Book review: IDA Pro Book, 2nd Edition

A few weeks ago we received an electronic copy of the “IDA Pro Book, 2nd Edition”. In the second edition of his 26 chapters book, Chris Eagle did a good job updating the book and covering the latest changes in IDA Pro 6.1: the IDA Qt graphical interface is illustrated in this edition (all screenshots are up to date), some chapters are slightly updated whereas some have new sections that cover topics such as IDAPython, various debugger plugins and other features.

Continue reading Book review: IDA Pro Book, 2nd Edition

IDA Pro 6.2 with database snapshots support

The most frequently asked question we get during the IDA Pro trainings, on the support forum or via support emails is: “When will IDA Pro support the undo feature?” or “How can I undo an operation in IDA Pro”.

Our answer has always been: “Sorry, it is not possible to undo in IDA Pro” or “This feature will eventually be implemented sometime in the future”.

In this blog post, we introduce the new database snapshots feature that will be present in IDA Pro 6.2:

snap_man

Continue reading IDA Pro 6.2 with database snapshots support

Unpacking mpress’ed PE+ DLLs with the Bochs plugin

In IDA Pro 6.1 we extended the Bochs debugger plugin to support debugging of 64bit code snippets. With IDA Pro 6.2 it will be possible to debug PE+ executables as well. Since the execution will be emulated inside Bochs, a 64bit operating system is not required and one could be equally running a 32 or 64bit Linux, Mac OS or Windows operating system and still be able to debug 64bit PE files from IDA Pro.

To illustrate this new feature, we are going to unpack and briefly analyze a PE+ trojan that is compressed with MPRESS from MATCODE Software.We will illustrate how to unpack the DLL, recover the import table and cleanup the database to get it ready for analysis.

bochs_options

Continue reading Unpacking mpress’ed PE+ DLLs with the Bochs plugin

Precompiled PySide binaries for IDA Pro

In a previous blog post we mentioned that it is possible to use IDA Pro with PySide (Python + Qt) after applying some minor code patches to PySide.

For convenience purposes, we precompiled the PySide libraries that work with IDA Pro 6.0+ and Python 2.6/2.7. Below is a brief explanation on how to install and use those binaries.

Edit: 2012-06-29 updated links for IDA 6.3/Python 2.7

Continue reading Precompiled PySide binaries for IDA Pro

VirusTotal plugin for IDA Pro

In this blog post, we are going to illustrate how to use some of the new UI features introduced in IDA Pro 6.1 (embedded choosers, custom icons, etc…) by writing a VirusTotal reporting and file submission plugin for IDA Pro. The plugin will allow you to get reports from VirusTotal based on the input file MD5 or a file of your choice. The plugin will offer to upload the file if the file was not analyzed before.

vt_ui_dlg

Continue reading VirusTotal plugin for IDA Pro

Calculating API hashes with IDA Pro

Many times when debugging malware you discover that the malware does not import any function, replaces API names by hashes and tries to resolve the addresses by looking up which API name has the desired hash!

In this blog post we are going to demonstrate how to use IDA Pro to solve this problem and uncover all API hashes.

hash_calc

Continue reading Calculating API hashes with IDA Pro