FindFunc: IDA PRO plugin to find code functions
FindFunc: Advanced Filtering/Finding of Functions in IDA PRO
FindFunc is an IDA PRO plugin to find code functions that contain a certain assembly or byte pattern, reference a certain name or string, or conform to various other constraints. This is not a competitor to tools like Diaphora or BinNavi, but it is ideal to find a known function in a new binary for cases where classical bindiffing fails.
Filtering with Rules
The main functionality of FindFunc is letting the user specify a set of “Rules” or constraints that a code function in IDA PRO has to satisfy. FF will then find and list all functions that satisfy ALL rules (so currently all Rules are in an AND-conjunction). Exception: Rules can be “inverted” to be negative matches. Such rules thus conform to “AND NOT”.
FF will schedule the rules in a smart order to minimize processing time. Feature overview:
- Currently, 6 Rules are available, see below
- Code matching respects Addressing-Size-Prefix and Operand-Size-Prefix
- Aware of function chunks
- Smart scheduling of rules for performance
- Saving/Loading rules from/to file in simple ascii format
- Several independent Tabs for experimentation
- Copying rules between Tabs via clipboard (same format as a file format)
- Advanced copying of instruction bytes (all, opcodes only, all except immediate)
Button “Search Functions” clears existing results and starts a fresh search, “Refine Results” considers only results of the previous search.
Advanced Binary Copying
A secondary feature of FF is the option to copy binary representation of instructions with the following options:
- copy all -> copy all bytes to the clipboard
- copy without immediate -> blank out (AA ?? BB) any immediate values in the instruction bytes
- opcode only -> will blank out everything except the actual opcode(s) of the instruction (and prefixes)
