book

The IDA Pro Book

Name: The IDA Pro Book
Author: Chris Eagle
ISBN: 9781593271787

by Chris Eagle

August 2008

Intermediate to advanced

640 pages

23h 10m

English

No Starch Press

Read now

Unlock full access

THE IDA PRO BOOK
Dedication
FOREWORD
ACKNOWLEDGMENTS
INTRODUCTION
I. INTRODUCTION TO IDA
1. INTRODUCTION TO DISASSEMBLY
Disassembly TheoryThe What of DisassemblyThe Why of DisassemblyMalware AnalysisVulnerability AnalysisSoftware InteroperabilityCompiler ValidationDebugging DisplaysThe How of DisassemblyA Basic Disassembly AlgorithmLinear Sweep DisassemblyRecursive Descent DisassemblySequential Flow InstructionsConditional Branching InstructionsUnconditional Branching InstructionsFunction Call InstructionsReturn InstructionsSummary
2. REVERSING AND DISASSEMBLY TOOLS
Classification ToolsfilePE ToolsPEiDSummary Toolsnmlddobjdumpotooldumpbinc++filtDeep Inspection ToolsstringsDisassemblersSummary
3. IDA PRO BACKGROUND
Hex-Rays’ Stance on PiracyObtaining IDA ProIDA VersionsIDA LicensesPurchasing IDAUpgrading IDAIDA Support ResourcesYour IDA InstallationWindows InstallationOS X and Linux InstallationThe IDA Directory LayoutThoughts on IDA’s User InterfaceSummary
II. BASIC IDA USAGE

4. GETTING STARTED WITH IDA
Launching IDAIDA File LoadingUsing the Binary File LoaderIDA Database FilesIDA Database CreationClosing IDA DatabasesReopening a DatabaseIntroduction to the IDA DesktopDesktop Behavior During Initial AnalysisIDA Desktop Tips and TricksReporting BugsSummary
5. IDA DATA DISPLAYS
The Principal IDA DisplaysThe Disassembly WindowIDA Graph ViewIDA Text ViewThe Names WindowThe Message WindowThe Strings WindowSecondary IDA DisplaysThe Hex View WindowThe Exports WindowThe Imports WindowThe Functions WindowThe Structures WindowThe Enums WindowTertiary IDA DisplaysThe Segments WindowThe Signatures WindowThe Type Libraries WindowThe Function Calls WindowThe Problems WindowSummary
6. DISASSEMBLY NAVIGATION
Basic IDA NavigationDouble-Click NavigationJump to AddressNavigation HistoryStack FramesCalling ConventionsThe C Calling ConventionThe Standard Calling ConventionThe fastcall Convention for x86C++ Calling ConventionsOther Calling ConventionsLocal Variable LayoutStack Frame ExamplesIDA Stack ViewsSearching the DatabaseText SearchesBinary SearchesSummary
7. DISASSEMBLY MANIPULATION
Names and NamingParameters and Local VariablesNamed LocationsRegister NamesCommenting in IDARegular CommentsRepeatable CommentsAnterior and Posterior LinesFunction CommentsBasic Code TransformationsCode Display OptionsFormatting Instruction OperandsManipulating FunctionsCreating New FunctionsDeleting FunctionsFunction ChunksFunction AttributesStack Pointer AdjustmentsConverting Data to Code (and Vice Versa)Basic Data TransformationsSpecifying Data SizesWorking with StringsSpecifying ArraysSummary
8. DATATYPES AND DATA STRUCTURES
Recognizing Data Structure UseArray Member AccessGlobally Allocated ArraysStack-Allocated ArraysHeap-Allocated ArraysStructure Member AccessGlobally Allocated StructuresStack-Allocated StructuresHeap-Allocated StructuresArrays of StructuresCreating IDA StructuresManual Structure LayoutCreating a New Structure (or Union)Editing Structure MembersStack Frames as Specialized StructuresUsing Structure TemplatesImporting New StructuresParsing C Structure DeclarationsParsing C Header FilesUsing Standard StructuresIDA TIL FilesLoading New TIL FilesSharing TIL FilesC++ Reversing PrimerThe this PointerVirtual Functions and VtablesThe Object Life CycleName ManglingRuntime Type IdentificationInheritance RelationshipsC++ Reverse Engineering ReferencesSummary
9. CROSS-REFERENCES AND GRAPHING
Cross-ReferencesCode Cross-ReferencesData Cross-ReferencesCross-Reference ListsFunction CallsIDA GraphingLegacy IDA GraphingLegacy FlowchartsLegacy Call GraphsLegacy Cross-Reference GraphsCustom Cross-Reference GraphsIDA’s Integrated Graph ViewSummary
10. THE MANY FACES OF IDA
Console Mode IDACommon Features of Console ModeWindows Console SpecificsLinux Console SpecificsOS X Console SpecificsUsing IDA’s Batch ModeGUI IDA on Non-Windows PlatformsSummary
III. ADVANCED IDA USAGE
11. CUSTOMIZING IDA
Configuration FilesThe Main Configuration File: ida.cfgThe GUI Configuration File: idagui.cfgThe Console Configuration File: idatui.cfgAdditional IDA Configuration OptionsIDA ColorsCustomizing IDA ToolbarsSummary
12. Library Recognition Using FLIRT Signatures
Fast Library Identification and Recognition TechnologyApplying FLIRT SignaturesCreating FLIRT Signature FilesSignature-Creation OverviewIdentifying and Acquiring Static LibrariesCreating Pattern FilesCreating Signature FilesStartup SignaturesSummary
13. Extending IDA’s Knowledge
Augmenting Function InformationIDS FilesCreating IDS FilesAugmenting Predefined Comments with loadintSummary
14. PATCHING BINARIES AND OTHER IDA LIMITATIONS
The Infamous Patch Program MenuChanging Individual Database BytesChanging a Word in the DatabaseUsing the Assemble DialogIDA Output Files and Patch GenerationIDA-Generated MAP FilesIDA-Generated ASM FilesIDA-Generated INC FilesIDA-Generated LST FilesIDA-Generated EXE FilesIDA-Generated DIF FilesIDA-Generated HTML FilesSummary
IV. EXTENDING IDA’S CAPABILITIES
15. SCRIPTING WITH IDC
Basic Script ExecutionThe IDC LanguageIDC VariablesIDC ExpressionsIDC StatementsIDC FunctionsIDC ProgramsError Handling in IDCPersistent Data Storage in IDCAssociating IDC Scripts with HotkeysUseful IDC FunctionsFunctions for Reading and Modifying DataUser Interaction FunctionsString-Manipulation FunctionsFile Input/Output FunctionsManipulating Database NamesFunctions Dealing with FunctionsCode Cross-Reference FunctionsData Cross-Reference FunctionsDatabase Manipulation FunctionsDatabase Search FunctionsDisassembly Line ComponentsIDC Scripting ExamplesEnumerating FunctionsEnumerating InstructionsEnumerating Cross-ReferencesEnumerating Exported FunctionsFinding and Labeling Function ArgumentsEmulating Assembly Language BehaviorSummary
16. THE IDA SOFTWARE DEVELOPMENT KIT
SDK IntroductionSDK InstallationSDK LayoutConfiguring a Build EnvironmentThe IDA Application Programming InterfaceHeader Files OverviewNetnodesCreating NetnodesData Storage in NetnodesDeleting Netnodes and Netnode DataUseful SDK DatatypesCommonly Used SDK FunctionsBasic Database AccessUser Interface FunctionsManipulating Database NamesFunction ManipulationStructure ManipulationSegment ManipulationCode Cross-ReferencesData Cross-ReferencesIteration Techniques Using the IDA APIEnumerating FunctionsEnumerating Structure MembersEnumerating Cross-ReferencesSummary
17. THE IDA PLUG-IN ARCHITECTURE
Writing a Plug-inThe Plug-in Life CyclePlug-in InitializationEvent NotificationPlug-in ExecutionBuilding Your Plug-insPlug-in InstallationPlug-in ConfigurationExtending IDCPlug-in User Interface OptionsBuilding Interface Elements with the SDKUsing the SDK’s Chooser DialogsCreating Customized Forms with the SDKAdditional User Interface-Generation TechniquesSummary
18. BINARY FILES AND IDA LOADER MODULES
Unknown File AnalysisManually Loading a Windows PE FileIDA Loader ModulesWriting an IDA LoaderThe Simpleton LoaderBuilding an IDA Loader ModuleA pcap Loader for IDAAlternative Loader StrategiesSummary
19. IDA PROCESSOR MODULES
Python Byte CodeThe Python InterpreterWriting a Processor ModuleThe processor_t StructBasic Initialization of the LPH StructureThe AnalyzerThe EmulatorThe OutputterProcessor NotificationsOther processor_t MembersBuilding Processor ModulesCustomizing Existing ProcessorsProcessor Module ArchitectureSummary
V. REAL-WORLD APPLICATIONS
20. COMPILER VARIATIONS
Jump Tables and Switch StatementsRTTI ImplementationsLocating mainDebug vs. Release BinariesAlternative Calling ConventionsSummary
21. OBFUSCATED CODE ANALYSIS
Anti–Static Analysis TechniquesDisassembly DesynchronizationDynamically Computed Target AddressesOpcode ObfuscationImported Function ObfuscationTargeted Attacks on Analysis ToolsAnti–Dynamic Analysis TechniquesDetecting VirtualizationDetecting InstrumentationDetecting DebuggersPreventing DebuggingStatic De-obfuscation of Binaries Using IDAScript-Oriented De-obfuscationEmulation-Oriented De-obfuscationx86emu InitializationBasic x86emu OperationEmulator-Assisted De-obfuscationAdditional x86emu Featuresx86emu and Anti-debuggingSummary
22. VULNERABILITY ANALYSIS
Discovering New Vulnerabilities with IDAAfter-the-Fact Vulnerability Discovery with IDAIDA and the Exploit-Development ProcessStack Frame BreakdownLocating Instruction SequencesFinding Useful Virtual AddressesAnalyzing ShellcodeSummary
23. REAL-WORLD IDA PLUG-INS
Hex-RaysIDAPythonIDARubIDA SynccollabREateida-x86emumIDASummary
VI. THE IDA DEBUGGER
24. THE IDA DEBUGGER
Launching the DebuggerBasic Debugger DisplaysProcess ControlBreakpointsTracingStack TracesWatchesAutomating Debugger TasksScripting Debugger Actions with IDCAutomating Debugger Actions with IDA Plug-insSummary
25. DISASSEMBLER/DEBUGGER INTEGRATION
BackgroundIDA Databases and the IDA DebuggerDebugging Obfuscated CodeSimple Decryption and Decompression LoopsImport Table ReconstructionHiding the DebuggerDealing with ExceptionsSummary
26. LINUX, OS X, AND REMOTE DEBUGGING WITH IDA
Console-Mode DebuggingRemote Debugging with IDAException Handling During Remote DebuggingUsing Scripts and Plug-ins During Remote DebuggingSummary
A. USING IDA FREEWARE 4.9
Restrictions on IDA FreewareUsing IDA Freeware
B. IDC/SDK CROSS-REFERENCE
C. WHAT’S NEW IN IDA 5.3
Redesigned DebuggerType Library SupportNew IDC FunctionsNew API/SDK FunctionalitySummary
Index
About the Author
COLOPHON
Copyright

Content preview from The IDA Pro Book

Chapter 12. Library Recognition Using FLIRT Signatures

At this point it is time to start moving beyond IDA’s more obvious capabilities and begin our exploration of what to do after “The initial autoanalysis has been finished.”^[70] In this chapter we discuss techniques for recognizing standard code sequences such as the library code contained in statically linked binaries or standard initialization and helper functions inserted by compilers.

When you set out to reverse engineer any binary, the last thing that you want to do is waste time reverse engineering library functions whose behavior you could learn much more easily simply by reading a man ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781593271787Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

The IDA Pro Book

by Chris Eagle

Chapter 12. Library Recognition Using FLIRT Signatures

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.