IDB Store

Collaborative Environment for IDB Storage & Sharing


Brief

idb-store is a set of IDAPro scripts written in IDAPython, and an accompanying web application, that can be used to store, share, and index IDAPro IDB files together with analyst-specified information relating to that IDB. Too many times reverse engineers on the same team will, potentially unknowingly, analyze the same malware family in IDA for days or weeks, only to have a teammate say "Oh, you've been looking into Vawtrak? I have the latest version fully reversed in this IDB I can send you!". Well, no more!

Using the IDAPython scripts from idb-store, analysts are able to upload an IDB directly from IDAPro to a local or remote idb-store webserver. Users can also manually upload the IDB through the web UI or the REST API. From there, information is extracted from the IDB file and indexed within a MongoDB instance for searching and retrieval. Users can search for specific key:value pairs to find IDB files, or visit the "Index" page, which lists the last 50 uploaded IDB files. Once viewing a specific IDB, they are able to download it, view the additional information extracted from it, and pivot to other potentially interesting IDBs by searching on the extracted fields or user tags.

Access to the idb-store web UI requires users to log in, so that they can make comments and add notes on the IDB (such as identifying comments or interesting information about the sample they analyzed), as well as add user-defined tags and source information.

Project in progress: 75%

Analysts are able to add the following information when uploading a new IDB file:

  • Malware family name
  • Original MD5, SHA1, or SHA256 hash
  • Platform
  • Identifying comments (e.g., "Kovter.B Unpacked DLL")
  • Arbitrary tags
  • Analyst notes
  • Source or reference information

Once the IDB is uploaded to the web application, the back-end will extract the following information for viewing and pivoting:

  • General IDB information
  • Program segmentation information
  • Structures
  • Function names & CRC32 hashes
  • Strings & addresses
  • Import names & addresses
  • Export names & addresses
  • Comments

Key Features

  • Web Interface with REST API
  • Easily Share IDB Files
  • Add Comments & User Tags
  • Pivot to Other IDBs
  • Central Storage for Reverse Engineering Teams