Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Introduction to ida python

4,981 views

Published on

Published in: Education, Technology

Introduction to ida python

  1. 1. Introduction to IDAPython Byoungyoung Lee POSTECH PLUS 038 override@postech.ac.kr
  2. 2. Overview • Brief intro to IDAPython • How to install • Examples – Searching disassembly patterns – Searching system calls in the binary – Deobfuscation
  3. 3. Automatic Reversing with IDA • To do automatic reversing ? – you need to write scripts • IDA supports multiple interfaces – Plugins (C++) – IDC (C-like scripting) – IDAPython (Python)
  4. 4. Brief intro to IDAPython • Most things you can do w/ your hands – can be done w/ IDAPython
  5. 5. How to install • COPY ‘python’ directory – to %IDA_DIR% • PUT ‘python.plw’ – to %IDA_DIR%/plugins • ex) C:Program FilesIDA52plugins
  6. 6. How to execute 1. Press ‘ALT+9’ in IDA 2. Choose Python file you’d like to execute  Results would be printed in the log window
  7. 7. Simple example – walking the functions # walkFunctions.py ### Walk the functions # Get the segment's starting address ea = ScreenEA() # Loop through all the functions for function_ea in Functions(SegStart(ea), SegEnd(ea)): # Print the address and the function name. print hex(function_ea), GetFunctionName(function_ea)
  8. 8. Simple example – walking the instructions # walkInstructions.py # For each of the segments for seg_ea in Segments(): # For each of the defined elements for head in Heads(seg_ea, SegEnd(seg_ea)): # If it's an instruction if isCode(GetFlags(head)): # Get the Disasm and print it disasm = GetDisasm(head) print disasm
  9. 9. Application - Find ‘CALL’ instructions # searchSystemCalls.py from idautils import * seg_ea = SegByName(".text") # For each instruction for addr in Heads(seg_ea, SegEnd(seg_ea)): # Get disassembly disasmStr = GetDisasm(addr) if disasmStr.startswith( "int ") == True: # Print if it is a system call print "0x%08x [%s]" % (addr, disasmStr)
  10. 10. Deobfuscation • What is obfuscation? – To transform binary into something • which has the same executing behavior • which has very different outer representation – To disrupt disassemblers
  11. 11. Deobfuscation • How to obfuscate the binary – Simple obfuscation methods JMP X = PUSH X RET JMP X = XOR JZ original ECX, ECX X obfuscated
  12. 12. Deobfuscation • What happens due to these obfuscation? – IDA failed to analyze the binary properly • which means .. • YOU CANNOT USE CFG LAYOUT • YOU CANNOT EASILY FOLLOW THE CONTROL FLOW
  13. 13. Deobfuscation • Let’s learn deobfuscation w/ an example – 1. – 2. – 3. – 4. load reversing500 in IDA move to 0x08049891, and see ‘PUSH/RET’ execute ‘deobfuscation_simple.py’ see the instructions of 0x08049891 – For full deobfuscation • execute ‘deobfuscation_full.py’
  14. 14. Exercises (more applications) • 1. To list all string copy functions? – such as strcpy(), strncpy(), strcat(), and etc. – YES ,this is for finding Stack Overflow vulns. • 2. To examine all malloc() calls? – whose arg. is determined dynamically – YES ,this is for finding Heap Overflow vulns. • 3. Memory/Register Computation Back Tracer
  15. 15. Reference • “Introduction to IDAPython” by Ero Carrera

×