Hex blog

Preview of the new cross-platform IDA Pro GUI

2010-03-10T11:33:17Z

In order to provide our customers with the best user experience and in order to target many different platforms, the IDA Pro graphical user interface is currently being rewritten using the Qt technology.

Qt (pronounced "cute") is a cross-platform application and UI framework and the Win32 VCL-based IDA Pro interface is being ported to it. The goal is to provide all the features available in the current GUI while maintaining the maximum compatibility with plugins and other external modules.

Here is a screenshot of the current build of idaqt running on Ubuntu:

You can click on the images to enlarge them.

]]> From the first version idaqt will include a fully functional graphing, which is, as it is possible to notice from the screenshot, already implemented. The same is true for hints, navigation band and all other advanced IDA Pro features.

This is idaqt on Windows 7. The text view looks exactly the same and all other features like choosers and forms will be available with no exception on all supported platforms.

The full range of options and customizations which the Win32 interface provides will be available as well.

As you can see, apart from the still to be implemented docking, the new interface looks pretty much the same as the Win32 one.

Not only will it be possible to deploy the same native graphical interface to Windows, OS X, Linux and other platforms which in the future may become popular, but the quality of the user experience and the further development capabilities will be hugely increased thanks to an advanced framework such as Qt.

Although idaqt is going to replace the current GUI completely, for some time they will be deployed together in order to fix any incompatibility issues and to give third party developers the necessary time to thoroughly test their products against the new interface.

Custom data types and formats

2010-02-25T17:48:44Z

Another new feature that will be available in the upcoming version of IDA Pro is the ability to create and render custom data types and formats.

(Embedded instructions disassembled and rendered along side with x86 code)
]]>

What are custom types and formats

Custom data type: A custom type is basically just a way to tag some bytes for later display with custom format, when the built-in IDA types (dt_byte, dt_word, etc) are not enough. For example: an XMM vector, a Pascal string, a half-precision (16 bits) floating-point number, a 16:32 far pointer (fword), uleb128 number and so on. To define a custom type, you need to provide its name, size (fixed or dynamically calculated), keyword for disassembly and a few other attributes.
Custom data format: The custom data format allows you do display a custom or built-in data type in any way you like. You can register several formats for each type and switch the representation. For example, you might want to switch the display of the same 16-byte XMM vector between four floats or two doubles. A format definition includes callback for printing (to display) and scanning (used during debugging to change the register values).

For example, here is a custom MAKE_DWORD format applied to the built-in dword type:

Its implementation is very simple:

Next we illustrate some possible usages of custom types and formats. Other uses are also possible too, it is up to your imagination.

Decoding embedded bytecodes

Imagine you are debugging an x86 program that implements its own VM and embeddes them in the program.
The classical solution for this problem can be:

Write a dedicated processor module and then load the extracted bytecodes separately
Or define the bytecodes as bytes and then use comments to describe the real meaning of those bytecodes.

With this new addition, one can just write a custom data type to handle the situation:

And if you happen to have a situation where the bytecodes are operands to instructions (as means of obfuscation), you can still apply the custom format on those operands:

The previous blog entry showed how to write processor modules using Python. What if one simply uses the "import" statement to import a full-blown processor module script and use it in the custom data types/formats? ;)

Displaying resource strings

When reversing MS Windows applications, one can encounter string IDs, but then how to easily and nicely go fetch the data and display it in the disassembly listing?
Normally, one would have to use a resource editor to extract the string value corresponding to the string id, then to create an enum in IDA for each string ID with a repeatable comment:

That works, but what about writing your own custom format instead:

And then applying it directly without having to use a resource editor to extract the string value, have the custom format do that programmatically for you :

This is how a resource string custom format handler can look like:

To take a closer look at it, you can download the custom data type handler script along with the source code of the simplevm assembler/disassembler and the C program that was used in this article.

Scriptable Processor modules

2010-02-16T17:38:51Z

One of the new features we are preparing for the next version of IDA is the ability to write processor modules using your favorite scripting language.
After realizing how handy it is to write file loaders using scripting languages, we set out to making the same thing for processor modules. As an exercise for this new feature, we implemented a processor module for the EFI bytecode.

]]> Background In IDA Pro, a processor module implementation is usually split into four parts:

Processor, assembler, instructions and registers definitions (ins.cpp/.hpp, reg.cpp)
Decoder (ana.cpp): decodes an instruction into an insn_t structure (the 'cmd' global variable)
Emulation (emu.cpp): emulates instructions, creates appropriate cross references, traces the stack, recognizes code patterns, etc...
Output (out.cpp): outputs the result to the screen

The processor module is described using the processor_t structure. It holds pointers to registers, instructions, processor module name and other callbacks (ana, emu, out, notify, ...).
The assembler is described using the asm_t structure. It holds pointers to the assembler syntax and other callbacks.
For more information about structures and functions used in IDA API and processor modules (e.g. insn_t), see this great tutorial by Steve Micallef.

Writing a processor module in Python

To write a processor module in Python, we follow similar logic.

Write the get_idp_desc() function. It simply tells IDA what processors the module can handle.
```
def get_idp_desc():
    return "EFI Byte code:ebc"
```
The return value means that this processor is named "EFI Byte code" and its shortname is "ebc". Thus a subsequent call to set_processor_type('ebc') from the part of a file loader will succeed.
In case of the pc processor module, which can handle many variations of x86 architecture, the string looks like this:
```
Intel 80x86 processors:8086:80286r:80286p:80386r:80386p:...
```

Define the registers and instructions:

# Registers definition
  proc_Registers = [
      # General purpose registers
      "R0",
      "R1",
      ...,
      "R10",
      ...
  ]

  # Instructions definition
  proc_Instructions = [
      {'name': 'INSN1', 'feature': CF_USE1},
      {'name': 'INSN2', 'feature': CF_USE1 | CF_CHG1}
      ...
  ]

Write the get_idp_def() function. It should return a dictionary similar to the processor_t structure with the processor, assembler, instructions and registers definitions.

# This function returns the processor module definition
def get_idp_def():
    return {
        'version': IDP_INTERFACE_VERSION,

        # IDP id
        'id' : 0x8000 + 1,

        # Processor features
        'flag' : PR_USE32 | PRN_HEX | PR_RNAMESOK,

        # short processor names
        # Each name should be shorter than 9 characters
        'psnames': ['ebc'],

        # long processor names
        # No restriction on name lengthes.
        'plnames': ['EFI Byte code'],

        # number of registers
        'regsNum': len(proc_Registers),

        # register names
        'regNames': proc_Registers,
      
        # Array of instructions
        'instruc': proc_Instructions,
        ....
        'assembler': \
        {
                # flag
                'flag' : ASH_HEXF3 | AS_UNEQU | AS_COLON | ASB_BINF4 | AS_N2CHR,

                # Assembler name (displayed in menus)
                'name': "EFI bytecode assembler",
                ...
                # byte directive
                'a_byte': "db",

                # word directive
                'a_word': "dw",

                # remove if not allowed
                'a_dword': "dd",
                ...

        } # Assembler
    }

Now that we finished all the declarations, we can implement the decoder (or analyzer), emulator and the output callbacks.

The analyzer looks like this:

def ph_ana():
    """
    Decodes an instruction into the global variable 'cmd'
    Current address is pre-filled in cmd.ea
    """
    cmd = idaapi.cmd

    # take opcode byte
    b = ua_next_byte()
    # decode and fill cmd.Operands etc...
    # ...

    # Return decoded instruction size or zero
    return cmd.size

And decoding one instruction/filling the 'cmd' variable may look like this:

def decode_JMP8(opbyte, cmd):
    conditional   = (opbyte & 0x80) != 0
    cs            = (opbyte & 0x40) != 0
    cmd.Op1.type  = o_near
    cmd.Op1.dtyp  = dt_byte
    addr          = ua_next_byte()
    cmd.Op1.addr  = (as_signed(addr, 8) * 2) + cmd.size + cmd.ea

    if conditional:
        cmd.auxpref = FL_CS if cs else FL_NCS

    return True

The emulator:

# Emulate instruction, create cross-references, plan to analyze
# subsequent instructions, modify flags etc. Upon entrance to this function
# all information about the instruction is in 'cmd' structure.
# If zero is returned, the kernel will delete the instruction.
def ph_emu():
    aux = cmd.auxpref
    Feature = cmd.get_canon_feature()

    if Feature & CF_USE1:
        handle_operand(cmd.Op1, 1)
    if Feature & CF_CHG1:
        handle_operand(cmd.Op1, 0)
    if Feature & CF_USE2:
        handle_operand(cmd.Op2, 1)
    if Feature & CF_CHG2:
        handle_operand(cmd.Op2, 0)
    if Feature & CF_JUMP:
        QueueMark(Q_jumps, cmd.ea)

    # add flow xref
    if Feature & CF_STOP == 0:
        ua_add_cref(0, cmd.ea + cmd.size, fl_F)

    return 1

The output callback:

# Generate text representation of an instruction in 'cmd' structure.
# This function shouldn't change the database, flags or anything else.
# All these actions should be performed only by ph_emu() function.
def ph_out():
    cmd = idaapi.cmd
    # Init output buffer
    buf = idaapi.init_output_buffer(1024)

    # First, output the instruction mnemonic
    OutMnem()

    # Output the first operand if present (this invokes the ph_outop callback)
    out_one_operand( 0 )

    # Output the rest of the operands
    for i in xrange(1, 3):
        op = cmd[i]

        if op.type == o_void:
            break

        out_symbol(',')
        OutChar(' ')
        out_one_operand(i)

    # Terminate the output buffer
    term_output_buffer()

    # Emit the line
    cvar.gl_comm = 1
    MakeLine(buf)

Note that the previous callbacks are very similar to their C language counterparts.

Although this feature will not work with the current version of IDA Pro, you can download the EBC script sample for a preview of how a module would look.

If you like this feature, make sure to apply for the beta testing of next version when we announce it!

New IDC improvement in IDA Pro 5.6

2010-02-05T19:31:30Z

Scripting with IDA Pro has always been a very handy feature, not only when used in scripts but also in expressions, breakpoint conditions, form fields, etc...
In IDA Pro 5.6 we improved the IDC language and made it more convenient to use by adding objects, exceptions, support for strings with embedded zeroes, string slicing and references.
]]> General language improvements Local variables can now be declared and initialized anywhere within a function:

static func1()
{
  Message("Hello world\n");
  auto s = AskStr("Enter new name", "noname00");
  // ...
  auto i = 0;
  // ....
}

Global variables can be declared (in a function or in the global scope) with the extern keyword:

// Global scope
extern g_count; // Global variables cannot be initialized during declaration

static main()
{
  extern g_another_var;
  g_another_var = 123;
  g_count = 1;
}

Functions can be passed around and used as callbacks:

static my_func(a,b)
{
  Message("a=%d, b=%d\n", a, b);
}
static main()
{
  auto f = my_func;

  f(1, 2);
}

Strings can now contain the zero character thus allowing you to use IDC strings like buffers. This is extremely useful when used with Appcall to call functions that expect buffers:

auto s = "\x83\xF9\x00\x74\x10";
Message("len=%d\n", strlen(s));
// Construct a buffer with strfill()
s = strfill('!', 100);
Message("len=%d\n", strlen(s));

Strings can be easily manipulated with slices (Python style):

#define QASSERT(x) if (!(x)) { Warning("ASSERT: " #x); }
auto x = "abcdefgh";
// get string slice
QASSERT(x[1] == "b");
QASSERT(x[2:] == "cdefgh");
QASSERT(x[:3] == "abc");
QASSERT(x[4:6] == "ef");

// set string slice
x[0]   = "A";           QASSERT(x == "Abcdefgh");
x[1:3] = "BC";          QASSERT(x == "ABCdefgh");
// delete part of a string
x[4:5] = "";            QASSERT(x == "ABCdfgh");

// patch part of the string with numbers
x[0:4] = 0x11223344;

Strings and numbers are always passed by value in IDC, but now it is possible to pass variables by reference (using the ampersand operator):

static incr(a)
{
  a++;
}

static main()
{
  auto i = 1;

  incr(&i);

  Message("i=%d\n", i);
}

Note that objects (described below) are always passed by reference.

IDC classes

Classes can now be declared in IDC. All classes derive from the built-in base class object:

auto o = object();
o.ea = here;
o.flag = 0;

User objects can be defined with the class keyword:

class testclass
{
  testclass(name)
  {
    Message("constructing: %s\n", name);
    this.name = name;
  }
  ~testclass()
  {
    Message("destructing: %s\n", this.name);
  }
  set_name(n)
  {
    Message("testclass.set_name -> old=%s new=%s\n", this.name, n);
    this.name = n;
  }

  get_name()
  {
    return this.name;
  }
}

static f1(n)
{
  auto o1 = testclass("object in f1()");
  o1.set_name(n);
}

static main()
{
  auto o2 = testclass("object2 in main()");
  Message("calling f1()\n");
  f1("new object1 name");
  Message("returned from f1()\n");
}

Which outputs the following when executed:

constructing: object2 in main()
calling f1()
constructing: object in f1()
testclass.set_name -> old=object in f1() new=new object1 name
destructing: new object1 name
returned from f1()
destructing: object2 in main()

To enumerate all the attributes in an object:

auto attr_name;
auto o = object();
o.attr1 = "value1";
o.attr2 = "value2";
for ( attr_name=firstattr(o); attr_name != 0; attr_name=nextattr(o, attr_name) )
  Message("->%s: %s\n", attr_name, getattr(o, attr_name));

If object attribute names are numbers then they can be accessed with the subscript operator:

auto o = object();
o[0] = "zero";
o[1] = "one";

With this knowledge, we can write a simple IDC list class:

class list
{
  list()
  {
    this.__count = 0;
  }
  size()
  {
    return this.__count;
  }
  add(e)
  {
    this[this.__count++] = e;
  }
}

static main()
{
  auto a = list();
  a.add("hello");
  a.add("world");
  a.add(5);

  auto i;
  for (i=a.size()-1;i>=0;i--)
    print(a[i]);
}

IDC classes also support inheritance:

class testclass_extender: testclass
{
  testclass_extender(id): testclass('asdf')
  {
    this.id = id;
  }
  // Override a method and then call the base version
  set_name(n)
  {
    Message("testclass_extender-> %s\n", n);
    testclass::set_name(this, n);
  }
}

They also support getattr/setattr hooking like in Python:

class attr_hook
{
  attr_hook()
  {
    this.id = 1;
  }
  // setattr will trigger for every attribute assignment
  __setattr__(attr, value)
  {
    Message("setattr: %s->", attr);
    print(value);
    setattr(this, attr, value);
  }
  // getattr will only trigger for non-existing attributes
  __getattr__(attr)
  {
    Message("getattr: '%s'\n", attr);
    if ( attr == "magic" )
      return 0x5f8103;
    // Ofcourse this will cause an exception since 
    // we try to fetch a non-existing attribute
    return getattr(this, attr);
  }
}

Exceptions

Normally when a runtime error occurs, the script will abort and the interpret will display the runtime error message. With the use of exception handling, one can catch runtime errors:

static test_exceptions()
{
  // variable to hold the exception information
  auto e;
  try
  {
    auto a = object();

    // Try to read an invalid attribute:
    Message("a.name=%s\n", a.name);
  }
  catch ( e )
  {
    Message("Exception occured. Exception dump follows:\n");
    print(e);
  }
}

Resulting in the following output:

Executing function 'main'...
Exception occured. Exception dump follows:
object
  description: "No such attribute: object.name"
  file: "C:\\Temp\\ida56.idc"
  func: "test_exceptions"
  line:          91.       5Bh
  pc:          31.       1Fh  
  qerrno:        1538.      602h

IDC debugging tips

Last but not least, we would like to mention two useful IDC debugging tips.

The first (we used it previously) involves the print() function:

// Print variables in the message window
// This function print text representation of all its arguments to the output window.
// This function can be used to debug IDC scripts
void    print           (...);

This function can be very handy when used to print a variable of any type especially objects and all their nested attributes.

And the second tip involves the use of the command window to evaluate commands. The trick is to type an IDC statement without a terminating semicolon.
To illustrate, we will first use the DecodeInstruction() with a semicolon:

And now the same thing, repeated, without a semicolon would automatically invoke the print() against the returned result, thus:

Although we said two debugging tips, but here's the third: you can use the peroid key (".") to jump from an IDA View to the command window and the escape key to return to the IDA View.
The script snippets used in this blog entry can be downloaded from here.

Hex-Rays against Aurora

2010-01-20T12:30:17Z

As everyone knows, Google and some other companies were under a targeted attack a few days ago. A vulnerability in the Internet Explorer was used to penetrate the computers.

An IDA user very kindly sent us the following link

http://www.avertlabs.com/research/blog/index.php/2010/01/18/an-insight-into-the-aurora-communication-protocol/

]]> As it is visible from the screenshots, the code is somewhat nasty to analysis, because it consists of very short blocks like this:

Even displayed in the graph mode, the output is still lengthy and messy:

We were pleasantly surprised to see how the decompiler handles this code:

I renamed some variables and specified their types, but even without this, the output was very readable.

Just one more example. Virtually all functions are obfuscated with this quite simple technique:

Yet the decompiler output is pleasing to the eye:

I'm very impressed by the results :)

We are currently completing support for intrinsic functions in the decompiler (it turned out that there are literally hundreds and hundreds of them). Also, SEE based scalar floating point computations will be mapped to high level constructs. It will probably take a few more weeks before the code stabilizes, it won't be long. Thanks for being patient :)

Practical Appcall examples

2010-01-16T16:00:31Z

Last week we introduced the new Appcall feature in IDA Pro 5.6. Today we will talk a little about how it's implemented and describe some of the uses of Appcall in various scenarios.

How Appcall works

Given a function with a correct prototype, the Appcall mechanism works like this:

Save the current thread context
Serialize the parameters (we do not allocate memory for the parameters, we use the debuggee's stack)
Modify the input registers in question
Set the instruction pointer to the beginning of the function to be called
Adjust the return address so it points to a special area where we have a breakpoint (we refer to it as control breakpoint)
Resume the program and wait until we get an exception or the control breakpoint (inserted in the previous step)
Deserialize back the input (only for parameters passed by reference) and save the return value

In the case of a manual Appcall, the debugger module will do all but the last two steps, thus giving you a chance to debug interactively the function in question.
When you encounter the control breakpoint:

you can issue the CleanupAppcall() IDC command to restore the previously saved thread context and resume your debugging session.]]> Using the debuggee functions Sometimes it is useful to call certain functions from inside your debuggee's context:

Functions that you identified as cryptographic functions: encrypt/decrypt/hashing functions
Explicitly call not-so-popular functions: instead of waiting the program to call a certain function, simply call it directly
Change the program logic: by calling certain debuggee functions it is possible to change the logic and the internal state of the program
Extend your program: since Appcall can be used inside the condition expression of a conditional breakpoint, it is possible to extend applications that way
Fuzzing applications: easily fuzz your program on a function level
...

Let's take a program that contains a decryption routine that we want to use:

In IDC, you can do something like:

auto s_in = "SomeEncryptedBuffer", s_out = strfill(SizeOfBuffer);
decrypt_buffer(&s_in, &s_out, SizeOfBuffer);

Or in Python:

# Explicitly create the buffer as a byref object
s_in = Appcall.byref("SomeEncryptedBuffer")
# Buffers are always returned byref
s_out = Appcall.buffer(" ", SizeOfBuffer)
# Call the debuggee
Appcall.decrypt_buffer(s_in, s_out, SizeOfBuffer)
# Print the result
print "decrypted=", s_out.value

Function level fuzzing

Instead of generating input strings and passing them to the application as command line arguments, input files, etc...it is also possible to test the application on a function level using Appcall.
It is sufficient to find the functions we want to test, give them appropriate prototypes and Appcall each one of these functions with the desired set of (malformed) input.

def fuzz_func1():
  """
  Finds functions with one parameter that take a string buffer and tries to see if one
  of these functions will crash if a malformed input was passed
  """
  
  # prepare functions search criteria
  tps  = ['LPCWSTR', 'LPCSTR', 'char *', 'const char *', 'wchar_t *']
  tpsf = [1    , 0     , 0     , 0       , 1]
  pat  = r'\((%s)\s*\w*\)' % "|".join(tps).replace('*', r'\*')

  # set Appcall options
  old_opt = Appcall.set_appcall_options(Appcall.APPCALL_DEBEV)

  # Enumerate all functions
  for x in Functions():
    # Get the type string
    t = GetType(x)
    if not t:
      continue
    # Try to parse its declaration
    t = re.search(pat, t)
    if not t:
      continue

    # Check if the parameter is a unicode string or not
    is_unicode = tpsf[tps.index(t.group(1))]

    
    # Form the input string: here we can generate mutated input
    # and keep on looping until our input pool for this function is exhausted.
    # For demonstration purposes only one string is passed to the Appcalled functions
    s = "A" * 1000
    # Do the Appcall but protect it with try/catch to receive the exceptions
    try:
      # Create the buffer appropriately
      if is_unicode:
        buf = Appcall.unicode(s)
      else:
        buf = Appcall.buffer(s)
      print "%x: calling. unicode=%d" % (x, is_unicode)
      # Call the function in question
      r = Appcall[x](buf)
    except OSError, e:
      exc_code = idaapi.as_uint32(e.args[0].code)
      print "%X: Exception %X occurred @ %X. Info: <%s>\n" % (x, 
        exc_code, e.args[0].ea, e.args[0].info)
      # stop the test
      break
    except Exception, e:
      print "%x: Appcall failed!" % x
      break
  # Restore Appcall options
  Appcall.set_appcall_options(old_opt)

It is important to enable the APPCALL_DEBEV Appcall option in order to retrieve the last exception that occurred during the Appcall.

Injecting Libraries in the Debuggee

To inject libraries in the debuggee simply Appcall LoadLibrary():

loadlib = Appcall.proto("kernel32_LoadLibraryA", "int __stdcall loadlib(const char *fn);")
hmod = loadlib("dll_to_inject.dll")

Set/Get the last error

To retrieve the last error value we can either parse it manually from the TIB or Appcall the GetLastError() API:

getlasterror = Appcall.proto("kernel32_GetLastError", "DWORD __stdcall GetLastError();")
print "lasterror=", getlasterror()

Similarly we can do the same to set the last error code value:

setlasterror = Appcall.proto("kernel32_SetLastError", "void __stdcall SetLastError(int dwErrCode);")
setlasterror(5)

Retrieving the command line value

To retrieve the command line of your program we can either parse it from the PEB or Appcall the GetCommandLineA() API:

getcmdline = Appcall.proto("kernel32_GetCommandLineA", "const char *__stdcall getcmdline();")
print "command line:", getcmdline()

Setting/Resetting events

Sometimes the debugged program may deadlock while waiting on a semaphore or an event. You can manually release the semaphore or signal the event. Killing a thread is possible too:

releasesem = Appcall.proto("kernel32_ReleaseSemaphore", 
  "BOOL __stdcall ReleaseSemaphore(HANDLE hSemaphore, LONG lReleaseCount, LPLONG lpPreviousCount);")

resetevent = Appcall.proto("kernel32_SetEvent", 
  "BOOL __stdcall SetEvent(HANDLE hEvent);")

termthread = Appcall.proto("kernel32_TerminateThread", 
  "BOOL __stdcall TerminateThread(HANDLE hThread, DWORD dwExitCode);")

Change the debuggee's virtual memory configuration

It is possible to change a memory page's protection. In the following example we will change the PE header page protection to execute/read/write (normally it is read-only):

virtprot = Appcall.proto("kernel32_VirtualProtect", 
  "BOOL __stdcall VirtualProtect(LPVOID addr, DWORD sz, DWORD newprot, PDWORD oldprot);")
r = virtprot(0x400000, 0x1000, Appcall.Consts.PAGE_EXECUTE_READWRITE, Appcall.byref(0));
print "VirtualProtect returned:", r
RefreshDebuggerMemory()

And if you need to allocate a new memory page:

virtalloc = Appcall.proto("kernel32_VirtualAlloc", 
  "int __stdcall VirtualAlloc(int addr, SIZE_T sz, DWORD alloctype, DWORD protect);")
m = virtualalloc(0, Appcall.Consts.MEM_COMMIT, 0x1000, Appcall.Consts.PAGE_EXECUTE_READWRITE)
RefreshDebuggerMemory()

Load a library and call an exported function

With Appcall it is also possible to load a library, resolve a function address and call it. Let us illustrate with an example:

def get_appdata():
    hshell32 = loadlib("shell32.dll")
    if hshell32 == 0:
        print "failed to load shell32.dll"
        return False
    print "%x: shell32 loaded" % hshell32

    # make sure to refresh the debugger memory after loading a new library
    RefreshDebuggerMemory()

    # resolve the function address
    p = getprocaddr(hshell32, "SHGetSpecialFolderPathA")
    if p == 0:
        print "shell32.SHGetSpecialFolderPathA() not found!"
        return False

    # create a prototype
    shgetspecialfolder = Appcall.proto(p, 
      "BOOL SHGetSpecialFolderPath(HWND hwndOwner, LPSTR lpszPath, int nFolder, BOOL fCreate);")
    print "%x: SHGetSpecialFolderPath() resolved..."

    # create a buffer
    buf = Appcall.buffer("\x00" * 260)

    # CSIDL_APPDATA  = 0x1A
    if not shgetspecialfolder(0, buf, 0x1A, 0):
        print "SHGetSpecialFolderPath() failed!"
    else:
        print "AppData Path: >%s<" % Appcall.cstr(buf.value)
    return True

Closing words

Appcall has a variety of applications, hopefully it will be handy while solving your day to day reversing problems. For your convenience, please download this script containing the prototypes of the API functions used in this blog entry.

Please send your suggestions/questions to support@hex-rays.com

Introducing the Appcall feature in IDA Pro 5.6

2010-01-12T16:04:46Z

In this blog entry we are going to talk about the new Appcall feature that was introduced in IDA Pro 5.6. Briefly, Appcall is a mechanism used to call functions inside the debugged program from the debugger or your script as if it were a built-in function. If you've used GDB (call command), VS (Immediate window), or Borland C++ Builder then you're already familiar with such functionality.

(Screenshot showing how we called three functions (printf, MessageBoxA, GetDesktopWindow) using IDC syntax)

Before diving in, please keep in mind that this blog entry is a short version of the full Appcall reference found here.

]]>

Quick start

To start with, we explain the basic concepts of Appcall using the IDC command line:

It can be called by simply typing:

As you notice, we invoked an Appcall by simply treating _printf as if it were a built-in IDC function.
If you have a function with a mangled name or containing characters that cannot be used as an identifier name in the IDC language:

then issue the Appcall with this syntax:

We use the LocByName function to get the address of the function given its name, then using the address (which is callable) we issue the Appcall. In two steps this can be achieved with:

auto myfunc = LocByName("_my_func@8");
myfunc("hello", "world");

Please note that Appcalls take place in the context of the current thread. If you want to execute in a different thread then switch to the desired thread first.

Appcall and IDC

The Appcall mechanism can be used from IDC through the following function:

// Call application function
//      ea - address to call
//      type - type of the function to call. can be specified as:
//              - declaration string. example: "int func(void);"
//              - typeinfo object. example: GetTinfo(ea)
//              - zero: the type will be retrieved from the idb
//      ... - arguments of the function to call
// Returns: the result of the function call
// If the call fails because of an access violation or other exception,
// a runtime error will be generated (it can be caught with try/catch)
// In fact there is rarely any need to call this function explicitly.
// IDC tries to resolve any unknown function name using the application labels
// and in the case of success, will call the function. For example:
//      _printf("hello\n")
// will call the application function _printf provided that there is
// no IDC function with the same name.

anyvalue Appcall(ea, type, ...);

The Appcall IDC function requires you to pass a function address, function type information and the parameters (if any):

auto p = LocByName("_printf");
auto ret = Appcall(p, GetTinfo(p), "Hello %s\n", "world");

We've seen so far how to call a function if it already has type information, now suppose we have a function that does not:

Before calling this function with Appcall() we need first to get the type information (stored in a typeinfo object) by calling ParseType() and then pass the function ea and type to Appcall():

auto p = ParseType("long __stdcall FindWindow(const char *cls, const char *wndname)", 0);
Appcall(LocByName("user32_FindWindowA"), p, 0, "Untitled - Notepad");

Note that we used ParseType() function to construct a typeinfo object that we can pass to Appcall(), however it is possible to permanently set the prototype of a function, thus:

SetType(LocByName("user32_FindWindowA"), 
  "long __stdcall FindWindow(const char *cls, const char *wndname)");

Passing arguments by reference

To pass function arguments by reference, it suffices to use the & symbol as in the C language.

For example to call this function:

void ref1(int *a)
{
  if (a == NULL)
    return;
  int o = *a;
  int n = o + 1;
  *a = n;
  printf("called with %d and returning %d\n", o, n);
}

We can use this code from IDC:

auto a = 5;
Message("a=%d", a);
ref1(&a);
Message(", after the call=%d\n", a);

To call a C function that takes a string buffer and modifies it:

/* C code */
int ref2(char *buf)
{
  if (buf == NULL)
    return -1;

  printf("called with: %s\n", buf);
  char *p = buf + strlen(buf);
  *p++ = '.';
  *p = '\0';
  printf("returned with: %s\n", buf);
  int n=0;
  for (;p!=buf;p--)
    n += *p;
  return n;
}

We need to create a buffer and pass it, thus:

auto s = strfill('\x00', 20); // create a buffer of 20 characters
s[0:5] = "hello"; // initialize the buffer
ref2(&s); // call the function and pass the string by reference
if (s[5] != ".")
  Message("not dot\n");
else
  Message("dot\n");

__usercall calling convention

It is possible to Appcall functions with non standard calling conventions, such as routines written in assembler that expect parameters in various registers and so on. One way is to describe your function with the __usercall calling convention.

Consider this function:

/* C code */
// eax = esi - edi
int __declspec(naked) asm1()
{
  __asm
  {
    mov eax, esi
    sub eax, edi
    ret
  }
}

And from IDC:

auto p = ParseType("int __usercall asm1(int a, int b);", 0);
auto r = Appcall(LocByName("_asm1"), p, 5, 2);
Message("The result is: %d\n", r);

Variable argument functions

In C:

int va_altsum(int n1, ...)
{
  va_list va;
  va_start(va, n1);

  int r = n1;
  int alt = 1;
  while ( (n1 = va_arg(va, int)) != 0 )
  {
    r += n1*alt;
    alt *= -1;
  }

  va_end(va);
  return r;
}

And in IDC:

auto result = va_altsum(5, 4, 2, 1, 6, 9, 0);

Calling functions that can cause exceptions

Exceptions may occur during an Appcall. To capture them, you can use the try/catch in IDC:

auto e;
try
{
  AppCall(some_func_addr, func_type, arg1, arg2);
  // Or equally:
  // some_func_name(arg1, arg2);
}
catch (e)
{
  // Exception occured .....
}

The exception object "e" will be populated with the following fields:

description: description text generated by the debugger module while it was executing the Appcall
func: The IDC function name where the exception happened.
line: The line number in the script
qerrno: The internal code of last error occured

For example, you could get something like this:

  description: "Appcall: The instruction at 0x401F93 referenced memory at 0x5. 
The memory could not be read"
  file: ""
  func: "___idc0"
  line: 4
  qerrno: 92

In some cases the exception object will contain more information.

Specifying Appcall options

Appcall can be configured with SetAppcallOptions(), by passing the following option(s):

APPCALL_MANUAL: Only set up the appcall, do not run it (you should call CleanupAppcall() when finished). Please Refer to Manual Appcall section for more information.
APPCALL_DEBEV: If this bit is set, exceptions during appcall will generate IDC exceptions with full information about the exception. Please refer to Capturing exception debug events section for more information.

It is possible to retrieve the Appcall options, change them and then restore them back. To retrieve the options use the GetAppcallOptions().
Please note that Appcall option is saved in the database so if you set it once it will retain its value as you save and load the database.

Manual Appcall

So far we've seen how to issue an Appcall and capture the result from the script, but what if we only want to setup the environment and manually step through a function?
This can be achieved with manual Appcall. The manual Appcall mechanism can be used to save the current execution context, execute another function in another context and then pop back the previous context and continue debugging from that point. Let us directly illustrate manual Appcall with a real life scenario:

You are debugging your application
You discover a buggy function (foo()) that misbehaves when called with certain arguments: foo(0xdeadbeef)
Instead of waiting until the application calls foo() with the desired arguments that can cause foo() to misbehave, you can manually call foo() with the desired arguments, trace the function
Finally, one calls CleanupAppcall() to restore the execution context

To illustrate, let us take the ref1 function and call it with an invalid pointer:

SetAppcallOptions(APPCALL_MANUAL); // Set manual Appcall mode
ref1(6); // call the function with an invalid pointer

Directly after doing that, IDA will switch to the function and from that point on we can debug:

When we reach the end of the function:

and trace beyond the return instruction, we expect to see something like this:

This is the control code that we use to determine the end of an Appcall. It is at this point that one should call CleanupAppcall() to return to the previous execution context:

Capturing exception debug events

We previously illustrated that we can capture exceptions that occur during an Appcall, but that is not enough if we want to learn more about the nature of the exception from the operating system point of view.
It would be better if we could somehow get the last debug_event_t that occured inside the debugger module. This is possible if we use the APPCALL_DEBEV option. Let us repeat the previous example but with the APPCALL_DEBEV option enabled:

auto e;
try
{
  SetAppcallOptions(APPCALL_DEBEV); // Enable debug event capturing
  ref1(6);
}
catch (e)
{
  // Exception occured. This time "e" is populated with debug_event_t fields (check idd.hpp)
}

And in this case, if we dump the exception object's contents, we get these attributes:

can_cont: 1
code:  C0000005h
ea:    401F93h
eid:    40h (from idd.hpp: EXCEPTION = 0x00000040 Exception)
file: ""
func: "___idc0"
handled: 1
info: "The instruction at 0x401F93 referenced memory at 0x6. The memory could not be read"
line: 4h
pid:  123Ch
ref:  6h
tid:  1164h

Appcall and Python

The Appcall concept remains the same between IDC and Python, nonetheless Appcall/Python has a different syntax (using references, unicode strings, etc, etc...)

The Appcall mechanism is provided by idaapi module through the Appcall variable. To issue an Appcall:

Appcall.printf("Hello world!\n");

One can take a reference to an Appcall:

printf = Appcall.printf
# ...later...
printf("Hello world!\n");

If you have a function with a mangled name or with characters that cannot be used as an identifier name in the Python language:

findclose     = Appcall["__imp__FindClose@4"]
getlasterror  = Appcall["__imp__GetLastError@0"]
setcurdir     = Appcall["__imp__SetCurrentDirectoryA@4"]

In case you want to redefine the prototype of a given function, then use the Appcall.proto(func_name or func_ea, prototype_string):

# pass an address name and Appcall.proto() will resolve it
loadlib = Appcall.proto("__imp__LoadLibraryA@4", 
  "int (__stdcall *LoadLibraryA)(const char *lpLibFileName);")
# Pass an EA instead of a name
freelib = Appcall.proto( LocByName("__imp__FreeLibrary@4"),
   "int (__stdcall *FreeLibrary)(int hLibModule);")

To pass unicode strings you need to use the Appcall.unicode() function:

    getmodulehandlew    = Appcall.proto("__imp__GetModuleHandleW@4", 
  "int (__stdcall *GetModuleHandleW)(LPCWSTR lpModuleName);")
    hmod = getmodulehandlew(Appcall.unicode("kernel32.dll"))

To define a prototype and then later assign an address so you can issue an Appcall:

# Create a typed object (no address is associated yet)
virtualalloc = Appcall.typedobj(
  "int __stdcall VirtualAlloc(int lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);")
# Later we have an address, so we pass it:
virtualalloc.ea = LocByName("kernel32_VirtualAlloc")
# Now we can Appcall:
ptr = virtualalloc(0, Appcall.Consts.MEM_COMMIT, 0x1000, Appcall.Consts.PAGE_EXECUTE_READWRITE)

Before we conclude (if you read so far;)), here's a small script that can be used to initiate and terminate Appcalls using hotkeys. If you want to have this script load everytime you start IDA then put its contents in idc\ida.idc file.

Here's a simple scenario where manual Appcalls can be handy:

You're debugging a program and then you require to debug another function then continue debugging the current function
You press Ctrl-Alt-F9 to initiate a manual Appcall and you type the desired function name and arguments
The debugger will switch to the new function and you start tracing the new function
Once you're done to return to your previous function you terminate the Appcall by pressing Ctrl-Alt-F10

If you want to temporary start tracing from the current cursor location then use Ctrl-Alt-F4 to start a manual Appcall. Use then Ctrl-Alt-F10 to return to previous execution context.

Remember, Appcall can do more than what is illustrated in this blog entry, make sure you refer to the Appcall manual for other advanced topics.

Debugging ARM code snippets in IDA Pro 5.6 using QEMU emulator

2010-01-08T17:46:43Z

Introduction

IDA Pro 5.6 has a new feature: automatic running of the QEMU emulator. It can be used to debug small code snippets directly from the database. In this tutorial we will show how to dynamically run code that can be difficult to analyze statically.

Target

As an example we will use shellcode from the article "Alphanumeric RISC ARM Shellcode" in Phrack 66. It is self-modifying and because of alphanumeric limitation can be quite hard to undestand. So we will use the debugging feature to decode it.

]]> The sample code is at the bottom of the article but here it is repeated:

80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR80AR
80AR80AR80AR80AR80AR80AR80AR80AR80AR00OB00OR00SU00SE9PSB9PSR0pMB80SBcACP
daDPqAGYyPDReaOPeaFPeaFPeaFPeaFPeaFPeaFPd0FU803R9pCRPP7R0P5BcPFE6PCBePFE
BP3BlP5RYPFUVP3RAP5RWPFUXpFUx0GRcaFPaP7RAP5BIPFE8p4B0PMRGA5X9pWRAAAO8P4B
gaOP000QxFd0i8QCa129ATQC61BTQC0119OBQCA169OCQCa02800271execme22727

Copy this text to a new text file, remove all line breaks (i.e. make it a single long line) and save. Then load it into IDA.

Loading binary files into IDA

IDA displays the following dialog when it doesn't recognize the file format (as in this case):

Since we know that the code is for ARM processor, choose ARM in the "Processor type" dropdown and click Set. Then click OK. The following dialog appears:

When you analyze a real firmware dumped from address 0, these settings are good. However, since our shellcode is not address-dependent, we can choose any address. For example, enter 0x10000 in "ROM start address" and "Loading address" fields.

IDA doesn't know anything about this file so it didn't create any code. Press C to start disassembly.

Configuring QEMU

Before starting debug session, we need to set up automatic running of QEMU.

Download a recent version of QEMU with ARM support (e.g. from http://homepage3.nifty.com/takeda-toshiya/qemu/index.html). If qemu-system-arm.exe is in a subdirectory, move it next to qemu.exe and all DLLs.
Note: if you're running Windows 7 or Vista, it's recommended to use QEMU 0.11 or 0.10.50 ("Snapshot" on Takeda Toshiya's page), as the older versions listen for GDB connections only over IPv6 and IDA can't connect to it.
Edit cfg/gdb_arch.cfg and change "set QEMUPATH" line to point to the directory where you unpacked QEMU. Change "set QEMUFLAGS" if you're using an older version.

In IDA, go to Debug-Debugger options..., Set specific options.
Enable "Run a program before starting debugging".
Click "Choose a configuration". Choose Versatile or Integrator board. The command line and Initial SP fields will be filled in.

Memory map will be filled from the config file too. You can edit it by clicking the "Memory map" button, or from the Debugger-Manual memory regions menu item.

Now on every start of debugging session QEMU will be started automatically.

Executing the code

By default, initial execution point is the entry point of the database. If you want to execute some other part of it, there are two ways:

Select the code range that you want to execute, or
Rename starting point ENTRY and ending point EXIT (convention similar to Bochs debugger)

In our case we do want to start at the entry point so we don't need to do anything. If you press F9 now, IDA will write the database contents to an ELF file (database.elfimg) and start QEMU, passing the ELF file name as the "kernel" parameter. QEMU will load it, and stop at the initial point.

Now you can step through the code and inspect what it does. Most of the instructions "just work", however, there is a syscall at 0x0010118:

ROM:00010118 SVCMI 0x414141

Since the QEMU configuration we use is "bare metal", without any operating system, this syscall won't be handled. So we need to skip it.

Navigate to 010118 and press F4 (Run to cursor). Notice that the code was changed (patched by preceding instructions):

Right-click next line (0001011C) and choose Set IP.
Press F7 three times. Once you're on BXPL R6 line, IDA will detect the mode switch and add a change point to Thumb code:

Go to 01012C and press U (Undefine).
Press Alt-G (Change Segment Register Value) and set value of T to 1. The erroneous CODE32 will disappear.
Go back to 00010128 and press C (Make code). Nice Thumb code will appear:

In Thumb code, there is another syscall at 00010152. If you trace or run until it, you can see that R7 becomes 0xB (sys_execve) and R0 points to 00010156.

Hint: if the code you're investigating has many syscalls and you don't want to handle them one by one, put a breakpoint at the address 0000000C (ARM's vector for syscalls). Return address will be in LR.

Saving results to database

If you want to keep the modified code or data for later analysis, you'll need to copy it to the database. For that:

Edit segment attributes (Alt-S) and make sure that segments with the data you need have the "Loader segment" attribute set.

Choose Debugger-Take memory snapshot and answer "Loader segments".

Note

Now you can stop the debugging and inspect the new data.
Note: this will update your database with the new data and discard the old. Repeated execution probably will not be correct.

This concludes our short tutorial. You can get an offline PDF version with a slightly more complex example and more background info here.

Happy debugging!
Please send any comments or questions to support@hex-rays.com

PDF file loader to extract and analyse shellcode

2010-01-06T09:58:07Z

One of the new features in IDA Pro 5.6 is the possibility to write file loaders using scripts such as IDC or Python.
To illustrate this new feature, we are going to explain how to write a file loader using IDC and then we will write a file loader (in Python) that can extract shell code from malicious PDF files.
]]> Writing a loader script for BIOS images Before writing file loaders we need to understand the file format in question. For demonstration purposes we chose to write a loader for BIOS image files statisfying these conditions:

Should be no more than 64kb in size
Contain the far jump instruction at 0xFFF0
Contain a date string at 0xFFF5

Each file loader should define at least the two functions: accept_file() and load_file(). The former decides whether the file format is supported and the latter loads the previously accepted file and populates the database.

// Verify the input file format
//      li - loader_input_t object. it is positioned at the file start
//      n  - invocation number. if the loader can handle only one format,
//           it should return failure on n != 0
// Returns: if the input file is not recognized
//              return 0
//          else
//              return object with 2 attributes:
//                 format: description of the file format
//                 options:1 or ACCEPT_FIRST. it is ok not to set this attribute.
static accept_file(li, n)
{
  if ( n )
    return 0; // this loader supports only one format

  // we support max 64K images
  if ( li.size() > 0x10000 )
    return 0;

  li.seek(-16, SEEK_END);
  if ( li.getc() != 0xEA ) // jmp?
    return 0;

  li.seek(-2, SEEK_END);
  // reasonable computer type?
  if ( (li.getc() & 0xF0) != 0xF0 ) 
    return 0;

  auto buf;
  li.seek(-11, SEEK_END);
  li.read(&buf, 9);
  // 06/03/08
  if ( buf[2] != "/" || buf[5] != "/" || buf[8] != "\x00" )
    return 0;

  // accept the file
  return "BIOS Image"; // description of the file format
}

The accept_file() will be called many times by IDA kernel starting with n=0, n=1, n=2, ... until it returns zero. This allows you to handle multiple formats present in the same input file.
For example, PE files can be loaded as MS-DOS MZ EXE files or as PE files. The PE file loader plugin does something like this:

if (n == 0)
  return "MZ executable";
else if (n == 1)
{
  // check if it is a PE file
  // ....

  return "PE executable";
}
else
  return 0;

The li parameter is an instance of loader_input_t described in idc.idc (for IDC) and idaapi.py (for IDAPython). This class allows you to seek and read from the input file.

The load_file() will receive a loader_input_t instance, the format name previously returned by the accept_file() and the loading flags in neflags. This flag can be tested against the NEF_MAN constant to detect whether the user checked the "Manual Load" option while loading the new file.
These are the main responsibilities of load_file():

Set the processor corresponding to the input file
Create segments
Add entry points
Add fixups
Create import/export segments
etc...

// Load the file into the database
//      li      - loader_input_t object. it is positioned at the file start
//      neflags - combination of NEF_... bits describing how to load the file
//                probably NEF_MAN is the most interesting flag that can
//                be used to select manual loading
//      format  - description of the file format
// Returns: 1 - means success, 0 - failure
static load_file(li, neflags, format)
{
  auto base = 0xF000;
  auto start = base << 4;
  auto size = li.size();

  SetProcessorType("metapc", SETPROC_ALL);

  // copy bytes to the database
  loadfile(li, 0, base<<4, size);

  // create a segment
  AddSeg(start, start+size, base, 0, saRelPara, scPub);

  // set the entry registers
  SetLongPrm(INF_START_IP, size-16);
  SetLongPrm(INF_START_CS, base);
  return 1;
}

This script (bios_image.idc) is installed with IDA Pro 5.6 in the loaders directory.

Now that we know how to write a simple file loader using a scripting language, let us write a real life file loader that assists us in extracting shellcode from malicious PDF files.

PDF shellcode extractor

The purpose of this article is not to explain how PDF exploits work, however we will explain the general idea as we write the file loader. If you need more information please check Didier Steven's site and this blog entry, also check Jon Paterson and Dennis Elser blog entry showing how they extracted the shellcode manually and loaded it into IDA for analysis.

In this section we are going to write a very basic shellcode extractor that handles a couple of simple cases.

The first case is when the PDF document contains an embedded JavaScript:
And the second case when an object refers to another object containing the compressed script:

Object 31 refers to object 32 (compressed with DEFLATE algorithm) and contains the actual script that exploits a given vulnerability in the PDF reader.
After taking everything between stream/endstream inside object 32 and passing it to gzip.decompress() we get:

In both cases the shellcode is passed to the unescape() and we can use that as a very basic mechanism to extract the shellcode.
Before writing the code let us summarize what we need to do:

Find potential JavaScript:
- Scan the PDF document for objects that reference compressed JS streams:
  1. Find the referencing object
  2. Find the referred object
  3. Take the stream and decompress it
- Or scan the PDF document for objects that contains embedded JS and take the JS as-is
Find all calls to unescape() and extract its parameters. These parameters could be potential shellcode
Decode the unescape parameter into a byte string
Create a segment and load the shellcode into the segment

Extracting JS scripts from the PDF

To look for embedded JS scripts we call find_embedded_js() that employs a regular expression:

def find_embedded_js(str):
    js = re.finditer('\/S\s*\/JavaScript\s*\/JS \((.+?)>>', str, re.MULTILINE | re.DOTALL)

Once we have a match we remember it without further processing.

To look for compressed JavaScript objects we first call find_js_ref_streams() that also employs a regular expression to locate all objects that refer to another JavaScript object:

def find_js_ref_streams(str):
    js_ref_streams = re.finditer('\/S\s*\/JavaScript\/JS (\d+) (\d+) R', str)

We then use the find_obj() to find the body of the refered object (that contains the compressed JavaScript):

def find_obj(str, id, ver):
    stream = re.search('%d %d obj(.*?)endobj' % (id, ver), str, re.MULTILINE | re.DOTALL)
    if not stream:
        return None
    return str[stream.start(1):stream.end(1)]

And finally we call decompress_stream() to decompress the referred stream:

def decompress_stream(str):
    if str.find('Filter[/FlateDecode]') == -1:
        return None
    m = re.search('stream\s*(.+?)\s*endstream', str, re.DOTALL | re.MULTILINE)
    if not m:
        return None
    # Decompress and return
    return zlib.decompress(m.group(1))

Extracting potential shellcode in the JS scripts

Since this article is for demonstration purposes only, we will assume that the shellcode is always enclosed in the unescape() call. For this we simply convert back the %uXXYY or %XX format strings back to the corresponding byte characters:

def extract_shellcode(lines):
    p = 0
    shellcode = [] # accumulate shellcode
    while True:
        p = lines.find('unescape("', p)
        if p == -1:
            break
        e = lines.find(')', p)
        if e == -1:
            break
        expr = lines[p+9:e]
        data = []
        for i in xrange(0, len(expr)):
            if expr[i:i+2] == "%u":
                i += 2
                data.extend([chr(int(expr[i+2:i+4], 16)), chr(int(expr[i:i+2], 16))])
                i += 4
            elif expr[i] == "%":
                i += 1
                data.append(int(expr[i:i+2], 16))
                i += 2
        # advance the match pos
        p += 8
        shellcode.append("".join(data))
    
    # That's it
    return shellcode

Now we can glue all those helper functions to create one function that returns the shellcode:

def extract_pdf_shellcode(buf):
    ret = []

    # find all JS stream references
    r = find_js_ref_streams(buf)
    for id, ver in r:
        # extract the JS stream object
        obj = find_obj(buf, id, ver)

        # decode the stream
        stream = decompress_stream(obj)

        # extract shell code
        scs = extract_shellcode(stream)
        i = 0
        for sc in scs:
            i += 1
            ret.append([id, ver, i, sc])

    # find all embedded JS
    r = find_embedded_js(buf)
    if r:
        ret.extend(r)

    return ret

Writing the file loader

Now that we have all the needed functions to open a PDF and extract all shellcode, let us write a file loader so that we can use IDA to open a malicious PDF file. First we start with the accept_file():

def accept_file(li, n):
    # we support only one format per file
    if n > 0:
        return 0

    li.seek(0)
    if li.read(5) != '%PDF-':
        return 0

    buf = read_whole_file(li)
    r = extract_pdf_shellcode(buf)
    if not r:
        return 0

    return 'PDF with shellcode'

As you can see, there is nothing special about this function: (1) check PDF file signature (2) check if we found at least one shellcode

And the load_file() will populate all the extracted shellcode into the database:

def load_file(li, neflags, format):
    # Select the PC processor module
    idaapi.set_processor_type("metapc", SETPROC_ALL|SETPROC_FATAL)

    buf = read_whole_file(li)
    r = extract_pdf_shellcode(buf)
    if not r:
        return 0

    # Load all shellcode into different segments
    start = 0x10000
    seg = idaapi.segment_t()
    for id, ver, n, sc in r:
        size = len(sc)
        end  = start + size
        
        # Create the segment
        seg.startEA = start
        seg.endEA   = end
        seg.bitness = 1 # 32-bit
        idaapi.add_segm_ex(seg, "obj_%d_%d_%d" % (id, ver, n), "CODE", 0)

        # Copy the bytes
        idaapi.mem2base(sc, start, end)

        # Mark for analysis
        AutoMark(start, AU_CODE)

        # Compute next loading address
        start = ((end / 0x1000) + 1) * 0x1000

    # Select the bochs debugger
    LoadDebugger("bochs", 0)

    return 1

Testing the script

Let us copy the PDF loader script to IDA / loaders directory and open a malicious PDF file:
After the file is loaded we can directly see the shellcode:

And for the other malware sample, after we load it with IDA:
We notice that it contains a decoder that decodes the rest of the shellcode:
To uncover the code we can use the Bochs debugger in the IDB operation mode by selecting the range of code we want to emulate and pressing F9:

After the decoding is finished we can take a memory snapshot to save the decoded shellcode.

Please download the code from here

Special thanks to Didier Stevens for his free PDF tools and for providing some samples.

Hex-Rays Plugin Contest

2009-11-20T14:42:45Z

We are glad to announce the results of our first plugin contest! For the contest rules, please check this page:

http://www.hex-rays.com/contest.shtml

Or you may directly go to the contest results and check out some cool plugins:

http://www.hex-rays.com/contest2009

It was our first contest, but we are happy with the results and will repeat it in the near future.
Have fun!

Hex-Rays is hiring

2009-10-21T12:22:43Z

We are looking for someone to join our team and participate in the development of unique software security tools. The candidates must know low-level details of modern software as well as high-level data structures and algorithms.

Requirements:

* strong knowledge of C/C++
* experience with Qt and GUI development is a big PLUS
* knowledge of x86 assembler and unwillingness to use it in development
* cross platform development (Windows/Linux/Mac) is a plus
* knowing the graph theory and how compilers work is a plus
* ability and willingness to write secure yet fast code
* good problem solving and communication skills

To apply, please send your resume to info@hex-rays.com
Code samples and links to implemented projects are welcome.

Hex-Rays Decompiler primer

2009-10-15T12:36:32Z

The Hex-Rays Decompiler 1.0 was released more than two years ago. Since then it has improved a lot and does a great job decompiling real-life code, but sometimes there are additional things that you might wish to do with its output. For that purpose we have released the Hex-Rays Decompiler SDK and several sample plugins. However, the header files alone do not give a complete picture and it can be difficult to see where to start.

In this post we will outline the architecture of the Hex-Rays Decompiler SDK, cover some principles and finally wrap everything we discussed and write a small plugin.]]>

Background information
The citem_t class
The cexpr_t, cinsn_t and their subclasses
The cfunc_t class
The tree visitor class
A sample plugin

Background information

If you're already familiar with abstract syntax trees (aka ASTs), you can skip this section. Otherwise, some basic information is available at Wikipedia. It can also be useful to read Ilfak's post "Decompiler output ctree".

We will provide some examples to show how ASTs are used in the decompiler. Consider this C code:

int func(int a)
{
  int result;

  if ( a == 1 )
  {
    result = 5;
  }
  else
  {
    result = 6;
  }
  return result;
}

It can be represented with this AST:

From the start node, we see a "{2}" node that denotes a block of two statements. The first statement in the block is an if and the second statement is a return.
If we take the first statement (if) we notice that it has 3 nodes attached to it: (1) the condition node (2) the then-branch node and (3) the else-branch node (optional).
Looking further down in the tree we notice that the condition node is an equals to node which also links to two other expression nodes x and y.
If we take the then-branch we see how the result = 5 got translated into an assignment node x = y with the x node being a variable and the y node being a numeric constant.

Let us take another code snippet:

int func1(int n)
{
  return (n | 291) & 4011;
}

And see its AST:

Again we have a block containing one statement: the return statement. The return statement has an expression of type binary AND, and this expression takes two operands x and y. The x operand is another expression (binary OR) and the y operand is a numeric constant (value = 291).

The citem_t class

Hex-Rays decompiler SDK refers to the AST as ctree and each node within the tree is represented by either a cinsn_t or a cexpr_t class instance. Both those classes are descendants of the citem_t base class:

struct citem_t
{
  ea_t ea; // address that corresponds to the item
  ctype_t op;// element type
  ...
}

One of the most important fields in a citem_t is its op field value which is of type ctype_t. ctype_t is an enum with constants identifying the type of the node.
Hex-Rays defines two types of constants: cot_xxxx and cit_xxxx. The former denote expression items while the latter denote statements (or instructions in Hex-Rays jargon).

Let us take a look at some of the ctype_t constants:

enum ctype_t
{
  cot_empty    = 0,
  cot_asg      = 2,   //  x = y
  cot_bor      = 19,  //  x | y (binary OR)
  cot_band     = 21,  //  x & y (binary AND)
  cot_eq       = 22,  //  x == y 
  cot_add      = 35,  //  x + y
  cot_call     = 57,  //  x(...)
  cot_num      = 61,  //  n
  cot_fnum     = 62,  //  fpc
  ...
  cot_last     = cot_helper, 

  // The statements
  cit_block    = 70,  //  block-statement: { ... }
  cit_if       = 72,  //  if-statement
  cit_return   = 79,  //  return-statement
  ...
}

Now given a citem_t instance we can check its op value and see whether to treat that citem_t as a cexpr_t or a cinsn_t.

The cexpr_t class

Let us illustrate how a cexpr_t class instance can represent items with cot_xxxx type values. Below we outline the class members that are relevant to our discussion:

// Ctree element: expression.
// Depending on the exact expression item type, 
// various fields of this structure are used.
struct cexpr_t : public citem_t
{
  ...
  union
  {
    //  used for cot_num
    cnumber_t *n;
    //  used for cot_fnum
    fnumber_t *fpc;
    struct
    {
      union
      {
        var_ref_t v;  //  used for cot_var
        ea_t obj_ea;  //  used for cot_obj
      };
      //  how many bytes are accessed? (-1: none)
      int refwidth;
    };
    struct
    {
      //  the first operand of the expression
      cexpr_t *x;
      union
      {
        //  the second operand of the expression
        cexpr_t *y; 
        //  argument list (used for cot_call)
        carglist_t *a;
        //  member offset (used for cot_memptr, cot_memref)
        uint32 m;     
      };
      union
      {
        //  the third operand of the expression
        cexpr_t *z;   
        //  memory access size (used for cot_ptr, cot_memptr)
        int ptrsize;  
      };
    };
    //  an embedded statement, they are             
    //  prohibited at the final maturity stage      
    cinsn_t *insn;    
    //  helper name (used for cot_helper) 
    //  string constant (used for cot_str)
    char *helper;     
    char *string;     
  ...
  };
  ...
};

As you notice, cexpr_t employs unions, thus the contained information depends on the op field.
For example if cexpr.op == cot_num then we can safely access cexpr.n field to get a cnumber_t instance and extract the constant number.
If the expression has two operands (e.g. cot_add, cot_sub, cot_bor and so on....), then we have two sub-expressions: cexpr.x is the left-hand side operand and cexpr.y is the right-hand side operand.
In the case of a function call (denoted by op == cot_call) the address of the called function is accessible via cexpr.x.obj_ea field and the arguments are in the a field (which is a carglist_t instance).

Bottom line: first check the op value and then extract the fields from a cexpr_t instance accordingly.

The cinsn_t class

This class represents statements supported by Hex-Rays (cit_for, cit_if, cit_return, etc...). An excerpt from the class definition:

// Ctree element: statement.
// Depending on the exact statement type, 
// various fields of the union are used.
struct cinsn_t : public citem_t
{
  ...
  union
  {
    //  details of block-statement
    cblock_t *cblock;   
    //  details of expression-statement
    cexpr_t *cexpr;     
    //  details of if-statement
    cif_t *cif;         
    //  details of for-statement
    cfor_t *cfor;       
    //  details of while-statement
    cwhile_t *cwhile;   
    //  details of do-statement
    cdo_t *cdo;         
    //  details of switch-statement
    cswitch_t *cswitch; 
    //  details of return-statement
    creturn_t *creturn; 
    //  details of goto-statement
    cgoto_t *cgoto;     
    //  details of asm-statement
    casm_t *casm;       
  };
  ...
};

Just as we could tell what kind of cexpr_t we have by looking at the op field, here we check the op field against the cit_xxxx constants and extract data accordingly.
For example, if op == cit_if, we can extract a cif_t instance from the cif field. Similarly for op == cit_return the corresponding field is creturn.

The class cblock_t is used to describe a sequence of statements. It is defined as a list of cinsn_t:

// Compound statement (curly braces)
// we need list to be able to manipulate
// its elements freely
struct cblock_t : public qlist 
{                                       
  ...
  iterator find(const cinsn_t *insn);
};

When Hex-Rays creates a ctree, the root of the tree is a cblock_t that contains all the subsequent instructions (or expressions) present in the decompiled function.

The ceinsn_t class

ceinsn_t is used whenever we need to describe a statement that contains an expression. For example, "x = 1;" is a statement containing expression "x = 1".

// Statement with an expression.
// This is a base class for various statements
// with expressions.
struct ceinsn_t
{
  //  Expression of the statement
  cexpr_t expr;         
};

The if statement is a statement with an expression where the expression is the condition of the if:

// If statement
struct cif_t : public ceinsn_t
{
  ...
  //  Then-branch of the if-statement
  cinsn_t *ithen;       
  //  Else-branch of the if-statement. May be NULL.
  cinsn_t *ielse;       
  ...
};

Given a cif_t instance, we can extract its condition by accessing cif_t.expr field, the then-branch from cif_t.ithen (a cinsn_t, which in turn could be a cblock_t holding many other cinsn_t instances), and the else-branch can be accessed through cif_t.ielse, if present.

Before illustrating other statements with expressions (such as the for statement), let us talk about the cloop_t class which is used to represent repetition structures: for, while, do.

// Base class for loop statements
struct cloop_t : public ceinsn_t
{
  cinsn_t *body;
  ...
};

As you notice, cloop_t is ceinsn_t (a statement with expression) with an instruction (the body member).
The cloop_t class (as is) can be used to define a do/while statement where the expr field is the while's condition and the body field is the body of the do/while statement:

// Do-loop
struct cdo_t : public cloop_t
{
  DECLARE_COMPARISONS(cdo_t);
};

A for loop statement has four components: (1) initialization expression, (2) condition expression, (3) step expression and (4) the body:

// For-loop
struct cfor_t : public cloop_t
{
  cexpr_t init;   //  Initialization expression
  cexpr_t step;   //  Step expression
  ...
};

The initialization expression is stored in the init field, the condition in the base class' expr field, the step expression in the step field and the body of the loop in the body field.

The cfunc_t class

Now that we covered the basic tree elements, let us talk about the cfunc_t class, which is used to hold a decompiled function:

// Decompiled function. Decompilation result is kept here.
struct cfunc_t
{
  //  function entry address
  ea_t entry_ea;             
  //  function body, must be a block
  cinsn_t body;              
  //  maturity level
  ctree_maturity_t maturity; 
  // The following maps must be accessed 
  // using helper functions.
  // Example: for user_labels_t, 
  // see functions starting with "user_labels_".

  //  user-defined labels.
  user_labels_t *user_labels;
  //  user-defined comments.
  user_cmts_t *user_cmts;    
  //  user-defined number formats.
  user_numforms_t *numforms; 
  //  user-defined item flags
  user_iflags_t *user_iflags;
  ...
}

When Hex-Rays is asked to decompile a function it returns a cfunc_t instance. The following is an excerpt from the example #1 found at the examples page:

  func_t *pfn = get_func(get_screen_ea());
  if ( pfn == NULL )
  {
    warning("Please position the cursor within a function");
    return;
  }
  hexrays_failure_t hf;
  cfunc_t *cfunc = decompile(pfn, &hf);
  if ( cfunc == NULL )
  {
    warning("#error \"%a: %s", hf.errea, hf.desc().c_str());
    return;
  }
  msg("%a: successfully decompiled\n", pfn->startEA);
  qstring bodytext;
  qstring_printer_t sp(cfunc, bodytext, false);
  cfunc->print_func(sp);
  msg("%s\n", bodytext.c_str());
  delete cfunc;

Among the fields in cfunc_t, body is the most important to us because it points to the root of the ctree. It can be used to traverse the tree manually, but the visitor utility classes provided by the Hex-Rays SDK make that task simpler.

The tree visitor class

The tree visitor class is a utility class that can be used to traverse the tree, find ctree items, and (if desired) modify the tree along the way.

// A generic helper class that is used for ctree traversal
struct ctree_visitor_t
{
  ...
  // Traverse ctree.
  int hexapi apply_to(citem_t *item, citem_t *parent);

  // Visit a statement.
  virtual int idaapi visit_insn(cinsn_t *) { return 0; }

  // Visit an expression.
  virtual int idaapi visit_expr(cexpr_t *) { return 0; }
  ...
};

Hex-Rays provides other visitors as well: ctree_parentee_t, user_lvar_visitor_t, ...

To use the class, inherit from ctree_visitor_t and override virtual methods as necessary. For example, here's how to use it to report all called functions:

void traverse(cfunc_t *cfunc)
{
  struct sample_visitor_t : public ctree_visitor_t
  {
  public:
    sample_visitor_t() : ctree_visitor_t(CV_FAST) { }

    int idaapi visit_expr(cexpr_t *expr)
    {
      if ( expr->op != cot_call )
        return 0;

      char buf[MAXSTR];
      if (get_func_name(expr->x->obj_ea, buf, sizeof(buf)) == NULL)
        qsnprintf(buf, sizeof(buf), "sub_%a", expr->x->obj_ea);

      msg("%a: a call to %s with %d argument(s)\n", expr->ea, buf, expr->a->size());
      return 0; // continue enumeration
    }
  };
  sample_visitor_t tm;
  tm.apply_to(&cfunc->body, NULL);
}

The traverse() function can be called manually with a cfunc_t * obtained from a decompiled function, or automatically by installing a callback:

// This callback handles various Hex-Rays events.
static int idaapi callback(void *, hexrays_event_t event, va_list va)
{
  switch ( event )
  {
  case hxe_maturity:
    {
      cfunc_t *cfunc = va_arg(va, cfunc_t *);
      ctree_maturity_t new_maturity = va_argi(va, ctree_maturity_t);
      if ( new_maturity == CMAT_FINAL ) // ctree is ready
      {
        traverse(cfunc);
      }
    }
    break;
  }
  return 0;
}

int idaapi init(void)
{
  ...
  install_hexrays_callback(callback, NULL);
  ...
}

Writing a plugin

Now that we covered the basics, let us put our knowledge into practice and write a small plugin. Consider this C code:

int func3(int n, char *s)
{
  int b;

  if ( strcmp(s, "hello") == 0 )
  {
    b = 100;
  }
  else if ( strcmp(s, "hello1") == 0 )
  {
    b = 200;
  }
  else if ( strcmp(s, "hello2") == 0 )
  {
    b = 4;
  }
  else if ( strcmp(s, "hello3") == 0 )
  {
    b = 300;
  }
  else if ( strcmp("hello4", s) == 0 )
  {
    b = 400;
  }
  else if ( strcmp("hello5", s) == 6 )
  {
    b = 500;
  }
  else
  {
    b = 600;
  }
  return b + n;
}

If we compile it and decompile back with Hex-Rays decompiler, we get:

int __cdecl func3(int n, char *s)
{
  signed int v2; // eax@2

  if ( strcmp(s, "hello") )
  {
    if ( strcmp(s, "hello1") )
    {
      if ( strcmp(s, "hello2") )
      {
        if ( strcmp(s, "hello3") )
        {
          if ( strcmp("hello4", s) )
          {
            if ( strcmp("hello5", s) == 6 )
              v2 = 500;
            else
              v2 = 600;
          }
          else
          {
            v2 = 400;
          }
        }
        else
        {
          v2 = 300;
        }
      }
      else
      {
        v2 = 4;
      }
    }
    else
    {
      v2 = 200;
    }
  }
  else
  {
    v2 = 100;
  }
  return n + v2;
}

With the following AST:

No doubt that Hex-Rays did an excellent job and the decompiled result is equivalent to the original function. Nonetheless, we can write a small plugin to automatically replace if (strcmp()) with if (strcmp() == 0) and swap the then/else branches:

if ( strcmp(a, b) )
{
  if ( strcmp(a, c) )
  {
    // something if a != c
  }
  else
  {
    // something if a == c
  }
}
else
{
  // something if a == b
}

Becomes:

if ( strcmp(a, b) == 0 )
{
  // something if a == b
}
else
{
  if ( strcmp(a, c) == 0 )
  {
    // something if a == c
  }
  else
  {
    // something if a != c
  }
}

To find such pattern, we need to match if statements with the following conditions:

The if statement should have an else
The if condition should be a function call to strcmp(a, b)

After we find such a statement, we need to replace its condition expression (which is a cot_call) with another expression (cot_eq), where the first operand (x) is the original condition and the second operand (y) is the number zero. Essentially we modify the tree from:

To:

Notice how the modified tree has the if condition changed from a call to strcmp() to an expression x == y (where y is the number zero).

The code to do that should be easy to understand now, especially that we explained all the logic behind it:

struct strcmp_inverter_t : public ctree_visitor_t
{
private:
  cfunc_t *cfunc;
public:
  strcmp_inverter_t(cfunc_t *cf) : ctree_visitor_t(CV_FAST), cfunc(cf) { }

  bool is_strcmp_expr(cexpr_t *expr)
  {
    // the expression should be a function call
    if ( expr->op != cot_call )
      return false;

    // should have two arguments
    carglist_t &a = *expr->a;
    if (a.size() != 2)
      return false;

    // should contain the string str[i]cmp
    char buf[MAXSTR];
    if ( get_func_name(expr->x->obj_ea, buf, sizeof(buf)) == NULL )
      return false;

    if ( stristr(buf, "strcmp") == NULL && 
        stristr(buf, "stricmp") == NULL )
      return false;

    return true;
  }

  int idaapi visit_insn(cinsn_t *ins)
  {
    // only interested in IF statements
    if ( ins->op != cit_if )
      return 0;

    // now take the instance
    cif_t *cif = ins->cif;

    // must have an ELSE
    if ( cif->ielse == NULL )
      return 0;

    // check if it's an strcmp()
    if ( !is_strcmp_expr(&cif->expr) )
      return 0;

    // create a zero expression
    cexpr_t *y = new cexpr_t();
    y->put_number(cfunc, 0, inf.cc.size_i);

    // create a new empty expression
    cexpr_t *x = new cexpr_t();
    // now the if's expr (condition) is moved to this new condition
    x->swap(cif->expr);

    // now that the if's expr is an empty expression, 
    // let us properly populate it
    cif->expr.ea = x->ea;
    cif->expr.op = cot_eq;
    cif->expr.x = x;
    cif->expr.y = y;
    cif->expr.calc_type(false);
    // we changed the condition, so we 
    // should swap the THEN/ELSE branches too!
    qswap(cif->ithen, cif->ielse);
    return 0; // continue enumeration
  }
};

Now if we use the plugin on the previously decompiled function, we get this result:

int __cdecl func3(int n, char *s)
{
  signed int v2; // eax@2

  if ( strcmp(s, "hello") == 0 )
  {
    v2 = 100;
  }
  else
  {
    if ( strcmp(s, "hello1") == 0 )
    {
      v2 = 200;
    }
    else
    {
      if ( strcmp(s, "hello2") == 0 )
      {
        v2 = 4;
      }
      else
      {
        if ( strcmp(s, "hello3") == 0 )
        {
          v2 = 300;
        }
        else
        {
          if ( strcmp("hello4", s) == 0 )
          {
            v2 = 400;
          }
          else
          {
            if ( strcmp("hello5", s) == 6 )
              v2 = 500;
            else
              v2 = 600;
          }
        }
      }
    }
  }
  return n + v2;
}

Looks much closer to the original.

Closing words

The source code of the plugin can be downloaded from here. To use it, simply right-click anywhere in a decompiled function and select "Enable auto if (strcmp()) inversion.

Last but not least, we would like to remind you that the plugin contest deadline is just one month away. If you have nice ideas, participate and show us your creativity!

SEH Graph

2009-10-05T16:08:45Z

It is said that a picture is worth a thousand words, and similarly many reversers would agree that a graph is worth a thousand lists! ;)

Recently, we added graphing support into IDAPython and now Python scripts can build interactive graphs.
To demonstrate this new addition, we will write a small script that graphs the structured exception handlers of a given process.

]]> Writing the script The steps needed to write the script:

For each thread in the process:
1. Retrieve the linear address of FS:[0]
2. Walk the exception registration record list and save the handler
Build the graph:
1. Allocate one node for each unique exception handler address
2. Add edges between the last exception handler and the current exception handler (so to create the chain visually)
Display the graph

Walking the exception registration records

In Win32, a new SEH is installed by filling an EXCEPTION_REGISTRATION_RECORD entry and linking it to the SEH chain (at FS:[0]).

typedef struct _EXCEPTION_REGISTRATION_RECORD
{
  struct _EXCEPTION_REGISTRATION_RECORD *Prev;
  PEXCEPTION_HANDLER       Handler;
} EXCEPTION_REGISTRATION_RECORD;

Before walking the exception registration records, we need to get the base address of the FS selector.
Fortunately, each debugger module provides a special callback in its debugger_t structure:

// Get information about the base of a segment register
//   tid        - thread id
//   sreg_value - value of the segment register
//   answer     - pointer to the answer. can't be NULL.
// 1-ok, 0-failed, -1-network error
int (idaapi *thread_get_sreg_base)(
  thid_t tid, 
  int sreg_value, 
  ea_t *answer);

To use this callback, we will pass the FS selector value:

def GetFsBase(tid):
    idc.SelectThread(tid)
    return idaapi.dbg_get_thread_sreg_base(tid, cpu.fs)

or in C:

ea_t fs_base;
dbg->thread_get_sreg_base(tid, fs_sel_value, &fs_base);

Now that we have the base, we can compute the linear address of the exception registration record list head by adding the base (fs_base) to the offset (which happens to be zero), thus: fs_base + 0
With this knowledge, we can write a small loop to walk this list and extract the handlers:

def GetExceptionChain(tid):
    fs_base = GetFsBase(tid)
    exc_rr = Dword(fs_base)
    result = []
    while exc_rr != 0xffffffff:
        prev    = Dword(exc_rr)
        handler = Dword(exc_rr + 4)
        exc_rr  = prev
        result.append(handler)
    return result

We do that for each thread:

    # Iterate through all function instructions and take only call instructions
    result = {}
    for tid in idautils.Threads():
        result[tid] = GetExceptionChain(tid)

Building the graph

Building the graph is even simpler and can be done by subclassing the GraphViewer class and implementing the OnRefresh() and OnGetText() events.
Here's the simplified version of the graph building loop:

def OnRefresh(self):
  self.Clear() # clear previous nodes
  addr_id = {}

  for (tid, chain) in self.result.items():
    # Add the thread node
    id_parent = self.AddNode("Thread %X" % tid)

    # Add each handler
    for handler in chain:
      # Get the node id given the handler address
      # We use an addr -> id dictionary 
      # so that similar addresses get similar node id
      if not addr_id.has_key(handler):
        id = self.AddNode( hex(handler) )
        addr_id[handler] = id # add this ID
      else:
        id = addr_id[handler]

      # Link handlers to each other
      self.AddEdge(id_parent, id)
      # Now the parent node is this handler
      id_parent = id

  return True

Putting it all together

The script will display the thread nodes and the handlers in different colors. Double clicking on a handler node will jump to it in an IDA-View and double clicking on a thread node will display the exception handlers in the message window. Here are some SEH graphs:

IDA/Graphical version (idag.exe):

Visual Studio 2008 (devenv.exe):

Please download the script from here (you need IDAPython r242 and above).
All comments and suggestions are welcome. You are also encouraged to share screenshots of interesting SEH graphs you run into.

Finding instructions

2009-09-22T15:47:42Z

Searching for instructions and opcodes is a basic necessity for security researchers, therefore to address this issue IDA Pro provides many search facilities, among them we list:

Text search: Used to search the listing for text patterns (regular expressions are allowed). One can write a regular expression to find any assignment to the eax register (with the mov instruction)
Binary search: Allows you to search for binary patterns with wildcard support. It is also possible to search for strings alongside with the binary patterns.
Immediate search: Very useful to find constants and magic numbers used in the program.
Please refer to the search menu for other search facilities

None of the existing search facilities allow us to readily search for instructions and opcodes. In order to do that, one has to assemble the instruction in question then use the Binary Search to find the pattern.

Each processor module in IDA can implement the assemble notification callback:

assemble,               // Assemble an instruction
                        // (display a warning if an error is found)
                        // args:
                        //  ea_t ea -  linear address of instruction
                        //  ea_t cs -  cs of instruction
                        //  ea_t ip -  ip of instruction
                        //  bool use32 - is 32bit segment?
                        //  const char *line - line to assemble
                        //  uchar *bin - pointer to output opcode buffer
                        // returns size of the instruction in bytes

Once this callback is implemented by the processor module one can then assemble instructions by calling the ph.notify() with the assemble notification code (please check this forum discussion here).
Currently, only the pc processor module implements this callback and provides a very basic assembler.
We wrote a script that allows you to search for opcodes and assembly statements, so for example to find the "33 c0" (xor eax, eax), followed by "pop ebp" and followed by "ret" we could search like this:

find("33 c0;pop ebp;ret")

That's the script operation in brief:

Do some input initial validation
Split the patterns
Loop:
1. Determine if the pattern is an assembly instruction or opcode list (using a simple regular expression)
2. If pattern is an instruction then assemble it
3. Accumulate the assembled (or converted opcodes) into a single buffer
Now that we have one single binary buffer we can search for it with FindBinary()
Display the result

The script uses the Assemble() function (available in IdaPython r233 and above). Comments and suggestions are welcome.

An attempt to reconstruct the call stack

2009-09-18T11:13:42Z

Walking the stack and trying to reconstruct the call stack is a challenge (especially if no or little symbolic information is present) and there are many questions to be answered in order to have a correct call stack:

Determining return address
Determining the boundary of the caller function
Distinguishing between pointers to callbacks and return addresses
Determining stack frames
...

In this post, we are going to implement the method entitled "Manually Walking a Stack" described in the MSDN.
While this approach does not always give accurate results, it is still possible to get a fairly correct call stack.
]]>

Start by retrieving the stack pointer register value (for the current thread) and its associated segment

From the stack pointer to the upper limit of the stack segment:

Take a Dword
Check if it belongs to an executable segment, if so then it is probably a code pointer (exception handler, callback pointer, or return address)
Try to determine if the value at the stack pointer is a return address (we try to find the beginning of the previous instruction and we decode it to see if it is a CALL instruction)
Once we have a CALL instruction we will try to build a nice expression to represent the call stack:
- If it belongs to a function then use the following name: function name+offset
- Otherwise try to check nearest debug name (exported names) and use the following name: nearest_debug_name+offset
Save the address (for later use)

Finally render the results (in a chooser, message window, etc...)

Retrieving pointers from the stack

First we need to retrieve the value of the ESP register:

esp = cpu.Esp

Now we dereference the stack pointer, fetch the associated segment and check the segment protection attributes:

    ptr = idc.Dword(sp)
    seg = idaapi.getseg(ptr)
    # only accept executable segments
    if (not seg) or ((seg.perm & idaapi.SEGPERM_EXEC) == 0):
        SKIP !

Determining the return address

From the previous step we managed to filter out any pointer that does not belong to an executable segment, but that's not enough: we need to determine whether it is a return address or not. In compiler generated code scenarios most calls are carried out with a CALL instruction (be it direct or indirect call), and for that reason we will not take into consideration any other code pattern that could act like a CALL (for instance the push/ret sequence).
To get the address of the previous instruction:

prev_ea = idc.PrevHead(current_ea, idc.MinEA())

This works only if IDA already analyzed the area in question and items were already defined there. We could analyze (AnalyzeArea()) the area surrounding the pointer we retrieved from the stack, but that would be an overkill.
Since we are looking for the previous instruction and specifically a CALL instruction, we shall use a pattern table:

CallPattern = \
[
    [-2, [0xFF] ],
    [-3, [0xFF] ],
    [-5, [0xE8] ],               
    [-6, [0xFF] ]
]

Each item in this table is defined as a list where the first element is the distance from the return address to the beginning of the CALL instruction and the second element is a list of values denoting the CALL opcode(s).
Matching the pattern alone is also not enough since other instructions can contain 0xFF or 0xE8, so we will ask the processor module to decode what we think is a CALL instruction:

    cmd = idautils.DecodeInstruction(some_address_ea)
    if (cmd.itype == idaapi.NN_call): 
        print "found a call"

After the instruction is decoded, we can inspect its opcode number.
In case you did not know, a list of opcodes for various processors is available in the SDK (check the allins.hpp file), similarly these opcode constants are defined in the idaapi python module.

    (...from allins.hpp...)
    NN_call,                // Call Procedure
    NN_callfi,              // Indirect Call Far Procedure
    NN_callni,              // Indirect Call Near Procedure
    (...)

We notice that the pc processor module can report three different opcode numbers for a CALL instruction, so our previous code snippet is not quite correct because we did not check for NN_callfi and NN_callni as well. For this reason, using is_call_insn() function is more correct:

def IsPrevInsnCall(ea):
global CallPattern
for p in CallPattern:
    # assume caller's ea
    caller = ea + p[0]
    # get the bytes
    bytes = [x for x in GetDataList(caller, len(p[1]), 1)]
    # do we have a match? is it a call instruction?
    if bytes == p[1] and idaapi.is_call_insn(caller):
        return caller
return False

Putting it all together

We wrote a small python script to implement this logic and we tested it by attaching to a running notepad with WinDbg debugger module (symbols configured):

As you noticed, the call stack boils down to RtlUserThreadStart(). One can use this call stack information to try to locate the original entry point of packed executables!
Download the script from here. Please note that the script will use debug names only if IdaPython r232 and above is detected.