book

The IDA Pro Book, 2nd Edition

Name: The IDA Pro Book, 2nd Edition
Author: Chris Eagle
ISBN: 9781593272890

by Chris Eagle

June 2011

Intermediate to advanced

672 pages

21h 10m

English

No Starch Press

Read now

Unlock full access

The IDA Pro Book
PRAISE FOR THE FIRST EDITION OF THE IDA PRO BOOK
Acknowledgments
Introduction
I. Introduction to IDA
1. Introduction to Disassembly
Disassembly Theory
The What of Disassembly
The Why of Disassembly
Malware AnalysisVulnerability AnalysisSoftware InteroperabilityCompiler ValidationDebugging Displays
The How of Disassembly
A Basic Disassembly AlgorithmLinear Sweep DisassemblyRecursive Descent DisassemblySequential Flow InstructionsConditional Branching InstructionsUnconditional Branching InstructionsFunction Call InstructionsReturn Instructions
Summary

2. Reversing and Disassembly Tools
Classification ToolsfilePE ToolsPEiD
Summary Tools
nmlddobjdumpotooldumpbinc++filt
Deep Inspection Tools
stringsDisassemblers
Summary
3. IDA Pro Background
Hex-Rays’ Stance on Piracy
Obtaining IDA Pro
IDA VersionsIDA LicensesPurchasing IDAUpgrading IDA
IDA Support Resources
Your IDA Installation
Windows InstallationOS X and Linux InstallationIDA and SELinux32-bit vs. 64-bit IDAThe IDA Directory Layout
Thoughts on IDA’s User Interface
Summary
II. Basic IDA Usage
4. Getting Started with IDA
Launching IDAIDA File LoadingUsing the Binary File Loader
IDA Database Files
IDA Database CreationClosing IDA DatabasesReopening a Database
Introduction to the IDA Desktop
Desktop Behavior During Initial Analysis
IDA Desktop Tips and Tricks
Reporting Bugs
Summary
5. IDA Data Displays
The Principal IDA DisplaysThe Disassembly WindowIDA Graph ViewIDA Text ViewThe Functions WindowThe Output Window
Secondary IDA Displays
The Hex View WindowThe Exports WindowThe Imports WindowThe Structures WindowThe Enums Window
Tertiary IDA Displays
The Strings WindowThe Names WindowThe Segments WindowThe Signatures WindowThe Type Libraries WindowThe Function Calls WindowThe Problems Window
Summary
6. Disassembly Navigation
Basic IDA NavigationDouble-Click NavigationJump to AddressNavigation History
Stack Frames
Calling ConventionsThe C Calling ConventionThe Standard Calling ConventionThe fastcall Convention for x86C++ Calling ConventionsOther Calling ConventionsLocal Variable LayoutStack Frame ExamplesIDA Stack Views
Searching the Database
Text SearchesBinary Searches
Summary
7. Disassembly Manipulation
Names and NamingParameters and Local VariablesNamed LocationsRegister Names
Commenting in IDA
Regular CommentsRepeatable CommentsAnterior and Posterior LinesFunction Comments
Basic Code Transformations
Code Display OptionsFormatting Instruction OperandsManipulating FunctionsCreating New FunctionsDeleting FunctionsFunction ChunksFunction AttributesStack Pointer AdjustmentsConverting Data to Code (and Vice Versa)
Basic Data Transformations
Specifying Data SizesWorking with StringsSpecifying Arrays
Summary
8. Datatypes and Data Structures
Recognizing Data Structure UseArray Member AccessGlobally Allocated ArraysStack-Allocated ArraysHeap-Allocated ArraysStructure Member AccessGlobally Allocated StructuresStack-Allocated StructuresHeap-Allocated StructuresArrays of Structures
Creating IDA Structures
Creating a New Structure (or Union)Editing Structure MembersStack Frames as Specialized Structures
Using Structure Templates
Importing New Structures
Parsing C Structure DeclarationsParsing C Header Files
Using Standard Structures
IDA TIL Files
Loading New TIL FilesSharing TIL Files
C++ Reversing Primer
The this PointerVirtual Functions and VtablesThe Object Life CycleName ManglingRuntime Type IdentificationInheritance RelationshipsC++ Reverse Engineering References
Summary
9. Cross-References and Graphing
Cross-ReferencesCode Cross-ReferencesData Cross-ReferencesCross-Reference ListsFunction Calls
IDA Graphing
IDA External (Third-Party) GraphingExternal FlowchartsExternal Call GraphsExternal Cross-Reference GraphsCustom Cross-Reference GraphsIDA’s Integrated Graph View
Summary
10. The Many Faces of IDA
Console Mode IDACommon Features of Console ModeWindows Console SpecificsLinux Console SpecificsOS X Console Specifics
Using IDA’s Batch Mode
Summary
III. Advanced IDA Usage
11. Customizing IDA
Configuration FilesThe Main Configuration File: ida.cfgThe GUI Configuration File: idagui.cfgThe Console Configuration File: idatui.cfg
Additional IDA Configuration Options
IDA ColorsCustomizing IDA Toolbars
Summary
12. Library Recognition Using FLIRT Signatures
Fast Library Identification and Recognition Technology
Applying FLIRT Signatures
Creating FLIRT Signature Files
Signature-Creation OverviewIdentifying and Acquiring Static LibrariesCreating Pattern FilesCreating Signature FilesStartup Signatures
Summary
13. Extending IDA’s Knowledge
Augmenting Function InformationIDS FilesCreating IDS Files
Augmenting Predefined Comments with loadint
Summary
14. Patching Binaries and Other IDA Limitations
The Infamous Patch Program MenuChanging Individual Database BytesChanging a Word in the DatabaseUsing the Assemble Dialog
IDA Output Files and Patch Generation
IDA-Generated MAP FilesIDA-Generated ASM FilesIDA-Generated INC FilesIDA-Generated LST FilesIDA-Generated EXE FilesIDA-Generated DIF FilesIDA-Generated HTML Files
Summary
IV. Extending IDA’s Capabilities
15. IDA Scripting
Basic Script Execution
The IDC Language
IDC VariablesIDC ExpressionsIDC StatementsIDC FunctionsIDC ObjectsIDC ProgramsError Handling in IDCPersistent Data Storage in IDC
Associating IDC Scripts with Hotkeys
Useful IDC Functions
Functions for Reading and Modifying DataUser Interaction FunctionsString-Manipulation FunctionsFile Input/Output FunctionsManipulating Database NamesFunctions Dealing with FunctionsCode Cross-Reference FunctionsData Cross-Reference FunctionsDatabase Manipulation FunctionsDatabase Search FunctionsDisassembly Line Components
IDC Scripting Examples
Enumerating FunctionsEnumerating InstructionsEnumerating Cross-ReferencesEnumerating Exported FunctionsFinding and Labeling Function ArgumentsEmulating Assembly Language Behavior
IDAPython
Using IDAPython
IDAPython Scripting Examples
Enumerating FunctionsEnumerating InstructionsEnumerating Cross-ReferencesEnumerating Exported Functions
Summary
16. The IDA Software Development Kit
SDK IntroductionSDK InstallationSDK LayoutConfiguring a Build Environment
The IDA Application Programming Interface
Header Files OverviewNetnodesCreating NetnodesData Storage in NetnodesDeleting Netnodes and Netnode DataUseful SDK DatatypesCommonly Used SDK FunctionsBasic Database AccessUser Interface FunctionsManipulating Database NamesFunction ManipulationStructure ManipulationSegment ManipulationCode Cross-ReferencesData Cross-ReferencesIteration Techniques Using the IDA APIEnumerating FunctionsEnumerating Structure MembersEnumerating Cross-References
Summary
17. The IDA Plug-in Architecture
Writing a Plug-inThe Plug-in Life CyclePlug-in InitializationEvent NotificationPlug-in Execution
Building Your Plug-ins
Installing Plug-ins
Configuring Plug-ins
Extending IDC
Plug-in User Interface Options
Using the SDK’s Chooser DialogsCreating Customized Forms with the SDKWindows-Only User Interface–Generation TechniquesUser Interface Generation with Qt
Scripted Plug-ins
Summary
18. Binary Files and IDA Loader Modules
Unknown File Analysis
Manually Loading a Windows PE File
IDA Loader Modules
Writing an IDA Loader Using the SDK
The Simpleton LoaderBuilding an IDA Loader ModuleA pcap Loader for IDA
Alternative Loader Strategies
Writing a Scripted Loader
Summary
19. IDA Processor Modules
Python Byte Code
The Python Interpreter
Writing a Processor Module Using the SDK
The processor_t StructBasic Initialization of the LPH StructureThe AnalyzerThe EmulatorThe OutputterProcessor NotificationsOther processor_t Members
Building Processor Modules
Customizing Existing Processors
Processor Module Architecture
Scripting a Processor Module
Summary
V. Real-World Applications
20. Compiler Personalities
Jump Tables and Switch Statements
RTTI Implementations
Locating main
Debug vs. Release Binaries
Alternative Calling Conventions
Summary
21. Obfuscated Code Analysis
Anti–Static Analysis TechniquesDisassembly DesynchronizationDynamically Computed Target AddressesOpcode ObfuscationImported Function ObfuscationTargeted Attacks on Analysis Tools
Anti–Dynamic Analysis Techniques
Detecting VirtualizationDetecting InstrumentationDetecting DebuggersPreventing Debugging
Static De-obfuscation of Binaries Using IDA
Script-Oriented De-obfuscationEmulation-Oriented De-obfuscationx86emu InitializationBasic x86emu OperationEmulator-Assisted De-obfuscationAdditional x86emu Featuresx86emu and Anti-debugging
Virtual Machine-Based Obfuscation
Summary
22. Vulnerability Analysis
Discovering New Vulnerabilities with IDA
After-the-Fact Vulnerability Discovery with IDA
IDA and the Exploit-Development Process
Stack Frame BreakdownLocating Instruction SequencesFinding Useful Virtual Addresses
Analyzing Shellcode
Summary
23. Real-World IDA Plug-ins
Hex-Rays
IDAPython
collabREate
ida-x86emu
Class Informer
MyNav
IdaPdf
Summary
VI. The IDA Debugger
24. The IDA Debugger
Launching the Debugger
Basic Debugger Displays
Process Control
BreakpointsTracingStack TracesWatches
Automating Debugger Tasks
Scripting Debugger ActionsAutomating Debugger Actions with IDA Plug-ins
Summary
25. Disassembler/Debugger Integration
Background
IDA Databases and the IDA Debugger
Debugging Obfuscated Code
Launching the ProcessSimple Decryption and Decompression LoopsImport Table ReconstructionHiding the Debugger
IdaStealth
Dealing with Exceptions
Summary
26. Additional Debugger Features
Remote Debugging with IDAUsing a Hex-Rays Debugging ServerAttaching to a Remote ProcessException Handling During Remote DebuggingUsing Scripts and Plug-ins During Remote Debugging
Debugging with Bochs
Bochs IDB ModeBochs PE ModeBochs Disk Image Mode
Appcall
Summary
A. Using IDA Freeware 5.0
Restrictions on IDA Freeware
Using IDA Freeware
B. IDC/SDK Cross-Reference
Index
About the Author

Content preview from The IDA Pro Book, 2nd Edition

Debugging Obfuscated Code

We have mentioned a number of times that loading an obfuscated program in a debugger, allowing it to run until the de-obfuscation is complete, and then taking a memory snapshot of the program in its de-obfuscated state seems like a good strategy for obtaining a de-obfuscated version of a program. Controlled execution is probably a better way of thinking about this process than debugging, because all we are really doing is observing the code in operation and then taking a memory snapshot at the appropriate moment. A debugger simply happens to be the tool that allows us to accomplish this task. At least that is what we are hoping for. In Chapter 21 we discussed several anti-disassembly and anti-debugging techniques that ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781593273750Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

The IDA Pro Book, 2nd Edition

by Chris Eagle

Debugging Obfuscated Code

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

Upgrading and Repairing Servers

What Successful Project Managers Do

How to Overcome a Power Deficit

Tips for Designing Effective Presentation Slide Decks

Publisher Resources