CIS 4615 meeting -*- Outline -*-

* using IDA Pro (free version)

Based on Part II (chapters 4-8) of The IDA Pro Book
by Chris Eagle, No Starch Press, 2011.

Based on chapter 5 of the book
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
by Michael Sikorski and Andrew Honig, No Starch Press, 2012.

** overview of use

*** starting and stopping

------------------------------------------
STARTING IDA PRO

Start it as an app (double click)

Asks:
  New (disassemble new file)
  Go (work on your own)
  Previous (load an old disassembly)
  Examples...
------------------------------------------
Show several examples.

*** conceptual view

------------------------------------------
IDA PRO IS A DATABASE PROGRAM

The code is put into a database
stored in an

IDA Pro shows you
------------------------------------------
... .idb file (e.g., swap.idb)
... views of the database

------------------------------------------
SAVING THE DATABASE

You can return to your work if you

Don't forget to
------------------------------------------
... SAVE THE database!
... save often (there is no undo!)

------------------------------------------
VIEWS OF THE DATABASE

Disassembly window (IDA-View)
  - as a control flow graph with basic blocks
  - as text
Function names
Strings
Hex
Exports
Imports
...
------------------------------------------
Show graph view + overview window to navigate
Show switching to text view and back

** declarations in IDA Pro's disassembly

------------------------------------------
DECLARATIONS

Visible in the text view

Example:

.text:004011D7 ; Attributes: bp-based frame
.text:004011D7
.text:004011D7 sub_4011D7 proc near
.text:004011D7
.text:004011D7 var_10 = dword ptr -10h
.text:004011D7 var_C  = dword ptr -0Ch
.text:004011D7 var_8  = dword ptr -8
.text:004011D7 var_4  = dword ptr -4
.text:004011D7 arg_0  = dword ptr 8
.text:004011D7 arg_4  = dword ptr 0Ch
.text:004011D7 arg_8  = dword ptr 10h
.text:004011D7 arg_C  = dword ptr 14h
.text:004011D7 arg_10 = dword ptr 18h
.text:004011D7 arg_14 = dword ptr 1Ch
.text:004011D7
.text:004011D7 push ebp
.text:004011D8 mov ebp, esp

Automatically generated names:
  var_N is
  arg_N is

Very helpful to right click on a name and
------------------------------------------
... local variable in a frame at offset N (below bp/ebp)
... argument at offset N (above bp/ebp)
... rename it to something useful

Show an analysis of this along with renaming
try decls.exe

** commenting lines

------------------------------------------
COMMENTING INSTRUCTIONS

Put cursor on the line
Type a colon (:)
Enter text
Click OK

This is the way to edit comments also
------------------------------------------
Show a demo on decls.exe

** examples

Do disassembly of control.exe, swap.exe, hmain.exe
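The DECLARATIONS slide above shows how IDA derives var_N and arg_N from each variable's distance from ebp. As an added example (not part of these notes, the two books, or IDA Pro itself), the Python script below takes those declaration lines, pasted verbatim from the slide as a constructed sample, parses the MASM-style offsets (trailing h means hex, so 0Ch is 12) and rebuilds the frame layout. It also checks the naming rule the listing itself exhibits: var_N sits at ebp-N, while arg_0 is at ebp+8 because the saved ebp and the return address occupy the 8 bytes just above ebp on 32-bit x86, so arg_N is at ebp+8+N. The regular expression and the helper names are this example's own assumptions, not IDA APIs.

```python
"""Rebuild a bp-based stack frame from IDA Pro's auto-generated declarations.

Added example for these course notes; not code from the notes, the books, or
IDA Pro. Input is the text-view declaration block IDA prints at the top of a
function (var_N = dword ptr -Nh, arg_N = dword ptr Nh).
"""
import re

# Constructed sample: the declaration lines of sub_4011D7 from the
# DECLARATIONS slide, copied as IDA's text view shows them.
SAMPLE_LISTING = """\
.text:004011D7 ; Attributes: bp-based frame
.text:004011D7
.text:004011D7 sub_4011D7 proc near
.text:004011D7
.text:004011D7 var_10 = dword ptr -10h
.text:004011D7 var_C = dword ptr -0Ch
.text:004011D7 var_8 = dword ptr -8
.text:004011D7 var_4 = dword ptr -4
.text:004011D7 arg_0 = dword ptr 8
.text:004011D7 arg_4 = dword ptr 0Ch
.text:004011D7 arg_8 = dword ptr 10h
.text:004011D7 arg_C = dword ptr 14h
.text:004011D7 arg_10 = dword ptr 18h
.text:004011D7 arg_14 = dword ptr 1Ch
.text:004011D7
.text:004011D7 push ebp
.text:004011D8 mov ebp, esp
"""

SIZES = {"byte": 1, "word": 2, "dword": 4, "qword": 8}

# Matches one declaration line: address, name, size keyword, signed offset.
# (Assumed layout, written for this example; IDA's real listing may add
# column padding, which the \s+ runs tolerate.)
DECL_RE = re.compile(
    r"^\.text:[0-9A-Fa-f]+\s+(\w+)\s*=\s*(byte|word|dword|qword) ptr"
    r"\s+(-?)([0-9A-Fa-f]+)(h?)\s*$"
)


def parse_masm_number(digits, sign, hex_suffix):
    """MASM syntax: a trailing 'h' marks hex (with a leading 0 when the first
    digit is a letter, e.g. 0Ch); no suffix means decimal."""
    value = int(digits, 16) if hex_suffix else int(digits, 10)
    return -value if sign else value


def parse_frame(listing):
    """Return (name, offset_from_ebp, size_in_bytes) for each declaration."""
    frame = []
    for line in listing.splitlines():
        m = DECL_RE.match(line)
        if not m:
            continue  # prologue, attributes, instructions: not declarations
        name, typ, sign, digits, hex_suffix = m.groups()
        frame.append((name, parse_masm_number(digits, sign, hex_suffix), SIZES[typ]))
    return frame


def classify(offset):
    """Negative offsets are locals (below ebp); +8 and above are arguments.
    Offsets 0 and 4 hold the saved ebp and the return address, which IDA
    does not give names to."""
    if offset < 0:
        return "local"
    if offset >= 8:
        return "arg"
    return "saved-ebp/retaddr"


def explain_name(name, offset):
    """True when the auto-generated name encodes the distance from ebp:
    var_N means ebp-N, arg_N means ebp+8+N (N written in hex)."""
    kind, _, hex_n = name.partition("_")
    n = int(hex_n, 16)
    if kind == "var":
        return offset < 0 and n == -offset
    if kind == "arg":
        return offset >= 8 and n == offset - 8
    return False


def frame_summary(listing):
    """Summarise the frame: local names, argument names, bytes of locals
    reserved below ebp, and whether every name follows IDA's rule."""
    frame = parse_frame(listing)
    locals_ = [f for f in frame if classify(f[1]) == "local"]
    args = [f for f in frame if classify(f[1]) == "arg"]
    local_bytes = -min(off for _, off, _ in locals_) if locals_ else 0
    return {
        "locals": [n for n, _, _ in locals_],
        "args": [n for n, _, _ in args],
        "local_bytes": local_bytes,
        "names_consistent": all(explain_name(n, off) for n, off, _ in frame),
    }


if __name__ == "__main__":
    for name, off, size in parse_frame(SAMPLE_LISTING):
        print(f"{name:7s} [ebp{off:+#x}]  {size} bytes  {classify(off)}")
    print(frame_summary(SAMPLE_LISTING))
```

Running it prints one line per variable with its ebp-relative offset and kind, then a summary showing 16 bytes of locals and six dword arguments. The summary is what you want to have in mind before renaming: a var_N or arg_N that does not follow the rule usually means IDA's frame analysis was wrong or the function is not bp-based, so check the prologue before trusting the names.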