23 May

Updated IDA Pro plugins

I updated my IDA Pro plugins back in March; they are here: IDA Plugins.
I made a post on the IDA Pro forum but forgot to note it here until now.

Added a few new features to some, like code and/or data segment selectors, etc.
The best thing: I’ve removed most if not all of the slow string searching (where it was used) and in general did some speed optimizations.
Now several key ones like “Class Informer” and “ExtraPass” are exponentially faster.

For reversing Windows executables I find IMHO two that are pretty much a necessity:

1) ExtraPass – Cleans up some potential IDA problems by doing an “extra pass” (actually several passes) and finding missing code sections and in turn missing functions, etc.
Can clean up some of the mess found in large disconnected (from functions that have no references) executables.

ExtraPass fixed 17,920 functions and 323 alignment blocks in a large 75k function target.

2) Class Informer – Finds C++ RTTI, and MFC RTCI type data and structure defs, names, labels, and comments to make more sense of class vftables.
For executables that have this type info it can bring a huge amount of understanding to see actual class and structure names.
Might provide some kind of conceptual anchor points between different versions of your target executable.
You might see methods from familiar static libraries too and so on.
Plus, with all the structure placing, it can do some cleanup of the target data section(s) and trigger more IDA autoanalyzing that in turn cleans up more code spaces too.
Made it to “External Resources” on the IDA Support page 🙂
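
To show where RTTI class names come from, here is an added example (not Class Informer's code and not from the original post) that scans a byte buffer for MSVC-style RTTI type descriptor names and decodes them. It assumes the MSVC decorated form (`.?AV` for a class, `.?AU` for a struct), handles only non-template names, and uses a constructed sample buffer; `find_rtti_names` and `SAMPLE` are hypothetical names.

```python
import re

# MSVC stores each RTTI TypeDescriptor name as a decorated, NUL-terminated
# string: ".?AV" (class) or ".?AU" (struct), then the name scopes listed
# innermost-first and separated by "@", closed by "@@".
# Template names (".?AV?$...") do not match this pattern and are skipped.
_TD_NAME = re.compile(rb"\.\?A([VU])((?:[A-Za-z_][A-Za-z0-9_]*@)+)@\x00")
_KIND = {b"V": "class", b"U": "struct"}


def find_rtti_names(blob):
    """Return (offset, kind, qualified_name) for each simple descriptor name."""
    found = []
    for m in _TD_NAME.finditer(blob):
        # "Point@geo@" -> ["Point", "geo"] -> "geo::Point"
        scopes = m.group(2).decode("ascii").rstrip("@").split("@")
        found.append((m.start(), _KIND[m.group(1)], "::".join(reversed(scopes))))
    return found


# Constructed sample: padding bytes around three descriptor names, the last
# one a template instantiation that this simple decoder leaves alone.
SAMPLE = (
    b"\x00" * 8
    + b".?AVCWnd@@\x00"
    + b"\xcc" * 5
    + b".?AUPoint@geo@@\x00"
    + b".?AV?$vector@H@std@@\x00"
)

if __name__ == "__main__":
    for offset, kind, name in find_rtti_names(SAMPLE):
        print(f"{offset:#06x}  {kind} {name}")
```
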


Another IMHO that can be very useful is my Function String Associate plug-in that automatically comments functions by the strings contained within them.
When you are browsing around in your target IDB for functions that have “assert”, or otherwise “error” type strings, you will see them.
You might, just by seeing these strings, associate some kind of context to what the function is for et al.


You can find my released plugins here: IDA plugins

3 thoughts on “Updated IDA Pro plugins”

  1. Hi, I thought I posted this comment here before but guess I must not have. I would have posted this on your forums but for some reason the captcha image doesn’t show up so I can’t register.

    First I would like to say thank you, I love your plug-ins and can’t thank you enough for them. I don’t know if you check your blog comments regularly but hopefully you do. I have run into a bug or I am doing something wrong because when I run Class Informer it works perfect and the subview comes up perfect but when I save the decompiled program (packed) and close IDA the next time I open IDA the Class Informer subview is gone. Now I don’t know if there is some way to bring the view back up or if I have to run class informer all over again. Any help would be greatly appreciated.

    And again thank you for your hard work and great plug-ins,
    David

  2. Thanks, I got around to fixing that now (broke in the last phpBB update).
    You should be able to register an account now.

    Feel free to post in the thread so others can see it Class Informer.

    Yea I understand this. It’s how the plug-in works currently.
    It doesn’t do any persistent storage. I think this should be possible to add it to an IDB’s “nodes” but haven’t gotten around to R&D and implementing it.

    You’ll just have to run the plug-in again. It shouldn’t be a problem because for example it will skip existing comments, etc.

  3. First I would like to say thank you, I love your plug-ins and can’t thank you enough for them. I don’t know if you check your blog comments regularly but hopefully you do. I have run into a bug or I am doing something wrong because when I run Class Informer it works perfect and the subview comes up perfect but when I save the decompiled program (packed) and close IDA the next time I open IDA the Class Informer subview is gone. Now I don’t know if there is some way to bring the view back up or if I have to run class informer all over again. Any help would be greatly appreciated.
    +1
