Reverse Engineering Code with IDA Pro

Book Description

If you want to master the art and science of reverse engineering code with IDA Pro for security R&D or software debugging, this is the book for you. Highly organized and sophisticated criminal entities are constantly developing more complex, obfuscated, and armored viruses, worms, Trojans, and botnets. IDA Pro's interactive interface and programmable development language provide you with complete control over code disassembly and debugging. This is the only book that focuses exclusively on the world's most powerful and popular tool for reverse engineering code.

* Reverse Engineer REAL Hostile Code
  To follow along with this chapter, you must download a file called !DANGER!INFECTEDMALWARE!DANGER!... 'nuff said.
* Download the Code!
  The companion Web site to this book offers up really evil code for you to reverse engineer and really nice code for you to automate tasks with the IDC Scripting Language.
* Portable Executable (PE) and Executable and Linking Formats (ELF)
  Understand the physical layout of PE and ELF files, and analyze the components that are essential to reverse engineering.
* Break Hostile Code Armor and Write Your Own Exploits
  Understand execution flow, trace functions, recover hard-coded passwords, find vulnerable functions, backtrace execution, and craft a buffer overflow.
* Master Debugging
  Debug in IDA Pro, use a debugger while reverse engineering, perform heap and stack access modification, and use other debuggers.
* Stop Anti-Reversing
  Anti-reversing, like reverse engineering or coding in assembly, is an art form. The trick, of course, is to try to stop the person reversing the application. Find out how!
* Track a Protocol through a Binary and Recover Its Message Structure
  Trace execution flow from a read event, determine the structure of a protocol, determine whether the protocol has any undocumented messages, and use IDA Pro to identify the functions that process a particular message.
* Develop IDA Scripts and Plug-ins
  Learn the basics of IDA scripting and syntax, and write IDC scripts and plug-ins to automate even the most complex tasks.

Table of Contents

  1. Copyright
  2. Visit us at www.syngress.com
    1. Solutions Web Site
    2. Ultimate CDs
    3. Downloadable E-Books
    4. Syngress Outlet
    5. Site Licensing
    6. Custom Publishing
  3. About IOActive
  4. Contributing Authors
  5. 1. Introduction
    1. An Overview of Code Debuggers
    2. Summary
  6. 2. Assembly and Reverse Engineering Basics
    1. Introduction
    2. Assembly and the IA-32 Processor
    3. The Stack, the Heap and Other Sections of a Binary Executable
    4. IA-32 Instruction Set Refresher and Reference
    5. Summary
  7. 3. Portable Executable and Executable and Linking Formats
    1. Introduction
    2. Portable Executable Format
    3. Executable and Linking Format
    4. Summary
  8. 4. Walkthroughs One and Two
    1. Introduction
    2. Following Execution Flow
      1. Reversing What the Binary Does
        1. The Processing Subroutine
    3. Solutions Fast Track
      1. Understanding Execution Flow
      2. Recovering Hard Coded Password
    4. Frequently Asked Questions
  9. 5. Debugging
    1. Introduction
    2. Debugging Basics
      1. Breakpoints
        1. Hardware Breakpoints
        2. Software Breakpoints
        3. Using Breakpoints
      2. Single Stepping
      3. Watches
      4. Exceptions
      5. Tracing
    3. Debugging in IDA Pro
    4. Use of Debugging while Reverse Engineering
    5. Heap and Stack Access and Modification
    6. Other Debuggers
      1. Windbg
      2. Ollydbg
      3. Immunity Debugger (Immdbg)
      4. PaiMei/PyDbg
      5. GDB
    7. Summary
  10. 6. Anti-Reversing
    1. Introduction
    2. Debugging
    3. Example Overview
    4. Obfuscation
    5. Summary
  11. 7. Walkthrough Four
    1. The Protocol Problem
    2. Protocol Structure
      1. Framing and Reassembly
      2. Self Similarity
      3. Hit Marking
      4. Example Hitlist
  12. 8. Advanced Walkthrough
    1. Introduction
    2. Reversing Malware
  13. 9. IDA Scripting and Plug-ins
    1. Introduction
    2. Basics of IDA Scripting
    3. IDC Syntax
      1. Output
      2. Variables
      3. Conditionals
      4. Loops
      5. Functions
        1. Local and Global Scope
      6. Global Variables
    4. Simple Script Examples
    5. Writing IDC Scripts
      1. Problem solving with IDC
        1. The Problem
        2. Problem Background
        3. Proposed solution
        4. Possible Improvements
      2. New IDC Debugger Functionality
      3. Useful IDC Functions
        1. Reading and Writing Memory
        2. Cross References
          1. Code Xrefs
          2. Data Xrefs
        3. Data Representation
        4. Comments
        5. Code Traversal
        6. Input and Output
    6. Basics of IDA Plug-ins
      1. Module/Plug-in Resources
      2. Introducing the IDA Pro SDK
        1. SDK Layout
    7. Plug-in Syntax
    8. Setting up the Development Environment
    9. Simple Plug-in Examples
      1. The Hello World Plug-in
      2. The find memcpy Plug-in
        1. Collecting Data
        2. Displaying Data
        3. Conclusion
    10. The Indirect Call Plug-in
      1. Proposed Strategy
      2. Collecting Data
      3. User Interface
      4. Implementing the Callback
        1. dbg_bpt
        2. dbg_step_into
        3. dbg_process_exit
      5. Presenting Results
    11. Plug-in Development and Debugging Strategies
      1. Create a new IDA Development Directory
      2. Editing Configuration Files
        1. Using an Unpacked Database
        2. Enabling Exit without Saving
        3. Plug-in Arguments
        4. Scripting to Help Plug-in Development
    12. Loaders
    13. Processor Modules
    14. Third-party Scripting Plug-ins
      1. IDAPython
        1. Supported Platforms
      2. IDARub
    15. Frequently Asked Questions