Skip to content

IDA-Pro-tutorial .md

Latest commit

 

History

History
707 lines (557 loc) · 27.4 KB

IDA-Pro-tutorial .md

File metadata and controls

707 lines (557 loc) · 27.4 KB

Table of Contents

  1. Introduction to IDA Pro
  2. IDA Pro Overview
  3. Installing IDA Pro
  4. The IDA Pro User Interface
  5. Basic Functionality
  6. Search Functionality

1. Introduction to IDA Pro

Why Use IDA Pro?

Source code is often not available during exploit development. While this isn't problematic for simple buffer overflows, more complicated scenarios require crafting very specific input and performing in-depth analysis when issues arise.

Key Challenges:

  • Debugger Limitations: WinDbg displays instructions in plain ordered assembly rather than an intuitive graphical view
  • Code Flow Understanding: Making it difficult for exploit developers to understand target application logic
  • Language-Specific Issues:
    • High-level languages (C#, Java) can be easily decompiled back to pseudo-code
    • Lower-level languages (C, C++) have no easy way of reversing the compilation process

What is a Disassembler?

A disassembler program analyzes a binary and converts the compiled code back to its assembly representation. The best disassemblers also try to visually arrange the assembly code in a more intuitive way.

Usage Pattern:

  • Typically used in tandem with a debugger during reverse engineering
  • Combines static and dynamic analysis for increased efficiency
  • Essential for advanced exploit development

Industry Standard Tools

Tool Description Notes
IDA Pro Industry standard disassembler Primary focus of this course
Ghidra Popular alternative Free NSA tool
Radare Lesser-known alternative Open source
Binary Ninja Commercial alternative Modern interface

2. IDA Pro Overview

Features and Capabilities

IDA Pro is a tried-and-true disassembler with strong product development behind it, reflected in its price.

Key Features:

  • Multi-Architecture Support: 60+ families of processors
  • Integrated Debugger: Built-in debugging capabilities
  • Powerful Decompiler: Available for six different platforms
  • C-Style Output: Decompiler can analyze machine code and provide C-style code representation

Licensing Options

License Type Price Range Features
Professional Licenses $1000+ USD Full feature set
IDA Home Reduced price Limited commercial use
IDA Freeware Free Non-commercial, feature-limited

Note: Decompilers are optional additions to the base license.

Version Used in Course

We will be using IDA Freeware - a version that:

  • Is not for commercial use
  • Does not receive updates or support
  • Provides the features needed for reverse engineering in this course

3. Installing IDA Pro

System Requirements

Supported Architectures:

  • IDA Pro and IDA Freeware can disassemble both 32-bit and 64-bit applications
  • Application itself is only available in 64-bit
  • Requires 64-bit operating system for installation

Installation Process

Step 1: Download

  • Kali version must be 64-bit
  • Download installer: idafree70_linux.run from Hex-Rays
  • Alternative: Windows 10 machine (C:\Installers)

Step 2: Make Executable and Install

kali@kali:~/Downloads$ chmod +x idafree70_linux.run
kali@kali:~/Downloads$ sudo ./idafree70_linux.run

Step 3: Create Symbolic Link

kali@kali:~/Downloads$ sudo ln -s /opt/idafree-7.0/ida64 /usr/bin
kali@kali:~/Downloads$ ida64

Installation Verification

After installation completion:

  1. Symbolic link created to /usr/bin for easy access
  2. Launch IDA Pro by running ida64
  3. Ready to cover interface basics

Important Note: To avoid confusion throughout this module and others, we will simply refer to any version of IDA as IDA Pro instead of being specific about the license version.

4. The IDA Pro User Interface

Opening IDA Pro

Upon opening IDA Pro, you're presented with the main window:

┌─────────────────────────────────────┐
│           IDA: Quick start          │
├─────────────────────────────────────┤
│  [New]    Disassemble a new file    │
│                                     │
│  [Go]     Work on your own         │
│                                     │
│  [Previous] Load the old disassembly│
│                                     │
│  ☑ Display at startup              │
└─────────────────────────────────────┘

Options Available:

  • New: Start a new analysis
  • Previous: Open previous IDA Pro database
  • Go: Work independently
  • Previously analyzed files listed at bottom for quick access

File Analysis Setup

Step 1: File Selection

  1. Select New to start analysis
  2. Choose target file (e.g., notepad.exe from C:\Windows\System32)
  3. Copy file to Kali VM for analysis

Step 2: File Type Selection

┌──────────────────────────────────────┐
│           Load a new file            │
├──────────────────────────────────────┤
│ Load file: /home/kali/.../notepad.exe│
│ [Portable executable for 80386 (PE)] │
│                                      │
│ Processor type:                      │
│ MetaPC (disassemble all opcodes)     │
│                                      │
│ Analysis:    ☑ Enabled              │
│ Loading segment: 0000000000          │
│ Loading offset:  0000000000          │
│                                      │
│ Options:                             │
│ ☑ Fill segment gaps                  │
│ ☑ Create segments                    │
│ ☑ Create FLAT group                  │
│ ☑ Load as code segment               │
│                                      │
│ [Help] [Cancel] [OK]                 │
└──────────────────────────────────────┘

For 32-bit Windows executables and DLLs:

  • Select "Portable executable for 80386"
  • This is the common denominator for all 32-bit x86 processors

Step 3: Automatic Analysis

  • IDA Pro starts automatic analysis on the chosen binary
  • Duration varies from seconds to several minutes depending on:
    • Amount of code in the binary
    • Code complexity
  • Entry point is shown in disassembly window when complete
  • May display "ntapi" message (symbol-related, can be safely ignored)

Saving and Closing Work

Save Options Dialog

┌─────────────────────────────┐
│        Save database        │
├─────────────────────────────┤
│ IDA will save all changes   │
│ to the disk.               │
│                            │
│ ○ Don't pack database      │
│ ● Pack database (Store)    │
│ ○ Pack database (Deflate)  │
│                            │
│ ○ Collect garbage          │
│ ● DON'T SAVE the database │
│                            │
│ [Help] [Cancel] [OK]       │
└─────────────────────────────┘

Important Guidelines:

  • Always check "Pack database" if you want to save changes
  • File needs to be packed properly for successful .idb database file creation
  • Select "DON'T SAVE the database" only if you don't want to preserve changes

Interface Layout

The IDA Pro interface consists of several key windows and tabs:

┌─────────────────────────────────────────────────────────────┐
│ File Edit Jump Search View Options Windows Help             │
├─────────────────────────────────────────────────────────────┤
│ Functions │        Main Disassembly Window                  │
│ Window    │  ┌─────────────────────────────────────┐       │
│           │  │     Graph View / Text View          │       │
│ ┌─────────┤  │                                     │       │
│ │sub_...  │  │   Assembly Code Blocks              │       │
│ │sub_...  │  │                                     │       │
│ │sub_...  │  │   [Basic Block 1]                   │       │
│ │sub_...  │  │        ↓                           │       │
│ │sub_...  │  │   [Basic Block 2] → [Basic Block 3] │       │
│ └─────────┤  └─────────────────────────────────────┘       │
│           │                                                │
│ Graph     │                                                │
│ Overview  │        Output Window                           │
│           │                                                │
└─────────────────────────────────────────────────────────────┘

Main Disassembly Window Views

The main disassembly window can display code in three different ways:

1. Graph View (Default)

  • Breaks program disassembly into functions
  • Organizes function code in basic blocks
  • Shows code control flow through connections
  • Visual Indicators:
    • Green arrows: Condition met (true branch)
    • Red arrows: Condition not met (false branch)
    • Blue arrows: Unconditional jumps (JMP instruction)

Graph View Example:

┌─────────────┐    ┌─────────────┐    ┌─────────────┐
│public start │    │loc_41B6DE: │    │loc_41B6F2: │
│start proc   │    │mov ecx,[ebp]│    │mov esp,[ebp]│
│call sub_41BC│───▶│mov eax,[ecx]│    │mov eax,[ebp]│
│jmp  $+5     │    │mov eax,[eax]│    │mov dword_..│
└─────────────┘    │cmp [ebp-28h]│    │jnz short..│
                   └─────────────┘    └─────────────┘
                          │                  │
                          ▼                  ▼
                   ┌─────────────┐    ┌─────────────┐
                   │push eax     │    │push eax     │
                   │call ds:exit │    │call ds:exit │
                   └─────────────┘    └─────────────┘

2. Text View

  • Presents entire disassembly in linear fashion
  • Control flow indicated by arrows on the left
  • Less intuitive than graph view
  • Switch: Press Space to toggle between Graph and Text view

3. Proximity View

  • Advanced feature for viewing relationships between functions, global variables, and constants
  • Access: View > Open subviews > Proximity browser

Additional Interface Windows

Functions Window

┌─────────────────────────┐
│    Functions window     │
├─────────────────────────┤
│ Function name           │
├─────────────────────────┤
│ ☑ sub_F24D18           │
│ ☑ sub_F24D56           │
│ ☑ sub_F24DE4           │
│ ☑ sub_F24E30           │
│ ☑ sub_F24ED0           │
│ ☑ sub_F24EF0           │
│ ☑ sub_F24F00           │
└─────────────────────────┘

Purpose:

  • Lists all functions in the program identified by automatic analysis
  • Double-click: Navigate to function start in disassembly window

Graph Overview Window

┌─────────────────────────┐
│    Graph overview       │
├─────────────────────────┤
│      ┌─┐               │
│    ┌─┤ ├─┐             │
│    │ └─┘ │             │
│    │  ┌─┐│             │
│    └─┤ ├┘             │
│      └─┘               │
│   [dotted outline]      │
└─────────────────────────┘

Features:

  • Shows same function as main disassembly view
  • Dotted outline: Indicates currently displayed portion
  • Navigation: Click to pan around function graph

Interface Customization

Navigation Controls

  • Forward/Backward arrows: Navigate previously viewed basic blocks
  • Located in navigation bar at top-left of window

Window Management

  • Drag and dock: Place cursor below window title, drag when small bar appears
  • Reset Layout: Windows > Reset desktop

View Options

  • Line Prefixes: Options > General > tick "Line prefixes box"
  • Adds virtual addresses to graph view (normally only in text view)

5. Basic Functionality

Color Coding Basic Blocks

Color coding helps empower visual understanding of code flow in graph view.

How to Apply Colors

  1. Locate: Color palette icon at top-left corner of each basic block
  2. Click: Color palette icon to open color dialog
  3. Select: Choose desired color from color wheel
┌─────────────────────────────────────┐
│           Select Color              │
├─────────────────────────────────────┤
│     ⭕ Color Wheel                  │
│    Red:   [254] Green: [254]        │
│    Blue:  [254] Hue:   [0]          │
│    Saturation: [0] Value: [100]     │
│    Color name: #FEFEFE              │
│                                     │
│    [Color Preview Box]              │
│                                     │
│    ● Cancel    ✓ OK                 │
└─────────────────────────────────────┘

Strategic Color Usage

Recommended Approach:

  • Use two-color combination to show desired vs undesired paths
  • Green: Desired execution paths
  • Red: Undesired or error paths
  • Blue: Neutral or conditional paths

Adding Comments

Comments help remember exactly what happens at specific code locations.

Creating Comments

  1. Position cursor at specific line of assembly code
  2. Press colon (:) key
  3. Enter comment in dialog box
┌─────────────────────────────────────┐
│          Please enter text          │
├─────────────────────────────────────┤
│ Enter comment                       │
│                                     │
│ This is my comment                  │
│                                     │
│                                     │
│ [Help] [Cancel] [OK]                │
└─────────────────────────────────────┘

Comment Display

Comments appear to the right of assembly instructions:

0000000000041B5C1 cmp    dword_41E568, ebx
0000000000041B5C7 jnz    short loc_41B5F5  ; This is my comment

Renaming Functions and Variables

Default Naming Convention

When symbols files are not loaded:

  • Functions: sub_XXXXXX (where XXXXXX is address)
  • Global Variables: dword_XXXXXX

Renaming Methods

Method 1: Functions Window

  1. Right-click function in Functions window
  2. Select "Edit function..."
  3. Modify function name in dialog

Method 2: Direct Rename

  1. Position cursor on function/variable name in main window
  2. Press N key
  3. Enter new name
┌─────────────────────────────────────┐
│           Edit function             │
├─────────────────────────────────────┤
│ Name of function: [MyFunc        ▼] │
│ Start address:    .text:0041BB90 ▼  │
│ End address:      .text:0041BBD5 ▼  │
│ Color:            [DEFAULT]         │
│                                     │
│ Enter size of (in bytes)            │
│ Local variables area: [0xC      ▼]  │
│ Saved registers:      [0x4      ▼]  │
│ Purged bytes:         [0x0      ▼]  │
│ Frame pointer delta:  [0x0      ▼]  │
│                                     │
│ [Help] [Cancel] [OK]                │
└─────────────────────────────────────┘

Bookmarks Management

Bookmarks allow quick navigation to important code locations.

Creating Bookmarks

  1. Select line to bookmark
  2. Press Alt+M
  3. Name bookmark in dialog
┌─────────────────────────────────────┐
│         Please enter a string       │
├─────────────────────────────────────┤
│ Enter mark description              │
│                                     │
│ MyBookmark                          │
│                                     │
│ [Help] [Cancel] [OK]                │
└─────────────────────────────────────┘

Accessing Bookmarks

  1. Press Ctrl+M
  2. Select bookmark from list
  3. Double-click to navigate
┌─────────────────────────────────────┐
│      Choose marked location         │
├─────────────────────────────────────┤
│ Address      Description            │
├─────────────────────────────────────┤
│ 00000000... MyBookmark             │
│                                     │
│                                     │
│ [Help] [Search] [Cancel] [OK]       │
│                                     │
│ Line 1 of 1                         │
└─────────────────────────────────────┘

6. Search Functionality

Search Capabilities Overview

During IDA Pro analysis, you often need to search for:

  • Sequences of bytes
  • Strings
  • Function names
  • Variables and constants

Information Sources:

  • Static analysis programs (Windows SysInternals Strings tool)
  • Dynamic analysis sessions
  • Network traffic analysis
  • Public vulnerability disclosures
  • Suspected code behaviors

Text String Searches

Basic String Search

Access: Search menu > Text option

┌─────────────────────────────────────┐
│         Text search (slow)          │
├─────────────────────────────────────┤
│ String: [                        ▼] │
│                                     │
│ ☐ Match case                        │
│ ☐ Regular expression                │
│ ☐ Identifier                        │
│ ☐ Search Up                         │
│ ☐ Find all occurrences              │
│                                     │
│ [Help] [Cancel] [OK]                │
└─────────────────────────────────────┘

Search Options:

  • Match case: Case-sensitive search
  • Regular expression: Pattern matching
  • Identifier: Search for identifiers only
  • Search Up: Search backwards
  • Find all occurrences: Show all instances

Value and Byte Searches

Immediate Value Search

  • Hotkey: Alt+I
  • Purpose: Search for hardcoded DWORD values

Byte Sequence Search

  • Hotkey: Alt+B
  • Purpose: Search for specific byte patterns

Function Name Searches

Method 1: Functions Window Filter

  1. Open Functions window
  2. Right-click in window
  3. Select "Quick filter"
  4. Enter search term
┌─────────────────────────────────────┐
│    Choose function to jump to        │
├─────────────────────────────────────┤
│ Function name  Segment  Start  Length│
│ malloc         .text    00000000F3BF1F│
│                                     │
│ [×] malloc                          │
│                                     │
│ [Help] [Search] [Cancel] [OK]       │
└─────────────────────────────────────┘

Method 2: Jump to Function

Access: Jump menu > Jump to function command

Import and Export Analysis

Viewing Imports and Exports

Tabs Available:

  • Imports Tab: Shows all imported functions
  • Exports Tab: Shows all exported functions (for DLLs)
┌─────────────────────────────────────────────────────────────┐
│ IDA View-A     Hex View-1    Structures   Enums   Imports   │
├─────────────────────────────────────────────────────────────┤
│ Address              Name                Library             │
│ 0000000000F40100    OpenProcess         ADVAPI32           │
│ 0000000000F40104    GetTokenInformation ADVAPI32           │
│ 0000000000F40108    DuplicateTokenEx    ADVAPI32           │
│ 0000000000F4010C    RegQueryValueExW    ADVAPI32           │
│ 0000000000F40110    RegQueryValueExW    ADVAPI32           │
└─────────────────────────────────────────────────────────────┘

Features:

  • Right-click for "Quick filter" option
  • Filter by function name
  • Navigate to usage locations

Cross-Referencing (xref)

Cross-referencing detects all usages of a specific function or global variable in the entire executable or DLL.

Performing Cross-Reference Analysis

  1. Select function name or global variable in graph view
  2. Press X key
  3. View results in xref dialog
┌─────────────────────────────────────┐
│           xrefs to SubKey           │
├─────────────────────────────────────┤
│ Direction Type Address    Text      │
│ ⬇  o    sub_F29764+8E   push offset│
│ ⬇  Do.. o    sub_F29B12+53  push offset│
│                                     │
│                                     │
│                                     │
│ [Help] [Search] [Cancel] [OK]       │
│                                     │
│ Line 1 of 2                         │
└─────────────────────────────────────┘

Result Information:

  • Direction: Data flow direction
  • Type: Reference type (call, data, etc.)
  • Address: Location of reference
  • Text: Assembly instruction context

Advanced Search Techniques

Global Variable Search

Access: Jump menu > Jump by name... submenu

Search Best Practices

  1. Start Specific: Use precise search terms first
  2. Broaden Gradually: If no results, try broader terms
  3. Use Multiple Methods: Combine different search approaches
  4. Document Results: Use comments and bookmarks for findings
  5. Cross-Reference: Use xref for comprehensive analysis

Search Workflow Example

Scenario: Locating file operation functions

  1. String Search: Search for "CreateFile", "ReadFile", "WriteFile"
  2. Import Analysis: Check Imports tab for file I/O functions
  3. Cross-Reference: Use xref on found functions
  4. Code Analysis: Examine calling functions
  5. Documentation: Comment and bookmark important locations

Exercises and Practice

Exercise Set 1: Interface Familiarization

  1. Download and install IDA Pro on your Kali VM
  2. Copy notepad.exe from Windows 10 machine to Kali VM
  3. Analyze notepad.exe with IDA Pro
  4. Practice switching between different views (Graph, Text, Proximity)
  5. Navigate around the disassembled file
  6. Save the disassembled file properly

Exercise Set 2: Basic Functionality

  1. Experiment with color coding different basic blocks
  2. Add comments to assembly instructions
  3. Rename functions using both methods (Functions window and N key)
  4. Create bookmarks and practice jumping back to them

Exercise Set 3: Search Operations

  1. Perform different searches using explained methods
  2. Search for text strings in the binary
  3. Use the Functions window filter to find specific functions
  4. Locate the SubKey global variable and find where it's used
  5. Practice cross-referencing functions and variables

Exercise Set 4: Combined Analysis

  1. Use IDA Pro with WinDbg for combined static/dynamic analysis
  2. Set breakpoint on CreateFileW and save a file with Notepad
  3. Locate subsequent calls to WriteFile using both tools
  4. Practice synchronizing addresses between debugger and disassembler

Key Takeaways

  1. IDA Pro is Essential: Industry standard for reverse engineering and exploit development
  2. Static + Dynamic: Combine IDA Pro with debuggers for maximum effectiveness
  3. Interface Mastery: Understanding views, windows, and navigation is crucial
  4. Analysis Features: Color coding, comments, and renaming improve analysis efficiency
  5. Search Power: Multiple search methods enable comprehensive code analysis
  6. Cross-Referencing: Xref functionality reveals code relationships and usage patterns

References and Additional Resources

  • Official Documentation: Hex-Rays IDA Pro Documentation
  • Hex-Rays Website: https://www.hex-rays.com/products/ida/
  • Alternative Tools: Ghidra, Radare2, Binary Ninja
  • Microsoft Documentation: Windows API references for function analysis
  • Practice Materials: Use various Windows executables for hands-on practice