idamagicstrings: An IDA Python script to extract information from string constants

IDAMagicStrings

An IDA Python plugin to extract information from string constants. The current version of the plugin is able to:

  • Display functions to source files relationships (in a tree and in a plain list, a chooser in IDA language).
  • Display guessed function names for functions.
  • Rename functions according to the source code file their belong + address (for example, memory_mgmt_0x401050).
  • Rename functions according to the guessed function name.

idamagicstringsDownload

git clone https://github.com/joxeankoret/idamagicstrings.git

Running the plugin

When the Python script is executed from within IDA it builds a list of ASCII and Unicode strings found by IDA and then applies a series of regular expressions to extract source code filenames, directories and candidate function names. Then, it shows 3 tabs with information:

  • Candidate function names: The function names guessed from the referenced string constants. Some basic and rudimentary false positive detection is implemented and this data is available in the column “FP?” (“False Positive?”).
    • If available, it uses NLTK to detect the appropriate words that can be function name candidates (i.e., nouns, verbs and names).
  • Source code tree: Just a tree widget showing file names and, inside each one, the functions or references to the source file.
  • Source code files: A list (or chooser in the IDA’s language) with source code filenames to function addresses and names.

Copyright (C) 2018 joxeankoret

Source: https://github.com/joxeankoret/

Share