IDA Pro plugin to aid with the analysis of native IIS modules.
Copy both iis_helper_plugin.py and iis_helper_classes.py to the plugins directory of your IDA Pro installation.
For example, if using IDA 8.3 on Windows, you can find this directory as %PROGRAMFILES%\IDA Pro 8.3\plugins.
To run the plugin, either go to Edit -> Plugins -> IISHelper, or use the shortcut CTRL+ALT+I. This plugin will then take the following actions:
- Loading in relevant classes/symbolic constants;
- Identifying and renaming the virtual methods of IIS classes;
- Applying function prototypes to the known implemented virtual methods; and,
- Attempting initial retyping of variables in these methods.
Once the script has finished running, you can locate the implemented methods to determine the ones of interest, and start reverse engineering them further.
Retyping the RegisterModule export:
Automatically renamed virtual methods for the IIS class:
Automatically retyped variables for a implemented method:
