IDA Pro provides a nice interface and serves as a good platform for reverse engineering. I miss some features, however. Luckily, IDA provides a well-documented (*cough*) API that makes it easy for anyone to enhance it as they wish.
In this mini-series I will present some scripts to ease the process of malware analysis with IDA.
Recognizing Functions
For example, IDA does not always correctly recognize functions as such. A short script changes that:
import idaapi
import idc
from idc import SEARCH_DOWN

def findUnidentifiedFunctions():
    # Walk the database from its lowest address (pre-IDA-7.0 API names:
    # getFlags/isCode/MakeFunction were renamed in 7.0)
    ea = idaapi.cvar.inf.minEA
    while ea != idaapi.BADADDR:
        # next address (after ea) that does not belong to any function
        ea = idaapi.find_not_func(ea, SEARCH_DOWN)
        flags = idaapi.getFlags(ea)
        if idaapi.isCode(flags):
            # code outside any function: turn it into one
            idc.MakeFunction(ea)
This IDAPython snippet searches for code that does not belong to any function, simply assumes that it should, and therefore creates a function there. Simple as that.
Highlighting Call Instructions
In larger functions, it is easy to miss a call that leads to an important sub-function. Hence, it's a good idea to mark all calls with a special color. Note that the IDA coloring scheme is somewhat different from what you would expect: colors are encoded as 0xBBGGRR (blue in the high byte, red in the low byte), not as the usual 0xRRGGBB.
You can achieve this by the following snippet:
import idaapi

COLOR_CALL = 0xffffd0  # 0xBBGGRR
call_instructions = [idaapi.NN_call, idaapi.NN_callfi, idaapi.NN_callni]

def highlightCall(ea):
    # pre-IDA-7.0 API: decode_insn(ea) fills the global idaapi.cmd and returns 0 on failure
    if idaapi.decode_insn(ea) == 0:
        return
    cmd = idaapi.cmd
    if cmd.itype in call_instructions:
        idaapi.set_item_color(cmd.ea, COLOR_CALL)
Highlighting Crypto-related Instructions
Crypto-related instructions are assembler instructions that form the essence of many cryptographic functions. For example, almost every block cipher makes use of the XOR instruction. As this instruction is also used to zero registers, some care has to be taken to find the ones relevant for cryptography. Hence, I added another condition that checks whether the operands differ:
import idaapi

COLOR_CRYPTO = 0xffd2f8  # 0xBBGGRR
xor_instructions = [idaapi.NN_xor, idaapi.NN_pxor, idaapi.NN_xorps, idaapi.NN_xorpd]

def highlightCrypto(ea):
    # pre-IDA-7.0 API: decode_insn(ea) fills the global idaapi.cmd and returns 0 on failure
    if idaapi.decode_insn(ea) == 0:
        return
    cmd = idaapi.cmd
    if cmd.itype in xor_instructions:
        # check if the operands differ; "xor reg, reg" only zeroes the register
        if (cmd.Op1.type != cmd.Op2.type or cmd.Op1.reg != cmd.Op2.reg
                or cmd.Op1.value != cmd.Op2.value):
            idaapi.set_item_color(cmd.ea, COLOR_CRYPTO)
There are several other instructions vital to cryptographic code, such as ROL, ROR and NOT, but these don't need the check for differing operands.
Putting it all together and adding some "syntactic sugar", we get a nice script which you can download from my GitHub page. The output looks, for example, like this:
[Image: Sample run for the initialAnalysis script]
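As an added example (not the post's GitHub script), here is one way to combine the call and crypto highlighters into a single pass over every instruction of every defined function. The color decision is kept in pure Python so it can be checked outside IDA; the IDA glue assumes the pre-7.0 idc names (GetMnem, GetOpType, GetOperandValue, SetColor) and keys on mnemonics rather than the NN_ itype constants used above.

```python
# Added example; not code from the original post or its initialAnalysis script.
# The decision logic (pick_color) is plain Python; color_all_functions() is the
# IDA glue and is only meaningful when run inside IDA (pre-7.0 idc API assumed).

def rgb_to_ida(r, g, b):
    """IDA expects 0xBBGGRR, not the usual 0xRRGGBB."""
    return (b << 16) | (g << 8) | r

COLOR_CALL = rgb_to_ida(0xd0, 0xff, 0xff)    # same value as the post's 0xffffd0
COLOR_CRYPTO = rgb_to_ida(0xf8, 0xd2, 0xff)  # same value as the post's 0xffd2f8

CALLS = {"call"}                               # covers NN_call, NN_callfi, NN_callni
XORS = {"xor", "pxor", "xorps", "xorpd"}
CRYPTO_NO_CHECK = {"rol", "ror", "not"}        # no operand check needed

def pick_color(mnem, op1=None, op2=None):
    """Return the color for one instruction, or None if it stays uncolored.

    op1/op2 are (operand_type, operand_value) pairs; for a register operand the
    value is the register number, so "xor eax, eax" yields two equal pairs."""
    mnem = mnem.lower()
    if mnem in CALLS:
        return COLOR_CALL
    if mnem in CRYPTO_NO_CHECK:
        return COLOR_CRYPTO
    if mnem in XORS and op1 is not None and op1 != op2:
        return COLOR_CRYPTO  # differing operands: not the register-zeroing idiom
    return None

def color_all_functions():
    """Walk every instruction of every defined function and color it.
    Returns the number of instructions colored (run inside IDA)."""
    import idautils, idc  # imported lazily so pick_color is usable outside IDA
    colored = 0
    for f in idautils.Functions():
        for ea in idautils.FuncItems(f):
            ops = [(idc.GetOpType(ea, i), idc.GetOperandValue(ea, i)) for i in (0, 1)]
            color = pick_color(idc.GetMnem(ea), ops[0], ops[1])
            if color is not None:
                idc.SetColor(ea, idc.CIC_ITEM, color)
                colored += 1
    return colored
```

Run findUnidentifiedFunctions() first, since Functions() only visits code IDA already knows as a function.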