Archive for the IDA-Pro tips-n-tricks Category

# thinking in IDA Pro – how to obtain a copy

Posted in IDA-Pro tips-n-tricks on May 5, 2008 by souriz

wow! I see some ppl ask google for “thinking in IDA Pro” and feel obliged to say: this book was written in Russian and never translated to English. the exact name is “образ мышления – IDA” (obraz mishleniya – IDA). it’s quite obsolete now, however, if you know Russian and don’t mind downloading less than a megabyte – welcome to

I’m going to write the new one, so… follow the news!

# other solutions: how to load two or more files into the same IDA-Pro database

Posted in IDA-Pro tips-n-tricks on May 1, 2008 by souriz

Ilfak describes three ways to load several files into one IDB.

first solution: use the pe_dlls.idc IDC-script, written by Atli Mar Gudmundsson (the original link is broken, was fixed, and then broken again. so, download it from OpenRCE). this is a really good script. guess what it does? well, it loads all DLLs used by the main file and supports recursive loading. wow! it’s easy-to-use and reliable. but… it works with PE files only, and what if I want to load an ELF, or two NT-drivers, or linux kernel modules?! my plug-in handles this, coz it uses the IDA loaders, so it supports every format supported by IDA. however, I still recommend pe_dlls.idc to you, since, well, I just love it.

second solution: Ilfak tells us: use the debugger and take a memory snapshot. very well! everyone knows this trick and does it almost every day. this is the best way to analyze a packed file – just run the program, dump it with your favorite dumper and disassemble the dump. don’t care about restoring the import table or something like that. the dumped program might be unable to run, but it’s quite enough to analyze it. however, this strategy doesn’t work with tricky protections, nor with drivers.

third solution: the IDA debugger is involved. what can I say?! theoretically, we can get an accurate dump, including only those DLLs we need, however, IDA has an _extremely_ “weak” debugger and almost any protection is able to defeat it. how are we supposed to analyze malware packed with modern protectors?! I simply don’t know. this is not my way. this is a very restricted way (is it possible to load drivers or something like that?!). the answer is no.

so, use my plug-in. it’s really simple, useful and supports every file-format supported by IDA. it also allows loading user-land and kernel-land files at the same time.

# how to load two or more files into single IDA Pro database

Posted in IDA-Pro tips-n-tricks on May 1, 2008 by souriz

a man asked me: is it possible to load two or more files into the same single IDA Pro database? for example, we have NOTEPAD.EXE and want to load two additional files, KERNEL32.DLL and NTDLL.DLL, to see how they interact with each other.

as the author of “thinking in IDA Pro”, knowing her internals like my own pocket (IDA Pro is a female name and, yep, I don’t know what I might find in my pocket next time), I said: yep, it’s simple. no problem, man!

IDA Pro has a linear address space that emulates the x86 CPU flat memory model (well, not only x86, it works with other CPUs too). the loader loads a file into this virtual memory and does everything that has to be done.

there are two ways to load more files:

first: we load the next file as an additional binary file (menu File, Load file, Additional binary file…). IDA Pro does nothing but load the raw bytes, leaving us to parse all internal PE/ELF structures ourselves (I saw some IDC-scripts for this, written by the Symantec team, but don’t remember the link). this is a tedious job, so, thanks, but no thanks!

second: we use the IDA Pro function bool ida_export load_nonbinary_file(const char *original_file_name, const char *real_file_name, const char *sysdlldir, ushort _neflags, load_info_t *loader), where “loader” is the result returned by load_info_t *ida_export build_loaders_list(const char *filename) – see \IDA\SDK\include\loader.hpp. of course, we have to free that pointer with the qfree function (see file pro.h).

this is all. well… since we have a single linear address space, we must avoid file overlapping, which means all files are supposed to have different base addresses. if they match – we have to re-base one of them before loading (if the files have relocations it’s very simple, otherwise extremely tricky, however, it’s possible).

so, we come to a plug-in looking like this one:

```cpp
#include <ida.hpp>
#include <loader.hpp>   /* build_loaders_list, load_nonbinary_file, NEF_* */
#include <kernwin.hpp>  /* warning() */

/* load one extra file with the loader IDA itself would pick for it */
static bool load_extra(const char *name)
{
  load_info_t *ld = build_loaders_list(name);   /* NULL if no loader accepts the file */
  if ( ld == NULL )
    return false;
  bool ok = load_nonbinary_file(name, name, ".", NEF_SEGS | NEF_RSCS | NEF_NAME | NEF_IMPS | NEF_CODE, ld);
  qfree(ld);                                    /* the list is ours to free, see pro.h */
  return ok;
}

void idaapi run(int arg)
{
  warning("plugin \"dual-load\" is called!");
  /* NOTE: KERNEL32.DLL and NTDLL.DLL have to be in the current directory!!! */
  load_extra("KERNEL32.DLL");
  load_extra("NTDLL.DLL");
}
```

ok, we load notepad.exe into IDA Pro, call our plug-in and… have fun!!! notepad.exe, kernel32.dll and ntdll.dll are loaded into the same idb-database! the only problem is: IDA Pro doesn’t create cross-references between them. I mean, if you analyze notepad.exe, move the cursor to call ds:GetModuleHandleA, press “enter” and… nothing happens! you’re in the import table of notepad.exe. and where is the export? somewhere… but this is not a problem, really, since we can find GetModuleHandleA in the “Names window” (called by Shift-F4) or write a simple IDC-script to create cross-references between import and export; it’s like building a bridge :-]
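such a bridge script, as an added example for this post (it is not the post’s own code, and it uses the old IDC API of that era). it assumes that every import slot in notepad’s import segment carries the export’s name, optionally with an “__imp_” prefix, and that the exported function in the loaded DLL kept its own name; if IDA had to rename one of them on conflict, adjust the lookup. put the cursor anywhere inside notepad’s import segment and run it:

```idc
#include <idc.idc>

// for every named import slot in the segment around anyEaInImportSeg:
//  - add a data ref slot -> export, so the xref window of the slot shows it
//  - add a call ref caller -> export for every "call ds:Name" that reads the slot
// returns the number of bridged imports
static bridge_imports(anyEaInImportSeg)
{
  auto start, end, ea, name, target, caller, n;

  start = SegStart(anyEaInImportSeg);
  end   = SegEnd(anyEaInImportSeg);
  if ( start == BADADDR )
    return 0;

  n = 0;
  for ( ea = start; ea < end; ea = NextHead(ea, end) )
  {
    name = Name(ea);
    if ( name == "" )
      continue;
    if ( strstr(name, "__imp_") == 0 )        // ASSUMPTION: slot named "__imp_Name" or "Name"
      name = substr(name, 6, -1);

    target = LocByName(name);
    // skip misses, the slot itself and anything that is not code in another module
    if ( target == BADADDR || (target >= start && target < end) )
      continue;
    if ( !isCode(GetFlags(target)) )
      continue;

    add_dref(ea, target, dr_O | XREF_USER);
    for ( caller = DfirstB(ea); caller != BADADDR; caller = DnextB(ea, caller) )
      AddCodeXref(caller, target, fl_CN | XREF_USER);

    Message("%s: %a -> %a\n", name, ea, target);
    n++;
  }
  return n;
}

static main()
{
  Message("bridged %d imports\n", bridge_imports(ScreenEA()));
}
```

after it runs, the xref window (Ctrl-X) on the call instruction lists the DLL’s export next to the import slot, and the export’s own xref list shows every caller from notepad.exe.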

I think we all have to ask Ilfak for this feature; why not just add it to the user menu? it would be _very_ useful.