GETTING STARTED WITH IDA : Différence entre versions

De Wiki expérimental
Ligne 67 : Ligne 67 :
 
Exemples of this errar and how ta deal with il will be covered in Chuinter 21.
 
Exemples of this errar and how ta deal with il will be covered in Chuinter 21.
  
It is important to understand that once a database bas been created for a given executable, IDA no longer requires access to that executable uniess you intend to use IDAs ïntegrated debugger to debug the executable ïtseif. From a security standpoint, this is a nice feature. For instance, when you are anaiyzing a nialware sampie, you can pass the associated database among
+
It is important to understand that once a database bas been created for a given executable, IDA no longer requires access to that executable uniess you intend to use IDAs ïntegrated debugger to debug the executable ïtseif. From a security standpoint, this is a nice feature. For instance, when you are anaiyzing a nialware sampie, you can pass the associated database among analysts without passing along the malicious executable itself. There are no known cases in which an IDA database bas been used as an attack vector for malicious software.
 +
 
 +
At its heart, IDA is nothing more than a database application. New databases are created and populated automatïcally from executable files. The varions displays that IDA offers are simply views into the database that reveal information in a format useful to the software reverse engineer. Any modifications that users make to the database are reflected in the views and saved with the database, but these changes have no effect on the original executable file. The power of IDA lies in the tools it contains to analyze and manipulate the data within the database.
 +
 
 +
IDA Database Creation
 +
 
 +
Once you have chosen a file to analyze and specïfied your options, IDA mitiates the creation of a database. For this process, IDA turcs control over to the selected loader module, whose job it is to load the file from disk, parse any file-header information that it may recognize, create varïous program sections containing either code or data as specïfïed in the files headers, and, finally, identïfy specific entry points into the code belote returning control to IDA. In this regard, IDA loader modules behave much as operating system loaders behave. The IDA loader will determine a virtual memory layout based on information contaïned in the program file headers and configure the database accordingly.
 +
 
 +
Once the loader bas finished, the disassembly engine within IDA takes over and begins passing one address at a time to the selected processor module. The processor modules job is to determine the type of instruction located at that address, the length of the instruction at that address, and the location (s) at which execution can continue from that address (e.g., is the current instruction sequential or branching?). When IDA is comfortable that it bas found ail of the instructions in the file, it makes a second pass through the list of instruction addresses and asks the processor module to generate the assembly language version of each instruction for display.
 +
 
 +
Following this disassembly, IDA automatically conducts additional analysis of the binary file to extract additional information likely to be useful to the analyst. Users can expect to find some or ail of the following information incorporated into the database once IDA completes its initial analysis:
 +
 
 +
Compiler identification
 +
 
 +
It is often useful to know what compiler was used to build a piece of software. Identïfyïng the compiler that was used can help us understand function-calling conventions used in a binary as well as determine what libraries the binary may be linked with. When a file is loaded, IDA attempts to ïdentify the compiler that was used to create the input file. If the compiler can be identified, the input file is scanned for sequences of boïlerplate code known to be used by that compiler. Such functions are color coded in an effort to reduce the amount of code that needs to be analyzed.

Version du 14 août 2019 à 02:48

It's about time we got down to actually using IDA. The remainder of this book is ledicated to varions features of IDA and how you can leverage them to best suit your reverse engineering needs. In this chapter we hegin by covering the options you are presented with when you launch IDA, and then we describe just what is happening when you open a binary file for analysis. Finaily, well present a quick overview of the user interface to lay the groundwork for the remaining chapters.

For the sake of standardization, examples in both this chapter and the remainder of the book will be presented with the Windows Qt GUI interface unless an example requires a specific, different version of IDA (such as an example of Linux debugging).

Launching IDA

Any time you launch IDA, you will be greeted briefly by a splash screen that displays a summary of your license information. Once the splash screen clears, IDA displays another dialog offering three ways to proceed toits desktop environment, as shown in Figure 4-1.

If you prefer not to sec the welcome message, feel free to uncheck the Dïsplay ai startup checkbox at the bottom of the dialog. If you check the box, future sessions will begin as if you had clicked the Go button, and you will be taken directly to an empty IDA workspace. If ai some point you find yourself ionging for the Welcome dialog (after ail, it convenientiy aliows you to return to recentiy used files), you will need to edit IDAs regïstry key to set the Displaywelcome value back to 1. Alternatively, selecting Windows > Reset hïdden messages will restore ail previously hidden messages. NOTE When installedon Windows, IDA creates the followingregistrykey: HKEY_CURRENT_USER\ Software\Hex-Rays\IDA.' Many options that canhe configured within IDA itself(as opposed to editing one o/'the configuration 111es) are stored within this registry key. Howevei; on otherplatforrns, IDA stores such values in a hinary data file ($HOME/ .idapro/idareg) that is not easily edited.

Each of the three options shown in Figure 4-1 offers a slïghtly different method to proceed to the IDA desktop. These three iaunch options are revïewed here:

New

Choosing New opens a standard File Open dialog to select the fie to be analyzed. Foilowing file selection, one or more additional dialogs are dispiayed that aliow you to choose specific file-analysis options before the file is loaded, anaiyzed, and displayed.

Go

The Go button terminales the ioad process and causes IDA to open with an empty workspace. At this point, if you want to open a file, you may drag and drop a binary flic onto your IDA desktop, or you may use one of the options [rom the File menu to open a file. The File > Open command results in a File Open dialog, as described previousiy. By default, IDA utïiizes a known extensions filter to lirait the view of the File dialog. Make sure that you modify or clear the filter (such as choosing Ail Files) so that the File dialog correctiy displays the file you are interested in opening.2 When you open a file this way, IDA attempts to automaticaiiy identify the selected files type; however, you should pay carefui attention to the Loading dialog to see which loaders have been selected to process the file.

Previous

You shouid utilize the Previous button when you wish to open one of the files in the iïst of recent files that is directly beiow the Previous button. The hst of recently used files is populated with values [rom the History subkey of IDAs Windows registry key (or ida reg on non-Windows piatforms). The maximum length of the history lïst is initially set to 10, but this lirait may be raised as high as 100 by editing the appropriate entry in idagui.c/'gor idatuLcfg (sec Chapter 11). Utiiïzing the history list is the most convenient option for resuming work on recently used database files.

filA File Loading

When choosing to open a new file using the File > Open command, you wilil be presented with the loading dialog shown in Figure 4-2. IDA generates a iïst of potentiai file types and dïsplays that hst ait the top of the dialog. This hst represents the IDA loaders that are best suïted for dealing with the selected file. The iïst is created by executing each of the file loaders in IDAs loaders directory in order to find any loaders that recognize the new file. Note that in Figure 4-2, both the Windows PE loader (pe.ldw) and the MS-DOS EXE loader (dos.ldw) ciaim to recognize the selected file. Readers familiar with the PE file format wiii not be surprised by this, as the PE file format is an extended form of the MS-DOS EXE file format. The iast entry in the iist, Binary File, wilil aiways be present since it is IDAs default for loading files that if dors not recognize, and this provides the lowest-level method for loading any file. When offered the choïce of severai loaders, if is not a bad initial strategy to sïmply accept the default selection unless you possess specific information that contradïcts IDAs determination.

At times, Binary File will be the only entry that appears in the loader list. In such cases, the implied message is that none of the loaders recognize the chosen file. If you opt to continue the loading process, make sure that you select the processor type in accordance with your understanding of the file contents.

The Processor Type drop-down menu allows you to specify which processor module (from IDAs pmcdirectory) should be used during the disassembly process. In most cases, IDA will choose the proper processor based on information that it reads [rom the executable files headers. When IDA cant properly determine the processor type associated with the flic being opened, you will need to manually select a processor type before continuing with the file-loading operation.

The Loading Segment and Loading Offset fields are active only when the Binary File input format is chosen in conjonction with an x86 family processor. Sirice the binary loader is unable to extract any memory layout information, the segment and offset values entered here are combined to form the base address for the loaded file content. Should you forget to specify a base address during the initial loading process, the base address of the IDA image can be modïfied at any time using the Edit > Segments > Rebase Program command.

The Kernel Options buttons provide access to configure the specific disassembly analysis options that IDA will utilize to enhance the recursive-descent process. In the overwhelming majorïty of cases, the default options provide the best possible disassembly. The IDA help files provide additional information on available kernel options.

The Processor Options button provides access to configuration options that apply to the selected processor module. However, processor options are not necessarily available for every processor module. Limited help is available for processor options as these options are very highly dependent on the selected processor module and the programming proflciency of the modules author. The remaining Options checkboxes are used to gain flner control over the file-loading process. Each of the options is descrïbed further in IDAs help file. The options are not applicable to ail input file types, and in most cases, you can rely on the default selections. Specïflc cases when you may need to modify these options will be covered in Chapter 21.

Using the Binary File Loader

When you opt to utilize the binary loader, you need to be prepared to do more than your usual share of the processing work. With no file header information to guide the analysis process, it is up to you to step in and perform tasks that more capable loaders often do automatïcally. Examples of situations that may caIl for the use of the binary loader include the analysis of ROM images and exploit payloads that may have been extracted front network packet captures or log flics. When the x86 processor module is paired with the binary loader, the dia-log shown in Figure 4-3 will be displayed. Wïth no recognizable file headers available to assist IDA, it is up to the user to specify whether code should be treated as 16-bit or 32-bit mode code. Other processors for which IDA can distinguïsh between 16- and 32-bit modes include ARM and MIPS.

Binary files contain no information concerning their memory layout (ai least no information that IDA knows how to recognize). When an x86 processor type bas been selected, base address information must be specifled in the loader dïalogs Loading Segment and Loading Offset fields, as mentioned earlier. For ail other processor types, IDA displays the memory layout dialog shown in Figure 4-4. As a convenience, you may create a RAM section, a ROM section, or both and designate the address range of each. The Input File options are used to specïfy which portion of the input file (the default is the entire file) should be loaded and to which address the file content should be mapped.

IDA Database Files

When you are happy wïth your loading options and click OK to close the dialog, the real work of loading the file begins. At this point, IDAs goal is to ioad the selected executabie file into memory and to analyze the relevant portions. This results in the creation of an IDA database whose components are stored in four files, each with a base name matching the selected executable and whose extensions are .ida kil, nain, and .fil. The .idû flic contains the content of a B-tree-style database, while the id] flic contains flags that describe each program byte. The .narn file contains index information related to named program locations as displayed in IDAs Names window (discussed further in Chapter 5). Finafly, the .tilfile is used to store information concerning local type definitions specific to a given database. The formats of each of these files are proprïetary to IDA, and they are not easily edïted outside of the IDA environment.

For convenience, these four flues are archived, and optionally compressed, into a single 1DB file whenever you close your current project. When people refer to an IDA database, they are typicaily referring to the 1DB file. An uncompressed database file is usually 10 times the size of the original input binary file. When the database is closed properly, you should never see files with 1d0, kil, .nain, or tu extensions in your workïng directories. Their presence often indicates that a database was not closed properiy (for example, when IDA crashes) and that the database may be corrupt.

LOADER WARNINGS

Once a loader begins ta analyze a file, it may encourent circumstances that recuire additional user input in arder ta complote the laading process. One exemple of this occurs with PE files that have been created with PDE3 debugging information. If IDA determines that a Program Database (PDB) file may exist, you will be asked whether you want IDA ta locale and to pracess the carresponding PDB file as shawn in this message:

IDA Pro has deterrnined that the input file was linked with debug inFormation. Do you want ta look for the corresponiding PDB File ai the local synibol store and the Microsoft Symbol Server? A second exemple of a loader-generated international message accurs with obfuscated programs such as malware. Obfuscation techniques often play fast and loose with file format specifications, which con cause prablems for laaders expecting well-structured files. Knowing this, the PE loader perfores sonne validation on import tables, and if the import tables do not seem to be farmatted according ta convention, IDA will display the following message:

The imports segment seems tu be destroyed. This MAY mean that the file was packed or otherwise niodified in coter ta niake il more difficult to analyze. IF you want ta sec te irnports segment in the original fora, Pieuse reload il with the niake imports section checkbox cleared. Exemples of this errar and how ta deal with il will be covered in Chuinter 21.

It is important to understand that once a database bas been created for a given executable, IDA no longer requires access to that executable uniess you intend to use IDAs ïntegrated debugger to debug the executable ïtseif. From a security standpoint, this is a nice feature. For instance, when you are anaiyzing a nialware sampie, you can pass the associated database among analysts without passing along the malicious executable itself. There are no known cases in which an IDA database bas been used as an attack vector for malicious software.

At its heart, IDA is nothing more than a database application. New databases are created and populated automatïcally from executable files. The varions displays that IDA offers are simply views into the database that reveal information in a format useful to the software reverse engineer. Any modifications that users make to the database are reflected in the views and saved with the database, but these changes have no effect on the original executable file. The power of IDA lies in the tools it contains to analyze and manipulate the data within the database.

IDA Database Creation

Once you have chosen a file to analyze and specïfied your options, IDA mitiates the creation of a database. For this process, IDA turcs control over to the selected loader module, whose job it is to load the file from disk, parse any file-header information that it may recognize, create varïous program sections containing either code or data as specïfïed in the files headers, and, finally, identïfy specific entry points into the code belote returning control to IDA. In this regard, IDA loader modules behave much as operating system loaders behave. The IDA loader will determine a virtual memory layout based on information contaïned in the program file headers and configure the database accordingly.

Once the loader bas finished, the disassembly engine within IDA takes over and begins passing one address at a time to the selected processor module. The processor modules job is to determine the type of instruction located at that address, the length of the instruction at that address, and the location (s) at which execution can continue from that address (e.g., is the current instruction sequential or branching?). When IDA is comfortable that it bas found ail of the instructions in the file, it makes a second pass through the list of instruction addresses and asks the processor module to generate the assembly language version of each instruction for display.

Following this disassembly, IDA automatically conducts additional analysis of the binary file to extract additional information likely to be useful to the analyst. Users can expect to find some or ail of the following information incorporated into the database once IDA completes its initial analysis:

Compiler identification

It is often useful to know what compiler was used to build a piece of software. Identïfyïng the compiler that was used can help us understand function-calling conventions used in a binary as well as determine what libraries the binary may be linked with. When a file is loaded, IDA attempts to ïdentify the compiler that was used to create the input file. If the compiler can be identified, the input file is scanned for sequences of boïlerplate code known to be used by that compiler. Such functions are color coded in an effort to reduce the amount of code that needs to be analyzed.