New feature in IDA 6.2: The proximity browser

The new IDA Pro 6.2 release will feature a new view called the “proximity browser” (only available in the Qt version).

The proximity view


Posted in IDA Pro | 2 Comments

Book review: IDA Pro Book, 2nd Edition

A few weeks ago we received an electronic copy of the “IDA Pro Book, 2nd Edition”. In the second edition of his 26-chapter book, Chris Eagle did a good job of updating the book and covering the latest changes in IDA Pro 6.1: the IDA Qt graphical interface is illustrated in this edition (all screenshots are up to date), some chapters are slightly updated, and others have new sections that cover topics such as IDAPython, the various debugger plugins and other features.


Posted in IDA Pro | Comments Off

Recon 2011: Practical C++ Decompilation

Last month I visited the Recon conference and had a great time again. I gave a talk on C++ decompilation and how to handle it in IDA and Hex-Rays decompiler. You can get the slides here, and download the recorded talk here.

Edit: for some reason the streaming version does not show anything after the intro, please download the Quicktime version until it’s fixed.


Posted in Decompilation, IDA Pro, Uncategorized | 3 Comments

IDA Pro 6.2 with database snapshots support

The most frequently asked question we get during the IDA Pro trainings, on the support forum or via support emails is: “When will IDA Pro support the undo feature?” or “How can I undo an operation in IDA Pro?”

Our answer has always been: “Sorry, it is not possible to undo in IDA Pro” or “This feature will eventually be implemented sometime in the future”.

In this blog post, we introduce the new database snapshots feature that will be present in IDA Pro 6.2:


Posted in IDA Pro | 9 Comments

Unpacking mpress’ed PE+ DLLs with the Bochs plugin

In IDA Pro 6.1 we extended the Bochs debugger plugin to support debugging of 64-bit code snippets. With IDA Pro 6.2 it will be possible to debug PE+ executables as well. Since execution is emulated inside Bochs, a 64-bit operating system is not required: one can run a 32- or 64-bit Linux, Mac OS or Windows host and still debug 64-bit PE files from IDA Pro.

To illustrate this new feature, we are going to unpack and briefly analyze a PE+ trojan that is compressed with MPRESS from MATCODE Software. We will show how to unpack the DLL, recover the import table and clean up the database to get it ready for analysis.


Posted in IDA Pro | 4 Comments

Precompiled PySide binaries for IDA Pro

In a previous blog post we mentioned that it is possible to use IDA Pro with PySide (Python + Qt) after applying some minor code patches to PySide.

For convenience, we precompiled the PySide libraries that work with IDA Pro 6.0+ and Python 2.6/2.7. Below is a brief explanation of how to install and use those binaries.

Edit: 2012-06-29 updated links for IDA 6.3/Python 2.7


Posted in IDA Pro, IDAPython | 2 Comments

VirusTotal plugin for IDA Pro

In this blog post, we are going to illustrate how to use some of the new UI features introduced in IDA Pro 6.1 (embedded choosers, custom icons, etc.) by writing a VirusTotal reporting and file submission plugin for IDA Pro. The plugin will allow you to get reports from VirusTotal based on the MD5 of the input file or of a file of your choice, and will offer to upload the file if it has not been analyzed before.
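The lookup-then-offer-to-upload flow described above, as an added example that is not the Hex-Rays plugin's code. The VirusTotal HTTP calls are abstracted behind two assumed callables (`lookup(md5)` returning a report or None, `submit(path)` returning an analysis identifier) so the decision logic runs offline; `idaapi.get_input_file_path` is the real IDA API, used only when the script runs inside IDA.

```python
# Added example: the report-or-submit decision behind a VirusTotal plugin,
# with network access injected as callables so it can run outside IDA.
import hashlib


def file_md5(path, chunk_size=1 << 20):
    """MD5 of the file at `path`, read in chunks so large samples need not
    fit in memory. MD5 is the key VirusTotal reports are looked up by; it
    is fine as a database key but is not collision-resistant, so do not
    treat two files with equal MD5 as the same sample."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def current_input_file():
    """Path of the file loaded in IDA when run as IDAPython, None outside
    IDA (the idaapi module only exists inside the IDA process)."""
    try:
        import idaapi
    except ImportError:
        return None
    return idaapi.get_input_file_path()


def report_or_submit(path, lookup, submit, confirm=lambda p: True):
    """Fetch the existing report for the file's MD5; if there is none,
    submit the file only after `confirm(path)` agrees (the plugin asks the
    user before uploading). `lookup`, `submit` and `confirm` are assumed
    interfaces standing in for the VirusTotal client and the UI prompt."""
    digest = file_md5(path)
    report = lookup(digest)
    if report is not None:
        return {"md5": digest, "status": "known", "report": report}
    if not confirm(path):
        return {"md5": digest, "status": "declined"}
    return {"md5": digest, "status": "submitted", "id": submit(path)}


if __name__ == "__main__":
    # Constructed offline stand-ins: a one-entry "database" and a fake
    # submitter. Inside IDA, current_input_file() would supply the path.
    import os
    import tempfile

    tmp = tempfile.NamedTemporaryFile(delete=False)
    tmp.write(b"abc")
    tmp.close()
    known = {file_md5(tmp.name): {"positives": 0, "total": 1}}
    print(report_or_submit(tmp.name, known.get, lambda p: "scan-1"))
    print(report_or_submit(tmp.name, lambda m: None, lambda p: "scan-1"))
    os.unlink(tmp.name)
```

The `confirm` hook is the part worth keeping separate: uploading a sample to a third-party service discloses it, so the decision to submit should never be implicit in a lookup.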


Posted in IDA Pro, IDAPython | 5 Comments

Challenging job for software developers

We should permanently and prominently publish this ad on our site :)

We are looking for strong software engineers to join our team and participate in the development of unique software security tools. The candidates must know low-level details of modern software as well as high-level data structures and algorithms.

Requirements:

  • strong knowledge of C/C++
  • knowledge of the x86 assembler and unwillingness to use it in development
  • cross platform development (Windows/Linux/Mac) is a plus
  • knowledge of graph theory and of how compilers work is a plus
  • ability and willingness to write secure yet fast code
  • good problem solving and communication skills

If you want a challenging job in a friendly environment, please apply by sending your resume to info@hex-rays.com
Thanks!

Posted in Uncategorized | 5 Comments

When choosers invade forms

With the upcoming IDA 6.1 it will be possible to create forms that host chooser controls. This feature will be available in the Qt and text versions (not in the VCL one).


Posted in IDA Pro, Programming | 2 Comments

IDA & Qt: Under the hood

Generally speaking, most plugins for IDA can be written using only the provided SDK. The API environment provided by IDA is vast and gives the plugin writer the capability to display graphical elements such as colored text views, graphs, forms and choosers.

However, there are cases when this is not enough. In idag the developer could use the Windows/.NET environment to go beyond the limits of the IDA SDK. While this is still possible in idaq, it is not advised, as it binds the plugin's code to Windows and forces idaq to switch from alien widgets to system windows (more about that later).

Since accessing Qt from C++ requires setting up a development environment on every platform the developer wishes to deploy the plugin to, one might consider using PySide to access the Qt environment instead. The advantages of this approach are many. The first is that the code, once written, will work on every platform without additional work. Moreover, there is no need to recompile the plugin for every major Qt release deployed with idaq.

That being said, there might be cases where the developer/company needs or prefers to access the Qt framework directly from C++ and that is what is going to be covered in this article.


Posted in IDA Pro, Programming | Tagged | 4 Comments