SecurityBreak

Some posts about security, malware, reverse engineering


[Reverse Engineering Tips] — IDA Python


One of the greatest features of IDA is the ability to use Python directly in the interface to manipulate the disassembly. IDAPython is essentially a Python front end to the IDC scripting API. It can be used to automate tasks such as deobfuscation or coloring of code. In this short tip we take a brief tour of IDAPython and how to use it.

Documentation

There are several sources that can be used to learn more about IDAPython.

Basic Functionalities

There are basic features that can be used to manipulate data. This nice cheat sheet created by Pavel Rusanov provides more details on the features you can use.

Running Script

There are several ways to run your Python code in IDA. First, you can use the built-in interpreter in the bottom panel.

IDAPython Interpreter

It is also possible to load a script file directly via File > Script file.

Load Script File

Finally, you can also type a script directly by clicking File > Script Command.

Execute Script Command

Find Suspicious Functions

It is also possible to color parts of the disassembly to quickly locate the information you are looking for. IDAPython can therefore be used to spot specific functions that are typically used for a given purpose.

In the example below, we walk the IAT using IDAPython and color the APIs we are looking for in red.

```python
import idaapi
import idc

colorsuspicious = []

# Add the functions you want to highlight
suspicious_func = ["CreateToolhelp32Snapshot", "WNetGetConnectionW"]

def imp_cb(ea, name, ordinal):
    # Callback invoked by enum_import_names for every imported symbol
    if not name:
        print("%08x: ord#%d" % (ea, ordinal))
    else:
        for suspicious in suspicious_func:
            if suspicious == name:
                print("Suspicious function found!")
                print("%08x: %s (ord#%d)" % (ea, name, ordinal))
                colorsuspicious.append(ea)
    return True  # keep enumerating

nimps = idaapi.get_import_module_qty()
for i in range(0, nimps):
    name = idaapi.get_import_module_name(i)
    if not name:
        print("Failed to get import module name for #%d" % i)
        continue
    print("Walking-> %s" % name)
    idaapi.enum_import_names(i, imp_cb)

# Color the identified functions (IDA colors are BGR, so 0x0000ff is red).
# set_color/msg are the current names of the older SetColor/Message.
for i in colorsuspicious:
    idc.set_color(i, idc.CIC_ITEM, 0x0000ff)
    idc.msg("suspicious Functions: %08x\n" % i)
```

The result in IDA will look like this.

Highlight suspicious functions

This can be very useful to speed up your analysis, for example to identify functions commonly used by ransomware or functions related to evasion techniques.
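Extending the idea above, the following script (an added example, not code from the original post) groups imported APIs by technique and gives each group its own color in IDA. The matching logic is kept separate from the IDA calls so it can be exercised outside IDA; the category lists and colors are assumptions chosen for illustration.

```python
# Added example: categorise imported APIs by technique and colour each
# category differently. Runs inside IDA; outside IDA only the pure
# matching helpers are usable (e.g. for a quick offline test).
try:
    import idaapi
    import idc
    IN_IDA = True
except ImportError:  # not running under IDA
    IN_IDA = False

# Category -> (BGR colour as IDA expects it, API names). Assumed lists.
CATEGORIES = {
    "process_enum": (0x0000FF, {"CreateToolhelp32Snapshot",
                                "Process32First", "Process32Next"}),
    "anti_debug":   (0x00FFFF, {"IsDebuggerPresent",
                                "CheckRemoteDebuggerPresent"}),
    "crypto":       (0xFF00FF, {"CryptAcquireContextW",
                                "CryptGenKey", "CryptEncrypt"}),
}

def categorize(name):
    """Return the category of an imported API name, or None if uninteresting."""
    for cat, (_colour, names) in CATEGORIES.items():
        if name in names:
            return cat
    return None

def scan_imports(imports):
    """imports: iterable of (ea, name) pairs. Returns {ea: category} for hits."""
    hits = {}
    for ea, name in imports:
        cat = categorize(name)
        if cat:
            hits[ea] = cat
    return hits

def collect_ida_imports():
    """Walk the import table through IDAPython and return (ea, name) pairs."""
    found = []
    def cb(ea, name, ordinal):
        if name:
            found.append((ea, name))
        return True  # keep enumerating
    for i in range(idaapi.get_import_module_qty()):
        idaapi.enum_import_names(i, cb)
    return found

def colour_hits(hits):
    """Apply each category's colour to the matched import entries in IDA."""
    for ea, cat in hits.items():
        idc.set_color(ea, idc.CIC_ITEM, CATEGORIES[cat][0])
        idc.msg("%s: %08x\n" % (cat, ea))

if IN_IDA:
    colour_hits(scan_imports(collect_ida_imports()))
```

Outside IDA, `scan_imports` can be fed a hand-built list of (address, name) pairs to check the category lists before running the script on a real binary.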

There are many other possibilities with IDAPython; it is very powerful for deobfuscating or highlighting parts of the code, for example.

That's it! If you like this content you can follow me on Twitter @fr0gger_ or on Medium for more content like this. ❤
