CH 5

This document discusses using IDA Pro for malware analysis. It covers IDA Pro versions and interfaces, navigating and analyzing disassembly, enhancing the disassembly with renaming, comments and other features, and extending IDA Pro with plugins.

Uploaded by Marah Irshedat

Practical Malware Analysis

Ch 5: IDA Pro
IDA Pro Versions
• Full-featured paid version (IDA Teams, Pro, Home)
• IDA Free (2023)
• Old Demo version
– Both support x64/x86
– Pay version supports ARM and other processors
– Linux, Windows and MacOS
• All have code signatures for common library code in FLIRT (Fast Library Identification and Recognition Technology)
• https://hex-rays.com/ida-free/
Graph and Text Mode
• Spacebar switches mode
Default Graph Mode Display
Options, General
Better Graph Mode View
Arrows
• Colors
– Red: conditional jump not taken
– Green: conditional jump taken
– Blue: unconditional jump
• Direction
– Up: loop
Arrow Color Example
Highlighting
• Highlighting text in graph mode highlights every instance of that text
Text Mode
• Arrows
– Solid = Unconditional
– Dashed = Conditional
– Up = Loop
• Comment generated by IDA Pro
• Section
• Address
Options, General
• Adds comments to each instruction
Useful Windows for Analysis
Functions
• Shows each function, length, and flags
– L = Library functions
• Sortable
– Large functions usually more important
Names Window
• Every address with a name
– Functions, named code, named data, strings
Strings
Imports & Exports
Structures
• All active data structures
– Hover to see yellow pop-up window
Cross-Reference
• Double-click function
• Jump to code in other views
Function Call
• Parameters pushed onto stack
• CALL to start function
Returning to the Default View
• Windows, Reset Desktop
• Windows, Save Desktop
– To save a new view
Navigating IDA Pro
Imports or Strings
• Double-click any entry to display it in the disassembly window
Using Links
• Double-click any address in the disassembly window to display that location
History
• Forward and Back buttons work like a Web browser
Navigation Band
• Light blue: Library code
• Red: Compiler-generated code
• Dark blue: User-written code – Analyze this
Jump to Location
• Press G
• Can jump to address or named location
Searching
• Many options
• Search, Text is handy
Using Cross-References
Code Cross-References
• XREF comment shows where this function is called
• But it only shows a couple of cross-references by default
To See All Cross-References
• Click function name and press X
Data Cross-References
• Demo:
– Start with strings
– Double-click an interesting string
– Hover over DATA XREF to see where that string is used
– X shows all references
IDA Pro Data Notation: BYTE | WORD | DWORD | QWORD
• IDA declares initialized data as follows
– db: BYTE, byte (8-bit integer)
– dw: WORD, word (16-bit integer)
– dd: DWORD, double word (32-bit integer)
– dq: QWORD, quad word (64-bit integer)
– ? denotes that the value is unknown and will only be known at runtime
• Example: an uninitialized data section
• If you start a debug session with IDA, the address will eventually contain some value
– DT, DO, DY and DZ for floating point data values
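A small parser for the data notation above, added here as an example (not code from the slides or from IDA): it reads IDA-style `label directive operands` lines, including `?` and `N dup(...)` repeats, and reports how many bytes each item occupies and how many are unknown until runtime. The directive widths are the four listed above; the listing it runs on is constructed for the example.

```python
import re

# Byte widths of the IDA data-definition directives covered on the slide.
DIRECTIVE_SIZE = {"db": 1, "dw": 2, "dd": 4, "dq": 8}

_LINE = re.compile(r"^(\w+)\s+(db|dw|dd|dq)\s+(.*?)\s*(?:;.*)?$", re.IGNORECASE)
_ITEM = re.compile(r"'[^']*'|\"[^\"]*\"|[^,]+")   # operands; commas inside quotes stay
_DUP = re.compile(r"^(\w+)\s+dup\s*\((.*)\)$", re.IGNORECASE)

def _num(tok: str) -> int:
    """IDA writes hex with a trailing h (10h); anything else is decimal."""
    return int(tok[:-1], 16) if tok[-1] in "hH" else int(tok, 10)

def _item_bytes(item: str, width: int) -> tuple:
    """(total bytes, bytes marked '?' i.e. unknown until runtime) for one operand."""
    m = _DUP.match(item)
    if m:                               # e.g. 10h dup(?) repeats the inner item
        total, unknown = _item_bytes(m.group(2).strip(), width)
        return _num(m.group(1)) * total, _num(m.group(1)) * unknown
    if item[0] in "'\"":                # quoted text: one element per character
        return (len(item) - 2) * width, 0
    if item == "?":
        return width, width
    return width, 0

def measure_data(listing: str) -> dict:
    """Map each labelled data definition to (size, uninitialized) in bytes."""
    result = {}
    for line in listing.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        label, directive, operands = m.groups()
        width = DIRECTIVE_SIZE[directive.lower()]
        sizes = [_item_bytes(i.strip(), width) for i in _ITEM.findall(operands)]
        result[label] = (sum(s for s, _ in sizes), sum(u for _, u in sizes))
    return result

SAMPLE = """
dword_40A000 dd 2
byte_40A004  db 'Hi',0       ; NUL-terminated string
word_40A007  dw ?            ; value only known at runtime
buf_40A009   db 10h dup(?)   ; 16 bytes of uninitialized buffer
qword_40A019 dq 1, 2
"""  # constructed listing in IDA text-mode style, not taken from a real binary

if __name__ == "__main__":
    for label, (size, unknown) in measure_data(SAMPLE).items():
        print(f"{label:13} {size:3d} bytes, {unknown} uninitialized")
```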
Analyzing Functions
Function and Argument Recognition
• IDA Pro identifies a function, names it, and also names the local variables
– Local variables are labeled var_<offset> (offset from EBP)
– Parameters are labeled arg_<offset> (offset from EBP)
– It's not always correct
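To make the var_/arg_ convention concrete, here is an added example (not code from the slides or from IDA) that reproduces the naming for a standard EBP frame: negative offsets become var_N, offsets of 8 and above become arg_N (8 = saved EBP + return address), and the two slots in between stay unnamed. The snippet it rewrites is constructed; like IDA's own labelling, it is only right when EBP really is the frame pointer.

```python
import re

# Matches IDA-style EBP-relative operands such as [ebp-4], [ebp+8], [ebp-0Ch].
# IDA writes hex with a trailing h; a bare number is decimal.
_EBP_REF = re.compile(r"\[ebp([+-])([0-9A-Fa-f]+)(h?)\]", re.IGNORECASE)

def stack_name(offset: int):
    """Name IDA gives an EBP-relative stack slot in a standard frame.

    Assumes the usual prologue (push ebp / mov ebp, esp), so [ebp+0] holds the
    saved EBP, [ebp+4] the return address and [ebp+8] the first argument.
    Negative offsets are locals (var_N), offsets >= 8 are parameters (arg_N).
    """
    if offset < 0:
        return f"var_{-offset:X}"
    if offset >= 8:
        return f"arg_{offset - 8:X}"
    return None  # saved EBP / return address: IDA leaves these unnamed

def annotate(listing: str) -> str:
    """Rewrite [ebp+-disp] operands with IDA's var_/arg_ names.

    Mirrors IDA's labelling and inherits its caveat: a function that does not
    use EBP as a frame pointer is mislabelled the same way.
    """
    def repl(m: re.Match) -> str:
        sign, digits, h = m.groups()
        disp = int(digits, 16) if h else int(digits, 10)
        name = stack_name(-disp if sign == "-" else disp)
        return m.group(0) if name is None else f"[ebp+{name}]"
    return _EBP_REF.sub(repl, listing)

# Constructed snippet in the style of an IDA text-mode listing (not a real sample).
SAMPLE = """push    ebp
mov     ebp, esp
sub     esp, 0Ch
mov     eax, [ebp+8]
mov     [ebp-4], eax
mov     ecx, [ebp+0Ch]
mov     [ebp-0Ch], ecx
"""

if __name__ == "__main__":
    print(annotate(SAMPLE))
```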
Using Graphing Options
Navigating IDA Pro
• Most windows are linked to the disassembly window (text mode)
• Double-click an entry in the Imports window to go to that entry in text mode
• Three most common link types
– Sub: links to the start of a function, e.g. sub_40110A0
– Loc: links to a destination address, e.g. loc_40107E
– Offset: links to a memory offset
• XREF can also be used to jump to the referencing location
Graphing Options
• These are "Legacy Graphs" and cannot be manipulated with IDA
• The first two seem obsolete
– Flow chart
• Create flow chart of current function
– Function calls
• Graph function calls for entire program
Graphing Options
• Xrefs to
– Graphs XREFs to get to the selected XREF
– Can show all the paths that get to a function
Windows Genuine Status in Calc.exe
Graphing Options
• Xrefs from
– Graphs XREFs from the selected XREF
– Can show all the paths that exit from a function
Graphing Options
• User xrefs chart...
– Customize the graph's recursive depth, symbols used, to or from symbol, etc.
– The only way to modify legacy graphs
Enhancing Disassembly
Warning
• There's no Undo, so if you make changes and mess them up, you may be sorry
Renaming Locations
• IDA gives discovered values dummy names, which may not be very meaningful
• You can change a name like sub_401000 to ReverseBackdoorThread
• Change it in one place and IDA will change it everywhere else
Adding Comments
• Press colon (:) to add a single comment
• Press semicolon (;) to echo this comment to all Xrefs
Formatting Operands
• Hexadecimal by default
• Right-click to use other formats
Using Named Constants
• Makes Windows API arguments clearer
Redefining Data and Code
• After disassembly, IDA Pro may categorize bytes incorrectly as either data or code!
• You may redefine raw bytes as follows
– U: undefine a function, data or code
– C: define raw bytes as code
– D: define raw bytes as data
– A: define raw bytes as ASCII
IDA Notation and Assembler Directives
• Size Directives
– The intended size of the data item at a given memory address can be inferred from the assembly instruction in which it is referenced.
• E.g., the size of the memory region can be inferred from the size of the register operand.
• With a 32-bit register operand, the assembler infers that the region of memory referred to is 4 bytes wide.
– In some cases the size of a referred-to memory region is ambiguous, e.g. mov [ebx], 2
– Use <size> ptr <offset from stack base>, e.g. mov dword ptr [ebp-4], 2
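The size-inference rule above, as an added example (not code from the slides or from any assembler): a register operand fixes the size by its width, an explicit `<size> ptr` fixes it directly, and a `mov` whose operands are only a bare memory reference and an immediate is reported as ambiguous. The register table covers the 8-, 16- and 32-bit x86 integer registers; the function handles `mov` only, by assumption.

```python
import re

# Widths of the x86 integer registers an assembler can use to size a memory
# operand: 8-bit, 16-bit and 32-bit (the slide's example uses a 32-bit one).
REG_SIZE = {}
for shift, names in enumerate((("al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"),
                               ("ax", "cx", "dx", "bx", "sp", "bp", "si", "di"),
                               ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"))):
    REG_SIZE.update({r: 1 << shift for r in names})   # 1, 2, 4 bytes

PTR_SIZE = {"byte": 1, "word": 2, "dword": 4, "qword": 8}
_PTR = re.compile(r"^(byte|word|dword|qword)\s+ptr\s+\[")

def operand_size(op: str):
    """Bytes an operand pins down: a register by its width, a memory operand only
    if it carries an explicit '<size> ptr'. Bare [mem] and immediates give None."""
    op = op.strip().lower()
    if op in REG_SIZE:
        return REG_SIZE[op]
    m = _PTR.match(op)
    return PTR_SIZE[m.group(1)] if m else None

def infer_mov_size(instr: str):
    """Operand size of 'mov dst, src' as the assembler would infer it, or None
    when neither operand fixes it (e.g. mov [ebx], 2) and a size directive is needed."""
    mnemonic, _, rest = instr.strip().partition(" ")
    if mnemonic.lower() != "mov":
        raise ValueError("this example only handles mov")
    dst, src = (o.strip() for o in rest.split(",", 1))
    for op in (dst, src):
        size = operand_size(op)
        if size is not None:
            return size
    return None

def needs_size_directive(instr: str) -> bool:
    """True when the instruction must be written with '<size> ptr' to assemble."""
    return infer_mov_size(instr) is None

if __name__ == "__main__":
    for ins in ("mov [ebx], 2", "mov [ebx], eax", "mov dword ptr [ebp-4], 2"):
        print(f"{ins:26} -> size {infer_mov_size(ins)}, ambiguous={needs_size_directive(ins)}")
```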
References
• x86 Assembly Guide
• NASM: Netwide x64/x86 Assembler
Extending IDA with Plug-ins
• IDC (IDA's scripting language) and Python scripts available (link Ch 6a)