BETA SUPPORT ONLY - MAC OS SUPPORT ONLY - CROSS PLATFORM RELEASES WIP
The Heimdallr client is registered as a system wide URI handler. This means that anywhere a URL can be invoked we can link to a location in IDA.
- Install heimdallr-ida
- Install heimdallr-client with pip
- You may need poetry depending on your python version
pip3 install poetry - Using git directly
pip3 install -e git+https://[email protected]/interruptlabs/heimdallr-client.git#egg=heimdallr_client - From a cloned repo
pip3 install -e .
- You may need poetry depending on your python version
- Verify
settings.jsonhas been created in the relevant application directory- MacOS/Linux -
$HOME/.config/heimdallr/ - Windows -
%APPDATA%/heimdallr/
- MacOS/Linux -
- Modify
settings.jsonto be accurate for your systemida_locationis the location of your IDA Installation (should be automatically filled)idb_pathis an array of locations for the heimdallr client to search for corosponding idbs
The wonderful people over at Foundry Zero have created a Ghidra plugin which offers the same functionality. You can get it here
The plugins are compatible, meaning links created with their plugin can be opened in IDA with this client, and vice versa. This allows you to collaborate with other researchers regardless of the disassembler you use!
In MacOS we can use AppleScript to act as a stub to forward URI requestst to our python client script. To configure this:
- Locate path to
heimdallr_clientscript
roberts@RobertS-IL-Mac heimdallr_client % whereis heimdallr_client
heimdallr_client: /opt/homebrew/bin/heimdallr_client
- Open
./macos-stub/heimdallrd.scptin Script Editor (double click)
- Change the
heimdallr_clientpath to be valid for your system - Export it as an Application (File -> Export...)
a. Ensure "File Format" is "Application"
- Modify the
Info.plistfile to add the following text between it's first set of dictionary tags
<key>CFBundleURLTypes</key>
<array>
<dict>
<key>CFBundleURLName</key>
<string>IDA URL</string>
<key>CFBundleURLSchemes</key>
<array>
<string>ida</string>
<string>disas</string>
</array>
</dict>
</array>
(an example Info.plist is in ./macos-stub/Info.plist)
- Move the Application Bundle to /Applications/ and resign it:
codesign --force -s - /Applications/heimdallrd.app - Run the Application bundle (double click) to register it with the system as a URI handler.
You should now be able to open dias:// URIs from anywhere in the system. This could be a Slack DM, a Confluence page, or a Obsidian note. The format is as follows (these):
disas://a.out.i64?offset=0x100003f10&hash=fea074789acc4a748d2ba0c6d82a0f8f&view=pseudo
These are automatically generated by creating a note with the heimdallr-ida plugin.
This client is backwards compatible with the legacy ida:// URI format.
The search behaviour for a matching IDB is as follows:
- Search for an open IDA instance with this database already open
- Search IDA recently open files for the location of the database
- Search your
idb_pathfor matching files
The search pattern is used to ensure links can be used easily within a team - so long as you have a database based on the same source file and is named the same.
IDBs are matched by both the database name and source file hash. As such changing the database name will cause URIs to no longer be valid.
You can make notes by highlighting the area of text in IDA you want to copy and pressing "Ctrl+Shift+N". The text will be added to a code block with a link back to where it came from and added to your clipboard.
This currently only works for the Disassembly and Pseudocode views.