Sunday, February 24, 2008

Building IDC on the fly

IDC is a C-like scripting language that IDA uses. It was originally hacked in as a way to automate certain tasks within IDA.

There are two ways to execute an IDC script, one is by using the 'Quick IDC' (Shift-F2) text box and either copy/pasting the code in, or writing it from scratch. The other is to create a *.idc file and execute that (File->IDC File).

As a language, IDC is very poor, and it is laced with numerous inconsistencies and hacks.

To name a few I've come across:

- You cannot use C-style comments from within Quick IDC scripts (though when loading via file, you can)
- The IDC reference (Help->Help Index : Index of IDC functions) is one of the worst language references I've seen, most elements are either described sparsely or not at all.
- There is no example usage
- There are no types (everything is a variant or 'auto' variable)
- Contains a mixture of three different naming styles in the IDC reference alone (and names are case-sensitive), e.g.:
  1. loadfile
  2. isCode
  3. DelFunction
- The functionality offered is very basic
- The list goes on...

All is not lost! There exists another way to automate IDA: by writing plugins. Plugins are binaries that IDA loads dynamically, and they have much greater control over the data and the interface than IDC scripts do. However, the SDK that comes with IDA is sloppy and poorly documented (marginally better than IDC, but only marginally), which makes writing plugins a lesson in tedium that will sorely test the patience of any seasoned coder.

So what do you do if you need to do simple tasks that IDC isn't up to, but that don't warrant a full-blown plugin? In some circumstances this can be done by using a separate language to build up IDC scripts on the fly. It requires an extra step in the process, but in some cases it is much better than either a plugin or IDC alone.

It is at these times that I use Lua. I write a Lua script that does the processing and builds an IDC file on the fly, which I then load into IDA manually. I used this exact method to parse an otx output file into an IDA database. Not only did it work well, but I only had to look up two IDC methods, rather than code the whole thing in IDC and spend all my time working around its basic inadequacies.
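The generator pattern described above, as an added example that is not the post's own Lua script: it is written in Python rather than Lua, parses a constructed, simplified otx-style listing (not real otx output), and emits an IDC file that names and defines each function. The IDC calls used (MakeFunction, MakeName, MakeComm, BADADDR from idc.idc) are from the classic IDC API; which two calls the post's author actually needed is not stated, so this choice is mine. The one check worth carrying over to any generator of this kind is idc_string: the generated script executes inside IDA, so every string taken from the input listing is escaped before it is placed in an IDC string literal, and symbol names are reduced to characters IDA accepts as identifiers.

```python
import re

# Constructed, simplified otx-style listing (not real otx output). A symbol
# header line is followed by indented "+offset address bytes mnemonic" lines.
SAMPLE_LISTING = """\
-[AppDelegate applicationDidFinishLaunching:]
    +0  00002a40  55          pushl   %ebp
    +1  00002a41  89e5        movl    %esp,%ebp
+[Helper sharedInstance]
    +0  00002b10  55          pushl   %ebp
_main
    +0  00002c00  55          pushl   %ebp
"""

# Objective-C method headers ("-[Class sel:]", "+[Class sel]") or plain C symbols.
HEADER_RE = re.compile(r'^(?P<sym>[-+]\[[^\]]+\]|_\w+)\s*$')
# Instruction lines: leading whitespace, "+offset", then an 8-hex-digit address.
LINE_RE = re.compile(r'^\s+\+\d+\s+(?P<addr>[0-9a-fA-F]{8})\s')


def parse_listing(text):
    """Return a list of (start_address, symbol) pairs, one per function.

    The first instruction line after a header gives the function's start address.
    """
    funcs = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group('sym')
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            funcs.append((int(m.group('addr'), 16), current))
            current = None
    return funcs


def ida_name(symbol):
    """Reduce a symbol to an identifier IDA will accept as a name.

    "-[Cls sel:]" becomes "m_Cls_sel_", "+[Cls sel]" becomes "c_Cls_sel",
    plain C symbols keep their underscore prefix. (Naming scheme is my own.)
    """
    m = re.match(r'^([-+])\[(.+)\]$', symbol)
    if m:
        kind = 'm' if m.group(1) == '-' else 'c'
        body = kind + '_' + m.group(2)
    else:
        body = symbol
    return re.sub(r'[^A-Za-z0-9_]', '_', body)


def idc_string(s):
    """Quote s as an IDC string literal, escaping backslashes and double quotes
    so that text taken from the input listing cannot break out of the literal
    and become IDC code when IDA runs the generated file."""
    return '"' + s.replace('\\', '\\\\').replace('"', '\\"') + '"'


def build_idc(funcs):
    """Emit a complete IDC file: define each function, name it, and keep the
    original symbol as a comment."""
    lines = [
        '// generated from a disassembly listing; load via File->IDC File',
        '#include <idc.idc>',
        '',
        'static main()',
        '{',
    ]
    for addr, sym in funcs:
        lines.append('    MakeFunction(0x%08X, BADADDR);' % addr)
        lines.append('    MakeName(0x%08X, %s);' % (addr, idc_string(ida_name(sym))))
        lines.append('    MakeComm(0x%08X, %s);' % (addr, idc_string(sym)))
    lines += ['}', '']
    return '\n'.join(lines)


if __name__ == '__main__':
    # Write the result to stdout; redirect to a .idc file and load it in IDA.
    print(build_idc(parse_listing(SAMPLE_LISTING)), end='')
```

Because the output is loaded as a file (File->IDC File), it may carry the C-style comment on its first line; the same text pasted into Quick IDC would not be accepted, per the limitation noted above.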

The code and instructions for using it will follow...
