https://github.com/eset/delphihelper
DelphiHelper is a python IDA Pro plugin aiming to help the analysis of x86/x86_64 binaries written in Delphi programming language.
https://github.com/eset/delphihelper
delphi ida ida-plugin ida-pro idapro idapython python
Last synced: 4 months ago
JSON representation
DelphiHelper is a python IDA Pro plugin aiming to help the analysis of x86/x86_64 binaries written in Delphi programming language.
- Host: GitHub
- URL: https://github.com/eset/delphihelper
- Owner: eset
- License: other
- Created: 2024-12-19T19:42:04.000Z (10 months ago)
- Default Branch: github
- Last Pushed: 2025-04-08T13:19:03.000Z (6 months ago)
- Last Synced: 2025-04-08T14:27:03.259Z (6 months ago)
- Topics: delphi, ida, ida-plugin, ida-pro, idapro, idapython, python
- Language: Python
- Homepage:
- Size: 436 KB
- Stars: 86
- Watchers: 8
- Forks: 21
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# DelphiHelper
DelphiHelper is a python IDA Pro plugin aiming to help the analysis of
x86/x86_64 binaries written in
[Delphi](https://www.embarcadero.com/products/delphi) programming language.
## Table of Contents
## Features
* Displays an interactive tree view of Delphi's DFM (Delphi Form Modules)
resource (Delphi Form description)
* Parses Delphi's RTTI data structures
* Extracts useful information from Delphi's RTTI data structures
* Extracts binary files embedded in Delphi's DFM resources
* Searches for the Entry Point (EP) function
* Loads Delphi's FLIRT signatures automatically
* Loads Interactive Delphi Reconstructor (IDR) Knowledge Base (KB) function
signatures
## Installation
1. Copy `DelphiHelper` directory and `DelphiHelper.py` inside the IDA plugin
directory:
* on Windows: `%APPDATA%\Hex-Rays\IDA Pro\plugins\`
* on macOS/Linux: `$HOME/.idapro/plugins/`
2. Download IDR Knowledge Base files manually by following
[instructions](#download-instructions) given below or run the script
`setup_IDRKB.py`.
> **_NOTE_**: `py7zr` installation is required to run the setup script:
`pip install py7zr`
**DelphiHelper** should be compatible with IDA 8.4 and later on Windows, macOS
and GNU/Linux.
## Usage
In order to use the DelphiHelper plugin, the resource section has to be loaded
in IDA. This can be achieved by checking the box **Load resources** or with the
option `-R` in the command line switch.
> **_NOTE_**: IDA autoanalysis must be completed before using the plugin.
### Hotkeys
* ``: Print Help
* ``: Run [VMT Parser](#vmt-parser)
* ``: Run [DFM Finder](#dfm-finder) (show Delphi Form Viewer window)
* ``: Run [Entry Point Function Finder](#entry-point-function-finder)
* ``: Run [IDR Knowledge Base Loader](#idr-knowledge-base-loader) for `SysInit` and `System` unit
* ``: Run [IDR Knowledge Base Loader](#idr-knowledge-base-loader)
for selected units
### VMT Parser
**Hotkey**: ``
The **Virtual Method Table (VMT) Parser** must be executed with the cursor on
the starting address of a VMT structure. This structure can be located by
searching the functions named `CreateForm`, `CreateObject`, etc.; once the
function is found, the last argument should be the VMT structure.
In most cases there is a sequence of two instructions:
```
mov ,
call CreateForm
```
For example:
Once on the structure (VMTStructureOffset e.g. `off_664A8C`), press ``:
Press the hotkey ``. The result looks like below:
The VMT structure contains a lot of useful information stored in various RTTI
tables. The most interesting ones are:
* [Field Table](#field-table)
* [Virtual Method Table (VMT)](#virtual-method-table-(vmt))
* [Method Table](#method-table)
The **VMT Parser** automatically extracts data from those tables and stores it
into IDA enums and structures.
#### Field Table
The Field Table stores a name, a type and an offset of each published field.
The **VMT Parser** extracts and saves all these entries for each VMT structure
into IDA Enums:
The enums created by the **VMT Parser** have following format:
`%ObjectName%_Fields`. The names of enum entries have this format:
`%ObjectName%_%FieldType%_%FieldName%`:
The entries from enums created by the **VMT Parser** can be then named by
pressing built-in IDA shortcut ``, used for naming symbolic constants.
**Before**
**After**
#### Virtual Method Table (VMT)
The Virtual Method Table stores pointers to all virtual methods declared for a
class and its base classes:
The **VMT Parser** extracts pointers from the VMT and saves them into an IDA
structure named by the parsed VMT structure. The names of structure entries
have the following format: `%MethodName%_%MethodOffset%`:
The entries from structures created by the **VMT Parser** can be then named by
pressing the built-in IDA shortcut ``, used for naming structure offsets.
**Before**
**After**
#### Method Table
The Method Table stores names and pointers of published methods. The Method
Table also contains pointers of Delphi Event handlers that can be found and
accessed from the **Delphi Form Viewer** (for more info see [DFM
Finder](#dfm-finder))
### DFM Finder
**Hotkey**: ``
**Entry Point Function Finder** tries to find possible entry point functions by
searching for references to `CreateFrom`, `InitExe` and `InitLib` calls.
Results are presented in IDA's output window, e.g.:
### IDR Knowledge Base Loader
**Hotkeys**: `` and ``
**IDR Knowledge Base Loader** loads IDR KB signatures from KB files. The plugin
expects to have the KB files stored in the following location:
* on Windows: `%APPDATA%\Hex-Rays\IDA Pro\plugins\DelphiHelper\IDR_KB\`
* on macOS/Linux: `$HOME/.idapro/plugins/DelphiHelper/IDR_KB/`
`` loads function signatures for only `SysInit` and `System`.
`` tries to load function signatures for all units selected from a
list of imported units.
> **_NOTE_**: The KB files are downloaded from the IDR project:
> https://github.com/crypto2011/IDR
> https://github.com/crypto2011/IDR64
The IDR project is licensed under the MIT license:
```
MIT License
Copyright (c) 2006-2018 crypto
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
```
#### Download instructions
Download and copy following KB files into `DelphiHelper\IDR_KB\IDR64\`
directory:
https://github.com/crypto2011/IDR64/blob/master/syskb2012.bin
https://github.com/crypto2011/IDR64/blob/master/syskb2013.bin
https://github.com/crypto2011/IDR64/blob/master/syskb2014.bin
Download and **extract** following KB files into `DelphiHelper\IDR_KB\IDR\`
directory:
https://github.com/crypto2011/IDR/blob/master/kb2005.7z
https://github.com/crypto2011/IDR/blob/master/kb2006.7z
https://github.com/crypto2011/IDR/blob/master/kb2007.7z
https://github.com/crypto2011/IDR/blob/master/kb2009.7z
https://github.com/crypto2011/IDR/blob/master/kb2010.7z
https://github.com/crypto2011/IDR/blob/master/kb2011.7z
https://github.com/crypto2011/IDR/blob/master/kb2012.7z
https://github.com/crypto2011/IDR/blob/master/kb2013.7z
https://github.com/crypto2011/IDR/blob/master/kb2014.7z