rhabdomancer

"The road to exploitable bugs is paved with unexploitable bugs."

-- Mark Dowd

Rhabdomancer is a blazing fast IDA Pro headless plugin that locates all calls to potentially insecure API functions in a binary file. Auditors can backtrace from these candidate points to find pathways allowing access from untrusted input.

Features

• Blazing fast, headless user experience courtesy of IDA Pro 9 and Binarly's idalib Rust bindings.
• Support for C/C++ binary targets compiled for any architecture implemented by IDA Pro.
• Bad API function call locations are printed to stdout and marked in the IDB.
• Known bad API functions are grouped in tiers of badness to help prioritize the audit work.
  • [BAD 0] High priority - Functions that are generally considered insecure
  • [BAD 1] Medium priority - Interesting functions that should be checked for insecure use cases.
  • [BAD 2] Low priority - Code paths involving these functions should be carefully checked.
• The list of known bad API functions can be easily customized by editing conf/rhabdomancer.toml.

Blog post

• https://security.humanativaspa.it/doing-vulnerability-research-with-ida-pro-and-rust (coming soon)

See also

• https://github.com/0xdea/ghidra-scripts/blob/main/Rhabdomancer.java
• https://docs.hex-rays.com/release-notes/9_0#headless-processing-with-idalib
• https://github.com/binarly-io/idalib
• https://books.google.it/books/about/The_Art_of_Software_Security_Assessment.html

Installing

The easiest way to get the latest release is via crates.io:

1. Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
2. Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
3. Install rhabdomancer as follows:

   $ export IDASDKDIR=/path/to/idasdk90
   $ export IDADIR=/path/to/ida # if not set, the build script will check common locations
   $ cargo install rhabdomancer
   

Compiling

Alternatively, you can build from source:

1. Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
2. Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
3. Compile rhabdomancer as follows:

   $ git clone https://github.com/0xdea/rhabdomancer
   $ cd rhabdomancer
   $ export IDASDKDIR=/path/to/idasdk90 # or edit .cargo/config.toml
   $ export IDADIR=/path/to/ida # if not set, the build script will check common locations
   $ cargo build --release
   

Usage

1. Make sure IDA Pro is properly configured with a valid license.
2. Customize the list of known bad API functions in conf/rhabdomancer.toml if needed.
3. Run rhabdomancer as follows:

   $ rhabdomancer <binary_file>
   

   Any existing .i64 IDB file will be updated; otherwise, a new file will be created.
4. Open the resulting .i64 IDB file with IDA Pro.
5. Select View > Open subviews > Bookmarks
6. Enjoy your results conveniently collected in an IDA Pro window.

Note: rhabdomancer also adds comments at marked call locations.

Tested with

• IDA Pro 9.0.240925 on macOS arm64 and Linux x64.
• IDA Pro 9.0.241217 on macOS arm64 and Linux x64.

Note: not tested on Windows, check idalib documentation if you want to try it yourself.

Changelog

• CHANGELOG.md

TODO

• Enrich the known bad API function list (see https://github.com/0xdea/semgrep-rules).
• Implement a basic ruleset in the style of VulFi and VulnFanatic.