rhabdomancer
| Crates.io | rhabdomancer |
| lib.rs | rhabdomancer |
| version | 0.2.3 |
| source | src |
| created_at | 2024-11-05 09:31:03.764476 |
| updated_at | 2024-12-04 12:06:12.496099 |
| description | Vulnerability research assistant that locates all calls to potentially insecure API functions in a binary file. |
| homepage | https://0xdeadbeef.info/ |
| repository | https://github.com/0xdea/rhabdomancer |
| max_upload_size | |
| id | 1436259 |
| size | 65,776 |
raptor (0xdea)
documentation
https://0xdeadbeef.info/rhabdomancer/rhabdomancer/
README
rhabdomancer
"The road to exploitable bugs is paved with unexploitable bugs."
-- Mark Dowd
Rhabdomancer is a blazing fast IDA Pro headless plugin that locates all calls to potentially insecure API functions in a binary file. Auditors can backtrace from these candidate points to find pathways allowing access from untrusted input.
Features
- Blazing fast, headless user experience courtesy of IDA Pro 9 and Binarly's idalib Rust bindings.
- Support for C/C++ binary targets compiled for any architecture implemented by IDA Pro.
- Bad API function call locations are printed to stdout and marked in the IDB.
- Known bad API functions are grouped in tiers of badness to help prioritize the audit work.
- The list of known bad API functions can be easily customized by editing
conf/rhabdomancer.toml.
Blog post
See also
- https://github.com/0xdea/ghidra-scripts/blob/main/Rhabdomancer.java
- https://docs.hex-rays.com/release-notes/9_0#headless-processing-with-idalib
- https://github.com/binarly-io/idalib
- https://books.google.it/books/about/The_Art_of_Software_Security_Assessment.html
Installing
The easiest way to get the latest release is via crates.io:
- Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
- Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
- Install rhabdomancer as follows:
$ export IDASDKDIR=/path/to/idasdk90 $ cargo install rhabdomancer
Compiling
Alternatively, you can build from source:
- Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
- Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
- Compile rhabdomancer as follows:
$ git clone https://github.com/0xdea/rhabdomancer $ cd rhabdomancer $ export IDASDKDIR=/path/to/idasdk90 # or edit .cargo/config.toml $ cargo build --release
Usage
- Make sure IDA Pro is properly configured with a valid license.
- Customize the list of known bad API functions in
conf/rhabdomancer.tomlif needed. - Run rhabdomancer as follows:
$ rhabdomancer <binary_file> - Open the resulting
.i64IDB file with IDA Pro. - Select
View>Open subviews>Bookmarks - Enjoy your results conveniently collected in an IDA Pro window.
Note: rhabdomancer also adds comments at marked call locations.
Tested with
- IDA Pro 9.0.240925 on macOS arm64.
Changelog
TODO
- Enrich the known bad API function list (see https://github.com/0xdea/semgrep-rules).
- Implement a basic ruleset in the style of VulFi and VulnFanatic.