Posted 03-21-2021, 12:56 by jonwil
unlinker IDA - an IDA plugin for extracting functions from a PE file for later reuse

Just under 5 years ago (in 2016) I wrote a tool called Unlinker that can extract functions and data members from a win32 PE file and produce a Visual Studio compatible COFF obj file you can link into your own code.

See https://forum.exetools.com/showthread.php?t=18018 for details about that.

What I have now done is produced an IDA plugin that can do the same thing.
It's designed to allow you to unlink code and data from whatever 32-bit Windows application you are working on and spit out a Visual Studio compatible COFF obj file you can link into your own code.

It's written to work with (and requires) IDA Pro 7.5 and was tested against 7.5.201028.
Source code is here https://github.com/jonwil/unlinkerida and you will need the IDA 7.5 SDK along with Visual Studio 2019 to compile it (edit the compiler settings to point to the correct include and lib paths for where you have put the SDK).

If anyone wants binaries, let me know and I can provide some.

To use it, you go to a function or data item, right click and select either "unlink" or "unlink extern". "unlink extern" is if you will be providing the definition of that item (code or data) in another file and want the .obj file to reference that. When you select it, it will ask you which module (i.e. which of the different output .obj files) you want to unlink into.

edit-plugins-unlinker will display all the items you have selected to unlink. You can click on one and hit delete to remove it from the list. The data about what you are unlinking is saved in the idb file.

Then when you choose "file-produce file-export unlinked objects" it will spit out the .obj files containing the unlinked items.

Right now it doesn't support unlinking functions that contain jump tables (i.e. for switch statements etc), uninitialized data or data items where some of the members are pointers to something and some are not (it does however support unlinking those 3 things with "unlink extern"). It also currently only supports unlinking from segments named .text, .rdata and .data.

If you have feedback, suggestions, feature requests, bugs, patches to contribute etc, please share here or on GitHub (e.g. GitHub issues).

The code is licensed under the GNU Lesser GPL 3.0 (in simple terms if you are shipping binaries of the plugin you also have to ship the corresponding source code that you changed) with cvconst.h, cvinfo.h and vcver.h being copyrighted by Microsoft and released under the terms of the MIT license.
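One way to check what an exported .obj defines itself and what it expects another object to supply (the "unlink" versus "unlink extern" distinction in the post) is to read its COFF symbol table. This is an added example, not part of the original post or the unlinkerida source; the sample object and its symbol names are constructed, and it assumes "unlink extern" items appear as undefined external symbols (section number 0), which is how COFF represents a reference to a definition in another file.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C   # 32-bit x86 object
IMAGE_SYM_CLASS_EXTERNAL = 2      # symbol visible to the linker
SYM_SIZE = 18                     # size of one COFF symbol record

def coff_symbols(data):
    """Return (name, section_number, storage_class) for each primary symbol."""
    machine, _nsec, _ts, symoff, nsyms, _opt, _chars = struct.unpack_from("<HHIIIHH", data, 0)
    if machine != IMAGE_FILE_MACHINE_I386:
        raise ValueError("not an i386 COFF object")
    strtab = symoff + SYM_SIZE * nsyms        # string table follows the symbols
    if strtab + 4 > len(data):
        raise ValueError("truncated symbol table")
    out, i = [], 0
    while i < nsyms:
        raw, _value, sect, _type, sclass, naux = struct.unpack_from(
            "<8sIhHBB", data, symoff + SYM_SIZE * i)
        if raw[:4] == b"\0\0\0\0":            # long name: offset into string table
            off = strtab + struct.unpack("<I", raw[4:])[0]
            name = data[off:data.index(b"\0", off)]
        else:                                 # short name stored inline
            name = raw.rstrip(b"\0")
        out.append((name.decode("ascii", "replace"), sect, sclass))
        i += 1 + naux                         # skip auxiliary records
    return out

def split_externals(symbols):
    """Split externals into (section > 0: defined here, section 0: not defined here)."""
    ext = [(n, s) for n, s, c in symbols if c == IMAGE_SYM_CLASS_EXTERNAL]
    return [n for n, s in ext if s > 0], [n for n, s in ext if s == 0]

def build_sample():
    """Constructed sample object (hypothetical names), not output of the plugin."""
    strings = b"_external_helper\0"
    header = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 20 + 40, 2, 0, 0)
    section = struct.pack("<8s6I2HI", b".text", 0, 0, 0, 0, 0, 0, 0, 0, 0x60000020)
    syms = struct.pack("<8sIhHBB", b"_sub_401", 0, 1, 0x20, 2, 0)   # defined in section 1
    syms += struct.pack("<IIIhHBB", 0, 4, 0, 0, 0x20, 2, 0)         # undefined, long name
    return header + section + syms + struct.pack("<I", 4 + len(strings)) + strings

if __name__ == "__main__":
    defined, undefined = split_externals(coff_symbols(build_sample()))
    print("defined here:", defined)
    print("must be supplied at link time:", undefined)
```

Every name in the second list has to be resolved by some other object or library at link time, so reviewing it before linking shows exactly which code outside the extracted object will end up in your binary.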