Following ELF imports

Thank you very much for reading and taking the time to provide guidance

I’m sorry for this long post. I’m very thankful for any input if you have time

You say “all you need to do is generate the TIL files for your libraries” … and it’s not incorrect, if I had decent TILs for each and loaded them all, that would completely solve the “accurate prototypes for imported functions” aspect (but not the “jump into the function” part - see the end of this post for how I’ll try to do that…)

This is not a technical challenge, it’s just a bit cumbersome to automate. Automating it is critical though as it’s not uncommon for me to work on more than a dozen collections or executables+libraries, with many cases an ELF has imports from 10-20 proprietary libraries

Creating TILs for the libraries is not too far from what I currently do mostly manually. Get list of imported library names from the ELF header, then find each library in the directory tree, load, export to C header, idaclang (in the past, tilib) to produce the TILs

It works, but the glue is not already there, so I need to script it, which will take some time. If it’s the best way to go, I’ll invest the time in automating this approach

If you have any advice or criticism on the process as described below, I’m thankful to hear it!

Generating TIL from ELF

To generate a TIL from a stripped dynamically linked library, there are a few approaches I’m aware of. I’ve used each at one time or another but haven’t actually made any of them part of an automated and repeatable solution…

Step 1 is always load the lib to IDA, auto analyze, optionally do additional improvements (sig, recursive decompile, manual analysis of any remarkable “problems”, …)

From there, a few approaches I know of:

Method 1: produce C header file, build TIL from header with idaclang (or tilib)

Method 2: Export a TIL directly from IDA. I don’t think this is supported in the GUI, but I have used plugins to do it before. I’m still getting used to the new type interfaces in the 9.x API so it can be slow for me to write this even though it’s probably not much code

Method 3: Save the IDB in an unpacked form, use the TIL on the filesystem. (Is this safe/recommended? I avoid doing it for some reason, it seems easiest though…)

Which is the best approach? Are there better alternatives to generate TILs from a proprietary ELF shared library?

Second part: Quickly analyzing the code of the imported function

The other part of what I need - to quickly jump to the actual code of an imported function - is also just a bunch of glue. Not a technical challenge, just finding the right API interfaces to use:

  • right click on function name, present a “jump to implementation”
  • extract the NEEDED entries from the ELF, effectively a list of shared library dependencies for the exe
  • find the filesystem location for each library (checking ../lib ../usr/lib, …, or even embedded elf runpath entries)
  • parse each library to find the implementation of the imported function
  • present to user the path to the library and an option to open an additional ida instance loading that library

Any better ideas for this?

Thank you again!
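The "extract the NEEDED entries, locate each library, find which one defines the imported symbol" steps from the post, as an added stand-alone example (not the poster's code and not an IDA API; it uses only the Python standard library so it runs outside IDA). It reads the ELF64 section headers directly: DT_NEEDED and DT_RUNPATH/DT_RPATH come from the `.dynamic` section, and the set of defined `STT_FUNC` symbols comes from `.dynsym`. Because there is no real proprietary library to hand, the block also includes `build_elf64`, which constructs minimal ELF64 images carrying only those sections, and the directory tree is represented by a constructed dict of path to image bytes; the library and symbol names are made up.

```python
import os
import struct

ELF_MAGIC = b"\x7fELF"
SHT_STRTAB, SHT_DYNAMIC, SHT_DYNSYM = 3, 6, 11
DT_NULL, DT_NEEDED, DT_RPATH, DT_RUNPATH = 0, 1, 15, 29
STT_FUNC, STB_GLOBAL, SHN_UNDEF = 2, 1, 0
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr
DYN = struct.Struct("<qQ")                  # Elf64_Dyn
SYM = struct.Struct("<IBBHQQ")              # Elf64_Sym


def _cstr(blob: bytes, off: int) -> str:
    return blob[off:blob.index(b"\0", off)].decode()


def parse_dynamic_info(data: bytes) -> dict:
    """Return DT_NEEDED names, RPATH/RUNPATH dirs and defined function names
    from a little-endian ELF64 image (executable or shared object)."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    sections = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    info = {"needed": [], "runpath": [], "exports": set()}
    for sh in sections:
        sh_type, sh_off, sh_size, sh_link = sh[1], sh[4], sh[5], sh[6]
        if sh_type not in (SHT_DYNAMIC, SHT_DYNSYM):
            continue
        strtab = sections[sh_link]                       # sh_link -> .dynstr
        strblob = data[strtab[4]:strtab[4] + strtab[5]]
        if sh_type == SHT_DYNAMIC:
            for i in range(sh_size // DYN.size):
                tag, val = DYN.unpack_from(data, sh_off + i * DYN.size)
                if tag == DT_NEEDED:
                    info["needed"].append(_cstr(strblob, val))
                elif tag in (DT_RPATH, DT_RUNPATH):
                    info["runpath"].extend(_cstr(strblob, val).split(":"))
        else:
            for i in range(sh_size // SYM.size):
                name, st_info, _, shndx, _, _ = SYM.unpack_from(data, sh_off + i * SYM.size)
                # a function symbol with a real section index is defined here, not imported
                if (st_info & 0xF) == STT_FUNC and shndx != SHN_UNDEF:
                    info["exports"].add(_cstr(strblob, name))
    return info


def locate_library(name: str, runpath: list, tree: dict):
    """tree maps file paths to image bytes (constructed stand-in for a directory walk).
    RUNPATH entries win first, then any file in the tree with a matching basename."""
    for d in runpath:
        cand = os.path.join(d, name)
        if cand in tree:
            return cand
    return next((p for p in tree if os.path.basename(p) == name), None)


def resolve_import(symbol: str, exe_data: bytes, tree: dict):
    """Path of the first DT_NEEDED library of the executable that defines `symbol`."""
    exe = parse_dynamic_info(exe_data)
    for lib in exe["needed"]:
        path = locate_library(lib, exe["runpath"], tree)
        if path is not None and symbol in parse_dynamic_info(tree[path])["exports"]:
            return path
    return None


def build_elf64(needed, runpath, exports, undefined=()) -> bytes:
    """Constructed fixture: a minimal ELF64 with .dynstr/.dynsym/.dynamic/.shstrtab
    only (parseable, not loadable)."""
    dynstr = bytearray(b"\0")

    def add(s: str) -> int:
        off = len(dynstr)
        dynstr.extend(s.encode() + b"\0")
        return off

    dyn = b"".join(DYN.pack(DT_NEEDED, add(n)) for n in needed)
    if runpath:
        dyn += DYN.pack(DT_RUNPATH, add(":".join(runpath)))
    dyn += DYN.pack(DT_NULL, 0)
    sym = SYM.pack(0, 0, 0, 0, 0, 0)                                  # mandatory null symbol
    info = (STB_GLOBAL << 4) | STT_FUNC
    sym += b"".join(SYM.pack(add(e), info, 0, 1, 0x1000, 0x20) for e in exports)
    sym += b"".join(SYM.pack(add(u), info, 0, SHN_UNDEF, 0, 0) for u in undefined)
    shstrtab = b"\0.dynstr\0.dynsym\0.dynamic\0.shstrtab\0"          # name offsets 1, 9, 17, 26
    body, offs = bytearray(), {}
    for key, blob in (("dynstr", bytes(dynstr)), ("dynsym", sym),
                      ("dynamic", dyn), ("shstrtab", shstrtab)):
        body.extend(b"\0" * (-(EHDR.size + len(body)) % 8))          # 8-byte align
        offs[key] = EHDR.size + len(body)
        body.extend(blob)
    body.extend(b"\0" * (-(EHDR.size + len(body)) % 8))
    shoff = EHDR.size + len(body)
    shdrs = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    shdrs += SHDR.pack(1, SHT_STRTAB, 0, 0, offs["dynstr"], len(dynstr), 0, 0, 1, 0)
    shdrs += SHDR.pack(9, SHT_DYNSYM, 0, 0, offs["dynsym"], len(sym), 1, 1, 8, SYM.size)
    shdrs += SHDR.pack(17, SHT_DYNAMIC, 0, 0, offs["dynamic"], len(dyn), 1, 0, 8, DYN.size)
    shdrs += SHDR.pack(26, SHT_STRTAB, 0, 0, offs["shstrtab"], len(shstrtab), 0, 0, 1, 0)
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)                 # ELFCLASS64, LE, EV_CURRENT
    ehdr = EHDR.pack(ident, 3, 0x3E, 1, 0, 0, shoff, 0, EHDR.size, 0, 0, SHDR.size, 5, 4)
    return ehdr + bytes(body) + shdrs
```

Against real files, replace the `tree` dict with a dict built from `os.walk` over the firmware root and `open(path, "rb").read()`; the symbol lookup only consults `.dynsym`, so it finds what the dynamic linker would bind to even on stripped libraries, and the RUNPATH-first ordering mirrors the loader's search order when several copies of a library exist in the tree.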