introduction to ida python
TRANSCRIPT
Overview
• Brief intro to IDAPython
• How to install
• Examples– Searching disassembly patterns– Searching system calls in the binary– Deobfuscation
Automatic Reversing with IDA
• To do automatic reversing ?– you need to write scripts
• IDA supports multiple interfaces– Plugins (C++)– IDC (C-like scripting)– IDAPython (Python)
Brief intro to IDAPython
• Most things you can do w/ your hands– can be done w/ IDAPython
How to install
• COPY ‘python’ directory– to %IDA_DIR%
• PUT ‘python.plw’ – to %IDA_DIR%/plugins
• ex) C:\Program Files\IDA52\plugins
How to execute
1. Press ‘ALT+9’ in IDA2. Choose Python file you’d like to execute
Results would be printed in the log window
Simple example– walking the functions
# walkFunctions.py
### Walk the functions# Get the segment's starting addressea = ScreenEA()
# Loop through all the functionsfor function_ea in Functions(SegStart(ea), SegEnd(ea)):
# Print the address and the function name.print hex(function_ea), GetFunctionName(function_ea)
Simple example– walking the instructions
# walkInstructions.py
# For each of the segmentsfor seg_ea in Segments():
# For each of the defined elementsfor head in Heads(seg_ea, SegEnd(seg_ea)):
# If it's an instructionif isCode(GetFlags(head)):
# Get the Disasm and print itdisasm = GetDisasm(head)print disasm
Application- Find ‘CALL’ instructions
# searchSystemCalls.pyfrom idautils import *seg_ea = SegByName(".text")
# For each instructionfor addr in Heads(seg_ea, SegEnd(seg_ea)):
# Get disassemblydisasmStr = GetDisasm(addr)
if disasmStr.startswith( "int ") == True:# Print if it is a system call print "0x%08x [%s]" % (addr, disasmStr)
Deobfuscation
• What is obfuscation?– To transform binary into something
• which has the same executing behavior• which has very different outer representation
– To disrupt disassemblers
Deobfuscation
• How to obfuscate the binary– Simple obfuscation methods
PUSH XRETJMP X
XOR ECX, ECXJZ X
JMP X
=
=
original obfuscated
Deobfuscation
• What happens due to these obfuscation?– IDA failed to analyze the binary properly
• which means .. • YOU CANNOT USE CFG LAYOUT• YOU CANNOT EASILY FOLLOW THE CONTROL
FLOW
Deobfuscation
• Let’s learn deobfuscation w/ an example– 1. load reversing500 in IDA– 2. move to 0x08049891, and see ‘PUSH/RET’– 3. execute ‘deobfuscation_simple.py’– 4. see the instructions of 0x08049891
– For full deobfuscation• execute ‘deobfuscation_full.py’
Exercises (more applications)
• 1. To list all string copy functions?– such as strcpy(), strncpy(), strcat(), and etc.– YES ,this is for finding Stack Overflow vulns.
• 2. To examine all malloc() calls?– whose arg. is determined dynamically– YES ,this is for finding Heap Overflow vulns.
• 3. Memory/Register Computation Back Tracer
Reference
• “Introduction to IDAPython” by Ero Carrera