Reverse Engineering Code with IDA Pro
Format: PDF / Kindle (mobi) / ePub
If you want to master the art and science of reverse engineering code with IDA Pro for security R&D or software debugging, this is the book for you. Highly organized and sophisticated criminal entities are constantly developing more complex, obfuscated, and armored viruses, worms, Trojans, and botnets. IDA Pro’s interactive interface and programmable development language provide you with complete control over code disassembly and debugging. This is the only book which focuses exclusively on the world’s most powerful and popular tool for reverse engineering code.
*Reverse Engineer REAL Hostile Code
To follow along with this chapter, you must download a file called !DANGER!INFECTEDMALWARE!DANGER!... ‘nuff said.
*Download the Code!
The companion Web site to this book offers up really evil code for you to reverse engineer and really nice code for you to automate tasks with the IDC Scripting Language.
*Portable Executable (PE) and Executable and Linking Formats (ELF)
Understand the physical layout of PE and ELF files, and analyze the components that are essential to reverse engineering.
*Break Hostile Code Armor and Write your own Exploits
Understand execution flow, trace functions, recover hard coded passwords, find vulnerable functions, backtrace execution, and craft a buffer overflow.
Debug in IDA Pro, use a debugger while reverse engineering, perform heap and stack access modification, and use other debuggers.
Anti-reversing, like reverse engineering or coding in assembly, is an art form. The trick of course is to try to stop the person reversing the application. Find out how!
*Track a Protocol through a Binary and Recover its Message Structure
Trace execution flow from a read event, determine the structure of a protocol, determine if the protocol has any undocumented messages, and use IDA Pro to determine the functions that process a particular message.
*Develop IDA Scripts and Plug-ins
Learn the basics of IDA scripting and syntax, and write IDC scripts and plug-ins to automate even the most complex tasks.
characteristics specify various attributes of the file, such as whether the file is a dynamically loaded library (DLL) or not, if the file is part of the system, if the file has had its relocation information stripped, if the file uses 32-bit words, and so on. For a full table describing this information, please consult the official Microsoft documentation. The optional header, if one exists (it does not exist in object files), is broken into three major sections, the first being eight fields that are
Null-terminated variable length string names of exported functions/data/etc.
Export address table
Name pointer table
Ordinal table
Export name table
It should be noted that not all of these tables are required to be present; if exports are only to be done via ordinal, then only the export directory table and export address table are required. The interesting fields of the export directory table (EDT) are: the name RVA, ordinal base, address table entries, number of name pointers, export address
what type of segment is being described and by implication tells the system how to interpret its contents. The defined values are shown in Table 3.7.
Table 3.7 Defined Values
Name         Value
PT_NULL      0
PT_LOAD      1
PT_DYNAMIC   2
PT_INTERP    3
PT_NOTE      4
PT_SHLIB     5
PT_PHDR      6
PT_LOPROC    0x70000000
PT_HIPROC    0x7FFFFFFF
Figure 3.12 Program Header Structure
Segments of type PT_NULL are unused; the values of its other members
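As an added example (not code from the book), the following Python walks the program header table of a little-endian ELF64 image and names each segment's p_type using the Table 3.7 values; the ELF image it parses is constructed inline, and the field offsets assumed are those of the standard ELF64 header and program header layouts.

```python
import struct

# p_type values from Table 3.7; PT_LOPROC..PT_HIPROC is the processor-specific range
PT_TYPES = {0: "PT_NULL", 1: "PT_LOAD", 2: "PT_DYNAMIC", 3: "PT_INTERP",
            4: "PT_NOTE", 5: "PT_SHLIB", 6: "PT_PHDR"}
PT_LOPROC, PT_HIPROC = 0x70000000, 0x7FFFFFFF


def segment_type_name(p_type):
    """Map a p_type value to its symbolic name; unknown values are flagged, not guessed."""
    if p_type in PT_TYPES:
        return PT_TYPES[p_type]
    if PT_LOPROC <= p_type <= PT_HIPROC:
        return "processor-specific (0x%08X)" % p_type
    return "unknown (0x%08X)" % p_type


def parse_program_headers(data):
    """Return (type name, p_offset, p_vaddr, p_filesz) per segment of an LE ELF64 image."""
    # e_ident: magic, EI_CLASS == 2 (ELFCLASS64), EI_DATA == 1 (little endian)
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_phoff, = struct.unpack_from("<Q", data, 0x20)          # offset of program header table
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    segments = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", data, off)
        segments.append((segment_type_name(p_type), p_offset, p_vaddr, p_filesz))
    return segments


def build_sample_image():
    """Constructed minimal ELF64 image (test data only): header plus three program headers."""
    phdrs = [(6, 4, 0x40, 0x400040, 0x400040, 168, 168, 8),        # PT_PHDR
             (1, 5, 0, 0x400000, 0x400000, 0x100, 0x100, 0x1000),  # PT_LOAD
             (0x70000001, 0, 0, 0, 0, 0, 0, 0)]                    # processor-specific
    body = b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize,
    # e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400000, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)
    return ehdr + body


if __name__ == "__main__":
    for name, off, vaddr, size in parse_program_headers(build_sample_image()):
        print("%-32s offset=0x%x vaddr=0x%x filesz=0x%x" % (name, off, vaddr, size))
```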
uses this information to locate the PE header and performs other light verifications of the data. As we can see in the second to last section of code, if a total match is found, we branch off to the left, and if not then we jump to the location loc_40165A, which takes the pointer, decrements it by one and repeats the loop. Now that we know the body of the routine, let’s examine the branches we haven’t yet looked at and also take a look at the return value. Figure 6.10 Jump to loc_401668 In
layers of abstraction and, as advances in computing continue, we add more and more layers of abstraction, such as virtual machines used by Java and .NET applications. However, everything in the end is assembly, and that is just fixed sequences of ones and zeros being sent to the processor. For a more complete discussion of opcodes please refer to the Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume