ebook img

rapid reversing with ida pro debugger andrzej dereszowski PDF

15 Pages·2014·0.52 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview rapid reversing with ida pro debugger andrzej dereszowski

FunCap RAPID REVERSING WITH IDA PRO DEBUGGER ANDRZEJ DERESZOWSKI Who am I ? Security consultant with focus on incident handling, forensics and malware analysis Not a dedicated reverser – RE is just part of my job => I avoid RE as much as possible as it is just too time consuming Tools we use IDA Pro for static analysis OllyDbg for debugging (other tools used by real reversing gurus like PIN, metasm etc. are out of scope here) Problem => Olly gives a lot of good info during debugging … but this won’t be visible in IDA => Unpacked code – needs rebuilding to load in IDA, not always easy IN SHORT: No automatic connection between the two tools Idea Why not connect both worlds and provide automated solution ? First I wanted to use IDA Pro tracer but realized it is too slow and generating not easily-readable data with too much noise The inspiration: PaiMei Stalker by Pedram Amini - old and not developed any more, with only win32 userland support (uses PyDbg) Places breakpoints at each function start based on imported IDB from IDA Exports a script to load comments from the debugger to IDA’s listing Let’s implement a solution by using IDA debugger ! Introducing FunCap IDApython script/plugin Aims to combine runtime info and feeds it into the static listing IN SHORT: you can run some code in the sandbox VM and it will add useful comments to your IDA listing based on the recorded code execution RESULT: you understand some functions without even looking at them  SAVES TIME! Funcap – how it works Places breakpoints on function call instructions (alternatively breakpoints can be places on function start and end) Runs IDA debugger When a breakpoint is hit it captures the arguments and function address and tries to dereference them and guess their type (currently only string, int and pointers) Places a breakpoint directly after the call instruction When the call returns they are dereferenced again to see how the memory was changed This information is dumped to a text file and inserted into the IDA listing Funcap – features (1) Supports ia-32, ia-64 and ARM – more can easily be added Supports Win32, Win64, Linux32, Linux64, Android. No MacOS or iOS yet. Supports almost any IDA debugger connector, even PIN tracer connector  Funcap – features (2) Builds a runtime call graph code_discovery mode to automatically deal with packers Python> code_discovery = True … 0x9c299a: new code section detected: [0x9c1000, 0x9c3000] hooking function: sub_9C299A() Function call: sub_1000156E+147 to sub_9C299A (0x9c299a) Funcap – features (3) Resolves indirect calls API calls can be captured as well Full context is dumped to the file, subset of the context is pasted into IDAs’ listing annotations Hexdump or ASCII capture format Python> hexdump = True

Description:
Tools we use. IDA Pro for static analysis. OllyDbg for debugging. (other tools used by real reversing gurus like PIN, metasm etc. are out of scope here)
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.