MyNav, a python plugin for IDA Pro

MyNav is an open-source IDAPython plugin for the commercial disassembler IDA Pro, to be released in July 2010. The plugin adds many features otherwise only available in other products such as the well-known Zynamics BinNavi or HBGary’s Inspector. In this blog post I will show some of the features available in the current version, with examples.

Function browser

The navigator is useful for getting an idea of what a function does, since it lets us see and browse, in a user-friendly GUI, all the functions executed from one specific point. For example, open the typical Windows binary calc.exe in IDA Pro, wait until the initial analysis ends, run the script mynav.py in IDA and jump to the function “?CalcWndProc@@YGJPAUHWND__@@IIJ@Z” (at address 0x01006118 in Windows XP SP3). Now select Edit->Plugins->MyNav – Browse Function. A new dialog box will appear asking for the maximum recursion level; enter the number 1 and click OK. The following (browsable) graph will appear:

Depending on the selected maximum recursion level, some child nodes will be hidden, for example the child nodes of the function “?SetRadix@@YGXK@Z”. To see the hidden nodes simply double-click on the node with the text “(8 more nodes)”. The following graph will appear:

In this graph we can see which functions are executed from “SetRadix”. We can continue browsing the graph, entering and leaving other functions, but what if I want to see which API calls are executed from a specific function? To open a browsable graph showing API calls, select the desired function in IDA’s disassembly view (for example, the function at address 0x010022F9 in Windows XP SP3, ?CIO_vConvertToString@@YGXPAPAGPAUCALCINPUTOBJ@@H@Z) and select Edit->Plugins->MyNav – Browse functions (show APIs), leave the default maximum recursion level and click OK. The browsable graph below will appear:

Taking a look at this graph we can “abstractly” see what the function ConvertToString does.

Code path searching

One of the most typical tasks when looking for vulnerabilities is to find a code path between data entry points (functions where you can insert data) and some target functions (vulnerable ones). With MyNav we can search automatically for code paths between two functions with just a few clicks. For example, continuing with the Windows calculator, we will search for code paths from “WinMain” to “EverythingResettingNumberSetup”, so select Edit->Plugins->MyNav – Show code paths between 2 functions. A dialog box showing all the binary’s functions will be shown:

In this dialog box select the starting point (WinMain) and click OK; the same dialog will appear again asking for the target function. Select “EverythingResettingNumberSetup” and click OK. The following graph will appear:
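The three static views above (the depth-limited function browser with its “(N more nodes)” placeholder, the API-only view, and the code-path search between two functions) all reduce to walks over the binary’s call graph. The block below is an added example written for this post, not MyNav’s own code: MyNav reads the call graph out of IDA through IDAPython, whereas here the graph is a constructed dict (caller -> callees) with made-up function names, so the logic runs offline. Names beginning with `api_` stand in for imported API functions.

```python
"""Call-graph browsing and code-path search over a static call graph.

Added example, not MyNav's own code. The call graph is a constructed
dict (caller -> callees) standing in for what MyNav reads out of IDA
via IDAPython. Covers the depth-limited browser with its
"(N more nodes)" placeholder, the API-only view, and the search for
code paths between two functions.
"""
from collections import deque

# Constructed call graph with made-up names. Names starting with "api_"
# stand for imported API functions, which have no body in the binary.
CALL_GRAPH = {
    "WinMain": ["WndProc", "api_RegisterClassW"],
    "WndProc": ["SetRadix", "UpdateDisplay", "api_SendMessageW"],
    "SetRadix": ["ConvertToString", "api_SetWindowTextW", "Redraw"],
    "ConvertToString": ["api_wsprintfW", "api_lstrlenW", "Normalize"],
    "Normalize": ["api_memset"],
    "UpdateDisplay": ["ConvertToString", "api_InvalidateRect"],
    "Redraw": ["api_InvalidateRect", "api_UpdateWindow"],
}


def is_api(name):
    """Imported API function (no body in the binary) in this toy graph."""
    return name.startswith("api_")


def browse(graph, root, max_level):
    """Return {node: children} for every node within max_level calls of
    root. A node sitting exactly at max_level keeps a single placeholder
    child "(N more nodes)" instead of its N callees, so a viewer can
    offer to expand it, as MyNav's browser does."""
    tree, seen = {}, {root}
    queue = deque([(root, 0)])
    while queue:
        node, level = queue.popleft()
        callees = graph.get(node, [])
        if level >= max_level:
            tree[node] = ["(%d more nodes)" % len(callees)] if callees else []
            continue
        tree[node] = list(callees)
        for callee in callees:
            if callee not in seen:
                seen.add(callee)
                queue.append((callee, level + 1))
    return tree


def api_calls(graph, root, max_level):
    """APIs reachable from root within max_level calls: the "show APIs"
    view that abstracts what a function does."""
    found, seen = set(), {root}
    queue = deque([(root, 0)])
    while queue:
        node, level = queue.popleft()
        if level >= max_level:
            continue
        for callee in graph.get(node, []):
            if is_api(callee):
                found.add(callee)
            elif callee not in seen:
                seen.add(callee)
                queue.append((callee, level + 1))
    return found


def code_paths(graph, start, target, max_depth=16):
    """All simple call paths from start to target, depth-first, with a
    depth bound so recursive binaries cannot make the search run away.
    Each path is a list of function names, start first."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(list(path))
            return
        if len(path) > max_depth:
            return
        for callee in graph.get(node, []):
            if callee not in path:  # simple paths only: never revisit a node
                path.append(callee)
                walk(callee, path)
                path.pop()

    walk(start, [start])
    return paths


if __name__ == "__main__":
    for caller, children in browse(CALL_GRAPH, "WndProc", 1).items():
        print(caller, "->", children)
    print(sorted(api_calls(CALL_GRAPH, "ConvertToString", 2)))
    for path in code_paths(CALL_GRAPH, "WinMain", "api_InvalidateRect"):
        print(" -> ".join(path))
```

With recursion level 1 the browser lists `WndProc`’s three callees and collapses `SetRadix` into “(3 more nodes)”; raising the level expands it, exactly the double-click behaviour described above. The path search deliberately enumerates simple paths only, since a call graph with recursion has infinitely many non-simple ones.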

Differential debugging usage example: notepad

In this example we will discover and analyze the code responsible for opening a file in notepad. Run IDA Pro and open the notepad.exe binary. Wait until the initial analysis finishes and then run the script mynav.py in IDA. A lot of new menus will be added under Edit->Plugins, as shown below:

Now, select a debugger from the debugger dropdown list and select the option called “MyNav – New session” from the Edit->Plugins menu. A dialog box asking for a session name will appear. Enter a meaningful name like “GuiNoise”, since we will be recording the code responsible for GUI painting, which is uninteresting for our goal (discovering the code executed when we open a file inside notepad).

Press OK and a message box saying that there is no breakpoint set will appear. Answer “Yes” and MyNav will set a breakpoint in every function and start the debugger. While the application is running, move the window, minimize, maximize and restore it, pop up the contextual menus and close the application when done. When debugging stops, a graph showing all the executed functions will appear:

This callgraph shows all the functions executed and the relationships between them. Every breakpoint set on a function that was executed in this session was removed after its first hit, so we will not stop again in the GUI related code. Now, record another session: select Edit->Plugins->MyNav – New session and enter the name “FileOpenDialog”. When the debugger starts, select “File->Open” in notepad and cancel the dialog box. Select “File->Open” again, but this time select a file to open. When done, close the application and the following callgraph will appear:

This time only 7 functions appeared, those responsible for showing the file open dialog box and opening the file. The notepad.exe binary contains 88 functions and we discovered the interesting ones in a few seconds. Now it’s time to discover the exact code executed when I cancel the dialog box and when I select a file to open, so select Edit->Plugins->MyNav – Trace in session and a dialog box will appear showing all the recorded sessions. Select the session named “FileOpen” in the dialog shown below:

After that, the typical dialog box asking for a session name will appear. Enter the name “TraceFileOpenCancel”, click OK and the debugger starts. Once notepad is open, select File->Open, cancel the dialog box and close the application.

The colored basic blocks are those executed when we cancelled the dialog box. Now we will trace the same session again, but this time opening a file, so select Edit->Plugins->MyNav – Trace in session, select the session named “FileOpen” and enter the name “TraceFileOpen”. When the debugger starts the application, select File->Open and open a file. When done, close notepad and the following code will be shown:

The new color shows the basic blocks executed this time. If we want, we can see the differences between the two sessions. Select Edit->Plugins->MyNav – Show step trace session and a dialog box showing a list of all the recorded trace sessions will appear. Select the trace session called “TraceFileOpenCancel” and click OK. Notice the change in the graph:

In about 5 minutes we discovered the functions and the instructions executed when we cancel the file open dialog box and when we open a file. It was easy, wasn’t it? ;)
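The bookkeeping behind the notepad walkthrough (a noise session, one-shot breakpoints that are dropped after their first hit so the next session records only new functions, step traces restricted to one session’s functions, and the diff between two traces) is small enough to show in full. The block below is an added example written for this post, not MyNav’s code: MyNav drives IDA’s debugger through IDAPython, whereas here breakpoint hits and basic-block hits are constructed lists of addresses from a toy binary, not notepad, so the session logic runs offline.

```python
"""Differential debugging session bookkeeping, following the notepad
walkthrough above.

Added example, not MyNav's code. MyNav drives IDA's debugger through
IDAPython; here the breakpoint hits and basic-block hits are
constructed streams of addresses so the logic runs offline.
"""

# Constructed function addresses of a toy binary (not notepad's).
FUNCTIONS = {0x401000, 0x401100, 0x401200, 0x401300, 0x401400, 0x401500}


class Recorder:
    """Keeps a one-shot breakpoint on every function not yet seen in an
    earlier session, and records which functions each session hits."""

    def __init__(self, functions):
        self.breakpoints = set(functions)  # currently armed breakpoints
        self.sessions = {}                 # session name -> functions hit
        self.traces = {}                   # trace name -> basic blocks hit

    def record_session(self, name, hits):
        """Play back a stream of breakpoint hits (function addresses).
        A breakpoint fires once: it is removed after the first hit, so a
        later session never stops again in code already attributed to an
        earlier one (the "GuiNoise" trick from the post)."""
        executed = set()
        for addr in hits:
            if addr in self.breakpoints:
                executed.add(addr)
                self.breakpoints.discard(addr)
        self.sessions[name] = executed
        return executed

    def trace_in_session(self, session, trace_name, block_hits):
        """Step-trace only the functions recorded in `session`: keep the
        basic blocks whose owning function belongs to that session.
        block_hits is a stream of (function address, basic block address)."""
        wanted = self.sessions[session]
        blocks = {bb for func, bb in block_hits if func in wanted}
        self.traces[trace_name] = blocks
        return blocks

    def trace_diff(self, a, b):
        """(blocks only in trace a, blocks only in trace b, blocks in both):
        what the "Show step trace session" overlay makes visible."""
        ta, tb = self.traces[a], self.traces[b]
        return ta - tb, tb - ta, ta & tb


def demo():
    """Run the walkthrough on constructed hit streams; returns the recorder."""
    rec = Recorder(FUNCTIONS)
    # Noise session: GUI painting code, hit repeatedly while moving the window.
    rec.record_session("GuiNoise", [0x401000, 0x401100, 0x401000, 0x401100])
    # File->Open session: 0x401000 fires again but its breakpoint is gone.
    rec.record_session("FileOpen", [0x401000, 0x401200, 0x401300])
    # Two step traces over the FileOpen functions: cancel vs. actually opening.
    rec.trace_in_session("FileOpen", "TraceFileOpenCancel",
                         [(0x401200, 0x401210), (0x401200, 0x401220),
                          (0x401000, 0x401010)])
    rec.trace_in_session("FileOpen", "TraceFileOpen",
                         [(0x401200, 0x401210), (0x401300, 0x401310),
                          (0x401300, 0x401330)])
    return rec


if __name__ == "__main__":
    rec = demo()
    print("FileOpen functions:", sorted(hex(a) for a in rec.sessions["FileOpen"]))
    only_cancel, only_open, common = rec.trace_diff("TraceFileOpenCancel", "TraceFileOpen")
    print("cancel only:", sorted(map(hex, only_cancel)))
    print("open only:  ", sorted(map(hex, only_open)))
    print("both:       ", sorted(map(hex, common)))
```

The second session comes out as just the two functions the noise session never touched, which is why the real notepad run shrinks from 88 candidates to 7; the trace diff then separates the blocks shared by both user actions from those specific to cancelling or to opening a file.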

Final Notes

MyNav will be released in July 2010 and the code will be uploaded to the project page at Google Code.

42 thoughts on “MyNav, a python plugin for IDA Pro”

  1. Pingback: Tweets that mention MyNav, a python plugin for IDA Pro « Unintended Results -- Topsy.com

  2. beist

    Awesome, I’ve made scripts myself for code coverage using IDAPython. But it seems I’ll take your plugin from the release day to do that. ;)

  3. phn1x

    “Now, select a debugger from the debugger dropdown list and select from Edit->Plugins menu the option called “MyNav – New session”.”

    When you say select a debugger, is this going to have the ability to interact with all debuggers that IDA supports, or, being that it is in Python, only the native debugger which is supported in IDAPython?

  4. joxean Post author

    It supports any debugger supported by IDA ;) So, you can debug either a router with the remote GDB server, a complete Windows OS with WinDbg, or whatever IDA supports.

  5. dan

    Hi!
    There is no code on code.google.
    My clone clones nothing, and when searching for files, there are none on the server…

  6. Pingback: Explota al máximo tu IDA Pro | It should work...

  7. phn1x

    Is there a specific date you’ll be pushing this out? It’s July and you’ve kept me waiting oh so long!

  8. joxean Post author

    @Rafael Rivera Yes, the plugin supports attaching. I use it a lot and, well, except with the WinDBG debugger, it works OK as far as I know.

  9. TRNL

    O.K. I figured it out. Was actually very easy; just run the script file inside IDA.

    But how do you automate this so you don’t have to manually load the script file every time you close and restart IDA?

  10. wx

    Hello, whenever I try to run mynav.py I end up with an error “Unexpected EOF while parsing.” Does anyone know why? Thanks

  11. joxean Post author

    Uhm… This is the first time I see this error and I have various users. Did you modify the source yourself?

  12. narf

    I always get the error

    “***Error, main unable to open database file”

    I copied all files to C:\Program Files (x86)\IDA\mynav and started the script via

    execfile(r"C:\Program Files (x86)\IDA\mynav\mynav.py")

    I’m using Win7 x64 and the directory in question is writable.

  13. narf

    Solved it by copying the scripts to the python dir and making it writable. Imho you should write the database to the users directory and not to some subdirectory of %PROGRAM FILES%

  14. joxean Post author

    It doesn’t work this way. MyNav tries to create the .sqlite database in the same path where your IDB is stored.

  15. narf

    Hi, thanks for your answer. However, I still get this error:

    Python>execfile(r"C:\Program Files (x86)\IDA\python\mynav.py")
    ***Error, main unable to open database file

    The error appears if you have an IDB which has a filename such as “myidbfile.dll.idb” and this gives the error outlined above.

  16. mael15

    After a session, I always get “No data to save”. What might be wrong?!
    I have IDA Pro 6.1 and MyNav 1.1

  17. Joel Eriksson

    Seems neat. :) Just downloaded it (from the mercurial-repo), and started looking through the source. Think I found a bug though.

    On line 536, in deselectCodePathsBetweenPoints, I assume DelBpt(p) should be DelBpt(x)? :) Anyway, nice work.

  18. ZaQ

    I have the same issue as “mael15”, I receive “No data to save” each time.

    Got the same versions too, IDA 6.1.1100421 & MyNav 1.1.

  19. joxean Post author

    The issue with the message “No data to save” is typically a mistake. First, you need to select a debugger: If no debugger is selected MyNav can’t trace anything. Second: You have to set your breakpoints or remove all of them and let MyNav set a breakpoint in every function found in the database.

    Another possibility is that you’re using an old version of MyNav. Please use the version available in the Mercurial repository, as it works around a bug in the IDAPython version supplied with IDA 6.1.

  20. ZaQ

    Used the version 0x01020200 this time, breakpoints are okay. When the debugger starts: error message “oops! internal error 40038”.

    The process is working correctly in the debugger without MyNav.

  21. joxean Post author

    What debugger module are you using? What operating system (Windows, Linux or OSX)? Can you say what your target is so I can test it?

  22. Vizus

    I cannot get this to work with the latest IDA; whenever I try to start the script I end up with the error: “ImportError: No module named _sqlite3”.
    Can someone help out here? Thanks

  23. joxean Post author

    Uhm… Are you using IDAQ for Linux in a 64-bit distro? It seems you’re missing the sqlite3 module which is, BTW, always distributed with Python since 2.5. Did you compile your own version of Python?

  24. Vizus

    Thanks for the quick response, didn’t see it! Yes, I compiled it myself; everything is working fine now. Thanks again for this brilliant plug-in.

  25. chantak

    Hello, first of all….
    Your plugin is AMAZING, WONDERFUL…
    And, I have used it a while… to experiment how it works…
    Works well, despite the fact that I think its options are all cluttered…
    It could be much simpler… For example… The first time I execute, it is to get “noise” functions… Then, there could be an option that I just do 1 click, and it will start a session and will mark all app functions to debug… Then, the second try would be to find a specific app function, then I do a second click and it would subtract the functions that are not what I want… the idea is to do less work, fewer steps to get the same thing… and free more time to do important tasks… I mean, concentrate on the problem of the code itself. Thanks…

  26. Dennis

    Hi joxean,

    MyNav 1.1 doesn’t work correctly with IDA 6.2 since it insufficiently sets breakpoint flags. Changing line 658 of mynav.py as follows fixes the issue:

    SetBptAttr(f, BPTATTR_FLAGS, BPT_TRACE | BPT_ENABLED)

    Cheers,
    Dennis
