Debugwar Blog

Use Wine+IDA in the Linux environment and activate the Python plugin

2022-01-20 @ UTC+0

As a hardworking anti-virus analyst, I find IDA an indispensable tool. Although IDA has a Linux version, its high price really makes me hesitate. Fortunately, there are quite a few available versions for the Windows platform ; )

As an anti-virus analyst who uses ArchLinux as my main system, I chose to run IDA under Wine… And so today's story begins.

IDA Error

Starting from a certain version, IDA provides Python support; on Windows this support works without problems. On Linux, however, because IDA is running inside the Wine environment, it reports that it cannot find the idapython3.dll module:


In order to use the powerful features of Python anyway, this article was written…

Wine + IDA + Python

Install Python Environment

Although Linux itself comes with a Python environment, IDA under Wine cannot use it. We need a Python environment for Windows.

Download the Python3 green package from the official website.

  https://www.python.org/downloads

Of course, you can also download the installer version. I chose the embeddable ("green") version mainly because it is portable and has an extremely simple directory structure.

I downloaded the current latest version:

  https://www.python.org/ftp/python/3.10.2/python-3.10.2-embed-amd64.zip

Note: newer is not necessarily better. IDA itself only supports a limited set of Python versions; you can check which ones by looking at the "python<python version>\PyQt5" directories under the IDA installation directory. Be sure to download a supported version (as of now, with the latest available IDA 7.7, Python 3.10.x is recommended).

After the download is complete, unzip it to the corresponding directory:


Here, it is important to note the correspondence between a Linux path and the Windows path seen under Wine. It sounds a bit confusing, but an example makes it clear:

  • The path under Linux: /home/hacksign/.wine/drive_c/Program Files/Python3/
  • Corresponds to under Wine: C:\Program Files\Python3

OK, after unzipping into the Python3 directory we have a Python environment for Windows. Next, for the convenience of later calls, we need to add it to the PATH environment variable under Wine.

Set Environment Variable

Use the following command to open the registry:

  wine regedit

Then modify the following location:

  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment

At the end of PATH, append the Python3 directory from above (note that the individual paths are separated by semicolons):


After configuring the environment as above, open a new command line and execute the following command:


If you see the Python command line prompt, congratulations, you are halfway there.

Next, we need to tell IDA where its python3.dll is. Go to the following registry location (if it does not exist yet, you need to run IDA once first):

  HKEY_CURRENT_USER\Software\Hex-Rays

Set Python3TargetDLL to the absolute (Windows) path of python3.dll inside the Python directory above:
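The two registry edits above, scripted with Wine's own reg.exe instead of clicking through regedit. This is an added example, not code from the original post: it assumes the default prefix in $WINEPREFIX (or ~/.wine), that `wine reg query` prints the value after the type column, and that IDA has already been run once so the Hex-Rays key exists. Appending to PATH is idempotent, so the script can be re-run safely.

```shell
#!/bin/sh
# Added example: map the Linux Python3 directory to its Wine path, append it
# to the Wine PATH once, and point IDA's Python3TargetDLL at python3.dll.
set -eu

WINEPREFIX="${WINEPREFIX:-$HOME/.wine}"
ENV_KEY='HKLM\System\CurrentControlSet\Control\Session Manager\Environment'
IDA_KEY='HKCU\Software\Hex-Rays'

# /home/hacksign/.wine/drive_c/Program Files/Python3 -> C:\Program Files\Python3
wine_path() {
    rel=${1#$WINEPREFIX/drive_c}
    [ "$rel" != "$1" ] || { echo "not under $WINEPREFIX/drive_c: $1" >&2; return 1; }
    printf 'C:%s\n' "$rel" | tr '/' '\\'
}

# Append DIR to a semicolon-separated PATH value unless it is already listed.
append_path() {   # $1 = current PATH value, $2 = dir to add
    cur=$1 dir=$2
    [ -n "$cur" ] || { printf '%s\n' "$dir"; return; }
    case ";$cur;" in
        *";$dir;"*) printf '%s\n' "$cur" ;;
        *)          printf '%s;%s\n' "$cur" "$dir" ;;
    esac
}

# Read a string value; assumes reg.exe prints "<name>    REG_xxx_SZ    <value>".
reg_get() {   # $1 = key, $2 = value name
    wine reg query "$1" /v "$2" 2>/dev/null | sed -n 's/.*REG_[A-Z_]*SZ[[:space:]]*//p'
}

setup() {   # $1 = Linux path of the unpacked Python3 directory
    pydir=$(wine_path "$1")
    newpath=$(append_path "$(reg_get "$ENV_KEY" PATH)" "$pydir")
    wine reg add "$ENV_KEY" /v PATH /t REG_EXPAND_SZ /d "$newpath" /f
    # Key is created by IDA on first start; /f overwrites the value set by idapyswitch.
    wine reg add "$IDA_KEY" /v Python3TargetDLL /t REG_SZ /d "$pydir\\python3.dll" /f
}

# Only touch the registry when a Python directory is given on the command line.
[ $# -eq 0 ] || setup "$1"
```

Run it as `sh setup-ida-python.sh "$HOME/.wine/drive_c/Program Files/Python3"`, then open a new `wine cmd` so the new PATH is picked up.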


After completing the settings above, open IDA again; you will find that the previous error message is gone, replaced by a new one:


In fact, at this point your IDA can already use IDAPython. But as perfectionists, we still want to eliminate this error.

If you look carefully at the error message in the picture above, you can see that it is actually caused by the yara module not being installed in Python. In general, when we encounter the error ModuleNotFoundError: No module named 'xxx', the first thing that comes to mind is to install the module with pip.

With that idea in mind, let's get started.

Install Pip for Python in the Wine Environment

First, get the pip installation script from the following address:

  https://bootstrap.pypa.io/get-pip.py

Then proceed with the installation, as shown in the figure below:


After the installation is complete, we return to the Python directory and find that there is an additional folder called Lib. Looking further, we find that pip has been installed in the Lib\site-packages directory:


However, if you try to use it directly at this point, it will still report that the pip module cannot be found. This is because we have not yet told Python where to look for the pip module.

Set the search path for the Python library

Note that if you are using the installer version of Python, you need to set the PYTHONPATH environment variable instead (refer to the PATH setting above).

If you are using the embeddable version of Python, you will find a file called python310._pth in the directory (310 varies with the Python version you downloaded). Open this file and add the site-packages path to it:


Note that the path in this file is relative, that is, relative to the directory containing python.exe.

After saving and exiting, execute the following command:


If you see pip's version information, then congratulations again, you are 80% of the way there.

Next, we need to install the yara module to fix the error above about IDA not finding yara. The command is as follows:


Now open IDA again and casually decompile something, and a new error appears:


This time it is the libyara.dll file that cannot be found. Look for this file in the Python directory:


Emmmm… I found that the location is a bit problematic. IDA looks for this file in the C:\Program Files\Python3 directory, but it was actually installed as C:\Program Files\Python3\Lib\site-packages\Program Files\Python3\DLLs\libyara.dll. Manually move libyara.dll to the correct location, then open IDA again and disassemble the file:


OK, all errors are gone, and a preliminary test shows that the functionality works normally.

Extra things

Diaphora plugin error

During later use, I found that diaphora reports an error:


The following records how to solve the error.

First, you need to install the PyQt5 package. Since I had already installed it, the figure below reports that it already exists; the installation command is the same:


Then I found that the script still seems to hard-code loading python38.dll, but since we downloaded Python 3.10 there is no python38.dll, so we need to create a symbolic link:


After that, diaphora works without problems. The picture below is a screenshot of comparing the genuine and the fake program:


Ret-sync plugin cannot start

This plugin is disabled immediately after being enabled, and the log looks like this:

  [sync] form create
  [sync] default idb name: ntoskrnl_en.exe
  [sync] found config file: user_conf(host='127.0.0.1', port=8844, alias=None, path='D:\\Windows10\\x64\\.sync')
  [sync] hint: pdb name ('ntkrnlmp.exe') differs from registered module name ('ntoskrnl_en.exe')
  [sync] sync enabled
  [sync] init_broker
  [sync] cmdline: "D:\Softwares\Python3\python.exe" -u "D:\Softwares\IDA Pro\plugins\retsync\broker.py" --idb "ntoskrnl_en.exe"
  [sync] module base 0x140000000
  [sync] hexrays #7.7.0.220118 found
  [sync] broker new state: Starting
  [sync] broker new state: Running
  [sync] broker started
  [sync] plugin loaded
  [sync] broker new state: Not running
  [sync] check tmp file retsync.<broker|dispatcher>.err if you think this is an error
  [sync] broker finished
  [sync] idb is disabled

This problem is mainly caused by Python not finding the ret-sync library. The solution is to add the ret-sync library path to the python310._pth file (310 is the version number):

  >> cat python310._pth
  D:\Softwares\IDA Pro\plugins\retsync
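Both ._pth edits on this page (adding Lib\site-packages for pip, and the retsync plugin directory here) are the same operation: append a search path line unless it is already there. The helper below is an added example, not code from the post; the sample ._pth it builds is constructed to match the layout of the embeddable package's file, and the file is edited from the Linux side of the Wine prefix.

```shell
#!/bin/sh
# Added example: idempotently add search paths to the embeddable Python's
# ._pth file. Relative lines resolve against the directory holding
# python.exe; absolute Windows paths (D:\...) are allowed too.
set -eu

pth_add() {   # $1 = python310._pth, $2 = search path to add
    if grep -Fqx -- "$2" "$1"; then
        echo "already present: $2"
    else
        printf '%s\n' "$2" >> "$1"
        echo "added: $2"
    fi
}

# Constructed sample with the same lines the embeddable package ships.
make_sample_pth() {   # $1 = file to create
    printf '%s\n' 'python310.zip' '.' '' \
        '# Uncomment to run site.main() automatically' '#import site' > "$1"
}

# Count non-comment, non-empty search-path entries in a ._pth file.
pth_entries() {   # $1 = ._pth file
    grep -cv -e '^#' -e '^$' -- "$1" || true
}

demo() {
    f=$(mktemp)
    make_sample_pth "$f"
    pth_add "$f" 'Lib\site-packages'                      # pip from get-pip.py
    pth_add "$f" 'D:\Softwares\IDA Pro\plugins\retsync'   # ret-sync's Python side
    pth_add "$f" 'Lib\site-packages'                      # second call is a no-op
    pth_entries "$f"                                      # prints 4
    rm -f "$f"
}
```

Point `pth_add` at the real file, e.g. `pth_add "$HOME/.wine/drive_c/Program Files/Python3/python310._pth" 'Lib\site-packages'`, and the next `wine python -m pip --version` finds pip.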

IDA crash problem

If you use idapyswitch.exe to switch the Python environment, IDA may crash. It is recommended to run this tool last to set up the environment and then repair the result afterwards; otherwise the PyQt5 package bundled with IDA may not be usable.

This is because idapyswitch.exe sets an incorrect Python3TargetDLL value. You only need to open the registry and fix the value at the following location (see above for details): HKEY_CURRENT_USER\Software\Hex-Rays


The Go parsing support that comes with IDA 7.6 is really nice to use~
