Patching - Interactive Binary Patching for IDA Pro

Related tags

Security related resourcesreverse-engineeringidaida-proidapythonpatchinghexrays
Overview

Patching - Interactive Binary Patching for IDA Pro

Patching Plugin

Overview

Patching assembly code to change the behavior of an existing program is not uncommon in malware analysis, software reverse engineering, and broader domains of security research. This project extends the popular IDA Pro disassembler to create a more robust interactive binary patching workflow designed for rapid iteration.

This project is currently powered by a minor fork of the ubiquitous Keystone Engine, supporting x86/x64 and Arm/Arm64 patching with plans to enable the remaining Keystone architectures in a future release.

Special thanks to Hex-Rays for supporting the development of this plugin.

Releases

  • v0.1 -- Initial release

Installation

This plugin requires IDA 7.6 and Python 3. It supports Windows, Linux, and macOS.

Easy Install

Run the following line in the IDA console to automatically install the plugin:

Windows / Linux

import urllib.request as r; exec(r.urlopen('https://github.com/gaasedelen/patching/raw/main/install.py').read())

macOS

import urllib.request as r; exec(r.urlopen('https://github.com/gaasedelen/patching/raw/main/install.py', cafile='/etc/ssl/cert.pem').read())

Manual Install

Alternatively, the plugin can be manually installed by downloading the distributable plugin package for your respective platform from the releases page and unzipping it to your plugins folder.

It is strongly recommended you install this plugin into IDA's user plugin directory:

import ida_diskio, os; print(os.path.join(ida_diskio.get_user_idadir(), "plugins"))

Usage

The patching plugin will automatically load for supported architectures (x86/x64/Arm/Arm64) and inject relevant patching actions into the right click context menu of the IDA disassembly views:

Patching plugin right click context menu

A complete listing of the contextual patching actions are described in the following sections.

Assemble

The main patching dialog can be launched via the Assemble action in the right click context menu. It simulates a basic IDA disassembly view that can be used to edit one or several instructions in rapid succession.

The interactive patching dialog

The assembly line is an editable field that can be used to modify instructions in real-time. Pressing enter will commit (patch) the entered instruction into the database.

Your current location (a.k.a your cursor) will always be highlighted in green. Instructions that will be clobbered as a result of your patch / edit will be highlighted in red prior to committing the patch.

Additional instructions that will be clobbered by a patch show up as red

Finally, the UP and DOWN arrow keys can be used while still focused on the editable assembly text field to quickly move the cursor up and down the disassembly view without using the mouse.

NOP

The most common patching action is to NOP out one or more instructions. For this reason, the NOP action will always be visible in the right click menu for quick access.

Right click NOP instruction

Individual instructions can be NOP'ed, as well as a selected range of instructions.

Force Conditional Jump

Forcing a conditional jump to always execute a 'good' path is another common patching action. The plugin will only show this action when right clicking a conditional jump instruction.

Forcing a conditional jump

If you never want a conditional jump to be taken, you can just NOP it instead!

Save & Quick Apply

Patches can be saved (applied) to a selected executable via the patching submenu at any time. The quick-apply action makes it even faster to save subsequent patches using the same settings.

Applying patches to the original executable

The plugin will also make an active effort to retain a backup (.bak) of the original executable which it uses to 'cleanly' apply the current set of database patches during each save.

Revert Patch

Finally, if you are ever unhappy with a patch you can simply right click patched (yellow) blocks of instructions to revert them to their original value.

Reverting patches

While it is 'easy' to revert bytes back to their original value, it can be 'hard' to restore analysis to its previous state. Reverting a patch may occasionally require additional human fixups.

Known Bugs

  • Further improve ARM / ARM64 / THUMB correctness
  • Define 'better' behavior for cpp::like::symbols(...) / IDBs (very sketchy right now)
  • Adding / Updating / Modifying / Showing / Warning about Relocation Entries??
  • Handle renamed registers (like against dwarf annotated idb)?
  • A number of new instructions (circa 2017 and later) are not supported by Keystone
  • A few problematic instruction encodings by Keystone

Future Work

Time and motivation permitting, future work may include:

  • Enable the remaining major architectures supported by Keystone:
    • PPC32 / PPC64 / MIPS32 / MIPS64 / SPARC / SystemZ
  • Multi instruction assembly (eg. xor eax, eax; ret;)
  • Multi line assembly (eg. shellcode / asm labels)
  • Interactive byte / data / string editing
  • Symbol hinting / auto-complete / fuzzy-matching
  • Syntax highlighting the editable assembly line
  • Better hinting of errors, syntax issues, etc
  • NOP / Force Jump from Hex-Rays view (sounds easy, but probably pretty hard!)
  • radio button toggle between 'pretty print' mode vs 'raw' mode? or display both? 
    Pretty:  mov     [rsp+48h+dwCreationDisposition], 3
   Raw:  mov     [rsp+20h], 3

I welcome external contributions, issues, and feature requests. Please make any pull requests to the develop branch of this repository if you would like them to be considered for a future release.

Authors

Comments
  • idasm is A Python Assembler Script Tool for IDA Pro based on

    idasm is A Python Assembler Script Tool for IDA Pro based on "patching"

    Dear gaasedelen, I extract core codes from your ingenious "patching" plugin. Now we can use "patching" as an automatic patching work engine for IDA. Here is the repository link: https://github.com/lyciumlee/idasm .

    opened by lyciumlee 2
  • OSError: [Errno 22] Invalid argument when trying to patch a large chunk

    OSError: [Errno 22] Invalid argument when trying to patch a large chunk

    When I tried to patch a large chunk, the patch will fail with OSError: [Errno 22] Invalid argument from https://github.com/gaasedelen/patching/blob/main/plugins/patching/util/ida.py#L101 I am trying to set a range of data to 0

    opened by asesidaa 2
  • Thanks for a great plugin

    Thanks for a great plugin

    Great job, what an useful plugin.

    this is not really a bug but rather a question, i tried open a request with no sucess.

    There is any way to assemble jmp +5 style short jumps for example.

    Thanks for your incredible job.

    Ricardo

    opened by ricnar456 2
  • error when click

    error when click "Apply patches to..." 

    ---------------------------------------------------------------------------------------------
Traceback (most recent call last):
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\actions.py", line 148, in activate
    controller = SaveController(self.core)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save.py", line 30, in __init__
    self.view = SaveDialog(self)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 13, in __init__
    self._ui_init()
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 30, in _ui_init
    self.setWindowFlags(self.windowFlags() & remove_flags)
TypeError: unsupported operand type(s) for &: 'WindowFlags' and 'WindowFlags'
Traceback (most recent call last):
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\actions.py", line 148, in activate
    controller = SaveController(self.core)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save.py", line 30, in __init__
    self.view = SaveDialog(self)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 13, in __init__
    self._ui_init()
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 30, in _ui_init
    self.setWindowFlags(self.windowFlags() & remove_flags)
TypeError: unsupported operand type(s) for &: 'WindowFlags' and 'WindowFlags'

    https://github.com/gaasedelen/patching/blob/main/plugins/patching/ui/save_ui.py#L30

    >>> print(self.windowFlags())
<PyQt5.QtCore.Qt.WindowFlags object at 0x000002048BED15B0>
>>> print(remove_flags)
<PyQt5.QtCore.Qt.WindowFlags object at 0x000002048BF7EAB0>

    versions info:

    • Windows 10
    • Python 3.10
    • PyQt5 5.15.6
    • patching: last release
    • Ida 7.6
    opened by Cirn09 1
  • need to delete patching.py in plugins dir

    need to delete patching.py in plugins dir

    Python>import urllib.request as r; exec(r.urlopen('https://github.com/gaasedelen/patching/raw/main/install.py').read()) [*] Starting auto installer for 'Patching' plugin... [*] Fetching info from GitHub... [*] Downloading patching_win32.zip... [] Saving patching_win32.zip to disk... [] Removing existing plugin... [*] Unzipping patching_win32.zip... [+] Patching v0.1.2 installed successfully! [!] Restart IDA to use the updated plugin install successfully

    Then i restart ida, C:\Users\asdf\AppData\Roaming\Hex-Rays\IDA Pro\plugins\patching.py: No module named 'patching.util'; 'patching' is not a package Traceback (most recent call last): File "E:\IDA Pro 7.6\python\3\ida_idaapi.py", line 617, in IDAPython_ExecScript exec(code, g) File "C:/Users/asdf/AppData/Roaming/Hex-Rays/IDA Pro/plugins/patching.py", line 42, in import patching File "E:\IDA Pro 7.6\plugins\patching.py", line 43, in from patching.util.python import reload_package ModuleNotFoundError: No module named 'patching.util'; 'patching' is not a package

    Then i try to delete \IDA Pro 7.6\plugins\patching.py, reserve \Users\asdf\AppData\Roaming\Hex-Rays\IDA Pro\plugins\patching.py, thats works.

    opened by helloobaby 0
  • problem with assemble

    problem with assemble

    when i try to use assemble i get error

    изображение i try on ida 7.6 and 7.7 and get some error OC-widows10 executable file-arm64 dylib if you need i can give .dmp file

    opened by mishavac 1
  • [Feature request] In-memory patching

    [Feature request] In-memory patching

    First of all, commendations on your great work ! The built-in assembler for IDA was pretty much unusable so the patching had to be done with an external program, making the whole process really tedious (load file in IDA -> debug -> patch in another app -> reload file in IDA -> reanalyze the whole thing -> debug -> rinse and repeat). This finally lets me drop the external app from the workflow and no reloading required, simply awesome !

    As far as binary patching goes, it currently works as-is. Finally also the "patched bytes" section actually works since your plugin keeps the backup file, and IDA does not get confused anymore on what is actually patched and what is original.

    I have a request though which would make it even better, incorporate the in-memory patching option from (currently defunct and unmaintained, unfortunately) https://github.com/scottmudge/DebugAutoPatch . The "About" section outlines well some of the grievances with the IDA built-in patching system and fixes them. I do not know how non-trivial it would be to add those features to this patcher plugin though

    opened by anzz1 1
  • not working

    not working

    Traceback (most recent call last): File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\actions.py", line 127, in activate wid = PatchingController(self.core, get_current_ea(ctx)) File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\preview.py", line 47, in init self.refresh() File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\preview.py", line 223, in refresh self.select_address(self.address) File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\preview.py", line 68, in select_address if insn.address != ea: AttributeError: 'NoneType' object has no attribute 'address'

    opened by advokat11 0
  • Jump to next line on enter key

    Jump to next line on enter key

    In the Assemble dialog, the cursor should jump to the next line when I press the Enter key. This is a required feature to edit/write multiple assembly code.

    Can you add this behavior?

    opened by CaledoniaProject 0
Releases(v0.1.2)
Owner
turning over rocks and finding nothing is still progress.
GitHub Repository
Northwave Log4j CVE-2021-44228 checker

Northwave Log4j CVE-2021-44228 checker Friday 10 December 2021 a new Proof-of-Concept 1 addressing a Remote code Execution (RCE) vulnerability in the

Northwave 125 Dec 09, 2022
adb - A tool that allows you to search for vulnerable android devices across the world and exploit them.

adb - An exploitation tool for android devices. A tool that allows you to search for vulnerable android devices across the world and exploit them. Fea

136 Jan 02, 2023
Python decompiler for Python 1.5-2.4 (for historical archive)

This preserves the early code of a Python decompiler for Python versions 1.5 to 2.4. I have been able to install this using pyenv using Python 2.3.7 u

R. Bernstein 2 Jan 04, 2022
This is an advanced backdoor, created with Python

Backdoor This is a Backdoor, created with Python 3. Types of Commands: Downloading / Uploading files. Launching / Deleting / Reading file's content. S

swagkarna 28 Oct 28, 2022
Sentinel-1 SAR time series analysis for OSINT use

SARveillance Sentinel-1 SAR time series analysis for OSINT use. Description Generates a time lapse GIF of the Sentinel-1 satellite images for the loca

21 Dec 09, 2022
Providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account.

We are providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account. The script enables security teams

Mitiga 13 Jan 04, 2022
spring-cloud-gateway-rce CVE-2022-22947

Spring Cloud Gateway Actuator API SpEL表达式注入命令执行(CVE-2022-22947) 1.installation pip3 install -r requirements.txt 2.Usage $ python3 spring-cloud-gateway

k3rwin 10 Sep 28, 2022
Implementation of an attack on a tropical algebra discrete logarithm based protocol

Implementation of an attack on a tropical algebra discrete logarithm based protocol This code implements the attack detailed in the paper: On the trop

3 Dec 30, 2021
DCSync - DCSync Attack from Outside using Impacket

Adding DCSync Permissions Mostly copypasta from https://github.com/tothi/rbcd-at

n00py 77 Dec 16, 2022
This is a keylogger in python for Windows, Mac and Linux!

Python-Keylogger This is a keylogger in python for Windows, Mac and Linux! #How to use it by downloading the zip file? Download the zip file first The

Zeus_Dxvxm 2 Nov 12, 2021
Unauthenticated Sqlinjection that leads to dump data base but this one impersonated Admin and drops a interactive shell

Unauthenticated Sqlinjection that leads to dump database but this one impersonated Admin and drops a interactive shell

sam 16 Nov 09, 2022
A kAFL based hypervisor fuzzer which fully supports nested VMs

hAFL2 hAFL2 is a kAFL-based hypervisor fuzzer. It is the first open-source fuzzer which is able to target hypervisors natively (including Hyper-V), as

SafeBreach Labs 115 Dec 07, 2022
Simulating Log4j Remote Code Execution (RCE) vulnerability in a flask web server using python's logging library with custom formatter that simulates lookup substitution by executing remote exploit code.

py4jshell Simulating Log4j Remote Code Execution (RCE) CVE-2021-44228 vulnerability in a flask web server using python's logging library with custom f

Narasimha Prasanna HN 86 Aug 21, 2022
D-810 is an IDA Pro plugin which can be used to deobfuscate code at decompilation time by modifying IDA Pro microcode.

Introduction fork from https://gitlab.com/eshard/d810 What is D-810 D-810 is an IDA Pro plugin which can be used to deobfuscate code at decompilation

Banny 30 Dec 06, 2022
Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

log4j-honeypot-flask Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228 This can be

Binary Defense 144 Nov 19, 2022
MD5-CRACKER - A gmail brute force app created with python3

MD5-CRACKER So this is my first app i created with python3 . if you guys downloa

2 Nov 10, 2022
Log4j-Scanner with Bind-Receipt and custom hostnames

Hrafna - Log4j-Scanner for the masses Features Scanning-system designed to check your own infra for vulnerable log4j-installations start and stop scan

18 Jan 23, 2022
Cracker - Tools CRACK FACEBOOK DAN INSTAGRAM DENGAN FITUR BANYAK

CLOME TO TOOLS ME 😁 FITUR TOOLS RESULTS INSTALASI ____/-- INSTALLASI /+/+/+/ t

Jeeck X Nano 3 Jan 08, 2022
A python package with tools to read and postprocess the output of the channel DNS-solver (davecats/channel), as well as its associated postprocessing tools.

Python tools for davecats/channel A python package with tools to read and postprocess the output of the channel dns solver, as well as its associated

Andrea Andreolli 1 Dec 13, 2021
The First Python Compatible Camera Hacking Tool

ZCam Hack webcam using python by sending malicious link. FEATURES : [+] Real-time Camera hacking [+] Python compatible [+] URL Shortener using bitly [

Sanketh J 109 Dec 28, 2022