{"id":28713481,"url":"https://github.com/eset/delphihelper","last_synced_at":"2025-06-15T00:10:33.914Z","repository":{"id":284254482,"uuid":"905920450","full_name":"eset/DelphiHelper","owner":"eset","description":"DelphiHelper is a python IDA Pro plugin aiming to help the analysis of x86/x86_64 binaries written in Delphi programming language.","archived":false,"fork":false,"pushed_at":"2025-04-08T13:19:03.000Z","size":446,"stargazers_count":86,"open_issues_count":0,"forks_count":21,"subscribers_count":8,"default_branch":"github","last_synced_at":"2025-04-08T14:27:03.259Z","etag":null,"topics":["delphi","ida","ida-plugin","ida-pro","idapro","idapython","python"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eset.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-19T19:42:04.000Z","updated_at":"2025-04-08T13:19:07.000Z","dependencies_parsed_at":null,"dependency_job_id":"2872a85e-91f4-40f1-af84-5bc81c6540f6","html_url":"https://github.com/eset/DelphiHelper","commit_stats":null,"previous_names":["eset/delphihelper"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/eset/DelphiHelper","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eset%2FDelphiHelper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eset%2FDelphiHelper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eset%2FDelphiHelper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/re
positories/eset%2FDelphiHelper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eset","download_url":"https://codeload.github.com/eset/DelphiHelper/tar.gz/refs/heads/github","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eset%2FDelphiHelper/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259901390,"owners_count":22929227,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["delphi","ida","ida-plugin","ida-pro","idapro","idapython","python"],"created_at":"2025-06-15T00:10:33.365Z","updated_at":"2025-06-15T00:10:33.892Z","avatar_url":"https://github.com/eset.png","language":"Python","readme":"# DelphiHelper\n\nDelphiHelper is a python IDA Pro plugin aiming to help the analysis of\nx86/x86_64 binaries written in\n[Delphi](https://www.embarcadero.com/products/delphi) programming language.\n\n## Table of Contents\n\n\n## Features\n\n* Displays an interactive tree view of Delphi's DFM (Delphi Form Modules)\nresource (Delphi Form description)\n* Parses Delphi's RTTI data structures\n* Extracts useful information from Delphi's RTTI data structures\n* Extracts binary files embedded in Delphi's DFM resources\n* Searches for the Entry Point (EP) function\n* Loads Delphi's FLIRT signatures automatically\n* Loads Interactive Delphi Reconstructor (IDR) Knowledge Base (KB) function\nsignatures \n\n## Installation\n\n1. 
Copy the `DelphiHelper` directory and `DelphiHelper.py` into the IDA plugin\n   directory:\n   * on Windows: `%APPDATA%\\Hex-Rays\\IDA Pro\\plugins\\`\n   * on macOS/Linux: `$HOME/.idapro/plugins/`\n2. Download IDR Knowledge Base files manually by following \n   [instructions](#download-instructions) given below or run the script\n   `setup_IDRKB.py`.\n\n   \u003e **_NOTE_**: `py7zr` installation is required to run the setup script: \n   `pip install py7zr`\n\n**DelphiHelper** should be compatible with IDA 8.4 and later on Windows, macOS\nand GNU/Linux.\n\n## Usage\n\nIn order to use the DelphiHelper plugin, the resource section has to be loaded\nin IDA. This can be achieved by checking the box **Load resources** or with the\n`-R` command-line switch.\n\n![Loading a file in IDA Pro GUI.](img/LoadFile.PNG)\n\n\u003e **_NOTE_**: IDA autoanalysis must be completed before using the plugin.\n\n### Hotkeys\n\n* `\u003cAlt-Shift-H\u003e`: Print Help\n* `\u003cAlt-Shift-R\u003e`: Run [VMT Parser](#vmt-parser)\n* `\u003cAlt-Shift-F\u003e`: Run [DFM Finder](#dfm-finder) (show Delphi Form Viewer window)\n* `\u003cAlt-Shift-E\u003e`: Run [Entry Point Function Finder](#entry-point-function-finder)\n* `\u003cAlt-Shift-S\u003e`: Run [IDR Knowledge Base Loader](#idr-knowledge-base-loader) for `SysInit` and `System` unit\n* `\u003cAlt-Shift-A\u003e`: Run [IDR Knowledge Base Loader](#idr-knowledge-base-loader)\nfor selected units\n\n### VMT Parser\n\n**Hotkey**: `\u003cAlt-Shift-R\u003e`\n\nThe **Virtual Method Table (VMT) Parser** must be executed with the cursor on\nthe starting address of a VMT structure. 
This structure can be located by\nsearching the functions named `CreateForm`, `CreateObject`, etc.; once the\nfunction is found, the last argument should be the VMT structure.\n\nIn most cases there is a sequence of two instructions:\n```\nmov \u003cregister\u003e, \u003cVMTStructureOffset\u003e\ncall CreateForm\n```\n\nFor example:\n\n![Identifying of VMT structure offset.](img/CreateForm.PNG)\n\nOnce on the structure (VMTStructureOffset e.g. `off_664A8C`), press `\u003cEnter\u003e`:\n\n![VMT structure.](img/VMTStructure.PNG)\n\nPress the hotkey `\u003cAlt-Shift-R\u003e`. The result looks like below:\n\n![Parsed VMT structure.](img/VMTStructureParsed.PNG)\n\nThe VMT structure contains a lot of useful information stored in various RTTI\ntables. The most interesting ones are:\n* [Field Table](#field-table)\n* [Virtual Method Table (VMT)](#virtual-method-table-(vmt))\n* [Method Table](#method-table)\n\nThe **VMT Parser** automatically extracts data from those tables and stores it\ninto IDA enums and structures. \n\n#### Field Table\n\nThe Field Table stores a name, a type and an offset of each published field.\nThe **VMT Parser** extracts and saves all these entries for each VMT structure\ninto IDA Enums:\n\n![Field Table](img/FieldTable.PNG)\n\nThe enums created by the **VMT Parser** have following format:\n`%ObjectName%_Fields`. 
The names of enum entries have this format:\n`%ObjectName%_%FieldType%_%FieldName%`:\n\n![Field Table in IDA Enum](img/IDAEnum_FieldTable.PNG)\n\nThe entries from enums created by the **VMT Parser** can then be named by\npressing the built-in IDA shortcut `\u003cM\u003e`, used for naming symbolic constants.\n\n**Before**\n\n![Resolving a field from Field Table](img/FieldInFunc_Before.PNG)\n\n**After**\n\n![Resolving a field from Field Table](img/FieldInFunc_After.PNG)\n\n#### Virtual Method Table (VMT)\n\nThe Virtual Method Table stores pointers to all virtual methods declared for a\nclass and its base classes:\n\n![VMT table](img/VMT.PNG)\n\nThe **VMT Parser** extracts pointers from the VMT and saves them into an IDA\nstructure named by the parsed VMT structure. The names of structure entries\nhave the following format: `%MethodName%_%MethodOffset%`:\n\n![VMT table in IDA Structure](img/IDAStruct_VMT.PNG)\n\nThe entries from structures created by the **VMT Parser** can then be named by\npressing the built-in IDA shortcut `\u003cT\u003e`, used for naming structure offsets.\n\n**Before**\n\n![Call VMT method by offset](img/CallVMTFunc_Before.PNG)\n\n**After**\n\n![Call VMT method by offset](img/CallVMTFunc_After.PNG)\n\n\n#### Method Table\n\nThe Method Table stores names and pointers of published methods. The Method\nTable also contains pointers of Delphi Event handlers that can be found and\naccessed from the **Delphi Form Viewer** (for more info see [DFM\nFinder](#dfm-finder)).\n\n![Method Table](img/MethodTable.PNG)\n\n### DFM Finder\n\n**Hotkey**: `\u003cAlt-Shift-F\u003e`\n\nThe **DFM Finder** tries to find all DFMs stored in a resource section of the\nanalyzed Delphi binary and after that it runs the **VMT Parser** on all VMT\nstructures associated with found DFMs. After all VMT structures are processed,\na new interactive IDA subview (**Delphi Form Viewer**) is displayed. 
The\nsubview shows a tree view of Delphi Form descriptions extracted from DFM:\n\n![Delphi Form Viewer](img/DelphiFormViewer.PNG)\n\n**Bold** nodes represent components that have some Delphi Event defined.\nFollow such bold nodes deeper in a subtree until you spot a bold `Properties`\nnode, where you can find a blue colored Delphi Event. By clicking on the Event\nitem, you are moved to a corresponding Event handler in the IDA Disassembly\nwindow.\n\n**Green** nodes represent components which have some binary file embedded.\nFollow such green nodes deeper in a subtree until you spot a green `Properties`\nnode, where you can find a green colored item. The item shows a file path of\nthe embedded binary file dropped by **DFM Finder**. The destination\nsubdirectory for extracted files is located in the current IDA working directory\nand has the following format:\n`%IDAWorkingDirectory%\\_extracted_%BinaryFileName%\\` \n\nClicking on a root (Form's) node in the Delphi Form Viewer window moves you to the\nForm's VMT structure in the IDA Disassembly window.\n\n### Entry Point Function Finder\n\n**Hotkey**: `\u003cAlt-Shift-E\u003e`\n\n**Entry Point Function Finder** tries to find possible entry point functions by\nsearching for references to `CreateForm`, `InitExe` and `InitLib` calls.\nResults are presented in IDA's output window, e.g.:  \n\n![Output of EP Function Finder](img/EPFinder.PNG)\n\n### IDR Knowledge Base Loader\n\n**Hotkeys**: `\u003cAlt-Shift-S\u003e` and `\u003cAlt-Shift-A\u003e`\n\n**IDR Knowledge Base Loader** loads IDR KB signatures from KB files. 
The plugin \nexpects to have the KB files stored in the following location:\n\n* on Windows: `%APPDATA%\\Hex-Rays\\IDA Pro\\plugins\\DelphiHelper\\IDR_KB\\`\n\n* on macOS/Linux: `$HOME/.idapro/plugins/DelphiHelper/IDR_KB/`\n\n`\u003cAlt-Shift-S\u003e` loads function signatures for only `SysInit` and `System`.\n\n`\u003cAlt-Shift-A\u003e` tries to load function signatures for all units selected from a\nlist of imported units.\n\n\u003e **_NOTE_**: The KB files are downloaded from the IDR project:\u003cbr\u003e\n\u003e https://github.com/crypto2011/IDR\u003cbr\u003e\n\u003e https://github.com/crypto2011/IDR64\n\nThe IDR project is licensed under the MIT license:\n``` \nMIT License\n\nCopyright (c) 2006-2018 crypto\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n```\n\n#### Download instructions\n\nDownload and copy following KB files into `DelphiHelper\\IDR_KB\\IDR64\\`\ndirectory:\u003cbr\u003e\nhttps://github.com/crypto2011/IDR64/blob/master/syskb2012.bin\u003cbr\u003e\nhttps://github.com/crypto2011/IDR64/blob/master/syskb2013.bin\u003cbr\u003e\nhttps://github.com/crypto2011/IDR64/blob/master/syskb2014.bin\u003cbr\u003e\n\nDownload and **extract** following KB files into `DelphiHelper\\IDR_KB\\IDR\\`\ndirectory:\u003cbr\u003e\nhttps://github.com/crypto2011/IDR/blob/master/kb2005.7z\u003cbr\u003e\nhttps://github.com/crypto2011/IDR/blob/master/kb2006.7z\u003cbr\u003e\nhttps://github.com/crypto2011/IDR/blob/master/kb2007.7z\u003cbr\u003e\nhttps://github.com/crypto2011/IDR/blob/master/kb2009.7z\u003cbr\u003e\nhttps://github.com/crypto2011/IDR/blob/master/kb2010.7z\u003cbr\u003e\nhttps://github.com/crypto2011/IDR/blob/master/kb2011.7z\u003cbr\u003e\nhttps://github.com/crypto2011/IDR/blob/master/kb2012.7z\u003cbr\u003e\nhttps://github.com/crypto2011/IDR/blob/master/kb2013.7z\u003cbr\u003e\nhttps://github.com/crypto2011/IDR/blob/master/kb2014.7z\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feset%2Fdelphihelper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feset%2Fdelphihelper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feset%2Fdelphihelper/lists"}