Harlan Carvey
Win The War Against Hackers: Reverse Engineer The Tools They Are Using!
Justin Ferguson
Dan Kaminsky
Jason Larsen
Luis Miras
Walter Pearce
About IOActive
Established in 1998, IOActive has successfully positioned itself as an industry leader in the Northwest’s computer security community, where it specializes
in infrastructure assessment services, application security services, managed
services, incident response services, and education services. The company
has helped various Fortune 500 organizations with services ranging from
enterprise risk management to independent technical validations of security
hardware and a wide range of applications. It has also been commissioned
to work on IT disaster recovery and business continuity planning for major
insurance companies, state organizations and energy companies. IOActive’s
consultants are members and active contributors to local and nationally
recognized computer security organizations such as SANS, Agora, CRIME,
ISSA, CTIN, WSA, HoneyNet Research Alliance, OWASP, and the University
of Washington Information Assurance School.
Technical Editor and Contributing Author
Dan Kaminsky is the Director of Penetration Testing for IOActive. Previously of Cisco and Avaya, Dan has been operating professionally in the security space since
1999. He is best known for his “Black Ops” series of talks at the well-respected Black
Hat Briefings conferences. He is also the only speaker who has attended and spoken at
every single “Blue Hat” Microsoft internal training event. Dan focuses on design level
fault analysis, particularly against massive-scale network applications. Dan regularly
collects detailed data on the health of the worldwide Internet, and recently used this
data to detect the worldwide proliferation of a major rootkit. Dan is one of the few
individuals in the world to combine both technical expertise with executive level
consulting skills and prowess.
Contributing Authors
Justin Ferguson is a security consultant and researcher at IOActive. He is
involved with helping Fortune 500 companies understand and mitigate risk
introduced in complex software computing environments via the Application
Security Practice at IOActive. Justin has over six years’ experience working
as a reverse engineer, source code auditor, malware analyst, and enterprise
security analyst for industries ranging from financial institutions to the
federal government.
I would like to thank my father, Bruce Dennis Ferguson, who was a great man;
I regret never having apologized to you nor allowing you to see the man your son
has become. I would like to thank all of the blue collar union workers from Boston
who worked themselves to the bone to make sure their children had a better life. No
mention of these men would be complete if I neglected the women who stood by their
sides and saw them through each day; you all truly are beautiful. I’d like to take
a moment to remember everyone from the South End and Brockton/South Shore
who didn’t make it and for those still struggling; continue on with the belief that
unearned suffering is redemptive. Saint Jude, pray for us all.
Jason Larsen has penetrated and owned some of the most integral systems
on the planet. His career began when he was at Idaho State University and
detected Internet-wide stealth scanning. He was awarded two scholarships
in order to support his research into and creation of detection systems,
including authorship of one of the first Intrusion Prevention Systems that
actually blocked penetration. Mr. Larsen has been unable to publish most of
his work due to national security concerns. His work for the Department
of Energy through the Idaho National Laboratories allowed him to develop
even more elegant solutions to the security problems of major SCADA and
PCS systems. His security work has benefited hundreds of clients across
several industries, both US and foreign.
I’d like to dedicate this book to the infinite patience and understanding of The
Girlfriend. Thank you for the quiet nods when listening to the latest problem and
the occasional push out the door to get some sunlight. Every geek should be required
to have a permanent tattooed companion.
Luis Miras is an independent security researcher. He has worked for both
security product vendors and leading consulting firms. His interests include
vulnerability research, binary analysis, and hardware/software reversal.
In the past, he has worked in digital design and embedded programming.
He has presented at CanSecWest, Black Hat, CCC Congress, XCon,
REcon, DefCon, and other conferences worldwide. When he isn’t heads
down in IDA or a circuit board, you will likely find him boarding down
some sweet powder.
I dedicate this book to my parents and brothers. I would like to thank Don Omar,
Sister Nancy, and Nas for providing the coding soundtrack. I would like to send greetz
to all my friends and let them know that, yes, I’m alive and no longer MIA. Thanks
to Sebastian “topo” Muniz for the IDA discussions and bouncing ideas.
Walter Pearce provides application security and penetration testing services
for IOActive, and is a regular contributor to the ongoing research and
development of advanced tools that automate IT security testing and protective
functions. His career began at 12, and his first professional role was as the
operator of a data center cluster for an online retailer, which led to Senior
Programming Engineer positions at financial service firms and institutions.
During his time in the finance industry, Walter specialized in the conception
of internal threats and designed mitigations to reduce incidence of such
events. Mr. Pearce is often requested by clients to provide expert application
security services involving a variety of platforms and languages.
To Becca, Mom, David. Love ya all.
Table of Contents
Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
An Overview of Code Debuggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Chapter 2 Assembly and Reverse Engineering Basics . . . . . . . . . . . . . . . . . . 7
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Assembly and the IA-32 Processor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
The Stack, the Heap and Other Sections of a Binary Executable . . . . . . . . . . . . 19
IA-32 Instruction Set Refresher and Reference . . . . . . . . . . . . . . . . . . . . . . . . 24
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Chapter 3 Portable Executable and Executable and Linking Formats . . . . . . . . . . . 37
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Portable Executable Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Executable and Linking Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Chapter 4 Walkthroughs One and Two . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Following Execution Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Reversing What the Binary Does . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
The Processing Subroutine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Chapter 5 Debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Debugging Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Breakpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Hardware Breakpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Software Breakpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Using Breakpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Single Stepping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Watches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Debugging in IDA Pro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Use of Debugging while Reverse Engineering . . . . . . . . . . . . . . . . . . . . . . . . . 94
Heap and Stack Access and Modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Other Debuggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Windbg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Ollydbg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Immunity Debugger (Immdbg). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
PaiMei/PyDbg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
GDB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Chapter 6 Anti-Reversing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Example Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Obfuscation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Chapter 7 Walkthrough Four . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
The Protocol Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Protocol Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Framing and Reassembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Self Similarity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Hit Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Example Hitlist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Chapter 8 Advanced Walkthrough . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Reversing Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Chapter 9 IDA Scripting and Plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Basics of IDA Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
IDC Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Conditionals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Local and Global Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Global Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Simple Script Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Writing IDC Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Problem solving with IDC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
The Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Problem Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Proposed solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Possible Improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
New IDC Debugger Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Useful IDC Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Reading and Writing Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Cross References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Code Xrefs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Data Xrefs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Data Representation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Code Traversal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Input and Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Basics of IDA Plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Module/Plug-in Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Introducing the IDA Pro SDK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
SDK Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Plug-in Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Setting up the Development Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Simple Plug-in Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
The Hello World Plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
The find memcpy Plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Collecting Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Displaying Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
The Indirect Call Plug-in. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Collecting Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Implementing the Callback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
dbg_bpt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
dbg_step_into . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
dbg_process_exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Presenting Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Plug-in Development and Debugging Strategies . . . . . . . . . . . . . . . . . . . . . . . 301
Create a new IDA Development Directory . . . . . . . . . . . . . . . . . . . . . . . . 301
Editing Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Using an Unpacked Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Enabling Exit without Saving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Plug-in Arguments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Scripting to Help Plug-in Development . . . . . . . . . . . . . . . . . . . . . . . . 304
Loaders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Processor Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Third-party Scripting Plug-ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
IDAPython . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
IDARub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311