https://github.com/0xdea/rhabdomancer
Vulnerability research assistant that locates calls to potentially insecure API functions in a binary file.
ida-plugin ida-pro idalib reverse-engineering vulnerability-research
- Host: GitHub
- URL: https://github.com/0xdea/rhabdomancer
- Owner: 0xdea
- License: mit
- Created: 2024-10-20T19:48:22.000Z (6 months ago)
- Default Branch: master
- Last Pushed: 2025-03-24T13:30:10.000Z (21 days ago)
- Last Synced: 2025-03-24T14:31:27.465Z (21 days ago)
- Topics: ida-plugin, ida-pro, idalib, reverse-engineering, vulnerability-research
- Language: Rust
- Homepage: https://hex-rays.com/ida-pro
- Size: 130 MB
- Stars: 36
- Watchers: 4
- Forks: 4
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
Awesome Lists containing this project
- fucking-awesome-rust - 0xdea/rhabdomancer - Vulnerability research assistant that locates all calls to potentially insecure API functions in a binary file (Applications / Security tools)
- awesome-rust - 0xdea/rhabdomancer - Vulnerability research assistant that locates all calls to potentially insecure API functions in a binary file (Applications / Security tools)
- trackawesomelist - 0xdea/rhabdomancer (⭐15) - Vulnerability research assistant that locates all calls to potentially insecure API functions in a binary file (Recently Updated)
README
# rhabdomancer
> "The road to exploitable bugs is paved with unexploitable bugs."
>
> -- Mark Dowd

Rhabdomancer is a blazing fast IDA Pro headless plugin that locates calls to potentially insecure API functions in a binary file. Auditors can backtrace from these candidate points to find pathways allowing access from untrusted input.
## Features
* Blazing fast, headless user experience courtesy of IDA Pro 9 and Binarly's idalib Rust bindings.
* Support for C/C++ binary targets compiled for any architecture implemented by IDA Pro.
* Bad API function call locations are printed to stdout and marked in the IDB.
* Known bad API functions are grouped in tiers of badness to help prioritize the audit work.
    * [BAD 0] High priority - Functions that are generally considered insecure.
    * [BAD 1] Medium priority - Interesting functions that should be checked for insecure use cases.
    * [BAD 2] Low priority - Code paths involving these functions should be carefully checked.
* The list of known bad API functions can be easily customized by editing `conf/rhabdomancer.toml`.

## Blog post

## See also

## Installing
The easiest way to get the latest release is via [crates.io](https://crates.io/crates/rhabdomancer):
1. Download, install, and configure IDA Pro (see ).
2. Download and extract the IDA SDK (see ).
3. Install LLVM/Clang (see ).
4. On Linux/macOS, install as follows:
```sh
export IDASDKDIR=/path/to/idasdk
export IDADIR=/path/to/ida # if not set, the build script will check common locations
cargo install rhabdomancer
```
On Windows, instead, use the following commands:
```powershell
$env:LIBCLANG_PATH="\path\to\clang+llvm\bin"
$env:PATH="\path\to\ida;$env:PATH"
$env:IDASDKDIR="\path\to\idasdk"
$env:IDADIR="\path\to\ida" # if not set, the build script will check common locations
cargo install rhabdomancer
```

## Compiling
Alternatively, you can build from [source](https://github.com/0xdea/rhabdomancer):
1. Download, install, and configure IDA Pro (see ).
2. Download and extract the IDA SDK (see ).
3. Install LLVM/Clang (see ).
4. On Linux/macOS, compile as follows:
```sh
git clone --depth 1 https://github.com/0xdea/rhabdomancer
cd rhabdomancer
export IDASDKDIR=/path/to/idasdk # or edit .cargo/config.toml
export IDADIR=/path/to/ida # if not set, the build script will check common locations
cargo build --release
```
On Windows, instead, use the following commands:
```powershell
git clone --depth 1 https://github.com/0xdea/rhabdomancer
cd rhabdomancer
$env:LIBCLANG_PATH="\path\to\clang+llvm\bin"
$env:PATH="\path\to\ida;$env:PATH"
$env:IDASDKDIR="\path\to\idasdk"
$env:IDADIR="\path\to\ida" # if not set, the build script will check common locations
cargo build --release
```

## Usage
1. Make sure IDA Pro is properly configured with a valid license.
2. Customize the list of known bad API functions in `conf/rhabdomancer.toml` if needed.
3. Run as follows:
```sh
rhabdomancer
```
Any existing `.i64` IDB file will be updated; otherwise, a new IDB file will be created.
4. Open the resulting `.i64` IDB file with IDA Pro.
5. Select `View` > `Open subviews` > `Bookmarks`
6. Enjoy your results conveniently collected in an IDA Pro window.

*Note: rhabdomancer also adds comments at marked call locations.*
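The tier-based triage described under Features and Usage, modelled as a stand-alone program (an added example, not rhabdomancer's own code, which reads call sites from IDA through idalib rather than from a list). The `[badN]` / `functions = [...]` config layout, the call-site tuples, the addresses and the `[BAD N]` report line are constructed assumptions for the example, not the plugin's real config schema or output format.

```rust
use std::collections::HashMap;

/// Badness tier: 0 is the highest priority, mirroring [BAD 0]..[BAD 2] above.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Tier(pub u8);

/// One candidate call site: the tier of the callee, its name and the call address.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding { pub tier: Tier, pub callee: String, pub addr: u64 }

/// Parse a constructed TOML-like tier list (`[bad0]` / `functions = ["strcpy", ...]`).
/// This layout is an assumption for the example, not rhabdomancer's real config schema.
pub fn parse_tiers(conf: &str) -> HashMap<String, Tier> {
    let mut map = HashMap::new();
    let mut current: Option<Tier> = None;
    for line in conf.lines().map(str::trim) {
        if let Some(n) = line.strip_prefix("[bad").and_then(|s| s.strip_suffix(']')) {
            current = n.parse::<u8>().ok().map(Tier);
        } else if let (Some(tier), Some(rest)) = (current, line.strip_prefix("functions")) {
            // Quoted names are the odd fields after splitting on `"`.
            for name in rest.split('"').skip(1).step_by(2) {
                // A name listed in two tiers keeps the more severe (lower) one.
                map.entry(name.to_string()).and_modify(|t: &mut Tier| *t = (*t).min(tier)).or_insert(tier);
            }
        }
    }
    map
}

/// Match call sites (callee, address) against the tier list and order them for triage:
/// most severe tier first, then by address. Callees not on the list are dropped.
pub fn triage(calls: &[(&str, u64)], tiers: &HashMap<String, Tier>) -> Vec<Finding> {
    let mut out: Vec<Finding> = calls.iter().filter_map(|&(callee, addr)| {
        // Tolerate import-stub prefixes such as `_strcpy` or `__imp_strcpy`.
        let name = callee.trim_start_matches('_').trim_start_matches("imp_");
        tiers.get(name).map(|&tier| Finding { tier, callee: callee.to_string(), addr })
    }).collect();
    out.sort_by_key(|f| (f.tier, f.addr));
    out
}

/// One report line per finding, in the spirit of the plugin's stdout output (assumed format).
pub fn format_finding(f: &Finding) -> String {
    format!("[BAD {}] {:#x} call to {}", f.tier.0, f.addr, f.callee)
}

fn main() {
    let tiers = parse_tiers("[bad0]\nfunctions = [\"strcpy\", \"gets\"]\n[bad1]\nfunctions = [\"memcpy\"]\n");
    // Constructed call sites, as a disassembler would list them.
    let calls = [("_memcpy", 0x401040u64), ("strcpy", 0x4010a0), ("puts", 0x4010c0), ("gets", 0x401080)];
    for f in triage(&calls, &tiers) { println!("{}", format_finding(&f)); }
}
```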
## Compatibility
* IDA Pro 9.0.240925 - Latest compatible: v0.2.4.
* IDA Pro 9.0.241217 - Latest compatible: v0.3.5.
* IDA Pro 9.1.250226 - Latest compatible: current version.

*Note: check [idalib](https://github.com/binarly-io/idalib) documentation for additional information.*
## Changelog
* [CHANGELOG.md](CHANGELOG.md)
## TODO
* Enrich the known bad API function list (see ).
* Implement a basic ruleset in the style of [VulFi](https://github.com/Accenture/VulFi)
and [VulnFanatic](https://github.com/Martyx00/VulnFanatic).