## hrtng IDA plugin

hrtng IDA plugin is a collection of tools, ideas and experiments from different sources I've found interesting and useful in my reversing work.
A practical guide to reversing complex malware, using the dissection of a FinSpy module with the help of the hrtng IDA plugin as its example, is published at (https://securelist.com/hrtng-ida-pro-plugin/)
There is no single place in the menu where all functionality of the plugin is grouped together. Instead, hrtng menu items are placed next to the logically related standard IDA and Hex-Rays decompiler functions. Messages, menu items, popup windows and dialog boxes that belong to this plugin are marked with the "``" prefix.
The plugin requires the Hex-Rays decompiler to be present in your IDA installation. The plugin can be compiled with IDA SDK >= 7.3, but it is not well tested with old SDK versions.
Special thanks to the following people for their great plugins, which were used as the base for my work:
* Milan Bohacek, (https://github.com/nihilus/hexrays_tools) and (https://hex-rays.com/contests_details/contest2016/hexlight/hexrays_hlight.py)
* HexRaysDeob by (https://hex-rays.com/blog/hex-rays-microcode-api-vs-obfuscating-compiler) and (https://blogs.vmware.com/security/2019/02/defeating-compiler-level-obfuscations-used-in-apt10-malware.html)
* Karthik Selvaraj (https://www.hex-rays.com/contests/2012/Krypton_2012_Hex-Rays_Contest.zip)
* Ali Rahbar, Ali Pezeshk and Elias Bachaalany (https://github.com/lallousx86/GraphSlick)
* Markus Gaasedelen (https://github.com/gaasedelen/microavx)
### Features of the plugin:
#### Automation
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/pull-cmt.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/var-auto-rename.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/enum.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/com-helper.md)
#### Interactive pseudocode transformation
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/rename-recast.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/recast.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/reicast.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/collapse.md)
* ["offsetof" convertor](https://github.com/KasperskyLab/hrtng/blob/master/doc/offsetof.md)
#### Decryption
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/decr.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/stk-str.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/arr-str.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/appcall.md)
#### Deal with obfuscated code
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/deob.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/api-hashes.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/unflat.md)
#### Code recognition
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/msig.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/deinline.md)
#### Structures assistance
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/cr_struc.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/struct-gaps.md)
#### Virtual/indirect calls assistance
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/virtual-calls.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/ijmp.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/fix-stack.md)
#### IDA UI improvements
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/xrefs_ex.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/brace.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/func-sync.md)
#### Misc features
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/zeal-api-help.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/avx.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/dump-strings.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/offsets-tbl.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/usercall.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/golang.md)
#### Patching
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/patch-nops.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/patch-dbg.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/search-n-patch.md)
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/create_dec.md)
#### IDA plugin developer help
* (https://github.com/KasperskyLab/hrtng/blob/master/doc/mcode-expl.md)
### Building
* Clone or download the cryptopp-cmake source code (https://github.com/abdes/cryptopp-cmake) into the `hrtng/src/cryptopp-cmake` folder.
```
cd src
git clone https://github.com/abdes/cryptopp-cmake
```
* Copy the `IDA_DIR/plugins/hexrays_sdk/include/hexrays.hpp` file into the `include` directory of the IDA SDK. (Not necessary for IDA 9.0.)
* Edit the `hrtng/src/CMakeLists.txt` file to set the correct path and version of the IDA SDK in use. To build later against another SDK version, you can change cmake's `IDASDK_VER` variable using the `cmake -D`, `ccmake` or `cmake-gui` tools.
* Create a build directory, go into it, then configure and build the cmake project
```
mkdir bld && cd bld
cmake <path-to/hrtng/src>
cmake --build . --config Release -j 4 --clean-first
```
* On the first build attempt there will be a compile error that looks like:
```
hrtng/src/deob.cpp:912:60: error: ‘class rangeset_t’ has no member named ‘getbag’
fc.create("tmpfc2", ranges.getbag(), 0);//!!! add line into range.hpp, class rangeset_t: "const rangevec_t &getbag() const { return bag; }"
```
* To fix the error, edit the `IDA_SDK/include/range.hpp` file, adding a line with the `getbag` function implementation into the `class rangeset_t` declaration, as in the following example:
```
class rangeset_t
{
rangevec_t bag;
...
public:
const rangevec_t &getbag() const { return bag; }
...
};
```
* Copy the built binaries into the `IDA_DIR/plugins` folder together with the `apilist.txt` and `literal.txt` files from `hrtng/bin/plugins`
* Profit
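The `range.hpp` edit in the build steps above is easy to get wrong by hand: the line can land in the wrong class, or be applied twice on an SDK checkout shared between several plugin builds. The following script is an added example and is not part of hrtng or the IDA SDK; it applies the same `getbag()` one-liner idempotently, keeps a backup of the untouched header, and verifies that the line ended up inside `class rangeset_t` rather than somewhere else. The function names `patch_rangeset_getbag` and `has_getbag_in_rangeset`, the assumption that the SDK declares `class rangeset_t` at column 0 and closes it with `};`, and the minimal stand-in header used for the demo are all assumptions made here, not facts taken from the SDK.

```shell
#!/bin/sh
# Added example (not hrtng's or the IDA SDK's own code): script the range.hpp
# fix from the hrtng build steps instead of editing the header by hand.
# Assumes the header declares `class rangeset_t` at column 0, has a `public:`
# label inside the class and closes the class with `};` (as in the README snippet).
set -eu

GETBAG_LINE='  const rangevec_t &getbag() const { return bag; }'

# patch_rangeset_getbag <path/to/IDA_SDK/include/range.hpp>
# Inserts GETBAG_LINE after the first `public:` inside class rangeset_t,
# keeps a backup in <file>.orig and is a no-op when getbag() already exists.
patch_rangeset_getbag() {
    hdr="$1"
    [ -f "$hdr" ] || { echo "not found: $hdr" >&2; return 1; }
    if grep -q 'getbag()' "$hdr"; then
        echo "getbag() already present in $hdr, nothing to do"
        return 0
    fi
    # Only the `public:` that lies between `class rangeset_t` and its `};` is touched,
    # so an earlier class with its own `public:` label is left alone.
    awk -v line="$GETBAG_LINE" '
        /^class rangeset_t/                           { inclass = 1 }
        inclass && !done && /^[ \t]*public:[ \t]*$/   { print; print line; done = 1; next }
        inclass && /^};/                              { inclass = 0 }
        { print }
    ' "$hdr" > "$hdr.tmp"
    if ! has_getbag_in_rangeset "$hdr.tmp"; then
        rm -f "$hdr.tmp"
        echo "no 'public:' label found inside class rangeset_t in $hdr" >&2
        return 1
    fi
    cp "$hdr" "$hdr.orig"
    mv "$hdr.tmp" "$hdr"
    echo "patched $hdr (backup in $hdr.orig)"
}

# has_getbag_in_rangeset <header>
# Succeeds only if getbag() is declared between `class rangeset_t` and its `};`;
# a getbag() that landed in some other class does not count.
has_getbag_in_rangeset() {
    awk '
        /^class rangeset_t/     { inclass = 1 }
        inclass && /getbag\(\)/ { found = 1 }
        inclass && /^};/        { inclass = 0 }
        END                     { exit !found }
    ' "$1"
}

# Demo on a constructed, minimal stand-in for range.hpp (not the real SDK file).
demo_dir=$(mktemp -d)
cat > "$demo_dir/range.hpp" <<'EOF'
class rangeset_t
{
  rangevec_t bag;
public:
  void clear();
};
EOF
patch_rangeset_getbag "$demo_dir/range.hpp"
patch_rangeset_getbag "$demo_dir/range.hpp"   # second run is a no-op
cat "$demo_dir/range.hpp"
```

Point `patch_rangeset_getbag` at `IDA_SDK/include/range.hpp` before the cmake configure step; if the SDK you build against already provides `getbag()` the script exits without touching the file, and the `.orig` backup lets you restore the pristine header before upgrading the SDK.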
### License
This program is released under the GPL v3 license
### Authors
* Sergey.Belov at kaspersky.com
(https://github.com/KasperskyLab/hrtng/releases)