Expand description
§augur
“In fact, I’ve actually triggered buffer overflows by just entering my real name.”
– A.
Augur is a blazing fast IDA Pro headless plugin that extracts strings and related pseudocode from a binary file. It stores pseudocode of functions that reference strings in an organized directory tree.
§Features
- Blazing fast, headless user experience courtesy of IDA Pro 9.x and Binarly’s idalib Rust bindings.
- Support for binary targets for any architecture implemented by IDA Pro’s Hex-Rays decompiler.
- Decompilation feature based on the
decompile_to_fileAPI exported by haruspex. - Pseudocode of each function that references a specific string is stored in a separate directory.
§Blog posts
- https://hex-rays.com/blog/streamlining-vulnerability-research-idalib-rust-bindings
- https://hnsecurity.it/blog/streamlining-vulnerability-research-with-ida-pro-and-rust
§See also
- https://github.com/0xdea/rhabdomancer
- https://github.com/0xdea/haruspex
- https://docs.hex-rays.com/release-notes/9_0#headless-processing-with-idalib
- https://github.com/idalib-rs/idalib
§Installing
The easiest way to get the latest release is via crates.io:
- Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
- Install LLVM/Clang (see https://rust-lang.github.io/rust-bindgen/requirements.html).
- On Linux/macOS, install as follows:On Windows, instead, use the following commands:
export IDADIR=/path/to/ida # if not set, the build script will check common locations cargo install augur$env:LIBCLANG_PATH="\path\to\clang+llvm\bin" $env:PATH="\path\to\ida;$env:PATH" $env:IDADIR="\path\to\ida" # if not set, the build script will check common locations cargo install augur
§Compiling
Alternatively, you can build from source:
- Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
- Install LLVM/Clang (see https://rust-lang.github.io/rust-bindgen/requirements.html).
- On Linux/macOS, compile as follows:On Windows, instead, use the following commands:
git clone --depth 1 https://github.com/0xdea/augur cd augur export IDADIR=/path/to/ida # if not set, the build script will check common locations cargo build --releasegit clone --depth 1 https://github.com/0xdea/augur cd augur $env:LIBCLANG_PATH="\path\to\clang+llvm\bin" $env:PATH="\path\to\ida;$env:PATH" $env:IDADIR="\path\to\ida" # if not set, the build script will check common locations cargo build --release
§Usage
- Make sure IDA Pro is properly configured with a valid license.
- Run as follows:
augur <binary_file> - Find the extracted pseudocode of each decompiled function in the
binary_file.strdirectory, organized by string:vim <binary_file>.str code <binary_file>.str
§Compatibility
- IDA Pro 9.0.241217 - Latest compatible: v0.2.3.
- IDA Pro 9.1.250226 - Latest compatible: v0.6.2.
- IDA Pro 9.2.250908 - Latest compatible: v0.7.5.
- IDA Pro 9.3.260213 - Latest compatible: current version.
[!NOTE] Check the idalib documentation for additional information.
§Changelog
§TODO
- Integrate with oneiromancer.
- Allow users to choose to process string cross-references even if the decompiler is unavailable.
- Consider converting
traverse_xrefsto an iterative walk to avoid potential stack overflows and infinite loops. - Consider integrating proptest to complement unit testing.
- Implement functionality similar to https://github.com/joxeankoret/idamagicstrings.
Functions§
- run
- Extract strings and pseudocode of each function that references them from the binary at
filepathand save them infilepath.str.