# how to load two or more files into single IDA Pro database

a man asked me: is it possible to load two or more files into the same single IDA Pro database. for example, we have NOTEPAD.EXE and want to load two additional files: KERNEL32.DLL and NTDLL.DLL to see how they interact with each other.

as an author of “thinking in IDA Pro“, knowing her internals like my own pocket (IDA Pro is a female name and, yep, I don’t know what I might find in my pocket next time), I said: yep, it’s simple. no problem, man!

IDA Pro has linear address space emulates x86 CPU flat memory model (well, not only x86, it works with other CPUs too). the loader loads a file into virtual memory and does everything has to be done.

there is two solutions to load more files

first: we load the next file as an additional binary file (menu File, Load file, Additional binary file…). IDA Pro does nothing, just load the file, leaves us to parse all internal PE/ELF structures (I saw some IDC-scripts, written by Symantec team, but don’t remember the link). this is tedious job, so, thanks, but no thanks!

second: we use IDA Pro function: bool ida_export load_nonbinary_file (const char *original_file_name, const char *real_file_name, const char *sysdlldir, ushort _neflags, load_info_t *loader), where “loader” – result returned by load_info_t *ida_export build_loaders_list( const char *filename), – see \IDA\SDK\include\ loader.hpp. of course, we have to free the pointer with qfree function (see file pro.h).

this is all. well… since we have linear address space, we must avoid file overlapping, that means all files are supposed to have different base addresses. if they are match – we must to re-base one of them before loading (if files have relocations it’s very simple, otherwise, extremely tricky, however, it’s possible).

so, we come to plug-in, looking like this one:

void idaapi run(int arg)
{
load_info_t *ld;
warning(“plugin \”dual-load\” is called!”);

/* NOTE: KERNEL32.DLL and NTDLL.DLL has to be in the current directory!!! */
ld = build_loaders_list(“KERNEL32.DLL”);
load_nonbinary_file(“KERNEL32.DLL”, “KERNEL32.DLL”, “.”, NEF_SEGS | NEF_RSCS | NEF_NAME | NEF_IMPS | NEF_CODE, ld);
/* qfree(ld);

ld = build_loaders_list(“NTDLL.DLL”); */
load_nonbinary_file(“NTDLL.DLL”, “NTDLL.DLL”, “.”, NEF_SEGS | NEF_RSCS | NEF_NAME | NEF_IMPS | NEF_CODE, ld);
qfree(ld);
}

ok, we load notepad.exe into IDA Pro, call our plug-in and… have a fun!!! notepad.exe, kernel32.dll and ntdll.dll are loaded into the same idb-database! the only problem is: IDA Pro doesn’t create cross-references between them. I mean, if you analyze notepad.exe, move the cursor to call ds:GetModuleHandleA, press “enter” and… nothing happens! you’re into the import table of notepad.exe. and where is the export? somewhere… but, this is not a problem, really, since, we can find GetModuleHandleA in the “Names Windows” (called by Shift-F4) or write a simple IDC-script to create cross-reference between import and export, it’s like to build a bridge :-]

I think, we all have to ask Ilfak for this feature, why just don’t add it to user menu? it would be _very_ usefully.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: