Edition: 2
Authors: Chris Eagle
Series:
ISBN: 1593272898, 9781593272890
Publisher: No Starch Press
Year of publication: 2011
Number of pages: 676
Language: English
File format: DJVU (converted to PDF, EPUB, or AZW3 on user request)
File size: 8 MB
If you need the file of The IDA Pro Book, 2nd Edition: The Unofficial Guide to the World's Most Popular Disassembler converted to PDF, EPUB, AZW3, MOBI, or DJVU, you can notify support and they will convert it for you.
Note that The IDA Pro Book, 2nd Edition: The Unofficial Guide to the World's Most Popular Disassembler is the original-language edition and has not been translated into Persian. The International Library website provides original-language books and does not offer any books translated into or written in Persian.
Copyright; Dedication; Brief Contents; Contents in Detail; Acknowledgments; Introduction

PART I: Introduction to IDA
1: Introduction to Disassembly
Disassembly Theory; The What of Disassembly; The Why of Disassembly; Malware Analysis; Vulnerability Analysis; Software Interoperability; Compiler Validation; Debugging Displays; The How of Disassembly; A Basic Disassembly Algorithm; Linear Sweep Disassembly; Recursive Descent Disassembly; Summary
2: Reversing and Disassembly Tools
Classification Tools; file; PE Tools; PEiD; Summary Tools; nm; ldd; objdump; otool; dumpbin; c++filt; Deep Inspection Tools; strings; Disassemblers; Summary
3: IDA Pro Background
Hex-Rays’ Stance on Piracy; Obtaining IDA Pro; IDA Versions; IDA Licenses; Purchasing IDA; Upgrading IDA; IDA Support Resources; Your IDA Installation; Windows Installation; OS X and Linux Installation; IDA and SELinux; 32-bit vs. 64-bit IDA; The IDA Directory Layout; Thoughts on IDA’s User Interface; Summary

PART II: Basic IDA Usage
4: Getting Started with IDA
Launching IDA; IDA File Loading; Using the Binary File Loader; IDA Database Files; IDA Database Creation; Closing IDA Databases; Reopening a Database; Introduction to the IDA Desktop; Desktop Behavior During Initial Analysis; IDA Desktop Tips and Tricks; Reporting Bugs; Summary
5: IDA Data Displays
The Principal IDA Displays; The Disassembly Window; The Functions Window; The Output Window; Secondary IDA Displays; The Hex View Window; The Exports Window; The Imports Window; The Structures Window; The Enums Window; Tertiary IDA Displays; The Strings Window; The result is that the string at location .rdata:0040C19C (“Please guess a number between 1 and %d.”) remains undetected. The mo...; The Names Window; The Segments Window; The Signatures Window; The Type Libraries Window; The Function Calls Window; The Problems Window; Summary
6: Disassembly Navigation
Basic IDA Navigation; Double-Click Navigation; Jump to Address; Navigation History; Stack Frames; Calling Conventions; Local Variable Layout; Stack Frame Examples; IDA Stack Views; Searching the Database; Text Searches; Binary Searches; Summary
7: Disassembly Manipulation
Names and Naming; Parameters and Local Variables; Named Locations; Register Names; Commenting in IDA; Regular Comments; Repeatable Comments; Anterior and Posterior Lines; Function Comments; Basic Code Transformations; Code Display Options; Formatting Instruction Operands; Manipulating Functions; Converting Data to Code (and Vice Versa); Basic Data Transformations; Specifying Data Sizes; Working with Strings; Specifying Arrays; Summary
8: Datatypes and Data Structures
Recognizing Data Structure Use; Array Member Access; Structure Member Access; Creating IDA Structures; Creating a New Structure (or Union); Editing Structure Members; Stack Frames as Specialized Structures; Using Structure Templates; Importing New Structures; Parsing C Structure Declarations; Parsing C Header Files; Using Standard Structures; IDA TIL Files; Loading New TIL Files; Sharing TIL Files; C++ Reversing Primer; The this Pointer; Virtual Functions and Vtables; The Object Life Cycle; Name Mangling; Runtime Type Identification; Inheritance Relationships; C++ Reverse Engineering References; Summary
9: Cross-References and Graphing
Cross-References; Code Cross-References; Data Cross-References; Cross-Reference Lists; Function Calls; IDA Graphing; IDA External (Third-Party) Graphing; IDA’s Integrated Graph View; Summary
10: The Many Faces of IDA
Console Mode IDA; Common Features of Console Mode; Windows Console Specifics; Linux Console Specifics; OS X Console Specifics; Using IDA’s Batch Mode; Summary

PART III: Advanced IDA Usage
11: Customizing IDA
Configuration Files; The Main Configuration File: ida.cfg; The GUI Configuration File: idagui.cfg; The Console Configuration File: idatui.cfg; Additional IDA Configuration Options; IDA Colors; Customizing IDA Toolbars; Summary
12: Library Recognition Using FLIRT Signatures
Fast Library Identification and Recognition Technology; Applying FLIRT Signatures; Creating FLIRT Signature Files; Signature-Creation Overview; Identifying and Acquiring Static Libraries; Creating Pattern Files; Creating Signature Files; Startup Signatures; Summary
13: Extending IDA’s Knowledge
Augmenting Function Information; IDS Files; Creating IDS Files; Augmenting Predefined Comments with loadint; Summary
14: Patching Binaries and Other IDA Limitations
The Infamous Patch Program Menu; Changing Individual Database Bytes; Changing a Word in the Database; Using the Assemble Dialog; IDA Output Files and Patch Generation; IDA-Generated MAP Files; IDA-Generated ASM Files; IDA-Generated INC Files; IDA-Generated LST Files; IDA-Generated EXE Files; IDA-Generated DIF Files; IDA-Generated HTML Files; Summary

PART IV: Extending IDA's Capabilities
15: IDA Scripting
Basic Script Execution; The IDC Language; IDC Variables; IDC Expressions; IDC Statements; IDC Functions; IDC Objects; IDC Programs; Error Handling in IDC; Persistent Data Storage in IDC; Associating IDC Scripts with Hotkeys; Useful IDC Functions; Functions for Reading and Modifying Data; User Interaction Functions; String-Manipulation Functions; File Input/Output Functions; Manipulating Database Names; Functions Dealing with Functions; Code Cross-Reference Functions; Data Cross-Reference Functions; Database Manipulation Functions; Database Search Functions; Disassembly Line Components; IDC Scripting Examples; Enumerating Functions; Enumerating Instructions; Enumerating Cross-References; Enumerating Exported Functions; Finding and Labeling Function Arguments; Emulating Assembly Language Behavior; IDAPython; Using IDAPython; IDAPython Scripting Examples; Enumerating Functions; Enumerating Instructions; Enumerating Cross-References; Enumerating Exported Functions; Summary
16: The IDA Software Development Kit
SDK Introduction; SDK Installation; SDK Layout; Configuring a Build Environment; The IDA Application Programming Interface; Header Files Overview; Netnodes; Useful SDK Datatypes; Commonly Used SDK Functions; Iteration Techniques Using the IDA API; Summary
17: The IDA Plug-in Architecture
Writing a Plug-in; The Plug-in Life Cycle; Plug-in Initialization; Event Notification; Plug-in Execution; Building Your Plug-ins; Installing Plug-ins; Configuring Plug-ins; Extending IDC; Plug-in User Interface Options; Using the SDK’s Chooser Dialogs; Creating Customized Forms with the SDK; Windows-Only User Interface-Generation Techniques; User Interface Generation with Qt; Scripted Plug-ins; Summary
18: Binary Files and IDA Loader Modules
Unknown File Analysis; Manually Loading a Windows PE File; IDA Loader Modules; Writing an IDA Loader Using the SDK; The Simpleton Loader; Building an IDA Loader Module; A pcap Loader for IDA; Alternative Loader Strategies; Writing a Scripted Loader; Summary
19: IDA Processor Modules
Python Byte Code; The Python Interpreter; Writing a Processor Module Using the SDK; The processor_t Struct; Basic Initialization of the LPH Structure; The Analyzer; The Emulator; The Outputter; Processor Notifications; Other processor_t Members; Building Processor Modules; Customizing Existing Processors; Processor Module Architecture; Scripting a Processor Module; Summary

PART V: Real-World Applications
20: Compiler Personalities
Jump Tables and Switch Statements; RTTI Implementations; Locating main; Debug vs. Release Binaries; Alternative Calling Conventions; Summary
21: Obfuscated Code Analysis
Anti-Static Analysis Techniques; Disassembly Desynchronization; Dynamically Computed Target Addresses; Imported Function Obfuscation; Targeted Attacks on Analysis Tools; Anti-Dynamic Analysis Techniques; Detecting Virtualization; Detecting Instrumentation; Detecting Debuggers; Preventing Debugging; Static De-obfuscation of Binaries Using IDA; Script-Oriented De-obfuscation; Emulation-Oriented De-obfuscation; Virtual Machine-Based Obfuscation; Summary
22: Vulnerability Analysis
Discovering New Vulnerabilities with IDA; After-the-Fact Vulnerability Discovery with IDA; IDA and the Exploit-Development Process; Stack Frame Breakdown; Locating Instruction Sequences; Finding Useful Virtual Addresses; Analyzing Shellcode; Summary
23: Real-World IDA Plug-ins
Hex-Rays; IDAPython; collabREate; ida-x86emu; Class Informer; MyNav; IdaPdf; Summary

PART VI: The IDA Debugger
24: The IDA Debugger
Launching the Debugger; Basic Debugger Displays; Process Control; Breakpoints; Tracing; Stack Traces; Watches; Automating Debugger Tasks; Scripting Debugger Actions; Automating Debugger Actions with IDA Plug-ins; Summary
25: Disassembler/Debugger Integration
Background; IDA Databases and the IDA Debugger; Debugging Obfuscated Code; Launching the Process; Simple Decryption and Decompression Loops; Import Table Reconstruction; Hiding the Debugger; IdaStealth; Dealing with Exceptions; Summary
26: Additional Debugger Features
Remote Debugging with IDA; Using a Hex-Rays Debugging Server; Attaching to a Remote Process; Exception Handling During Remote Debugging; Using Scripts and Plug-ins During Remote Debugging; Debugging with Bochs; Bochs IDB Mode; Bochs PE Mode; Bochs Disk Image Mode; Appcall; Summary

A: Using IDA Freeware 5.0
Restrictions on IDA Freeware; Using IDA Freeware
B: IDC/SDK Cross-Reference
Index