February 05, 2010

New IDC improvement in IDA Pro 5.6

Scripting with IDA Pro has always been a very handy feature, not only in scripts but also in expressions, breakpoint conditions, form fields, etc.
In IDA Pro 5.6 we improved the IDC language and made it more convenient to use by adding objects, exceptions, support for strings with embedded zeroes, string slicing and references.

Continue reading "New IDC improvement in IDA Pro 5.6" »

January 20, 2010

Hex-Rays against Aurora

As everyone knows, Google and some other companies were under a targeted attack a few days ago. A vulnerability in Internet Explorer was used to penetrate the computers.

An IDA user very kindly sent us the following link

http://www.avertlabs.com/research/blog/index.php/2010/01/18/an-insight-into-the-aurora-communication-protocol/

Continue reading "Hex-Rays against Aurora" »

January 16, 2010

Practical Appcall examples

Last week we introduced the new Appcall feature in IDA Pro 5.6. Today we will talk a little about how it's implemented and describe some of the uses of Appcall in various scenarios.

How Appcall works

Given a function with a correct prototype, the Appcall mechanism works like this:
  1. Save the current thread context
  2. Serialize the parameters (we do not allocate memory for the parameters, we use the debuggee's stack)
  3. Modify the input registers in question
  4. Set the instruction pointer to the beginning of the function to be called
  5. Adjust the return address so it points to a special area where we have a breakpoint (we refer to it as the control breakpoint)
  6. Resume the program and wait until we get an exception or hit the control breakpoint inserted in the previous step
  7. Deserialize the parameters passed by reference back into the caller and save the return value
In the case of a manual Appcall, the debugger module performs all but the last two steps, thus giving you a chance to debug the function in question interactively.
When you encounter the control breakpoint, you can issue the CleanupAppcall() IDC command to restore the previously saved thread context and resume your debugging session.
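The workflow above in script form, as an added example rather than code from the original post: an automatic Appcall that runs all seven steps, followed by a manual one that stops at the function entry. It assumes a Win32 debuggee suspended at a breakpoint and importing MessageBoxA; the SetAppcallOptions()/GetAppcallOptions() functions and the APPCALL_MANUAL flag are assumed from the IDC Appcall reference, so check your idc.idc if the names differ.

```idc
// Added example, not from the original post. Assumes a Win32 debuggee
// suspended in the debugger with MessageBoxA resolved in its import table.
// SetAppcallOptions/GetAppcallOptions/APPCALL_MANUAL are assumed to be the
// names used by the IDA 5.6 Appcall reference.
#include <idc.idc>

static main()
{
  auto ea, r, opts;

  // Step 0: Appcall needs a correct prototype for the target function
  ea = LocByName("MessageBoxA");
  if (ea == BADADDR)
  {
    Message("MessageBoxA not found in the debuggee\n");
    return;
  }
  SetType(ea, "int __stdcall MessageBoxA(int hwnd, const char *text, const char *caption, int type);");

  // Automatic Appcall: steps 1-7 run, and the return value comes back to us
  r = MessageBoxA(0, "Hello from Appcall", "IDA", 0);
  Message("MessageBoxA returned %d\n", r);

  // Manual Appcall: only steps 1-5 run. The call returns with the thread
  // context saved and the instruction pointer at MessageBoxA, so the function
  // can be single-stepped in the debugger UI.
  opts = GetAppcallOptions();
  SetAppcallOptions(opts | APPCALL_MANUAL);
  MessageBoxA(0, "Step through me", "IDA", 0);
  Message("Stopped at MessageBoxA entry; step until the control breakpoint,\n");
  Message("then run CleanupAppcall() to restore the saved thread context.\n");
  SetAppcallOptions(opts);
}
```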

Continue reading "Practical Appcall examples" »

January 12, 2010

Introducing the Appcall feature in IDA Pro 5.6

In this blog entry we are going to talk about the new Appcall feature that was introduced in IDA Pro 5.6. Briefly, Appcall is a mechanism used to call functions inside the debugged program from the debugger or your script as if it were a built-in function. If you've used GDB (call command), VS (Immediate window), or Borland C++ Builder then you're already familiar with such functionality.

(Screenshot showing how we called three functions (printf, MessageBoxA, GetDesktopWindow) using IDC syntax)

Before diving in, please keep in mind that this blog entry is a short version of the full Appcall reference found here.

Continue reading "Introducing the Appcall feature in IDA Pro 5.6" »

January 08, 2010

Debugging ARM code snippets in IDA Pro 5.6 using QEMU emulator

Introduction

IDA Pro 5.6 has a new feature: automatic running of the QEMU emulator. It can be used to debug small code snippets directly from the database. In this tutorial we will show how to dynamically run code that can be difficult to analyze statically.

Target

As an example we will use shellcode from the article "Alphanumeric RISC ARM Shellcode" in Phrack 66. It is self-modifying and, because of the alphanumeric restriction, can be quite hard to understand. So we will use the debugging feature to decode it.

Continue reading "Debugging ARM code snippets in IDA Pro 5.6 using QEMU emulator" »

January 06, 2010

PDF file loader to extract and analyse shellcode

One of the new features in IDA Pro 5.6 is the possibility to write file loaders using scripts such as IDC or Python.
To illustrate this new feature, we are going to explain how to write a file loader using IDC, and then we will write a file loader (in Python) that can extract shellcode from malicious PDF files.

Continue reading "PDF file loader to extract and analyse shellcode" »

November 20, 2009

Hex-Rays Plugin Contest

We are glad to announce the results of our first plugin contest! For the contest rules, please check this page:

http://www.hex-rays.com/contest.shtml

Or you may directly go to the contest results and check out some cool plugins:

http://www.hex-rays.com/contest2009

It was our first contest, but we are happy with the results and will repeat it in the near future.
Have fun!