Awesome
IDA Splode
A tool that I wrote to help reversing on Windows. Also proof that I am bad at coming up with catchy names.
Presentation
See the presentation in slides/ for some examples on the sample application. I've also included an .idb that shows some of the features. All comments are auto-generated by the tool. The only input I provided was to give the structures a name, and to select various interesting instructions.
Requirements
%PIN_HOME%points to an installation of Intel's Pin.- MongoDB
- IDA Pro
- VS 2010
Usage
- Run
build.batfrom a MSVC 2010 console - Optionally, enable page heap for
test.exe(gflags /i test.exe +hpa) - Run
release.batto trace the test.exe program in release mode - Start MongoDB
- Run
demo.exe.pyto import the traces - Start IDA Pro, open
demo.exe - Run
py\idapython_script.pyfrom within IDA - If everything worked,
ida-splodeshould automatically recognize all traces for the open binary from the database, and present a list of options. - Press any of the hotkeys presented to do
${things}.- The slides should give you a good idea what is avaiable.
Ctrl+Shift+Hreprints the help message
Tips
- If PageHeap isn't enabled (
+hpa), it will waste a lot of time looking for heap metadata at instrumentation-time. - For whatever reason, if
_NT_SYMBOL_PATHincludes anySYM*paths versus just local paths, it won't find PDBs and you'll only get exports. Use_NT_SYMBOL_PATH=C:\symbolsor similar. - There are lots of twiddly bits to turn on and off. See
knobs.cpp. - This is generally intended to be run off-line. Pin alone will make execution slow; my instrumentation has not been profiled or optimized for speed.
- If you're not using a module white-list, only the main executable will be instrumented. Syntax for the whitelist is
-m foo.exe -m bar.dlland is case-insensitive. - To speed things up, consider using the
-roption to limit instrumentation to inside the scope of a particular routine (so you can skip all the start-up stuff). For example,-r demo!TestCustomMalloc.
- If you're not using a module white-list, only the main executable will be instrumented. Syntax for the whitelist is
Caveats
This is pulled from a working copy, so some things may not work properly. If you run into any issues, feel free to contact me at @ebeip90 or ebeip90 on Freenode.net.