Exetools
#1  03-21-2021, 12:56  jonwil
unlinker IDA - an IDA plugin for extracting functions from a PE file for later reuse

Just under 5 years ago (in 2016) I wrote a tool called Unlinker that can extract functions and data members from a win32 PE file and produce a Visual Studio compatible COFF obj file you can link into your own code.

See https://forum.exetools.com/showthread.php?t=18018 for details about that.

What I have now done is produced an IDA plugin that can do the same thing.
It's designed to allow you to unlink code and data from whatever 32-bit Windows application you are working on and spit out a Visual Studio compatible COFF obj file you can link into your own code.

It's written to work with (and requires) IDA Pro 7.5 and is tested against 7.5.201028.
Source code is here https://github.com/jonwil/unlinkerida and you will need the IDA 7.5 SDK along with Visual Studio 2019 to compile it (edit the compiler settings to point to the correct include and lib paths for where you have put the SDK).

If anyone wants binaries, let me know and I can provide some.

To use it, you go to a function or data item, right click and select either "unlink" or "unlink extern". "unlink extern" is if you will be providing the definition of that item (code or data) in another file and want the .obj file to reference that. When you select it, it will ask you which module (i.e. which of the different output .obj files) you want to unlink into.

edit-plugins-unlinker will display all the items you have selected to unlink. You can click on one and hit delete to remove it from the list. The data about what you are unlinking is saved in the idb file.

Then when you choose "file-produce file-export unlinked objects" it will spit out the .obj files containing the unlinked items.

Right now it doesn't support unlinking functions that contain jump tables (i.e. for switch statements etc.), uninitialized data, or data items where some of the members are pointers to something and some are not (it does, however, support unlinking those 3 things with "unlink extern"). It also currently only supports unlinking from segments named .text, .rdata and .data.

If you have feedback, suggestions, feature requests, bugs, patches to contribute etc, please share here or on github (e.g. github issues).

The code is licensed under the GNU Lesser GPL 3.0 (in simple terms if you are shipping binaries of the plugin you also have to ship the corresponding source code that you changed) with cvconst.h, cvinfo.h and vcver.h being copyrighted by Microsoft and released under the terms of the MIT license.
#2  03-21-2021, 17:20  RamMerLabs
Hi, jonwil!
Let me complement your list of @feat symbol values with a few values I know of:
- Report_Dev11 = 0x10,
actually, this is not a flag but an encoded 3-bit value: 000 - legacy, 001 - Dev11 (i.e. vs2012), other values are still reserved;
- C_CppModule = 0x80, // i.e. not MASM, not CVTRES
- ControlFlowGuardFIDs = 0x800, //CFG-aware
- KernelAware = 0x80000000
I don’t have a github account, so I can’t make a pull request.
#3  03-22-2021, 03:00  jonwil
Thanks, that's great, I have added those.
Looks like the only remaining unknown is Unknown3 = 0x10000,
It also looks like the c2.dll from Visual C++ 2019 latest version forces 0x80010090 as the base value for @feat.00 (so KernelAware | Unknown3 | C_CppModule | Report_Dev11)

More features coming soon.
#4  03-22-2021, 04:12  jonwil
Changes have been made:
Fixed @feat.00 flags using the new information
Implemented support for unlinking symbols from .idata (i.e. import) and .bss segments.
Fixed handling of instructions with o_displ operand type (i.e. instructions that contain a memory address indexed by the value of a register)
Support exporting uninitialized data from the .data and .bss segments.
#5  03-22-2021, 08:54  jonwil
Fixed some bugs in the code for exporting data items that contain pointers to other things (it was incorrectly generating the relocation entries for those) and fixed an off-by-one error in the code that calculated which symbol a given address matches to.
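Added example (not the plugin's code and not written by anyone in this thread): a small Python script that builds an i386 COFF .obj of the shape the plugin emits and then parses it back. It shows the three things the thread discusses: an unlinked function in .text whose call to an "unlink extern" symbol becomes a REL32 relocation against an undefined symbol (post #1), a .data item that holds a pointer and therefore needs a DIR32 relocation entry (post #5), and an absolute @feat.00 symbol decoded with the bit names from posts #2 and #3. The symbol names, the 6-byte function body and the data value are constructed sample input; the 0x1 SafeSEH bit is a well-known @feat.00 bit that the thread does not list; Report_Dev11 is decoded as RamMerLabs describes it (a 3-bit field at bits 4-6, value 1 = Dev11). Field layouts follow the PE/COFF specification.

```python
"""Minimal i386 COFF .obj writer/reader.  Added example for this thread, not the
unlinker plugin's own code.  Layout follows the PE/COFF spec; the @feat.00 bit
names follow posts #2 and #3 (0x1 SafeSEH is a well-known bit not listed there)."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_SCN_TEXT = 0x60000020        # CNT_CODE | MEM_EXECUTE | MEM_READ
IMAGE_SCN_DATA = 0xC0000040        # CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
IMAGE_REL_I386_DIR32 = 0x0006      # absolute 32-bit VA (a pointer inside a data item)
IMAGE_REL_I386_REL32 = 0x0014      # 32-bit PC-relative (call/jmp rel32)
IMAGE_SYM_UNDEFINED, IMAGE_SYM_ABSOLUTE = 0, -1
IMAGE_SYM_CLASS_EXTERNAL, IMAGE_SYM_CLASS_STATIC = 2, 3

# @feat.00 single-bit flags; values other than 0x1 are the ones named in this thread.
FEAT_FLAGS = {0x1: "SafeSEH", 0x80: "C_CppModule", 0x800: "ControlFlowGuardFIDs",
              0x10000: "Unknown3", 0x80000000: "KernelAware"}

def decode_feat00(value):
    """Name the bits of an @feat.00 value; Report_Dev11 is a 3-bit field at bits 4-6."""
    names = ["Report_Dev11"] if (value >> 4) & 7 == 1 else []
    return names + [n for bit, n in sorted(FEAT_FLAGS.items()) if value & bit]

def _sym_name(name, strtab):
    """8-byte symbol name field; longer names go into the string table (offset
    counted from the table's 4-byte size field, as the spec requires)."""
    raw = name.encode()
    if len(raw) <= 8:
        return raw.ljust(8, b"\0")
    off = 4 + len(strtab)
    strtab += raw + b"\0"
    return struct.pack("<II", 0, off)

def build_obj(sections, symbols):
    """sections: [(name, data, characteristics, [(offset, symbol_index, reloc_type)])]
    symbols:  [(name, value, section_number, storage_class)]  (no aux records)"""
    strtab = bytearray()
    hdr_size = 20 + 40 * len(sections)
    raw, sec_hdrs = bytearray(), []
    for name, data, chars, relocs in sections:
        ptr_raw = hdr_size + len(raw)
        raw += data
        ptr_rel = hdr_size + len(raw)          # relocation records follow the raw bytes
        for off, idx, typ in relocs:
            raw += struct.pack("<IIH", off, idx, typ)
        sec_hdrs.append(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                    0, 0, len(data), ptr_raw, ptr_rel, 0,
                                    len(relocs), 0, chars))
    sym_off = hdr_size + len(raw)
    symtab = b"".join(_sym_name(n, strtab) + struct.pack("<IhHBB", v, sec, 0, cls, 0)
                      for n, v, sec, cls in symbols)
    header = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections), 0,
                         sym_off, len(symbols), 0, 0)
    return (header + b"".join(sec_hdrs) + raw + symtab
            + struct.pack("<I", 4 + len(strtab)) + strtab)

def make_sample_obj(feat=0x80010090):
    """Constructed sample: _target calls the extern _callee ("unlink extern");
    _ptr in .data holds &_target, which needs a DIR32 relocation."""
    text = bytes([0xE8, 0, 0, 0, 0,      # call rel32; reloc patches bytes 1..4
                  0xC3])                 # ret
    data = struct.pack("<I", 0)          # dd _target; reloc patches bytes 0..3
    symbols = [("@feat.00", feat, IMAGE_SYM_ABSOLUTE, IMAGE_SYM_CLASS_STATIC),   # 0
               ("_target", 0, 1, IMAGE_SYM_CLASS_EXTERNAL),                      # 1
               ("_callee", 0, IMAGE_SYM_UNDEFINED, IMAGE_SYM_CLASS_EXTERNAL),    # 2
               ("_ptr", 0, 2, IMAGE_SYM_CLASS_EXTERNAL)]                         # 3
    sections = [(".text", text, IMAGE_SCN_TEXT, [(1, 2, IMAGE_REL_I386_REL32)]),
                (".data", data, IMAGE_SCN_DATA, [(0, 1, IMAGE_REL_I386_DIR32)])]
    return build_obj(sections, symbols)

def parse_obj(blob):
    """Read back what a linker needs: sections, relocations (symbol index resolved
    to a name), symbols, and the @feat.00 value if present.  Assumes no aux records."""
    machine, nsec, _, sym_off, nsym, _, _ = struct.unpack_from("<HHIIIHH", blob, 0)
    str_off = sym_off + 18 * nsym
    strtab = blob[str_off:str_off + struct.unpack_from("<I", blob, str_off)[0]]
    symbols = []
    for i in range(nsym):
        rec = blob[sym_off + 18 * i:sym_off + 18 * i + 18]
        if rec[:4] == b"\0\0\0\0":                      # long name: string table offset
            off = struct.unpack_from("<I", rec, 4)[0]
            name = strtab[off:strtab.index(b"\0", off)].decode()
        else:
            name = rec[:8].rstrip(b"\0").decode()
        value, secnum, _, sclass, _ = struct.unpack_from("<IhHBB", rec, 8)
        symbols.append({"name": name, "value": value, "section": secnum, "class": sclass})
    sections = []
    for i in range(nsec):
        name, _, _, size, praw, prel, _, nrel, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, 20 + 40 * i)
        relocs = []
        for r in range(nrel):
            off, idx, typ = struct.unpack_from("<IIH", blob, prel + 10 * r)
            relocs.append({"offset": off, "symbol": symbols[idx]["name"], "type": typ})
        sections.append({"name": name.rstrip(b"\0").decode(), "characteristics": chars,
                         "data": blob[praw:praw + size], "relocs": relocs})
    feat = next((s["value"] for s in symbols if s["name"] == "@feat.00"), None)
    return {"machine": machine, "sections": sections, "symbols": symbols, "feat00": feat}

if __name__ == "__main__":
    blob = make_sample_obj()
    with open("sample.obj", "wb") as f:
        f.write(blob)
    parsed = parse_obj(blob)
    for sec in parsed["sections"]:
        print(sec["name"], sec["data"].hex(), sec["relocs"])
    print("@feat.00 = %#x -> %s" % (parsed["feat00"], decode_feat00(parsed["feat00"])))
```

Running the script writes sample.obj next to it. The undefined _callee plays the role of an "unlink extern" item: to link the sample into a real x86 program you would supply a definition elsewhere (for instance `void callee(void) {}` compiled with `cl /c` for x86, whose cdecl decoration is `_callee`). The symbol Type field is left at 0 and no auxiliary symbol records are emitted, which the Microsoft linker accepts but which is less than what cl.exe itself writes.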
#6  03-22-2021, 17:51  jonwil
Made some more fixes and jump tables are now supported (go to the end of the function where the jump table is and press "e" to move the function end past the jump table and then when you unlink it will emit the correct data for that jump table)

Doesn't do indirect jump tables yet though.
One limitation though: if you have something like this in IDA

    jmp short loc_401220
    align 10h

(i.e. any case where there is an "align" statement inside a function) you need to go to that statement and press "code" to convert it to code, otherwise it won't unlink properly.
#7  03-25-2021, 12:51  jonwil
Updated it so that names in the unlinker dialog get demangled the same way they would in the names dialog.