We have already published short tutorial on Windows kernel debugging
with IDA and VMWare on our site, but the debugging experience can
still be improved.
VMWare’s GDB stub is very basic, it doesn’t know anything about processes or
threads (for Windows guests), so for anything high-level we’ll need
to do some extra work. We will show how to get the loaded module list
and load symbols for all them using IDAPython.
Continue reading Advanced Windows Kernel Debugging with VMWare and IDA’s GDB debugger
Since the number of debugger modules in IDA surpassed the magical number seven plus or minus two, we created a small table describing what is available and what is not:
Direct links to tutorials are available here:
I know, I know – we need to add 64-bit support for all platforms, port the Bochs debugger module to Linux, and… any other suggestions? I personally would love to have source level debugging, yet it requires some substantial changes to the kernel. We probably will move in this direction, sooner or later…
When IDA introduced debugging facilities years ago, the task of analyzing hostile code became more enriched: no more looking at static code and figuring out what it does, instead just run the malware in a virtual machine and debug it remotely, even debug just a small code snippet from the database (Bochs based debugger plugin).
Continue reading Kernel debugging with IDA
I’m happy to inform you that we are entering the beta stage of IDA v5.4!
In addition to numerous small and not that small improvements, the new version will have three debugger modules: bochs, gdb, and windbg, selectable on the fly (the active debugger session will be closed, though ;))
- With the bochs debugger, we offer three different worlds: run-any-code-snippet facility, windows-like-environment for PE files, and any-bochs-image bare-bone machine emulation mode. You can read more about this module in our blog: http://hexblog.com/2008/11/bochs_plugin_goes_alpha.html
- With gdb, x86 and arm targets are supported. Among other things, it is possible to connect IDA to QEMU or debug a virtual machine inside VMWare. We tried it iPhone as well. However, while it works in some curcimstances, there were some problems on the gdbserver side.
- With windbg, user and kernel mode debugging is available. The debugger engine from Microsoft, which is currently the only choice for driver and kernel mode debugging, can be used from IDA. It can automatically load required PDB files and populate the listing with meaningful names, types, etc. Speaking of PDB files, IDA imports more information from them: local function variables and types are retrieved too, c++ base classes are handled, etc.
The gdb and windbg debugger modules support local and remote debugging. We tried to make the debugger modules as open as possible: target-specific commands can be sent to all backend engines in a very easy and user-friendly way.
As usual, better analysis and many minor changes have been made. If you spend plenty of time analyzing gcc generated binaries, you’ll certainly appreciate that IDA handles its weird way of preparing outgoing function arguments. Now it can trace and find arguments copies to the stack with mov statements.
The new IDA will support Python out of box, thanks to Gergely Erdelyi, who kindly agreed the Python plugin to be included in the official distribution. In fact, the main IDA window will have a command line to enter any python (or other language) expressions and immediately get a result in the message window.
We will prepare the detailed list of improvements later this week.
If you analyze MIPS binaries, you may find useful the following addition to IDA:
This is MIPS emulator for Linux. It can generate an IDC script after emulation, which then can be applied to the database and make it more readable.
Bochs debugger plugin is in alpha stage now, all of the 3 loaders mentioned in the previous blog entry, are now complete.
Continue reading Bochs plugin goes alpha
The last week Elias ran a sample malware in the Bochs emulator and I was curious to see what it exactly does. So I took the unpacked version of the malware and fed it into the decompiler. It turned out to be a pretty short downloadler (different AV vendors give it different names: Lighty after the compression method, or FraudLoad, or FakeAlert, etc). Such simple code is very easy to decompile. I renamed some functions and added some
comments to it. The final text looks like this:
Continue reading From simple to complex
The next version of IDA will be released with a bochs debugger plugin, and what is nice about is that you will be able to use it easily by just downloading bochs executables and telling IDA where to find it.
Continue reading Bochs Emulator and IDA?
This is not the first book about IDA Pro. However, this is the first
book I recommend to anyone using IDA Pro because of the following points:
- Comprehensive: it describes all major IDA features
by starting at the beginning and going all the way to the end.
Experienced users may be tempted to skip the first few chapters; resist this
temptation and you will discover something new (I did 🙂
- Accurate: it is very difficult to be detailed and precise when describing
such a complex product. Chris does it excellently well.
- Real: handles real world malware, packers, and obfuscated code
- No fillers: it is direct and concise
- Profound: this is not just a collection of recipes or tricks, but will give
you a better understanding of the IDA architecture, thus saving you
from unnecessary frustration. Knowing the limitations of your tool is just as
important as knowing its capabilities.
It comes tons of code snippets, scripts, and sample modules. Programming for IDA Pro is covered
too: from simple plugins to processor modules.
If you want to use IDA efficiently, get your copy from No Starch Press!
UPD for numerologists: the book has exactly 640 pages, no less, no more!