ESET Analysis publicizes IPyIDA 2.0, a Python plugin integrating IPython and Jupyter Pocket book into IDA
IDA Pro from Hex-Rays might be the most well-liked instrument at present for reverse-engineering software program. For ESET researchers, this instrument is a favourite disassembler and has impressed the event of the IPyIDA plugin that embeds an IPython kernel into IDA Professional. Underneath steady improvement since 2014, we’re happy to announce the discharge of model 2.0. IPyIDA serves an analogous function as one other plugin referred to as IDA IPython, however with a twist: whereas IDA IPython solely helps Home windows, IPyIDA helps macOS, Linux, and Home windows.
If you’re already accustomed to IDA Professional and IPython, then skip to the last section of this text on IPyIDA. If you’re unfamiliar with IPython, then skip to the middle section. Lastly, in the event you would recognize a quick introduction to IDA Professional, then learn on.
What’s IDA Professional?
IDA Professional is a disassembler that interprets machine code to meeting code. After loading a file, IDA Professional disassembles it and shops the evaluation in database information. IDA Professional offers varied home windows into the database, every uniquely serving to the researcher discover and higher perceive the code of curiosity.
Let’s take a look at a number of of those home windows by loading the MathLibrary.dll file, which might be constructed with Microsoft’s tutorial on creating a DLL file.
Output window
The Output window shows messages in regards to the standing of the evaluation of a file, error messages for user-requested operations, and the output from some plugins. Determine 1 exhibits the Output window after first loading MathLibrary.dll.
Determine 1. The IDA Output window
On the backside of this window is an enter subject that accepts instructions. Determine 2 exhibits the 2 default command language suppliers shipped with IDA since model 7.3: IDC for instructions written in a C-like language native to IDA and the IDAPython plugin for instructions written in Python.
Determine 2. The enter subject to sort Python instructions in IDA
IDA View window
The IDA View window, often known as the disassembly window, has two show codecs: graph view and textual content view. Graph view visualizes this system movement by dividing capabilities into blocks with a single entry and a single exit level. Determine 3 exhibits graph view.
Determine 3. The IDA disassembly graph view
Textual content view offers a linear view of the disassembly that shows digital addresses, meeting code, and feedback. Determine 4 exhibits textual content view.
Determine 4. The IDA disassembly textual content view
Along with these and the various different home windows that IDA offers, IDA permits you to write customized plugins that stretch its options and remedy sensible reverse-engineering issues. Let’s flip to IPython and a few enticing options it provides reverse engineers who use Python scripts in IDA.
A look at IPython
Whereas IDAPython serves the essential wants for working Python scripts and instructions in IDA, Python fans have been gripped by IPython fever. IPython is a toolkit that gives a extra interactive expertise with Python. IPython makes use of a two-process mannequin consisting of a kernel and a consumer. The kernel is a course of that receives instructions from the consumer, executes them, and returns the outcomes. The consumer might be any interactive console comparable to Jupyter Console, Jupyter Qt Console, or Jupyter Notebook.
The interactive nature of those shoppers comes from the host of options that they add to the traditional Python shell. Determine 5 exhibits utilizing a multiline code block to outline a operate in IPython.
Determine 5. Utilizing a multiline code block to outline a operate in IPython
Discover the syntax highlighting of integers, key phrases, built-in capabilities, and strings.
By urgent the Tab key, IPython offers a listing of related attributes, objects, or capabilities that may full the code. Determine 6 exhibits tab completion itemizing capabilities related to a string object.
Determine 6. Tab completion in IPython
Tab completion is richer if Jedi is put in.
IPython additionally offers magic capabilities, that are capabilities which can be sometimes referred to as with a % or %% prefix and take arguments with a command-line-style syntax. Determine 7 exhibits the %timeit magic operate, which instances the execution of a Python expression.
Determine 7. A magic operate in IPython
Through the use of the ! character initially of a command line, the IPython console passes the command to the underlying system shell to be run. For instance, a well-liked command is pip, which installs and manages packages from the Python Package Index (PyPi). Determine 8 exhibits the !pip command being run from IPython.
Determine 8. Operating system shell instructions from IPython
IPython offers many extra interactive options that may be explored within the official documentation.
IPyIDA: Bringing IPython to IDA
With the discharge of IPyIDA 2.0, writing Python scripts in IDA is extra pleasant due to the next benefits:
- Help for IDA on Home windows, Linux, and macOS
- An set up script for simple setup, even in a virtual environment
- A Jupyter Qt Console working in an IDA window
- An IPython kernel that may hook up with entrance ends, like Jupyter Console, from exterior IDA.
- A Jupyter kernel proxy to assist opening a Jupyter Pocket book that connects again to the IPython kernel with the %open_notebook magic operate
Determine 9 exhibits the method of opening a Jupyter Pocket book from IPyIDA.
Determine 9. The %open_notebook magic operate in IPyIDA
Determine 10 exhibits a Jupyter Console working in a terminal session exterior IDA connecting to the IPython kernel in IDA.
Determine 10. A Jupyter Console exterior IDA connecting again to the IPython kernel in IDA
The selection of the Jupyter Qt Console for IPyIDA brings extra interactive options to the standard IPython console, comparable to inline graphics, saving and printing of the present session, and full syntax highlighting. These are illustrated within the official documentation for the Jupyter Qt Console.
IPyIDA even offers its personal interactive options impressed by IDA. Determine 11 exhibits that Ctrl-clicking (Cmd-clicking on macOS) on addresses or variable names within the IPython console jumps the view to the digital handle within the disassembly window.
Determine 11. Ctrl-clicking a variable or handle in IPyIDA jumps to the handle in IDA’s disassembly window
Determine 12 exhibits a hex dump for a byte array with non-ASCII content material.
Determine 12. IPyIDA shows hex dumps
If you’re new to IDA Professional, IPyIDA is a large assist to turning into accustomed to the IDA API. If you’re a veteran, IPyIDA makes Python scripting a lot simpler, and thus the time spent reverse engineering hopefully extra centered and fruitful.