"Hacking is the discipline of questioning all your assumptions all of the time."
-- Dave Aitel
Haruspex is a blazing fast IDA Pro headless plugin that extracts pseudocode generated by IDA Pro's decompiler in a format that should be suitable to be imported into an IDE, or parsed by static analysis tools such as Semgrep, weggli, or oneiromancer.
- Blazing fast, headless user experience courtesy of IDA Pro 9.x and Binarly's idalib Rust bindings.
- Support for binary targets for any architecture implemented by IDA Pro's Hex-Rays decompiler.
- Pseudocode of each function is stored in a separated file in the output directory for easy inspection.
- External crates can invoke [
decompile_to_file] to decompile a function and save its pseudocode to disk.
- https://hex-rays.com/blog/streamlining-vulnerability-research-idalib-rust-bindings
- https://hnsecurity.it/blog/streamlining-vulnerability-research-with-ida-pro-and-rust
- https://github.com/0xdea/ghidra-scripts/blob/main/Haruspex.java
- https://github.com/0xdea/semgrep-rules
- https://github.com/0xdea/weggli-patterns
- https://docs.hex-rays.com/release-notes/9_0#headless-processing-with-idalib
- https://github.com/idalib-rs/idalib
- https://github.com/xorpse/parascope
- https://hnsecurity.it/blog/automating-binary-vulnerability-discovery-with-ghidra-and-semgrep
The easiest way to get the latest release is via crates.io:
- Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
- Install LLVM/Clang (see https://rust-lang.github.io/rust-bindgen/requirements.html).
- On Linux/macOS, install as follows:
On Windows, instead, use the following commands:
export IDADIR=/path/to/ida # if not set, the build script will check common locations cargo install haruspex
$env:LIBCLANG_PATH="\path\to\clang+llvm\bin" $env:PATH="\path\to\ida;$env:PATH" $env:IDADIR="\path\to\ida" # if not set, the build script will check common locations cargo install haruspex
Alternatively, you can build from source:
- Download, install, and configure IDA Pro (see https://hex-rays.com/ida-pro).
- Install LLVM/Clang (see https://rust-lang.github.io/rust-bindgen/requirements.html).
- On Linux/macOS, compile as follows:
On Windows, instead, use the following commands:
git clone --depth 1 https://github.com/0xdea/haruspex cd haruspex export IDADIR=/path/to/ida # if not set, the build script will check common locations cargo build --release
git clone --depth 1 https://github.com/0xdea/haruspex cd haruspex $env:LIBCLANG_PATH="\path\to\clang+llvm\bin" $env:PATH="\path\to\ida;$env:PATH" $env:IDADIR="\path\to\ida" # if not set, the build script will check common locations cargo build --release
- Make sure IDA Pro is properly configured with a valid license.
- Run as follows:
haruspex <binary_file>
- Find the extracted pseudocode of each decompiled function in the
binary_file.decdirectory:vim <binary_file>.dec code <binary_file>.dec
| IDA Pro version | Latest compatible release |
|---|---|
| v9.0.240925 | v0.2.4 |
| v9.0.241217 | v0.3.5 |
| v9.1.250226 | v0.6.2 |
| v9.2.250908 | v0.7.5 |
| v9.3.260213 | current release |
Note
Check the idalib documentation for additional information.
- Use the
.cppextension instead of.cto output pseudocode (see this issue)? - Integrate with Semgrep scanning (see https://github.com/0xdea/semgrep-rules).
- Integrate with weggli scanning (see https://github.com/0xdea/weggli-patterns).
- Improve decompiler output in the style of HexRaysPyTools and abyss.
- Implement parallel analysis (see https://github.com/fugue-re/fugue-mptp).