Practical Malware Analysis using IDA Pro….

September 15, 2013


Two versions of IDA Pro are commercially available. While both versions support x86, the advanced version supports many more processors than the standard version, most notably x64. IDA Pro also supports several file formats,
such as Portable Executable (PE), Common Object File Format (COFF), Executable and Linking Format (ELF), and a.out. We’ll focus our discussion on the x86 and x64 architectures and the PE file format.

The IDA Pro Interface
After you load a program into IDA Pro, you will see the disassembly window, as shown in Figure 5-2. This will be your primary space for manipulating and analyzing binaries, and it’s where the assembly code resides.

Disassembly Window Modes
You can display the disassembly window in one of two modes: graph (the default, shown in Figure 5-2) and text. To switch between modes, press the spacebar.

Graph Mode
In graph mode, IDA Pro excludes certain information that we recommend you display, such as line numbers and operation codes. To change these options, select OptionsGeneral, and then select Line prefixes and set the
Number of Opcode Bytes to 6. Because most instructions contain 6 or fewer bytes, this setting will allow you to see the memory locations and opcode values for each instruction in the code listing. (If these settings make everything
scroll off the screen to the right, try setting the Instruction Indentation to 8.)

Text Mode
The text mode of the disassembly window is a more traditional view, and you must use it to view data regions of a binary. Figure 5-3 displays the text mode view of a disassembled function. It displays the memory address (0040105B) and section name (.text) in which the opcodes (83EC18) will reside in memory .



The left portion of the text-mode display is known as the arrows window and shows the program’s nonlinear flow. Solid lines mark unconditional jumps, and dashed lines mark conditional jumps. Arrows facing up
indicate a loop. The example includes the stack layout for the function at and a comment (beginning with a semicolon) that was automatically added by IDA Pro .

Using Cross-References
A cross-reference, known as an xref in IDA Pro, can tell you where a function is called or where a string is used. If you identify a useful function and want to know the parameters with which it is called, you can use a cross-reference to
navigate quickly to the location where the parameters are placed on the stack. Interesting graphs can also be generated based on cross-references, which are helpful to performing analysis.

Code Cross-References
Listing 5-2 shows a code cross-reference at  that tells us that this function (sub_401000) is called from inside the main function at offset 0x3 into the main function. The code cross-reference for the jump at  tells us which
jump takes us to this location, which in this example corresponds to the location marked at . We know this because at offset 0x19 into sub_401000 is the jmp at memory address 0x401019.

00401000 sub_401000 proc near ; CODE XREF: _main+3p
00401000 push ebp
00401001 mov ebp, esp
00401003 loc_401003: ; CODE XREF: sub_401000+19j
00401003 mov eax, 1

00401008 test eax, eax
0040100A jz short loc_40101B
0040100C push offset aLoop ; “Loop\n”
00401011 call printf
00401016 add esp, 4
00401019 jmp short loc_401003 
Listing 5-2: Code cross-references

This chapter offered only a cursory exposure to IDA Pro. Throughout this article , we will use IDA Pro in our labs as we demonstrate interesting ways to use it.
As you’ve seen, IDA Pro’s ability to view disassembly is only one small aspect of its power. IDA Pro’s true power comes from its interactive ability, and we’ve discussed ways to use it to mark up disassembly to help perform
analysis. We’ve also discussed ways to use IDA Pro to browse the assembly code, including navigational browsing, utilizing the power of cross-references, and viewing graphs, which all speed up the analysis process.

IDA Pro is a good tools for dissasembly a program and making a reverse engineering IDA Pro is widely use for malware analysis to analyze malware. We can use IDA Pro to see the overall dissasembly process and the program code in graph view and text view. We need to have some assembly language knowledge to dissasemble a program.

p/s:- The above article is taken from excerpt ” Practical Malware Analysis – by Michael Sikorski”.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: