rhabdomancer

"The road to exploitable bugs is paved with unexploitable bugs."

-- Mark Dowd

Rhabdomancer is a blazing fast IDA Pro headless plugin that locates all calls to potentially insecure API functions in a binary file. Auditors can backtrace from these candidate points to find paths that are reachable from untrusted input.

Features

Blog post

See also

Installing

The easiest way to get the latest release is via crates.io:

  1. Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
  2. Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
  3. Install rhabdomancer as follows:
    $ export IDASDKDIR=/path/to/idasdk90
    $ export IDADIR=/path/to/ida # if not set, the build script will check common locations
    $ cargo install rhabdomancer
    

Compiling

Alternatively, you can build from source:

  1. Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
  2. Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
  3. Compile rhabdomancer as follows:
    $ git clone https://github.com/0xdea/rhabdomancer
    $ cd rhabdomancer
    $ export IDASDKDIR=/path/to/idasdk90 # or edit .cargo/config.toml
    $ export IDADIR=/path/to/ida # if not set, the build script will check common locations
    $ cargo build --release
    

Usage

  1. Make sure IDA Pro is properly configured with a valid license.
  2. Customize the list of known bad API functions in conf/rhabdomancer.toml if needed.
  3. Run rhabdomancer as follows:
    $ rhabdomancer <binary_file>
    
  4. Open the resulting .i64 IDB file with IDA Pro.
  5. Select View > Open subviews > Bookmarks.
  6. Enjoy your results conveniently collected in an IDA Pro window.

Note: rhabdomancer also adds comments at marked call locations.

Tested with

Note: not tested on Windows; check the idalib documentation if you want to try it yourself.

Changelog

TODO