec 24, 2022
This is a Crypto asset tracker that I built to aid my personal journey in cryptocurrencies.

Wallet Tracker This is a Crypto asset tracker that I built to aid my personal journey in cryptocurrencies. build docker build -t wallet-tracker . run

2 Mar 21, 2022