rhabdomancer
| Crates.io | rhabdomancer |
| lib.rs | rhabdomancer |
| version | 0.1.1 |
| source | src |
| created_at | 2024-11-05 09:31:03.764476 |
| updated_at | 2024-11-08 20:53:36.238568 |
| description | Vulnerability research assistant that locates all calls to potentially insecure API functions in a binary file. |
| homepage | https://0xdeadbeef.info/ |
| repository | https://github.com/0xdea/rhabdomancer |
| max_upload_size | |
| id | 1436259 |
| size | 110,091 |
raptor (0xdea)
documentation
https://0xdeadbeef.info/rhabdomancer/rhabdomancer/
README
rhabdomancer
"The road to exploitable bugs is paved with unexploitable bugs."
-- Mark Dowd
Rhabdomancer is a blazing fast IDA Pro headless plugin that locates all calls to potentially insecure API functions in a binary file. Auditors can backtrace from these candidate points to find pathways allowing access from untrusted input.
Features
- Blazing fast, headless user experience courtesy of IDA Pro and Binarly's idalib Rust bindings.
- Support for C/C++ binary targets compiled for any architecture implemented by IDA Pro.
- Bad API function call locations are printed to stdout and marked with comments in the IDB.
- Known bad API functions are grouped in tiers of badness to help prioritize the audit work.
Blog post
See also
- https://github.com/0xdea/ghidra-scripts/blob/main/Rhabdomancer.java
- https://docs.hex-rays.com/release-notes/9_0#headless-processing-with-idalib
- https://github.com/binarly-io/idalib/
- https://books.google.it/books/about/The_Art_of_Software_Security_Assessment.html
Installing
The easiest way to get the latest release is via crates.io:
- Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
- Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
- Install rhabdomancer as follows:
$ export IDASDKDIR=/path/to/idasdk90 $ cargo install rhabdomancer
Compiling
Alternatively, you can build the tool from source:
- Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
- Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
- Compile rhabdomancer as follows:
$ git clone https://github.com/0xdea/rhabdomancer $ cd rhabdomancer $ export IDASDKDIR=/path/to/idasdk90 # or edit .cargo/config.toml $ cargo build --release
Usage
- Make sure IDA Pro is properly configured with a valid license.
- Run rhabdomancer as follows:
$ rhabdomancer [binary file] - Open the resulting
.i64IDB file with IDA Pro. - Select
Search>Text..., flagFind all occurrences, and search for[BAD. - Enjoy your results conveniently collected in an IDA Pro window (but double check that all results are displayed, as text search is buggy and sometimes misses some comments).
Tested with
- IDA Pro 9.0.240925 on macOS arm64.
Changelog
TODO
- Try the
bookmarks_tAPI, despite it being cumbersome and having aMAX_MARK_SLOTof 1024. - Enrich the known bad API function list (see https://github.com/0xdea/semgrep-rules).
- Implement a basic ruleset in the style of https://github.com/Accenture/VulFi.