The IDA Pro plug-in for Kam1n0 v2.0 creates a folder ~/Kam1n0/ to store the plug-in data and errors.
This tutorial first introduces the basic functionalities of the IDA Pro plug-in for Kam1n0 v2.0 and then goes through a simple index and search example.
The Kam1n0 v2.0 engine with the plug-in provides the functionalities to index and search assembly functions.
These functionalities can be found in the:
- IDA Pro Search Toolbar
- IDA Pro Functions Window
- IDA Pro Search Menu
- IDA Pro Edit Menu
- IDA Pro View A (popup menu)
Even though you can select functions from the popup menu of the IDA Pro Functions Window to search/index them, using the Search and Index buttons at the other places (e.g. the toolbar) opens a Selection Window which provides a more detailed configuration for multiple searches. For example, you can apply different filters and choose which connection you want to use to search/index them.
Let's go through a simple index and search case using the engine and plugin.
Suppose we have two binary files, libpng-1.7.0b54.dll from libpng and zlib-1.2.7.dll from zlib. These two files are included in our release file Example.zip. We suggest trying them first so as to be consistent with the following descriptions. You may index other binary files later as you wish. We index the first binary file, libpng-1.7.0b54.dll, and search the second one, zlib-1.2.7.dll, against it.
In this step, start the Kam1n0 engine and get the URL for the IDA Pro Plugin from the homepage of the APP you want to use by right-clicking it and choosing "copy link address".
Open IDA Pro and click on the Manage Connection Button in the toolbar. You are now able to review and edit the connections of the plug-in. Fill in the URL for the IDA Pro Plugin, the username and the password in the form, then click the Update/Add Button and OK.
To index only some functions, click on the Select Functions to Index Button in the toolbar (or in one of the other aforementioned locations). Select the functions you want to index and click the Continue Button. Each indexed binary is uniquely identified by its path, and each indexed function by its binary ID and starting address.
An embedded Chromium browser will pop up and show the progress of indexing. It has the same set of UI as the Kam1n0 Web interface. You can leave the page or monitor the progress with it.
Open IDA Pro and disassemble the target zlib-1.2.7.dll binary file as usual. Click on the Select Functions to Search Button in the toolbar. Suppose we want to search for the adler32 and compress2 functions. Select them using ctrl+click in the list, then click on the Continue Button.
An embedded Chromium browser will pop up and show the progress of searching; it will be redirected to the result page after the search completes. Similar to the Kam1n0 Web UI, for each retrieved function you can see the similarity, flow graph comparison, full text alignment and clone group alignment by clicking the corresponding icon. You can also see the clone graph by clicking it on the right side. It has the same set of UI as the Kam1n0 Web interface, except that we have an additional flow graph linking function here.
The user can jump from a basic block in the clone search result rendering views to the corresponding basic block in IDA View-A. This functionality is available in both the Clone List View and any Flow Graph View.
In any Flow Graph related view, if you double-click a specific basic block in the graph, IDA View-A will jump to the same basic block, either in the text or in the graph view. In any clone list view, if you open the right-click context menu on a query node in the tree, you will see an option to jump to the corresponding assembly function in IDA View-A.
To search all the functions of the binary file and keep the result in a file which will be shown on your homepage of the server, click on the Composition Analysis Button in the toolbar. An embedded Chromium browser will pop up and show the progress of the analysis. You can leave the page or monitor the progress with it.
You can find the result of the composition analysis later from your homepage, in the same way as you do in the Web UI.
Starting from version 1.x.x, we support assembly fragment search in IDA Pro. Simply select a couple of lines of assembly code and right-click on them to open the popup menu. Select the entry Query fragment. An embedded Chromium browser will pop up and show the progress of searching; it will be redirected to the result page after the search completes. The result page is similar to the result of a function search.
There is a search box to help you quickly locate the wanted information on the web pages of the embedded Chromium browser. The search box is hidden on the right edge of every web page. It is activated and slides out when the user presses control+F or clicks the search icon. After typing the keyword to be searched and pressing Enter, one can loop through the search results on the web page. Pressing the ESC key clears the search text box as well as all the highlighted search results.
The plug-in is written in Python using idaapi. In the original Kam1n0 IDA Plug-in, the communication is one-way between IDA Pro and the clone search result rendering windows. After the user sends a clone search request in the IDA Views, the plug-in creates a new IDA form to handle the request and a new process for the result rendering windows. If the query contains multiple assembly functions, the IDA form searches each of them and merges the search results. During this process, the IDA Pro Window is frozen and the user cannot use it until the search finishes (as shown in the figure below).
In the updated Kam1n0 v2.x IDA Plug-in, we remove the original IDA form for searching and adopt a web-based interface for progressively searching and merging the clone results. The search operations are conducted in the plug-in process. Therefore, the main IDA Pro process is not blocked. The user can still use other IDA windows while the clone search is in progress.
In the original IDA Pro plug-in, calling IDA SDK functions from the rendering windows is impossible. We introduce a two-way messaging communication channel between the IDA Pro process and the plug-in process. In the plug-in process, one can execute any IDA commands using JavaScript or Python. The commands are pushed to a shared messaging queue between these two processes. In the IDA Pro process, we create a message listener that monitors the queue and executes any requested commands. We implemented a simple communication channel ourselves since the original multiprocessing module in Python does not work in IDA Pro or other Python-embedded applications. Such a design enables the interaction between the clone search result rendering process and the IDA Pro UI process.
The user interface consists of two parts:
- The native idaapi forms and controls: the Connection Management Form, the Select Function to Search Form, and the Select Function to Index Form.
- Unlike the Kam1n0 v1.x plug-in for IDA Pro, the new plug-in directly uses the web pages from the Kam1n0 server. They share the same set of UI for better code maintainability.
We find it difficult to update the IDA Pro UI asynchronously using idaapi. If a thread other than the main thread updates the interface while the user interacts with (e.g. clicks on) the interface, IDA Pro will freeze or crash. Instead, we create a new process to render the clone search results. Backward communication is realized by inter-process communication. The user can still use IDA Pro throughout the process of searching and rendering.
To interact with the Kam1n0 web services, we build our own network wrapper using the built-in urllib in Python to send requests and the json lib to parse the JSON results. The connection utility itself can be a standalone client for plug-ins of other disassemblers. One only needs to implement the disassembly extraction utils in IDAUtils for the other disassemblers.