Reverse Engineering with IDA Pro. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta

Transcription

1 1 Reverse Engineering with IDA Pro CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta

2 2 Reversing Techniques Static Analysis Dynamic Analysis

3 3 Reversing Techniques Static Analysis (e.g., strings, PEid) + safe (don t actually run anything) - more complex/time consuming Dynamic Analysis +runtime analysis - may be difficult to setup

4 4 Reversing Techniques Static Analysis (e.g., string PEid) + safe (don t actually run anything) - more complex/time consuming Dynamic Analysis +runtime analysis - may be difficult to setup Sometimes this is the only choice

5 5 Reversing Techniques Static Analysis (e.g., string PEid) + safe (don t actually run anything) - more complex/time consuming Dynamic Analysis +runtime analysis - may be difficult to setup Sometimes this is the only choice Usually the best approach is a hybrid

6 6 Disassembling Two algorithms 1. Exhaustive: 2. Recursive traversal:

7 7 Disassembling Two algorithms 1. Exhaustive: Disassemble all instructions line by line regardless of semantics 2. Recursive traversal: Find the entry point and explore all control flow options

8 8 IDAPro - The Interactive Disassembler Developed by Hex-Rays The weapon of choice for most reversing/analysis Supports PE/COFF, (ELF),.NET, Supports several ISAs (x86, x64, ARM, etc..) Saves progress in IDB Files Includes user comments, breakpoints, custom labels, etc.

9 9 IDA Pro Version 5.0 is (still) free, but No 64-bit support Limited ISA support Performs Function discovery Stack analysis Local variable identification Interactive Implemented using a plugin architecture

10 10 For More The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler by Chris Eagle (Author)

11 Hexdump hex ASCII 11

12 Hexdump 12 Good ground truth reference May be the only option

13 Disassembler (Text View) 13

14 14 Disassembler (Text View) Memory address labels Assembly, labels, and cross references

15 Disassembler What is this code doing? 15 Hint: focus on the function calls and auto-generated comments

16 Disassembler IDA Fast Library Identification and Recognition Technology (FLIRT) recognizes library functions generated by supported compilers 16

17 Disassembler C program that opens a file The filename is an argument An error is printed to the screen if the file cannot be opened 17 Check if correct # of arguments Open as read-only Push filename as a parameter to fopen

18 Disassembler C program that opens a file The filename is an argument An error is printed to the screen if the file cannot be opened 18 Check if correct # of arguments Open as read-only Push filename as a parameter to fopen Print an error if file cannot be opened

19 Disassembler Graphical View the current function is represented as a collection of nodes (code blocks) and edges (cross references between nodes). 19

20 Disassembler Red lines: path if jump not taken; Green lines: path if jump is taken Blue lines: unconditional path 20

21 21 Ida is a Disassembler & Debugger These are the common and default windows for debugging

22 22 Ida is a Disassembler & Debugger Hex dump These are the common and default windows for debugging

23 23 Ida is a Disassembler & Debugger Hex dump These are the common and default windows for debugging Synchronized (corresponding opcodes/operands are highlighted)

24 24 Ida is a Disassembler & Debugger These are the common and default windows for debugging Registers Registers with memory addresses are shown Stack

25 25 Loading an Executable for the first time Open IDA and select Go

26 26 Loading an Executable New: open an executable file Open: open an executable or Ida DB file Load file: load a supplementary file Produce file: export database IDC file: load a scripts file IDC command: select a script to execute

27 27 Loading an Executable Auto-detects a windows executable.

28 28 Disassembly Window Modes Text View Graph View

29 29 Customization Turn on the auto-comment feature.

30 Customization 30

31 31 Comments Description of opcode, but no execution flow semantics You can add your own comments however.

32 32 Comments Here I ve added more semantically rich meanings to the assembly by pressing the : (single instance) ; will create a repeatable comment (will add this same comment to references to this location)

33 33 Useful Windows for Analysis As shown in previous slides, these show the assembly/binary/addresses/etc.

34 34 Functions Window R: returns F: Far function (requires 32-bits) L: Library function S: Static function (not accessible by external functions only to the given code file) B: BP based frame T: Has type information (variables have known types --- probably provided by debugging information) = BP equals SP

35 35 Names Window Lists every address with a labels F: function (user) L: library function C: lines with instructions A: ascii data

36 36 Strings Window Lists all ASCII strings (by default character sequences of length >= 5)

37 37 Imports/Exports Windows Imports: functions used from other libraries Exports: functions that are available to other processes

38 38 Structures Window Data structures defined by groupings of memory IDA finds some, but you can specify your own to increase readability

39 39 Using Links and Cross-References link cross reference

40 See All XREFS at Once 40

41 41 Using Links and Cross-References Press escape to return to previous (same as the back arrow).

42 42 Navigation Band Dark blue: user defined code Light blue: library code Pink: imports Gray: defined/referenced data Brown: undefined/unreferenced data

43 43 Searching Next Code take me to the next sequential instruction Text search ascii text Sequence of Bytes search for specific hex bytes

44 44 Searching C:/>

45 45 Searching C:/>password.exe Enter password for this malware:

46 46 Searching C:/>password.exe Enter password for this malware: test

47 47 Searching C:/>password.exe Enter password for this malware: test Bad key How can we figure out the password??

48 48 Searching Demonstration

49 49 Analyzing Functions IDA has the ability to recognize, functions and label local variables and parameters.

50 50 Parameters and Local Variables 32-bits ebp-18h Lower Memory Address ESP EBP ebp-4 ebp ebp+8 Push Direction Higher Memory Address

51 Parameters and Local Variables 51

52 52 IDA Representation of Operand Types Type Register Operand Example Immediate Memory Address

53 53 Debugging Mode Breakpoints Traces Step-by-step Register inspection Memory inspection

54 54 Other Useful Features Rename locations Use this for your homework!! It will make your life easier!

55 55 Other Useful Features Operand formatting

56 56 Other Useful Features Graph node groups Create groups and name them to improve readability

57 57 Sample.dll At 0x , there is a call to Sleep (an API function that takes one parameter containing the number of milliseconds to sleep). Looking backward through the code, how long will the program sleep if this code executes? (Keep in mind that IDA Pro is not perfect).

58 58 IDA Pro is not perfect Instruction code as data and vice versa

59 59 IDA Pro is not perfect Instruction code as data and vice versa

60 60 IDA Pro is not perfect Instruction code as data and vice versa

61 61 IDA Pro is not perfect Instruction code as data and vice versa Now we end up with a label to a location with some values.