Crate haruspex

haruspex - Tool to extract IDA decompiler’s pseudo-code Copyright (c) 2024-2025 Marco Ivaldi raptor@0xdeadbeef.info

“Hacking is the discipline of questioning all your assumptions all of the time.”

– Dave Aitel

Haruspex is a blazing fast IDA Pro headless plugin that extracts pseudo-code generated by IDA Pro’s decompiler in a format that should be suitable to be imported into an IDE or parsed by static analysis tools such as Semgrep, weggli, or oneiromancer.

Features

• Blazing fast, headless user experience courtesy of IDA Pro 9 and Binarly’s idalib Rust bindings.
• Support for binary targets for any architecture implemented by IDA Pro’s Hex-Rays decompiler.
• Pseudo-code of each function is stored in a separated file in the output directory for easy inspection.
• External crates can invoke decompile_to_file to decompile a function and save its pseudo-code to disk.

Blog post

• https://security.humanativaspa.it/streamlining-vulnerability-research-with-ida-pro-and-rust

See also

• https://github.com/0xdea/ghidra-scripts/blob/main/Haruspex.java
• https://github.com/0xdea/semgrep-rules
• https://github.com/0xdea/weggli-patterns
• https://docs.hex-rays.com/release-notes/9_0#headless-processing-with-idalib
• https://github.com/binarly-io/idalib
• https://github.com/xorpse/parascope
• https://security.humanativaspa.it/automating-binary-vulnerability-discovery-with-ghidra-and-semgrep

Installing

The easiest way to get the latest release is via crates.io:

1. Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
2. Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
3. Install haruspex as follows:

   $ export IDASDKDIR=/path/to/idasdk90
   $ export IDADIR=/path/to/ida # if not set, the build script will check common locations
   $ cargo install haruspex # or run cargo add haruspex to install as a library

Compiling

Alternatively, you can build from source:

1. Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
2. Download and extract the IDA SDK (see https://docs.hex-rays.com/developer-guide).
3. Compile haruspex as follows:

   $ git clone https://github.com/0xdea/haruspex
   $ cd haruspex
   $ export IDASDKDIR=/path/to/idasdk90 # or edit .cargo/config.toml
   $ export IDADIR=/path/to/ida # if not set, the build script will check common locations
   $ cargo build --release

Usage

1. Make sure IDA Pro is properly configured with a valid license.
2. Run haruspex as follows:

   $ haruspex <binary_file>

3. Find the extracted pseudo-code of each decompiled function in the binary_file.dec directory:

   $ vim <binary_file>.dec
   $ code <binary_file>.dec

Tested with

• IDA Pro 9.0.240925 on macOS arm64 and Linux x64.
• IDA Pro 9.0.241217 on macOS arm64 and Linux x64.

Note: only the unix target family is currently supported, check idalib documentation if you want to port it to windows yourself.

Changelog

• https://github.com/0xdea/haruspex/blob/master/CHANGELOG.md

TODO

• Implement support for the windows target family.
• Integrate with Semgrep scanning (see https://github.com/0xdea/semgrep-rules).
• Integrate with weggli scanning (see https://github.com/0xdea/weggli-patterns).
• Improve decompiler output in the style of HexRaysPyTools and abyss.
• Implement parallel analysis (see https://github.com/fugue-re/fugue-mptp).

Enums

• HaruspexError

Statics

• COUNTER 🔒
  Number of decompiled functions

Functions

• decompile_to_file
  Decompile function func in IDB idb and save its pseudo-code to output file at filepath.
• run
  Extract pseudo-code of functions in the binary file at filepath and save it in filepath.dec.