IDArling

<p align="center"> <img src="https://i.imgur.com/9Vxm0Fn.png" /> </p>

Overview

IDArling is a collaborative reverse engineering plugin for IDA Pro and Hex-Rays. It lets multiple IDA users synchronize in real time the changes they make to an IDA database, by connecting different instances of IDA Pro together.

It works by hooking certain IDA events generated by one user in IDA and propagating the detected changes to other IDA users through a server architecture. It supports working from a given snapshot with changes done by other IDA users re-applied to every other user loading the same snapshot.

Releases

This project is under active development. Feel free to send a PR if you would like to help! :-)

It is stable enough to be used in its current state, but be aware of the features IDArling does not support before using it so you can save a new snapshot to work around the limitations (see below).

Note: this is a fork of https://github.com/IDArlingTeam/IDArling. The IDArlingTeam version supports IDA 7.0+ and Python2/3. Our fork only supports the latest version of IDA Pro (7.5 atm) and Python 3 but has more features.

Note: if you migrate from an IDArlingTeam installation, you are advised to back up your old IDBs and start from a fresh new server. This is because we had to break backward compatibility to add certain features.

Installation

There are two different use cases:

Server-side

Python3 is required.

The IDArling server is run on a remote system from the command-line. Generally simply running ./idarling_server.py --no-ssl is sufficient. A more advanced invocation is:

python3 idarling_server.py -h 192.168.1.1 -p 12345 --no-ssl -l DEBUG

Client-side

The latest version of IDA Pro (7.5 atm) with IDA Python 3 is supported.

Install the IDArling client into the IDA plugins folder.

import urllib.request; exec(urllib.request.urlopen('https://raw.githubusercontent.com/fidgetingbits/IDArling/master/easy_install.py').read())

Integrated server

To enable the integrated server, you can choose "Integrated Server" after right-clicking the IDArling widget located in the status bar.

The integrated server requires PyQt5, which is bundled with IDA. If you're using an external Python installation, we recommend using Python 3, which offers a pre-built package that can be installed with a simple pip install PyQt5.

Connection to server and usage

Open the "Settings" dialog, accessible by right-clicking the IDArling widget located in the status bar. Show the servers list by clicking on the "Network Settings" tab and add your server to it. Connect to the server by right-clicking the widget again and clicking on the server. Finally, you should be able to access the following menus to upload or download a database:

Features

General features

The main features of IDArling (advertised originally) are:

Implementation details

In order to understand which changes are actually synced and which are not, it is worth mentioning some implementation details.

We like to define the following terms in the IDArling jargon:

In general, the first thing is to create a project for the research topic you are starting. Then, you create a binary file to analyse a given file with a unique hash (e.g. ntoskrnl.exe on Windows 10 1809 x64 from May 2019) and then you create one initial database snapshot and save the current IDB as that snapshot on the server.

All the changes made for this IDB can live in the same saved snapshot as long as all the changes you do are synced by IDArling. However, if there are some major changes that are not synced by IDArling, you need to create an additional snapshot to save these changes and all users SHOULD then use that particular snapshot.

In general, it is better to always start from the latest snapshot for a given binary file when you start working from the IDArling server, unless you know what you are doing.

Another important detail of IDArling is that it stores in the IDB itself the project, binary file and database snapshot that was used when saving the IDB onto the server. Because of that, it is possible to open a local copy of a given IDB that was previously used with IDArling and the IDArling plugin will recognise what snapshot this IDB is part of.

If you decide to save an IDB to a new snapshot, you are NOT REQUIRED to then close the IDB and open the new snapshot that you have just saved. You can keep working from your existing already-opened IDB. This is because the new project, binary file and database snapshot are automatically updated in your local copy of the IDB. The only exception to this would be if someone else simultaneously saved their own IDB and uploaded a new snapshot and you want to use that snapshot.

Known changes already synced by IDArling

These changes are indicated as "ticks" in the IDArling plugin jargon.

In general, the changes applied to a given snapshot are retrieved the next time you open the particular snapshot as the events will be propagated to the base IDB or your local copy.

Note: the above list is not up-to-date and needs to be updated.

Known changes not currently synced by IDArling

These changes typically require you to create a new database (i.e. snapshot, as explained above) so you don't lose your changes. It is typically the case for actions that do not generate events that IDArling can catch and propagate.

We track the issues on our GitHub repository in 2 categories:

Note that some of the issues have been marked as "won't fix" and closed as atm we don't think they are worth fixing but feel free to add comments if you disagree.

Thanks

This project is inspired by Sol[IDA]rity. It started after contacting its authors and asking if it was ever going to be released to the public. Lighthouse source code was also carefully studied to understand how to write better IDA plugins.

Thanks to Quarkslab for allowing this release.

Authors

If you have any questions not worthy of a bug report, feel free to ping us at #idarling on freenode and ask away.