Kernel debugging with IDA Pro / Windbg plugin and VirtualKd

The other day we received an email support question asking if IDA Pro / Windbg debugger plugin works with VirtualKd, a tool that allows speeding up (up to 45x) Windows kernel module debugging using VMWare and VirtualBox virtual machines. After we installed and experimented with VirtualKd, our answer was “yes, certainly”. This blog entry aims …

Hex-Rays Microcode API vs. Obfuscating Compiler

This is a guest entry written by Rolf Rolles from Mobius Strip Reverse Engineering. His views and opinions are his own, and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to him. In this entry, we’ll investigate an in-the-wild malware sample that was compiled by an obfuscating …

IDAPython: wrappers are only wrappers

Intended audience: IDAPython developers who enjoy the occasional headache, leaky abstraction enthusiasts, or simply the curious. TL;DR: IDAPython wraps C++ types, and the lifecycle of C++ objects (and in particular members of larger objects) is not necessarily the same as that of the Python wrapper object that is wrapping it. The problem: One of our …

IDA Dalvik debugger: tips and tricks

One of the new features of IDA 6.6 is the Dalvik debugger, which allows us to debug Dalvik binaries on the bytecode level. Let us see how it can help when analysing Dalvik files. Encoded strings Let us consider the package with the encrypted strings: STRINGS:0001F143 unk_1F143:.byte 0x30 # 0 # DATA XREF: STR_IDS:off_70 STRINGS:0001F144 …

IDA Pro 6.2 with database snapshots support

The most frequently asked question we get during the IDA Pro trainings, on the support forum or via support emails is: “When will IDA Pro support the undo feature?” or “How can I undo an operation in IDA Pro?”. Our answer has always been: “Sorry, it is not possible to undo in IDA Pro” or …

Practical Appcall examples

Last week we introduced the new Appcall feature in IDA Pro 5.6. Today we will talk a little about how it’s implemented and describe some of the uses of Appcall in various scenarios. How Appcall works: Given a function with a correct prototype, the Appcall mechanism works like this: Save the current thread context; Serialize …

Introducing the Appcall feature in IDA Pro 5.6

In this blog entry we are going to talk about the new Appcall feature that was introduced in IDA Pro 5.6. Briefly, Appcall is a mechanism used to call functions inside the debugged program from the debugger or your script as if it were a built-in function. If you’ve used GDB (call command), VS (Immediate …

IDA Pro 5.5 and Hex-Rays 1.1 have been released!

IDA Pro 5.5: We are happy to announce a new version of IDA Pro! The major news is the new docking user interface. There are many other improvements: processor modules, file formats, analysis tweaks, well, the usual stuff. There is a new MS Windows Crash Dump Loader and improved Bochs debugger. The complete list of …