Add IDA plugins helper functions & templates to script #1013

merged 4 commits into from
Apr 25, 2024
2 changes: 1 addition & 1 deletion packages/common.vm/common.vm.nuspec
Expand Up @@ -2,7 +2,7 @@
<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
<metadata>
<id>common.vm</id>
<version>0.0.0.20240423</version>
<version>0.0.0.20240424</version>
<description>Common libraries for VM-packages</description>
<authors>Mandiant</authors>
</metadata>
48 changes: 48 additions & 0 deletions packages/common.vm/tools/vm.common/vm.common.psm1
Expand Up @@ -284,6 +284,54 @@ function VM-Install-Shortcut{
}
}

function VM-Get-IDA-Plugins-Dir {
return New-Item "$Env:APPDATA\Hex-Rays\IDA Pro\plugins" -ItemType "directory" -Force
}

# Downloads an IDA plugin file to the plugins directory
function VM-Install-IDA-Plugin {
[CmdletBinding()]
[OutputType([System.Object[]])]
Param
(
[Parameter(Mandatory=$true)]
[string] $pluginName, # Example: capa_explorer.py
[Parameter(Mandatory=$true)]
[string] $pluginUrl,
[Parameter(Mandatory=$true)]
[string] $pluginSha256
)
try {
$pluginsDir = VM-Get-IDA-Plugins-Dir
$pluginPath = Join-Path $pluginsDir $pluginName
$packageArgs = @{
packageName = ${Env:ChocolateyPackageName}
url = $pluginUrl
checksum = $pluginSha256
checksumType = "sha256"
fileFullPath = $pluginPath
forceDownload = $true
}
Get-ChocolateyWebFile @packageArgs
VM-Assert-Path $pluginPath
} catch {
VM-Write-Log-Exception $_
}
}

# Removes an IDA plugin file from the plugins directory
function VM-Uninstall-IDA-Plugin {
[CmdletBinding()]
[OutputType([System.Object[]])]
Param
(
[Parameter(Mandatory=$true)]
[string] $pluginName # Example: capa_explorer.py
)
$pluginPath = Join-Path VM-Get-IDA-Plugins-Dir $pluginName
Remove-Item $pluginPath
}

# This functions returns $toolDir and $executablePath
function VM-Install-From-Zip {
[CmdletBinding()]
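Review bot: `Join-Path VM-Get-IDA-Plugins-Dir $pluginName` in VM-Uninstall-IDA-Plugin passes the function name as a literal string instead of calling it, so $pluginPath resolves to `VM-Get-IDA-Plugins-Dir\<plugin>` relative to the current directory and Remove-Item never touches the real plugin; under the uninstall scripts' `$ErrorActionPreference = 'Continue'` this only logs an error, so SigMaker64.dll would stay in IDA's plugins directory after the package is "uninstalled". Wrap the call in a subexpression: `$pluginPath = Join-Path (VM-Get-IDA-Plugins-Dir) $pluginName`. Note also that VM-Get-IDA-Plugins-Dir creates the directory via `New-Item -Force`, so calling it from an uninstaller re-creates `%APPDATA%\Hex-Rays\IDA Pro\plugins` when it is absent; the uninstall path could build the string path directly and guard Remove-Item with Test-Path. A one-line comment on VM-Get-IDA-Plugins-Dir stating that it creates the directory as a side effect would keep future callers from tripping over this.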
4 changes: 2 additions & 2 deletions packages/ida.plugin.capa.vm/ida.plugin.capa.vm.nuspec
Expand Up @@ -2,11 +2,11 @@
<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
<metadata>
<id>ida.plugin.capa.vm</id>
<version>7.0.1</version>
<version>7.0.1.20240424</version>
<description>capa explorer is an IDAPython plugin that integrates capa with IDA Pro.</description>
<authors>@mike-hunhoff, @williballenthin, @mr-tz</authors>
<dependencies>
<dependency id="common.vm" />
<dependency id="common.vm" version="0.0.0.20240424" />
<dependency id="libraries.python3.vm" version="0.0.0.20230927" />
</dependencies>
</metadata>
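--- a/packages/ida.plugin.capa.vm/tools/chocolateyinstall.ps1
+++ b/packages/ida.plugin.capa.vm/tools/chocolateyinstall.ps1
@@ -3,22 +3,14 @@ Import-Module vm.common -Force -DisableNameChecking
 
 try {
 # Install plugin
+$pluginName = "capa_explorer.py"
 $pluginUrl = "https://raw.githubusercontent.com/mandiant/capa/v7.0.1/capa/ida/plugin/capa_explorer.py"
 $pluginSha256 = "a9a60d9066c170c4e18366eb442f215009433bcfe277d3c6d0c4c9860824a7d3"
-$pluginsDir = New-Item "$Env:APPDATA\Hex-Rays\IDA Pro\plugins" -ItemType "directory" -Force
-$pluginPath = Join-Path $pluginsDir "capa_explorer.py"
-$packageArgs = @{
-packageName = ${Env:ChocolateyPackageName}
-url = $pluginUrl
-checksum = $pluginSha256
-checksumType = "sha256"
-fileFullPath = $pluginPath
-forceDownload = $true
-}
-Get-ChocolateyWebFile @packageArgs
-VM-Assert-Path $pluginPath
+VM-Install-IDA-Plugin -pluginName $pluginName -pluginUrl $pluginUrl -pluginSha256 $pluginSha256
+
 
 # Download capa rules
+$pluginsDir = VM-Get-IDA-Plugins-Dir
 $rulesUrl = "https://github.com/mandiant/capa-rules/archive/refs/tags/v7.0.1.zip"
 $rulesSha256 = "f4ed60bcf342007935215ea76175dddfbcbfb3f97d95387543858e0c1ecf8bcd"
 $packageArgs = @{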
2 changes: 1 addition & 1 deletion packages/ida.plugin.capa.vm/tools/chocolateyuninstall.ps1
@@ -1,7 +1,7 @@
$ErrorActionPreference = 'Continue'
Import-Module vm.common -Force -DisableNameChecking

$pluginsDir = "$Env:APPDATA\Hex-Rays\IDA Pro\plugins"
$pluginsDir = VM-Get-IDA-Plugins-Dir

# Uninstall plugin
$pluginPath = Join-Path $pluginsDir "capa_explorer.py"
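--- /dev/null
+++ b/packages/ida.plugin.sigmaker.vm/ida.plugin.sigmaker.vm.nuspec
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
+<metadata>
+<id>ida.plugin.sigmaker.vm</id>
+<version>1.0.2</version>
+<authors>A200K</authors>
+<description>Signature Maker Plugin for IDA Pro 8.3.</description>
+<dependencies>
+<dependency id="common.vm" version="0.0.0.20240424" />
+</dependencies>
+</metadata>
+</package>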
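--- /dev/null
+++ b/packages/ida.plugin.sigmaker.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,8 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+$pluginName = 'SigMaker64.dll'
+$pluginUrl = 'https://github.com/A200K/IDA-Pro-SigMaker/releases/download/v1.0.2/SigMaker64.dll'
+$pluginSha256 = '0b44921a2fc35f13a2987fcf8830685d58f9d18bca760a9706ec4efe8b0d5d2f'
+
+VM-Install-IDA-Plugin -pluginName $pluginName -pluginUrl $pluginUrl -pluginSha256 $pluginSha256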
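Review bot: The script sets `$ErrorActionPreference = 'Stop'` and then delegates entirely to VM-Install-IDA-Plugin, whose try/catch (added to vm.common.psm1 in this PR) only calls VM-Write-Log-Exception; unless that logger rethrows, which is not visible here, a failed download or SHA-256 mismatch for SigMaker64.dll is logged and Chocolatey still reports the package as installed. If best-effort is the intended contract of the shared helpers, a comment such as `# VM-Install-IDA-Plugin logs and swallows download/checksum failures; the package does not fail` would make that explicit; otherwise verify the result here, e.g. `VM-Assert-Path (Join-Path (VM-Get-IDA-Plugins-Dir) $pluginName)` after the call. Since this is a native DLL fetched from a release asset that can be replaced after publication, the pinned SHA-256 is the only guarantee that the binary dropped into IDA's plugins directory is the one that was reviewed, so keep it tied to the exact asset on every version bump.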
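--- /dev/null
+++ b/packages/ida.plugin.sigmaker.vm/tools/chocolateyuninstall.ps1
@@ -0,0 +1,6 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$pluginName = 'SigMaker64.dll'
+VM-Uninstall-IDA-Plugin -pluginName $pluginName
+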
2 changes: 1 addition & 1 deletion scripts/test/lint.py
Expand Up @@ -309,7 +309,7 @@ class UsesInvalidCategory(Lint):
"debloat.vm",
"dokan.vm",
"googlechrome.vm",
"ida.plugin.capa.vm",
"ida.plugin",
"installer.vm",
"libraries.python2.vm",
"libraries.python3.vm",
63 changes: 57 additions & 6 deletions scripts/utils/create_package_template.py
Expand Up @@ -44,7 +44,7 @@ def package_version(dependency_version):
<authors>{authors}</authors>
<description>{description}</description>
<dependencies>
<dependency id="common.vm" />
<dependency id="common.vm" version="0.0.0.20240424" />
</dependencies>
</metadata>
</package>
Expand All @@ -69,10 +69,6 @@ def package_version(dependency_version):
</package>
"""

"""
Needs the following format strings:
tool_name="...", category="...", target_url="...", target_hash="...", console_app="..."
"""
ZIP_EXE_TEMPLATE = r"""$ErrorActionPreference = 'Stop'
Import-Module vm.common -Force -DisableNameChecking

Expand Down Expand Up @@ -136,6 +132,20 @@ def package_version(dependency_version):
VM-Install-Single-Ps1 $toolName $category $ps1Url -ps1Sha256 $ps1Sha256
"""

"""
Needs the following format strings:
tool_name="...", target_url="...", target_hash="..."
"""
IDA_PLUGIN_TEMPLATE = r"""$ErrorActionPreference = 'Stop'
Import-Module vm.common -Force -DisableNameChecking

$pluginName = '{tool_name}'
$pluginUrl = '{target_url}'
$pluginSha256 = '{target_hash}'

VM-Install-IDA-Plugin -pluginName $pluginName -pluginUrl $pluginUrl -pluginSha256 $pluginSha256
"""

"""
Needs the following format strings:
tool_name="...", category="..."
Expand All @@ -162,6 +172,18 @@ def package_version(dependency_version):
VM-Remove-Tool-Shortcut $toolName $category
"""

"""
Needs the following format strings:
tool_name="..."
"""
IDA_PLUGIN_UNINSTALL_TEMPLATE = r"""$ErrorActionPreference = 'Continue'
Import-Module vm.common -Force -DisableNameChecking

$pluginName = '{tool_name}'
VM-Uninstall-IDA-Plugin -pluginName $pluginName

"""


def create_zip_exe_template(packages_path, **kwargs):
create_template(
Expand Down Expand Up @@ -228,6 +250,21 @@ def create_single_ps1_template(packages_path, **kwargs):
)


def create_ida_plugin_template(packages_path, **kwargs):
create_template(
IDA_PLUGIN_TEMPLATE,
uninstall_template=IDA_PLUGIN_UNINSTALL_TEMPLATE,
packages_path=packages_path,
pkg_name=kwargs.get("pkg_name"),
version=kwargs.get("version"),
authors=kwargs.get("authors"),
description=kwargs.get("description"),
tool_name=kwargs.get("tool_name"),
target_url=kwargs.get("target_url"),
target_hash=kwargs.get("target_hash"),
)


def create_template(
template="",
nuspec_template=NUSPEC_TEMPLATE,
Expand Down Expand Up @@ -297,6 +334,20 @@ def get_script_directory():

# dict[str, dict[str, any]]
TYPES = {
"IDA_PLUGIN": {
"cb": create_ida_plugin_template,
"doc": "An .py or .dll file that is downloaded to the plugins directory to install it as an IDA plugin",
"example": "<url>/plugin_file.dll",
"arguments": [
"pkg_name",
"version",
"authors",
"description",
"tool_name",
"target_url",
"target_hash",
],
},
"ZIP_EXE": {
"cb": create_zip_exe_template,
"doc": "An executable tool distributed in a ZIP file",
Expand Down Expand Up @@ -419,7 +470,7 @@ def main(argv=None):
parser.add_argument("--pkg_name", type=str.lower, default="", help="Package name without suffix (i.e., no '.vm' needed)")
parser.add_argument("--version", type=str, default="", help="Tool's version number")
parser.add_argument("--authors", type=str, default="", help="Comma separated list of authors for tool")
parser.add_argument("--tool_name", type=str, default="", help="Name of tool (usually the file name with the '.exe')")
parser.add_argument("--tool_name", type=str, default="", help="Name of tool (usually the file name with the '.exe') or plugin (the .py or .dll plugin file)")
parser.add_argument("--category", type=str, default="", choices=CATEGORIES, help="Category for tool")
parser.add_argument("--description", type=str, default="", help="Description for tool")
parser.add_argument("--dependency", type=str, default="", help="Metapackage dependency")
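Review bot: create_ida_plugin_template copies tool_name, target_url and target_hash straight into single-quoted PowerShell literals in IDA_PLUGIN_TEMPLATE with no validation, so an empty or mistyped --target_hash yields a package that calls VM-Install-IDA-Plugin with a bogus checksum, and a tool_name without the .py/.dll extension the TYPES doc string calls for is written into the plugins directory under a name that does not match that contract. A guard before the create_template call would catch both at generation time: `if not tool_name.lower().endswith((".py", ".dll")): raise ValueError("tool_name must be a .py or .dll plugin file")` and a check that target_hash is exactly 64 hex digits. A single quote in any of these values would also break the generated script; since the inputs come from the packager's own command line this is a robustness point rather than an injection concern, but the template's docstring could say so. The other hunks in this section start or end outside the visible lines, so the surrounding create_template and main definitions are not reviewed here.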