Just a simple combination of some existing projects :)
It can help you:
- Demangle the Rust function name
- Add some Rust type(like str, you can join more types by youself!)
- Identify Rust strlit and rename str struct
First, Install rust_demangler: pip install rust_demangler
And then, just copy the file IDARustHelperPlugin.py
and the folder IDARustHelper
to ${IDA_DIR}/plugins
.
Edit
-> Plugins
-> IDA Rust Helper
, and then wait a few seconds.
Just tested on IDA Pro 7.7, python3.8 and 64bit ELF. But it should work on Windows PE, Mach-O.
Also should work with IDA Pro 8.x.
Arm, RISC-V should be work well also, both 32bit and 64bit.
callregs_t.set
need aint const *
parm, but I really don't know how to pass it...
Before I start, I would like to sincerely thank teambi0s, timetravelthree, hex-rays for their work!
For the part of demangling, I combine the work of teambi0s and timetravelthree. Teambi0s's work can demangle most symbols, and timetravelthree's work was able to re-mangle the symbols to make them more friendly to display in IDA.
Re-mangle can't quite get the symbols to display perfectly in IDA, because IDA has a character limit for symbols, but I think it's enough. If you want full display, you can modify the character whitelist in ida.cfg
(like NameChars
variant) to bypass the restriction.
Just definde them in C declation and parse them! You can see RustType.py
to get implementation details.
For this part, I just simply ported the hex-rays plugin to idapython. It follows the following basic idea:
- Scan the entire read-only data segment to find long strings and initially split them based on xrefs.
- Depending on the location of the xrefs, they are categorised into data references and code references, and different methods are used to detect their legitimacy.
- For data references, some string literals are referenced in a form similar to golang's str structure, and we can find them in places like .data.rel.ro segments. Sometimes a literal is referenced by many str structures, and the length of the string literal is finally determined by traversing them and comparing them to the length of the initial division.
- For code references, some string literals and their lengths are reflected directly in the assignment of instructions, the actual form of which will vary depending on the machine. The final length of the string is found by pattern matching.
- Finally, all found str structures will be typed and renamed to make it easier to analyse in the code.