FindFunc v1.4 releases: IDA PRO plugin to find code functions
FindFunc: Advanced Filtering/Finding of Functions in IDA PRO
FindFunc is an IDA PRO plugin to find code functions that contain a certain assembly or byte pattern, reference a certain name or string, or conform to various other constraints. This is not a competitor to tools like Diaphora or BinNavi, but it is ideal to find a known function in a new binary for cases where classical bindiffing fails.
Filtering with Rules
The main functionality of FindFunc is letting the user specify a set of “Rules” or constraints that a code function in IDA PRO has to satisfy. FF will then find and list all functions that satisfy ALL rules (so currently all Rules are in an AND-conjunction). Exception: Rules can be “inverted” to be negative matches. Such rules thus conform to “AND NOT”.
FF will schedule the rules in a smart order to minimize processing time. Feature overview:
- Currently, 6 Rules are available, see below
- Code matching respects Addressing-Size-Prefix and Operand-Size-Prefix
- Aware of function chunks
- Smart scheduling of rules for performance
- Saving/Loading rules from/to file in simple ascii format
- Several independent Tabs for experimentation
- Copying rules between Tabs via clipboard (same format as a file format)
- Advanced copying of instruction bytes (all, opcodes only, all except immediate)
Button “Search Functions” clears existing results and starts a fresh search, “Refine Results” considers only results of the previous search.
Advanced Binary Copying
A secondary feature of FF is the option to copy binary representation of instructions with the following options:
- copy all -> copy all bytes to the clipboard
- copy without immediate -> blank out (AA ?? BB) any immediate values in the instruction bytes
- opcode only -> will blank out everything except the actual opcode(s) of the instruction (and prefixes)
Changelog v1.4
- new: clone tab option to clone rule + result list (right click on tab)
- new: add advanced copy menu: mask all but opcode and immediate
- guard against empty or invalid input when editing
- middle-click copies the resp. cell in rules and result tables to clipboard
- allow pasting immediates directly (0xABC or ABCh for hex, else dec)
- immediate-rules are now serialized in hex representation
- inverted rules now have red font-color
- rename button ‘Search Functions’ to ‘Find Functions’ – branding! 😉
