Dienstag, 23. Oktober 2012

Enhancing IDA Pro. Part 1: Highlighting Calls and Crypto-Operations

This blog entry is to be regarded as a short intermezzo -- I will explain in my next article why it was taking so long ;-)

IDA Pro provides a nice interface and serves as good platform for reverse engineering. I miss, however, some features. Gladly, IDA provides a well-documented (*cough*) API that makes it easy for anyone enhance it as he wishes.

In this mini-series I will present some scripts to ease the process of malware analysis with IDA.

Recognizing Functions

For example, IDA does not always correctly recognize functions as such.  A short script changes that:

def findUnidentifiedFunctions():

 next = idaapi.cvar.inf.minEA

 while next != idaapi.BADADDR:

  next = idaapi.find_not_func(next, SEARCH_DOWN)
  flags = idaapi.getFlags(next)

  if idaapi.isCode(flags):

This IDAPython snippet searches for code that is not inside a function and simply assumes that it should be in a function. Therefore, it creates a function. Simple as that.

Highlighting Call Instructions

In larger functions, you can easily miss some calls that lead to important sub-functions. Hence, it's a good idea to mark all calls with a special color. Note that the IDA coloring scheme is somewhat different from what you would expect: it uses 0xBBGGRR as coloring scheme.

You can achieve this by the following snippet:

COLOR_CALL = 0xffffd0

call_instructions = [idaapi.NN_call, idaapi.NN_callfi, 

if cmd.itype in self.call_instructions:

 idaapi.set_item_color(cmd.ea, COLOR_CALL)

Highlighting Crypto-related Instructions

Crypto-related instructions are assembler instructions that are the essence of many cryptographic functions. For example, almost each block cipher makes use of the XOR instruction. As this instruction is also used in order to zero registers, some care has to be put into finding the ones relevant for cryptography. Hence, I added another condition that checks if the operands differ:

COLOR_CRYPTO = 0xffd2f8

xor_instructions = [idaapi.NN_xor, idaapi.NN_pxor, 
 idaapi.NN_xorps, idaapi.NN_xorpd]

if cmd.itype in self.xor_instructions:

 # check if different operands
 if cmd.Op1.type != cmd.Op2.type or
  cmd.Op1.reg != cmd.Op2.reg or
  cmd.Op1.value != cmd.Op2.value:

  idaapi.set_item_color(cmd.ea, COLOR_CRYPTO)

There are several other vital cryptographic-related instructions such as ROL, ROR and NOT. But these don't need the check for different operands.

Putting it all together and adding some "syntactic sugar" we get a nice script which you can download from my GitHub page. The output looks for example like this:

Sample run for the initialAnalysis script

Keine Kommentare:

Kommentar veröffentlichen