Exetools (https://forum.exetools.com/index.php)
-   Community Tools (https://forum.exetools.com/forumdisplay.php?f=47)
-   -   unlinker IDA - an IDA plugin for extracting functions from a PE file for later reuse (https://forum.exetools.com/showthread.php?t=19818)

jonwil 03-21-2021 12:56

unlinker IDA - an IDA plugin for extracting functions from a PE file for later reuse
 
Just under 5 years ago (in 2016) I wrote a tool called Unlinker that can extract functions and data members from a win32 PE file and produce a Visual Studio compatible COFF obj file you can link into your own code.

See https://forum.exetools.com/showthread.php?t=18018 for details about that.

What I have now done is produced an IDA plugin that can do the same thing.
It's designed to allow you to unlink code and data from whatever 32-bit windows application you are working on and spit out a Visual Studio compatible COFF obj file you can link into your own code.

It's written to work with (and requires) IDA Pro 7.5 and tested against 7.5.201028.
Source code is here https://github.com/jonwil/unlinkerida and you will need the IDA 7.5 SDK along with Visual Studio 2019 to compile it (edit the compiler settings to point to the correct include and lib paths for where you have put the SDK).

If anyone wants binaries, let me know and I can provide some.

To use it, you go to a function or data item, right click and select either "unlink" or "unlink extern". "unlink extern" is if you will be providing the definition of that item (code or data) in another file and want the .obj file to reference that. When you select it, it will ask you which module (i.e. which of the different output .obj files) you want to unlink into.

edit-plugins-unlinker will display all the items you have selected to unlink. You can click on one and hit delete to remove it from the list. The data about what you are unlinking is saved in the idb file.

Then when you choose "file-produce file-export unlinked objects" it will spit out the .obj files containing the unlinked items.

Right now it doesn't support unlinking functions that contain jump tables (i.e. for switch statements etc), uninitialized data or data items where some of the members are pointers to something and some are not (it does however support unlinking those 3 things with "unlink extern"). It also currently only supports unlinking from segments named .text, .rdata and .data.

If you have feedback, suggestions, feature requests, bugs, patches to contribute etc, please share here or on github (e.g. github issues).

The code is licensed under the GNU Lesser GPL 3.0 (in simple terms if you are shipping binaries of the plugin you also have to ship the corresponding source code that you changed) with cvconst.h, cvinfo.h and vcver.h being copyrighted by Microsoft and released under the terms of the MIT license.

RamMerLabs 03-21-2021 17:20

Hi, jonwil!
Let me complement your list of @feat symbol values with a few values I know of:
- Report_Dev11 = 0x10,
actually, this is not a flag but an encoded 3-bit value: 000 - legacy, 001 - Dev11 (i.e. vs2012), other values are still reserved;
- C_CppModule = 0x80, // i.e. not MASM, not CVTRES
- ControlFlowGuardFIDs = 0x800, //CFG-aware
- KernelAware = 0x80000000
I don’t have a github account, so I can’t make a pull request.

jonwil 03-22-2021 03:00

Thanks, that's great, I have added those.
Looks like the only remaining unknown is Unknown3 = 0x10000,
It also looks like the c2.dll from Visual C++ 2019 latest version forces 0x80010090 as the base value for @feat.00 (so KernelAware | Unknown3 | C_CppModule | Report_Dev11)

More features coming soon.

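To make the @feat.00 discussion concrete, here is an added example (my own illustration, not code from unlinkerida or from c2.dll) that builds a constructed minimal i386 COFF object containing an @feat.00 symbol, reads it back out of the symbol table, and decodes the value using the bit layout collected in this thread: the 3-bit report field at bits 4-6 (Report_Dev11 = 0x10 is the value 1 in that field) and the single-bit flags C_CppModule, ControlFlowGuardFIDs, Unknown3 and KernelAware. The file-header and symbol-record layouts and the IMAGE_SYM_* constants are from the PE/COFF spec; the flag names are the ones used in this thread, and the sample object is constructed for the example.

```python
import struct

# COFF symbol-table constants (PE/COFF spec).
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_SYM_ABSOLUTE = -1            # SectionNumber of an absolute symbol such as @feat.00
IMAGE_SYM_UNDEFINED = 0
IMAGE_SYM_CLASS_EXTERNAL = 2
IMAGE_SYM_CLASS_STATIC = 3

FILE_HEADER = struct.Struct("<HHIIIHH")   # IMAGE_FILE_HEADER, 20 bytes
SYMBOL = struct.Struct("<8sIhHBB")        # IMAGE_SYMBOL, 18 bytes (packed)

# @feat.00 bit layout as collected in this thread (names are the thread's, not official).
REPORT_MASK = 0x70                  # 3-bit encoded field, bits 4..6; Report_Dev11 = 0x10 is value 1
REPORT_NAMES = {0: "legacy", 1: "Dev11"}
FEAT_FLAGS = {
    0x80: "C_CppModule",
    0x800: "ControlFlowGuardFIDs",
    0x10000: "Unknown3",
    0x80000000: "KernelAware",
}


def decode_feat(value):
    """Split an @feat.00 value into the report field, named flags and any leftover bits."""
    report = (value >> 4) & 7
    flags = [name for bit, name in FEAT_FLAGS.items() if value & bit]
    known = REPORT_MASK | sum(FEAT_FLAGS.keys())
    unknown = value & ~known & 0xFFFFFFFF
    return {
        "report": REPORT_NAMES.get(report, f"reserved({report})"),
        "flags": flags,
        "unknown_bits": unknown,
    }


def symbol_name(raw, string_table):
    """Short names live inline; long names are an offset into the string table."""
    if raw[:4] == b"\0\0\0\0":
        off = struct.unpack_from("<I", raw, 4)[0]
        end = string_table.index(b"\0", off)
        return string_table[off:end].decode()
    return raw.rstrip(b"\0").decode()


def find_feat00(obj):
    """Walk the symbol table of a COFF .obj and return the @feat.00 value, or None."""
    _machine, _nsect, _ts, symptr, nsyms, _optsz, _chars = FILE_HEADER.unpack_from(obj, 0)
    # The string table immediately follows the symbol table; offsets into it
    # already account for its own 4-byte length prefix.
    strtab = obj[symptr + nsyms * SYMBOL.size:]
    i = 0
    while i < nsyms:
        raw, value, section, _typ, sclass, naux = SYMBOL.unpack_from(obj, symptr + i * SYMBOL.size)
        if symbol_name(raw, strtab) == "@feat.00":
            if section != IMAGE_SYM_ABSOLUTE or sclass != IMAGE_SYM_CLASS_STATIC:
                raise ValueError("@feat.00 must be an absolute static symbol")
            return value
        i += 1 + naux                          # skip auxiliary records
    return None


def build_sample_obj(feat_value):
    """Constructed minimal i386 .obj: no sections, two symbols, empty string table."""
    syms = SYMBOL.pack(b"@feat.00", feat_value, IMAGE_SYM_ABSOLUTE, 0, IMAGE_SYM_CLASS_STATIC, 0)
    syms += SYMBOL.pack(b"_main", 0, IMAGE_SYM_UNDEFINED, 0x20, IMAGE_SYM_CLASS_EXTERNAL, 0)
    header = FILE_HEADER.pack(IMAGE_FILE_MACHINE_I386, 0, 0, FILE_HEADER.size, 2, 0, 0)
    return header + syms + struct.pack("<I", 4)   # string table holding only its length


if __name__ == "__main__":
    # The value jonwil reports for current VC++ 2019 c2.dll output.
    print(decode_feat(find_feat00(build_sample_obj(0x80010090))))
```

Running it on the constructed object yields report Dev11 with flags C_CppModule, Unknown3 and KernelAware and no unrecognised bits, which is the decomposition given above for 0x80010090; pointing find_feat00 at a real .obj (read in binary mode) is the way to compare what your own toolchain emits.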
jonwil 03-22-2021 04:12

Changes have been made:
Fixed @feat.00 flags using the new information
Implemented support for unlinking symbols from .idata (i.e. import) and .bss segments.
Fixed handling of instructions with o_displ operand type (i.e. instructions that contain a memory address indexed by the value of a register)
Support exporting uninitialized data from the .data and .bss segments.

jonwil 03-22-2021 08:54

Fixed some bugs in the code for exporting data items that contain pointers to other things (it was incorrectly generating the relocation entries for those) and fixed an off-by-one error in the code that calculated which symbol a given address matches to.

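As an added illustration of the two fixes described in the post above (my own example, not the plugin's code), the following Python shows symbol matching with half-open address ranges, so an address equal to one item's end resolves to the next item rather than the previous one, and the IMAGE_REL_I386_DIR32 relocation records a pointer-bearing data item needs when it is exported into a .obj. The symbol layout, the symbol-table indices and the 16-byte data item are constructed for the example; IMAGE_REL_I386_DIR32 and its add-symbol-address-to-inline-value semantics are from the PE/COFF spec.

```python
import bisect
import struct
from collections import namedtuple

# Real COFF relocation type for a 32-bit absolute address: the linker adds the
# symbol's final address to the 32-bit value already stored in the section.
IMAGE_REL_I386_DIR32 = 0x0006

# name, start VA in the original PE, size, index in the output .obj symbol table
Symbol = namedtuple("Symbol", "name start size index")


def sample_symbols():
    """Constructed layout of three adjacent .rdata items (not from any real binary)."""
    return [
        Symbol("_table", 0x403000, 0x10, 4),
        Symbol("_strA", 0x403010, 6, 5),
        Symbol("_strB", 0x403016, 8, 6),
    ]


def resolve(symbols, addr):
    """Map a VA to (symbol, offset) using half-open ranges [start, start + size).

    bisect_right - 1 picks the last symbol starting at or before addr, and the
    strict end test below is what avoids the off-by-one: an address equal to a
    symbol's end belongs to the next symbol (or to nothing), never to this one.
    """
    starts = [s.start for s in symbols]          # symbols are kept sorted by start
    i = bisect.bisect_right(starts, addr) - 1
    if i < 0:
        return None
    sym = symbols[i]
    if addr >= sym.start + sym.size:
        return None                              # falls in a gap past the last covering symbol
    return sym, addr - sym.start


def sample_data():
    """Constructed 16-byte data item: {char *a; int n; char *b; int m} holding absolute VAs."""
    return struct.pack("<IIII", 0x403010, 42, 0x403018, 7)


def build_relocs(data, pointer_offsets, symbols):
    """Rewrite each pointer slot so it holds only its addend and emit one DIR32
    relocation (offset_in_section, symbol_index, type) per slot.

    Non-pointer members are left untouched, which is why the caller must say
    which offsets are pointers rather than relocating every 4-byte word.
    """
    out = bytearray(data)
    relocs = []
    for off in pointer_offsets:
        target = struct.unpack_from("<I", data, off)[0]
        hit = resolve(symbols, target)
        if hit is None:
            raise ValueError(f"pointer at +{off:#x} -> {target:#x} matches no exported symbol")
        sym, addend = hit
        struct.pack_into("<I", out, off, addend)  # linker adds sym's address to this
        relocs.append((off, sym.index, IMAGE_REL_I386_DIR32))
    return bytes(out), relocs


if __name__ == "__main__":
    fixed, relocs = build_relocs(sample_data(), [0, 8], sample_symbols())
    for off, idx, typ in relocs:
        print(f"reloc at +{off:#x}: symbol #{idx}, type {typ:#06x}")
```

With the constructed layout, the pointer to 0x403018 becomes symbol #6 (_strB) with addend 2 stored inline, and a lookup of 0x403016 lands on _strB at offset 0 rather than on _strA one byte past its end, which is exactly the boundary the off-by-one fix concerns.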
jonwil 03-22-2021 17:51

Made some more fixes and jump tables are now supported (go to the end of the function where the jump table is and press "e" to move the function end past the jump table and then when you unlink it will emit the correct data for that jump table)

Doesn't do indirect jump tables yet though.
One limitation though, if you have something like this in IDA
jmp short loc_401220
align 10h
(i.e. any case where there is an "align" statement inside a function) you need to go to that statement and press "code" to convert it to code, otherwise it won't unlink properly.

jonwil 03-25-2021 12:51

Updated it so that names in the unlinker dialog get demangled the same way they would in the names dialog.
