Function call graph plugin sample
IDA Pro already has a function call graph facility, nonetheless it employs WinGraph32.
June 19, 2009
June 02, 2009
IDA Pro 5.5 goes alpha
After many months of work, IDA Pro 5.5 is now in alpha stage and this week the beta will be out for testing.
April 17, 2009
IDA v5.4 demo
Just a quick note for interested parties: we prepared the new demo version of IDA Pro. The new demo includes the bochs debugger. The debugger is fully functional with just one limitation: it will become inactive after a number of commands. I prefer to tell you this in advance rather than this limitation to be discovered in the middle of a heavy debugging session ;)
Here's the download link:
http://www.hex-rays.com/idapro/idadowndemo.htm
Enjoy!
February 19, 2009
Advanced Windows Kernel Debugging with VMWare and IDA's GDB debugger
We have already published short tutorial on Windows kernel debugging with IDA and VMWare on our site, but the debugging experience can still be improved.
VMWare's GDB stub is very basic, it doesn't know anything about processes or threads (for Windows guests), so for anything high-level we'll need to do some extra work. We will show how to get the loaded module list and load symbols for all them using IDAPython.
Continue reading "Advanced Windows Kernel Debugging with VMWare and IDA's GDB debugger" »
February 05, 2009
IDA Pro has 9 debugger modules
Since the number of debugger modules in IDA surpassed the magical number seven plus or minus two, we created a small table describing what is available and what is not:
http://www.hex-rays.com/idapro/debugger/index.htm
Direct links to tutorials are available here:
http://www.hex-rays.com/idapro/idasupport.htm
I know, I know - we need to add 64-bit support for all platforms, port the Bochs debugger module to Linux, and... any other suggestions? I personally would love to have source level debugging, yet it requires some substantial changes to the kernel. We probably will move in this direction, sooner or later...
January 30, 2009
Kernel debugging with IDA
When IDA introduced debugging facilities years ago, the task of analyzing hostile code became more enriched: no more looking at static code and figuring out what it does, instead just run the malware in a virtual machine and debug it remotely, even debug just a small code snippet from the database (Bochs based debugger plugin).
January 20, 2009
IDA v5.4 release is not that far away
I'm happy to inform you that we are entering the beta stage of IDA v5.4!
In addition to numerous small and not that small improvements, the new version will have three debugger modules: bochs, gdb, and windbg, selectable on the fly (the active debugger session will be closed, though ;))
- With the bochs debugger, we offer three different worlds: run-any-code-snippet facility, windows-like-environment for PE files, and any-bochs-image bare-bone machine emulation mode. You can read more about this module in our blog: http://hexblog.com/2008/11/bochs_plugin_goes_alpha.html
- With gdb, x86 and arm targets are supported. Among other things, it is possible to connect IDA to QEMU or debug a virtual machine inside VMWare. We tried it iPhone as well. However, while it works in some curcimstances, there were some problems on the gdbserver side.
- With windbg, user and kernel mode debugging is available. The debugger engine from Microsoft, which is currently the only choice for driver and kernel mode debugging, can be used from IDA. It can automatically load required PDB files and populate the listing with meaningful names, types, etc. Speaking of PDB files, IDA imports more information from them: local function variables and types are retrieved too, c++ base classes are handled, etc.
The gdb and windbg debugger modules support local and remote debugging. We tried to make the debugger modules as open as possible: target-specific commands can be sent to all backend engines in a very easy and user-friendly way.
As usual, better analysis and many minor changes have been made. If you spend plenty of time analyzing gcc generated binaries, you'll certainly appreciate that IDA handles its weird way of preparing outgoing function arguments. Now it can trace and find arguments copies to the stack with mov statements.
The new IDA will support Python out of box, thanks to Gergely Erdelyi, who kindly agreed the Python plugin to be included in the official distribution. In fact, the main IDA window will have a command line to enter any python (or other language) expressions and immediately get a result in the message window.
We will prepare the detailed list of improvements later this week.
November 21, 2008
IDA and MIPS
If you analyze MIPS binaries, you may find useful the following addition to IDA:
http://www.binary-art.net/?p=1002
This is MIPS emulator for Linux. It can generate an IDC script after emulation, which then can be applied to the database and make it more readable.
November 07, 2008
Bochs plugin goes alpha
Bochs debugger plugin is in alpha stage now, all of the 3 loaders mentioned in the previous blog entry, are now complete.
October 03, 2008
Bochs Emulator and IDA?
The next version of IDA will be released with a bochs debugger plugin, and what is nice about is that you will be able to use it easily by just downloading bochs executables and telling IDA where to find it.
August 26, 2008
The IDA Pro book
This is not the first book about IDA Pro. However, this is the first book I recommend to anyone using IDA Pro because of the following points:
- Comprehensive: it describes all major IDA features by starting at the beginning and going all the way to the end. Experienced users may be tempted to skip the first few chapters; resist this temptation and you will discover something new (I did :)
- Accurate: it is very difficult to be detailed and precise when describing such a complex product. Chris does it excellently well.
- Real: handles real world malware, packers, and obfuscated code
- No fillers: it is direct and concise
- Profound: this is not just a collection of recipes or tricks, but will give you a better understanding of the IDA architecture, thus saving you from unnecessary frustration. Knowing the limitations of your tool is just as important as knowing its capabilities.
If you want to use IDA efficiently, get your copy from No Starch Press!
UPD for numerologists: the book has exactly 640 pages, no less, no more!
August 21, 2008
Mr. Bachaalany joins Hex-Rays
I'm happy to tell you that Mr. Elias Bachaalany has joined our development team!
He is one of keenest and most knowledgeable IDA users. Elias bought his first copy of IDA long ago while he was a student. Immediately after that he contacted us with tons of questions, suggestions, ideas how to improve things, etc. While we addressed most his questions, we could not handle everything. Then he designed and implemented many free and open source scripts and plugins for IDA.
We are lucky to have him in our team. I'm sure that very soon we will see new nice features in IDA Pro created by Elias. Stay tuned!
July 23, 2008
IDA on iPhone
Good news for real iPhone fans: we ported IDA to iPhone! It can handle any application and provides the same analysis as on other platforms. It is funny to see IDA on a such small device:
July 17, 2008
Apple's variant of ptrace()
Have you ever tried to create a debugger for Mac OS X? It is an adventurous enterprise with lots of unexpected (should I say unforeseeable?) problems. This guy tried and described his adventures in this entertaining post:
His post reminded me of all problems we faced with the first version of the IDA debugger for iMac. They also reminded me of even more convoluted puzzles with the iPhone debugger because ptrace() is broken beyond any hope there (one simple rule: use only PT_TRACEME).
Anyway, if anyone wants to repeat our steps, we are giving away the source code of all debugger modules with the new IDA v5.3: iMac and iPhone debugger codes included. They can certainly help you to avoid some headache and frustration!
June 19, 2008
Recon2008
The last week I attended the Recon conference. It was a very enjoyable event, very nicely organized and handled, in a charming city (Montreal). Since I haven't seen many conferences yet, I can not really compare it to others but I think it was really great: real RE stuff with no superficial talks. You can find the slides and videos on the conference site. The following blogs describe the event in more detail:
http://dvlabs.tippingpoint.com/blog/
http://blog.trailofbits.com/2008/06/16/recon-2008-review/
There were quite a few interesting talks, I especially liked the ones about iMac and iPhone (other talks disclosed new ideas too, it is just that I'm currently working on Apple products ;))
Thanks to the conference organizers for making such an event possible! David, Hugo, Guillaume did an excellent job. Now waiting for the next recon, which will normally be held in 2010.
June 04, 2008
Testing debuggers
Software programs must be tested before put in use. When there is a single program, things are relatively simple. Running it on multiple platforms is more challenging because it requires testing all of them. But the real nightmare starts when there are multiple programs running on multiple platforms and going to a high abstract level is not an option.
This is the case with IDA debuggers. The current version supports five different variants: Win32/Win64/WinCE/Linux/iMac but the upcoming v5.3 adds Symbian and iPhone to the list.
We can not use a high level language for debuggers because the very nature of the information is low level: bits and bytes, registers and memory cells. The core of the debugger operates with some abstractions but this does not make it really impervious to low level details: each platform has its peculiarities. It is more of a disadvantage than a bonus: changing anything in debugger core could introduce a bug in any of the supported platforms, something hard to reproduce and fix.
Given all the above, we decided to spend some time on a test system. And here is the result: custom made, hardcore command line, user agnostic (or unfriendly?) but it does the job. It generates megabytes of logs and can check all debuggers: local or remote, 32 or 64 bit, single or multithreaded.
Below is a link to a short video. I'm sorry for the window size, it is really difficult to fit all windows into a small area.
One more thing I wanted to tell you: we have the iPhone debugger ready for beta testing. It was a hard job to create it, especially with the broken ptrace on iPhone. I'm still curious to know more about its implementation and limitations...
If you want to participate in beta testing of the iPhone debugger, just send us a message.
April 08, 2008
Symbian debugger
It works! There are lots of limitations but it is alive, handles breakpoints, exceptions, and even some limited tracing is available. It is possible to launch processes and attach to them. Here is just one screenshot:
Expect many limitations in the first version (no hardware bpts, limited multithread support, etc). One of the most annoying shortcomings is that the memory layout is not determined automatically - we had to introduce 'manual memory regions' window to overcome this.
Since it is a new beast and many aspects need polishing, beta testers are welcome!
March 29, 2008
Symbian AppTRK
Things are quite easy with the Symbian TRK! Today I decided to write a small program to interact with it and everything worked extremely smoothly. My driver program can download a SIS file to the phone, automatically install and run it. It reacts to debugging events and gracefully closes the connection when the application terminates. Below are just a few pictures for the curious.
March 26, 2008
Hello Symbian!
Yesterday I created my first Symbian program :) Sure enough, it was a "hello world" and to tell the truth I did not write it myself. But it still took me 3 (three) hours to get it running on Nokia E51. The good side is that I learned a lot about possible failures with Symbian applications (there are quite many of them, some of them with cryptic error messages like "install failed").
March 07, 2008
Pythonic way
A brilliant blog post by Ero Carrera: IDAPython in action:
http://blog.dkbza.org/2008/03/digging-up-system-call-ordinals.html
Just note how concise and powerful is the script!
March 04, 2008
Tricky jump tables
Just a quick post to announce that we have published a small plugin to specify jump table information. When IDA misses them, the flow charts are virtually useless - they fall apart into several loosely connected components and the logic is completely hidden. This plugin is especially useful for rarely used processors with unusual switch idioms.
The plugin and its source code can be found on our forum.
February 03, 2008
Debugger and process memory
Just a small note about the debugger plugins and events. Many users
who try to develop a plugin for the debugger notice that IDA
behaves slightly differently in the notification callbacks than anywhere else.
For example, IDA might claim that EIP points to an address without a segment, or none of exported names of a loaded DLL are available.
January 31, 2008
Jump tables
It is an endless story: regardless of how many different jump table types IDA supports, there will be a new unhandled twist. Be it the instruction scheduler, which rearranged the instructions in an unexpected manner, or the compiler, which learned a new optimization trick, it is the same for IDA: jump tables are missed and functions boundaries are wrong. What's worse, the graph view, so loved by IDA users, displays a trimmed graph without jump tables, virtually useless for any analysis.
That's why we strive to add support for new jump tables to IDA, and since it can not be done for all of them, we focus on compiler generated jump tables for popular processors. Take ARM, for example. The ARM processor module have been improved a lot in v5.2, but yet we received a report with a bunch of new patterns. So expect even better support for ARM in the near future :)
If you are interested in improving the jump table handling for a rarely used processor, here are the explanations how to do it.
October 15, 2007
IDA and Microcontrollers
If you ever used IDA to analyze embedded stuff, you would immediately notice its pc-centric nature. While any embedded SDK targets specific devices with real-world part numbers, IDA just provides you with a universal analysis framework. You are supposed to know how the device works, its idiosyncrasies, programming model, memory organization, and all other practical stuff. If there is an automatic way to determine the entry point or interrupt vectors, IDA will use it but in general you will have to find out the correct parameters yourself.
The following tutorial fills the gap for C166 (and explains many other things!):
http://andywhittaker.com/ECU/DisassemblingaBoschME755/tabid/96/Default.aspx
Thanks, Andy!
October 08, 2007
Negated structure offsets
A month ago I received a support request:
If I have an instruction like
mov eax, [edi-0ch]
and I know that that's really the sum of an offset to a structure not
at edi and the offset of a member within that structure, how do I get
IDA to display it as such without using a manual operand?
A legitimate question, which is somewhat hard to answer.
April 02, 2007
Very simple custom viewer
As promised, here is the
plugin which demonstrates how to create
a very simple custom viewer in IDA Pro. When run, it displays this text on the screen:
March 19, 2007
Dynamic coloring
IDA v5.1 introduces the notion of dynamic colors. Plugins can install a callback
which dynamically calculates colors and provides them to the user interface.
In the previous versions of IDA plugins were forced to change the item color
in the database thus overwriting any user-defined colors. The new IDA makes it possible
to calculate colors on the fly.
March 02, 2007
On batch analysis
Ever tried to run many instances of IDA simultaneously? I mean, not only one or two, but much more,
tens of them at the same time? Not everyone needs it but sometimes a whole directory must
be analyzed. Imagine you have created a plugin which finds something interesting
in binaries...
February 08, 2007
Adding cross references
Did you know that you can add your own cross-references to the listing? There are even several different methods for that:
- Open xrefs window and press Ins
- Write an IDC script
- Write a plugin
See a demo below the cut.
February 07, 2007
Does 'return' come back?
We all know that call invokes a function and ret returns to the caller. Alas, nothing is certain in the binary world. The ret instruction is quite often used for short jumps within a function. Among many other improvements in IDA v5.1 there will be a special logic to recognize and mark such pseudo-returns. I was surprised to see this graph and post it here for your amusement:
December 11, 2006
Heads and tails
Ero Carrera in his eye-catching blog talks about multi-chunk function related shortcomings in IDA Pro:
This results in that, from the disassembler point of view, one has to allow for those chunks and also for those chunks to be assigned to an arbitrary number of "owning" or parent functions.
October 24, 2006
Loop colorizer
Sometimes I need to know if the current instruction sequence belongs to a loop or not.
If it does, I'd like to know the loop boundaries. It would be nice to have the current
loop highlighted. If the highlight changes as I navigate in the listing, it would be just
great.
June 23, 2006
Simplex method in IDA Pro
In May a contest was open on Datarescue's forum:
http://www.datarescue.com/ubb/ultimatebb.php?/topic/4/375.html
There were some nice tries but nobody guessed it right. It seems Datarescue will have to repeat the contest with another question :)
If you are curious to learn the correct answer, please read on.
May 12, 2006
Linear algebra
After spending several days with a naive approach to linear algebra I can tell you: it doesn't work. Will use a third party implementation because my implementation is way too slow. My very short and elegant implementation (only 500 lines) works well for smal problems but miseralby fails with anything of substantial size. The failure means that the soluion is obtained after a noticeable period of time (1-2 seconds) which is not acceptable for a pleasant interactive experience.
If you wonder why I would need such a beast in IDA, ask yourself how it can be used. There is a chance to win a contest:
http://www.datarescue.com/ubb/ultimatebb.php?/topic/4/375.html
April 13, 2006
Sainte Ida
Apparently she was someone very pious and spiritual :)
http://nominis.cef.fr/contenus/saints_966.html
Today is her day.
IDA Pro started as a simple abbreviation but we quickly got used to the image of this nice lady (in fact the person depicted on the image is just a certain medieval lady, not a saint; not named Ida neither...).
April 11, 2006
Improving IDA analysis
For a typical MS Windows executable IDA does quite good job of recognizing code and creating functions and usually the result is eye-pleasing and easy to decipher. The analysis is quite good but not perfect - there are cases when it takes data for code or wrongly determines the function boundaries.
The good news are that there are easy methods to improve the situation.
April 02, 2006
IDA graph mode
The new IDA Pro introduces the graph mode. The disassembly of the current function is displayed as a graph: each basic block is represented as a node and cross references are represented as edges. It is easy to zoom, move, and modify the graph using the mouse, I'm sure you will just use the new interface without much difficulty. However, there are some unexpected commands which may render your life easier.
For example, the keyboard arrows can be used to move around the graph. This is something expected. But if you hold the Ctrl arrow and press the Up or Down keys, IDA will display the list of all predecessors or successors of the current node.
Double clicking on an edge with the Ctrl key pressed will jump to its destination. Alt will jump to its source.
Pressing '5' on the keypad will center the current node. If you prefer to use the mouse, try to click with the mouse wheel on a node - the clicked node will be centered.
There are many tricks like this. All this is described in minute detail in the help. It won't take long to read the graph-related pages and you will become really fast and comfortable with the graph view. I urge you to spend some 10-15 minutes reading it and playing with graphs.
IDA has more graph layout algorithms than you might think. See some of them in Dennis' blog. You can create your own layouts too (and even your own graphs of absolutely anything). Just take a look at the sample plugin in the SDK.
March 27, 2006
Coverage analyzer
Sometimes we want to perform the coverage analysis of the input file: to find areas of the program not exercised by a set of test cases. These test cases may come from a test suit or you could be trying to to find a vulnerability in the program by 'fuzzing' it. A nice feedback in the form of a list of 'not-yet-executed' instructions would be a nice addition to blind fuzzing.
February 21, 2006
Nice dynamic graph
A nice dynamic graph: relation browser.
Something similar could be used in IDA Pro for inter-function navigation. The graph nodes would be functions and static data variables, the edges would represent function calls and data accesses...
February 07, 2006
FindCrypt2
I realized that it is quite easy to make FindCrypt work with big endian programs. For that we just need to know the size of each constant array element and swap them if required. So here is the second version of FindCrypt. It introduces the following improvements:
- it works with both little and big endian programs
- it knows to reuse old slots in the bookmarks if run repeatedly
- it is fully automatic and scans each new created database. manual scan is still available
Future possible improvement: a tool which would extract constant arrays from the source code of any project. This tool can be written on perl or python and will be quite simple (we only have to handle constant array definitions in C). More sophisticated tool could also take care of type definitions like "typedef long LONG"...
For your convenience, here are links to both versions: findcrypt.zip and findcrypt2.zip
Compare them to see the differences, there aren't many!
January 30, 2006
FindCrypt
While analyzing a program quite often we want to know if it uses any crypto algorithm. Knowing the algorithm name would be useful too. Here is the plugin which can help us answer these questions.
December 20, 2005
Tracing exception handlers
Suppose our goal is to dissect a new program. The ultimate method of analysis is single stepping the program of interest. Each executed instruction must be single stepped at least once so we won't miss anything important.
December 11, 2005
The unispector
How do you spell "I love you" in Greek?...
November 27, 2005
The highlighter
Today I'll present you a pretty small yet useful plugin.
November 20, 2005
The ultimate stealth method
The last described method does not work if the application uses an "unsupported" antidebugging trick. For example, if the application directly checks the PEB field instead of calling the IsDebuggerPresent function, the method will fail. Or the application could use something else, something from the future...
November 04, 2005
Simple trick to hide IDA debugger
Quite often IDA users ask for a plugin or feature to hide the debugger
from the application. In fact there are many anti-debugging tricks and
each of them requires an appropriate reaction from the debugger, let's
start with something simple: we will make the IsDebuggerPresent
function call always return zero.
October 30, 2005
Several files in one IDB, part 4
Final method of loading several files into a database
October 25, 2005
TLS callbacks
I promised to tell you about the TLS callbacks.
Here is the discussion.
Several files in one IDB, part 3
The third method to create a database with several PE files.
October 22, 2005
Several files in one IDB, part 2
The second method to create a database with several PE files.
October 19, 2005
Several files in one IDB
IDA Pro can load one PE file into a database and analyze it. Some users assume this is the maximum. Let's take a closer look at the situation...
The IDA Pro book