idamagicstrings: An IDA Python script to extract information from string constants
IDAMagicStrings
An IDA Python plugin to extract information from string constants. The current version of the plugin is able to:
- Display functions to source files relationships (in a tree and in a plain list, a chooser in IDA language).
- Display guessed function names for functions.
- Rename functions according to the source code file their belong + address (for example, memory_mgmt_0x401050).
- Rename functions according to the guessed function name.
Download
git clone https://github.com/joxeankoret/idamagicstrings.git
Running the plugin
When the Python script is executed from within IDA it builds a list of ASCII and Unicode strings found by IDA and then applies a series of regular expressions to extract source code filenames, directories and candidate function names. Then, it shows 3 tabs with information:
- Candidate function names: The function names guessed from the referenced string constants. Some basic and rudimentary false positive detection is implemented and this data is available in the column “FP?” (“False Positive?”).
- If available, it uses NLTK to detect the appropriate words that can be function name candidates (i.e., nouns, verbs and names).
- Source code tree: Just a tree widget showing file names and, inside each one, the functions or references to the source file.
- Source code files: A list (or chooser in the IDA’s language) with source code filenames to function addresses and names.
Copyright (C) 2018 joxeankoret
Source: https://github.com/joxeankoret/
