HexRaysPyTools: Ida Pro plugin to assists in creation classes/structures and detection virtual table

HexRaysPyTools

Plugin assists in creation classes/structures and detection virtual tables. Also helps to transform decompiler output faster and allows to make some stuff otherwise impossible. Was introduced at ZeroNights 2016 (slides).

Features

1) Structure Creation

Best to use with Class Informer plugin, because it helps to automatically get original names of the classes.

Structure Builder (Alt + F8)

The place where all collected information about scanned variables can be viewed and modified. Two ways to collect information:

• Right Click on variable -> Scan Variable. Recognizes fields usage within current function
• Right Click on variable -> Deep Scan Variable. First recursively touches functions to make Ida recognize proper arguments (it happens only once for each function during session). Than recursively applies scanner to variables and functions that get our structure pointer as argument.

• Types with BOLD font are virtual tables. Double click opens list with all virtual functions that helps to visit them. Visited functions are marked with cross and color:

• Types with ITALIC font have been found as void * arguments and are not used in shape recognition.
• Double click on Field’s names to edit
• Double click on offset opens window with every places where this type has been extracted. Click “Ok” button to open selected place in pseudocode window:

Finalize – opens window with editable C-like declaration and assigns new type to all scanned variables.

Disable, Enable – are used for collision resolution.

Origin – switches base from which offset to produce new fields to structure (this value will be added to every offset of new scanned variable).

Array – makes selected field as array, the size of which is calculated automatically.

Pack – creates and substitutes substructure for selected items (collisions for this items should be resolved).

Unpack – dismembers selected structure and adds all it’s fields to builder

Remove – removes information about selected fields.

Clear – clears everything.

Recognize Shape – looks for appropriate structure for selected fields.

2) Disassembler code manipulations

Structures with given size

Usage:

1. In Pseudocode viewer, right click on number -> “Structures with this size”. (hotkey W)
2. Select library in which find structures
3. Select structure. Number will become sizeof(Structure Name) and type will be imported to Local Types

Recognition of structures by shapes

Helps to find suitable structure by information gleaned from pseudocode after variable scanning.

Usage:

• Method 1
  1. Right click on variable with LEGAL_TYPE (See structure builder) -> Select “Recognize Shape”.
  2. Select structure.
  3. Type of variable will be changed automatically.
• Method 2
  1. Clear Structure Builder if it’s currently used.
  2. Right click on variables supposed to be the same -> “Scan Variable”.
  3. Edit types (will be implemented later), disable or remove uninteresting fields and click button “Recognize Shape”.
  4. You can selected several fields and try to recognize shape for them. If found and selected, they will be replaced by new structure.
  5. After final structure selection, types of all scanned variables will be changed automatically.

Install

git clone https://github.com/igogo-x86/HexRaysPyTools.git

Just copy HexRaysPyTools.py file and HexRaysPyTools directory to Ida plugins directory

Use

Source: https://github.com/igogo-x86/