20 unstable releases (3 breaking)
Uses new Rust 2024
new 0.5.4 | Mar 29, 2025 |
---|---|
0.5.3 | Mar 20, 2025 |
0.3.5 | Feb 28, 2025 |
0.3.0 | Jan 17, 2025 |
0.1.1 | Nov 8, 2024 |
#450 in Command line utilities
782 downloads per month
25KB
222 lines
rhabdomancer
"The road to exploitable bugs is paved with unexploitable bugs."
-- Mark Dowd
Rhabdomancer is a blazing fast IDA Pro headless plugin that locates calls to potentially insecure API functions in a binary file. Auditors can backtrace from these candidate points to find pathways allowing access from untrusted input.
Features
- Blazing fast, headless user experience courtesy of IDA Pro 9 and Binarly's idalib Rust bindings.
- Support for C/C++ binary targets compiled for any architecture implemented by IDA Pro.
- Bad API function call locations are printed to stdout and marked in the IDB.
- Known bad API functions are grouped in tiers of badness to help prioritize the audit work.
- [BAD 0] High priority - Functions that are generally considered insecure
- [BAD 1] Medium priority - Interesting functions that should be checked for insecure use cases.
- [BAD 2] Low priority - Code paths involving these functions should be carefully checked.
- The list of known bad API functions can be easily customized by editing
conf/rhabdomancer.toml
.
Blog post
See also
- https://github.com/0xdea/ghidra-scripts/blob/main/Rhabdomancer.java
- https://docs.hex-rays.com/release-notes/9_0#headless-processing-with-idalib
- https://github.com/binarly-io/idalib
- https://books.google.it/books/about/The_Art_of_Software_Security_Assessment.html
Installing
The easiest way to get the latest release is via crates.io:
- Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
- Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
- Install LLVM/Clang (see https://rust-lang.github.io/rust-bindgen/requirements.html).
- On Linux/macOS, install as follows:
On Windows, instead, use the following commands:export IDASDKDIR=/path/to/idasdk export IDADIR=/path/to/ida # if not set, the build script will check common locations cargo install rhabdomancer
$env:LIBCLANG_PATH="\path\to\clang+llvm\bin" $env:PATH="\path\to\ida;$env:PATH" $env:IDASDKDIR="\path\to\idasdk" $env:IDADIR="\path\to\ida" # if not set, the build script will check common locations cargo install rhabdomancer
Compiling
Alternatively, you can build from source:
- Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
- Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
- Install LLVM/Clang (see https://rust-lang.github.io/rust-bindgen/requirements.html).
- On Linux/macOS, compile as follows:
On Windows, instead, use the following commands:git clone --depth 1 https://github.com/0xdea/rhabdomancer cd rhabdomancer export IDASDKDIR=/path/to/idasdk # or edit .cargo/config.toml export IDADIR=/path/to/ida # if not set, the build script will check common locations cargo build --release
git clone --depth 1 https://github.com/0xdea/rhabdomancer cd rhabdomancer $env:LIBCLANG_PATH="\path\to\clang+llvm\bin" $env:PATH="\path\to\ida;$env:PATH" $env:IDASDKDIR="\path\to\idasdk" $env:IDADIR="\path\to\ida" # if not set, the build script will check common locations cargo build --release
Usage
- Make sure IDA Pro is properly configured with a valid license.
- Customize the list of known bad API functions in
conf/rhabdomancer.toml
if needed. - Run as follows:
Any existingrhabdomancer <binary_file>
.i64
IDB file will be updated; otherwise, a new IDB file will be created. - Open the resulting
.i64
IDB file with IDA Pro. - Select
View
>Open subviews
>Bookmarks
- Enjoy your results conveniently collected in an IDA Pro window.
Note: rhabdomancer also adds comments at marked call locations.
Compatibility
- IDA Pro 9.0.240925 - Latest compatible: v0.2.4.
- IDA Pro 9.0.241217 - Latest compatible: v0.3.5.
- IDA Pro 9.1.250226 - Latest compatible: current version.
Note: check idalib documentation for additional information.
Changelog
TODO
- Enrich the known bad API function list (see https://github.com/0xdea/semgrep-rules).
- Implement a basic ruleset in the style of VulFi and VulnFanatic.
Dependencies
~7–18MB
~276K SLoC