Name identifiers and comment encoding in IDA Pro

Introduction

One of IDA Pro’s most important features is that it allows us to interactively modify the disassembly – hence, the I in IDA. This includes renaming of function names, variable names, and names of addresses. IDA Pro refers to these names as identifiers and enforces a certain naming scheme on them. After working with IDA Pro for a couple of weeks most people develop a good understanding of valid names and what to avoid when renaming identifiers. However, I wanted to know how IDA Pro checks identifiers and describe my findings in this blog post. In addition to this, I discuss the character encoding used for comments in IDA Pro. Adding comments to a disassembled program is another useful feature many reverse engineers take advantage of. While users normally don’t have to worry about the comment encoding this information can be handy in certain situations – especially when dealing with comments in IDAPython scripts.

Continue reading “Name identifiers and comment encoding in IDA Pro”

Malware Analysis Tools

While it is a lot of fun to parse structures from a hex dump or disassemble opcodes in my head, I rely on many tools to reverse engineer software efficiently. In general, it does not matter which tools you use. It only matters that you know how to use them. However, finding the right tool for the task at hand is not always easy.

Below is a non-exhaustive list of tools I use regularly during malware analysis. Many of these tools have been recommended to me by very talented and experienced colleagues. Others I found while reading blogs or malware analysis reports. I hope this list inspires you to incorporate some of these tools into your analysis process.

Continue reading “Malware Analysis Tools”

IDA Pro Anti-Disassembly, Basic Blocks, and IDAPython

In this blog post I am going to discuss how you can interact with basic blocks in IDAPython. Before we jump into the technical details, I want to provide some context and show why I became interested in exploring this feature of IDA Pro.

Background and Motivation

The other day I reverse engineered a backdoor that was heavily armored with two classic anti-disassembly techniques. The first technique substitutes jmp instructions with sequences of push and retn instructions. Figure 1 shows how this hinders the program’s control flow analysis. First, IDA Pro interprets the retn instruction to mark a function’s end. Second, IDA Pro is not able to identify the target addresses as code and hence does not disassemble them.

.text:00564A90 sub_564A90      proc near               ; CODE XREF: ___tmainCRTStartup+10Dp
.text:00564A90                 push    564C87h
.text:00564A95                 retn
.text:00564A95 sub_564A90      endp
Figure 1

Figure 2 shows the same disassembly after I changed the push operand type to offset.

.text:00564A90 sub_564A90      proc near               ; CODE XREF: ___tmainCRTStartup+10Dp
.text:00564A90                 push    (offset loc_564C83+4)
.text:00564A95                 retn
.text:00564A95 sub_564A90      endp
Figure 2

Continue reading “IDA Pro Anti-Disassembly, Basic Blocks, and IDAPython”

Moin Welt!

O Tannenbaum! The year is almost over and my first blog post is here. Publishing some original content has been one of my goals for 2016. So, I am very excited that it is finally happening.

In 2017, I will post at least once a month. Really, I already have a list of topics…

Happy Holidays and an awesome New Year!

O Tannenbaum!