Crate haruspex

Crate haruspex 

Source
Expand description

§haruspex

build doc

“Hacking is the discipline of questioning all your assumptions all of the time.”

– Dave Aitel

Haruspex is a blazing fast IDA Pro headless plugin that extracts pseudocode generated by IDA Pro’s decompiler in a format that should be suitable to be imported into an IDE, or parsed by static analysis tools such as Semgrep, weggli, or oneiromancer.

§Features

  • Blazing fast, headless user experience courtesy of IDA Pro 9.x and Binarly’s idalib Rust bindings.
  • Support for binary targets for any architecture implemented by IDA Pro’s Hex-Rays decompiler.
  • Pseudocode of each function is stored in a separated file in the output directory for easy inspection.
  • External crates can invoke decompile_to_file to decompile a function and save its pseudocode to disk.

§Blog posts

§See also

§Installing

The easiest way to get the latest release is via crates.io:

  1. Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
  2. Install LLVM/Clang (see https://rust-lang.github.io/rust-bindgen/requirements.html).
  3. On Linux/macOS, install as follows:
    export IDADIR=/path/to/ida # if not set, the build script will check common locations
cargo install haruspex
    On Windows, instead, use the following commands:
    $env:LIBCLANG_PATH="\path\to\clang+llvm\bin"
$env:PATH="\path\to\ida;$env:PATH"
$env:IDADIR="\path\to\ida" # if not set, the build script will check common locations
cargo install haruspex

§Compiling

Alternatively, you can build from source:

  1. Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
  2. Install LLVM/Clang (see https://rust-lang.github.io/rust-bindgen/requirements.html).
  3. On Linux/macOS, compile as follows:
    git clone --depth 1 https://github.com/0xdea/haruspex
cd haruspex
export IDADIR=/path/to/ida # if not set, the build script will check common locations
cargo build --release
    On Windows, instead, use the following commands:
    git clone --depth 1 https://github.com/0xdea/haruspex
cd haruspex
$env:LIBCLANG_PATH="\path\to\clang+llvm\bin"
$env:PATH="\path\to\ida;$env:PATH"
$env:IDADIR="\path\to\ida" # if not set, the build script will check common locations
cargo build --release

§Usage

  1. Make sure IDA Pro is properly configured with a valid license.
  2. Run as follows:
    haruspex <binary_file>
  3. Find the extracted pseudocode of each decompiled function in the binary_file.dec directory:
    vim <binary_file>.dec
code <binary_file>.dec

§Compatibility

Only the latest IDA Pro release is officially supported, but older versions may work as well. The following table summarizes the latest compatible release for each IDA Pro version:

IDA Pro versionLatest compatible release
v9.0.240925v0.2.4
v9.0.241217v0.3.5
v9.1.250226v0.6.2
v9.2.250908v0.7.5
v9.3.260213v0.8.1
v9.3.260327v0.9.0
v9.3.260421current release

[!NOTE] Check the idalib documentation for additional information.

§Changelog

§TODO

Enums§

HaruspexError
Haruspex error type

Functions§

decompile_to_file
Decompile Function func in IDB idb and save its pseudocode to the output file at filepath.
run
Extract pseudocode of functions in the binary file at filepath and save it in filepath.dec.