You can extend the functionality of IDA Pro in several ways, typically via its scripting facilities. Potential uses for scripts are infinite and can range from simple code markup to complicated functionality such as performing difference comparisons between IDA Pro database files.
Here, we’ll give you a taste of the two most popular ways of scripting using IDC and Python scripts. IDC and Python scripts can be run easily as files by choosing File ▶ Script File or as individual commands by selecting File ▶ IDC Command or File ▶ Python Command, as shown in Figure 5-12. The output window at the bottom of the workspace contains a log view that is extensively used by plug-ins for debugging and status messages.
Table 5-4. Manually Disassembling Shellcode in the paycuts.pdf Document
IDA Pro has had a built-in scripting language known as IDC that predates the widespread popularity of scripting languages such as Python and Ruby. The IDC subdirectory within the IDA installation directory contains several sample IDC scripts that IDA Pro uses to analyze disassembled texts. Refer to these programs if you want to learn IDC.
IDC scripts are programs made up of functions, with all functions declared as static. Arguments don’t need the type specified, and auto is used to define local variables. IDC has many built-in functions, as described in the IDA Pro help index or the idc.idc file typically included with scripts that use the built-in functions.
In Chapter 1, we discussed the PEiD tool and its plug-in Krypto ANALyzer (KANAL), which can export an IDC script. The IDC script sets bookmarks and comments in the IDA Pro database for a given binary, as shown in Example 5-5.
Example 5-5. IDC script generated by the PEiD KANAL plug-in
#include <idc.idc>

static main(void)
{
    auto slotidx;                 /* local variables are declared with auto */
    slotidx = 1;

    /* bookmark the AES forward S-box and annotate the location with a comment */
    MarkPosition(0x00403108, 0, 0, 0, slotidx + 0, "RIJNDAEL [S] [char]");
    MakeComm(PrevNotTail(0x00403109),
             "RIJNDAEL [S] [char] RIJNDAEL (AES): SBOX (also used in other ciphers).");

    /* bookmark the AES inverse S-box used for decryption */
    MarkPosition(0x00403208, 0, 0, 0, slotidx + 1, "RIJNDAEL [S-inv] [char]");
    MakeComm(PrevNotTail(0x00403209),
             "RIJNDAEL [S-inv] [char] RIJNDAEL (AES): inverse SBOX (for decryption)");
}
To load an IDC script, select File ▶ Script File. The IDC script should be executed immediately, and a toolbar window should open with one button for editing and another for re-executing the script if needed.
IDAPython is fully integrated into the current version of IDA Pro, bringing the power and convenience of Python scripting to binary analysis. IDAPython exposes a significant portion of IDA Pro’s SDK functionality, allowing for far more powerful scripting than offered with IDC. IDAPython has three modules that provide access to the IDA API (idaapi), IDC interface (idc), and IDAPython utility functions (idautils).
IDAPython scripts use the effective address (EA) as their primary means of referencing locations in the database. There are no abstract data types, and most calls take either an EA or a symbol name string. IDAPython has many wrapper functions around the core IDC functions.
Example 5-6 shows a sample IDAPython script.
The goal of this script is to color-code all call instructions in an idb to make them stand out more to the analyst. For example, ScreenEA is a common function that gets the location of the cursor. Heads is a function that will be used to walk through the defined elements, which is each instruction in this case. Once we’ve collected all of the function calls in functionCalls, we iterate through those instructions and use SetColor to set the color.
Example 5-6. Useful Python script to color all function calls
from idautils import *
from idc import *

# walk every defined item (here, each instruction) in the segment under the cursor
heads = Heads(SegStart(ScreenEA()), SegEnd(ScreenEA()))

# collect the addresses of all call instructions
functionCalls = []
for i in heads:
    if GetMnem(i) == "call":
        functionCalls.append(i)

print("Number of calls found: %d" % len(functionCalls))

# color each call instruction (0xBBGGRR) so it stands out in the disassembly view
for i in functionCalls:
    SetColor(i, CIC_ITEM, 0xc7fdff)
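As an added example that is not part of the book, the following script extends Example 5-6 by distinguishing direct calls (call sub_401100) from indirect ones (call eax, call [ebx+4], call ds:LoadLibraryA), which is where dynamically resolved imports usually hide from a quick reading of the disassembly. It assumes the classic IDC API names from the page plus GetOpType and the o_near/o_far operand-type values, and keeps the classification in a plain function so it can be exercised outside IDA on constructed data.

```python
# Added example, not from the book. Assumes the classic IDAPython/IDC API
# (Heads, SegStart, SegEnd, ScreenEA, GetMnem, SetColor) plus GetOpType.

# Operand-type values from the classic IDC API (assumed): o_far=6, o_near=7
O_FAR, O_NEAR = 6, 7

# Colors in 0xBBGGRR form, the format SetColor expects
COLOR_DIRECT = 0xC7FDFF    # pale yellow, same as Example 5-6
COLOR_INDIRECT = 0xBFBFFF  # pale red for indirect (register/memory) calls

def classify_calls(instructions):
    """instructions: iterable of (ea, mnemonic, first_operand_type) tuples.
    Returns {'direct': [ea, ...], 'indirect': [ea, ...]} for every call."""
    result = {"direct": [], "indirect": []}
    for ea, mnem, optype in instructions:
        if mnem != "call":
            continue
        # a near/far immediate target is a direct call; anything else
        # (register, [mem], IAT slot) is resolved at run time
        if optype in (O_NEAR, O_FAR):
            result["direct"].append(ea)
        else:
            result["indirect"].append(ea)
    return result

def color_calls_in_current_segment():
    """Run inside IDA: walk the segment under the cursor, as Example 5-6 does,
    and color direct and indirect calls differently."""
    from idautils import Heads  # IDAPython modules exist only inside IDA
    from idc import SegStart, SegEnd, ScreenEA, GetMnem, GetOpType, SetColor, CIC_ITEM
    heads = Heads(SegStart(ScreenEA()), SegEnd(ScreenEA()))
    insns = [(ea, GetMnem(ea), GetOpType(ea, 0)) for ea in heads]
    calls = classify_calls(insns)
    for ea in calls["direct"]:
        SetColor(ea, CIC_ITEM, COLOR_DIRECT)
    for ea in calls["indirect"]:
        SetColor(ea, CIC_ITEM, COLOR_INDIRECT)
    print("direct calls: %d, indirect calls: %d"
          % (len(calls["direct"]), len(calls["indirect"])))
    return calls

# Constructed sample of (ea, mnemonic, operand type) as IDA would report it
SAMPLE = [
    (0x401000, "push", 1),       # push ebp
    (0x401001, "call", O_NEAR),  # call sub_401100        (direct)
    (0x401006, "call", 1),       # call eax               (o_reg, indirect)
    (0x401008, "call", 4),       # call [ebx+4]           (o_displ, indirect)
    (0x40100B, "call", 2),       # call ds:LoadLibraryA   (o_mem, IAT slot, indirect)
    (0x401011, "ret", 0),
]

if __name__ == "__main__":
    print(classify_calls(SAMPLE))
```

Inside IDA, run color_calls_in_current_segment() from File ▶ Python Command; outside IDA, only classify_calls() is usable.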
After you have gained solid experience with IDA Pro, you should consider purchasing a few commercial plug-ins, such as the Hex-Rays Decompiler and zynamics BinDiff. The Hex-Rays Decompiler is a useful plug-in that converts IDA Pro disassembly into a human-readable, C-like pseudocode text. Reading C-like code instead of disassembly can often speed up your analysis because it gets you closer to the original source code the malware author wrote.
zynamics BinDiff is a useful tool for comparing two IDA Pro databases. It allows you to pinpoint differences between malware variants, including new functions and differences between similar functions. One of its features is the ability to provide a similarity rating when you’re comparing two pieces of malware. We describe these IDA Pro extensions more extensively in Appendix B.