In my previous blog post, I demonstrated the process of identifying executable packers and static analysis tools. In this blog, we will explore how to analyze the sample using a powerful Disassembler called IDA Pro.
IDA Pro, developed by Hex-Rays, is a renowned software program utilized for reverse engineering binary code. As a disassembler and debugger, it enables users to delve into the intricate details of executable files, including executables, shared libraries, object files, and firmware. With its support for diverse processor architectures and file formats, IDA Pro proves to be a versatile tool for code analysis across various platforms.
Let’s explore the built-in features of IDA Pro:
- Code Analysis
- Processor and File Format Support
- Graph View
- Scripting Interface
- Collaboration and Sharing
Upon launching IDA, you will encounter the initial window, which presents the option to “Disassemble a New File” for opening.
Fig 1: Opening Window
Fig 2: Basic View of IDA Pro
IDA Pro automatically identifies and recognizes the file format of the executable upon opening. Also, it thoroughly analyzes the entire executable file and generates an .idb (IDA database) archive. This archive serves as a comprehensive database containing the disassembled code, analysis results, and other relevant information extracted from the executable.
Fig 3: Loading a new file
Within IDA Pro, specific files serve distinct purposes:
ID0: This file contains the contents of the B-tree style database. It stores the actual data and structures used by IDA Pro for analysis, disassembly, and various other operations.
ID1: The .id1 file holds flags that provide descriptions for each program byte. These flags help characterize and identify specific characteristics of the code during analysis.
NAM: The .nam file serves as an index that houses information related to named program locations. It assists in efficiently referencing and accessing named entities within the disassembled code, aiding in the overall understanding of the program’s structure.
Fig 4: Loaded Sample’s EntryPoint
IDA Pro Interfaces:
Let’s see the important and useful interfaces of IDA Pro.
- IDA View-A
- Hex View-A
- Help window
IDA View-A represents the primary disassembly view in IDA Pro, showcasing the code disassembly of the program. It presents the disassembly instructions, function boundaries, and control flow of the analyzed binary code. This view provides a comprehensive overview of the program’s assembly instructions, allowing users to navigate, analyze, and understand the functionality and logic of the code.
Fig 5: Normal IDA View-A
Fig 6: Detailed IDA View
Displays the hexadecimal representation of the program, which easily correlates the hexadecimal representation with the disassembly instructions, facilitating a comprehensive analysis of the program’s binary code.
Fig 7: Hex-View Window
Strings window organizes the extracted strings into a list, allowing users to browse, search, and manipulate them. Each string entry typically includes the string value itself, the address where it was found, and additional contextual information.
The Strings window enables users to view cross-references to strings from different parts of the disassembled code. This feature helps identify how the strings are utilized and provides insights into program functionality.
Fig 8: Strings Window
Exports & Imports Window:
Exports: This section displays the functions or symbols exported by the analyzed program. Exported functions are typically accessible to other modules or executables, allowing them to be used as an interface for external components.
Imports: In this section, the window lists the functions or symbols that the analyzed program imports from external libraries or modules. Imported functions are references to functions that the program relies on but are implemented externally.
Fig 9: Export & Import Window
Fig 10: Import Functions
Fig 11: Export Functions
Fig 12: Switching Shortcut Tiles
Fig 13: Help Window
In short, IDA Pro is a powerful and versatile tool for reverse engineers, security researchers, and software analysts. Its robust features, such as disassembly, code analysis, debugging, and support for various processor architectures and file formats, enable in-depth analysis and understanding of binary code.
While this overview provides a glimpse into the capabilities of IDA Pro, security professionals can continue to expand their knowledge, skills, and application of this powerful tool, unlocking its full potential for complex security challenges.
Keep learning and be on the lookout for my next blog!! PD