IDA-Pro/plugins/flare-ida/msdn-annotations

From aldeid
MSDN Annotations

Description

MSDN Annotations is a very convenient plugin for malware analysts. It uses the MSDN documentation to document functions, arguments and constants. Below is an example of what it does:

[Screenshot: Ida-flare-msdn-annotations-001.png]

If you need more information about this plugin, refer to this documentation.

Installation

MSDN documentation

You will first need to download and install the MSDN documentation. The full package is available here.

During the installation process, you only need to install the documentation package:

[Screenshot: Ida-flare-msdn-annotations-002.png]

The Help files we are interested in are installed in C:\Program Files\Microsoft SDKs\Windows\v7.0\Help\1033.

TILIB.EXE

Download the tilib executable from the Hex-Rays download page: https://www.hex-rays.com/products/ida/support/download.shtml (registered users only).

Copy tilib.exe to your IDA Pro installation directory (e.g. C:\Program Files (x86)\IDA 6.6).

Note: More information can be found here: https://www.hex-rays.com/products/ida/5.3/tilib.txt

Install BeautifulSoup

The BeautifulSoup Python dependency is required by msdn_crawler.py. The recommended way to install it is via pip:

C:\> pip install BeautifulSoup

MSDN_CRAWLER

Warning: Before you run the script, make sure you create a valid output directory (MSDN_data).
Syntax
msdn_crawler.py <MSDN documentation> <tilib.exe> <til files>
Example
C:\> cd \temp\flare-ida
C:\temp\flare-ida> mkdir MSDN_data
C:\temp\flare-ida> python MSDN_crawler\msdn_crawler.py "C:\Program Files\Microsoft SDKs\Windows\v7.0\Help\1033" "C:\Program Files (x86)\IDA 6.6\tilib.exe" "C:\Program Files (x86)\IDA 6.6\til\pc"
Output
The script will output a file named msdn_data_nn.xml in MSDN_data. Rename it to msdn_data.xml and move the entire directory to your IDA installation:
C:\temp\flare-ida> move MSDN_data\msdn_data_nn.xml MSDN_data\msdn_data.xml
C:\temp\flare-ida> move MSDN_data "\Program Files (x86)\IDA 6.6"
Known errors
If the script returns errors (see here), you can use a modified version of msdn_crawler.py or directly download a resulting msdn_data_nn.xml file.
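The checks around the crawler run described above (inputs present, output directory created, result renamed only if it parses) can be scripted. This is an added example, not part of flare-ida or the original page; the function names preflight and finalize_output are hypothetical, and the msdn_data_*.xml glob assumes "nn" is a suffix chosen by the crawler.

```python
import glob
import os
import shutil
import xml.etree.ElementTree as ET


def preflight(help_dir, tilib_exe, til_dir, out_dir="MSDN_data"):
    """Return a list of problems that would make msdn_crawler.py fail."""
    problems = []
    if not os.path.isdir(help_dir):
        problems.append("MSDN help directory not found: " + help_dir)
    if not os.path.isfile(tilib_exe):
        problems.append("tilib.exe not found: " + tilib_exe)
    if not os.path.isdir(til_dir):
        problems.append("til directory not found: " + til_dir)
    if not os.path.isdir(out_dir):
        problems.append("output directory missing, create it first: " + out_dir)
    return problems


def finalize_output(out_dir="MSDN_data"):
    """Rename the crawler's msdn_data_nn.xml to msdn_data.xml if it parses.

    Returns the final path; raises ValueError when no usable file exists.
    """
    candidates = glob.glob(os.path.join(out_dir, "msdn_data_*.xml"))
    if not candidates:
        raise ValueError("no msdn_data_*.xml in " + out_dir)
    newest = max(candidates, key=os.path.getmtime)
    try:
        # Well-formedness check only (not a schema check); intended for a
        # file the crawler generated locally.
        ET.parse(newest)
    except ET.ParseError as exc:
        raise ValueError("%s is not well-formed XML: %s" % (newest, exc))
    target = os.path.join(out_dir, "msdn_data.xml")
    shutil.move(newest, target)
    return target


if __name__ == "__main__":
    # Paths taken from the example on this page; adjust to your install.
    for problem in preflight(
            r"C:\Program Files\Microsoft SDKs\Windows\v7.0\Help\1033",
            r"C:\Program Files (x86)\IDA 6.6\tilib.exe",
            r"C:\Program Files (x86)\IDA 6.6\til\pc"):
        print(problem)
```

Run preflight before msdn_crawler.py and finalize_output after it; a truncated file left behind by a failed crawl is rejected instead of being renamed and copied into the IDA directory.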

Usage

Start the Python script annotate_IDB_MSDN.py (File > Script file...). The following form is displayed:

[Screenshot: Ida-pro-flare-ida-msdn-annotations-003.png]

When you click OK, the code will be analyzed and you will see annotations.
