#ida #binary-file #reverse-engineering #idalib #vuln-dev

bin+lib haruspex

Vulnerability research assistant that extracts pseudo-code from IDA Hex-Rays decompiler

14 releases (4 breaking)

Uses new Rust 2024

new 0.5.1 Mar 10, 2025
0.5.0 Mar 3, 2025
0.4.2 Feb 28, 2025
0.3.2 Feb 13, 2025
0.1.1 Nov 29, 2024

#1691 in Command line utilities

Download history 128/week @ 2024-11-20 130/week @ 2024-11-27 160/week @ 2024-12-04 133/week @ 2024-12-11 142/week @ 2024-12-18 63/week @ 2025-01-08 189/week @ 2025-01-15 5/week @ 2025-01-22 114/week @ 2025-01-29 31/week @ 2025-02-05 264/week @ 2025-02-12 146/week @ 2025-02-19 328/week @ 2025-02-26 141/week @ 2025-03-05

880 downloads per month
Used in augur

MIT license

20KB
134 lines

haruspex

build doc

"Hacking is the discipline of questioning all your assumptions all of the time."

-- Dave Aitel

Haruspex is a blazing fast IDA Pro headless plugin that extracts pseudo-code generated by IDA Pro's decompiler in a format that should be suitable to be imported into an IDE or parsed by static analysis tools such as Semgrep, weggli, or oneiromancer.

Features

  • Blazing fast, headless user experience courtesy of IDA Pro 9 and Binarly's idalib Rust bindings.
  • Support for binary targets for any architecture implemented by IDA Pro's Hex-Rays decompiler.
  • Pseudo-code of each function is stored in a separated file in the output directory for easy inspection.
  • External crates can invoke decompile_to_file to decompile a function and save its pseudo-code to disk.

Blog post

See also

Installing

The easiest way to get the latest release is via crates.io:

  1. Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
  2. Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
  3. Install haruspex as follows:
    $ export IDASDKDIR=/path/to/idasdk
    $ export IDADIR=/path/to/ida # if not set, the build script will check common locations
    $ cargo install haruspex # or run cargo add haruspex to install as a library
    

Note: in addition to the latest IDA SDK and IDA Pro itself, a recent version of LLVM/Clang is required (see idalib documentation).

Compiling

Alternatively, you can build from source:

  1. Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
  2. Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
  3. Compile haruspex as follows:
    $ git clone --depth 1 https://github.com/0xdea/haruspex
    $ cd haruspex
    $ export IDASDKDIR=/path/to/idasdk # or edit .cargo/config.toml
    $ export IDADIR=/path/to/ida # if not set, the build script will check common locations
    $ cargo build --release
    

Note: in addition to the latest IDA SDK and IDA Pro itself, a recent version of LLVM/Clang is required (see idalib documentation).

Usage

  1. Make sure IDA Pro is properly configured with a valid license.
  2. Run haruspex as follows:
    $ haruspex <binary_file>
    
  3. Find the extracted pseudo-code of each decompiled function in the binary_file.dec directory:
    $ vim <binary_file>.dec
    $ code <binary_file>.dec
    

Compatibility

  • IDA Pro 9.0.240925 - Latest compatible: v0.1.3.
  • IDA Pro 9.0.241217 - Latest compatible: v0.4.2.
  • IDA Pro 9.1.250226 - Latest compatible: current version.

Note: only the unix target family is currently supported, check idalib documentation if you're interested in a windows port.

Changelog

TODO

Dependencies

~3–13MB
~177K SLoC