IDAPython coloring script

Motivation

Highlighting important and suspicious instructions helps me tremendously to understand and quickly navigate a disassembled binary. Every time I browse a freshly opened binary in IDA Pro I feel that something is missing. Reversing without colors is less fun!

Look at the two screenshots below. I’m having a much easier time navigating the highlighted disassembly on the right.

Raw and highlighted disassembly
Raw and highlighted disassembly

Idea and Existing Work

Willi introduced me to the idea to highlight call and push instructions. I used a script he gave to me for a very long time. Andrew Honig and Michael Sikorski also discuss highlighting of Anti-VM instructions in Practical Malware Analysis. Their website talks about decorating disassembly at https://practicalmalwareanalysis.com/2012/03/25/decorating-your-disassembly/ and contains links to an IDC script and an IDAPython script. Sebastian Eschweiler also talks about his highlighter script at http://malwaremuncher.blogspot.com/2012/10/enhancing-ida-pro-part-1-highlighting.html.

My IDA Pro highlighting script

While I’ve been using my own rudimentary coloring script for years now, I’ve decided to extend the script’s functionality and share it on my public GitHub repository at: https://github.com/mr-tz/idapython/blob/master/highlight_instructions.py. The script comes with a small GUI that lets you highlight instructions or clear all existing highlighting. The script supports the following features that can be enabled and disabled at the top of the script:

  • Highlight selected instructions
    • call
    • push
    • potential Anti-VM techniques
    • potential Anti-Debugging techniques
    • suspicious instructions, such as potential TEB and PEB access
  • Clear all colors

Here are two screenshots showing the GUI and an example of highlighted instructions and the supporting output after the script was executed.

Highlighter v1.0.0 GUI
Highlighter v1.0.0 GUI
Highlighted instructions and output
Highlighted instructions and output

In future I would like to add the following features:

  • Highlight function arguments for other calling conventions (AMD64, fastcall, etc.)
  • Highlight tight loop basic blocks
  • Distinguish between imported and internal calls
  • Highlight of suspicious XOR instructions (the current implementation is too noisy and disabled by default)
  • Make scrip configurable via GUI
  • Add a color picker

Please let me know what you think in the comments below, on social media or via GitHub’s issue tracker: https://github.com/mr-tz/idapython/issues.

Leave a Reply

Your email address will not be published.