Run the IDA Pro disassembler by Hex-Rays in Docker containers. Ideal for automating, scaling and distributing the use of IDAPython scripts to perform large-scale reverse engineering tasks.
Our blog: http://www.intezer.com/blog/
- Machine with Docker installed (see Install Docker)
- IDA Pro Linux version installation file (.run) and a valid license for running multiple instances (see Get IDA Pro)
- Clone docker-ida repository:
    $ git clone https://github.com/intezer/docker-ida
- Copy IDA Pro installation file to the repository's ida directory:
    $ cp <ida-installation-file-path> docker-ida/ida/ida.run
- Build IDA docker image:
    $ sudo docker build -t ida --build-arg IDA_PASSWORD=<password> docker-ida/ida
Note: It is recommended to push the built image to a private Docker Hub repository (Pushing a repository to Docker Hub). Otherwise you have to build the image on every machine. Keep the repository private: the image contains your licensed IDA installation, and Docker records build arguments such as IDA_PASSWORD in the image history.
The IDA service container receives remote IDA commands over HTTP and executes them. To start a container, run this command:
$ sudo docker run -v <host_shared>:/shared -p <host_port>:4000 -it ida -c <cores> -t <timeout>
- <host_shared> is a local directory on the host containing the files you want IDA to work with: scripts, files to disassemble, etc.
  Note: If you use Docker Toolbox on Windows, you might experience some issues parsing paths. Use // at the beginning of the paths (see discussion on stackoverflow).
- <host_port> is the port on the host that you use to connect to the specific Docker container (see Publish port).
- <cores> is the number of IDA worker processes. This number should be up to 4 workers per core in the host. Default is 8.
- <timeout> is the server timeout for each request. Default is 30.
Note: In order to run multiple containers on the same host, publish each container to a different host port.
On the server:
- Start two IDA containers as daemon:
    $ sudo docker run -v /path/to/current/folder/docker-ida/example_volume:/shared -p 4001:4000 -d ida -c 4
    $ sudo docker run -v /path/to/current/folder/docker-ida/example_volume:/shared -p 4002:4000 -d ida -c 4
On the client:
- Install ida_client Python library:
  On Windows:
    $ pip install "git+https://github.com/intezer/docker-ida#egg=ida_client&subdirectory=ida_client"
  On Linux / Mac OS X:
    $ pip install 'git+https://github.com/intezer/docker-ida#egg=ida_client&subdirectory=ida_client'
  Note: pip version must be 8.1.1 or higher
- Send commands to the containers using the Python library:
    >>> import ida_client
    >>>
    >>> client = ida_client.Client(['http://localhost:4001', 'http://localhost:4002'])
    >>>
    >>> client.send_command('idal -Sextract_file_functions.py -A zlib.dll.sample', timeout=600)
    True
    >>>
    >>> files = ['zlib.dll.sample', 'Win32OpenSSL.sample']
    >>>
    >>> # Building list of commands to send at once
    >>> commands = ['idal -Sextract_file_functions.py -A %s' % file for file in files]
    >>>
    >>> client.send_multiple_commands(commands, timeout=600)
    [True, True]
- Add additional Python libraries to the repository's ida/requirements.txt before building the image. The Sark library is already installed for rapid IDAPython scripting.
- For IDA 64 bit files:
    >>> client.send_command('idal64 -Sida_python_script.py -A sample_x64.exe', timeout=600)
    True
- You can use any of the IDA command line arguments (except for GUI-related switches)
If the script doesn't run correctly:
- Examine the log files in the volume <host_shared>/logs/. Each container has a different log file named <container-name>-ida-service.log
- Make sure the IDAPython script is Python 2.7 compatible. Python 3.x is not supported in IDAPython.
- Make sure to add Python libraries to the requirements.txt before building the docker image. When requirements.txt changes, the docker image and containers can always be rebuilt.
- Make sure the paths to the IDAPython scripts and files to disassemble in the send command are relative to the <host_shared> volume.
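Because the service executes the command strings it receives, and sample file names are often untrusted, a client can check every path before building commands. The following is an added example, not part of the docker-ida project: `shared_relative` and `build_commands` are hypothetical helpers, `/srv/ida_shared` is a constructed stand-in for <host_shared>, and the character allow-list assumes the command string may reach a shell on the service side.

```python
import os
import re

# Allow-list for anything placed in the command string (assumption: the string
# may reach a shell on the service side, so no spaces or metacharacters).
SAFE_PATH = re.compile(r'[A-Za-z0-9._/-]+')


def shared_relative(shared_root, path):
    """Return `path` relative to the shared volume, or raise ValueError."""
    root = os.path.realpath(shared_root)
    full = os.path.realpath(os.path.join(root, path))
    if not full.startswith(root + os.sep):
        raise ValueError('outside the shared volume: %r' % path)
    rel = os.path.relpath(full, root)
    # A leading '-' would be parsed by IDA as a switch, not as a file name.
    if rel.startswith('-') or not SAFE_PATH.fullmatch(rel):
        raise ValueError('unsafe file name: %r' % path)
    return rel


def build_commands(shared_root, script, samples, is_64bit=False):
    """Return (commands, rejected) for a batch of samples."""
    binary = 'idal64' if is_64bit else 'idal'
    script_rel = shared_relative(shared_root, script)
    commands, rejected = [], []
    for sample in samples:
        try:
            rel = shared_relative(shared_root, sample)
        except ValueError as err:
            rejected.append((sample, str(err)))
            continue
        commands.append('%s -S%s -A %s' % (binary, script_rel, rel))
    return commands, rejected


if __name__ == '__main__':
    # Constructed sample input; /srv/ida_shared stands in for <host_shared>.
    names = ['zlib.dll.sample', '../outside.bin', 'invoice copy.exe']
    cmds, bad = build_commands('/srv/ida_shared', 'extract_file_functions.py', names)
    print(cmds)   # pass this list to client.send_multiple_commands(...)
    print(bad)
```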
- Tested with IDA 6.9
- You are required to read the IDA License Agreement prior to using this project.
- More information on our blog post: http://blog.intezer.com/docker-ida