Patching - Interactive Binary Patching for IDA Pro

Related tags

Security related resourcesreverse-engineeringidaida-proidapythonpatchinghexrays
Overview

Patching - Interactive Binary Patching for IDA Pro

Patching Plugin

Overview

Patching assembly code to change the behavior of an existing program is not uncommon in malware analysis, software reverse engineering, and broader domains of security research. This project extends the popular IDA Pro disassembler to create a more robust interactive binary patching workflow designed for rapid iteration.

This project is currently powered by a minor fork of the ubiquitous Keystone Engine, supporting x86/x64 and Arm/Arm64 patching with plans to enable the remaining Keystone architectures in a future release.

Special thanks to Hex-Rays for supporting the development of this plugin.

Releases

  • v0.1 -- Initial release

Installation

This plugin requires IDA 7.6 and Python 3. It supports Windows, Linux, and macOS.

Easy Install

Run the following line in the IDA console to automatically install the plugin:

Windows / Linux

import urllib.request as r; exec(r.urlopen('https://github.com/gaasedelen/patching/raw/main/install.py').read())

macOS

import urllib.request as r; exec(r.urlopen('https://github.com/gaasedelen/patching/raw/main/install.py', cafile='/etc/ssl/cert.pem').read())

Manual Install

Alternatively, the plugin can be manually installed by downloading the distributable plugin package for your respective platform from the releases page and unzipping it to your plugins folder.

It is strongly recommended you install this plugin into IDA's user plugin directory:

import ida_diskio, os; print(os.path.join(ida_diskio.get_user_idadir(), "plugins"))

Usage

The patching plugin will automatically load for supported architectures (x86/x64/Arm/Arm64) and inject relevant patching actions into the right click context menu of the IDA disassembly views:

Patching plugin right click context menu

A complete listing of the contextual patching actions are described in the following sections.

Assemble

The main patching dialog can be launched via the Assemble action in the right click context menu. It simulates a basic IDA disassembly view that can be used to edit one or several instructions in rapid succession.

The interactive patching dialog

The assembly line is an editable field that can be used to modify instructions in real-time. Pressing enter will commit (patch) the entered instruction into the database.

Your current location (a.k.a your cursor) will always be highlighted in green. Instructions that will be clobbered as a result of your patch / edit will be highlighted in red prior to committing the patch.

Additional instructions that will be clobbered by a patch show up as red

Finally, the UP and DOWN arrow keys can be used while still focused on the editable assembly text field to quickly move the cursor up and down the disassembly view without using the mouse.

NOP

The most common patching action is to NOP out one or more instructions. For this reason, the NOP action will always be visible in the right click menu for quick access.

Right click NOP instruction

Individual instructions can be NOP'ed, as well as a selected range of instructions.

Force Conditional Jump

Forcing a conditional jump to always execute a 'good' path is another common patching action. The plugin will only show this action when right clicking a conditional jump instruction.

Forcing a conditional jump

If you never want a conditional jump to be taken, you can just NOP it instead!

Save & Quick Apply

Patches can be saved (applied) to a selected executable via the patching submenu at any time. The quick-apply action makes it even faster to save subsequent patches using the same settings.

Applying patches to the original executable

The plugin will also make an active effort to retain a backup (.bak) of the original executable which it uses to 'cleanly' apply the current set of database patches during each save.

Revert Patch

Finally, if you are ever unhappy with a patch you can simply right click patched (yellow) blocks of instructions to revert them to their original value.

Reverting patches

While it is 'easy' to revert bytes back to their original value, it can be 'hard' to restore analysis to its previous state. Reverting a patch may occasionally require additional human fixups.

Known Bugs

  • Further improve ARM / ARM64 / THUMB correctness
  • Define 'better' behavior for cpp::like::symbols(...) / IDBs (very sketchy right now)
  • Adding / Updating / Modifying / Showing / Warning about Relocation Entries??
  • Handle renamed registers (like against dwarf annotated idb)?
  • A number of new instructions (circa 2017 and later) are not supported by Keystone
  • A few problematic instruction encodings by Keystone

Future Work

Time and motivation permitting, future work may include:

  • Enable the remaining major architectures supported by Keystone:
    • PPC32 / PPC64 / MIPS32 / MIPS64 / SPARC / SystemZ
  • Multi instruction assembly (eg. xor eax, eax; ret;)
  • Multi line assembly (eg. shellcode / asm labels)
  • Interactive byte / data / string editing
  • Symbol hinting / auto-complete / fuzzy-matching
  • Syntax highlighting the editable assembly line
  • Better hinting of errors, syntax issues, etc
  • NOP / Force Jump from Hex-Rays view (sounds easy, but probably pretty hard!)
  • radio button toggle between 'pretty print' mode vs 'raw' mode? or display both? 
    Pretty:  mov     [rsp+48h+dwCreationDisposition], 3
   Raw:  mov     [rsp+20h], 3

I welcome external contributions, issues, and feature requests. Please make any pull requests to the develop branch of this repository if you would like them to be considered for a future release.

Authors

Comments
  • idasm is A Python Assembler Script Tool for IDA Pro based on

    idasm is A Python Assembler Script Tool for IDA Pro based on "patching"

    Dear gaasedelen, I extract core codes from your ingenious "patching" plugin. Now we can use "patching" as an automatic patching work engine for IDA. Here is the repository link: https://github.com/lyciumlee/idasm .

    opened by lyciumlee 2
  • OSError: [Errno 22] Invalid argument when trying to patch a large chunk

    OSError: [Errno 22] Invalid argument when trying to patch a large chunk

    When I tried to patch a large chunk, the patch will fail with OSError: [Errno 22] Invalid argument from https://github.com/gaasedelen/patching/blob/main/plugins/patching/util/ida.py#L101 I am trying to set a range of data to 0

    opened by asesidaa 2
  • Thanks for a great plugin

    Thanks for a great plugin

    Great job, what an useful plugin.

    this is not really a bug but rather a question, i tried open a request with no sucess.

    There is any way to assemble jmp +5 style short jumps for example.

    Thanks for your incredible job.

    Ricardo

    opened by ricnar456 2
  • error when click

    error when click "Apply patches to..." 

    ---------------------------------------------------------------------------------------------
Traceback (most recent call last):
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\actions.py", line 148, in activate
    controller = SaveController(self.core)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save.py", line 30, in __init__
    self.view = SaveDialog(self)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 13, in __init__
    self._ui_init()
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 30, in _ui_init
    self.setWindowFlags(self.windowFlags() & remove_flags)
TypeError: unsupported operand type(s) for &: 'WindowFlags' and 'WindowFlags'
Traceback (most recent call last):
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\actions.py", line 148, in activate
    controller = SaveController(self.core)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save.py", line 30, in __init__
    self.view = SaveDialog(self)
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 13, in __init__
    self._ui_init()
  File "C:\Users/Cirn09/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\save_ui.py", line 30, in _ui_init
    self.setWindowFlags(self.windowFlags() & remove_flags)
TypeError: unsupported operand type(s) for &: 'WindowFlags' and 'WindowFlags'

    https://github.com/gaasedelen/patching/blob/main/plugins/patching/ui/save_ui.py#L30

    >>> print(self.windowFlags())
<PyQt5.QtCore.Qt.WindowFlags object at 0x000002048BED15B0>
>>> print(remove_flags)
<PyQt5.QtCore.Qt.WindowFlags object at 0x000002048BF7EAB0>

    versions info:

    • Windows 10
    • Python 3.10
    • PyQt5 5.15.6
    • patching: last release
    • Ida 7.6
    opened by Cirn09 1
  • need to delete patching.py in plugins dir

    need to delete patching.py in plugins dir

    Python>import urllib.request as r; exec(r.urlopen('https://github.com/gaasedelen/patching/raw/main/install.py').read()) [*] Starting auto installer for 'Patching' plugin... [*] Fetching info from GitHub... [*] Downloading patching_win32.zip... [] Saving patching_win32.zip to disk... [] Removing existing plugin... [*] Unzipping patching_win32.zip... [+] Patching v0.1.2 installed successfully! [!] Restart IDA to use the updated plugin install successfully

    Then i restart ida, C:\Users\asdf\AppData\Roaming\Hex-Rays\IDA Pro\plugins\patching.py: No module named 'patching.util'; 'patching' is not a package Traceback (most recent call last): File "E:\IDA Pro 7.6\python\3\ida_idaapi.py", line 617, in IDAPython_ExecScript exec(code, g) File "C:/Users/asdf/AppData/Roaming/Hex-Rays/IDA Pro/plugins/patching.py", line 42, in import patching File "E:\IDA Pro 7.6\plugins\patching.py", line 43, in from patching.util.python import reload_package ModuleNotFoundError: No module named 'patching.util'; 'patching' is not a package

    Then i try to delete \IDA Pro 7.6\plugins\patching.py, reserve \Users\asdf\AppData\Roaming\Hex-Rays\IDA Pro\plugins\patching.py, thats works.

    opened by helloobaby 0
  • problem with assemble

    problem with assemble

    when i try to use assemble i get error

    изображение i try on ida 7.6 and 7.7 and get some error OC-widows10 executable file-arm64 dylib if you need i can give .dmp file

    opened by mishavac 1
  • [Feature request] In-memory patching

    [Feature request] In-memory patching

    First of all, commendations on your great work ! The built-in assembler for IDA was pretty much unusable so the patching had to be done with an external program, making the whole process really tedious (load file in IDA -> debug -> patch in another app -> reload file in IDA -> reanalyze the whole thing -> debug -> rinse and repeat). This finally lets me drop the external app from the workflow and no reloading required, simply awesome !

    As far as binary patching goes, it currently works as-is. Finally also the "patched bytes" section actually works since your plugin keeps the backup file, and IDA does not get confused anymore on what is actually patched and what is original.

    I have a request though which would make it even better, incorporate the in-memory patching option from (currently defunct and unmaintained, unfortunately) https://github.com/scottmudge/DebugAutoPatch . The "About" section outlines well some of the grievances with the IDA built-in patching system and fixes them. I do not know how non-trivial it would be to add those features to this patcher plugin though

    opened by anzz1 1
  • not working

    not working

    Traceback (most recent call last): File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\actions.py", line 127, in activate wid = PatchingController(self.core, get_current_ea(ctx)) File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\preview.py", line 47, in init self.refresh() File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\preview.py", line 223, in refresh self.select_address(self.address) File "C:\Users/user/AppData/Roaming/Hex-Rays/IDA Pro/plugins\patching\ui\preview.py", line 68, in select_address if insn.address != ea: AttributeError: 'NoneType' object has no attribute 'address'

    opened by advokat11 0
  • Jump to next line on enter key

    Jump to next line on enter key

    In the Assemble dialog, the cursor should jump to the next line when I press the Enter key. This is a required feature to edit/write multiple assembly code.

    Can you add this behavior?

    opened by CaledoniaProject 0
Releases(v0.1.2)
Owner
turning over rocks and finding nothing is still progress.
GitHub Repository
Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service

Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service. This tool can help a digital forensic investigator to know the conte

hashlookup 96 Dec 20, 2022
FOSSLight Scanner performs open source analysis after downloading the source by passing a link that can be cloned by wget or git.

FOSSLight Scanner Analyze at once for Open Source Compliance. FOSSLight Scanner performs open source analysis after downloading the source by passing

FOSSLight 8 Nov 03, 2022
Selamat Datang DiTools Crack-Old, Crack Old Adalah Sebuah Crack Tanpa Login Dan Crack Menggunakan Akun Facebook Tua/Old.

Selamat Datang DiTools Crack-Old, Crack Old Adalah Sebuah Crack Tanpa Login Dan Crack Menggunakan Akun Facebook Tua/Old. ([Welcome to Crack-Old Tools, Old Crack Is A Crack Without Login And Crack Usi

Risky [ Zero Tow ] 7 Dec 25, 2022
A python tool capable of creating HUGE wordlists. Has the ability to add custom words for concatenation in any way you see fit.

A python tool capable of creating HUGE wordlists. Has the ability to add custom words for concatenation in any way you see fit.

Codex 9 Oct 05, 2022
A python script to bypass 403-forbidden.

4nought3 A python script to bypass 403-forbidden. It covers methods like Host-Header Injections, Changing HTTP Requests Methods and URL-Injections. Us

11 Aug 27, 2022
RedTeam-Security - In this repo you will get the information of Red Team Security related links

OSINT Passive Discovery Amass - https://github.com/OWASP/Amass (Attack Surface M

Abhinav Pathak 5 May 18, 2022
Natas teaches the basics of serverside web-security.

over-the-wire-natas Natas teaches the basics of serverside web-security. Each level of natas consists of its own website located at http://natasX.nata

Siddhant Chouhan 1 Nov 27, 2021
A honeypot for the Log4Shell vulnerability (CVE-2021-44228)

Log4Pot A honeypot for the Log4Shell vulnerability (CVE-2021-44228). License: GPLv3.0 Features Listen on various ports for Log4Shell exploitation. Det

Thomas Patzke 79 Dec 27, 2022
A simple python script for hosting a Snowflake Proxy in your python program or with it's standalone cli

snowflake-cli Snowflake is a system to defeat internet censorship, made by Tor Project. The system works by volunteers who run the snowflake extension

Guilherme Paixão 6 Jul 14, 2022
Operational information regarding the vulnerability in the Log4j logging library.

Log4j Vulnerability (CVE-2021-44228) This repo contains operational information regarding the vulnerability in the Log4j logging library (CVE-2021-442

Nationaal Cyber Security Centrum (NCSC-NL) 1.9k Dec 26, 2022
proxyshell payload generate

Py Permutative Encoding https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-pst/5faf4800-645d-49d1-9457-2ac40eb467bd Generate proxyshell

Evi1cg 63 Nov 15, 2022
This is a partial and quick and dirty proof of concept implementation of the following specifications to configure a tor client to use trusted exit relays only.

This is a partial and quick and dirty proof of concept implementation of the following specifications to configure a tor client to use trusted exit re

22 Nov 09, 2022
Password List Creator Simple !

Password List Creator Simple !

MR.D3F417 4 Jan 27, 2022
A malware to encrypt all the .txt and .jpg files in target computer using RSA algorithms

A malware to encrypt all the .txt and .jpg files in target computer using RSA algorithms. Change the Blackgound image of targets' computer. and decrypt the targets' encrypted files in our own compute

Li Ka Lok 2 Dec 02, 2022
Experimental musig2 python code, not for production use!

musig2-py Experimental musig2 python code, not for production use! This is just for testing things out. All public keys are encoded as 32 bytes, assum

Samuel Dobson 14 Jul 08, 2022
Kunyu, more efficient corporate asset collection

Kunyu(坤舆) - More efficient corporate asset collection English | 中文文档 0x00 Introduce Tool introduction Kunyu (kunyu), whose name is taken from , is act

Knownsec, Inc. 772 Jan 05, 2023
HatSploit collection of generic payloads designed to provide a wide range of attacks without having to spend time writing new ones.

HatSploit collection of generic payloads designed to provide a wide range of attacks without having to spend time writing new ones.

EntySec 5 May 10, 2022
大宝剑-信息收集和资产梳理工具(红队、蓝队、企业组织架构、子域名、Web资产梳理、Web指纹识别、ICON_Hash资产匹配)

大宝剑-信息收集和资产梳理工具(红队、蓝队、企业组织架构、子域名、Web资产梳理、Web指纹识别、ICON_Hash资产匹配)

Wolf Group Security Team 835 Jan 05, 2023
POC for detecting the Log4Shell (Log4J RCE) vulnerability

Interactsh An OOB interaction gathering server and client library Features • Usage • Interactsh Client • Interactsh Server • Interactsh Integration •

ProjectDiscovery 2.1k Jan 08, 2023
Uses Sharphound, Bloodhound and Neo4j to produce an actionable list of attack paths for targeted remediation.

GoodHound ______ ____ __ __ / ____/___ ____ ____/ / / / /___ __ ______ ____/ / / / __/ __ \/ __ \/ __

idna 352 Jan 02, 2023