Practical Appcall examples

Last week we introduced the new Appcall feature in IDA Pro 5.6. Today we will talk a little about how it’s implemented and describe some of the uses of Appcall in various scenarios.

How Appcall works

Given a function with a correct prototype, the Appcall mechanism works like this:

  1. Save the current thread context
  2. Serialize the parameters (we do not allocate memory for the parameters, we use the debuggee’s stack)
  3. Modify the input registers in question
  4. Set the instruction pointer to the beginning of the function to be called
  5. Adjust the return address so it points to a special area where we have a breakpoint (we refer to it as control breakpoint)
  6. Resume the program and wait until we get an exception or the control breakpoint (inserted in the previous step)
  7. Deserialize back the input (only for parameters passed by reference) and save the return value

In the case of a manual Appcall, the debugger module will do all but the last two steps, thus giving you a chance to debug interactively the function in question.
When you encounter the control breakpoint:

you can issue the CleanupAppcall() IDC command to restore the previously saved thread context and resume your debugging session.

Continue reading Practical Appcall examples

Introducing the Appcall feature in IDA Pro 5.6

In this blog entry we are going to talk about the new Appcall feature that was introduced in IDA Pro 5.6.
Briefly, Appcall is a mechanism used to call functions inside the debugged program from the debugger or your script as if it were a built-in function. If you’ve used GDB (call command), VS (Immediate window), or Borland C++ Builder then you’re already familiar with such functionality.


(Screenshot showing how we called three functions (printf, MessageBoxA, GetDesktopWindow) using IDC syntax)

Before diving in, please keep in mind that this blog entry is a short version of the full Appcall reference found here.

Continue reading Introducing the Appcall feature in IDA Pro 5.6

Debugging ARM code snippets in IDA Pro 5.6 using QEMU emulator

Introduction

IDA Pro 5.6 has a new feature: automatic running of the QEMU emulator. It can be used to debug small code snippets directly from the database.
In this tutorial we will show how to dynamically run code that can be difficult to analyze statically.

Target

As an example we will use shellcode from the article “Alphanumeric RISC ARM Shellcode” in Phrack 66.
It is self-modifying and because of alphanumeric limitation can be quite hard to undestand. So we will use the debugging feature to decode it.

Continue reading Debugging ARM code snippets in IDA Pro 5.6 using QEMU emulator

PDF file loader to extract and analyse shellcode

One of the new features in IDA Pro 5.6 is the possibility to write file loaders using scripts such as IDC or Python.
To illustrate this new feature, we are going to explain how to write a file loader using IDC and then we will write a file loader (in Python) that can extract shell code from malicious PDF files.

Continue reading PDF file loader to extract and analyse shellcode