{"id":17977015,"url":"https://github.com/0xdea/rhabdomancer","last_synced_at":"2026-05-31T11:00:51.666Z","repository":{"id":259896703,"uuid":"875775721","full_name":"0xdea/rhabdomancer","owner":"0xdea","description":"Vulnerability research assistant that locates calls to potentially insecure API functions in a binary file.","archived":false,"fork":false,"pushed_at":"2026-05-27T08:15:47.000Z","size":241819,"stargazers_count":114,"open_issues_count":1,"forks_count":11,"subscribers_count":3,"default_branch":"master","last_synced_at":"2026-05-27T10:13:33.130Z","etag":null,"topics":["ida-plugin","ida-pro","idalib","reverse-engineering","vulnerability-research"],"latest_commit_sha":null,"homepage":"https://hex-rays.com/ida-pro","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xdea.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":3562}},"created_at":"2024-10-20T19:48:22.000Z","updated_at":"2026-05-27T08:15:51.000Z","dependencies_parsed_at":null,"dependency_job_id":"df554359-2275-4f40-8a30-677c8653916e","html_url":"https://github.com/0xdea/rhabdomancer","commit_stats":null,"previous_names":["0xdea/rhabdomancer"],"tags_count":35,"template":false,"template_full_name":null,"purl":"pkg:github/0xdea/rhabdomancer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xdea%2Frhabdomancer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xdea%2Frhabdomancer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xdea%2Frhabdomancer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xdea%2Frhabdomancer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xdea","download_url":"https://codeload.github.com/0xdea/rhabdomancer/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xdea%2Frhabdomancer/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33728391,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-31T02:00:06.040Z","response_time":95,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ida-plugin","ida-pro","idalib","reverse-engineering","vulnerability-research"],"created_at":"2024-10-29T17:26:02.957Z","updated_at":"2026-05-31T11:00:51.661Z","avatar_url":"https://github.com/0xdea.png","language":"Rust","funding_links":["https://github.com/sponsors/3562"],"categories":["Applications","Recently Updated","IDA Plugins"],"sub_categories":["Security tools","[Who Wants to Be a Millionare](https://www.boardgamecapital.com/who-wants-to-be-a-millionaire-rules.htm)"],"readme":"# rhabdomancer\n\n[![](https://img.shields.io/github/stars/0xdea/rhabdomancer.svg?style=flat\u0026color=yellow)](https://github.com/0xdea/rhabdomancer)\n[![](https://img.shields.io/crates/v/rhabdomancer?style=flat\u0026color=green)](https://crates.io/crates/rhabdomancer)\n[![](https://img.shields.io/crates/d/rhabdomancer?style=flat\u0026color=red)](https://crates.io/crates/rhabdomancer)\n[![](https://img.shields.io/badge/ida-9.3-violet)](https://hex-rays.com/ida-pro)\n[![](https://img.shields.io/badge/twitter-%400xdea-blue.svg)](https://twitter.com/0xdea)\n[![](https://img.shields.io/badge/mastodon-%40raptor-purple.svg)](https://infosec.exchange/@raptor)\n[![build](https://github.com/0xdea/rhabdomancer/actions/workflows/build.yml/badge.svg)](https://github.com/0xdea/rhabdomancer/actions/workflows/build.yml)\n[![doc](https://github.com/0xdea/rhabdomancer/actions/workflows/doc.yml/badge.svg)](https://github.com/0xdea/rhabdomancer/actions/workflows/doc.yml)\n\n\u003e \"The road to exploitable bugs is paved with unexploitable bugs.\"\n\u003e\n\u003e -- Mark Dowd\n\nRhabdomancer is a blazing fast IDA Pro headless plugin that locates calls to potentially insecure API functions in\na binary file. Auditors can backtrace from these candidate points to find pathways allowing access to untrusted input.\n\n![](https://raw.githubusercontent.com/0xdea/rhabdomancer/master/.img/screen01.png)\n\n## Features\n\n- Blazing fast, headless user experience courtesy of IDA Pro 9.x and Binarly's idalib Rust bindings.\n- Support for C/C++ binary targets compiled for any architecture implemented by IDA Pro.\n- Bad API function call locations are printed to stdout and marked in the IDB.\n- Known bad API functions are grouped in tiers of badness to help prioritize the audit work.\n  - [BAD 0] High priority - Functions that are generally considered insecure.\n  - [BAD 1] Medium priority - Interesting functions that should be checked for insecure use cases.\n  - [BAD 2] Low priority - Code paths involving these functions should be carefully checked.\n- The list of known bad API functions can be easily customized by editing `conf/rhabdomancer.toml`.\n\n## Blog posts\n\n- \u003chttps://hex-rays.com/blog/streamlining-vulnerability-research-idalib-rust-bindings\u003e\n- \u003chttps://hnsecurity.it/blog/streamlining-vulnerability-research-with-ida-pro-and-rust\u003e\n\n## See also\n\n- \u003chttps://github.com/0xdea/ghidra-scripts/blob/main/Rhabdomancer.java\u003e\n- \u003chttps://docs.hex-rays.com/release-notes/9_0#headless-processing-with-idalib\u003e\n- \u003chttps://github.com/idalib-rs/idalib\u003e\n- \u003chttps://books.google.it/books/about/The_Art_of_Software_Security_Assessment.html\u003e\n\n## Installing\n\nThe easiest way to get the latest release is via [crates.io](https://crates.io/crates/rhabdomancer):\n\n1. Download, install, and configure IDA Pro (see \u003chttps://hex-rays.com/ida-pro\u003e).\n2. Install LLVM/Clang (see \u003chttps://rust-lang.github.io/rust-bindgen/requirements.html\u003e).\n3. On Linux/macOS, install as follows:\n   ```sh\n   export IDADIR=/path/to/ida # if not set, the build script will check common locations\n   cargo install rhabdomancer\n   ```\n   On Windows, instead, use the following commands:\n   ```powershell\n   $env:LIBCLANG_PATH=\"\\path\\to\\clang+llvm\\bin\"\n   $env:PATH=\"\\path\\to\\ida;$env:PATH\"\n   $env:IDADIR=\"\\path\\to\\ida\" # if not set, the build script will check common locations\n   cargo install rhabdomancer\n   ```\n\n## Compiling\n\nAlternatively, you can build from [source](https://github.com/0xdea/rhabdomancer):\n\n1. Download, install, and configure IDA Pro (see \u003chttps://hex-rays.com/ida-pro\u003e).\n2. Install LLVM/Clang (see \u003chttps://rust-lang.github.io/rust-bindgen/requirements.html\u003e).\n3. On Linux/macOS, compile as follows:\n   ```sh\n   git clone --depth 1 https://github.com/0xdea/rhabdomancer\n   cd rhabdomancer\n   export IDADIR=/path/to/ida # if not set, the build script will check common locations\n   cargo build --release\n   ```\n   On Windows, instead, use the following commands:\n   ```powershell\n   git clone --depth 1 https://github.com/0xdea/rhabdomancer\n   cd rhabdomancer\n   $env:LIBCLANG_PATH=\"\\path\\to\\clang+llvm\\bin\"\n   $env:PATH=\"\\path\\to\\ida;$env:PATH\"\n   $env:IDADIR=\"\\path\\to\\ida\" # if not set, the build script will check common locations\n   cargo build --release\n   ```\n\n## Usage\n\n1. Make sure IDA Pro is properly configured with a valid license.\n2. Customize the list of known bad API functions in `conf/rhabdomancer.toml` if needed. You can override the default\n   configuration file location by setting the `RHABDOMANCER_CONFIG` environment variable.\n3. Make sure the `IDADIR` environment variable is set if your IDA Pro installation is in a non-standard location.\n4. Run as follows:\n   ```sh\n   rhabdomancer \u003cbinary_file\u003e\n   ```\n   Any existing `.i64` IDB file will be updated; otherwise, a new IDB file will be created.\n5. Open the resulting `.i64` IDB file with IDA Pro.\n6. Select `View` \u003e `Open subviews` \u003e `Bookmarks`\n7. Enjoy your results conveniently collected into an IDA Pro window.\n\n\u003e [!NOTE]\n\u003e Rhabdomancer also adds comments at marked call locations.\n\n## Compatibility\n\nOnly the latest IDA Pro release is officially supported, but older versions may work as well. The following table\nsummarizes the latest compatible release for each IDA Pro version:\n\n| IDA Pro version | Latest compatible release |\n| --------------- | ------------------------- |\n| v9.0.240925     | v0.2.4                    |\n| v9.0.241217     | v0.3.5                    |\n| v9.1.250226     | v0.6.2                    |\n| v9.2.250908     | v0.7.6                    |\n| v9.3.260213     | v0.8.1                    |\n| v9.3.260327     | v0.9.0                    |\n| v9.3.260421     | current release           |\n\n\u003e [!NOTE]\n\u003e Check the [idalib](https://github.com/idalib-rs/idalib) documentation for additional information.\n\n## Changelog\n\n- [CHANGELOG.md](https://github.com/0xdea/rhabdomancer/blob/master/CHANGELOG.md)\n\n## TODO\n\n- Enrich the known bad API function list (see \u003chttps://github.com/0xdea/semgrep-rules\u003e).\n- Consider converting `traverse_xrefs` to an iterative walk to avoid potential stack overflows and infinite loops.\n- Consider broadening the scope of normalization in `normalize_name` to account for more cases.\n- Implement a basic ruleset in the style of [VulFi](https://github.com/Accenture/VulFi)\n  and [VulnFanatic](https://github.com/Martyx00/VulnFanatic).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xdea%2Frhabdomancer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xdea%2Frhabdomancer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xdea%2Frhabdomancer/lists"}