Hex blog

New IDC improvement in IDA Pro 5.6

Fri, 05 Feb 2010 20:31:30 +0100

Scripting with IDA Pro has always been a very handy feature, not only when used in scripts but also in expressions, breakpoint conditions, form fields, etc...
In IDA Pro 5.6 we improved the IDC language and made it more convenient to use by adding objects, exceptions, support for strings with embedded zeroes, string slicing and references.

Hex-Rays against Aurora

Wed, 20 Jan 2010 13:30:17 +0100

As everyone knows, Google and some other companies were under a targeted attack a few days ago. A vulnerability in the Internet Explorer was used to penetrate the computers.

An IDA user very kindly sent us the following link

http://www.avertlabs.com/research/blog/index.php/2010/01/18/an-insight-into-the-aurora-communication-protocol/

Practical Appcall examples

Sat, 16 Jan 2010 17:00:31 +0100

Last week we introduced the new Appcall feature in IDA Pro 5.6. Today we will talk a little about how it's implemented and describe some of the uses of Appcall in various scenarios.

How Appcall works

Given a function with a correct prototype, the Appcall mechanism works like this:

Save the current thread context
Serialize the parameters (we do not allocate memory for the parameters, we use the debuggee's stack)
Modify the input registers in question
Set the instruction pointer to the beginning of the function to be called
Adjust the return address so it points to a special area where we have a breakpoint (we refer to it as control breakpoint)
Resume the program and wait until we get an exception or the control breakpoint (inserted in the previous step)
Deserialize back the input (only for parameters passed by reference) and save the return value

In the case of a manual Appcall, the debugger module will do all but the last two steps, thus giving you a chance to debug interactively the function in question.
When you encounter the control breakpoint:

you can issue the CleanupAppcall() IDC command to restore the previously saved thread context and resume your debugging session.

Introducing the Appcall feature in IDA Pro 5.6

Tue, 12 Jan 2010 17:04:46 +0100

In this blog entry we are going to talk about the new Appcall feature that was introduced in IDA Pro 5.6. Briefly, Appcall is a mechanism used to call functions inside the debugged program from the debugger or your script as if it were a built-in function. If you've used GDB (call command), VS (Immediate window), or Borland C++ Builder then you're already familiar with such functionality.

(Screenshot showing how we called three functions (printf, MessageBoxA, GetDesktopWindow) using IDC syntax)

Before diving in, please keep in mind that this blog entry is a short version of the full Appcall reference found here.

Debugging ARM code snippets in IDA Pro 5.6 using QEMU emulator

Fri, 08 Jan 2010 18:46:43 +0100

Introduction

IDA Pro 5.6 has a new feature: automatic running of the QEMU emulator. It can be used to debug small code snippets directly from the database. In this tutorial we will show how to dynamically run code that can be difficult to analyze statically.

Target

As an example we will use shellcode from the article "Alphanumeric RISC ARM Shellcode" in Phrack 66. It is self-modifying and because of alphanumeric limitation can be quite hard to undestand. So we will use the debugging feature to decode it.

PDF file loader to extract and analyse shellcode

Wed, 06 Jan 2010 10:58:07 +0100

One of the new features in IDA Pro 5.6 is the possibility to write file loaders using scripts such as IDC or Python.
To illustrate this new feature, we are going to explain how to write a file loader using IDC and then we will write a file loader (in Python) that can extract shell code from malicious PDF files.

Hex-Rays Plugin Contest

Fri, 20 Nov 2009 15:42:45 +0100

We are glad to announce the results of our first plugin contest! For the contest rules, please check this page:

http://www.hex-rays.com/contest.shtml

Or you may directly go to the contest results and check out some cool plugins:

http://www.hex-rays.com/contest2009

It was our first contest, but we are happy with the results and will repeat it in the near future.
Have fun!

Hex-Rays is hiring

Wed, 21 Oct 2009 13:22:43 +0100

We are looking for someone to join our team and participate in the development of unique software security tools. The candidates must know low-level details of modern software as well as high-level data structures and algorithms.

Requirements:

* strong knowledge of C/C++
* experience with Qt and GUI development is a big PLUS
* knowledge of x86 assembler and unwillingness to use it in development
* cross platform development (Windows/Linux/Mac) is a plus
* knowing the graph theory and how compilers work is a plus
* ability and willingness to write secure yet fast code
* good problem solving and communication skills

To apply, please send your resume to info@hex-rays.com
Code samples and links to implemented projects are welcome.

Hex-Rays Decompiler primer

Thu, 15 Oct 2009 13:36:32 +0100

The Hex-Rays Decompiler 1.0 was released more than two years ago. Since then it has improved a lot and does a great job decompiling real-life code, but sometimes there are additional things that you might wish to do with its output. For that purpose we have released the Hex-Rays Decompiler SDK and several sample plugins. However, the header files alone do not give a complete picture and it can be difficult to see where to start.

In this post we will outline the architecture of the Hex-Rays Decompiler SDK, cover some principles and finally wrap everything we discussed and write a small plugin.

SEH Graph

Mon, 05 Oct 2009 17:08:45 +0100

It is said that a picture is worth a thousand words, and similarly many reversers would agree that a graph is worth a thousand lists! ;)

Recently, we added graphing support into IDAPython and now Python scripts can build interactive graphs.
To demonstrate this new addition, we will write a small script that graphs the structured exception handlers of a given process.

Finding instructions

Tue, 22 Sep 2009 16:47:42 +0100

Searching for instructions and opcodes is a basic necessity for security researchers, therefore to address this issue IDA Pro provides many search facilities, among them we list:

Text search: Used to search the listing for text patterns (regular expressions are allowed). One can write a regular expression to find any assignment to the eax register (with the mov instruction)
Binary search: Allows you to search for binary patterns with wildcard support. It is also possible to search for strings alongside with the binary patterns.
Immediate search: Very useful to find constants and magic numbers used in the program.
Please refer to the search menu for other search facilities

None of the existing search facilities allow us to readily search for instructions and opcodes. In order to do that, one has to assemble the instruction in question then use the Binary Search to find the pattern.

Each processor module in IDA can implement the assemble notification callback:

assemble,               // Assemble an instruction
                        // (display a warning if an error is found)
                        // args:
                        //  ea_t ea -  linear address of instruction
                        //  ea_t cs -  cs of instruction
                        //  ea_t ip -  ip of instruction
                        //  bool use32 - is 32bit segment?
                        //  const char *line - line to assemble
                        //  uchar *bin - pointer to output opcode buffer
                        // returns size of the instruction in bytes

Once this callback is implemented by the processor module one can then assemble instructions by calling the ph.notify() with the assemble notification code (please check this forum discussion here).
Currently, only the pc processor module implements this callback and provides a very basic assembler.
We wrote a script that allows you to search for opcodes and assembly statements, so for example to find the "33 c0" (xor eax, eax), followed by "pop ebp" and followed by "ret" we could search like this:

find("33 c0;pop ebp;ret")

That's the script operation in brief:

Do some input initial validation
Split the patterns
Loop:
1. Determine if the pattern is an assembly instruction or opcode list (using a simple regular expression)
2. If pattern is an instruction then assemble it
3. Accumulate the assembled (or converted opcodes) into a single buffer
Now that we have one single binary buffer we can search for it with FindBinary()
Display the result

The script uses the Assemble() function (available in IdaPython r233 and above). Comments and suggestions are welcome.

An attempt to reconstruct the call stack

Fri, 18 Sep 2009 12:13:42 +0100

Walking the stack and trying to reconstruct the call stack is a challenge (especially if no or little symbolic information is present) and there are many questions to be answered in order to have a correct call stack:

Determining return address
Determining the boundary of the caller function
Distinguishing between pointers to callbacks and return addresses
Determining stack frames
...

In this post, we are going to implement the method entitled "Manually Walking a Stack" described in the MSDN.
While this approach does not always give accurate results, it is still possible to get a fairly correct call stack.

Develop your master boot record and debug it with IDA Pro and the Bochs debugger plugin

Thu, 10 Sep 2009 16:27:07 +0100

Writing boot code is useful for many reasons, whether you are:

Developing your own operating system
Developing disk encryption systems
Experimenting and researching
Or even writing a bootkit

Driver dispatch-table viewer

Fri, 04 Sep 2009 16:56:58 +0100

With IDA, one can use the command line interface (CLI) not only to type scripting related commands but also to send debugger specific commands to the current debugger plugin.
Although the topic mentions device drivers, you do not have to know much about drivers to learn something new from this post.

Javascript for IDA Pro

Fri, 07 Aug 2009 17:59:37 +0100

Just a quick post to share the joy of having more expressiveness and freedom in IDA Pro. A few days ago we implemented a JavaScript plugin. This means that there is yet one more languauge to write scripts in IDA, and a very powerful one.

All usual methods of accessing the language work: you may execute scripts, standalone statements, or even completely replace IDC with JavaScript.

All IDC functions are availalble in JavaScript (in fact, we just exported them one-to-one). In the future, we will export IDA objects into JavaScript and this will make programming it even easier.

Download the plugin here: http://hexblog.com/ida_pro/files/js.zip

If you notice anything unusual, send us a note, thank you!

Elias will blog more about the plugin in the coming days, and maybe present something handy, as he already did in the past ;)

P.S. I subscribed to twitter a few days ago - it is so dynamic. Will probably switch to it, at least partially