IDA2Obj – Static Binary Instrumentation
IDA2Obj is a tool to implement SBI (Static Binary Instrumentation).
The working flow is simple:
- Dump object files (COFF) directly from one executable binary.
- Link the object files into a new binary, almost the same as the old one.
- During the dumping process, you can insert any data/code at any location.
- SBI is just one of the using scenarios, especially useful for black-box fuzzing.
How to use
-
Prepare the enviroment:
- Set
AUTOIMPORT_COMPAT_IDA695 = YES
in theidapython.cfg
to support the API with old IDA 6.x style. - Install dependency:
pip install cough
- Set
-
Create a folder as the workspace.
-
Copy the target binary which you want to fuzz into the workspace.
-
Load the binary into IDA Pro, choose Load resources and manually load to load all the segments from the binary.
-
Wait for the auto-analysis done.
-
Dump object files by running the script
MagicIDA/main.py
.- The output object files will be inside
${workspace}/${module}/objs/afl
. - If you create an empty file named
TRACE_MODE
inside the workspace, then the output object files will be inside${workspace}/${module}/objs/trace
. - By the way, it will also generate 3 files inside
${workspace}/${module}
:- exports_afl.def (used for linking)
- exports_trace.def (used for linking)
- hint.txt (used for patching)
- The output object files will be inside
-
Generate lib files by running the script
utils/LibImports.py
.- The output lib files will be inside
${workspace}/${module}/libs
, used for linking later.
- The output lib files will be inside
-
Open a terminal and change the directory to the workspace.
-
Link all the object files and lib files by using
utils/link.bat
.- e.g.
utils/link.bat GdiPlus dll afl /RELEASE
- It will generate the new binary with the pdb file inside
${workspace}/${module}
.
- e.g.
-
Patch the new built binary by using
utils/PatchPEHeader.py
.- e.g.
utils/PatchPEHeader.py GdiPlus/GdiPlus.afl.dll
- For the first time, you may need to run
utils/register_msdia_run_as_administrator.bat
as administrator.
- e.g.
-
Run & Fuzz.
More details
HITB Slides : https://github.com/jhftss/jhftss.github.io/blob/main/res/slides/HITB2021SIN%20-%20IDA2Obj%20-%20Mickey%20Jin.pdf
Demo : https://drive.google.com/file/d/1N3DXJCts5jG0Y5B92CrJOTIHedWyEQKr/view?usp=sharing
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.