Bincat : Binary Code Static Analyser With IDA Integration

BinCAT is a static Binary Code Analysis Toolkit, designed to help reverse engineers, directly from IDA or using Python for automation.

It features:

• value analysis (registers and memory)
• taint analysis
• type reconstruction and propagation
• backward and forward analysis
• use-after-free and double-free detection

Also Read : LOLBAS – Living Off The Land Binaries And Scripts

Quick FAQ

Supported host platforms:

• IDA plugin: all, version 7.0 or later (BinCAT uses PyQt, not PySide)
• analyzer (local or remote): Linux, Windows, macOS (maybe)

Supported CPU for analysis (for now):

• x86-32
• x86-64
• ARMv7
• ARMv8
• PowerPC

Installation

Only IDA v7 or later is supported

v6.9 may work, but we won’t support it.

Binary distribution install (recommended)

The binary distribution includes everything needed:

• the analyzer
• the IDA plugin

Install steps:

• Extract the binary distribution of BinCAT (not the git repo)
• In IDA, click on “File -> Script File…” menu (or type ALT-F7)
• Select install_plugin.py
• BinCAT is now installed in your IDA user dir
• Restart IDA

Manual installation

Analyser

The analyzer can be used locally or through a Web service.

On Linux:

• Using Docker: Docker installation instructions
• Manual: build and installation instructions

On Windows:

• build instructions

IDA Plugin

• Windows manual install.
• Linux manual install

BinCAT should work with IDA on Wine, once pip is installed:

• download https://bootstrap.pypa.io/get-pip.py (verify it’s good 😉
• ~/.wine/drive_c/Python27/python.exe get-pip.py

Using BinCAT

Quick start

• Load the plugin by using the Ctrl-Shift-B shortcut, or using the Edit -> Plugins -> BinCAT menu
• Go to the instruction where you want to start the analysis
• Select the BinCAT Configuration pane, click <-- Current to define the start address
• Launch the analysis

Configuration

Global options can be configured through the Edit/BinCAT/Options menu.

Default config and options are stored in $IDAUSR/idabincat/conf.

Options

• “Use remote bincat”: select if you are running docker in a Docker container
• “Remote URL”: http://localhost:5000 (or the URL of a remote BinCAT server)
• “Autostart”: autoload BinCAT at IDA startup
• “Save to IDB”: default state for the save to idb checkbox