Practical Malware Analysis: Ch 5: IDA Pro
Download as PPTX, PDF6 likes3,129 views
IDA Pro is a disassembler that supports interactive disassembly and analysis of executable files. It has both graph and text modes and uses color-coded arrows to indicate jump instructions. It contains useful windows like Functions, Names, Strings, Imports/Exports, and Cross-References to aid analysis. Functions can be analyzed by examining parameters, calls, and cross references. The disassembly can be enhanced through renaming locations, adding comments, and using named constants. IDA supports plugins for extended functionality.
Practical Malware Analysis: Ch 5: IDA Pro
- 1. Practical Malware Analysis Ch 5: IDA Pro
- 2. IDA Pro Versions • Full-featured pay version • Old free version – Both support x86 – Pay version supports x64 and other processors, such as cell phone processors • Both have code signatures for common library code in FLIRT (Fast Library identification and Recognition Technology)
- 3. Graph and Text Mode • Spacebar switches mode
- 4. Default Graph Mode Display
- 6. Better Graph Mode View
- 7. Arrows • Colors – Red Conditional jump not taken – Green Conditional jump taken – Blue Unconditional jump • Direction – Up Loop
- 9. Highlighting • Highlighting text in graph mode highlights every instance of that text
- 10. Text ModeArrows Solid = Unconditional Dashed = Conditional Up = Loop Section Address Comment Generated by IDA Pro
- 11. Options, General
- 12. Adds Comments to Each Instruction
- 13. Useful Windows for Analysis
- 14. Functions • Shows each function, length, and flags – L = Library functions • Sortable – Large functions usually more important
- 15. Names Window • Every address with a name – Functions, named code, named data, strings
- 16. Strings
- 18. Structures • All active data structures – Hover to see yellow pop-up window
- 19. Cross- Reference • Double- click function • Jump to code in other views
- 20. Function Call • Parameters pushed onto stack • CALL to start function
- 21. Returning to the Default View • Windows, Reset Desktop • Windows, Save Desktop – To save a new view
- 23. Imports or Strings • Double-click any entry to display it in the disassembly window
- 24. Using Links • Double-click any address in the disassembly window to display that location
- 25. History • Forward and Back buttons work like a Web browser
- 26. Navigation Band • Light blue: Library code • Red: Compiler-generated code • Dark blue: User-written code – Analyze this
- 27. Jump to Location • Press G • Can jump to address or named location
- 28. Searching • Many options • Search, Text is handy
- 30. Code Cross-References • XREF comment shows where this function is called • But it only shows a couple of cross-references by default
- 31. To See All Cross-References • Click function name and press X
- 32. Data Cross-References • Demo: – Start with strings – Double-click an interesting string – Hover over DATA XREF to see where that string is used – X shows all references
- 34. Function and Argument Recognition • IDA Pro identifies a function, names it, and also names the local variables • It's not always correct
- 37. Graphing Options • These are "Legacy Graphs" and cannot be manipulated with IDA • The first two seem obsolete – Flow chart • Create flow chart of current function – Function calls • Graph function calls for entire program
- 38. Graphing Options • Xrefs to – Graphs XREFs to get to selected XREF – Can show all the paths that get to a function
- 39. Windows Genuine Status in Calc.exe
- 40. Graphing Options • Xrefs from – Graphs XREFs from selected XREF – Can show all the paths that exit from a function
- 41. Graphing Options • User xrefs chart... – Customize graph's recursive depth, symbols used, to or from symbol, etc. – The only way to modify legacy graphs
- 43. Warning • There's no Undo, so if you make changes and mess them up, you may be sorry
- 44. Renaming Locations • You can change a name like sub_401000 to ReverseBackdoorThread • Change it in one place, IDA will change it everywhere else
- 46. Comments • Press colon (:) to add a single comment • Press semicolon (;) to echo this comment to all Xrefs
- 47. Formatting Operands • Hexadecimal by default • Right-click to use other formats
- 48. Using Named Constants • Makes Windows API arguments clearer
- 49. Extending IDA with Plug-ins • IDC (IDA's scripting language) and Python scripts available (link Ch 6a)