Filename: proxy.py

A plugin used to speed up development and deployment of plugins.

Instead of deploying the actual plugin files to the IDA plugins directory, this file acts as a proxy. When loading IDA, it will load the desired plugins from any directory you choose.

1. Set the sarkPlugins environment variable to point to your Sark plugins directory

   if not set, the path will default to sarkPackagePath/../plugins;

2. Place a copy of proxy.py in the IDA plugins directory;
3. Rename the copy to the name of the plugin you want;
4. Repeat steps 2 and 3 as needed.

Filename: function_strings.py

Hotkey: Alt + 9 Hotkey: Ctrl + Alt + 9

Quickly see all strings referenced by the current function or highlighted function.

1. Position the cursor inside the desired function;

2. Press Alt+9;

3. Check the output window:

   String References in ??0CDateTime@@QAE@XZ:0x0044C057
   From          To            String
   0x0044C06B    0x0044C10C    'k'
   0x0044C07E    0x0044C128    'AdjustCalendarDate'
   0x0044C089    0x0044C13C    'ConvertCalDateTimeToSystemTime'
   0x0044C095    0x0044C15C    'ConvertSystemTimeToCalDateTime'
   0x0044C0A2    0x0044C17C    'GetCalendarMonthsInYear'
   0x0044C0AF    0x0044C194    'GetCalendarDaysInMonth'
   0x0044C0BC    0x0044C1AC    'GetCalendarDifferenceInDays'
   0x0044C0C9    0x0044C1C8    'CompareCalendarDates'
   

4. To show the strings for a highlighted function (the function name is under the cursor),

   use Ctrl + Alt + 9.

Filename: lca.py

IDA Version: >=6.7

Menu: View/LCA Graph

Shows a lowest-common-ancestor graph for selected addresses in the code.

Helps in finding core-functions in complex flows.

1. Start the viewer (View/LCA Graph);
2. Press Space to add a function using the function selector;
3. Press Shift + Space to add an address manually;
4. When lowest common ancestors exist, a graph will be displayed;
5. Right click ancestors to disable / enable them;
6. Right click targets to remote them;
7. Click on sources or targets to highlight paths.

Filename: autostruct.py

Hotkey: Shift + T

Automatically generate structs from the IDA view.

No more going back and forth between the IDA-view and the Structures-view. With this plugin, you can do it without leaving IDA-view!

1. Select the desired code (highlight it):

   # IDA-view
   mov     eax, [ebx]
   mov     cx, [ebx+4]
   mov     dl, [ebx+6]
   mov     dh, [ebx+7]
   mov     esi, [ebx+8]
   

2. Press Shift + T;

3. Set the struct name (can be existing struct);

4. Choose the register (the most likely register will be suggested to you);

5. Enjoy your new struct:

   # IDA-view
   mov     eax, [ebx+my_struct.offset_0]
   mov     cx, [ebx+my_struct.offset_4]
   mov     dl, [ebx+my_struct.offset_6]
   mov     dh, [ebx+my_struct.offset_7]
   mov     esi, [ebx+my_struct.offset_8]
   
   # Structure-view
            my_struct       struc ; (sizeof=0xC)
   00000000 offset_0        dd ?                    ; XREF: .text:_createnum(ulong)/r
   00000004 offset_4        dw ?                    ; XREF: .text:004044E5/r
   00000006 offset_6        db ?                    ; XREF: .text:004044E9/r
   00000007 offset_7        db ?                    ; XREF: .text:004044EC/r
   00000008 offset_8        dd ?                    ; XREF: .text:004044EF/r
   0000000C my_struct       ends
   

Filename: function_flow.py

Visualize code flow in functions.

1. Go to graph-view;
2. Right-click the desired block (you may have to left-click it first to set the cursor to it);
3. Click Mark->Reachable to mark all nodes reachable by the block;
4. Click Mark->Clear to remove the marks.

1. Go to graph-view;
2. Left-click the desired block;
3. Click View->Mark->Reachable to mark all nodes reachable by the block;
4. Click View->Mark->Clear to remove the marks.

Filename: quick_copy.py

Copy addresses and instruction bytes from IDA.

1. Place your cursor or mark a selection;
2. Press Ctrl + Alt + C to copy the marked address;
3. Press Ctrl + Shift + C to copy the selected bytes (instruction bytes).