Windows Malware Analysis Essentials

By: Victor Marak

Getting to know IDA Pro


With the tools covered so far, you should have a good idea of the toolchain required for static analysis. Let us now introduce IDA Pro (the Interactive Disassembler) from Hex-Rays. The IDA Pro Book by Chris Eagle is a solid reference and guide for building mastery of IDA Pro and of reverse engineering in general. Since there is little value in regurgitating all of the IDA Pro-specific material, and given the space constraints, we will go over the most often-used features of IDA Pro and build familiarity with the tool.

Upon opening a binary executable in IDA Pro (drag and drop it onto the IDA window, or use File | Open), the Load a new file dialog pops up:

IDA Pro parses and identifies the binary format and proposes the matching loader, here Portable executable for 80386 (PE) [pe.ldw]. The Binary file option is for when you are working with a raw dump that has no recognizable header. By default the PE header itself is not mapped into the database; if you need to work with the PE headers and the resources, choose Manual load and answer Yes for each section as it is offered in turn.
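What the loader reads at this point is the PE header and its section table. The following is an added example, not code from the book or from IDA: a minimal PE section-table parser over a constructed, headers-only PE32 image (the section names, addresses and sizes are made up for the illustration). It also maps a virtual address of the kind shown in the IDA view back to the file offset you would see in the hex view, and distinguishes a section's virtual span from the bytes actually backed by the file.

```python
# Added example: minimal PE header / section-table parser (not IDA's loader).
# The sample image is constructed: headers only, no real code or data.
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINES = {0x14C: "i386", 0x8664: "AMD64"}


def parse_pe(data):
    """Return machine, PE32/PE32+, image base, entry point RVA and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header: this is a job for the Binary file loader")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER, 20 bytes
    machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x10B:                                   # PE32: ImageBase is a DWORD at +28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                 # PE32+: ImageBase is a QWORD at +24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40                    # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize, "chars": chars})
    return {"machine": MACHINES.get(machine, f"{machine:#x}"),
            "format": "PE32" if magic == 0x10B else "PE32+",
            "image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def classify_section(sec):
    """Rough split the way an analyst thinks about sections: code, resources, data, other."""
    if sec["name"] == ".rsrc":
        return "resources"
    if sec["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        return "code"
    if sec["chars"] & IMAGE_SCN_CNT_INITIALIZED_DATA:
        return "data"
    return "other"


def va_to_file_offset(pe, va):
    """Map an address as shown in the IDA view to the file offset shown in the hex view.
    Returns None for the header area, unmapped addresses, and the zero-filled part of a
    section whose VirtualSize exceeds its SizeOfRawData (not backed by file bytes)."""
    rva = va - pe["image_base"]
    for sec in pe["sections"]:
        if sec["va"] <= rva < sec["va"] + max(sec["vsize"], sec["rawsize"]):
            delta = rva - sec["va"]
            return sec["rawptr"] + delta if delta < sec["rawsize"] else None
    return None


def build_sample_pe():
    """Constructed PE32 image (headers only): .text, .data and .rsrc sections."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = bytearray(0xE0)                                        # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic
    struct.pack_into("<I", opt, 16, 0x1200)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, len(opt), 0x0102)

    def sec(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    table = (sec(b".text", 0x800, 0x1000, 0x800, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
             + sec(b".data", 0x300, 0x2000, 0x200, 0xC00, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
             + sec(b".rsrc", 0x400, 0x3000, 0x400, 0xE00, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ))
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(f"{pe['format']} {pe['machine']} base={pe['image_base']:#x} entry={pe['image_base'] + pe['entry_rva']:#x}")
    for s in pe["sections"]:
        print(f"{s['name']:8s} va={s['va']:#07x} vsize={s['vsize']:#06x} raw={s['rawptr']:#06x}+{s['rawsize']:#06x} {classify_section(s)}")
    print(f"0x401234 -> file offset {va_to_file_offset(pe, 0x401234):#x}")
```

The zero-filled case is the one worth remembering when you synchronize the hex view with the IDA view: an address inside .data's virtual span but beyond its raw size has no file bytes behind it, so no hex offset corresponds to it.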

IDA Pro has two main views for working with disassembly listings, Text mode and Graph mode, and the Spacebar toggles between them. Graph overview is a bird's eye view of the current function graph. Other tabs of significance include Imports and Exports (the latter is relevant for DLLs and for the uncommon EXE that exports symbols). The IDA View-A and Hex View-A tabs can be synchronized (right-click in the hex view | Synchronize with | IDA View-A) so that selecting an offset in the hex view highlights the corresponding disassembly in the IDA view, and vice versa. Additional disassembly views can be opened via View | Open subviews | Disassembly.

Strings are listed in a separate view, the Strings window, invoked with Shift + F12 or via View | Open subviews | Strings (Ctrl + F12 is the Function calls graph, not the strings list). From the Options menu, the ASCII string style dialog (Alt + A; called String literals in newer IDA versions) provides the string interpretation settings, such as C-style, Pascal-style, and Unicode strings.

You can comment the disassembly by pressing ; (a repeatable comment, which is echoed at every cross reference to that line) or : (a regular comment) and typing the comment in the pop-up text box.

You can redefine how a region of bytes is interpreted: press U to undefine code, functions, or data; C to tell IDA Pro to disassemble the selected bytes as code; D to turn them back into data (repeated presses cycle through byte, word, and dword); and A to define the raw bytes as an ASCII string.

Right-clicking on a numeric operand in the IDA view lets you change its radix between hexadecimal (H), decimal, binary (B), octal (Q), and character (R), and apply a bitwise NOT or a 2's complement (change sign) to the value. The Use standard symbolic constant option (M) opens a dialog where you can pick a named constant from the comprehensive collection in IDA's type libraries, for instance turning a raw 40h into PAGE_EXECUTE_READWRITE.

Quick view (Ctrl + 1) pops up a linear list of the available views, from which you can open additional ones.

The Functions view lists all functions detected in the binary, with the function name, segment, start offset, and length in bytes. A set of flags denotes function attributes (R/F/L/S/B/T): R returns, F far, L library, S static, B BP-based frame, T type information available. Library functions (L) are compiler or runtime code recognized by FLIRT; they can be marked for a vulnerability analysis of the runtime, but are normally skipped during malware analysis, since your primary goal is the malware payload(s). Right-click and choose Edit function to open a dialog box with the editable parameters, where you can, among other things, set the function to use a BP-based frame or an SP-based frame.

The frame pointer delta covers the case where the stack pointer does not sit at the value the frame setup would suggest and is at a further offset from the original stack frame; IDA Pro does its best to resolve such scenarios, but you can amend an errant stack analysis on the basis of your own analysis of the stack delta, entered in hexadecimal.
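What IDA is tracking here is the value of ESP relative to function entry at every instruction, which is what lets it turn [esp+4] or [ebp+8] into a var_ or arg_ name. The following is an added example, not IDA's algorithm and not code from the book: a toy stack-pointer tracker over three constructed 32-bit listings. The "purge" field in each instruction tuple is the number of argument bytes the callee removes (the stdcall convention); the third listing is the second one as IDA would see it if it wrongly took the callee for cdecl, which is exactly the situation in which ESP is not back at zero at the ret and the analysis needs correcting.

```python
# Added example: toy reconstruction of stack-pointer tracking for frame analysis.
# Not IDA's implementation; the instruction listings below are constructed samples.
import re

MEM_RE = re.compile(r"\[(esp|ebp)([+-]0x[0-9a-fA-F]+|[+-]\d+)?\]")


def describe_slot(rel):
    """Name an entry-ESP-relative slot IDA-style: 0 is the return address, arg_0 the
    first dword above it; anything below is a local or a saved register."""
    if rel == 0:
        return "return address"
    if rel > 0:
        return f"arg_{rel - 4:X}"
    return f"local/saved reg at entry-{-rel:#x}"


def trace_stack(insns):
    """insns: list of (mnemonic, operands, purge) for one 32-bit function.
    ESP at entry is delta 0 and points at the return address.
    Returns ([(index, delta_before, text, resolved_operands)], warnings)."""
    delta, bp_delta = 0, None
    rows, warnings = [], []
    for idx, (mnem, ops, purge) in enumerate(insns):
        text = f"{mnem} {ops}".strip()
        resolved = []
        for m in MEM_RE.finditer(ops):                 # resolve [esp+N] / [ebp+N] operands
            disp = int(m.group(2), 0) if m.group(2) else 0
            if m.group(1) == "esp":
                base = delta
            elif bp_delta is not None:
                base = bp_delta
            else:
                warnings.append(f"#{idx} {text}: EBP used before 'mov ebp, esp'")
                continue
            resolved.append((m.group(0), describe_slot(base + disp)))
        rows.append((idx, delta, text, resolved))
        flat = ops.replace(" ", "")                    # now apply the instruction's effect on ESP
        if mnem == "push":
            delta -= 4
        elif mnem == "pop":
            delta += 4
        elif mnem == "sub" and flat.startswith("esp,"):
            delta -= int(flat.split(",")[1], 0)
        elif mnem == "add" and flat.startswith("esp,"):
            delta += int(flat.split(",")[1], 0)
        elif mnem == "mov" and flat == "ebp,esp":
            bp_delta = delta                           # BP-based frame established
        elif mnem == "leave":
            if bp_delta is None:
                warnings.append(f"#{idx} leave without a BP-based frame")
            else:
                delta = bp_delta + 4                   # mov esp, ebp ; pop ebp
        elif mnem == "call":
            delta += purge                             # callee-cleaned argument bytes
        elif mnem == "ret" and delta != 0:
            warnings.append(f"#{idx} ret: ESP is {delta:+#x} relative to entry; "
                            "correct the call's purge or the frame delta via Edit function")
    return rows, warnings


BP_BASED = [
    ("push", "ebp", 0), ("mov", "ebp, esp", 0), ("sub", "esp, 0x10", 0), ("push", "esi", 0),
    ("mov", "esi, [ebp+8]", 0),          # first argument
    ("mov", "eax, [esp+4]", 0),          # a local, addressed through ESP
    ("push", "0", 0), ("push", "esi", 0),
    ("call", "sub_401000", 8),           # stdcall callee removes 8 bytes of arguments
    ("pop", "esi", 0), ("leave", "", 0), ("ret", "", 0),
]
SP_BASED = [
    ("sub", "esp, 0x10", 0), ("push", "esi", 0),
    ("mov", "esi, [esp+0x18]", 0),       # first argument, reached through ESP
    ("push", "esi", 0),
    ("call", "sub_401000", 4),           # stdcall callee removes 4 bytes
    ("pop", "esi", 0), ("add", "esp, 0x10", 0), ("ret", "", 0),
]
# SP_BASED as seen by an analysis that wrongly assumes the callee is cdecl (purge 0).
SP_BASED_MISANALYZED = [(m, o, 0) if m == "call" else (m, o, p) for m, o, p in SP_BASED]


def print_trace(insns):
    rows, warnings = trace_stack(insns)
    for idx, delta, text, resolved in rows:
        notes = "  ".join(f"{op} -> {what}" for op, what in resolved)
        print(f"{idx:2d}  sp={f'{delta:+#x}':>6}  {text:22s} {notes}")
    for w in warnings:
        print("WARNING", w)


if __name__ == "__main__":
    for listing in (BP_BASED, SP_BASED, SP_BASED_MISANALYZED):
        print_trace(listing)
        print()
```

Note that the BP-based listing is robust against the same mistake: leave restores ESP from EBP regardless of how many bytes the callee purged, which is why misanalyzed stack deltas show up far more often in SP-based (frame-pointer-omitted) functions, and why the SP-based/BP-based setting in Edit function matters.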

A particularly useful setting for a more informative disassembly is the number of opcode bytes shown alongside each instruction: Options | General | IDA Options | Disassembly tab | Number of opcode bytes. A value of 6 is a good compromise and covers most instruction encodings on x86/x64 (the maximum legal instruction length is 15 bytes).

The File | Load file | FLIRT signature file menu item lists the available compiler and library signatures, which can be applied to the disassembly in order to sift out the boilerplate and standard known code and focus on the malware-specific code. FLIRT stands for Fast Library Identification and Recognition Technology; it is how IDA Pro name-tags vendor-specific compiler output and library routines, by matching signatures derived from the reference libraries against the loaded disassembly.

You can choose one signature file at a time and press OK to have it applied to the database.
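To make the mechanism concrete, here is an added example of how signature-based library recognition works in principle. It is not a parser for IDA's real .sig format and not code from the book: a signature is a byte pattern for the start of a function, in which relocated or variant bytes (call displacements, immediates) are wildcards, plus a CRC over a fixed number of bytes that follow the pattern, so that two functions sharing the same compiler prologue but differing later are told apart. All bytes below are constructed and do not come from any real library or malware sample; the signature names are made up.

```python
# Added example: FLIRT-style library signature matching (simplified illustration,
# not IDA's .sig format). All bytes and names below are constructed.
from dataclasses import dataclass


def crc16_ccitt(data, crc=0xFFFF):
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF, MSB first), used here to fingerprint
    the bytes that follow the wildcarded pattern."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: tuple      # byte values, or None for a wildcard (variant) byte
    crc_len: int        # number of bytes after the pattern covered by the CRC
    crc: int


def make_signature(name, reference, variant_offsets, pattern_len):
    """Derive a signature from a reference copy of a library function.
    variant_offsets are pattern positions holding relocations or immediates."""
    pattern = tuple(None if i in variant_offsets else reference[i] for i in range(pattern_len))
    tail = reference[pattern_len:]
    return Signature(name, pattern, len(tail), crc16_ccitt(tail))


def pattern_to_text(pattern):
    return " ".join("??" if b is None else f"{b:02X}" for b in pattern)


def matches_at(sig, buf, off):
    """Wildcard-aware pattern compare at off, then CRC check of the following bytes."""
    end = off + len(sig.pattern) + sig.crc_len
    if end > len(buf):
        return False
    for i, want in enumerate(sig.pattern):
        if want is not None and buf[off + i] != want:
            return False
    return crc16_ccitt(buf[off + len(sig.pattern):end]) == sig.crc


def apply_signatures(buf, function_starts, sigs):
    """Return {function_start: library name} for every recognized function."""
    found = {}
    for start in function_starts:
        for sig in sigs:
            if matches_at(sig, buf, start):
                found[start] = sig.name
                break
    return found


# Constructed reference bytes. A CRT-like routine: push ebp / mov ebp,esp / sub esp,0Ch /
# push ebx,esi,edi / mov edi,[ebp+8] / test edi,edi / jz / call rel32 / epilogue / ret.
LIB_ROUTINE_REF = bytes.fromhex(
    "55 8B EC 83 EC 0C 53 56 57 8B 7D 08 85 FF 74 05 E8 11 22 33 44 5F 5E 5B 8B E5 5D C3")
# A small stub: push 0 / push imm32 / call rel32 / pop ecx / pop ecx / ret.
LIB_STUB_REF = bytes.fromhex("6A 00 68 10 20 40 00 E8 00 00 00 00 59 59 C3")

SIGNATURES = [
    # first 21 bytes are the pattern; offsets 17..20 hold the call's rel32 and are wildcards
    make_signature("_lib_copy_routine", LIB_ROUTINE_REF, {17, 18, 19, 20}, 21),
    # offsets 3..6 (imm32) and 8..11 (rel32) are wildcards; CRC covers 59 59 C3
    make_signature("_lib_register_stub", LIB_STUB_REF, {3, 4, 5, 6, 8, 9, 10, 11}, 12),
]


def build_sample_image():
    """Three 32-byte slots: the library routine with a different relocation, a malware
    routine that shares the same prologue but has a different body, and the stub."""
    def pad(b):
        return b + b"\xCC" * (32 - len(b))
    lib_copy = LIB_ROUTINE_REF[:17] + bytes.fromhex("77 77 77 77") + LIB_ROUTINE_REF[21:]
    malware = LIB_ROUTINE_REF[:17] + bytes.fromhex("AA BB CC DD") + bytes.fromhex("5F 5E 5B 33 C0 5D C3")
    return pad(lib_copy) + pad(malware) + pad(LIB_STUB_REF)


FUNCTION_STARTS = [0x00, 0x20, 0x40]

if __name__ == "__main__":
    image = build_sample_image()
    for sig in SIGNATURES:
        print(f"{sig.name:20s} {pattern_to_text(sig.pattern)}  crc16={sig.crc:04X} over {sig.crc_len} bytes")
    hits = apply_signatures(image, FUNCTION_STARTS, SIGNATURES)
    for start in FUNCTION_STARTS:
        print(f"sub_{start:04X}: {hits.get(start, '<not library code: analyze>')}")
```

The second slot is the instructive one: it shares 21 bytes of prologue with the library routine, so a pattern-only match would mark it as library code and you would skip the malware's own function; the CRC over the bytes after the pattern is what prevents that false positive. The converse failure, a library routine that goes unrecognized because the signature set does not match the compiler version, is why the signature list offers several versions of the same runtime.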

File | Produce file | Create ASM file and Create LST file are two handy options for taking a text dump out of IDA Pro: the LST listing file and the ASM assembler dump. Their uses are myriad, from feeding automation to manual note taking. If you have ever had the privilege of working with earlier disassemblers such as W32Dasm, you will feel right at home with this text dump format.

Knowing your bearings in IDA Pro

Navigation is intuitive and is mainly done by double-clicking and by scrolling with the scrollbars or the mouse wheel. Pressing Esc returns to the previously visited address (and Ctrl + Enter moves forward again). Links (subroutine names and memory offsets such as jxx/call destinations and loc_XXXX labels) and the Code XREF and Data XREF comments (cross references to the code or data that refers to the current item, such as the instructions that reference a given string) are the primary way to navigate through code in IDA Pro; double-clicking on them takes you to the referencing item.

You can navigate through the history using the back and forward toolbar buttons, and view the items held in the history buffer via their drop-down arrows. Alternatively, to go to a specific address, press G and type the virtual address or a named location in the box.

The navigation band is a distinctive IDA Pro control: a color-coded map of the entire address space of the database, shown as a strip along the top of the window.

The yellow marker hanging from the top of the band represents the current location in the IDA view. In the default color scheme, teal bands represent FLIRT-recognized library code, light pink denotes the imports (external symbols), gray is defined data, brownish and olive bands are instructions outside any function and unexplored bytes, and dark blue represents regular (user) code.

Pressing F12 (Flow chart) draws the control-flow graph of the current function, and Ctrl + F12 (Function calls) draws the call graph around it; both give an overview of the call sequences and possible pathways via cross references.

From the Graph menu, or the right-click context menu on a function in the disassembly, the Xrefs from item graphs all cross references (calls to other functions and to library routines) branching out from the current function; Xrefs to does the converse and shows everything that reaches it.

Hooking up with IDA Pro

The following image shows the IDA Pro Plugins group under Edit | Plugins:

Quite a few plugins are bound to a keyboard shortcut within IDA, such as the x86 Emulator plugin (Alt + F8) and zynamics BinDiff (Ctrl + 6).

The Hex-Rays Decompiler is a plugin that cooks up C-like pseudocode from the disassembly. Place the cursor inside the function of interest and press F5.

To use zynamics BinDiff, copy the plugin files from its installation to the IDA Pro plugins folder. Thereafter, upon restarting IDA Pro, the plugin appears in the Plugins menu. Pressing Ctrl + 6 brings up the Diff database dialog, where you select the secondary database to compare against the one currently loaded in IDA Pro. The statistics and the listings of matched and unmatched functions open in new tabs.

Thereafter, to view a flow graph in the zynamics GUI from within IDA Pro, press Ctrl + E; this opens the BinDiff GUI with the flow graphs of the selected function pair loaded for a structural and semantic comparison.

In the preceding figure, the Matched Functions tab displays the post-analysis parameters: EA primary (the function's effective address in the first file), EA secondary, similarity, and confidence. The last two are normalized to the range 0.00 to 1.00, with higher values reflecting a better match. The remaining columns give the matching algorithm used and its statistics, such as the number of instructions and edges considered by the detection algorithms (edge flow graph MD index, hash matching, call reference matching, edge call graph MD index, and edge proximity MD index, among others).

The zynamics BinDiff GUI, invoked from the IDA plugin interface, presents a dual-pane view for side-by-side comparison of the call graphs and flow graphs, with a plethora of graph analysis options. It is highly recommended for complex malware analysis, pattern matching, signature creation, and analysis of variants of a family.

Chris Eagle's x86 Emulator is certainly worth a look. The Step, Skip, Run, Run to cursor, and Jump to cursor buttons and the registers pane work much like a debugger's. Heap and stack memory can be emulated, and emulated memory can be dumped to disk, which is useful for manual unpacking. Breakpoints can be added and removed, with a real-time display in the IDA Pro view; function return values can be emulated; and threads can be switched.

The Bochs debugger, selectable from the Debugger menu, is a welcome addition for emulated dynamic analysis.