Writing a Scripted Loader

In IDA 5.6 Hex-Rays introduced the capability to implement loaders using Python or IDC scripts. In the Hex Blog posting announcing this new capability,[134] Elias Bachaalany of Hex-Rays describes a loader, implemented in Python, used to load a particular type of malicious .pdf file containing shellcode. The nature of malicious .pdf files is such that the loader does not generalize across all .pdf files, but the loader is an excellent example of how to load unsupported file formats in IDA.

Scripted loaders may be implemented in either IDC or Python and require at least two functions, accept_file and load_file, which perform functions similar to those previously described for SDK-based loaders. An IDC-based loader for the Simpleton file format is shown here:

#include <idc.idc>

#define SIMPLETON_MAGIC 0x1DAB00C

//Verify the input file format
//   li - loader_input_t object. See IDA help file for more information
//   n  - How many times we have been called
//Returns:
//   0 - file unrecognized
//   Name of file type - if file is recognized
static accept_file(li, n) {
   auto magic;
   if (n) return 0;
   li.readbytes(&magic, 4, 0);
   if (magic != SIMPLETON_MAGIC) {
      return 0;
   }
   return "IDC Simpleton Loader";
}

//Load the file
//   li - loader_input_t object
//   neflags - refer to loader.hpp for valid flags
//   format  - The file format selected by the user
//Returns:
//   1 - success
//   0 - failure
static load_file(li, neflags, format) {
   auto magic, size, base;
   li.seek(0, 0);
   li.readbytes(&magic, 4, 0);
   li.readbytes(&size, 4, 0);
   li.readbytes(&base, 4, 0);
   // copy bytes to the database
   loadfile(li, 12, base, size);
   // create a segment
   AddSeg(base, base + size, 0, 1, saRelPara, scPub);
   // add the initial entry point
   AddEntryPoint(base, base, "_start", 1);
   return 1;
}

Other than the use of IDC functions in place of SDK functions, the similarities between the IDC version of the simpleton loader and the C++ version presented earlier should be fairly obvious. Loader scripts are installed by copying them to <IDADIR>/loaders.

Python may also be used to develop loaders and allows for more robust development because it offers much greater access to IDA’s underlying SDK. Implemented in Python, the simpleton loader might look something like this.

import struct
from idaapi import *

#Verify the input file format
#   li - loader_input_t object. See IDA help file for more information
#   n  - How many times we have been called
#Returns:
#   0 - file unrecognized
#   Name of file type - if file is recognized
def accept_file(li, n):
   if (n):
      return 0
   li.seek(0)
   magic = struct.unpack("<I", li.read(4))[0]
   if magic != 0x1DAB00C:
      return 0
   return "Python Simpleton Loader"

#Load the file
#   li - loader_input_t object
#   neflags - refer to loader.hpp for valid flags
#   format  - The file format selected by the user
#Returns:
#   1 - success
#   0 - failure
def load_file(li, neflags, format):
   li.seek(0)
   (magic, size, base) = struct.unpack("<III", li.read(12))
   # copy bytes from file offset 12 into the database at [base, base + size)
   li.file2base(12, base, base + size, 1)
   # create a segment
   add_segm(0, base, base + size, ".text", "CODE")
   # add the initial entry point
   add_entry(base, base, "_start", 1)
   return 1
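Both loaders above hand the header's size and base fields straight to loadfile/file2base and AddSeg/add_segm without comparing them to the length of the input or to the 32-bit address space. The following example is added here and is not code from the book or from Hex-Rays: it parses the same three-field Simpleton header, refuses a truncated file, a size that exceeds the bytes actually present, an empty image, and a segment that would wrap past 0xFFFFFFFF, and it can build small Simpleton images for testing a loader. BytesInput is a constructed in-memory stand-in that mirrors the seek()/read()/size() calls a loader makes on loader_input_t (the size() method is assumed to match IDAPython's loader_input_t.size()); parse_header therefore works unchanged when passed the real li inside accept_file or load_file.

```python
import struct

# Simpleton header as used by the loaders above: three little-endian
# 32-bit fields (magic, size, base) followed by `size` bytes of code.
SIMPLETON_MAGIC = 0x1DAB00C
HEADER_FMT = "<III"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12
MAX_EA = 0xFFFFFFFF                        # assumed 32-bit address space


def build_simpleton(base, code):
    """Assemble a Simpleton image from a load address and raw code bytes."""
    code = bytes(code)
    return struct.pack(HEADER_FMT, SIMPLETON_MAGIC, len(code), base) + code


class BytesInput:
    """Constructed in-memory stand-in for the seek()/read()/size() subset of
    loader_input_t, so the header checks can run outside IDA."""

    def __init__(self, data):
        self._data = bytes(data)
        self._pos = 0

    def seek(self, offset, whence=0):
        if whence == 0:
            self._pos = offset
        elif whence == 1:
            self._pos += offset
        else:
            self._pos = len(self._data) + offset
        return self._pos

    def read(self, n):
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk

    def size(self):
        return len(self._data)


def parse_header(li):
    """Read and validate the Simpleton header through the li interface.

    Returns (size, base).  Raises ValueError for any header a loader should
    reject instead of passing it on to file2base()/add_segm().
    """
    li.seek(0)
    hdr = li.read(HEADER_LEN)
    if len(hdr) < HEADER_LEN:
        raise ValueError("file shorter than the 12-byte header")
    magic, size, base = struct.unpack(HEADER_FMT, hdr)
    if magic != SIMPLETON_MAGIC:
        raise ValueError("bad magic 0x%X" % magic)
    if size == 0:
        raise ValueError("empty image")
    present = li.size() - HEADER_LEN
    if size > present:
        raise ValueError("size field (%d) exceeds bytes present (%d)" % (size, present))
    if base + size - 1 > MAX_EA:
        raise ValueError("segment [0x%X, +0x%X) wraps the address space" % (base, size))
    return size, base


def is_simpleton(data):
    """True if `data` is a well-formed Simpleton image, else False."""
    try:
        parse_header(BytesInput(data))
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: three bytes of code to be loaded at 0x1000.
    image = build_simpleton(0x1000, b"\x90\x90\xc3")
    print(parse_header(BytesInput(image)))    # (3, 4096)
    # Same image, but the header now claims 0x10000 bytes of code.
    lying = image[:4] + struct.pack("<I", 0x10000) + image[8:]
    print(is_simpleton(lying))                # False
```

In a real loader the natural place for these checks is accept_file, so that a malformed image is never offered to the user as a Simpleton file in the first place; load_file can then re-run parse_header on li and use the returned values for the file2base and add_segm calls.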

One of the greatest strengths of scripting loaders (and plug-ins for that matter) is that they allow for rapid prototyping of modules that might eventually be implemented using the SDK.
