Introduction
BETA SUPPORT ONLY - MAC OS SUPPORT ONLY
The Heimdallr IDA plugin exposes a localhost gRPC server for each IDA instance, which allows the Heimdallr client to navigate to locations in IDA.
Installation
- Install heimdallr-ida with pip (ensure the pip you are using matches the Python environment IDA is using)
  - Using git directly
    pip3 install -e git+https://git@github.com/interruptlabs/heimdallr-ida.git#egg=heimdallr_ida
  - From a cloned repo
    pip3 install -e .
- Launch IDA and enter the following into the console
import heimdallr
heimdallr.install()
- Relaunch IDA and verify that the gRPC server started up successfully. You should see something like the following in the output console:
[Heimdallr RPC] Plugin version 0.0.1
Starting server on 127.0.0.1:51278
Wrote {"pid": 36813, "address": "127.0.0.1:51278", "file_name": "example.i64", "file_hash": "b058de795064344a4074252e15b9fd39"} to /Users/roberts/.idapro/heimdallr/36813
- Install heimdallr-client
Usage
You should now be able to open disas:// URIs from anywhere in the system. This could be a Slack DM, a Confluence page, or an Obsidian note. The format is as follows:
disas://example.i64%3Foffset%3D0x1002315b6%26hash%3Db058de795064344a4074252e15b9fd39%26view%3Ddisasm
These are automatically generated by creating a note in the heimdallr_ida plugin.
The search behaviour for a relevant IDB is as follows:
- Search for an open IDA instance with this database already open
- Search IDA recently open files for the location of the database
- Search your idb_path for matching files
The search pattern is used to ensure links can be used easily within a team, so long as you have a database that is based on the same source file and has the same name.
IDBs are matched by both the database name and source file hash. As such, changing the database name will cause URIs to no longer be valid.
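Because these URIs can arrive from anywhere (a chat message, a wiki page), a handler should validate every field before acting on one. The following is an added example, not code from heimdallr: it decodes the sample URI above, checks each field, and matches it against an instance record by name and hash. The field rules and the names parse_disas_uri and find_instance are assumptions inferred from the sample on this page.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample input: the URI and the instance record shown on this page.
SAMPLE_URI = ("disas://example.i64%3Foffset%3D0x1002315b6"
              "%26hash%3Db058de795064344a4074252e15b9fd39%26view%3Ddisasm")
SAMPLE_RECORD = ('{"pid": 36813, "address": "127.0.0.1:51278", '
                 '"file_name": "example.i64", '
                 '"file_hash": "b058de795064344a4074252e15b9fd39"}')

# Assumed field shapes, inferred from the sample above (not a project spec).
FIELD_RULES = {
    "offset": re.compile(r"0x[0-9a-fA-F]{1,16}"),
    "hash": re.compile(r"[0-9a-f]{32}"),
    "view": re.compile(r"[a-z]{1,16}"),
}
NAME_RULE = re.compile(r"[^/\\\x00-\x1f]{1,255}")  # bare file name, no path


def parse_disas_uri(uri):
    """Decode a disas:// URI into validated fields; raise ValueError if malformed."""
    scheme, sep, rest = uri.partition("://")
    if scheme != "disas" or not sep:
        raise ValueError("not a disas:// URI")
    name, _, query = unquote(rest).partition("?")
    if not NAME_RULE.fullmatch(name) or name in (".", ".."):
        raise ValueError("database name must be a bare file name")
    fields = {}
    for pair in query.split("&"):
        key, eq, value = pair.partition("=")
        if not eq or key in fields or key not in FIELD_RULES:
            raise ValueError(f"unexpected, malformed or duplicate field: {pair!r}")
        if not FIELD_RULES[key].fullmatch(value):
            raise ValueError(f"bad value for {key}")
        fields[key] = value
    if fields.keys() != FIELD_RULES.keys():
        raise ValueError("missing field")
    return {"file_name": name, "offset": int(fields["offset"], 16),
            "file_hash": fields["hash"], "view": fields["view"]}


def find_instance(link, records):
    """Return the address of the first record matching both name and hash."""
    for raw in records:
        rec = json.loads(raw)
        if (rec.get("file_name") == link["file_name"]
                and rec.get("file_hash") == link["file_hash"]):
            return rec.get("address")
    return None
```

Renaming the database in the record makes find_instance return None, which is the "URIs no longer valid" behaviour described above.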
You can make notes by highlighting the area of text in IDA you want to copy and pressing "Ctrl+Shift+N". The text will be added to a code block with a link back to where it came from and added to your clipboard.
If you want to make a link to share with someone else, press "Ctrl+Alt+N" and the link to where you are in IDA will be added.
This currently only works for the Disassembly and Pseudocode views.
Ghidra Cross Compatibility
The wonderful people over at Foundry Zero have created a Ghidra plugin which offers the same functionality. You can get it here
The plugins are compatible, meaning links created with their plugin can be opened in IDA with this client, and vice versa. This allows you to collaborate with other researchers regardless of the disassembler you use!
Common Issues
IDA doesn't pick up dependencies
The version of Python IDA is using can be different from that of your system. To verify the version of Python you are using, you can put the following in the IDA Python console:
Python>import os
Python>os.__file__
'/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/lib/python3.9/os.py'
And doing the same in the terminal:
roberts@RobertS-IL-Mac Documents % python3 -q
>>> import os
>>> os.__file__
'/opt/homebrew/Cellar/python@3.10/3.10.8/Frameworks/Python.framework/Versions/3.10/lib/python3.10/os.py'
From here you can either update IDA to match with:
/Applications/IDA\ Core\ 8.1/idabin/idapyswitch
Or install the packages into the relevant Python environment by using the path from IDA:
/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/bin/python3 -m pip install -e git+ssh://git@github.com/interruptlabs/heimdallr-ida.git#egg=heimdallr_ida