https://github.com/0xdea/rhabdomancer

Vulnerability research assistant that locates calls to potentially insecure API functions in a binary file.
https://github.com/0xdea/rhabdomancer

ida-plugin ida-pro idalib reverse-engineering vulnerability-research

Last synced: 22 days ago
JSON representation

Vulnerability research assistant that locates calls to potentially insecure API functions in a binary file.

• Host: GitHub
• URL: https://github.com/0xdea/rhabdomancer
• Owner: 0xdea
• License: mit
• Created: 2024-10-20T19:48:22.000Z (over 1 year ago)
• Default Branch: master
• Last Pushed: 2026-05-27T08:15:47.000Z (26 days ago)
• Last Synced: 2026-05-27T10:13:33.130Z (26 days ago)
• Topics: ida-plugin, ida-pro, idalib, reverse-engineering, vulnerability-research
• Language: Rust
• Homepage: https://hex-rays.com/ida-pro
• Size: 231 MB
• Stars: 114
• Watchers: 3
• Forks: 11
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG.md
  • License: LICENSE

Awesome Lists containing this project

• fucking-awesome-rust - 0xdea/rhabdomancer - Vulnerability research assistant that locates all calls to potentially insecure API functions in a binary file [](https://github.com/0xdea/rhabdomancer/actions/workflows/build.yml) (Applications / Security tools)
• awesome-rust - 0xdea/rhabdomancer - Vulnerability research assistant that locates all calls to potentially insecure API functions in a binary file [](https://github.com/0xdea/rhabdomancer/actions/workflows/build.yml) (Applications / Security tools)
• trackawesomelist - 0xdea/rhabdomancer (⭐15) - Vulnerability research assistant that locates all calls to potentially insecure API functions in a binary file [](https://github.com/0xdea/rhabdomancer/actions/workflows/build.yml) (Recently Updated / [Who Wants to Be a Millionare](https://www.boardgamecapital.com/who-wants-to-be-a-millionaire-rules.htm))
• awesome-ida-x64-olly-plugin - rhabdomancer
• awesome-rust-with-stars - 0xdea/rhabdomancer - 01-30 | (Applications / Security tools)

README

          
# rhabdomancer

[![](https://img.shields.io/github/stars/0xdea/rhabdomancer.svg?style=flat&color=yellow)](https://github.com/0xdea/rhabdomancer)

[![](https://img.shields.io/crates/v/rhabdomancer?style=flat&color=green)](https://crates.io/crates/rhabdomancer)

[![](https://img.shields.io/crates/d/rhabdomancer?style=flat&color=red)](https://crates.io/crates/rhabdomancer)

[![](https://img.shields.io/badge/ida-9.3-violet)](https://hex-rays.com/ida-pro)

[![](https://img.shields.io/badge/twitter-%400xdea-blue.svg)](https://twitter.com/0xdea)

[![](https://img.shields.io/badge/mastodon-%40raptor-purple.svg)](https://infosec.exchange/@raptor)

[![build](https://github.com/0xdea/rhabdomancer/actions/workflows/build.yml/badge.svg)](https://github.com/0xdea/rhabdomancer/actions/workflows/build.yml)

[![doc](https://github.com/0xdea/rhabdomancer/actions/workflows/doc.yml/badge.svg)](https://github.com/0xdea/rhabdomancer/actions/workflows/doc.yml)

> "The road to exploitable bugs is paved with unexploitable bugs."

>

> -- Mark Dowd

Rhabdomancer is a blazing fast IDA Pro headless plugin that locates calls to potentially insecure API functions in

a binary file. Auditors can backtrace from these candidate points to find pathways allowing access to untrusted input.

![](https://raw.githubusercontent.com/0xdea/rhabdomancer/master/.img/screen01.png)

## Features

- Blazing fast, headless user experience courtesy of IDA Pro 9.x and Binarly's idalib Rust bindings.

- Support for C/C++ binary targets compiled for any architecture implemented by IDA Pro.

- Bad API function call locations are printed to stdout and marked in the IDB.

- Known bad API functions are grouped in tiers of badness to help prioritize the audit work.

  - [BAD 0] High priority - Functions that are generally considered insecure.

  - [BAD 1] Medium priority - Interesting functions that should be checked for insecure use cases.

  - [BAD 2] Low priority - Code paths involving these functions should be carefully checked.

- The list of known bad API functions can be easily customized by editing `conf/rhabdomancer.toml`.

## Blog posts

- 

- 

## See also

- 

- 

- 

- 

## Installing

The easiest way to get the latest release is via [crates.io](https://crates.io/crates/rhabdomancer):

1. Download, install, and configure IDA Pro (see ).

2. Install LLVM/Clang (see ).

3. On Linux/macOS, install as follows:

   ```sh

   export IDADIR=/path/to/ida # if not set, the build script will check common locations

   cargo install rhabdomancer

   ```

   On Windows, instead, use the following commands:

   ```powershell

   $env:LIBCLANG_PATH="\path\to\clang+llvm\bin"

   $env:PATH="\path\to\ida;$env:PATH"

   $env:IDADIR="\path\to\ida" # if not set, the build script will check common locations

   cargo install rhabdomancer

   ```

## Compiling

Alternatively, you can build from [source](https://github.com/0xdea/rhabdomancer):

1. Download, install, and configure IDA Pro (see ).

2. Install LLVM/Clang (see ).

3. On Linux/macOS, compile as follows:

   ```sh

   git clone --depth 1 https://github.com/0xdea/rhabdomancer

   cd rhabdomancer

   export IDADIR=/path/to/ida # if not set, the build script will check common locations

   cargo build --release

   ```

   On Windows, instead, use the following commands:

   ```powershell

   git clone --depth 1 https://github.com/0xdea/rhabdomancer

   cd rhabdomancer

   $env:LIBCLANG_PATH="\path\to\clang+llvm\bin"

   $env:PATH="\path\to\ida;$env:PATH"

   $env:IDADIR="\path\to\ida" # if not set, the build script will check common locations

   cargo build --release

   ```

## Usage

1. Make sure IDA Pro is properly configured with a valid license.

2. Customize the list of known bad API functions in `conf/rhabdomancer.toml` if needed. You can override the default

   configuration file location by setting the `RHABDOMANCER_CONFIG` environment variable.

3. Make sure the `IDADIR` environment variable is set if your IDA Pro installation is in a non-standard location.

4. Run as follows:

   ```sh

   rhabdomancer 

   ```

   Any existing `.i64` IDB file will be updated; otherwise, a new IDB file will be created.

5. Open the resulting `.i64` IDB file with IDA Pro.

6. Select `View` > `Open subviews` > `Bookmarks`

7. Enjoy your results conveniently collected into an IDA Pro window.

> [!NOTE]

> Rhabdomancer also adds comments at marked call locations.

## Compatibility

Only the latest IDA Pro release is officially supported, but older versions may work as well. The following table

summarizes the latest compatible release for each IDA Pro version:

| IDA Pro version | Latest compatible release |

| --------------- | ------------------------- |

| v9.0.240925     | v0.2.4                    |

| v9.0.241217     | v0.3.5                    |

| v9.1.250226     | v0.6.2                    |

| v9.2.250908     | v0.7.6                    |

| v9.3.260213     | v0.8.1                    |

| v9.3.260327     | v0.9.0                    |

| v9.3.260421     | current release           |

> [!NOTE]

> Check the [idalib](https://github.com/idalib-rs/idalib) documentation for additional information.

## Changelog

- [CHANGELOG.md](https://github.com/0xdea/rhabdomancer/blob/master/CHANGELOG.md)

## TODO

- Enrich the known bad API function list (see ).

- Consider converting `traverse_xrefs` to an iterative walk to avoid potential stack overflows and infinite loops.

- Consider broadening the scope of normalization in `normalize_name` to account for more cases.

- Implement a basic ruleset in the style of [VulFi](https://github.com/Accenture/VulFi)

  and [VulnFanatic](https://github.com/Martyx00/VulnFanatic).