Windows Right-Click Menu Shortcuts: Open with IDA…

For many years I’ve been using custom Windows right-click menu entries to speed up common analysis tasks such as:

  • calculate hash sums
  • open a file in IDA Pro (ida.exe or ida64.exe)
  • zip a file (with password-protection “infected”)
  • unzip a file (using password “infected”)

The result looks like this:

Recently, I set up a new analysis environment and very quickly missed these. So here they go for doing this more quickly in the future.

Continue reading “Windows Right-Click Menu Shortcuts: Open with IDA…”

IDA Pro structs for networking protocols: IP, TCP, UDP, ARP

I’ve recently analyzed a malware sample that parsed and modified raw network packet data. That means I had to deal with many register relative offsets in IDA Pro. The most practical way for this is to define and apply structs.

Defined and applied struct for TCP data packet
Defined and applied struct for TCP data packet

While IDA’s type libraries contain some of the packet structures (i.e., ETHERNET_FRAME, IP, TCP, and UDP_HEADER), other protocols (i.e., ARP) are missing. Additionally, I did not find structures encompassing multiple communication layers – for example ETHERNET_FRAME, IP, and TCP grouped in one structure.

Continue reading “IDA Pro structs for networking protocols: IP, TCP, UDP, ARP”

Inlined functions and stack variables in IDA Pro

As an optimization, compilers inline functions. In general, this makes reverse engineering a disassembled program more cumbersome. And often times its confusing to novice reverse engineers. Frequently, compilers inline the functions memset and memcpy. Due to this IDA Pro may produce multiple stack variables when in reality there should only be one. In this post I am going to share a script that will help you to automatically modify stack variable sizes and definitions for a function’s stack frame. This will make the disassembled code easier to understand. Moreover, it can improve code decompilation.

Continue reading “Inlined functions and stack variables in IDA Pro”

Unique strings in executable files

When performing basic static analysis of malware, the file’s strings can provide helpful indicators, including filenames, registry keys, and URLs. The strings can additionally hint at a program’s capabilities and its intended use. Identifying unique strings in malware is also a great way to pivot to related samples. Searching private and public databases for unique strings may lead you to existing analysis results and (leaked) source code. In this blog post I define the term unique string, explain how to leverage unique strings, look at common issues when dealing with unique strings, and provide a solution to automatically extract them.

Continue reading “Unique strings in executable files”

Integrating FLOSS deobfuscated strings into IDA Pro and x64dbg

The FireEye Labs Obfuscated String Solver (FLOSS) automatically extracts obfuscated strings from Windows executables and shellcode. The tool integrates with various reverse engineering tools including IDA Pro, radare2, and x64dbg. In this post, I will show how to leverage strings that FLOSS decoded when reverse engineering malware using IDA Pro and debugging it using x64dbg.
Continue reading “Integrating FLOSS deobfuscated strings into IDA Pro and x64dbg”

Tutorial: How to use remote_lookup to resolve remote symbols

Introduction

Reverse engineering and tool development expert David Zimmer (dzzie, http://sandsprite.com) recently released remote_lookup, “a small tool which can scan a 32bit process and build an export name/address map which can be queried”. The tool is available on FireEye’s GitHub page at https://github.com/fireeye/remote_lookup.

remote_lookup can significantly speed up the analysis of malware that obfuscates its access to Windows API functions. David covers common malware techniques for such obfuscations in the blog post available at https://www.fireeye.com/blog/threat-research/2017/06/remote-symbol-resolution.html. The post also talks about the motivation of remote_lookup, common analysis techniques (and their shortcomings), the tool’s functionalities and how it can accelerate reverse engineering of obfuscated malware. I highly recommend reading his post – especially if you are going to continue reading this tutorial.

Continue reading “Tutorial: How to use remote_lookup to resolve remote symbols”

Identifying string decoding functions in IDA Pro

Motivation and background

When triaging malicious executable files I always try the FireEye Labs Obfuscated String Solver (FLOSS) to quickly decode obfuscated strings. In short, FLOSS uses heuristics to identify decoding routine candidates and emulates them using vivisect’s disassembly and emulation modules.

While vivisect is an awesome tool, it sometimes is not as robust as IDA Pro in parsing and disassembling binaries. In addition, IDA Pro provides the Fast Library Identification and Recognition Technology (FLIRT) that helps to distinguish standard library functions and functions written by the program’s author.

Continue reading “Identifying string decoding functions in IDA Pro”

Malware Analysis Tools

While it is a lot of fun to parse structures from a hex dump or disassemble opcodes in my head, I rely on many tools to reverse engineer software efficiently. In general, it does not matter which tools you use. It only matters that you know how to use them. However, finding the right tool for the task at hand is not always easy.

Below is a non-exhaustive list of tools I use regularly during malware analysis. Many of these tools have been recommended to me by very talented and experienced colleagues. Others I found while reading blogs or malware analysis reports. I hope this list inspires you to incorporate some of these tools into your analysis process.

Continue reading “Malware Analysis Tools”

IDA Pro Anti-Disassembly, Basic Blocks, and IDAPython

In this blog post I am going to discuss how you can interact with basic blocks in IDAPython. Before we jump into the technical details, I want to provide some context and show why I became interested in exploring this feature of IDA Pro.

Background and Motivation

The other day I reverse engineered a backdoor that was heavily armored with two classic anti-disassembly techniques. The first technique substitutes jmp instructions with sequences of push and retn instructions. Figure 1 shows how this hinders the program’s control flow analysis. First, IDA Pro interprets the retn instruction to mark a function’s end. Second, IDA Pro is not able to identify the target addresses as code and hence does not disassemble them.

.text:00564A90 sub_564A90      proc near               ; CODE XREF: ___tmainCRTStartup+10Dp
.text:00564A90                 push    564C87h
.text:00564A95                 retn
.text:00564A95 sub_564A90      endp
Figure 1

Figure 2 shows the same disassembly after I changed the push operand type to offset.

.text:00564A90 sub_564A90      proc near               ; CODE XREF: ___tmainCRTStartup+10Dp
.text:00564A90                 push    (offset loc_564C83+4)
.text:00564A95                 retn
.text:00564A95 sub_564A90      endp
Figure 2

Continue reading “IDA Pro Anti-Disassembly, Basic Blocks, and IDAPython”