Practical Malware Analysis: Ch 5: IDA Pro
IDA Pro Versions
• Full-featured pay version
• Old free version
– Both support x86
– Pay version supports x64 and other processors, such as cell phone processors
• Both have code signatures for common library code in FLIRT (Fast Library Identification and Recognition Technology)
Graph and Text Mode
• Spacebar switches mode
Default Graph Mode Display
Options, General
Better Graph Mode View
Arrows
• Colors
– Red: Conditional jump not taken
– Green: Conditional jump taken
– Blue: Unconditional jump
• Direction
– Up: Loop
Arrow Color Example
Highlighting
• Highlighting text in graph mode highlights every instance of that text
Text Mode
• Arrows
– Solid = Unconditional
– Dashed = Conditional
– Up = Loop
• Screenshot labels: Section, Address, Comment (generated by IDA Pro)
Options, General
Adds Comments to Each Instruction
Useful Windows for Analysis
Functions
• Shows each function, length, and flags
– L = Library function
• Sortable
– Large functions are usually more important
Names Window
• Every address with a name
– Functions, named code, named data, strings
Strings
Imports & Exports
Structures
• All active data structures
– Hover to see a yellow pop-up window
Cross-Reference
• Double-click a function
• Jump to code in other views
Function Call
• Parameters pushed onto the stack
• CALL to start the function
Returning to the Default View
• Windows, Reset Desktop
• Windows, Save Desktop
– To save a new view
Navigating IDA Pro
Imports or Strings
• Double-click any entry to display it in the disassembly window
Using Links
• Double-click any address in the disassembly window to display that location
History
• Forward and Back buttons work like a Web browser
Navigation Band
• Light blue: Library code
• Red: Compiler-generated code
• Dark blue: User-written code
– Analyze this
Jump to Location
• Press G
• Can jump to an address or a named location
Searching
• Many options
• Search, Text is handy
Using Cross-References
Code Cross-References
• XREF comment shows where this function is called
• But it only shows a couple of cross-references by default
To See All Cross-References
• Click function name and press X
Data Cross-References
• Demo:
– Start with strings
– Double-click an interesting string
– Hover over DATA XREF to see where that string is used
– X shows all references
Analyzing Functions
Function and Argument Recognition
• IDA Pro identifies a function, names it, and also names the local variables
• It's not always correct
Using Graphing Options
Graphing Options
Graphing Options
• These are "Legacy Graphs" and cannot be manipulated with IDA
• The first two seem obsolete
– Flow chart: Create a flow chart of the current function
– Function calls: Graph function calls for the entire program
Graphing Options
• Xrefs to
– Graphs the XREFs that lead to the selected XREF
– Can show all the paths that reach a function
Windows Genuine Status in Calc.exe
Graphing Options
• Xrefs from
– Graphs the XREFs from the selected XREF
– Can show all the paths that exit from a function
Graphing Options
• User xrefs chart...
– Customize the graph's recursive depth, symbols used, to or from symbol, etc.
– The only way to modify legacy graphs
Enhancing Disassembly
Warning
• There's no Undo, so if you make changes and mess them up, you may be sorry
Renaming Locations
• You can change a name like sub_401000 to ReverseBackdoorThread
• Change it in one place, IDA will change it everywhere else
Comments
• Press colon (:) to add a single comment• Press semicolon (;) to echo this comment to
all Xrefs
Formatting Operands
• Hexadecimal by default
• Right-click to use other formats
Using Named Constants
• Makes Windows API arguments clearer
Extending IDA with Plug-ins
• IDC (IDA's scripting language) and Python scripts available (link Ch 6a)
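The two lookups the earlier slides do by hand, listing every caller of a function (the X hotkey) and reading the PUSH/CALL pattern of each call it makes, written as an IDC script. This is an added example, not code from the slides or from the book; it assumes the IDA 7.x IDC function names (get_func_attr, get_first_cref_to, print_insn_mnem, prev_head and so on) and a cursor placed inside a function, and its push-walk is a simplified heuristic that only sees consecutive PUSH instructions.

```idc
#include <idc.idc>

// Walk backwards from a CALL and collect the consecutive PUSHes that feed it.
// Simplified heuristic (assumption): it stops at the first non-push instruction,
// so arguments passed in registers or via mov [esp+..] are not captured.
static args_for_call(call_ea, func_start)
{
    auto ea, args;
    args = "";
    ea = prev_head(call_ea, func_start);
    while (ea != BADADDR && print_insn_mnem(ea) == "push")
    {
        // Pushes happen in reverse argument order, so prepend each operand
        if (args == "")
            args = print_operand(ea, 0);
        else
            args = print_operand(ea, 0) + ", " + args;
        ea = prev_head(ea, func_start);
    }
    return args;
}

static main()
{
    auto start, end, ea, xref, name;

    start = get_func_attr(get_screen_ea(), FUNCATTR_START);
    if (start == BADADDR)
    {
        msg("Place the cursor inside a function first\n");
        return;
    }
    end  = get_func_attr(start, FUNCATTR_END);
    name = get_func_name(start);

    // Same list the X hotkey shows: every code cross-reference to this function
    msg("Callers of %s:\n", name);
    for (xref = get_first_cref_to(start); xref != BADADDR; xref = get_next_cref_to(start, xref))
        msg("  %s in %s\n", atoa(xref), get_func_name(xref));

    // Every CALL this function makes, with the arguments pushed just before it
    msg("Calls made by %s:\n", name);
    for (ea = start; ea != BADADDR && ea < end; ea = next_head(ea, end))
    {
        if (print_insn_mnem(ea) != "call")
            continue;
        msg("  %s call %s(%s)\n", atoa(ea), print_operand(ea, 0), args_for_call(ea, start));
    }
}
```

Run it with File, Script file while the cursor sits in the function of interest; the output appears in the Output window.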