The third method to create a database with several PE files.
C. Change segment attributes in the debugger
We start the debugger and suspend the application as in the previous method. This time, instead of using the ‘take memory snapshot’ command, we will work with the segment attributes. Let’s open the program segmentation by using View, Open subviews, Segments (the window might be hidden by other ‘on top’ windows; please make it ‘on top’ as well):
Please note the D and L columns. They mean ‘debugger’ and ‘loader’ respectively.
A debugger segment is a segment created by the debugger.
A loader segment is a segment created by the input file loader.
When the debugger is inactive, the database has only ‘loader’ segments. The debugger adds ‘debugger’ segments to the database. These segments are ephemeral and will be destroyed when the debugger stops. So, in order to preserve them in the database, all we have to do is change these bits: remove D and add L.
We can do it from the ‘edit segment’ dialog box. If we try to edit a segment, IDA displays a warning:
We will hide this message and proceed.
We remove the D attribute and add the L attribute.
This method is very flexible and allows us to save any DLL or segment in the database. To save a DLL, we need to change the attributes of all segments carrying the DLL’s name (in other words, to save ADVAPI32.DLL we have to convert every segment named advapi32.dll). The only inconvenience is that you have to edit each segment separately.
You can do it easily from the segmentation window by pressing Ctrl-E to edit the attributes of the selected line.
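The per-segment editing can be automated. The script below is an added example, not part of the original tutorial: `keep_dll()` applies the same rule (clear D, set L on every segment named after the DLL) to a plain Python model so the selection logic can be checked outside IDA, and `keep_dll_in_ida()` applies it through IDAPython’s `ida_segment` module (`getnseg`, `is_debugger_segm`, `set_debugger_segm`, `set_loader_segm`, `update_segm`). The `SFL_*` values are assumed from segment.hpp and the sample segment list is constructed.

```python
from dataclasses import dataclass

SFL_DEBUG = 0x08   # assumed value: segment created by the debugger (D column)
SFL_LOADER = 0x10  # assumed value: segment created by the loader (L column)


@dataclass
class Seg:
    """Minimal stand-in for an IDA segment: name, start address, flag bits."""
    name: str
    start: int
    flags: int


def keep_dll(segments, dll_name):
    """Turn every debugger segment named dll_name into a loader segment.

    Mutates the segments in place and returns the start addresses of the
    segments that were changed, in database order.
    """
    want = dll_name.lower()            # IDA names them e.g. advapi32.dll
    changed = []
    for seg in segments:
        if seg.name.lower() != want:
            continue
        if not seg.flags & SFL_DEBUG:
            continue                   # already a loader segment; nothing to do
        seg.flags = (seg.flags & ~SFL_DEBUG) | SFL_LOADER
        changed.append(seg.start)
    return changed


def keep_dll_in_ida(dll_name):
    """Same operation on the live database; run from IDA's Python console."""
    import ida_segment                 # only available inside IDA
    want = dll_name.lower()
    changed = []
    for i in range(ida_segment.get_segm_qty()):
        seg = ida_segment.getnseg(i)
        if ida_segment.get_segm_name(seg).lower() != want:
            continue
        if not seg.is_debugger_segm():
            continue
        seg.set_debugger_segm(False)   # remove D
        seg.set_loader_segm(True)      # add L
        ida_segment.update_segm(seg)   # write the new attributes back
        changed.append(seg.start_ea)
    return changed
```

Run `keep_dll_in_ida("advapi32.dll")` while the process is suspended; the converted segments then survive stopping the debugger.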
The segment attributes method can also be used to save an unpacked copy of a packed program to the database and continue the analysis without the debugger. Malware writers often choose to pack their creations, so this method can be used to analyze malware as well. We will discuss this topic more deeply in the near future…