hrtng IDA plugin

hrtng IDA plugin is a collection of tools, ideas and experiments from different sources I've found interesting and useful in my reversing work.

"This open-source tool, now available on GitHub under the GPLv3 license, promises to be a game-changer for cybersecurity professionals and malware analysts worldwide. The plugin allows analysts to focus on higher-level analysis and threat assessment by automating tedious and time-consuming tasks. This could lead to faster identification and mitigation of new malware threats." Guru Baran (https://cybersecuritynews.com)

A practical guide to the reverse of a complex malware using the example of dissecting a FinSpy module with help of hrtng IDA plugin on securelist

Special thanks to following peoples for their great plugins were used as base for my work:

• Milan Bohacek, hexrays_tools and hexrays_hlight
• HexRaysDeob by Rolf Rolles and Takahiro Haruyama
• Karthik Selvaraj Krypton plugin
• Ali Rahbar, Ali Pezeshk and Elias Bachaalany GraphSlick plugin
• Markus Gaasedelen AVX support for the Hex-Rays x64 Decompiler

The plugin requires Hex-Rays decompiler presence in your IDA installation.
Only latest version of IDA is supported and evolves. However the plugin can be compiled with IDA SDK >= 7.3 but new features and fixes have been added for a newer IDA version are not tested with old versions.

Features of the plugin:

There is no one place in menu where all functionality of the plugin grouped together. The plugin's menu items placed closer to logically related standard IDA & Hex-Rays decompiler functions. Messages, menu items, popup windows and dialog boxes belong to this plugin are marked with "[hrt]" prefix.

Automation

• Pull up comments from disasm to pseudocode view
• Automatic renaming local and global variables, struct members
• Automatic enum substitution
• COM helper

Interactive pseudocode transformation

• User interactive renaming/retyping assistance
• Assists with changing type of structure member or local/global variable
• reinterpret_cast
• Collapse selection
• "offsetof" convertor

Decryption

• Strings/data/const decryption
• Build stack strings (optionally with decryption)
• Build array strings (optionally with decryption)
• Mass strings decryption

Deal with obfuscated code

• Decompile obfuscated code
• Scan for API names hashes
• Unflattening
• Microcode optimizers / "Magic" calls

Code recognition

• Microcode signatures
• De-Inline - detection of inlined functions

Type management assistance

• Create dummy structs
• Assist split gaps in structures
• Union creation for a variable is reused with different types
• List of structures with given size, with given offset
• Assist in creation of new structure definitions
• Finds structures with same "shape" as is used
• Import user named functions prototypes into the local type library
• New functionality in Structures view

Virtual/indirect calls assistance

• Virtual calls assistance
• Jump to indirect call destination
• Fix stack pointer for indirect call

Function name and type

• Smart rename func
• Convert function to __usercall, detect spoiled registers
• Set calling conventions bit closer to Go-lang
• Remove function's return type converting it to void func(...)
• Remove function's argument

IDA UI improvements

• Extended xrefs
• Matching brace highlight
• Auto turn on 'Functions' window content synchronisation

Misk features

• Get API help
• AVX lifter
• Dump strings, comments and names from the IDA database
• Offsets table creation
• Print reversing progress percent on a proc renaming
• Recursively decompile callees
• Deal with structures with negative offsets or access based on offsets in a middle of structure

Patching

• Patch custom area with NOPs
• Patch from debugger / Patch from file
• Search & Patch
• Create patched (DEC) file

IDA plugin developer help

• Microcode Explorer

Building

• Clone hrtng together with Crypto++® Library CMake submodule. Or put manually downloaded cryptopp-cmake source code to hrtng/src/cryptopp-cmake folder.

cd src
git clone --recurse-submodules https://github.com/KasperskyLab/hrtng.git

• Copy IDA_DIR/plugins/hexrays_sdk/include/hexrays.hpp file to the include directory of the IDA SDK. (Not necessary since IDA 9.0/8.5)
• Edit hrtng/src/CMakeLists.txt file to set correct path and version of used IDA SDK. To build later with another SDK version you may change cmake's IDASDK_VER variable with using cmake -D, ccmake or cmake-gui tools.
• Create build directory, go into it, configure and build cmake project

mkdir bld && cd bld
cmake <path-to/hrtng/src>
cmake --build . --config Release -j 4 --clean-first

• On the first build attempt with IDA SDK before version 9.1 there will be compiling error looks like:

hrtng/src/deob.cpp:912:60: error: ‘class rangeset_t’ has no member named ‘as_rangevec’
     fc.create("tmpfc2", ranges.as_rangevec(), 0);//!!! add line into range.hpp, class rangeset_t: "const rangevec_t &as_rangevec() const { return bag; }"

• To fix the error, edit IDA_SDK/include/range.hpp file, adding line with as_rangevec function implementation into class rangeset_t declaration as in the following example:

class rangeset_t
{
  rangevec_t bag;
  ...
  public:
  const rangevec_t &as_rangevec() const { return bag; }
  ...
};

• Copy built binaries into IDA_DIR/plugins folder togeter with apilist.txt and literal.txt files from hrtng/bin/plugins
• Profit

License

This program is released under GPL v3 license

Author

• Sergey.Belov at kaspersky.com