nsxz/ida-msdn-annotator
# ida-msdn-annotators

Add MSDN annotations to IDA imported functions and structures


This work is based almost entirely on Moritz Raabe and William Ballenthin's work at FireEye.

I strongly recommend that you refer to the original flare-ida project.

## The differences include:

  1. A new plugin responsible for adding annotations to structure types and their members.
  2. A new script that parses the Windows SDK help HTML files to extract the structures' annotations.
  3. New regex rules for parsing the names of imported functions as IDA presents them.
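Before an import can be looked up, the plugin has to reduce whatever name IDA assigned to the key the MSDN database is indexed by. The block below is an added illustration of that step, written for this page rather than taken from the project's scripts: the name shapes it handles, the two regexes and the small annotation table are assumptions, and the table is a constructed stand-in for the crawled database. The IDA-specific call that writes the comment into the database is left out so the block runs outside IDA.

```python
import re

# Constructed stand-in for the crawled MSDN database: a few entries with
# abbreviated text, keyed by the undecorated API name (no A/W suffix).
MSDN_DB = {
    "CreateFile": "Creates or opens a file or I/O device.",
    "LoadLibraryEx": "Loads the specified module into the address space of the calling process.",
    "WSAStartup": "Initiates use of the Winsock DLL by a process.",
    "_wcsicmp": "Performs a case-insensitive comparison of wide-character strings.",
}

# Name shapes handled (assumed for this example, not the project's rule set):
#   __imp_CreateFileW        IAT slot as IDA names it
#   _CreateFileW@28          x86 stdcall decoration: leading '_' plus '@<argbytes>'
#   __imp__CreateFileW@28    both at once
#   CreateFileW/CreateFileA  ANSI and Unicode variants documented on one MSDN page
IMPORT_RE = re.compile(
    r"^(?:__imp_)?(?P<name>[A-Za-z_][A-Za-z0-9_]*?)(?:@(?P<argbytes>\d+))?$"
)
CHARSET_RE = re.compile(r"^(?P<stem>[A-Za-z0-9_]+?)[AW]$")


def undecorate(ida_name):
    """Strip IDA's __imp_ prefix and x86 stdcall decoration.

    Returns (name, argbytes); argbytes is None when the name was not stdcall
    decorated.  The leading '_' is dropped only together with '@N', so a cdecl
    CRT export such as '_wcsicmp' keeps the underscore that is part of its name.
    """
    m = IMPORT_RE.match(ida_name)
    if m is None:
        raise ValueError("unrecognised import name: %r" % ida_name)
    name, argbytes = m.group("name"), m.group("argbytes")
    if argbytes is not None and name.startswith("_"):
        name = name[1:]
    return name, (None if argbytes is None else int(argbytes))


def lookup_keys(name):
    """Database keys to try, most specific first.

    The exact name goes first so an API whose name genuinely ends in A or W
    is found before the suffix is treated as a charset marker.
    """
    keys = [name]
    m = CHARSET_RE.match(name)
    if m:
        keys.append(m.group("stem"))
    return keys


def annotate(ida_name, db=MSDN_DB):
    """Return (key, comment) for an IDA import name; comment is None if unknown."""
    name, argbytes = undecorate(ida_name)
    for key in lookup_keys(name):
        if key in db:
            comment = db[key]
            if argbytes is not None:
                comment += " [stdcall, %d bytes of arguments]" % argbytes
            return key, comment
    return name, None


if __name__ == "__main__":
    for n in ("__imp_CreateFileW", "_LoadLibraryExA@12", "_wcsicmp", "WSAStartup", "FooBarW"):
        print("%-22s -> %s" % (n, annotate(n)))
```

Inside IDA the returned comment would be attached to the import's address through the scripting API; the point of the example is the ordering of the candidate keys, which keeps the A/W stripping from producing a false match for names that only look decorated.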

## Usage

Usage for the script that adds annotations to imported functions can be found at

  1. https://github.com/fireeye/flare-ida (MSDN Annotations Usage section)
  2. https://www.fireeye.com/blog/threat-research/2014/09/flare-ida-pro-script-series-msdn-annotations-ida-pro-for-malware-analysis.html

Usage for the script that adds annotations to structures is similar to the above.

### Notes about preparing the SDK help files

After you install the standalone Windows SDK (by default under 'C:\Program Files\Microsoft SDKs\Windows\v7.0'), the help files are in 'C:\Program Files\Microsoft SDKs\Windows\v7.0\Help\1033'. These files (ending in '.hxs') are compiled Help 2.0 archives and are not human readable, so they have to be decompiled before running msdn_crawler.py.

  1. Prepare hxcomp.exe for decompiling. Install Visual Studio 2008 and the VS 2008 SDK version 1.0 (this version, or an older VS and VS SDK combination, is required), or copy all the .hxs files to a machine where hxcomp.exe is already installed.

  2. Decompile the .hxs files. Run hxcomp.exe (default location 'C:\Program Files\Common Files\microsoft shared\Help 2.0 Compiler\hxcomp.exe') with the -u switch on every file ending in '.hxs'. From a cmd.exe prompt in the help folder:

     for /R %x in (*.hxs) do hxcomp -u "%x"
    

     (Write %%x instead of %x if you put this line in a batch file.) By default, the extracted .htm files then appear under 'C:\Users\%username%\AppData\Local\VirtualStore\Program Files\Microsoft SDKs\Windows\v7.0\Help\1033' (on Windows 7) rather than next to the .hxs files: hxcomp writes into Program Files without elevation, and UAC file virtualization redirects those writes to the per-user VirtualStore. Running the loop from an elevated prompt, or copying the .hxs files to a writable folder first, keeps the output where the command ran.

  3. Run msdn_crawler.py on the folder with the extracted .htm files:

     python msdn_crawler.py -t [function|structure] <path to extracted MSDN html documentation> <path to tilib.exe> <path to til files>
    
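To show what the last step produces from the decompiled pages, here is an added example, written for this page and not the project's msdn_crawler.py, that parses help pages into a per-type annotation table selectable by kind the way the `-t function|structure` switch is. The two pages are constructed and abbreviated, and the markup shape the parser expects (an `<h1>` "Name Structure" or "Name Function", a summary `<p>`, and a `<dl>` of term/description pairs under a Members or Parameters heading) is an assumption; real SDK pages are larger and may lay these out differently. The project's crawler also takes tilib.exe and IDA's .til files; that input is not used here.

```python
import json
from html.parser import HTMLParser

# Constructed, abbreviated help pages in the markup shape this example assumes.
SAMPLE_PAGES = {
    "overlapped.htm": """<html><head><title>OVERLAPPED Structure</title></head><body>
<h1>OVERLAPPED Structure</h1>
<p>Contains information used in asynchronous (or overlapped)
   input and output (I/O).</p>
<h3>Syntax</h3>
<pre>typedef struct _OVERLAPPED { ULONG_PTR Internal; ... } OVERLAPPED;</pre>
<h3>Members</h3>
<dl>
<dt>Internal</dt><dd>The status code for the I/O request. When the request is
issued, the system sets this member to <b>STATUS_PENDING</b>.</dd>
<dt>hEvent</dt><dd>A handle to the event that will be set to the signaled state
when the operation has been completed.</dd>
</dl>
<h3>Remarks</h3><p>Not harvested by this example.</p>
</body></html>""",
    "createfile.htm": """<html><body>
<h1>CreateFile Function</h1>
<p>Creates or opens a file or I/O device.</p>
<h3>Parameters</h3>
<dl><dt>lpFileName</dt><dd>The name of the file or device to be created or opened.</dd>
<dt>dwDesiredAccess</dt><dd>The requested access to the file or device.</dd></dl>
</body></html>""",
}


class HelpPageParser(HTMLParser):
    """Collects the title, summary and member/parameter descriptions of one page."""

    HARVEST_SECTIONS = {"Members", "Parameters"}

    def __init__(self):
        super().__init__()
        self.title = None
        self.summary = None
        self.fields = {}
        self._section = None   # text of the most recent <h3>
        self._term = None      # pending <dt> text waiting for its <dd>
        self._buf = None       # text pieces of the element being collected
        self._tag = None       # which tag the buffer belongs to

    def handle_starttag(self, tag, attrs):
        if tag in ("h1", "h3", "p", "dt", "dd"):
            self._buf, self._tag = [], tag

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)   # inline tags such as <b> fall through here

    def handle_endtag(self, tag):
        if self._buf is None or tag != self._tag:
            return
        text = " ".join("".join(self._buf).split())   # collapse newlines and indent
        self._buf = self._tag = None
        if tag == "h1":
            self.title = text
        elif tag == "h3":
            self._section = text
        elif tag == "p" and self.title and self._section is None and self.summary is None:
            self.summary = text   # first paragraph after the title, before any section
        elif tag == "dt" and self._section in self.HARVEST_SECTIONS:
            self._term = text
        elif tag == "dd" and self._term is not None:
            self.fields[self._term] = text
            self._term = None


def parse_page(html):
    """Return {'kind', 'name', 'summary', 'fields'} for a Structure or Function
    topic, or None for any other page."""
    p = HelpPageParser()
    p.feed(html)
    p.close()
    if not p.title:
        return None
    name, _, kind = p.title.rpartition(" ")
    if kind not in ("Structure", "Function"):
        return None
    return {"kind": kind.lower(), "name": name, "summary": p.summary, "fields": p.fields}


def crawl(pages, kind):
    """Like '-t <kind>': keep only pages of that kind, keyed by type/function name."""
    db = {}
    for fname, html in pages.items():
        rec = parse_page(html)
        if rec and rec["kind"] == kind:
            db[rec["name"]] = {"summary": rec["summary"], "fields": rec["fields"], "source": fname}
    return db


if __name__ == "__main__":
    print(json.dumps(crawl(SAMPLE_PAGES, "structure"), indent=2))
```

The resulting dictionary is what a structure-annotation plugin needs: one comment for the type and one per member, keyed by the names IDA already uses for its structures. The output format (JSON here) is this example's choice, not the project's.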
