NOTICE: THIS TOOL MUST BE RUN FROM A DOS WINDOW (cmd.exe). Command-line IDA breaks in powershell.

This is a toolset for automating tests on binaries, mainly utilizing IDA and IDAPython. It targets either a binary file on disk, or a dump of a specified module from a specified executable. The tool is written in python. If you have the build tools installed, you can use the binStar.bat file.

All development and testing was done in 64-bit, but there's no reason it shouldn't work for 32-bit binaries.

---------------------------------- Usage ----------------------------------

Usage:
    >binStar.bat -c

Requirements:
    Python 2.7.X
    Windows
    IDA

The configuration file is a JSON formatted text file containing information for the tool, as well as information and tests concerning the target binary file(s). The contents are composed of some strings, along with a number of file paths. The file paths can be absolute or relative.

NOTE: IF YOU USE RELATIVE PATHS, THEY MUST BE RELATIVE TO THE DIRECTORY FROM WHERE YOU CALL IT

---------------------------------- Application Function ----------------------------------

Function

The toolset performs the following functions:

    Parses the configuration file
    If specified, runs the dumpIt utility on the executable file
        dumpIt runs the executable in a new process and waits 20 seconds
        After the delay, it finds the specified module and writes its memory to disk
    Runs the strings check on the target file
    Loads the specified PDB file into a symbol "Lookup" object in memory
        Once loaded, the Lookup object is 'pickled' into a file on disk
        Reason: PDB files take a while to load, and IDAPython crawls compared to native. At least 2/3rds faster this way
    The command-line version of IDA is launched in autonomous mode, and runs the idaStar python script, which performs the rest of the tests, outlined below
    All of the results are output into two report text files:
        .idaStar.report.txt
        .binstringsReport.txt
    The strings test is (as expected) quite noisy, so it gets its own file

---------------------------------- Tests ----------------------------------

There are a number of tests you are able to run. These are all contained within the idaStar.py file.

Strings search
    This test requires a newline-delimited text file with strings you want to look out for. The tool runs strings on the target file, and searches the list for strings containing any of the "watch" words.
    While both contain this test, the automated mode uses 'binStar.py' to benefit from the speed of native python.

Byte pattern search
    This takes a list of hex strings, searches the target binary file for matches, and returns all matched addresses.

Spot Checks
    Spot checks take two strings: an integer address (I'd advise base 16...) and a hex string. If the string matches the char array starting at the given address in the target file, it reports True, False otherwise.

String regex search
    Takes a list of perl-style regexes and searches the strings list of the binary for matches.

Symbol regex search
    Takes a list of perl-style regexes and searches the symbol list of the binary's PDB for matches.

---------------------------------- Configuration File ----------------------------------

The configuration file expects the following format:

    {
        "target_binaries": [
            {
                "filepath":"",
                "dump_module":"",
                "target" : "",
                "cmd_line_args" : "",
                "pdb_file" : "",
                "string_regex_list" : [],
                "symbol_regex_list" : [],
                "strings_file" : "",
                "byte_patterns" : [],
                "spot_checks" : []
            }
        ],
        "cfg":{
            "IDAw":"",
            "pylibs":"",
            "dumpIt":"",
            "strings_exe":"",
            "idaStar":"",
            "work_dir":"",
            "log_file":""
        }
    }

NOTE: ALL FILE PATHS MUST HAVE THEIR BACKSLASHES ESCAPED (i.e. "X:\\gta5\\tools_ng\\..."). This is either a python or JSON thing, but fixing it is more trouble than it's worth at the moment, sorry.

target_binaries
    This is the section containing a list of target file configurations.

    filepath
        The path to the target file, or to the executable that contains the target module.
    dump_module
        A boolean which instructs the tool to dump a module or not. Possible values are "true" or "false", case-insensitive.
    target
        The name of the target module to dump. Optional if dump_module = "false".
    cmd_line_args
        Command line arguments that are passed to the target executable when run by dumpIt. Optional.
    pdb_file
        File path to the PDB symbol file that corresponds to the target binary. Optional.
    string_regex_list
        List of regex strings to search the binary for. Optional.
    symbol_regex_list
        List of regex strings to search the symbol list for. Optional.
    byte_patterns
        List of hex strings to search the memory for. Optional.
    spot_checks
        List of address, value pairs to check in the binary. Optional.

cfg
    Contains config information for the toolset.

    IDAw
        File path to the IDAW64.exe binary.
    pylibs
        File path to the "libs" directory installed with the tool. This directory is expected to contain three modules: two directories for "construct" and "pdbparse", as well as the "idaStar.py" file.
    dumpIt
        File path to the dumpIt executable. The dumpIt project is included with this toolset, so you can modify and compile your own if needed.
    strings_exe
        File path to the strings executable. The one included is the TechNet version, but the cygwin one works just as well if that's your steez.
    idaStar
        File path to the idaStar.py module.
    work_dir
        Arbitrary directory for all dump, working and output files. Will be created if not already present.
    log_file
        File path for the idaStar log. Optional. If not specified, will default to "work_dir\\idaStar.log".

Here's a sample configuration. It should work if you have GTAV, IDA 6.7, and the build tools all up to date and default install, and the socialclub.pdb in the right folder!!

    {
        "target_binaries": [
            {
                "filepath":"C:\\Program Files\\Rockstar Games\\Grand Theft Auto V\\GTAVLauncher.exe",
                "dump_module":"true",
                "target" : "socialclub.dll",
                "cmd_line_args" : "-rlrosdomainenv=dev -env=dev -patchenv=dev",
                "pdb_file" : "%RS_TOOLSROOT%\\script\\coding\\mod\\binStar\\etc\\socialclub.pdb",
                "string_regex_list" : ["^.*youWontFindMe.*"],
                "symbol_regex_list" : ["^.*youWontFindMe.*"],
                "strings_file" : "%RS_TOOLSROOT%\\script\\coding\\mod\\binStar\\etc\\words.txt",
                "byte_patterns" : ["DEADBEEF"],
                "spot_checks" : [{"address":"0x0","value":"AAAA"}]
            }
        ],
        "cfg":{
            "IDAw":"C:\\Program Files (x86)\\IDA 6.7\\idaw64.exe",
            "pylibs":"%RS_TOOLSROOT%\\script\\coding\\mod\\binStar\\lib\\",
            "dumpIt":"%RS_TOOLSROOT%\\script\\coding\\mod\\binStar\\bin\\dumpIt.exe",
            "strings_exe":"%RS_TOOLSROOT%\\script\\coding\\mod\\binStar\\bin\\strings.exe",
            "idaStar":"%RS_TOOLSROOT%\\script\\coding\\mod\\binStar\\lib\\idaStar.py",
            "work_dir":"%RS_TOOLSROOT%\\script\\coding\\mod\\binStar\\work\\",
            "log_file":""
        }
    }
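The byte pattern, spot check and string regex tests from the Tests section, reimplemented as an added Python 3 example that is not part of binStar (which is Python 2.7 and runs inside IDA). It runs over a constructed byte string instead of a module dump, reads the same JSON keys as a target_binaries entry, assumes a spot check's value is compared as an ASCII char array (as with the sample's "AAAA"), and uses a printable-run scanner as a stand-in for strings.exe.

```python
import json
import re

# Constructed sample "binary" (not a real dump): a few ASCII runs and two DEADBEEF markers.
SAMPLE_BIN = b"AAAA\x00\x01\xde\xad\xbe\xef" + b"hello_pdb\x00" + b"\xde\xad\xbe\xef" + b"youWontFindMe_v2\x00"

# Constructed config fragment, same keys as a target_binaries entry in the README.
SAMPLE_CFG = json.loads('''{
  "string_regex_list": ["^.*youWontFindMe.*"],
  "byte_patterns": ["DEADBEEF", "CAFEBABE"],
  "spot_checks": [{"address":"0x0","value":"AAAA"}, {"address":"0x4","value":"AAAA"}]
}''')

def byte_pattern_search(data, hex_patterns):
    """Return {pattern: [offsets]} for each hex pattern, including overlapping hits."""
    hits = {}
    for pat in hex_patterns:
        needle = bytes.fromhex(pat)
        offs, start = [], 0
        while (i := data.find(needle, start)) >= 0:
            offs.append(i)
            start = i + 1
        hits[pat] = offs
    return hits

def spot_check(data, address, value):
    """True if the char array at address equals value (assumption: ASCII, like "AAAA").
    An address past the end of the file simply reports False instead of raising."""
    expected = value.encode("ascii")
    addr = int(address, 16)
    return data[addr:addr + len(expected)] == expected

def extract_strings(data, min_len=4):
    """Minimal strings(1) stand-in: runs of printable ASCII at least min_len long."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def string_regex_search(strings, regex_list):
    """Return {regex: [matching strings]} for each perl-style regex."""
    return {rx: [s for s in strings if re.match(rx, s)] for rx in regex_list}

def run_checks(data, cfg):
    return {
        "byte_patterns": byte_pattern_search(data, cfg.get("byte_patterns", [])),
        "spot_checks": [(sc["address"], sc["value"], spot_check(data, sc["address"], sc["value"]))
                        for sc in cfg.get("spot_checks", [])],
        "string_regex": string_regex_search(extract_strings(data), cfg.get("string_regex_list", [])),
    }

if __name__ == "__main__":
    print(json.dumps(run_checks(SAMPLE_BIN, SAMPLE_CFG), indent=2))
```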