4/4/13

Making IDA Pretty, Pretty Quickly

Hello World,


Lately I've been spending more and more time staring at IDA Pro and have found the default color scheme somewhat lacking. I have also noticed that on startup I am consistently changing a number of settings and running a script to colorize my disassembly. I had a little bit of trouble finding everything in one place, so I decided to write up a quick guide.

Changing Colors:

First off, changing colors in IDA is fairly straightforward. Go to "Options" -> "Colors". Most of the colors you care about are in the first tab. I recommend resizing the window so you can see everything at once. Additionally, I have noticed that you must click the element within the example view to edit its color; selecting from the drop-down was simply not working while I was writing this up.



The four buttons under "Background Colors" may not be initially obvious.


  • Disassembly - the background color of the blocks in graph view
  • Selection - the highlight color when clicking and dragging to select text, i.e. when you copy and paste
  • Highlight - the highlight color for items matching the currently selected element, i.e. clicking on a register
  • Hint - the background color of the popup view when hovering over elements, i.e. hovering over a jump


You will probably also want to visit the "Graph" tab, as that is where the Main Background, Edge, and Node color options are.


Exporting and Importing with Color Schemes:

First, I know IDA 6.4 finally added this as a feature, so it no longer requires registry editing.

In short: Run -> regedit -> HKCU -> Software -> Hex-Rays -> IDA, right-click, Export.

Once you have saved the registry key somewhere, double-clicking the .reg file will apply the changes.

*Note* This also copies the history and license information contained in the sub-keys, so you may want to delete those before sharing it.

This is actually pretty well documented here along with the rather nice color scheme called "Consonance".

I am also making my color scheme available here.

It is a dark theme consisting of purples, green, orange, and gray.

Highlighting Scripts:

You may have also noticed that lines containing a call instruction are highlighted in my disassembly graph. This is accomplished with an IDA Python script similar to the one referenced in Practical Malware Analysis, which is available and explained here. For those of you who don't have IDA Pro, there is an IDC version of the original script here.

Making Scripts run when IDA Starts:

Unfortunately, I was having a hard time finding out exactly how to make IDA run this script on every binary I loaded. I found an interesting lead in the Hex-Rays documentation that mentioned a "-S####" command line switch. Using this I came up with a quick solution that has been working well for me.

*Note* This seems to only work with IDA Python, so if you are using IDA Free this is probably not going to work.

Changes Made to ColorIDA.py:

So, ColorIDA.py uses the ScreenEA() function to work out the start and end addresses of the range the script should loop through. Sadly this does not seem to work with auto-started scripts. My workaround was incredibly simple: "heads = Heads(0, 0xFFFFFFFF)". This may slow things down, but I haven't noticed any negative side effects.

The script now works with the -S option. I made some tweaks for readability and edited the colors so they work with my color scheme, and I have made my version available here.
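Here is an added example of the same idea, not the post's ColorIDA.py or the Practical Malware Analysis script: the loop takes injected callbacks so the range logic can be checked outside IDA, and the range falls back to the whole database whenever the cursor segment is invalid, which is the situation the post hit under -S. The IDA calls are the IDAPython 7.x names (the 6.x API the post used had GetMnem, SetColor and ScreenEA); the color value and the auto_wait() call are my own choices.

```python
# Added example (not the post's ColorIDA.py): a call-instruction highlighter
# whose range selection works both from the GUI and when IDA auto-runs it via -S.
try:
    import idc
    import idautils
    IN_IDA = True
except ImportError:          # lets the pure logic run (and be tested) outside IDA
    IN_IDA = False

CALL_COLOR = 0xC8FFC8        # constructed value; IDA colors are 0xBBGGRR, this is a pale green


def pick_range(seg_start, seg_end, min_ea, max_ea, badaddr=0xFFFFFFFF):
    """Scan the cursor's segment when it is valid; otherwise (no usable cursor,
    e.g. under -S where ScreenEA() gives nothing useful) scan the whole database,
    which is the post's Heads(0, 0xFFFFFFFF) fix expressed with the real DB bounds.
    0xFFFFFFFF is idc.BADADDR in a 32-bit IDA build; main() passes the real one."""
    if seg_start in (badaddr, None) or seg_end in (badaddr, None):
        return min_ea, max_ea
    return seg_start, seg_end


def colorize_calls(heads, mnem_of, set_color, color=CALL_COLOR):
    """Color every head whose mnemonic is an x86 call and return the addresses
    colored. mnem_of/set_color are callbacks so the loop needs no IDA to test."""
    colored = []
    for ea in heads:
        mnem = mnem_of(ea)
        if mnem and mnem.lower() == "call":
            set_color(ea, color)
            colored.append(ea)
    return colored


def main():
    idc.auto_wait()          # under -S the script starts before autoanalysis is done
    min_ea = idc.get_inf_attr(idc.INF_MIN_EA)
    max_ea = idc.get_inf_attr(idc.INF_MAX_EA)
    cur = idc.get_screen_ea()
    start, end = pick_range(idc.get_segm_start(cur), idc.get_segm_end(cur),
                            min_ea, max_ea, idc.BADADDR)
    n = len(colorize_calls(idautils.Heads(start, end), idc.print_insn_mnem,
                           lambda ea, c: idc.set_color(ea, idc.CIC_ITEM, c)))
    print("colored %d call instructions in %#x-%#x" % (n, start, end))


if IN_IDA:
    main()
```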

Adding Auto Start Scripts to Your Work Flow:

The best way I have found to accomplish this is to add a right-click context menu item that is configured to load the script as well.

Simply add an entry into HKEY_CLASSES_ROOT\*\shell\<NAME OF CONTEXT ITEM>



Then create a subkey called command and set the Default of this registry key to:
<PATH TO IDA> -S<PATH TO SCRIPT> %1

*Note* There is no space between -S and the path to the script.

My setup, for example:

If you set it up the same as me you should now be able to right-click a binary, select "Open With IDA32" and BAM, the script runs automagically.

I also have a quick YouTube video showing this setup.


This has saved me a ton of time and I hope it helps you out too.

Find Downloads Here:
https://code.google.com/p/making-malware-go-backwards/downloads/list




1 comment:

  1. Veeery helpful. Thanks for the writeup and the vid :-)