The Axion ret-sync plugin enables the synchronization of IDA/GHIDRA instances with the
currently selected instruction of an Axion instance. It is basically a wrapper
ret-sync, which is a tool written by Alexandre Gazet.
In order to use the synchronization working, you must:
- have the OSSI for your scenario activated on the REVEN server.
- ensure network connectivity between the Axion and IDA/GHIDRA hosts. In particular, if a firewall is activated, it must allow to open a socket on the selected host and port.
To use the plugin, you have to download ret-sync from Github and go to the latest known working git commit.
git clone https://github.com/bootleg/ret-sync cd ret-sync git checkout 98698a5705dac4e5ffe834002017a7a339eeb2bc
ret-sync allows remote setup, that is having IDA/GHIDRA on a different host than Axion. To allow this kind of configuration, the ret-sync IDA/GHIDRA plugins handles debugger events through a network socket and dispatches them to the right IDA/GHIDRA window. More information can be found the Github repository.
The figure below describes how ret-sync is deployed between Axion and IDA/GHIDRA.
By default, ret-sync will work on a local configuration where IDA/GHIDRA and Axion are on the same host (ret-sync will listen on 127.0.0.1). If it is your case you can skip this part.
To allow remote usage of ret-sync, a configuration file must be placed on the
IDA/GHIDRA host. The configuration file should be named exactly
.sync and can be
located either in the IDB or in the Home directories. The
.sync file follows
.ini syntax and allows setting the host and port the ret-sync will listen
[INTERFACE] host=192.168.1.16 port=9100
host option is the IDA/GHIDRA host machine address, which can be retrieved by
ipconfig command on Windows or
ip addr on Linux.
retsync folder from
ret-sync/ext_ida to IDA plugins directory, for example:
C:\Program Files\IDA Pro 7.4\plugins
- Go to the
cd <ret-sync dir> git fetch git checkout ida6.9x
- Follow the installation step from the README file
From Ghidra projects manager:
Install Extensions..., click on the
+sign and select the
ext_ghidra/dist/ghidra_*_retsync.zipand click OK. This will effectively extract the
retsyncfolder from the zip into
Restart Ghidra as requested
After reloading Ghidra, open a module in CodeBrowser. It should tell you a new extension plugin has been detected. Select "yes" to configure it. Then tick "RetSyncPlugin" and click OK. The console should show something like:
[*] retsync init [>] programOpened: tm.sys imageBase: 0x1c0000000
The latest known working version of Ghidra for synchronization with Axion is 9.2.2.
To synchronize an IDA/GHIDRA instance with Axion, you obviously need to load a binary used in the scenario. If you do not already have this binary, you can extract it from the light filesystem of your scenario, in:
SCENARIO_REPLAY_DIRECTORY is the "replay directory" of your scenario, as indicated in the "Scenario details"
page of your scenario in the Project Manager.
Start the plugin in IDA using the shortcut
Alt+Shift+S or via the menu
Load the file
<ret-sync dir>/ext_ida/SyncPlugin.py using the
File > Script File menu.
This will create a ret-sync process listening for debugger events.
Once loaded, the plugin will create a new tab in IDA and allow you to change the binary name. IDA-Sync enables the synchronization only when the correct binary is being debugged so you must ensure that the IDA and REVEN binary names are perfectly matching.
Enable the plugin in the GHIDRA codebrowser using shortcuts
- Open the Axion ret-sync plugin from the Axion menu
View > ret-sync.
- Fill the host and port fields using the machine address and port of the machine where IDA/GHIDRA is running on.
NOTE: If the base address of the studied binary is different between Axion and IDA/GHIDRA (because of ASLR for example), the synchronisation will still work correctly but the displayed addresses will not match between Axion and IDA/GHIDRA. To have the same addresses, the binary in must be rebased to the base address used in Axion. To do that you can use in
- IDA: the menu
Edit > Segments > Rebase Program.
- GHIDRA: the menu
Window > Memory Mapthen click on the top right house button.
Then you must restart the plugins in IDA/GHIDRA and Axion.