Release IDAScope v1.1: YARA scanning fixed for ida 6.1 python 2.7

[Storm Shadow]

I downloaded the new IDASCOPE and there was some small errors , just minors

Unpack into plugins folder.

Its important that you set up your config.py file proberly or it wont run.
its located
C:\Users\yourfolder\Downloads\ida\ida\plugins\IDAscope\idascope\config.py

edit the lines where it says "yourfolder"

configuration = {
    "config_path_sep": "\\",
    "plugin_only": False,
    "paths": {
        # "idascope_root_dir": "C:\\Users\\yourfolder\\Downloads\\ida\\ida\\plugins",
        "idascope_root_dir": "C:\\Users\\yourfolder\\Downloads\\ida\\ida\\plugins\\IDAscope",
        "semantics_file": "idascope\\data\\semantics.json",
        "semantics_folder": "idascope\\data\\semantics",
        "winapi_keywords_file": "idascope\\data\\winapi_keywords.json",
        "winapi_rootdir": "C:\\WinAPI\\"
        },
    "winapi": {
        "search_hotkey": "ctrl+y",
        "load_keyword_database": True,
        "online_enabled": True
        },
    "inspection": {
        "default_semantics": "win-ring3"
        },
    "yara": {
        "yara_sigs": ["C:\\yara"]
        }
}

you can read a small guide here.

http://pnx-tf.blogspot.no/2014/02/idascope-v11-yara-scanning.html

If you want to use it, make sure to install YARA Python first and adjust the paths specified in ./idacope/config.py to your local collection of signature files.
https://googledrive.com/host/0BznOMqZ9f3VUek8yN3VvSGdhRFU/yara-python-2.0.0.win32-py2.7.exe

also get and unpack sigs into C:\yara\*.yara

https://github.com/cabrel/yarasigs.

#############################################
  ___ ____    _                       
|_ _|  _ \  / \  ___  ___ ___  _ __  ___
  | || | | |/ _ \ / __|/ __/ _ \| '_ \ / _ \
  | || |_| / ___ \\__ \ (_| (_) | |_) |  __/
|___|____/_/  \_\___/\___\___/| .__/ \___|
                                |_|   
#############################################
by Daniel Plohmann and Alexander Hanel 
#############################################
 
[+] Loading simpliFiRE.IDAscope
[/] setting up shared modules...
[|] loading DocumentationHelper
[|] loading SemanticIdentifier
  [/] SemanticIdentifier: Starting (fast) scan by references of function semantics.
  [\] Analysis took 0.10 seconds.
[|] Loading WinApiProvider
[|] loading CryptoIdentifier
[|] loading PatternManager
[|] loading YaraScanner
[\] this took 2.66 seconds.
 
[/] setting up widgets...
[|] loading FunctionInspectionWidget
[|] loading WinApiWidget
[|] loading CryptoIdentificationWidget
[|] loading YaraScannerWidget
[\] this took 0.20 seconds.
 
Using FLIRT signature: Microsoft VisualC 2-10/net runtime
loading rules from file: C:\yara\apt.yar (72)
loading rules from file: C:\yara\APT_NGO_wuaclt.yar (1)
loading rules from file: C:\yara\APT_NGO_wuaclt_PDF.yar (1)
loading rules from file: C:\yara\avdetect.yar (1)
[!] Could not load yara rules from file: C:\yara\cve.yar
loading rules from file: C:\yara\dbgdetect.yar (3)
loading rules from file: C:\yara\GeorBotBinary.yara (1)
loading rules from file: C:\yara\GeorBotMemory.yara (1)
loading rules from file: C:\yara\hangover.yar (16)
[!] Could not load yara rules from file: C:\yara\index.yar
loading rules from file: C:\yara\sandboxdetect.yar (1)
loading rules from file: C:\yara\vmdetect.yar (1)
loading rules from file: C:\yara\xplug.yar (2)
 
 
[!] Performing YARA scan...

download
http://www.filedropper.com/idascope
THX to Computer line for the PySide patch

update!! download more yara sigs and put in C:\yara folder
https://raw.github.com/jaimeblasco/AlienvaultLabs/master/malware_analysis/CommentCrew/apt1.yara

 

[steve007iii]

Someone had this problem, and have solution? :depressed.png:

C:/IDAscope/IDAscope.py

--------------------------------------------------------------------------------------
Python 2.7.8 (default, Jun 30 2014, 16:03:49) [MSC v.1500 32 bit (Intel)]
IDAPython v1.5.3 final (serial 3) (c) The IDAPython Team <idapython@googlegroups.com>
--------------------------------------------------------------------------------------
[!] IDAscope.py is not present in root directory specified in "config.py", trying to resolve path...
[+] IDAscope root directory successfully resolved.
type object 'PluginForm' has no attribute 'FORM_CLOSE_LATER'
Traceback (most recent call last):
  File "C:\Program Files (x86)\Ida6.1\python\idaapi.py", line 400, in IDAPython_ExecScript
	execfile(script, g)
  File "C:/IDAscope/IDAscope.py", line 261, in <module>
	main()
  File "C:/IDAscope/IDAscope.py", line 257, in main
	IDASCOPE.Show()
  File "C:/IDAscope/IDAscope.py", line 168, in Show
	options=(PluginForm.FORM_CLOSE_LATER | PluginForm.FORM_RESTORE | PluginForm.FORM_SAVE))
AttributeError: type object 'PluginForm' has no attribute 'FORM_CLOSE_LATER'

IDAscope/testing/idascope_tests.py

--------------------------------------------------------------------------------------
Python 2.7.8 (default, Jun 30 2014, 16:03:49) [MSC v.1500 32 bit (Intel)]
IDAPython v1.5.3 final (serial 3) (c) The IDAPython Team <idapython@googlegroups.com>
--------------------------------------------------------------------------------------
No module named idascope.core.helpers.GraphHelper
Traceback (most recent call last):
  File "C:\Program Files (x86)\Ida6.1\python\idaapi.py", line 400, in IDAPython_ExecScript
	execfile(script, g)
  File "C:/IDAscope/testing/idascope_tests.py", line 36, in <module>
	from idascope.core.helpers.GraphHelper import GraphHelper
ImportError: No module named idascope.core.helpers.GraphHelper

 

[Storm Shadow]

did you edit the idacope/config.py and set the path proberly.

config.py

"paths": {
"idascope_root_dir": "C:\\Users\\zadow\\Downloads\\ida\\ida\\plugins\\IDAscope",

remeber to set yara dir also

i have mine in ida folder\plugins\IDAscope\Idascope.py

 

[steve007iii]

Yes I did but I have the same error
in my dir : C:\Program Files (x86)\Ida6.1\plugins\IDAscope\idascope\config.py

configuration = {
  "config_path_sep": "\\",
  "plugin_only": False,
  "paths": {
  # "idascope_root_dir": "C:\\Program Files (x86)\\Ida6.1\\plugins\\IDAscope",
  "idascope_root_dir": "C:\\Program Files (x86)\\Ida6.1\\plugins\\IDAscope",
  "semantics_file": "idascope\\data\\semantics.json",
  "semantics_folder": "idascope\\data\\semantics",
  "winapi_keywords_file": "idascope\\data\\winapi_keywords.json",
  "winapi_rootdir": "C:\\WinAPI\\"
  },
  "winapi": {
  "search_hotkey": "ctrl+y",
  "load_keyword_database": True,
  "online_enabled": True
  },
  "inspection": {
  "default_semantics": "win-ring3"
  },
  "yara": {
  "yara_sigs": ["C:\\yara"]
  }
}

 

[Storm Shadow]

the

PluginForm.FORM_CLOSE_LATER

is a PyQt4 error it cant create the QT forms
Have you tried the exampels from idapython especially the PyQtexampel and pyside

 

[steve007iii]

the

PluginForm.FORM_CLOSE_LATER

is a PyQt4 error it cant create the QT forms
Have you tried the exampels from idapython especially the PyQtexampel and pyside

Thanks friend a question which version of "PyQt4" you recommend for IDA 6.1 and Python 2.7.8
Another question, need I copy some dlls from "PyQt4" to IDA directory?

 

[Storm Shadow]

the build by @computerline works great
http://techbliss.org/threads/settin...-it-makes-big-difference.211/page-3#post-1244
and PySide
http://techbliss.org/threads/settin...-it-makes-big-difference.211/page-4#post-1319

and if it dosent work you can extract these dll into ida folder
https://www.firedrive.com/file/2F21AF99229D5FB2

 

[Storm Shadow]

Fix

IDAscope: fixed online MSDN lookup!

https://bitbucket.org/daniel_plohmann/simplifire.idascope/