
February 05, 2010

New IDC improvement in IDA Pro 5.6

Scripting with IDA Pro has always been a very handy feature, not only when used in scripts but also in expressions, breakpoint conditions, form fields, etc.
In IDA Pro 5.6 we improved the IDC language and made it more convenient to use by adding objects, exceptions, support for strings with embedded zeroes, string slicing and references.


January 16, 2010

Practical Appcall examples

Last week we introduced the new Appcall feature in IDA Pro 5.6. Today we will talk a little about how it's implemented and describe some of the uses of Appcall in various scenarios.

How Appcall works

Given a function with a correct prototype, the Appcall mechanism works like this:
  1. Save the current thread context
  2. Serialize the parameters (we do not allocate memory for the parameters, we use the debuggee's stack)
  3. Modify the input registers in question
  4. Set the instruction pointer to the beginning of the function to be called
  5. Adjust the return address so it points to a special area where we have a breakpoint (we refer to it as control breakpoint)
  6. Resume the program and wait until we get an exception or the control breakpoint (inserted in the previous step)
  7. Deserialize back the input (only for parameters passed by reference) and save the return value
In the case of a manual Appcall, the debugger module will do all but the last two steps, thus giving you a chance to interactively debug the function in question.
When you encounter the control breakpoint, you can issue the CleanupAppcall() IDC command to restore the previously saved thread context and resume your debugging session.


January 12, 2010

Introducing the Appcall feature in IDA Pro 5.6

In this blog entry we are going to talk about the new Appcall feature that was introduced in IDA Pro 5.6. Briefly, Appcall is a mechanism used to call functions inside the debugged program from the debugger or your script as if it were a built-in function. If you've used GDB (call command), VS (Immediate window), or Borland C++ Builder then you're already familiar with such functionality.

(Screenshot showing how we called three functions (printf, MessageBoxA, GetDesktopWindow) using IDC syntax)

Before diving in, please keep in mind that this blog entry is a short version of the full Appcall reference found here.


January 08, 2010

Debugging ARM code snippets in IDA Pro 5.6 using QEMU emulator

Introduction

IDA Pro 5.6 has a new feature: automatic running of the QEMU emulator. It can be used to debug small code snippets directly from the database. In this tutorial we will show how to dynamically run code that can be difficult to analyze statically.

Target

As an example we will use the shellcode from the article "Alphanumeric RISC ARM Shellcode" in Phrack 66. It is self-modifying and, because of the alphanumeric limitation, can be quite hard to understand. So we will use the debugging feature to decode it.


January 06, 2010

PDF file loader to extract and analyse shellcode

One of the new features in IDA Pro 5.6 is the possibility to write file loaders using scripts such as IDC or Python.
To illustrate this new feature, we are going to explain how to write a file loader using IDC and then we will write a file loader (in Python) that can extract shellcode from malicious PDF files.


November 20, 2009

Hex-Rays Plugin Contest

We are glad to announce the results of our first plugin contest! For the contest rules, please check this page:

http://www.hex-rays.com/contest.shtml

Or you may directly go to the contest results and check out some cool plugins:

http://www.hex-rays.com/contest2009

It was our first contest, but we are happy with the results and will repeat it in the near future.
Have fun!

October 21, 2009

Hex-Rays is hiring

We are looking for someone to join our team and participate in the development of unique software security tools. The candidates must know low-level details of modern software as well as high-level data structures and algorithms.

Requirements:

* strong knowledge of C/C++
* experience with Qt and GUI development is a big PLUS
* knowledge of x86 assembler and unwillingness to use it in development
* cross platform development (Windows/Linux/Mac) is a plus
* knowing the graph theory and how compilers work is a plus
* ability and willingness to write secure yet fast code
* good problem solving and communication skills

To apply, please send your resume to info@hex-rays.com
Code samples and links to implemented projects are welcome.

October 05, 2009

SEH Graph

It is said that a picture is worth a thousand words, and similarly many reversers would agree that a graph is worth a thousand lists! ;)

Recently, we added graphing support into IDAPython and now Python scripts can build interactive graphs.
To demonstrate this new addition, we will write a small script that graphs the structured exception handlers of a given process.

(Screenshot: sehgraph_small.png)

September 22, 2009

Finding instructions

Searching for instructions and opcodes is a basic necessity for security researchers, therefore to address this issue IDA Pro provides many search facilities, among them we list:
  • Text search: Used to search the listing for text patterns (regular expressions are allowed). One can write a regular expression to find any assignment to the eax register (with the mov instruction)

  • Binary search: Allows you to search for binary patterns with wildcard support. It is also possible to search for strings alongside with the binary patterns.

  • Immediate search: Very useful to find constants and magic numbers used in the program.
  • Please refer to the search menu for other search facilities
None of the existing search facilities allow us to readily search for instructions and opcodes. In order to do that, one has to assemble the instruction in question then use the Binary Search to find the pattern.

Each processor module in IDA can implement the assemble notification callback:
    assemble,               // Assemble an instruction
                            // (display a warning if an error is found)
                            // args:
                            //   ea_t ea - linear address of instruction
                            //   ea_t cs - cs of instruction
                            //   ea_t ip - ip of instruction
                            //   bool use32 - is 32bit segment?
                            //   const char *line - line to assemble
                            //   uchar *bin - pointer to output opcode buffer
                            // returns size of the instruction in bytes
Once this callback is implemented by the processor module, one can assemble instructions by calling ph.notify() with the assemble notification code (please check this forum discussion here).
Currently, only the pc processor module implements this callback and provides a very basic assembler.
We wrote a script that allows you to search for opcodes and assembly statements, so for example to find the "33 c0" (xor eax, eax), followed by "pop ebp" and followed by "ret" we could search like this:
    find("33 c0;pop ebp;ret")

The script's operation in brief:
  1. Do some initial input validation
  2. Split the patterns
  3. Loop:
    1. Determine if the pattern is an assembly instruction or opcode list (using a simple regular expression)
    2. If pattern is an instruction then assemble it
    3. Accumulate the assembled (or converted opcodes) into a single buffer
  4. Now that we have one single binary buffer we can search for it with FindBinary()
  5. Display the result

The script uses the Assemble() function (available in IdaPython r233 and above). Comments and suggestions are welcome.
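As an added illustration of the steps above, and not the script from this post (which calls IDA's Assemble() and FindBinary()), the following stand-alone Python reproduces the same pipeline offline: validate the input, split on ";", classify each element as an opcode list or an instruction with a regular expression, accumulate one byte buffer, and scan an image for it. The assembler here is a hand-built lookup table (TOY_ASSEMBLER) and the image bytes are constructed; both are assumptions standing in for the pc processor module and the database.

```python
import re

# Constructed stand-in for IDA's Assemble(): a handful of x86 encodings keyed
# by normalised mnemonic text (assumption; the real script asks the pc module).
TOY_ASSEMBLER = {
    "xor eax, eax": b"\x33\xc0",
    "pop ebp":      b"\x5d",
    "ret":          b"\xc3",
    "mov edi, edi": b"\x8b\xff",
    "push ebp":     b"\x55",
    "mov ebp, esp": b"\x8b\xec",
}

# An element is an opcode list when it is nothing but hex byte pairs,
# e.g. "33 c0" or "8bff"; anything else is treated as an instruction.
OPCODE_RE = re.compile(r"^(?:[0-9a-fA-F]{2}\s*)+$")


def normalise(text):
    """Collapse whitespace and case so "POP  EBP" and "pop ebp" compare equal."""
    return " ".join(text.split()).lower()


def parse_pattern(spec):
    """Turn "33 c0;pop ebp;ret" into one binary buffer to search for."""
    if not spec or not spec.strip():
        raise ValueError("empty search pattern")
    buf = bytearray()
    for element in spec.split(";"):
        element = normalise(element)
        if not element:
            raise ValueError("empty pattern element")
        if OPCODE_RE.match(element):
            # opcode list: convert the hex pairs directly
            buf += bytes.fromhex(element.replace(" ", ""))
        elif element in TOY_ASSEMBLER:
            # instruction: "assemble" it via the lookup table
            buf += TOY_ASSEMBLER[element]
        else:
            raise ValueError("cannot assemble %r" % element)
    return bytes(buf)


def find_all(image, spec, base=0):
    """Return every address (base + offset) where the pattern occurs."""
    needle = parse_pattern(spec)
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(base + pos)
        pos = image.find(needle, pos + 1)
    return hits


# Constructed image: a prologue, then two copies of "xor eax,eax; pop ebp; ret".
IMAGE = bytes.fromhex("8bff558bec33c05dc39033c05dc3cc")

if __name__ == "__main__":
    for addr in find_all(IMAGE, "33 c0;pop ebp;ret", 0x401000):
        print("match at %#x" % addr)
```

The classification rule is the same weak point the real script has: a mnemonic that happens to consist solely of hex digit pairs would be taken for an opcode list, so in practice it is safest to write opcode elements with explicit spaces and instructions with their operands.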

September 18, 2009

An attempt to reconstruct the call stack

Walking the stack and trying to reconstruct the call stack is a challenge (especially if no or little symbolic information is present) and there are many questions to be answered in order to have a correct call stack:
  • Determining return address
  • Determining the boundary of the caller function
  • Distinguishing between pointers to callbacks and return addresses
  • Determining stack frames
  • ...
In this post, we are going to implement the method entitled "Manually Walking a Stack" described on MSDN.
While this approach does not always give accurate results, it is still possible to get a fairly correct call stack.


September 10, 2009

Develop your master boot record and debug it with IDA Pro and the Bochs debugger plugin

Writing boot code is useful for many reasons, whether you are:
  • Developing your own operating system
  • Developing disk encryption systems
  • Experimenting and researching
  • Or even writing a bootkit


September 04, 2009

Driver dispatch-table viewer

With IDA, one can use the command line interface (CLI) not only to type scripting related commands but also to send debugger specific commands to the current debugger plugin.
Although the topic mentions device drivers, you do not have to know much about drivers to learn something new from this post.


August 07, 2009

Javascript for IDA Pro

Just a quick post to share the joy of having more expressiveness and freedom in IDA Pro. A few days ago we implemented a JavaScript plugin. This means that there is yet one more language to write scripts in IDA, and a very powerful one.

All usual methods of accessing the language work: you may execute scripts, standalone statements, or even completely replace IDC with JavaScript.

All IDC functions are available in JavaScript (in fact, we just exported them one-to-one). In the future, we will export IDA objects into JavaScript and this will make programming it even easier.

Download the plugin here: http://hexblog.com/ida_pro/files/js.zip

If you notice anything unusual, send us a note, thank you!

Elias will blog more about the plugin in the coming days, and maybe present something handy, as he already did in the past ;)

P.S. I subscribed to twitter a few days ago - it is so dynamic. Will probably switch to it, at least partially

June 19, 2009

Function call graph plugin sample

IDA Pro already has a function call graph facility, nonetheless it employs WinGraph32.


June 02, 2009

IDA Pro 5.5 goes alpha

After many months of work, IDA Pro 5.5 is now in alpha stage and this week the beta will be out for testing.


April 17, 2009

IDA v5.4 demo

Just a quick note for interested parties: we prepared the new demo version of IDA Pro. The new demo includes the bochs debugger. The debugger is fully functional with just one limitation: it will become inactive after a number of commands. I prefer to tell you this in advance rather than this limitation to be discovered in the middle of a heavy debugging session ;)

Here's the download link:

http://www.hex-rays.com/idapro/idadowndemo.htm

Enjoy!

February 19, 2009

Advanced Windows Kernel Debugging with VMWare and IDA's GDB debugger

We have already published a short tutorial on Windows kernel debugging with IDA and VMWare on our site, but the debugging experience can still be improved.

VMWare's GDB stub is very basic: it doesn't know anything about processes or threads (for Windows guests), so for anything high-level we'll need to do some extra work. We will show how to get the loaded module list and load symbols for all of them using IDAPython.


February 05, 2009

IDA Pro has 9 debugger modules

Since the number of debugger modules in IDA surpassed the magical number seven plus or minus two, we created a small table describing what is available and what is not:

http://www.hex-rays.com/idapro/debugger/index.htm

Direct links to tutorials are available here:

http://www.hex-rays.com/idapro/idasupport.htm

I know, I know - we need to add 64-bit support for all platforms, port the Bochs debugger module to Linux, and... any other suggestions? I personally would love to have source level debugging, yet it requires some substantial changes to the kernel. We probably will move in this direction, sooner or later...

January 30, 2009

Kernel debugging with IDA

When IDA introduced debugging facilities years ago, the task of analyzing hostile code became more enriched: no more looking at static code and figuring out what it does, instead just run the malware in a virtual machine and debug it remotely, even debug just a small code snippet from the database (Bochs based debugger plugin).


January 20, 2009

IDA v5.4 release is not that far away

I'm happy to inform you that we are entering the beta stage of IDA v5.4!

In addition to numerous small and not that small improvements, the new version will have three debugger modules: bochs, gdb, and windbg, selectable on the fly (the active debugger session will be closed, though ;))


  • With the bochs debugger, we offer three different worlds: run-any-code-snippet facility, windows-like-environment for PE files, and any-bochs-image bare-bone machine emulation mode. You can read more about this module in our blog: http://hexblog.com/2008/11/bochs_plugin_goes_alpha.html
  • With gdb, x86 and arm targets are supported. Among other things, it is possible to connect IDA to QEMU or debug a virtual machine inside VMWare. We tried it on iPhone as well. However, while it works in some circumstances, there were some problems on the gdbserver side.
  • With windbg, user and kernel mode debugging is available. The debugger engine from Microsoft, which is currently the only choice for driver and kernel mode debugging, can be used from IDA. It can automatically load required PDB files and populate the listing with meaningful names, types, etc. Speaking of PDB files, IDA imports more information from them: local function variables and types are retrieved too, c++ base classes are handled, etc.

The gdb and windbg debugger modules support local and remote debugging. We tried to make the debugger modules as open as possible: target-specific commands can be sent to all backend engines in a very easy and user-friendly way.

As usual, better analysis and many minor changes have been made. If you spend plenty of time analyzing gcc generated binaries, you'll certainly appreciate that IDA handles its weird way of preparing outgoing function arguments. Now it can trace and find argument copies to the stack with mov statements.

The new IDA will support Python out of the box, thanks to Gergely Erdelyi, who kindly agreed to have the Python plugin included in the official distribution. In fact, the main IDA window will have a command line to enter any python (or other language) expressions and immediately get a result in the message window.

We will prepare the detailed list of improvements later this week.

November 21, 2008

IDA and MIPS

If you analyze MIPS binaries, you may find useful the following addition to IDA:

http://www.binary-art.net/?p=1002

This is a MIPS emulator for Linux. It can generate an IDC script after emulation, which can then be applied to the database to make it more readable.

November 07, 2008

Bochs plugin goes alpha

(Image: Bochs emulator)
The Bochs debugger plugin is in alpha stage now; all of the 3 loaders mentioned in the previous blog entry are now complete.


October 03, 2008

Bochs Emulator and IDA?

(Image: Bochs emulator)
The next version of IDA will be released with a bochs debugger plugin, and what is nice about it is that you will be able to use it easily by just downloading the bochs executables and telling IDA where to find them.


August 26, 2008

The IDA Pro book

This is not the first book about IDA Pro. However, this is the first book I recommend to anyone using IDA Pro because of the following points:

  • Comprehensive: it describes all major IDA features by starting at the beginning and going all the way to the end. Experienced users may be tempted to skip the first few chapters; resist this temptation and you will discover something new (I did :)
  • Accurate: it is very difficult to be detailed and precise when describing such a complex product. Chris does it excellently well.
  • Real: handles real world malware, packers, and obfuscated code
  • No fillers: it is direct and concise
  • Profound: this is not just a collection of recipes or tricks, but will give you a better understanding of the IDA architecture, thus saving you from unnecessary frustration. Knowing the limitations of your tool is just as important as knowing its capabilities.
It comes with tons of code snippets, scripts, and sample modules. Programming for IDA Pro is covered too: from simple plugins to processor modules.

If you want to use IDA efficiently, get your copy from No Starch Press!

UPD for numerologists: the book has exactly 640 pages, no less, no more!

August 21, 2008

Mr. Bachaalany joins Hex-Rays

I'm happy to tell you that Mr. Elias Bachaalany has joined our development team!

He is one of the keenest and most knowledgeable IDA users. Elias bought his first copy of IDA long ago while he was a student. Immediately after that he contacted us with tons of questions, suggestions, ideas on how to improve things, etc. While we addressed most of his questions, we could not handle everything. Then he designed and implemented many free and open source scripts and plugins for IDA.

We are lucky to have him in our team. I'm sure that very soon we will see new nice features in IDA Pro created by Elias. Stay tuned!

July 23, 2008

IDA on iPhone

Good news for real iPhone fans: we ported IDA to iPhone! It can handle any application and provides the same analysis as on other platforms. It is funny to see IDA on such a small device:


July 17, 2008

Apple's variant of ptrace()

Have you ever tried to create a debugger for Mac OS X? It is an adventurous enterprise with lots of unexpected (should I say unforeseeable?) problems. This guy tried and described his adventures in this entertaining post:

http://www.matasano.com/log/1100/what-ive-been-doing-on-my-summer-vacation-or-it-has-to-work-otherwise-gdb-wouldnt/

His post reminded me of all the problems we faced with the first version of the IDA debugger for iMac. It also reminded me of even more convoluted puzzles with the iPhone debugger because ptrace() is broken beyond any hope there (one simple rule: use only PT_TRACEME).

Anyway, if anyone wants to repeat our steps, we are giving away the source code of all debugger modules with the new IDA v5.3: iMac and iPhone debugger codes included. They can certainly help you to avoid some headache and frustration!

June 19, 2008

Recon2008

Last week I attended the Recon conference. It was a very enjoyable event, very nicely organized and handled, in a charming city (Montreal). Since I haven't seen many conferences yet, I cannot really compare it to others but I think it was really great: real RE stuff with no superficial talks. You can find the slides and videos on the conference site. The following blogs describe the event in more detail:

http://dvlabs.tippingpoint.com/blog/
http://blog.trailofbits.com/2008/06/16/recon-2008-review/

There were quite a few interesting talks, I especially liked the ones about iMac and iPhone (other talks disclosed new ideas too, it is just that I'm currently working on Apple products ;))

Thanks to the conference organizers for making such an event possible! David, Hugo, Guillaume did an excellent job. Now waiting for the next recon, which will normally be held in 2010.

June 04, 2008

Testing debuggers

Software programs must be tested before being put in use. When there is a single program, things are relatively simple. Running it on multiple platforms is more challenging because it requires testing all of them. But the real nightmare starts when there are multiple programs running on multiple platforms and going to a high abstract level is not an option.

This is the case with IDA debuggers. The current version supports five different variants: Win32/Win64/WinCE/Linux/iMac but the upcoming v5.3 adds Symbian and iPhone to the list.

We cannot use a high level language for debuggers because the very nature of the information is low level: bits and bytes, registers and memory cells. The core of the debugger operates with some abstractions but this does not make it really impervious to low level details: each platform has its peculiarities. It is more of a disadvantage than a bonus: changing anything in the debugger core could introduce a bug in any of the supported platforms, something hard to reproduce and fix.

Given all the above, we decided to spend some time on a test system. And here is the result: custom made, hardcore command line, user agnostic (or unfriendly?) but it does the job. It generates megabytes of logs and can check all debuggers: local or remote, 32 or 64 bit, single or multithreaded.

Below is a link to a short video. I'm sorry for the window size, it is really difficult to fit all windows into a small area.

One more thing I wanted to tell you: we have the iPhone debugger ready for beta testing. It was a hard job to create it, especially with the broken ptrace on iPhone. I'm still curious to know more about its implementation and limitations...

If you want to participate in beta testing of the iPhone debugger, just send us a message.

April 08, 2008

Symbian debugger

It works! There are lots of limitations but it is alive, handles breakpoints, exceptions, and even some limited tracing is available. It is possible to launch processes and attach to them. Here is just one screenshot:

Expect many limitations in the first version (no hardware bpts, limited multithread support, etc). One of the most annoying shortcomings is that the memory layout is not determined automatically - we had to introduce a 'manual memory regions' window to overcome this.

Since it is a new beast and many aspects need polishing, beta testers are welcome!

March 29, 2008

Symbian AppTRK

Things are quite easy with the Symbian TRK! Today I decided to write a small program to interact with it and everything worked extremely smoothly. My driver program can download a SIS file to the phone, automatically install and run it. It reacts to debugging events and gracefully closes the connection when the application terminates. Below are just a few pictures for the curious.


March 26, 2008

Hello Symbian!

Yesterday I created my first Symbian program :) Sure enough, it was a "hello world" and to tell the truth I did not write it myself. But it still took me 3 (three) hours to get it running on Nokia E51. The good side is that I learned a lot about possible failures with Symbian applications (there are quite many of them, some of them with cryptic error messages like "install failed").


March 07, 2008

Pythonic way

A brilliant blog post by Ero Carrera: IDAPython in action:

http://blog.dkbza.org/2008/03/digging-up-system-call-ordinals.html

Just note how concise and powerful the script is!

March 04, 2008

Tricky jump tables

Just a quick post to announce that we have published a small plugin to specify jump table information. When IDA misses them, the flow charts are virtually useless - they fall apart into several loosely connected components and the logic is completely hidden. This plugin is especially useful for rarely used processors with unusual switch idioms.

The plugin and its source code can be found on our forum.

February 03, 2008

Debugger and process memory

Just a small note about the debugger plugins and events. Many users who try to develop a plugin for the debugger notice that IDA behaves slightly differently in the notification callbacks than anywhere else.

For example, IDA might claim that EIP points to an address without a segment, or none of the exported names of a loaded DLL are available.


January 31, 2008

Jump tables

It is an endless story: regardless of how many different jump table types IDA supports, there will be a new unhandled twist. Be it the instruction scheduler, which rearranged the instructions in an unexpected manner, or the compiler, which learned a new optimization trick, it is the same for IDA: jump tables are missed and function boundaries are wrong. What's worse, the graph view, so loved by IDA users, displays a trimmed graph without jump tables, virtually useless for any analysis.

That's why we strive to add support for new jump tables to IDA, and since it cannot be done for all of them, we focus on compiler generated jump tables for popular processors. Take ARM, for example. The ARM processor module has been improved a lot in v5.2, but we still received a report with a bunch of new patterns. So expect even better support for ARM in the near future :)

If you are interested in improving the jump table handling for a rarely used processor, here are the explanations on how to do it.


October 15, 2007

IDA and Microcontrollers

If you have ever used IDA to analyze embedded stuff, you will immediately have noticed its pc-centric nature. While any embedded SDK targets specific devices with real-world part numbers, IDA just provides you with a universal analysis framework. You are supposed to know how the device works, its idiosyncrasies, programming model, memory organization, and all other practical stuff. If there is an automatic way to determine the entry point or interrupt vectors, IDA will use it, but in general you will have to find out the correct parameters yourself.

The following tutorial fills the gap for C166 (and explains many other things!):

http://andywhittaker.com/ECU/DisassemblingaBoschME755/tabid/96/Default.aspx

Thanks, Andy!

October 08, 2007

Negated structure offsets

A month ago I received a support request:
If I have an instruction like
     mov eax, [edi-0ch]
and I know that that's really the sum of an offset to a structure not at edi and the offset of a member within that structure, how do I get IDA to display it as such without using a manual operand?
A legitimate question, which is somewhat hard to answer.


April 02, 2007

Very simple custom viewer

As promised, here is the plugin which demonstrates how to create a very simple custom viewer in IDA Pro. When run, it displays this text on the screen:


March 19, 2007

Dynamic coloring

IDA v5.1 introduces the notion of dynamic colors. Plugins can install a callback which dynamically calculates colors and provides them to the user interface. In the previous versions of IDA plugins were forced to change the item color in the database thus overwriting any user-defined colors. The new IDA makes it possible to calculate colors on the fly.


March 02, 2007

On batch analysis

Ever tried to run many instances of IDA simultaneously? I mean, not only one or two, but much more, tens of them at the same time? Not everyone needs it but sometimes a whole directory must be analyzed. Imagine you have created a plugin which finds something interesting in binaries...


February 08, 2007

Adding cross references

Did you know that you can add your own cross-references to the listing? There are even several different methods for that:
  • Open xrefs window and press Ins
  • Write an IDC script
  • Write a plugin
Adding xrefs is very useful if IDA missed some of them and the graph looks ugly. Another benefit is replicated comments.

See a demo below the cut.


February 07, 2007

Does 'return' come back?

We all know that call invokes a function and ret returns to the caller. Alas, nothing is certain in the binary world. The ret instruction is quite often used for short jumps within a function. Among many other improvements in IDA v5.1 there will be a special logic to recognize and mark such pseudo-returns. I was surprised to see this graph and post it here for your amusement:


December 11, 2006

Heads and tails

Ero Carrera in his eye-catching blog talks about multi-chunk function related shortcomings in IDA Pro:
This results in that, from the disassembler point of view, one has to allow for those chunks and also for those chunks to be assigned to an arbitrary number of "owning" or parent functions.


October 24, 2006

Loop colorizer

Sometimes I need to know if the current instruction sequence belongs to a loop or not. If it does, I'd like to know the loop boundaries. It would be nice to have the current loop highlighted. If the highlight changes as I navigate in the listing, it would be just great.


June 23, 2006

Simplex method in IDA Pro

In May a contest was opened on Datarescue's forum:

http://www.datarescue.com/ubb/ultimatebb.php?/topic/4/375.html

There were some nice tries but nobody guessed it right. It seems Datarescue will have to repeat the contest with another question :)

If you are curious to learn the correct answer, please read on.


May 12, 2006

Linear algebra

After spending several days with a naive approach to linear algebra I can tell you: it doesn't work. I will use a third party implementation because my implementation is way too slow. My very short and elegant implementation (only 500 lines) works well for small problems but miserably fails with anything of substantial size. The failure means that the solution is obtained after a noticeable period of time (1-2 seconds), which is not acceptable for a pleasant interactive experience.

If you wonder why I would need such a beast in IDA, ask yourself how it can be used. There is a chance to win a contest:

http://www.datarescue.com/ubb/ultimatebb.php?/topic/4/375.html

April 13, 2006

Sainte Ida

Apparently she was someone very pious and spiritual :)

http://nominis.cef.fr/contenus/saints_966.html

Today is her day.

IDA Pro started as a simple abbreviation but we quickly got used to the image of this nice lady (in fact the person depicted on the image is just a certain medieval lady, not a saint; not named Ida either...).

April 11, 2006

Improving IDA analysis

For a typical MS Windows executable IDA does quite a good job of recognizing code and creating functions, and usually the result is eye-pleasing and easy to decipher. The analysis is quite good but not perfect - there are cases when it takes data for code or wrongly determines the function boundaries.

The good news is that there are easy methods to improve the situation.


April 02, 2006

IDA graph mode

The new IDA Pro introduces the graph mode. The disassembly of the current function is displayed as a graph: each basic block is represented as a node and cross references are represented as edges. It is easy to zoom, move, and modify the graph using the mouse, I'm sure you will just use the new interface without much difficulty. However, there are some unexpected commands which may render your life easier.

For example, the keyboard arrows can be used to move around the graph. This is something expected. But if you hold Ctrl and press the Up or Down keys, IDA will display the list of all predecessors or successors of the current node.

Double clicking on an edge with the Ctrl key pressed will jump to its destination. Alt will jump to its source.

Pressing '5' on the keypad will center the current node. If you prefer to use the mouse, try to click with the mouse wheel on a node - the clicked node will be centered.

There are many tricks like this. All this is described in minute detail in the help. It won't take long to read the graph-related pages and you will become really fast and comfortable with the graph view. I urge you to spend some 10-15 minutes reading it and playing with graphs.

IDA has more graph layout algorithms than you might think. See some of them in Dennis' blog. You can create your own layouts too (and even your own graphs of absolutely anything). Just take a look at the sample plugin in the SDK.

March 27, 2006

Coverage analyzer

Sometimes we want to perform coverage analysis of the input file: to find areas of the program not exercised by a set of test cases. These test cases may come from a test suite, or you could be trying to find a vulnerability in the program by 'fuzzing' it. Feedback in the form of a list of 'not-yet-executed' instructions would be a nice addition to blind fuzzing.
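The two ideas above, the basic-block/edge model that the graph mode draws and the 'not-yet-executed' list a coverage analyzer would produce, fit in one small illustration. The code below is an added example, not IDA's own graph or coverage code: it splits a constructed x86-style listing into basic blocks with the usual leader rule, derives the successor and predecessor lists (what Ctrl+Down and Ctrl+Up show for a node), and diffs the blocks against a constructed execution trace. The instruction set it understands (a handful of jump mnemonics) and the sample listing are assumptions made for the example.

```python
# Added illustration (not IDA's code): the node/edge model behind the graph
# view, built from a constructed x86-style listing, plus the "not yet
# executed" report a coverage analyzer would produce from a trace.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Insn:
    ea: int                        # address
    size: int                      # length in bytes, so ea + size is the next instruction
    mnem: str
    target: Optional[int] = None   # branch target, if the instruction has one


COND_JUMPS = {"jz", "jnz", "jb", "ja", "jl", "jg"}   # the subset this toy understands
UNCOND_JUMPS = {"jmp"}
RETURNS = {"ret"}
TERMINATORS = COND_JUMPS | UNCOND_JUMPS | RETURNS


def split_blocks(insns):
    """Group instructions into basic blocks with the classic leader rule:
    leaders are the first instruction, every branch target and every
    instruction that follows a jump or return. Returns {start_ea: [Insn]}."""
    insns = sorted(insns, key=lambda i: i.ea)
    leaders = {insns[0].ea}
    for i in insns:
        if i.target is not None:
            leaders.add(i.target)
        if i.mnem in TERMINATORS:
            leaders.add(i.ea + i.size)
    blocks, cur = {}, None
    for i in insns:
        if i.ea in leaders:
            cur = blocks.setdefault(i.ea, [])
        cur.append(i)
    return blocks


def build_edges(blocks):
    """Successor and predecessor lists per block start: the graph's edges.
    Ctrl+Down / Ctrl+Up in the graph view list exactly these for a node."""
    succs = {}
    for start, body in blocks.items():
        last = body[-1]
        fall = last.ea + last.size
        if last.mnem in RETURNS:
            targets = []
        elif last.mnem in UNCOND_JUMPS:
            targets = [last.target]
        elif last.mnem in COND_JUMPS:
            targets = [last.target, fall]
        else:
            targets = [fall]          # plain fall-through into the next block
        succs[start] = [t for t in targets if t in blocks]
    preds = {b: [] for b in blocks}
    for s, ts in succs.items():
        for t in ts:
            preds[t].append(s)
    return succs, preds


def unexecuted(blocks, trace):
    """Given the addresses a run actually executed, return the block starts
    and the instruction addresses that were never reached."""
    hit = set(trace)
    dead_insns = sorted(i.ea for body in blocks.values() for i in body if i.ea not in hit)
    dead_blocks = sorted(s for s, body in blocks.items() if all(i.ea not in hit for i in body))
    return dead_blocks, dead_insns


# Constructed listing: if (eax == 0) ecx = 2; else ecx = 1; return ecx.
SAMPLE = [
    Insn(0x1000, 1, "push"),
    Insn(0x1001, 2, "mov"),
    Insn(0x1003, 3, "cmp"),
    Insn(0x1006, 2, "jz", 0x1010),
    Insn(0x1008, 5, "mov"),            # ecx = 1
    Insn(0x100D, 3, "jmp", 0x1015),
    Insn(0x1010, 5, "mov"),            # ecx = 2
    Insn(0x1015, 2, "mov"),            # eax = ecx
    Insn(0x1017, 1, "pop"),
    Insn(0x1018, 1, "ret"),
]
# Constructed trace of one run with eax != 0, so the jz falls through.
TRACE = [0x1000, 0x1001, 0x1003, 0x1006, 0x1008, 0x100D, 0x1015, 0x1017, 0x1018]

if __name__ == "__main__":
    blocks = split_blocks(SAMPLE)
    succs, preds = build_edges(blocks)
    for start in blocks:
        print(f"block {start:#x}: succs {[hex(s) for s in succs[start]]}"
              f" preds {[hex(p) for p in preds[start]]}")
    print("never executed:", [hex(e) for e in unexecuted(blocks, TRACE)[1]])
```

Running it reports four blocks, shows that block 0x1015 has two predecessors, and lists 0x1010 (the `eax == 0` path) as the only instruction the trace never reached, which is the kind of feedback a fuzzing loop could use to steer its inputs.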

Continue reading "Coverage analyzer" »

February 21, 2006

Nice dynamic graph

A nice dynamic graph: relation browser.

Something similar could be used in IDA Pro for inter-function navigation: the graph nodes would be functions and static data variables, and the edges would represent function calls and data accesses...

February 07, 2006

FindCrypt2

I realized that it is quite easy to make FindCrypt work with big endian programs. For that we just need to know the size of each constant array element and byte-swap the elements if required. So here is the second version of FindCrypt. It introduces the following improvements:

  1. it works with both little and big endian programs
  2. it knows how to reuse old slots in the bookmarks if run repeatedly
  3. it is fully automatic and scans each newly created database; a manual scan is still available

Possible future improvement: a tool which would extract constant arrays from the source code of any project. This tool could be written in Perl or Python and would be quite simple (we only have to handle constant array definitions in C). A more sophisticated tool could also take care of type definitions like "typedef long LONG"...


For your convenience, here are links to both versions: findcrypt.zip and findcrypt2.zip
Compare them to see the differences; there aren't many!
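To make the endianness point concrete, here is an added example of the scanning idea, written for this page and not taken from the FindCrypt plugin: each known table is stored with its element size, serialized in both byte orders, and searched for in a byte buffer. The constants are the standard published ones (SHA-1/MD5 initial state, the first SHA-256 round constants, the first CRC-32 table entries, the first AES S-box bytes); the buffer being scanned is constructed for the example, and the table of signatures is deliberately tiny.

```python
# Added illustration (not the FindCrypt plugin's code): scan a byte buffer
# for well-known crypto constant tables, trying each table in both byte
# orders, which is the byte swap FindCrypt2 needs for big endian targets.
import struct

# Name -> (element size in bytes, first elements of the table). The values
# are the standard published constants; a few leading elements are enough
# to identify a table.
SIGNATURES = {
    "SHA-1/MD5 initial state": (4, [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]),
    "SHA-256 round constants": (4, [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5]),
    "CRC-32 table":            (4, [0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA]),
    "AES S-box":               (1, [0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5]),
}


def encode(elems, size, endian):
    """Serialize a table as it would appear in a binary of the given byte order.
    The element size decides how many bytes get swapped for big endian."""
    fmt = {1: "B", 2: "H", 4: "I", 8: "Q"}[size]
    return struct.pack((">" if endian == "big" else "<") + fmt * len(elems), *elems)


def find_crypt(data):
    """Return sorted (offset, table name, byte order) for every table found.
    Byte tables have no byte order and are reported as 'n/a'."""
    hits = []
    for name, (size, elems) in SIGNATURES.items():
        for endian in (("n/a",) if size == 1 else ("little", "big")):
            needle = encode(elems, size, endian)
            off = data.find(needle)
            while off != -1:
                hits.append((off, name, endian))
                off = data.find(needle, off + 1)
    return sorted(hits)


# Constructed buffer: filler, SHA-256 K big endian, filler, CRC-32 table
# little endian, filler, MD5 IV little endian, then the AES S-box start.
SAMPLE = (b"\xCC" * 16
          + encode(SIGNATURES["SHA-256 round constants"][1], 4, "big")
          + b"\xCC" * 8
          + encode(SIGNATURES["CRC-32 table"][1], 4, "little")
          + b"\xCC" * 4
          + encode(SIGNATURES["SHA-1/MD5 initial state"][1], 4, "little")
          + bytes(SIGNATURES["AES S-box"][1]))

if __name__ == "__main__":
    for off, name, endian in find_crypt(SAMPLE):
        print(f"{off:#06x}: {name} ({endian})")
```

Two things worth noticing: the same SHA-256 constants are found whether the target is little or big endian, because the search is done on the serialized form for each order, and the AES S-box is a byte array, so there is nothing to swap and only one form is tried. A real scanner would also record the element size of the match so the bytes can be turned into a properly typed array.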

January 30, 2006

FindCrypt

While analyzing a program, quite often we want to know if it uses any crypto algorithm. Knowing the algorithm name would be useful too. Here is a plugin which can help us answer these questions.

Continue reading "FindCrypt" »

December 20, 2005

Tracing exception handlers

Suppose our goal is to dissect a new program. The ultimate method of analysis is single-stepping the program of interest. Each executed instruction must be single-stepped at least once so that we won't miss anything important.

Continue reading "Tracing exception handlers" »

December 11, 2005

The unispector

How do you spell "I love you" in Greek?...

Continue reading "The unispector" »

November 27, 2005

The highlighter

Today I'll present you a pretty small yet useful plugin.

Continue reading "The highlighter" »

November 20, 2005

The ultimate stealth method

The last described method does not work if the application uses an "unsupported" anti-debugging trick. For example, if the application directly checks the PEB field instead of calling the IsDebuggerPresent function, the method will fail. Or the application could use something else, something from the future...

Continue reading "The ultimate stealth method" »

November 04, 2005

Simple trick to hide IDA debugger

Quite often IDA users ask for a plugin or feature to hide the debugger from the application. In fact there are many anti-debugging tricks and each of them requires an appropriate reaction from the debugger, so let's start with something simple: we will make the IsDebuggerPresent function call always return zero.

Continue reading "Simple trick to hide IDA debugger" »

October 30, 2005

Several files in one IDB, part 4

Final method of loading several files into a database

Continue reading "Several files in one IDB, part 4" »

October 25, 2005

TLS callbacks

I promised to tell you about the TLS callbacks. Here is the discussion.

Continue reading "TLS callbacks" »

Several files in one IDB, part 3

The third method to create a database with several PE files.

Continue reading "Several files in one IDB, part 3" »

October 22, 2005

Several files in one IDB, part 2

The second method to create a database with several PE files.

Continue reading "Several files in one IDB, part 2" »

October 19, 2005

Several files in one IDB

IDA Pro can load one PE file into a database and analyze it. Some users assume this is the maximum. Let's take a closer look at the situation...

Continue reading "Several files in one IDB" »