Axion ret-sync Plugin
The Axion ret-sync plugin enables the synchronization of IDA/Ghidra instances with the currently selected instruction of an Axion instance. It is basically a wrapper around ret-sync, which is a tool written by Alexandre Gazet.
Setting up the plugin
Prerequisites
In order to get the synchronization working, you must:
- Have the OSSI for your scenario activated on the Reven server.
- Ensure network connectivity from esReven's host to the computer running IDA/Ghidra (in that direction). In particular, if a firewall is activated, it must allow opening a socket on the selected host and port.
Download the ret-sync tool
To use the plugin, you have to download ret-sync from its GitHub repository. The latest tested commit is 06567f9cdc7120bd063099c2ec65aedb4c27f167.
Configuring the ret-sync tool
ret-sync allows a remote setup, that is, having IDA/Ghidra on a different host than Axion. To allow this kind of configuration, the ret-sync IDA/Ghidra plugins handle debugger events through a network socket and dispatch them to the right IDA/Ghidra window. More information can be found in the GitHub repository.
The figure below describes how ret-sync is deployed between Axion and IDA/Ghidra.
By default, ret-sync works in a local configuration where IDA/Ghidra and Axion are on the same host (ret-sync listens on 127.0.0.1). If this is your case, you can skip this part.
To allow remote usage of ret-sync, a configuration file must be placed on the IDA/Ghidra host. The configuration file should be named exactly .sync and can be located either in the IDB or in the Home directory. The .sync file follows the .ini syntax and allows setting the host and port ret-sync will listen on, e.g.:
[INTERFACE]
host=192.168.1.16
port=9100
The host option is the IDA/Ghidra host machine address, which can be retrieved by issuing an ipconfig command on Windows or ifconfig / ip addr on Linux.
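The following script is an added example, not part of ret-sync or Axion: it parses a .sync file with the [INTERFACE] section shown above, applies the defaults the page describes (127.0.0.1, and port 9100 as in the example, which is assumed here to be ret-sync's default), validates the values, flags a host of 0.0.0.0 (which would expose the listener on every interface instead of one address), and performs the TCP connectivity check that the prerequisites call for, from the esReven host toward the IDA/Ghidra host. The sample file contents are constructed; find_sync_file, parse_sync, wide_open and listener_reachable are names chosen for this example.

```python
"""Added example (not ret-sync's or Axion's own code): validate a .sync file
and check that the ret-sync listener on the IDA/Ghidra host is reachable."""
import configparser
import ipaddress
import socket
from pathlib import Path

# Constructed sample, identical to the page's example .sync contents.
SAMPLE_SYNC = """[INTERFACE]
host=192.168.1.16
port=9100
"""

DEFAULT_HOST = "127.0.0.1"  # local default stated on the page
DEFAULT_PORT = 9100         # assumed default (the port used in the page's example)


def find_sync_file(idb_dir):
    """Locate .sync: the IDB directory first, then the home directory, else None."""
    for candidate in (Path(idb_dir) / ".sync", Path.home() / ".sync"):
        if candidate.is_file():
            return candidate
    return None


def parse_sync(text):
    """Return (host, port) from .sync contents, applying defaults and validating.

    Raises ValueError for a malformed host address or an out-of-range port.
    """
    cp = configparser.ConfigParser()
    cp.read_string(text)
    host = cp.get("INTERFACE", "host", fallback=DEFAULT_HOST).strip()
    port = cp.getint("INTERFACE", "port", fallback=DEFAULT_PORT)
    ipaddress.ip_address(host)  # raises ValueError if host is not an IP address
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return host, port


def wide_open(host):
    """True if host is the unspecified address (0.0.0.0 / ::), i.e. all interfaces."""
    return ipaddress.ip_address(host).is_unspecified


def listener_reachable(host, port, timeout=2.0):
    """Attempt a TCP connection to host:port; True only if the socket opens.

    Run from the esReven host: a False result means the ret-sync plugin is not
    started in IDA/Ghidra yet, or a firewall blocks the port in that direction.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    path = find_sync_file(".")
    text = path.read_text() if path else SAMPLE_SYNC
    host, port = parse_sync(text)
    print(f"ret-sync listener configured on {host}:{port}")
    if wide_open(host):
        print("warning: host binds all interfaces; use the IDA/Ghidra host address")
    if listener_reachable(host, port):
        print("listener reachable from this host")
    else:
        print("listener not reachable: plugin not started or port blocked")
```

Run it on the esReven host after starting the ret-sync plugin in IDA/Ghidra; a reachable result confirms the socket the prerequisites require can be opened before you fill in the host and port in Axion.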
Install the ret-sync IDA plugin
IDA7.x
Copy SyncPlugin.py and the retsync folder from ret-sync/ext_ida to the IDA plugins directory, for example:
C:\Program Files\IDA Pro 7.4\plugins
%APPDATA%\Hex-Rays\IDA Pro\plugins
~/.idapro/plugins
IDA6.9x
- Go to the ida6.9x git tag:
cd <ret-sync dir>
git fetch
git checkout ida6.9x
- Follow the installation steps from the README file.
Install the ret-sync Ghidra plugin
- From the Ghidra projects manager: File -> Install Extensions..., click on the + sign, select the ext_ghidra/dist/ghidra_*_retsync.zip and click OK. This will effectively extract the retsync folder from the zip into $GHIDRA_DIR/Extensions/Ghidra/
- Restart Ghidra as requested.
- After reloading Ghidra, open a module in CodeBrowser. It should tell you a new extension plugin has been detected. Select "yes" to configure it. Then tick "RetSyncPlugin" and click OK. The console should show something like:
[*] retsync init
[>] programOpened: tm.sys
imageBase: 0x1c0000000
The latest known working version of Ghidra for synchronization with Axion is 9.2.2.
Enable the synchronization
Loading target binary in IDA/Ghidra
To synchronize an IDA/Ghidra instance with Axion, you obviously need to load a binary used in the scenario. If you do not already have this binary, you can extract it from the light filesystem of your scenario, in:
$DATA/reven/SCENARIO_REPLAY_DIRECTORY/light_fs/
If the binary was uploaded to the VM via the CD-ROM, you can also search for it in:
$DATA/reven/SCENARIO_INPUT_DIRECTORY/
Where:
- $DATA is the main storage folder for esReven, as configured in the .env file at the root of the esReven installation.
- SCENARIO_REPLAY_DIRECTORY and SCENARIO_INPUT_DIRECTORY are respectively the "Replay directory" and the "Input directory" of your scenario, as indicated in the "Scenario details" page of your scenario in the Project Manager.
Note: you need access to esReven's host filesystem to extract a file that way.
Running the ret-sync IDA/Ghidra plugin
IDA7.x
Start the plugin in IDA using the shortcut Alt+Shift+S or via the menu Edit -> Plugins -> ret-sync.
IDA6.9x
Load the file <ret-sync dir>/ext_ida/SyncPlugin.py using the File > Script File menu.
This will create a ret-sync process listening for debugger events.
Once loaded, the plugin will create a new tab in IDA and allow you to change the binary name. IDA-Sync enables the synchronization only when the correct binary is being debugged, so you must ensure that the IDA and Reven binary names match perfectly.
Ghidra
Enable the plugin in the Ghidra CodeBrowser using the shortcut Alt+S.
Running the Axion ret-sync plugin
- Open the Axion ret-sync plugin from the Axion menu View > ret-sync.
- Fill the host and port fields using the address and port of the machine where IDA/Ghidra is running.
NOTE: If the base address of the studied binary is different between Axion and IDA/Ghidra (because of ASLR, for example), the synchronization will still work correctly but the displayed addresses will not match between Axion and IDA/Ghidra. To have the same addresses, the binary in IDA/Ghidra must be rebased to the base address used in Axion. To do that you can use:
- IDA: the menu Edit > Segments > Rebase Program.
- Ghidra: the menu Window > Memory Map, then click on the top right house button.
Then you must restart the plugins in IDA/Ghidra and Axion.