Vulnerability research assistant that extracts pseudo-code from the IDA Hex-Rays decompiler
haruspex
"Hacking is the discipline of questioning all your assumptions all of the time."
-- Dave Aitel
Haruspex is a blazing fast IDA Pro headless plugin that extracts pseudocode generated by IDA Pro's decompiler in a format that should be suitable to be imported into an IDE, or parsed by static analysis tools such as Semgrep, weggli, or oneiromancer.

Features
- Blazing fast, headless user experience courtesy of IDA Pro 9.x and Binarly's idalib Rust bindings.
- Support for binary targets for any architecture implemented by IDA Pro's Hex-Rays decompiler.
- Pseudocode of each function is stored in a separate file in the output directory for easy inspection.
- External crates can invoke `decompile_to_file` to decompile a function and save its pseudocode to disk.
Blog posts
- https://hex-rays.com/blog/streamlining-vulnerability-research-idalib-rust-bindings
- https://hnsecurity.it/blog/streamlining-vulnerability-research-with-ida-pro-and-rust
See also
- https://github.com/0xdea/ghidra-scripts/blob/main/Haruspex.java
- https://github.com/0xdea/semgrep-rules
- https://github.com/0xdea/weggli-patterns
- https://docs.hex-rays.com/release-notes/9_0#headless-processing-with-idalib
- https://github.com/idalib-rs/idalib
- https://github.com/xorpse/parascope
- https://hnsecurity.it/blog/automating-binary-vulnerability-discovery-with-ghidra-and-semgrep
Installing
The easiest way to get the latest release is via crates.io:
- Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
- Install LLVM/Clang (see https://rust-lang.github.io/rust-bindgen/requirements.html).
- On Linux/macOS, install as follows:

```sh
export IDADIR=/path/to/ida # if not set, the build script will check common locations
cargo install haruspex
```

- On Windows, instead, use the following commands:

```powershell
$env:LIBCLANG_PATH="\path\to\clang+llvm\bin"
$env:PATH="\path\to\ida;$env:PATH"
$env:IDADIR="\path\to\ida" # if not set, the build script will check common locations
cargo install haruspex
```
Compiling
Alternatively, you can build from source:
- Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
- Install LLVM/Clang (see https://rust-lang.github.io/rust-bindgen/requirements.html).
- On Linux/macOS, compile as follows:

```sh
git clone --depth 1 https://github.com/0xdea/haruspex
cd haruspex
export IDADIR=/path/to/ida # if not set, the build script will check common locations
cargo build --release
```

- On Windows, instead, use the following commands:

```powershell
git clone --depth 1 https://github.com/0xdea/haruspex
cd haruspex
$env:LIBCLANG_PATH="\path\to\clang+llvm\bin"
$env:PATH="\path\to\ida;$env:PATH"
$env:IDADIR="\path\to\ida" # if not set, the build script will check common locations
cargo build --release
```
Usage
- Make sure IDA Pro is properly configured with a valid license.
- Run as follows:

```sh
haruspex <binary_file>
```

- Find the extracted pseudocode of each decompiled function in the binary_file.dec directory:

```sh
vim <binary_file>.dec
code <binary_file>.dec
```
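As an added example (not part of haruspex or its documentation), the following Rust program triages the output directory described above by reporting calls to a small watchlist of C functions in each `.c` pseudocode file. The watchlist, the function names `calls_in_line` and `scan_dec_dir`, and the stripping of leading underscores are assumptions made for illustration.

```rust
use std::{fs, io, path::Path};

// Constructed watchlist for this example; not taken from haruspex or its rule sets.
const RISKY: &[&str] = &["strcpy", "strcat", "sprintf", "gets", "memcpy", "system"];

/// Watchlisted callees on one line: whole identifiers followed by '('.
fn calls_in_line(line: &str) -> Vec<String> {
    let is_ident = |c: char| c.is_ascii_alphanumeric() || c == '_';
    let chars: Vec<char> = line.chars().collect();
    let (mut out, mut i) = (Vec::new(), 0);
    while i < chars.len() {
        let start = i;
        while i < chars.len() && is_ident(chars[i]) { i += 1; }
        if i == start { i += 1; continue; } // not an identifier character
        let ident: String = chars[start..i].iter().collect();
        // Assumption: import stubs may carry leading underscores (e.g. `_strcpy`).
        let name = ident.trim_start_matches('_');
        let next = chars[i..].iter().find(|c| !c.is_whitespace());
        if next == Some(&'(') && RISKY.contains(&name) {
            out.push(name.to_string());
        }
    }
    out
}

/// Scan every `.c` file in a haruspex output directory such as `<binary_file>.dec`.
/// Returns sorted (file name, 1-based line number, callee) tuples.
pub fn scan_dec_dir(dir: &Path) -> io::Result<Vec<(String, usize, String)>> {
    let mut hits = Vec::new();
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        if path.extension().and_then(|e| e.to_str()) != Some("c") { continue; }
        let file = path.file_name().map(|f| f.to_string_lossy().into_owned()).unwrap_or_default();
        // Decode lossily so an odd byte in one file does not abort the scan.
        let text = String::from_utf8_lossy(&fs::read(&path)?).into_owned();
        for (n, line) in text.lines().enumerate() {
            hits.extend(calls_in_line(line).into_iter().map(|c| (file.clone(), n + 1, c)));
        }
    }
    hits.sort();
    Ok(hits)
}

fn main() -> io::Result<()> {
    let dir = std::env::args().nth(1).expect("usage: scan <binary_file>.dec");
    for (file, line, callee) in scan_dec_dir(Path::new(&dir))? {
        println!("{file}:{line}: call to {callee}");
    }
    Ok(())
}
```

Matching whole identifiers keeps names such as `my_strcpy` or `strcpy_s` out of the results; a hit is only a pointer to a function worth reading, not a finding.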
Compatibility
Only the latest IDA Pro release is officially supported, but older versions may work as well. The following table summarizes the latest compatible release for each IDA Pro version:
| IDA Pro version | Latest compatible release |
|---|---|
| v9.0.240925 | v0.2.4 |
| v9.0.241217 | v0.3.5 |
| v9.1.250226 | v0.6.2 |
| v9.2.250908 | v0.7.5 |
| v9.3.260213 | v0.8.1 |
| v9.3.260327 | v0.9.0 |
| v9.3.260421 | current release |
[!NOTE] Check the idalib documentation for additional information.
Changelog
TODO
- Use the .cpp extension instead of .c to output pseudocode (see this issue)?
- Integrate with Semgrep scanning (see https://github.com/0xdea/semgrep-rules).
- Integrate with weggli scanning (see https://github.com/0xdea/weggli-patterns).
- Improve decompiler output in the style of HexRaysPyTools and abyss.
- Implement parallel analysis (see https://github.com/fugue-re/fugue-mptp).