Axion IDA Sync Plugin
The IDA-sync Axion plugin enables the synchronization of IDA instances with the
currently selected instruction of an Axion instance. It is basically a wrapper
around Ret-Sync, which is a tool written by Alexandre Gazet.
Setting up the plugin
Prerequisites
There are several prerequisites in order to use the plug-in:
- OSSI for your scenario must be available in REVEN.
- You must ensure network connectivity between the Axion and IDA hosts. In particular, if a firewall is active, it must allow a socket to be opened on the selected host and port.
Installing Ret-Sync
To use the plugin, you have to download Ret-Sync first. We recommend fetching our forked project on Github as it is the REVEN-supported version.
$ git clone https://github.com/tetrane/ret-sync
Configuring Ret-Sync
Ret-Sync allows remote setup, that is, having IDA on a different host than Axion. To allow this kind of configuration, the Ret-Sync IDA plugin handles debugger events through a network socket and dispatches them to the right IDA window. More information can be found in our GitHub repository.
The figure below describes how Ret-Sync is deployed between Axion and IDA.
By default, Ret-Sync will work on a local configuration where IDA and Axion are on the same host (Ret-Sync will listen on 127.0.0.1). If this is your case, you can skip this part.
To allow remote usage of Ret-Sync, a configuration file must be placed on the IDA host. The configuration file should be named exactly .sync and can be located either in the IDB or in the Home directories. The .sync file follows the .ini syntax and allows setting the host and port that Ret-Sync will listen on, e.g.:
[INTERFACE]
host=192.168.1.16
port=9100
The host option is the IDA host machine address, which can be retrieved by issuing an ipconfig command on Windows or ifconfig / ip addr on Linux.
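A pre-flight check for the .sync file described above, as an added example (not part of Ret-Sync or of the REVEN documentation): it parses the file and reports how widely the configured listener is exposed. The function name audit_sync_config and the finding texts are hypothetical; the section and option names are the ones shown above.

```python
import configparser
import ipaddress

DEFAULT_HOST = "127.0.0.1"  # default listen address stated on this page


def audit_sync_config(text):
    """Parse .sync content and return (host, port, findings)."""
    findings = []
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return None, None, ["not valid .ini syntax: %s" % exc]
    if not parser.has_section("INTERFACE"):
        return DEFAULT_HOST, None, ["no [INTERFACE] section: local default applies"]
    section = parser["INTERFACE"]
    host = section.get("host", DEFAULT_HOST).strip()
    port = None
    raw_port = section.get("port")
    if raw_port is None:
        findings.append("port is not set")
    elif raw_port.isascii() and raw_port.isdigit() and 1 <= int(raw_port) <= 65535:
        port = int(raw_port)
    else:
        findings.append("port %r is not in 1-65535" % raw_port)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        findings.append("host %r is not a literal IP address" % host)
        return host, port, findings
    # Order matters: loopback and 0.0.0.0 also count as "private" in ipaddress.
    if addr.is_loopback:
        findings.append("loopback: only an Axion on the same host can connect")
    elif addr.is_unspecified:
        findings.append("wildcard: listens on every interface; use one address")
    elif addr.is_private:
        findings.append("private address: limit the firewall rule to the Axion host")
    else:
        findings.append("public address: listener reachable beyond the local network")
    return host, port, findings


# Constructed sample: the example .sync content from this page.
SAMPLE = "[INTERFACE]\nhost=192.168.1.16\nport=9100\n"

if __name__ == "__main__":
    host, port, findings = audit_sync_config(SAMPLE)
    print(host, port, *findings, sep="\n - ")
```

Run it against the real file's content before loading the IDA plugin, so that a typo in the section name or an unintended listen address is caught before the socket is opened.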
Using the plugin
Loading target binary in IDA
To synchronize an IDA instance with Axion, you obviously need to load a binary used in the scenario. If you do not already have this binary, you can extract it from the scenario archive on the Project Manager server, in:
QUASAR_ROOT/VMs/<your_vm>/Snapshots/<your_prepared_snapshot>/filesystem/
Loading Ret-Sync IDA plugin
We assume that you downloaded Ret-Sync from Tetrane's forked project on GitHub.
There are three IDA plugins in the Ret-Sync repository:
- ext_ida/SyncPlugin-6.8-or-lower.py: must be used with IDA 6.8 or lower.
- ext_ida/SyncPlugin-6.9x.py: must be used with IDA 6.9.
- ext_ida/SyncPlugin-7-or-higher.py: must be used with IDA 7 or higher.
You can then load the Ret-Sync IDA plugin that matches your IDA version through the File > Script File menu. This will create a Ret-Sync process listening for debugger events.
Once loaded, the plugin will create a new tab in IDA and allow you to change the binary name. IDA-Sync enables synchronization only when the correct binary is being debugged, so you must ensure that the IDA and REVEN binary names match exactly.
Connecting Axion to IDA
Finally, you can start the Axion IDA-sync plugin from the Axion menu Windows > Miscellaneous and connect to the previously loaded IDA plugin (using the machine address and port of the IDA host) to enable the synchronisation.
NOTE: If the base address of the studied binary is different between Axion and IDA (because of ASLR for example), the synchronisation will still work correctly but the displayed addresses will be different between Axion and IDA. To have the same addresses, the binary in IDA must be rebased to the right base address (using the Edit > Segments > Rebase Program menu) and the plugins in IDA and Axion must be restarted.