#ida #binary-file #reverse-engineering #idalib #vuln-dev

bin+lib rhabdomancer

Vulnerability research assistant that locates calls to potentially insecure API functions in a binary file

17 unstable releases (3 breaking)

Uses new Rust 2024

0.5.1 Mar 10, 2025 (new)
0.5.0 Mar 3, 2025
0.3.5 Feb 28, 2025
0.3.0 Jan 17, 2025
0.1.1 Nov 8, 2024

MIT license

24KB
224 lines

rhabdomancer

"The road to exploitable bugs is paved with unexploitable bugs."

-- Mark Dowd

Rhabdomancer is a blazing fast IDA Pro headless plugin that locates calls to potentially insecure API functions in a binary file. Auditors can backtrace from these candidate points to find pathways allowing access from untrusted input.

Features

  • Blazing fast, headless user experience courtesy of IDA Pro 9 and Binarly's idalib Rust bindings.
  • Support for C/C++ binary targets compiled for any architecture implemented by IDA Pro.
  • Bad API function call locations are printed to stdout and marked in the IDB.
  • Known bad API functions are grouped in tiers of badness to help prioritize the audit work.
    • [BAD 0] High priority - Functions that are generally considered insecure.
    • [BAD 1] Medium priority - Interesting functions that should be checked for insecure use cases.
    • [BAD 2] Low priority - Code paths involving these functions should be carefully checked.
  • The list of known bad API functions can be easily customized by editing conf/rhabdomancer.toml.
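As an added illustration of the tiered grouping described above (example code written for this page, not rhabdomancer's own source), the following Rust program classifies a constructed list of call sites against a BAD 0/1/2 table and sorts the findings so that the highest-priority candidates come first. The tier table, the `normalize` rules for decorated import names (`__imp_`, leading underscores, a trailing `@N` suffix) and the comment text are all assumptions made here; the real conf/rhabdomancer.toml layout is not shown on the page and is not reproduced.

```rust
// Added example (not rhabdomancer's own code): a minimal tiered classifier
// for call sites in the spirit of the [BAD 0]/[BAD 1]/[BAD 2] grouping.
// The tier table below is constructed for this example; the real
// conf/rhabdomancer.toml format is not shown on the page and is not assumed.

use std::collections::BTreeMap;

/// Priority tiers, ordered so that BAD 0 sorts first.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Tier {
    Bad0, // high priority: generally considered insecure
    Bad1, // medium priority: check for insecure use cases
    Bad2, // low priority: carefully check the surrounding code path
}

impl Tier {
    pub fn label(self) -> &'static str {
        match self {
            Tier::Bad0 => "[BAD 0]",
            Tier::Bad1 => "[BAD 1]",
            Tier::Bad2 => "[BAD 2]",
        }
    }
}

/// Constructed tier table (a hypothetical stand-in for a config file).
pub fn default_tiers() -> BTreeMap<&'static str, Tier> {
    let mut m = BTreeMap::new();
    for f in ["gets", "strcpy", "strcat", "sprintf"] { m.insert(f, Tier::Bad0); }
    for f in ["strncpy", "memcpy", "snprintf"] { m.insert(f, Tier::Bad1); }
    for f in ["malloc", "free", "realloc"] { m.insert(f, Tier::Bad2); }
    m
}

/// Strip decorations disassemblers commonly add to import names
/// (assumption: a leading "__imp_" or underscores, or a trailing "@N"
/// stdcall suffix) so "__imp_strcpy" and "_strcpy" both match "strcpy".
pub fn normalize(name: &str) -> &str {
    let s = name.strip_prefix("__imp_").unwrap_or(name);
    let s = s.trim_start_matches('_');
    match s.find('@') {
        Some(i) if i > 0 => &s[..i],
        _ => s,
    }
}

/// One marked call location: address, normalized callee name, tier.
#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    pub addr: u64,
    pub callee: String,
    pub tier: Tier,
}

/// Classify (address, callee) pairs against the tier table, returning
/// findings sorted by tier first and address second. Calls to functions
/// absent from the table are dropped.
pub fn classify(calls: &[(u64, &str)], tiers: &BTreeMap<&str, Tier>) -> Vec<Finding> {
    let mut out: Vec<Finding> = calls
        .iter()
        .filter_map(|&(addr, callee)| {
            let base = normalize(callee);
            tiers.get(base).map(|&tier| Finding { addr, callee: base.to_string(), tier })
        })
        .collect();
    out.sort_by_key(|f| (f.tier, f.addr));
    out
}

/// Comment text of the kind a tool would attach at the marked call site.
pub fn comment(f: &Finding) -> String {
    format!("{} {} called at {:#x}", f.tier.label(), f.callee, f.addr)
}

fn main() {
    // Constructed sample: call sites as a headless pass might collect them.
    let calls = [
        (0x401010, "_printf"),
        (0x401050, "__imp_strcpy"),
        (0x401088, "malloc"),
        (0x4010c0, "gets"),
        (0x401100, "memcpy@12"),
    ];
    for f in classify(&calls, &default_tiers()) {
        println!("{}", comment(&f));
    }
}
```

Running the binary prints the two BAD 0 hits (strcpy, gets) before the BAD 1 memcpy and the BAD 2 malloc; the printf call is not in the table and is silently skipped, which is the behaviour an auditor wants from a triage pass that only surfaces candidate points.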

Blog post

See also

Installing

The easiest way to get the latest release is via crates.io:

  1. Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
  2. Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
  3. Install rhabdomancer as follows:
    $ export IDASDKDIR=/path/to/idasdk
    $ export IDADIR=/path/to/ida # if not set, the build script will check common locations
    $ cargo install rhabdomancer
    

Note: in addition to the latest IDA SDK and IDA Pro itself, a recent version of LLVM/Clang is required (see idalib documentation).

Compiling

Alternatively, you can build from source:

  1. Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
  2. Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
  3. Compile rhabdomancer as follows:
    $ git clone --depth 1 https://github.com/0xdea/rhabdomancer
    $ cd rhabdomancer
    $ export IDASDKDIR=/path/to/idasdk # or edit .cargo/config.toml
    $ export IDADIR=/path/to/ida # if not set, the build script will check common locations
    $ cargo build --release
    

Note: in addition to the latest IDA SDK and IDA Pro itself, a recent version of LLVM/Clang is required (see idalib documentation).

Usage

  1. Make sure IDA Pro is properly configured with a valid license.
  2. Customize the list of known bad API functions in conf/rhabdomancer.toml if needed.
  3. Run rhabdomancer as follows:
    $ rhabdomancer <binary_file>
    
    Any existing .i64 IDB file will be updated; otherwise, a new IDB file will be created.
  4. Open the resulting .i64 IDB file with IDA Pro.
  5. Select View > Open subviews > Bookmarks.
  6. Enjoy your results conveniently collected in an IDA Pro window.

Note: rhabdomancer also adds comments at marked call locations.

Compatibility

  • IDA Pro 9.0.240925 - Latest compatible: v0.2.4.
  • IDA Pro 9.0.241217 - Latest compatible: v0.3.5.
  • IDA Pro 9.1.250226 - Latest compatible: current version.

Note: only the unix target family is currently supported; check the idalib documentation if you're interested in a Windows port.

Changelog

TODO

Dependencies

~7–18MB
~278K SLoC