The IDA pro book : the unofficial guide to the world's most popular disassembler

IDA Pro is a commercial disassembler and debugger used by reverse engineers to dissect compiled computer programs, and is the industry standard tool for analysis of hostile code. The IDA Pro Book provides a comprehensive, top-down overview of IDA Pro and its use for reverse engineering software. Aut...

Full description

Saved in:
Bibliographic Details
Main Author: Eagle, Chris
Format: eBook Book
Language:English
Published: San Francisco No Starch Press 2011
No Starch Press, Incorporated
Edition:2
Subjects:
Debugging in computer science
Disassemblers (Computer programs)
IDA Pro (Electronic resource)
ISBN:9781593272890, 1593272898
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Table of Contents:
  • Intro -- The IDA Pro Book -- PRAISE FOR THE FIRST EDITION OF THE IDA PRO BOOK -- Acknowledgments -- Introduction -- I. Introduction to IDA -- 1. Introduction to Disassembly -- Disassembly Theory -- The What of Disassembly -- The Why of Disassembly -- Malware Analysis -- Vulnerability Analysis -- Software Interoperability -- Compiler Validation -- Debugging Displays -- The How of Disassembly -- A Basic Disassembly Algorithm -- Linear Sweep Disassembly -- Recursive Descent Disassembly -- Sequential Flow Instructions -- Conditional Branching Instructions -- Unconditional Branching Instructions -- Function Call Instructions -- Return Instructions -- Summary -- 2. Reversing and Disassembly Tools -- Classification Tools -- file -- PE Tools -- PEiD -- Summary Tools -- nm -- ldd -- objdump -- otool -- dumpbin -- c++filt -- Deep Inspection Tools -- strings -- Disassemblers -- Summary -- 3. IDA Pro Background -- Hex-Rays' Stance on Piracy -- Obtaining IDA Pro -- IDA Versions -- IDA Licenses -- Purchasing IDA -- Upgrading IDA -- IDA Support Resources -- Your IDA Installation -- Windows Installation -- OS X and Linux Installation -- IDA and SELinux -- 32-bit vs. 64-bit IDA -- The IDA Directory Layout -- Thoughts on IDA's User Interface -- Summary -- II. Basic IDA Usage -- 4. Getting Started with IDA -- Launching IDA -- IDA File Loading -- Using the Binary File Loader -- IDA Database Files -- IDA Database Creation -- Closing IDA Databases -- Reopening a Database -- Introduction to the IDA Desktop -- Desktop Behavior During Initial Analysis -- IDA Desktop Tips and Tricks -- Reporting Bugs -- Summary -- 5. IDA Data Displays -- The Principal IDA Displays -- The Disassembly Window -- IDA Graph View -- IDA Text View -- The Functions Window -- The Output Window -- Secondary IDA Displays -- The Hex View Window -- The Exports Window -- The Imports Window
  • Using the Assemble Dialog -- IDA Output Files and Patch Generation -- IDA-Generated MAP Files -- IDA-Generated ASM Files -- IDA-Generated INC Files -- IDA-Generated LST Files -- IDA-Generated EXE Files -- IDA-Generated DIF Files -- IDA-Generated HTML Files -- Summary -- IV. Extending IDA's Capabilities -- 15. IDA Scripting -- Basic Script Execution -- The IDC Language -- IDC Variables -- IDC Expressions -- IDC Statements -- IDC Functions -- IDC Objects -- IDC Programs -- Error Handling in IDC -- Persistent Data Storage in IDC -- Associating IDC Scripts with Hotkeys -- Useful IDC Functions -- Functions for Reading and Modifying Data -- User Interaction Functions -- String-Manipulation Functions -- File Input/Output Functions -- Manipulating Database Names -- Functions Dealing with Functions -- Code Cross-Reference Functions -- Data Cross-Reference Functions -- Database Manipulation Functions -- Database Search Functions -- Disassembly Line Components -- IDC Scripting Examples -- Enumerating Functions -- Enumerating Instructions -- Enumerating Cross-References -- Enumerating Exported Functions -- Finding and Labeling Function Arguments -- Emulating Assembly Language Behavior -- IDAPython -- Using IDAPython -- IDAPython Scripting Examples -- Enumerating Functions -- Enumerating Instructions -- Enumerating Cross-References -- Enumerating Exported Functions -- Summary -- 16. The IDA Software Development Kit -- SDK Introduction -- SDK Installation -- SDK Layout -- Configuring a Build Environment -- The IDA Application Programming Interface -- Header Files Overview -- Netnodes -- Creating Netnodes -- Data Storage in Netnodes -- Deleting Netnodes and Netnode Data -- Useful SDK Datatypes -- Commonly Used SDK Functions -- Basic Database Access -- User Interface Functions -- Manipulating Database Names -- Function Manipulation -- Structure Manipulation
  • The Structures Window -- The Enums Window -- Tertiary IDA Displays -- The Strings Window -- The Names Window -- The Segments Window -- The Signatures Window -- The Type Libraries Window -- The Function Calls Window -- The Problems Window -- Summary -- 6. Disassembly Navigation -- Basic IDA Navigation -- Double-Click Navigation -- Jump to Address -- Navigation History -- Stack Frames -- Calling Conventions -- The C Calling Convention -- The Standard Calling Convention -- The fastcall Convention for x86 -- C++ Calling Conventions -- Other Calling Conventions -- Local Variable Layout -- Stack Frame Examples -- IDA Stack Views -- Searching the Database -- Text Searches -- Binary Searches -- Summary -- 7. Disassembly Manipulation -- Names and Naming -- Parameters and Local Variables -- Named Locations -- Register Names -- Commenting in IDA -- Regular Comments -- Repeatable Comments -- Anterior and Posterior Lines -- Function Comments -- Basic Code Transformations -- Code Display Options -- Formatting Instruction Operands -- Manipulating Functions -- Creating New Functions -- Deleting Functions -- Function Chunks -- Function Attributes -- Stack Pointer Adjustments -- Converting Data to Code (and Vice Versa) -- Basic Data Transformations -- Specifying Data Sizes -- Working with Strings -- Specifying Arrays -- Summary -- 8. Datatypes and Data Structures -- Recognizing Data Structure Use -- Array Member Access -- Globally Allocated Arrays -- Stack-Allocated Arrays -- Heap-Allocated Arrays -- Structure Member Access -- Globally Allocated Structures -- Stack-Allocated Structures -- Heap-Allocated Structures -- Arrays of Structures -- Creating IDA Structures -- Creating a New Structure (or Union) -- Editing Structure Members -- Stack Frames as Specialized Structures -- Using Structure Templates -- Importing New Structures -- Parsing C Structure Declarations
  • Segment Manipulation -- Code Cross-References -- Data Cross-References -- Iteration Techniques Using the IDA API -- Enumerating Functions -- Enumerating Structure Members -- Enumerating Cross-References -- Summary -- 17. The IDA Plug-in Architecture -- Writing a Plug-in -- The Plug-in Life Cycle -- Plug-in Initialization -- Event Notification -- Plug-in Execution -- Building Your Plug-ins -- Installing Plug-ins -- Configuring Plug-ins -- Extending IDC -- Plug-in User Interface Options -- Using the SDK's Chooser Dialogs -- Creating Customized Forms with the SDK -- Windows-Only User Interface-Generation Techniques -- User Interface Generation with Qt -- Scripted Plug-ins -- Summary -- 18. Binary Files and IDA Loader Modules -- Unknown File Analysis -- Manually Loading a Windows PE File -- IDA Loader Modules -- Writing an IDA Loader Using the SDK -- The Simpleton Loader -- Building an IDA Loader Module -- A pcap Loader for IDA -- Alternative Loader Strategies -- Writing a Scripted Loader -- Summary -- 19. IDA Processor Modules -- Python Byte Code -- The Python Interpreter -- Writing a Processor Module Using the SDK -- The processor_t Struct -- Basic Initialization of the LPH Structure -- The Analyzer -- The Emulator -- The Outputter -- Processor Notifications -- Other processor_t Members -- Building Processor Modules -- Customizing Existing Processors -- Processor Module Architecture -- Scripting a Processor Module -- Summary -- V. Real-World Applications -- 20. Compiler Personalities -- Jump Tables and Switch Statements -- RTTI Implementations -- Locating main -- Debug vs. Release Binaries -- Alternative Calling Conventions -- Summary -- 21. Obfuscated Code Analysis -- Anti-Static Analysis Techniques -- Disassembly Desynchronization -- Dynamically Computed Target Addresses -- Opcode Obfuscation -- Imported Function Obfuscation
  • Parsing C Header Files -- Using Standard Structures -- IDA TIL Files -- Loading New TIL Files -- Sharing TIL Files -- C++ Reversing Primer -- The this Pointer -- Virtual Functions and Vtables -- The Object Life Cycle -- Name Mangling -- Runtime Type Identification -- Inheritance Relationships -- C++ Reverse Engineering References -- Summary -- 9. Cross-References and Graphing -- Cross-References -- Code Cross-References -- Data Cross-References -- Cross-Reference Lists -- Function Calls -- IDA Graphing -- IDA External (Third-Party) Graphing -- External Flowcharts -- External Call Graphs -- External Cross-Reference Graphs -- Custom Cross-Reference Graphs -- IDA's Integrated Graph View -- Summary -- 10. The Many Faces of IDA -- Console Mode IDA -- Common Features of Console Mode -- Windows Console Specifics -- Linux Console Specifics -- OS X Console Specifics -- Using IDA's Batch Mode -- Summary -- III. Advanced IDA Usage -- 11. Customizing IDA -- Configuration Files -- The Main Configuration File: ida.cfg -- The GUI Configuration File: idagui.cfg -- The Console Configuration File: idatui.cfg -- Additional IDA Configuration Options -- IDA Colors -- Customizing IDA Toolbars -- Summary -- 12. Library Recognition Using FLIRT Signatures -- Fast Library Identification and Recognition Technology -- Applying FLIRT Signatures -- Creating FLIRT Signature Files -- Signature-Creation Overview -- Identifying and Acquiring Static Libraries -- Creating Pattern Files -- Creating Signature Files -- Startup Signatures -- Summary -- 13. Extending IDA's Knowledge -- Augmenting Function Information -- IDS Files -- Creating IDS Files -- Augmenting Predefined Comments with loadint -- Summary -- 14. Patching Binaries and Other IDA Limitations -- The Infamous Patch Program Menu -- Changing Individual Database Bytes -- Changing a Word in the Database
  • Targeted Attacks on Analysis Tools