Tell me more ×
Reverse Engineering Stack Exchange is a question and answer site for researchers and developers who explore the principles of a system through analysis of its structure, function, and operation. It's 100% free, no registration required.
up vote 9 down vote favorite
3

Are there any good resources for developing debugger plugins in IDA Pro using the SDK that describe the IDA debugger API? An example of this is the IDA Pro ARM debugger plugin on Sourceforge. There seem to be few projects that have accomplished this. Specifically, how do you make a plugin in IDA which registers itself as one of the available debuggers and allows stepping through the IDA database while controlling a target?

share|improve this question

4 Answers

up vote 4 down vote accepted

None of the answers so far answer the actual question so here goes.

A debugger plugin differs from a "normal" one in two points:

  1. it has PLUGIN_DBG in the plugin's flags.
  2. in init(), it must set the global variable dbg to a pointer to an implementation of debugger_t structure. See idd.hpp for the definition.

For examples, see plugins/debugger in the SDK, and also the recently updated idados plugin. Warning: making debugger plugins is not for the faint of heart.

share|improve this answer
up vote 4 down vote

You can look for manual of IDA Plug-in in C/C++ here.

Also You may watch a talk of IDA-Pro Creator Ilfak Guilfanov on Recon 2008 "BUILDING PLUGINS FOR IDA PRO" at SecurityTube

And there is also IDAPython to create small automations too.

share|improve this answer
I already have resources on IDA plugin writing - I'm looking for resources that describe the IDA debugger API. – dingo_kinznerhook Apr 22 at 20:04
@DenisLaskov: when I took the IDA training three and a half years ago Elias told us that Python could now also be used to write plugins and loaders, so "small automations" is somewhat of an understatement ;) – 0xC0000022L Apr 22 at 23:04
@0xC0000022L :) You totally right, I forgot to add quotes around 'automation' :) – Denis Laskov Apr 23 at 3:58
up vote 4 down vote

The debughook.py example script from the idapython suite illustrates all debug events that can be processed by a debugger plugin.

Example script

Here's a very simple script that colorizes all instructions as you trace them with the debugger.

# Simple script that colorizes all instruction the debugger halts at or
# the user traces with the debugger in yellow. Instruction that are hit
# a ssecond time are colored in red.

from idaapi import *
from idc import *

class Colorizer(DBG_Hooks):

  def __init__(self):
    DBG_Hooks.__init__(self)
    self.locations_ = set()

  def colorize(self, ea):
    if ea in self.locations_:
      SetColor(ea, CIC_ITEM, 0x2020c0)
    else:
      SetColor(ea, CIC_ITEM, 0x80ffff)
      self.locations_.add(ea)

  def dbg_bpt(self, tid, ea):
    self.colorize(ea)
    return 0

  def dbg_step_into(self):
    self.colorize(GetRegValue("eip"))

try:
  if debughook:
    print("Removing previous hook ...")
    debughook.unhook()
except:
  pass

colorizer = Colorizer()
colorizer.hook()

Some notes

If you read from process memory in one of your debugger callbacks, you need to call refresh_debugger_memory() first (see file comment for RefreshDebuggerMemory() in idc.py). If you can, avoid that call since it is somewhat expensive.

You can easily access all register via the cpu instance from the idautils package:

print "EAX has the value: %X" % cpu.Eax

To read the current value from the top of the stack, use something like

print "TOS: %X" % Dword(cpu.Esp)
share|improve this answer
up vote 2 down vote

The IDA Pro Book 2nd edition from Chris Eagle has a little info in chapter 24 on interacting with the debugger through IDC and the SDK, but is more automation focused. Other than that maybe reading the source of other plugins that are doing this such as the ARM debugger plugin referenced in the question and digging through dbg.hpp in the SDK to see what it exposes. It also appears the source for IDA's debugger plugins is available in plugins/debugger in the SDK. I haven't seen writing a debugger plugin specifically documented.

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.