
Streamlining Vulnerability Research with the idalib Rust Bindings for IDA 9.2


“The attack surface is the vulnerability.

Finding a bug there is just a detail.”


— Mark Dowd


A previous version of this article was published on the HN Security blog in February 2025. This is an updated and revised version.

About the guest author

Marco Ivaldi (raptor) is a seasoned security researcher and tech leader with over 25 years in offensive security. He is the technical director and co-founder of HN Security, a boutique firm specializing in tailored security assessments. Known as a prolific exploit writer, Marco is also a Phrack author and a core developer of the OSSTMM, the international standard for security testing. He has been recognized as a Microsoft Most Valuable Security Researcher and has competed as a Zero Day Quest hacker. His journey began in the 1990s, when he co-founded Linux&C, the first Italian magazine dedicated to Linux and open source.

TL;DR

Following the release of IDA Pro 9.2, I updated my tools that were built to assist with reverse engineering and vulnerability research against binary targets:

  • rhabdomancer: a headless IDA Pro plugin that locates calls to potentially insecure API functions in a binary file. Auditors can backtrace from these points to find pathways allowing access from untrusted input.
  • haruspex: a headless IDA Pro plugin that extracts pseudocode generated by IDA Pro’s decompiler in a format suitable for import into an IDE or to be parsed by static analysis tools such as Semgrep or weggli.
  • augur: a headless IDA Pro plugin that extracts strings and related pseudocode from a binary file. It stores pseudocode of functions that reference strings in an organized directory tree.

These plugins are based on my previous work and leverage Hex-Rays’ idalib alongside Binarly’s idiomatic Rust bindings for the IDA SDK to achieve a blazing fast, headless user experience. They have assisted me in finding real-world vulnerabilities at scale.

Introducing the award-winning idalib Rust bindings

Last year, after approaching Rust and having explored some basic offensive applications, I decided it was time for my first serious Rust project. When idalib v0.1.0 was announced, I had an idea: port to IDA Pro some of my original Ghidra scripts that aim to streamline vulnerability research, using Rust! 🦀💡


Binarly’s idalib Rust bindings allow IDA Pro 9.x users to develop standalone analysis tools with the IDA SDK, using Rust in an idiomatic way and fitting Rust's ownership model, type system, and API conventions. Tool authors can leverage the entire Rust ecosystem, so IDA Pro can be easily combined with existing Rust libraries and tools.

The availability of idalib marked the start of a new chapter in my Rust journey that saw me publish new vulnerability research tools built on top of it, and contribute a number of new features to idalib itself. And I learned a lot in the process!

My main idalib contributions to date are:

  • Support for the comments API.
  • Support for the (mostly undocumented) bookmarks APIs.
  • Support for searching text and immediate values, which incidentally led me to discover a curious bug in IDA Pro.
  • Support for working with the list of strings present in a binary file.
  • Various improvements and bug reports.


Fast-forward to last February, the idalib Rust bindings were awarded third place in the annual Hex-Rays Plugin Contest. 🎊 It was a well-deserved recognition, and I am happy to have been a humble contributor.


The maintainers of idalib are wonderful people, and I encourage you to contribute to its development. In particular, Sam has published related repositories worth exploring:


It's now time to take a look at my tools and see how they fare against some real-world targets!

Spinning rhabdomancer against a legendary target

Rhabdomancer
/răb′də-măn″sər/
Someone who uses a divining rod to find underground water.


Rhabdomancer is the Rust port of one of my original Ghidra scripts, previously described in the article Automating binary vulnerability discovery with Ghidra and Semgrep.

It is an IDA Pro headless plugin that locates calls to potentially insecure API functions in a binary file. Auditors can backtrace from these candidate points to find pathways allowing access from untrusted input. Its main features are:

  • Blazing fast, headless user experience courtesy of IDA Pro 9.x and Binarly’s idalib Rust bindings.
  • Support for C/C++ binary targets compiled for any architecture supported by IDA Pro.
  • Bad API function call locations are printed to stdout and marked in the IDB.
  • Known bad API functions are grouped into tiers of severity to help prioritize auditing:
    • [BAD 0] High priority — functions that are generally considered insecure.
    • [BAD 1] Medium priority — interesting functions that should be checked for insecure use cases.
    • [BAD 2] Low priority — code paths involving these functions should be carefully reviewed.
  • The list of known bad API functions can be easily customized by editing conf/rhabdomancer.toml.

Additional information on rhabdomancer’s features and usage is available on crates.io and in the official documentation.
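To make the tiering and the backtracing step concrete, here is an added example in Rust. It is my own illustration, not rhabdomancer's or idalib's code: it applies a tiered bad-API table to a list of call sites, normalizes the decorated names that import stubs carry, and walks the reverse call graph from every hit back to the functions nobody calls, which is where untrusted input usually enters. The call sites, function names, addresses, the short tier table and the prefix/suffix rules in normalize_name are all constructed assumptions; in the real tool the call sites and xrefs come from the IDB through idalib and the table from conf/rhabdomancer.toml. The backtrace goes beyond what the tool prints (it enumerates whole caller chains rather than just marking the call), to show what "backtrace from these candidate points" means in practice.

```rust
use std::collections::{HashMap, HashSet};

/// Severity tiers mirroring the [BAD 0]/[BAD 1]/[BAD 2] grouping (cast to u8 for the label).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord, Hash)]
pub enum Tier { Bad0, Bad1, Bad2 }

/// Constructed, deliberately short tier table: an assumption, not the contents of conf/rhabdomancer.toml.
pub fn sample_bad_api_list() -> HashMap<&'static str, Tier> {
    let mut m = HashMap::new();
    for f in ["gets", "strcpy", "strcat", "sprintf", "vsprintf"] { m.insert(f, Tier::Bad0); }
    for f in ["strncpy", "strncat", "snprintf", "memcpy", "sscanf"] { m.insert(f, Tier::Bad1); }
    for f in ["malloc", "free", "system", "popen", "open"] { m.insert(f, Tier::Bad2); }
    m
}

/// Strip stub decorations so the bare API name can be looked up. The prefixes ("__imp_", "j_",
/// a leading "." or "_") and the "_N" suffix on duplicate names are assumptions for the example.
pub fn normalize_name(sym: &str) -> String {
    let mut s = sym;
    for prefix in ["__imp__", "__imp_", "j_", ".", "_"] {
        if let Some(rest) = s.strip_prefix(prefix) { s = rest; }
    }
    if let Some(idx) = s.rfind('_') {
        let (base, tail) = s.split_at(idx);
        if !base.is_empty() && tail.len() > 1 && tail[1..].bytes().all(|b| b.is_ascii_digit()) { s = base; }
    }
    s.to_string()
}

/// One call instruction: containing function, target symbol, address.
#[derive(Clone, Debug)] pub struct CallSite { pub caller: String, pub callee: String, pub ea: u64 }
#[derive(Clone, Debug)] pub struct Finding { pub tier: Tier, pub api: String, pub caller: String, pub ea: u64 }

/// Match every call site against the tier table, highest priority first.
pub fn classify(sites: &[CallSite], bad: &HashMap<&str, Tier>) -> Vec<Finding> {
    let mut out: Vec<Finding> = sites.iter().filter_map(|cs| {
        let api = normalize_name(&cs.callee);
        let tier = *bad.get(api.as_str())?;
        Some(Finding { tier, api, caller: cs.caller.clone(), ea: cs.ea })
    }).collect();
    out.sort_by(|a, b| a.tier.cmp(&b.tier).then(a.ea.cmp(&b.ea)));
    out
}

/// Reverse call graph (callee -> callers), i.e. what "xrefs to" gives you in IDA.
pub type CallersOf = HashMap<String, Vec<String>>;
pub fn build_callers(sites: &[CallSite]) -> CallersOf {
    let mut m: CallersOf = HashMap::new();
    for cs in sites {
        let ups = m.entry(cs.callee.clone()).or_default();
        if !ups.contains(&cs.caller) { ups.push(cs.caller.clone()); }
    }
    m
}

/// Caller chains from `func` back to functions nobody calls (where untrusted input usually enters),
/// root first. `seen` cuts cycles (a pure cycle yields no extra chain) and `max_depth` caps the walk.
pub fn backtrace(func: &str, callers: &CallersOf, max_depth: usize) -> Vec<Vec<String>> {
    fn walk(cur: &str, callers: &CallersOf, path: &mut Vec<String>, seen: &mut HashSet<String>,
            max_depth: usize, out: &mut Vec<Vec<String>>) {
        path.push(cur.to_string());
        seen.insert(cur.to_string());
        match callers.get(cur).filter(|ups| !ups.is_empty() && path.len() < max_depth) {
            Some(ups) => for up in ups { if !seen.contains(up) { walk(up, callers, path, seen, max_depth, out); } },
            None => { let mut chain = path.clone(); chain.reverse(); out.push(chain); }
        }
        seen.remove(cur);
        path.pop();
    }
    let mut out = Vec::new();
    walk(func, callers, &mut Vec::new(), &mut HashSet::new(), max_depth, &mut out);
    out
}

/// Constructed call sites standing in for what the IDB would give you (names and addresses are made up).
pub fn sample_call_sites() -> Vec<CallSite> {
    [("main", "parse_args", 0x401000u64), ("main", "load_config", 0x401040),
     ("parse_args", "handle_request", 0x401100), ("handle_request", "format_reply", 0x401180),
     ("load_config", "format_reply", 0x4011c0), ("format_reply", ".sprintf", 0x401230),
     ("format_reply", "_strncpy_0", 0x401250), ("init", "__imp_memcpy", 0x401300), ("cleanup", "j_free", 0x401340)]
    .iter().map(|&(caller, callee, ea)| CallSite { caller: caller.into(), callee: callee.into(), ea }).collect()
}

/// One line per finding plus one per caller chain, in the "[BAD n]" style of the tool's stdout.
pub fn report(sites: &[CallSite], bad: &HashMap<&str, Tier>) -> Vec<String> {
    let callers = build_callers(sites);
    let mut lines = Vec::new();
    for f in classify(sites, bad) {
        lines.push(format!("[BAD {}] {} called from {} at {:#x}", f.tier as u8, f.api, f.caller, f.ea));
        for chain in backtrace(&f.caller, &callers, 16) {
            lines.push(format!("        path: {}", chain.join(" -> ")));
        }
    }
    lines
}

fn main() {
    for line in report(&sample_call_sites(), &sample_bad_api_list()) { println!("{line}"); }
}
```

A hit in the highest tier is still only a candidate: sprintf into a fixed buffer is a bug only if some caller chain lets attacker-controlled data reach the format arguments, which is exactly what the chains printed under each finding are for. Reading the chains also tells you which tier to audit first in practice: a [BAD 1] call reachable from a request handler deserves more attention than a [BAD 0] call reachable only from an initialization routine that parses a trusted config.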

Let’s install and take it for a spin!

Since the release of IDA Pro 9.2 and its freshly open-sourced SDK, installation has become much simpler:

  1. Download, install, and configure IDA Pro (https://hex-rays.com/ida-pro).
  2. Install LLVM/Clang (https://rust-lang.github.io/rust-bindgen/requirements.html).

On Linux/macOS, install as follows:

export IDADIR=/path/to/ida # if not set, the build script checks common locations

cargo install rhabdomancer


On Windows, instead use the following commands:

$env:LIBCLANG_PATH="\path\to\clang+llvm\bin"

$env:PATH="\path\to\ida;$env:PATH"

$env:IDADIR="\path\to\ida" # if not set, the build script checks common locations

cargo install rhabdomancer

To use rhabdomancer:

  1. Ensure IDA Pro is properly configured with a valid license.
  2. Customize the list of known bad API functions in conf/rhabdomancer.toml if needed.
  3. Run the tool: rhabdomancer <binary_file>. If a .i64 IDB for the binary already exists it is updated; otherwise a new one is created.
  4. Open the resulting .i64 file in IDA Pro.
  5. Select View > Open subviews > Bookmarks (comments are also added at marked call locations).
  6. Enjoy your results conveniently collected into an IDA Pro window.

Now let's run rhabdomancer against a real-world binary file.

Our target of choice is the legendary dtprintinfo SPARC binary, which was featured in countless advisories, exploits, talks, and articles (including Phrack) by yours truly and other old-school hackers over the years… Here's to CDE! So long, and thanks for all the shells! 🥂


To run rhabdomancer against our target binary, simply specify its path as the only argument:

[Screenshot: rhabdomancer01]

Rhabdomancer is blazing fast! It took less than 3 seconds to fully analyze and process a 350 KB binary file:

[Screenshot: rhabdomancer02]

Bad API function call locations are bookmarked in the IDB. Enjoy your results conveniently collected into an IDA Pro window:

[Screenshot: rhabdomancer03]

Can you spot the vulnerability? Hint: this is a vulnerability class from another era that should've gone extinct a long time ago. Yet, here it is. Find out the answer in my Phrack article, or watch my RomHack keynote if you're so inclined.

Automating binary vulnerability discovery with haruspex and augur

Haruspex
/hə-rŭs′pĕks″/
A priest in ancient Rome who practiced divination by inspecting animal entrails.

Augur
/ô′gər/
One who foretells events by omens.


Haruspex is the Rust port of another Ghidra script of mine. It is an IDA Pro headless plugin that extracts pseudocode generated by IDA Pro's decompiler in a format that should be suitable for import into an IDE or to be parsed by static analysis tools such as Semgrep and weggli.

Its main features include:

  • Fast, headless user experience courtesy of IDA Pro 9.x and Binarly's idalib Rust bindings.
  • Support for binary targets for any architecture supported by IDA Pro’s decompiler.
  • Pseudocode of each function is stored in a separate file in the output directory for easy inspection.
  • External crates can invoke decompile_to_file to decompile a function and save its pseudocode to disk.

Additional information on haruspex's features and usage is available at crates.io and in the official documentation.

Installation and usage are akin to what I have described earlier for rhabdomancer. The most notable difference is that haruspex can also be used as a library by third-party crates to decompile specific functions and save pseudocode to disk. An example of this is augur, another IDA Pro headless plugin I wrote that extracts strings and related pseudocode from a binary file. I encourage you to check it out.
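The one-file-per-function layout sounds trivial until you remember where the file names come from. As an added example (my own code, not haruspex's implementation of decompile_to_file), here is the output-directory logic such a dumper needs: the function name is sanitized before it becomes a file name, collisions are numbered instead of silently overwritten, and each file carries a header that maps a Semgrep or weggli hit back to the function and address in the IDB. The sanitization rules, the header format, the ".c" extension and the sample functions are assumptions for the example. The security point is general: symbol names are read from the binary under analysis, so a tool that turns them into paths must treat them as untrusted input.

```rust
use std::collections::HashMap;
use std::fs;
use std::io;
use std::path::PathBuf;

/// Windows refuses these as file stems regardless of extension.
fn is_windows_reserved(stem: &str) -> bool {
    let up = stem.to_ascii_uppercase();
    let b = up.as_bytes();
    matches!(up.as_str(), "CON" | "PRN" | "AUX" | "NUL")
        || (b.len() == 4 && (up.starts_with("COM") || up.starts_with("LPT")) && (b'1'..=b'9').contains(&b[3]))
}

/// Turn a function name taken from the binary into a file stem that is safe on every platform.
/// Anything outside [A-Za-z0-9_-] (so every '/', '\\', '.', ':' and '<') becomes '_', which
/// rules out path separators and ".." by construction. The 200-byte cap and the reserved-name
/// check are assumptions chosen for the example.
pub fn safe_file_name(func: &str) -> String {
    let mut stem: String = func
        .chars()
        .map(|c| if c.is_ascii_alphanumeric() || c == '_' || c == '-' { c } else { '_' })
        .collect();
    stem.truncate(200); // ASCII only at this point, so this cannot split a char
    if stem.is_empty() { stem.push_str("unnamed"); }
    if is_windows_reserved(&stem) { stem.insert(0, '_'); }
    stem
}

/// Writes one file per function under `root`, numbering collisions.
pub struct PseudocodeWriter { root: PathBuf, used: HashMap<String, usize> }

impl PseudocodeWriter {
    pub fn new(root: impl Into<PathBuf>) -> io::Result<Self> {
        let root = root.into();
        fs::create_dir_all(&root)?;
        Ok(Self { root, used: HashMap::new() })
    }

    /// Unique path for `func`: "stem.c", then "stem_1.c", "stem_2.c" for names that
    /// sanitize to the same stem (overloads, or "foo::bar" next to "foo__bar").
    pub fn path_for(&mut self, func: &str) -> PathBuf {
        let stem = safe_file_name(func);
        let n = self.used.entry(stem.clone()).or_insert(0);
        let name = if *n == 0 { format!("{stem}.c") } else { format!("{stem}_{n}.c") };
        *n += 1;
        self.root.join(name)
    }

    /// Save the pseudocode with a header that keeps the real name and address, so a
    /// static-analysis hit in the file maps straight back to the function in the IDB.
    pub fn write(&mut self, func: &str, ea: u64, pseudocode: &str) -> io::Result<PathBuf> {
        let path = self.path_for(func);
        fs::write(&path, format!("// function: {func}\n// address: {ea:#x}\n{pseudocode}\n"))?;
        Ok(path)
    }
}

/// Constructed sample: names, addresses and pseudocode are made up, not from a real IDB.
/// The last two entries are the kind of symbol a hostile binary could carry.
pub fn sample_functions() -> Vec<(&'static str, u64, &'static str)> {
    vec![
        ("main", 0x401000, "int main(int argc, char **argv) { return run(argc, argv); }"),
        ("foo::bar(int)", 0x401100, "int bar(int a) { return a + 1; }"),
        ("foo__bar_int_", 0x401140, "int foo__bar_int_(void) { return 0; }"),
        ("../../tmp/evil", 0x401180, "void evil(void) { }"),
        ("con", 0x4011c0, "void con(void) { }"),
    ]
}

fn main() -> io::Result<()> {
    let dir = std::env::temp_dir().join(format!("pseudocode_demo_{}", std::process::id()));
    let mut w = PseudocodeWriter::new(&dir)?;
    for (name, ea, code) in sample_functions() {
        println!("{name:>16} -> {}", w.write(name, ea, code)?.display());
    }
    Ok(())
}
```

The collision counter matters more than it looks: C++ overloads, and names that only differ in characters the filter rewrites, would otherwise overwrite each other and quietly drop functions from the corpus you then scan with Semgrep.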


Example run for haruspex

Coming back to haruspex, let's try it out against a sample binary. This time, our target is an ARM aarch64 setuid binary distributed with the latest Zyxel appliances, in which I recently discovered some vulnerabilities.

Again, to run haruspex against our target binary, simply specify its path as the only argument:

[Screenshot: haruspex01]

Haruspex is blazing fast! It took slightly more than 1 second to fully analyze and process a 43 KB binary file:

[Screenshot: haruspex02]

Enjoy decompiled pseudocode and Semgrep scan results conveniently loaded in your favorite IDE, courtesy of the SARIF Explorer extension for VS Code.

[Screenshot: haruspex03]

Unsurprisingly, the vulnerability lies at the highlighted line marked with Vuln 🙄. Because the binary runs with elevated privileges and writes to a fixed path in a world-writable directory, a local low-privileged user can place a symbolic link at /tmp/register_status and the binary will follow it. This can be exploited to overwrite arbitrary files or escalate privileges to root.

The full advisory and proof-of-concept exploit are available on GitHub. Here's a screenshot of the exploit in action for your viewing pleasure:

[Screenshot: haruspex04]
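The bug class deserves a minimal reproduction, so here is an added example in Rust that is neither the Zyxel binary's code nor the author's exploit. It puts the vulnerable open pattern next to a hardened one and replays the attack in a scratch directory: the directory stands in for /tmp, "register_status" for the fixed file name and "victim" for a root-owned file the attacker wants overwritten; all names and contents are constructed for the example.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::symlink;
use std::path::Path;

/// The pattern behind the bug: a privileged process creates or truncates a fixed,
/// predictable path in a directory other users can write to. open() follows whatever
/// is at that path, so a planted symlink redirects the write to the link's target.
pub fn write_status_unsafe(path: &Path, data: &[u8]) -> io::Result<()> {
    let mut f = OpenOptions::new().write(true).create(true).truncate(true).open(path)?;
    f.write_all(data)
}

/// Hardened variant: create_new() maps to O_CREAT|O_EXCL. With O_EXCL the open fails
/// with EEXIST if anything is already at the path, and POSIX specifies that a symbolic
/// link counts even when it dangles, so the link is never followed. A pre-existing file
/// becomes an error for the caller to handle instead of a silent write through the link.
pub fn write_status_safe(path: &Path, data: &[u8]) -> io::Result<()> {
    let mut f = OpenOptions::new().write(true).create_new(true).open(path)?;
    f.write_all(data)
}

/// Did the unsafe writer clobber the victim, and did the safe writer refuse and leave it intact?
#[derive(Debug, PartialEq, Eq)]
pub struct Outcome { pub victim_clobbered: bool, pub safe_refused: bool, pub victim_intact: bool }

/// Replay the attack in `dir` (a scratch directory standing in for /tmp).
pub fn run_demo(dir: &Path) -> io::Result<Outcome> {
    fs::create_dir_all(dir)?;
    let victim = dir.join("victim");
    let status = dir.join("register_status");
    fs::write(&victim, b"original\n")?;
    symlink(&victim, &status)?; // the low-privileged user's move: plant the link first

    // the privileged process runs and writes what it believes is its own status file
    write_status_unsafe(&status, b"attacker controlled\n")?;
    let victim_clobbered = fs::read(&victim)? == b"attacker controlled\n";

    // reset the victim and run the hardened writer against the same planted link
    fs::write(&victim, b"original\n")?;
    let safe_refused = match write_status_safe(&status, b"attacker controlled\n") {
        Err(e) => e.kind() == io::ErrorKind::AlreadyExists,
        Ok(()) => false,
    };
    let victim_intact = fs::read(&victim)? == b"original\n";
    Ok(Outcome { victim_clobbered, safe_refused, victim_intact })
}

fn main() -> io::Result<()> {
    let dir = std::env::temp_dir().join(format!("symlink_demo_{}", std::process::id()));
    let outcome = run_demo(&dir)?;
    println!("{outcome:?}");
    fs::remove_dir_all(&dir)
}
```

O_EXCL closes the symlink hole but does not make a fixed name in a shared directory a good idea: if the privileged program must keep state across runs it should use a directory only it can write to, and if it just needs scratch space it should create the file with a random name and restrictive mode. Deleting and recreating the fixed path instead would reopen a race between the unlink and the create.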

For additional information on my vulnerability research tools and workflow, please refer to the following articles:

Conclusion

The award-winning idalib Rust bindings open endless possibilities. Developers can leverage the entire Rust ecosystem to combine IDA Pro with existing Rust libraries and tools, such as weggli, or use it as part of larger static/dynamic analysis pipelines alongside, for example, libafl.

I hope this article has served as a useful introduction to idalib, and that you'll consider contributing to this powerful Rust library and building your own tools on top of it. Meanwhile, you can download my updated vulnerability research tools from Hex-Rays community plugins, lib.rs, crates.io, or GitHub.

I would like to thank idalib's maintainers at Binarly and especially Sam L. Thomas (@xorpse), who made me feel welcome since my first pull request. You are awesome ✊

Finally, huge thanks to Chris Hernandez for inviting me to write on the Hex-Rays blog. It's been an honor. Until next time!