
Quokka: A Fast and Accurate Binary Exporter


Quokka


Introduction

Quokka is a binary exporter: from the disassembly of a program, it generates an export file that can be used without the disassembler.

The main objective of Quokka is to let users fully manipulate the binary without ever opening a disassembler after the initial step. Moreover, it abstracts the disassembler's API to expose a clean interface to users.

Quokka is heavily inspired by BinExport, the binary exporter used by BinDiff.

Installation

Python plugin

The plugin is built in the CI and available in the registry.

It should be possible to install it directly with pip using a command like this:

$ pip install quokka-project

IDA Plugin

Note: The IDA plugin is not needed to read a Quokka generated file. It is only used to generate them.

Quokka is currently compatible with IDA 7.3+

The plugin is built on the CI and available in the Release tab.

To download the plugin, get the file named quokka_plugin**.so.

Usage

Export a file

Note: This requires a working IDA installation.

  • Either using the command line:
$ idat64 -OQuokkaAuto:true -A /path/to/hello.i64

Note: We are using idat64 and not ida64 to increase the export speed because we don't need the graphical interface.

  • Or using the plugin shortcut inside IDA (Alt+A by default)

Export a file in batch

One can write their own bash script to run multiple idat64 instances in parallel. However, Quokka provides a utility tool to automatically export all executable files of a given directory in parallel. An example that automates the export using 8 threads:

$ quokka-cli -t 8 dir/
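
The hand-written alternative mentioned above, as an added example that is not part of the Quokka project: a shell function that runs the page's idat64 export command over every executable file in a directory, several at a time. The IDAT variable, the export_dir name, the owner-execute file selection, and passing each binary path straight to idat64 are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not Quokka's own code): parallel headless export of a directory.

IDAT="${IDAT:-idat64}"   # assumption: variable name chosen for this example

# export_dir DIR [JOBS] - run one idat64 export per executable file in DIR.
export_dir() {
    local dir="$1" jobs="${2:-8}"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Anchor relative paths with "./" so a file or directory name starting
    # with "-" can never be read by find or idat64 as an option.
    case "$dir" in
        /*|./*) ;;
        *) dir="./$dir" ;;
    esac

    # -perm -100: regular files with the owner-execute bit set (assumption:
    # this is what "executable file" means here; quokka-cli may differ).
    # -print0 / -0 keep names containing spaces or newlines as one argument.
    # xargs exits non-zero if any export fails, so callers can detect it.
    find "$dir" -maxdepth 1 -type f -perm -100 -print0 |
        xargs -0 -r -n 1 -P "$jobs" "$IDAT" -OQuokkaAuto:true -A
}

# Stand-alone use: ./export_dir.sh dir/ 8
if [ "$#" -gt 0 ]; then
    export_dir "$@"
fi
```

Set IDAT to the full path of idat64 when it is not on PATH.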

Load an export file

import quokka

# Directly from the binary (requires the IDA plugin to be installed)
ls = quokka.Program.from_binary("/bin/ls")

# From the exported file
ls = quokka.Program("ls.quokka",  # the exported file 
                    "/bin/ls")    # the original binary

Building

The build process depends on which version of the IDA SDK you are using. These two modes are also referred to as the new mode and the old mode.

IDA < 9.2 (The old way)

Since the IDA SDK is still proprietary code, you have to fetch it yourself and provide its path to cmake through the option -DIdaSdk_ROOT_DIR:STRING=path/to/sdk

NOTE: This will also work on newer versions, but it requires more steps from users, as they will have to download the SDK themselves.

# -B: where to build; -S: where the sources are
# -DIdaSdk_ROOT_DIR: path to the IDA SDK; -DCMAKE_BUILD_TYPE: build type
user@host:~/quokka$ cmake -B build \
                          -S . \
                          -DIdaSdk_ROOT_DIR:STRING=path/to/ida_sdk \
                          -DCMAKE_BUILD_TYPE:STRING=Release

user@host:~/quokka$ cmake --build build --target quokka_plugin -- -j

IDA >= 9.2 (The new way)

The IDA SDK has finally been open sourced, so there is no longer any need to download it separately.

You can use the cmake option -DIDA_VERSION=<major>.<minor> to automatically sync it from GitHub.

# -B: where to build; -S: where the sources are
# -DIDA_VERSION: IDA SDK version; -DCMAKE_BUILD_TYPE: build type
user@host:~/quokka$ cmake -B build \
                          -S . \
                          -DIDA_VERSION=9.2 \
                          -DCMAKE_BUILD_TYPE:STRING=Release

user@host:~/quokka$ cmake --build build --target quokka_plugin -- -j

Install

To install the plugin:

user@host:~/quokka$ cmake --install build

In any case, the plugin will also be in build/quokka-install. You can copy it to IDA's user plugin directory.

user@host:~/quokka$ cp build/quokka-install/quokka*64.so $HOME/.idapro/plugins/

For more detailed information about building, see Building

Documentation

Documentation is available online at documentation

FAQ

You can see a list of questions here FAQ


Source Distribution

quokka_project-0.6.2.tar.gz (49.6 kB)

Uploaded Source

Built Distribution

quokka_project-0.6.2-py3-none-any.whl (63.9 kB)

Uploaded Python 3

File details

Details for the file quokka_project-0.6.2.tar.gz.

File metadata

  • Download URL: quokka_project-0.6.2.tar.gz
  • Upload date:
  • Size: 49.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for quokka_project-0.6.2.tar.gz
Algorithm Hash digest
SHA256 0ac34c5bc8dfba54f7ac1a040d2a6e7a502e609bfa16800580486d5c2ce1d970
MD5 99c0eda1549b400417723d8582ac71e5
BLAKE2b-256 467aeabd236b0fec47836a547210dc32735e299d4bc1af8210e726cc513838da


Provenance

The following attestation bundles were made for quokka_project-0.6.2.tar.gz:

Publisher: release.yml on quarkslab/quokka

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file quokka_project-0.6.2-py3-none-any.whl.

File metadata

  • Download URL: quokka_project-0.6.2-py3-none-any.whl
  • Upload date:
  • Size: 63.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for quokka_project-0.6.2-py3-none-any.whl
Algorithm Hash digest
SHA256 071a169f1c363e7a84ffb4e4c15e5269e9a4c06d806dad058f52c0141add7a75
MD5 fa940cec351bef0a61fd9803bd6ede89
BLAKE2b-256 8cbf68a5d4bd62f95c336c79599f16a6a5e98e7fdad090721594585e54a2dc26


Provenance

The following attestation bundles were made for quokka_project-0.6.2-py3-none-any.whl:

Publisher: release.yml on quarkslab/quokka

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
