
Practical Malware Analysis

Ch 5: IDA Pro
IDA Pro Versions
• Full-featured paid version (IDA Teams, Pro, Home)
• IDA Free (2023)
• Old Demo version
– Both support x64/x86
– Pay version supports ARM and other processors
– Linux, Windows and MacOS
• All have code signatures for common library code in FLIRT (Fast Library Identification and Recognition Technology)
• https://hex-rays.com/ida-free/
Graph and Text Mode
• Spacebar switches mode
Default Graph Mode Display
Options, General
Better Graph Mode View
Arrows
• Colors
– Red: Conditional jump not taken
– Green: Conditional jump taken
– Blue: Unconditional jump
• Direction
– Up: Loop
Arrow Color Example
Highlighting
• Highlighting text in graph mode highlights every instance of that text
Text Mode
• Arrows: Solid = Unconditional, Dashed = Conditional, Up = Loop
• Labeled in the screenshot: Comment generated by IDA Pro, Section, Address
Options, General
Adds Comments to Each Instruction
Useful Windows for Analysis
Functions
• Shows each function, length, and flags
– L = Library functions
• Sortable
– Large functions usually more important
Names Window
• Every address with a name
– Functions, named code, named data, strings
Strings
Imports & Exports
Structures
• All active data structures
– Hover to see yellow pop-up window
Cross-Reference
• Double-click function
• Jump to code in other views
Function Call
• Parameters pushed onto stack
• CALL to start function
Returning to the Default View
• Windows, Reset Desktop
• Windows, Save Desktop
– To save a new view
Navigating IDA Pro
Imports or Strings
• Double-click any entry to display it in the
disassembly window
Using Links
• Double-click any address in the disassembly
window to display that location
History
• Forward and Back buttons work like a Web browser
Navigation Band
• Light blue: Library code
• Red: Compiler-generated code
• Dark blue: User-written code – Analyze this
Jump to Location
• Press G
• Can jump to address or named location
Searching
• Many options
• Search, Text is handy
Using Cross-References
Code Cross-References
• XREF comment shows where this function is called
• But it only shows a couple of cross-references by default
To See All Cross-References
• Click function name and press X
Data Cross-References
• Demo:
– Start with strings
– Double-click an interesting string
– Hover over DATA XREF to see where that string is used
– X shows all references
IDA Pro Data Notation
• IDA declares initialized data as follows
– db - BYTE - byte (8-bit integer)
– dw - WORD - word (16-bit integer)
– dd - DWORD - double word (32-bit integer)
– dq - QWORD - quad word (64-bit integer)
– ? denotes that this value is unknown and will only be known at runtime.
• Example: an uninitialized data section.
• If you start a debug session with IDA, the address will eventually contain some value
– DT, DO, DY and DZ for floating point data values.
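As an added example (not from the slides), the following Python encoder makes the db/dw/dd/dq widths concrete: it parses declarations in the form IDA prints in the disassembly view (optional ".seg:address" prefix, optional label, directive, comma-separated operands, optional ";" comment) and emits the little-endian bytes they occupy. A "?" item is emitted as zero filler since its real value only exists at runtime; string literals are accepted for db only. The sample lines in the comments are constructed.

```python
import re

# IDA data directive -> width in bytes of each item (the BYTE/WORD/DWORD/QWORD types).
DIRECTIVE_WIDTH = {"db": 1, "dw": 2, "dd": 4, "dq": 8}
SIZE_NAME = {1: "BYTE", 2: "WORD", 4: "DWORD", 8: "QWORD"}

_LINE = re.compile(
    r"^(?:\.\w+:[0-9A-Fa-f]+\s+)?"             # optional segment:address prefix (.data:00403000)
    r"(?:(?P<label>[A-Za-z_@$][\w@$]*)\s+)?"    # optional label (aHello, var_4, ...)
    r"(?P<dir>d[bwdq])\s+(?P<ops>.+)$", re.I)
_NUMBER = re.compile(r"^(0x[0-9a-f]+|[0-9][0-9a-f]*h|[0-9]+)$", re.I)


def parse_number(tok):
    """Parse IDA/MASM-style '0DEADBEEFh' or '41h', C-style 0x.., or plain decimal."""
    tok = tok.strip()
    if not _NUMBER.match(tok):
        raise ValueError(f"not a number: {tok!r}")
    if tok[-1] in "hH":
        return int(tok[:-1], 16)
    if tok[:2].lower() == "0x":
        return int(tok[2:], 16)
    return int(tok)


def split_operands(text):
    """Split on commas but keep quoted strings (which may themselves contain commas) whole."""
    return [m.group(0).strip() for m in re.finditer(r"'[^']*'|\"[^\"]*\"|[^,]+", text)]


def parse_data_line(line):
    """Return (label, directive, width, items); items are int, bytes, or None for '?'.
    Constructed inputs this accepts: "aHello db 'Hello',0", "dd 0DEADBEEFh", "var_4 dd ?".
    A ';' starts a comment (a ';' inside a string literal is not supported here)."""
    code = line.split(";", 1)[0].strip()
    m = _LINE.match(code)
    if not m:
        raise ValueError(f"not a data declaration: {line!r}")
    directive = m.group("dir").lower()
    width = DIRECTIVE_WIDTH[directive]
    items = []
    for op in split_operands(m.group("ops")):
        if op == "?":
            items.append(None)                        # uninitialized: value known only at runtime
        elif op[0] in "'\"":
            if width != 1:
                raise ValueError("string literals are only valid with db")
            items.append(op[1:-1].encode("latin-1"))
        else:
            value = parse_number(op)
            if not 0 <= value < 256 ** width:
                raise ValueError(f"{op} does not fit in a {SIZE_NAME[width]}")
            items.append(value)
    return m.group("label"), directive, width, items


def encode_data_line(line):
    """Bytes the declaration occupies in the image; '?' slots are emitted as zero filler."""
    _, _, width, items = parse_data_line(line)
    out = bytearray()
    for item in items:
        if item is None:
            out += bytes(width)
        elif isinstance(item, bytes):
            out += item
        else:
            out += item.to_bytes(width, "little")   # x86 stores the low byte first
    return bytes(out)
```

Feeding "dd 0DEADBEEFh" through encode_data_line() shows the byte-swapped layout (EF BE AD DE) that you see in the hex view next to the dd line, which is the detail that trips people up when matching IDA's data view against raw bytes.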
Analyzing Functions
Function and Argument Recognition
• IDA Pro identifies a function, names it, and also names the local variables
– Local variables labeled with var_<EBP offset>
– Parameters labeled with arg_<EBP offset>
– It's not always correct
Using Graphing Options
Navigating IDA Pro
• Most windows are linked to the disassembly window (text mode).
• Double-click an entry in the Imports window to go to that entry in text mode
• Three most common link types
– Sub: links to the start of a function, e.g. sub_40110A0
– Loc: links to a destination address, e.g. loc_40107E
– Offset: links to a memory offset
• XREF can also be used to jump to the referencing location
Graphing Options
• These are "Legacy Graphs" and cannot be manipulated with IDA
• The first two seem obsolete
– Flow chart
• Create flow chart of current function
– Function calls
• Graph function calls for entire program
Graphing Options
• Xrefs to
– Graphs XREFs to the selected XREF
– Can show all the paths that get to a function
Windows Genuine Status in Calc.exe
Graphing Options
• Xrefs from
– Graphs XREFs from the selected XREF
– Can show all the paths that exit from a function
Graphing Options
• User xrefs chart...
– Customize the graph's recursive depth, symbols used, to or from symbol, etc.
– The only way to modify legacy graphs
Enhancing Disassembly
Warning
• There's no Undo, so if you make changes and
mess them up, you may be sorry
Renaming Locations
• IDA gives discovered values dummy names, which may not be very meaningful
• You can change a name like sub_401000 to ReverseBackdoorThread
• Change it in one place and IDA will change it everywhere else
Adding Comments
• Press colon (:) to add a single comment
• Press semicolon (;) to echo this comment to all Xrefs
Formatting Operands
• Hexadecimal by default
• Right-click to use other formats
Using Named Constants
• Makes Windows API arguments clearer
Redefining Data and Code
• After disassembly, IDA Pro may categorize bytes incorrectly as either data or code!
• You may redefine raw data as follows:
– U: undefine a function, data or code
– C: define raw bytes as code
– D: define raw bytes as data
– A: define raw bytes as ASCII
IDA Notation and Assembler Directives
• Size Directives
– The intended size of the data item at a given memory address can be inferred from the assembly instruction in which it is referenced.
• E.g., the size of the memory region can be inferred from the size of the register operand.
• 32-bit register ➔ the assembler infers that the memory region being referred to is 4 bytes wide.
– In some cases the size of a referred-to memory region is ambiguous:
– mov [ebx], 2
– Use <size> ptr <offset from stack base>:
– mov dword ptr [ebp-4], 2
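The following is an added Python example (not from the slides) that works through both the size-directive rule above and the var_/arg_ naming from the Function and Argument Recognition slide. infer_mov_width() applies the rule mechanically: a register operand fixes the width by its name, a "<size> ptr" prefix fixes it explicitly, and an immediate or bare [mem] fixes nothing, so "mov [ebx], 2" is rejected as ambiguous while "mov dword ptr [ebp-4], 2" resolves to 4. annotate_insn() rewrites EBP-relative operands into the [ebp+var_N] / [ebp+arg_N] form IDA shows. It assumes a 32-bit EBP-based frame (saved EBP at [ebp+0], return address at [ebp+4], so the first argument is arg_0 at [ebp+8] and the first local is var_4 at [ebp-4]); the instruction strings are constructed.

```python
import re

# General-purpose register name -> width in bytes (x86 and x64).
REG_WIDTH = {}
for b in "acdb":
    REG_WIDTH.update({f"r{b}x": 8, f"e{b}x": 4, f"{b}x": 2, f"{b}l": 1, f"{b}h": 1})
for r in ("sp", "bp", "si", "di"):
    REG_WIDTH.update({f"r{r}": 8, f"e{r}": 4, r: 2, f"{r}l": 1})
for n in range(8, 16):
    REG_WIDTH.update({f"r{n}": 8, f"r{n}d": 4, f"r{n}w": 2, f"r{n}b": 1})

PTR_WIDTH = {"byte": 1, "word": 2, "dword": 4, "qword": 8}
_PTR = re.compile(r"^(byte|word|dword|qword)\s+ptr\s+\[", re.I)
_EBP_DISP = re.compile(r"\[ebp\s*([+-])\s*(0x[0-9a-f]+|[0-9a-f]+h|\d+)\]", re.I)


def parse_number(tok):
    """Accept '0Ch'/'10h' (IDA/MASM), '0x10' (C) or plain decimal displacements."""
    if tok[-1] in "hH":
        return int(tok[:-1], 16)
    if tok[:2].lower() == "0x":
        return int(tok[2:], 16)
    return int(tok)


def operand_width(op):
    """Width an operand pins down: a register by its name, memory by a size ptr prefix.
    Immediates and bare [mem] operands return None because they fix nothing."""
    op = op.strip().lower()
    if op in REG_WIDTH:
        return REG_WIDTH[op]
    m = _PTR.match(op)
    return PTR_WIDTH[m.group(1)] if m else None


def infer_mov_width(insn):
    """Width in bytes of the memory access a mov performs. Raises ValueError when the
    operands leave it ambiguous (mov [ebx], 2) or contradict each other."""
    mnem, _, ops = insn.strip().partition(" ")
    if mnem.lower() != "mov":
        raise ValueError(f"only mov is handled: {insn!r}")
    dst, src = (o.strip() for o in ops.split(",", 1))
    widths = {w for w in (operand_width(dst), operand_width(src)) if w is not None}
    if not widths:
        raise ValueError(f"ambiguous operand size, add a size ptr: {insn!r}")
    if len(widths) > 1:
        raise ValueError(f"operand size mismatch: {insn!r}")
    return widths.pop()


def ida_stack_name(offset):
    """IDA's dummy name for an EBP-relative slot: var_N for locals (negative offsets),
    arg_N for arguments (offset 8 and up); None for the saved EBP / return address."""
    if offset < 0:
        return f"var_{-offset:X}"
    if offset >= 8:
        return f"arg_{offset - 8:X}"
    return None


def annotate_operand(op):
    """Rewrite [ebp-4] as [ebp+var_4] and [ebp+8] as [ebp+arg_0], the way IDA displays them."""
    def repl(m):
        disp = parse_number(m.group(2))
        name = ida_stack_name(disp if m.group(1) == "+" else -disp)
        return f"[ebp+{name}]" if name else m.group(0)
    return _EBP_DISP.sub(repl, op)


def annotate_insn(insn):
    """Apply annotate_operand() to every operand of one instruction line."""
    mnem, _, ops = insn.strip().partition(" ")
    return f"{mnem} {', '.join(annotate_operand(o.strip()) for o in ops.split(','))}"
```

The "it's not always correct" caveat from the slides applies here too: ida_stack_name() only reproduces the default naming for a conventional EBP frame; functions that omit the frame pointer or adjust ESP manually get different (and sometimes wrong) var_/arg_ labels, which is exactly when you end up renaming them by hand.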
References
• x86 Assembly Guide
• NASM: Netwide x64/x86 Assembler
Extending IDA with Plug-ins
• IDC (IDA's scripting language) and Python scripts available (link Ch 6a)
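As an added example (not from the slides, and not Hex-Rays code), here is an IDAPython script that does two of the manual edits from the Enhancing Disassembly slides from a script: it attaches a repeatable comment (the ";" kind, which shows up at every XREF) to each call of a chosen import, and renames dummy-named callers (sub_XXXXXX) after the APIs they call, leaving any function you already renamed alone. The planning logic has no IDA dependency, so it can be run and checked outside IDA with constructed data; collect_callers() and apply_in_ida() are the only parts that use the IDA API. The "mw_" name prefix and the API list in the __main__ block are assumptions, and the script assumes the import's entry is named with the plain API name.

```python
import re

try:                                  # the IDA modules only exist inside IDA
    import idautils
    import idc
    IN_IDA = True
except ImportError:
    IN_IDA = False

# IDA's auto-generated ("dummy") names: sub_401000, loc_40107E, dword_403000, ...
DUMMY_NAME = re.compile(r"^(sub|loc|unk|byte|word|dword|qword|off)_[0-9A-Fa-f]+$")


def is_dummy_name(name):
    """True for a name IDA made up, False for one a person chose (e.g. ReverseBackdoorThread)."""
    return bool(DUMMY_NAME.match(name))


def propose_name(current, apis_called, prefix="mw"):
    """Suggest a descriptive name for a dummy-named function from the APIs it calls.
    Returns None if the function was already renamed, so manual work is never clobbered."""
    if not is_dummy_name(current) or not apis_called:
        return None
    return f"{prefix}_{'_'.join(sorted(apis_called))}_{current.split('_')[1]}"


def plan_edits(callers_by_api):
    """callers_by_api: {api_name: [(call_ea, enclosing_func_name), ...]}.
    Returns a list of ('comment', ea, text) and ('rename', old_name, new_name) edits."""
    apis_per_func = {}
    edits = []
    for api, callers in callers_by_api.items():
        for call_ea, func_name in callers:
            edits.append(("comment", call_ea, f"calls {api}"))
            apis_per_func.setdefault(func_name, set()).add(api)
    for func_name, apis in sorted(apis_per_func.items()):
        new_name = propose_name(func_name, apis)
        if new_name:
            edits.append(("rename", func_name, new_name))
    return edits


def collect_callers(api_names):
    """IDA only: gather {api: [(call_ea, enclosing_func_name)]} from code xrefs to each import."""
    result = {}
    for api in api_names:
        ea = idc.get_name_ea_simple(api)      # assumes the import entry is named after the API
        if ea == idc.BADADDR:
            continue
        for xref in idautils.XrefsTo(ea, 0):
            if xref.iscode:
                result.setdefault(api, []).append((xref.frm, idc.get_func_name(xref.frm)))
    return result


def apply_in_ida(edits):
    """IDA only: write the planned edits into the database."""
    for kind, target, value in edits:
        if kind == "comment":
            idc.set_cmt(target, value, 1)     # rptble=1: repeatable, same as pressing ';'
        else:
            ea = idc.get_name_ea_simple(target)
            if ea != idc.BADADDR:
                idc.set_name(ea, value, idc.SN_CHECK)


if __name__ == "__main__" and IN_IDA:
    # Assumed API list for the demonstration; adjust to the imports of interest.
    apply_in_ida(plan_edits(collect_callers(["CreateThread", "WSAStartup"])))
```

Because there is no Undo (see the Warning slide), the split between plan_edits() and apply_in_ida() is deliberate: run plan_edits() first, look at the list, and only then apply it to the database.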