As everyone knows, Google and some other companies were under a targeted attack a few days ago. A vulnerability in the Internet Explorer was used to penetrate the computers.
An IDA user very kindly sent us the following link
Continue reading Hex-Rays against Aurora
Last week we introduced the new Appcall feature in IDA Pro 5.6. Today we will talk a little about how it’s implemented and describe some of the uses of Appcall in various scenarios.
How Appcall works
Given a function with a correct prototype, the Appcall mechanism works like this:
- Save the current thread context
- Serialize the parameters (we do not allocate memory for the parameters, we use the debuggee’s stack)
- Modify the input registers in question
- Set the instruction pointer to the beginning of the function to be called
- Adjust the return address so it points to a special area where we have a breakpoint (we refer to it as control breakpoint)
- Resume the program and wait until we get an exception or the control breakpoint (inserted in the previous step)
- Deserialize back the input (only for parameters passed by reference) and save the return value
In the case of a manual Appcall, the debugger module will do all but the last two steps, thus giving you a chance to debug interactively the function in question.
When you encounter the control breakpoint:
you can issue the CleanupAppcall() IDC command to restore the previously saved thread context and resume your debugging session.
Continue reading Practical Appcall examples
In this blog entry we are going to talk about the new Appcall feature that was introduced in IDA Pro 5.6.
Briefly, Appcall is a mechanism used to call functions inside the debugged program from the debugger or your script as if it were a built-in function. If you’ve used GDB (call command), VS (Immediate window), or Borland C++ Builder then you’re already familiar with such functionality.
(Screenshot showing how we called three functions (printf, MessageBoxA, GetDesktopWindow) using IDC syntax)
Before diving in, please keep in mind that this blog entry is a short version of the full Appcall reference found here.
Continue reading Introducing the Appcall feature in IDA Pro 5.6
IDA Pro 5.6 has a new feature: automatic running of the QEMU emulator. It can be used to debug small code snippets directly from the database.
In this tutorial we will show how to dynamically run code that can be difficult to analyze statically.
As an example we will use shellcode from the article “Alphanumeric RISC ARM Shellcode” in Phrack 66.
It is self-modifying and because of alphanumeric limitation can be quite hard to undestand. So we will use the debugging feature to decode it.
Continue reading Debugging ARM code snippets in IDA Pro 5.6 using QEMU emulator
One of the new features in IDA Pro 5.6 is the possibility to write file loaders using scripts such as IDC or Python.
To illustrate this new feature, we are going to explain how to write a file loader using IDC and then we will write a file loader (in Python) that can extract shell code from malicious PDF files.
Continue reading PDF file loader to extract and analyse shellcode