
January 30, 2009

Kernel debugging with IDA

When IDA introduced debugging facilities years ago, analyzing hostile code became much easier: no more staring at static code and working out what it does; instead, just run the malware in a virtual machine and debug it remotely, or even debug a small code snippet straight from the database (with the Bochs-based debugger plugin).

With the IDA 5.4 release, in addition to the Bochs and GDB plugins, we also introduced a debugger plugin based on Microsoft's Debugger Engine (the same engine used by Windbg, cdb and kd). With this addition you can now debug live kernel targets from IDA as well.

For user mode debugging, the Windbg debugger plugin beats the win32 debugger plugin by giving you access to the wide range of extensions that ship with Microsoft's debugging tools.
For kernel debugging, you can use the Bochs disk image loader or the GDB plugin to debug the whole operating system, from the BIOS code onwards.
When the Windbg plugin is used, however, you get the raw power of the debugging engine (extensions, built-in commands, symbols, ...).

We prepared a video showing how to debug kernel mode and user mode at the same time with full symbolic information (taken from the PDB files).
The video also demonstrates how to set breakpoints on user mode APIs and watch them trigger when any application in the system calls those APIs.

Before viewing the video, for those who want to experiment with the Windbg debugger plugin to debug kernel mode and user mode at the same time, here is how to prepare a database:

  1. If you have never used the Windbg debugger plugin before, please visit the Windbg plugin tutorial page
  2. Set up a process server inside the VM and attach to it from IDA to debug any user mode application
  3. Once attached, go to the desired segments (kernel32, user32, advapi32, gdi32, etc.) and convert them to loader segments
  4. If the symbol retrieval mechanism is properly configured, most system DLLs will have symbol information; otherwise only exported names will be available
  5. We now have a database with all the user mode components we wish to inspect from the live kernel debugging session
  6. Using the same database, change the connection string so that it connects to the same VM, this time for live kernel debugging
  7. Once attached to the kernel, IDA will list the loaded drivers and kernel mode modules in the debugger's modules list
  8. Convert the kernel mode components of interest to loader segments as well
  9. That's it! The database is now suited for kernel debugging, yet still contains the names and addresses of the user mode components

The video will put everything into perspective!

January 20, 2009

IDA v5.4 release is not that far away

I'm happy to inform you that we are entering the beta stage of IDA v5.4!

In addition to numerous small and not that small improvements, the new version will have three debugger modules: bochs, gdb, and windbg, selectable on the fly (the active debugger session will be closed, though ;))


  • With the bochs debugger, we offer three different worlds: run-any-code-snippet facility, windows-like-environment for PE files, and any-bochs-image bare-bone machine emulation mode. You can read more about this module in our blog: http://hexblog.com/2008/11/bochs_plugin_goes_alpha.html
  • With gdb, x86 and ARM targets are supported. Among other things, it is possible to connect IDA to QEMU or to debug a virtual machine inside VMWare. We tried it with the iPhone as well. However, while it works in some circumstances, there were some problems on the gdbserver side.
  • With windbg, user and kernel mode debugging is available. The debugger engine from Microsoft, which is currently the only choice for driver and kernel mode debugging, can be used from IDA. It can automatically load the required PDB files and populate the listing with meaningful names, types, etc. Speaking of PDB files, IDA now imports more information from them: local function variables and types are retrieved too, C++ base classes are handled, etc.

The gdb and windbg debugger modules support local and remote debugging. We tried to make the debugger modules as open as possible: target-specific commands can be sent to all backend engines in a very easy and user-friendly way.

As usual, better analysis and many minor changes have been made. If you spend plenty of time analyzing gcc-generated binaries, you'll certainly appreciate that IDA now handles gcc's weird way of preparing outgoing function arguments: it can trace and find argument copies placed on the stack with mov instructions.

The new IDA will support Python out of the box, thanks to Gergely Erdelyi, who kindly agreed to have the Python plugin included in the official distribution. In fact, the main IDA window will have a command line where you can enter any Python (or other language) expression and immediately see the result in the message window.

We will prepare the detailed list of improvements later this week.