You are previewing The IDA Pro Book.
O'Reilly logo
The IDA Pro Book

Book Description

No source code? No problem. With IDA Pro, you live in a source code-optional world. IDA can automatically analyze the millions of opcodes that make up an executable and present you with a disassembly. But at that point, your work is just beginning. With The IDA Pro Book, you'll learn how to turn that mountain of mnemonics into something you can actually use.

Hailed by the creator of IDA Pro as the "long-awaited" and "information-packed" guide to IDA, The IDA Pro Book covers everything from the very first steps to advanced automation techniques. While other disassemblers slow your analysis with inflexibility, IDA invites you to customize its output for improved readability and usefulness. You'll save time and effort as you learn to:

  • Identify known library routines, so you can focus your analysis on other areas of the code

  • Extend IDA to support new processors and filetypes, making disassembly possible for new or obscure architectures

  • Explore popular plug-ins that make writing IDA scripts easier, allow collaborative reverse engineering, and much more

  • Utilize IDA's built-in debugger to tackle obfuscated code that would defeat a stand-alone disassembler

You'll still need serious assembly skills to tackle the toughest executables, but IDA makes things a lot easier. Whether you're analyzing the software on a black box or conducting hard-core vulnerability research, a mastery of IDA Pro is crucial to your success. Take your skills to the next level with The IDA Pro Book.

Table of Contents

  1. THE IDA PRO BOOK
  2. Dedication
  3. FOREWORD
  4. ACKNOWLEDGMENTS
  5. INTRODUCTION
  6. I. INTRODUCTION TO IDA
    1. 1. INTRODUCTION TO DISASSEMBLY
      1. Disassembly Theory
      2. The What of Disassembly
      3. The Why of Disassembly
        1. Malware Analysis
        2. Vulnerability Analysis
        3. Software Interoperability
        4. Compiler Validation
        5. Debugging Displays
      4. The How of Disassembly
        1. A Basic Disassembly Algorithm
        2. Linear Sweep Disassembly
        3. Recursive Descent Disassembly
          1. Sequential Flow Instructions
          2. Conditional Branching Instructions
          3. Unconditional Branching Instructions
          4. Function Call Instructions
          5. Return Instructions
      5. Summary
    2. 2. REVERSING AND DISASSEMBLY TOOLS
      1. Classification Tools
        1. file
        2. PE Tools
        3. PEiD
      2. Summary Tools
        1. nm
        2. ldd
        3. objdump
        4. otool
        5. dumpbin
        6. c++filt
      3. Deep Inspection Tools
        1. strings
        2. Disassemblers
      4. Summary
    3. 3. IDA PRO BACKGROUND
      1. Hex-Rays’ Stance on Piracy
      2. Obtaining IDA Pro
        1. IDA Versions
        2. IDA Licenses
        3. Purchasing IDA
        4. Upgrading IDA
      3. IDA Support Resources
      4. Your IDA Installation
        1. Windows Installation
        2. OS X and Linux Installation
        3. The IDA Directory Layout
      5. Thoughts on IDA’s User Interface
      6. Summary
  7. II. BASIC IDA USAGE
    1. 4. GETTING STARTED WITH IDA
      1. Launching IDA
        1. IDA File Loading
        2. Using the Binary File Loader
      2. IDA Database Files
        1. IDA Database Creation
        2. Closing IDA Databases
        3. Reopening a Database
      3. Introduction to the IDA Desktop
      4. Desktop Behavior During Initial Analysis
      5. IDA Desktop Tips and Tricks
      6. Reporting Bugs
      7. Summary
    2. 5. IDA DATA DISPLAYS
      1. The Principal IDA Displays
        1. The Disassembly Window
          1. IDA Graph View
          2. IDA Text View
        2. The Names Window
        3. The Message Window
        4. The Strings Window
      2. Secondary IDA Displays
        1. The Hex View Window
        2. The Exports Window
        3. The Imports Window
        4. The Functions Window
        5. The Structures Window
        6. The Enums Window
      3. Tertiary IDA Displays
        1. The Segments Window
        2. The Signatures Window
        3. The Type Libraries Window
        4. The Function Calls Window
        5. The Problems Window
      4. Summary
    3. 6. DISASSEMBLY NAVIGATION
      1. Basic IDA Navigation
        1. Double-Click Navigation
        2. Jump to Address
        3. Navigation History
      2. Stack Frames
        1. Calling Conventions
          1. The C Calling Convention
          2. The Standard Calling Convention
          3. The fastcall Convention for x86
          4. C++ Calling Conventions
          5. Other Calling Conventions
        2. Local Variable Layout
        3. Stack Frame Examples
        4. IDA Stack Views
      3. Searching the Database
        1. Text Searches
        2. Binary Searches
      4. Summary
    4. 7. DISASSEMBLY MANIPULATION
      1. Names and Naming
        1. Parameters and Local Variables
        2. Named Locations
        3. Register Names
      2. Commenting in IDA
        1. Regular Comments
        2. Repeatable Comments
        3. Anterior and Posterior Lines
        4. Function Comments
      3. Basic Code Transformations
        1. Code Display Options
        2. Formatting Instruction Operands
        3. Manipulating Functions
          1. Creating New Functions
          2. Deleting Functions
          3. Function Chunks
          4. Function Attributes
          5. Stack Pointer Adjustments
        4. Converting Data to Code (and Vice Versa)
      4. Basic Data Transformations
        1. Specifying Data Sizes
        2. Working with Strings
        3. Specifying Arrays
      5. Summary
    5. 8. DATATYPES AND DATA STRUCTURES
      1. Recognizing Data Structure Use
        1. Array Member Access
          1. Globally Allocated Arrays
          2. Stack-Allocated Arrays
          3. Heap-Allocated Arrays
        2. Structure Member Access
          1. Globally Allocated Structures
          2. Stack-Allocated Structures
          3. Heap-Allocated Structures
          4. Arrays of Structures
      2. Creating IDA Structures
        1. Manual Structure Layout
          1. Creating a New Structure (or Union)
          2. Editing Structure Members
          3. Stack Frames as Specialized Structures
      3. Using Structure Templates
      4. Importing New Structures
        1. Parsing C Structure Declarations
        2. Parsing C Header Files
      5. Using Standard Structures
      6. IDA TIL Files
        1. Loading New TIL Files
        2. Sharing TIL Files
      7. C++ Reversing Primer
        1. The this Pointer
        2. Virtual Functions and Vtables
        3. The Object Life Cycle
        4. Name Mangling
        5. Runtime Type Identification
        6. Inheritance Relationships
        7. C++ Reverse Engineering References
      8. Summary
    6. 9. CROSS-REFERENCES AND GRAPHING
      1. Cross-References
        1. Code Cross-References
        2. Data Cross-References
        3. Cross-Reference Lists
        4. Function Calls
      2. IDA Graphing
        1. Legacy IDA Graphing
          1. Legacy Flowcharts
          2. Legacy Call Graphs
          3. Legacy Cross-Reference Graphs
          4. Custom Cross-Reference Graphs
        2. IDA’s Integrated Graph View
      3. Summary
    7. 10. THE MANY FACES OF IDA
      1. Console Mode IDA
        1. Common Features of Console Mode
        2. Windows Console Specifics
        3. Linux Console Specifics
        4. OS X Console Specifics
      2. Using IDA’s Batch Mode
      3. GUI IDA on Non-Windows Platforms
      4. Summary
  8. III. ADVANCED IDA USAGE
    1. 11. CUSTOMIZING IDA
      1. Configuration Files
        1. The Main Configuration File: ida.cfg
        2. The GUI Configuration File: idagui.cfg
        3. The Console Configuration File: idatui.cfg
      2. Additional IDA Configuration Options
        1. IDA Colors
        2. Customizing IDA Toolbars
      3. Summary
    2. 12. Library Recognition Using FLIRT Signatures
      1. Fast Library Identification and Recognition Technology
      2. Applying FLIRT Signatures
      3. Creating FLIRT Signature Files
        1. Signature-Creation Overview
        2. Identifying and Acquiring Static Libraries
        3. Creating Pattern Files
        4. Creating Signature Files
        5. Startup Signatures
      4. Summary
    3. 13. Extending IDA’s Knowledge
      1. Augmenting Function Information
        1. IDS Files
        2. Creating IDS Files
      2. Augmenting Predefined Comments with loadint
      3. Summary
    4. 14. PATCHING BINARIES AND OTHER IDA LIMITATIONS
      1. The Infamous Patch Program Menu
        1. Changing Individual Database Bytes
        2. Changing a Word in the Database
        3. Using the Assemble Dialog
      2. IDA Output Files and Patch Generation
        1. IDA-Generated MAP Files
        2. IDA-Generated ASM Files
        3. IDA-Generated INC Files
        4. IDA-Generated LST Files
        5. IDA-Generated EXE Files
        6. IDA-Generated DIF Files
        7. IDA-Generated HTML Files
      3. Summary
  9. IV. EXTENDING IDA’S CAPABILITIES
    1. 15. SCRIPTING WITH IDC
      1. Basic Script Execution
      2. The IDC Language
        1. IDC Variables
        2. IDC Expressions
        3. IDC Statements
        4. IDC Functions
        5. IDC Programs
        6. Error Handling in IDC
        7. Persistent Data Storage in IDC
      3. Associating IDC Scripts with Hotkeys
      4. Useful IDC Functions
        1. Functions for Reading and Modifying Data
        2. User Interaction Functions
        3. String-Manipulation Functions
        4. File Input/Output Functions
        5. Manipulating Database Names
        6. Functions Dealing with Functions
        7. Code Cross-Reference Functions
        8. Data Cross-Reference Functions
        9. Database Manipulation Functions
        10. Database Search Functions
        11. Disassembly Line Components
      5. IDC Scripting Examples
        1. Enumerating Functions
        2. Enumerating Instructions
        3. Enumerating Cross-References
        4. Enumerating Exported Functions
        5. Finding and Labeling Function Arguments
        6. Emulating Assembly Language Behavior
      6. Summary
    2. 16. THE IDA SOFTWARE DEVELOPMENT KIT
      1. SDK Introduction
        1. SDK Installation
        2. SDK Layout
        3. Configuring a Build Environment
      2. The IDA Application Programming Interface
        1. Header Files Overview
        2. Netnodes
          1. Creating Netnodes
          2. Data Storage in Netnodes
          3. Deleting Netnodes and Netnode Data
        3. Useful SDK Datatypes
        4. Commonly Used SDK Functions
          1. Basic Database Access
          2. User Interface Functions
          3. Manipulating Database Names
          4. Function Manipulation
          5. Structure Manipulation
          6. Segment Manipulation
          7. Code Cross-References
          8. Data Cross-References
        5. Iteration Techniques Using the IDA API
          1. Enumerating Functions
          2. Enumerating Structure Members
          3. Enumerating Cross-References
      3. Summary
    3. 17. THE IDA PLUG-IN ARCHITECTURE
      1. Writing a Plug-in
        1. The Plug-in Life Cycle
        2. Plug-in Initialization
        3. Event Notification
        4. Plug-in Execution
      2. Building Your Plug-ins
      3. Plug-in Installation
      4. Plug-in Configuration
      5. Extending IDC
      6. Plug-in User Interface Options
        1. Building Interface Elements with the SDK
          1. Using the SDK’s Chooser Dialogs
          2. Creating Customized Forms with the SDK
          3. Additional User Interface-Generation Techniques
      7. Summary
    4. 18. BINARY FILES AND IDA LOADER MODULES
      1. Unknown File Analysis
      2. Manually Loading a Windows PE File
      3. IDA Loader Modules
      4. Writing an IDA Loader
        1. The Simpleton Loader
        2. Building an IDA Loader Module
        3. A pcap Loader for IDA
      5. Alternative Loader Strategies
      6. Summary
    5. 19. IDA PROCESSOR MODULES
      1. Python Byte Code
      2. The Python Interpreter
      3. Writing a Processor Module
        1. The processor_t Struct
        2. Basic Initialization of the LPH Structure
        3. The Analyzer
        4. The Emulator
        5. The Outputter
        6. Processor Notifications
        7. Other processor_t Members
      4. Building Processor Modules
      5. Customizing Existing Processors
      6. Processor Module Architecture
      7. Summary
  10. V. REAL-WORLD APPLICATIONS
    1. 20. COMPILER VARIATIONS
      1. Jump Tables and Switch Statements
      2. RTTI Implementations
      3. Locating main
      4. Debug vs. Release Binaries
      5. Alternative Calling Conventions
      6. Summary
    2. 21. OBFUSCATED CODE ANALYSIS
      1. Anti–Static Analysis Techniques
        1. Disassembly Desynchronization
        2. Dynamically Computed Target Addresses
          1. Opcode Obfuscation
        3. Imported Function Obfuscation
        4. Targeted Attacks on Analysis Tools
      2. Anti–Dynamic Analysis Techniques
        1. Detecting Virtualization
        2. Detecting Instrumentation
        3. Detecting Debuggers
        4. Preventing Debugging
      3. Static De-obfuscation of Binaries Using IDA
        1. Script-Oriented De-obfuscation
        2. Emulation-Oriented De-obfuscation
          1. x86emu Initialization
          2. Basic x86emu Operation
          3. Emulator-Assisted De-obfuscation
          4. Additional x86emu Features
          5. x86emu and Anti-debugging
      4. Summary
    3. 22. VULNERABILITY ANALYSIS
      1. Discovering New Vulnerabilities with IDA
      2. After-the-Fact Vulnerability Discovery with IDA
      3. IDA and the Exploit-Development Process
        1. Stack Frame Breakdown
        2. Locating Instruction Sequences
        3. Finding Useful Virtual Addresses
      4. Analyzing Shellcode
      5. Summary
    4. 23. REAL-WORLD IDA PLUG-INS
      1. Hex-Rays
      2. IDAPython
      3. IDARub
      4. IDA Sync
      5. collabREate
      6. ida-x86emu
      7. mIDA
      8. Summary
  11. VI. THE IDA DEBUGGER
    1. 24. THE IDA DEBUGGER
      1. Launching the Debugger
      2. Basic Debugger Displays
      3. Process Control
        1. Breakpoints
        2. Tracing
        3. Stack Traces
        4. Watches
      4. Automating Debugger Tasks
        1. Scripting Debugger Actions with IDC
        2. Automating Debugger Actions with IDA Plug-ins
      5. Summary
    2. 25. DISASSEMBLER/DEBUGGER INTEGRATION
      1. Background
      2. IDA Databases and the IDA Debugger
      3. Debugging Obfuscated Code
        1. Simple Decryption and Decompression Loops
        2. Import Table Reconstruction
        3. Hiding the Debugger
        4. Dealing with Exceptions
      4. Summary
    3. 26. LINUX, OS X, AND REMOTE DEBUGGING WITH IDA
      1. Console-Mode Debugging
      2. Remote Debugging with IDA
        1. Exception Handling During Remote Debugging
        2. Using Scripts and Plug-ins During Remote Debugging
      3. Summary
    4. A. USING IDA FREEWARE 4.9
      1. Restrictions on IDA Freeware
      2. Using IDA Freeware
    5. B. IDC/SDK CROSS-REFERENCE
    6. C. WHAT’S NEW IN IDA 5.3
      1. Redesigned Debugger
      2. Type Library Support
      3. New IDC Functions
      4. New API/SDK Functionality
      5. Summary
  12. Index
  13. About the Author
  14. COLOPHON
  15. Copyright