IDA Pro Introduction (PDF)

Title: IDA Pro Introduction
Course: ECE Seminar
Institution: Georgia Institute of Technology
Pages: 49

Summary

Intro to malware reverse engineering...


Description

WELCOME TO IDA PRO
Prof. Brendan Saltaformaggio, School of ECE

PLEASE CONSIDER THE ENVIRONMENT, AVOID PRINTING SLIDES!

WHAT IS IDA PRO?

• IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin environment
• IDA Pro is the industry standard for hostile code analysis, vulnerability research, software validation, interactive debugging, and much more

© Brendan Saltaformaggio, Georgia Tech

Slide 2

THANK YOU TO THE SCHOOL OF ECE!!

• IDA Pro enables multi-processor disassembly and debugging across more than 50 processor families
• IDA Pro provides a unique advantage to software security research and education
• Simply having IDA Pro experience makes you a top candidate for many careers
  - Malware analyst, low-level software developer, security researcher, …
• The School of ECE saw the exciting potential of providing students access to IDA Pro
• IDA Pro is not cheap --- A single floating license costs over $2800 USD!
• The School of ECE has graciously purchased 30 floating licenses for this course!
• We are among a small group of universities which have this educational benefit

Slide 3

HOW TO ACCESS IDA PRO

• IDA Pro is installed in the School of ECE's cloud servers
• Two very powerful Red Hat Linux 7 machines
  - ecelinsrvw.ece.gatech.edu = 196GB memory and 24 cores
  - ecelinsrvv.ece.gatech.edu = 132GB memory and 24 cores
• IDA Pro runs on those machines; we can connect to the GUI in 2 ways:
  1) Standard SSH with X11 forwarding: best on fast internet connections (e.g., on campus)
  2) FastX Client: best on slow internet connections

Slide 4

FASTX CLIENT

• FastX is a custom X server & client implementation
  - It is optimized to be more efficient over slow internet connections
  - Standard SSH with X forwarding is terrible over slow connections
• Georgia Tech OIT provides FastX Client for Windows, Linux, and Mac
  - Available at: http://software.oit.gatech.edu
• The IDA Pro Servers are running the custom FastX server
• The FastX Client handles connecting to the IDA Pro Servers and displaying the X11 GUI
• Supported by Georgia Tech OIT

Slide 5

DO NOT FORGET TO VPN!

• We can only access these machines through the Georgia Tech VPN!
  - Even on eduroam you need the VPN
  - Only the on-campus ECE computer labs can access them without the VPN
• Georgia Tech OIT provides & supports VPN clients for Linux, Windows, Mac, …
  - https://faq.oit.gatech.edu/content/how-do-i-get-started-campus-vpn
• Must use the anyc.vpn.gatech.edu VPN server!

Slide 6

HOW TO CONNECT TO IDA PRO SERVERS FROM LINUX

LINUX VPN


Slide 8

AFTER VPN, STANDARD SSH WITH X11 FORWARDING

• Be sure to set X11 forwarding on, compression on, and cipher preferences for fast ciphers


Slide 9
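A concrete client-side setting for the slide above, as an added example that is not part of the original deck: an OpenSSH ~/.ssh/config fragment that turns on X11 forwarding, compression and a fast cipher list for the two IDA servers. The Host aliases ida-w and ida-v and the User value are assumptions; put your own GT username there. On current OpenSSH the fast ciphers are the AEAD ones (chacha20-poly1305, aes128-gcm); the legacy arcfour ciphers that older "fast cipher" advice referred to are no longer enabled and should not be listed.

```sshconfig
# ~/.ssh/config fragment (added example). The aliases "ida-w"/"ida-v" and the
# User value are assumptions; replace gtusername with your own account.
Host ida-w
    HostName ecelinsrvw.ece.gatech.edu
Host ida-v
    HostName ecelinsrvv.ece.gatech.edu

# Settings shared by both servers. ssh keeps the first value it sees for each
# option, so the per-host stanzas above win and this block fills in the rest.
Host ida-w ida-v
    User gtusername
    # X11 forwarding, kept "untrusted": the remote X client is confined by the
    # X SECURITY extension and cannot snoop your other local windows.
    ForwardX11 yes
    ForwardX11Trusted no
    # Compression helps the chatty X protocol on slow links.
    Compression yes
    # Fast ciphers on current OpenSSH are the AEAD ones; the legacy arcfour
    # family is disabled in modern releases, so do not list it.
    Ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes128-ctr
    # Keeps an idle GUI session alive through NAT/VPN idle timeouts.
    ServerAliveInterval 60
```

With this in place, `ssh ida-w` gives the X11-forwarded terminal of slide 10, and `scp hello ida-w:` / `scp ida-w:hello.lst .` move the lab files of slide 28 with the same settings, because scp reads the same config. The first connection prints the server's host-key fingerprint and stores it in ~/.ssh/known_hosts; confirm it with ECE before you type your password, since the VPN does not authenticate the server for you. Leave ForwardX11Trusted off unless IDA's GUI fails with X errors under untrusted forwarding (Qt applications sometimes do); trusted forwarding (ssh -Y) lets any process on the server read your local X session, keystrokes included.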

ENTER PASSWORD AND YOU'RE CONNECTED!

• Now you have a terminal with X11 forwarding from ecelinsrvv or ecelinsrvw


Slide 10

ANOTHER LINUX OPTION: LINUX FASTX CLIENT

• SSH with X forwarding is terrible over slow connections
• FastX is optimized for slow connections
  - Also, Georgia Tech OIT will always recommend that you use FastX
1. Download FastX from GT OIT
   - http://software.oit.gatech.edu
2. Extract the tar.gz file
3. cd to the extracted FastX directory
4. Execute: $ PATH=$PATH:./ ./FastX
   - There is a BUG in the Linux FastX client!
   - It needs the FastX directory in the PATH to correctly find its dependencies!

Slide 11

ANOTHER LINUX OPTION: LINUX FASTX CLIENT

• Now you have a terminal with X11 forwarding from ecelinsrvv or ecelinsrvw

Slide 14

HOW TO CONNECT TO IDA PRO SERVERS FROM WINDOWS

WINDOWS VPN

Slide 16

AFTER VPN, WINDOWS FASTX CLIENT

Slide 17

LAUNCH APPS IN FASTX

• Now you have a terminal with X11 forwarding from ecelinsrvv or ecelinsrvw

Slide 19

ANOTHER OPTION: PUTTY

• There is another option: PuTTY
  - I love PuTTY because I am a Linux geek --- If you are too then you may prefer PuTTY
1. Connect to the VPN
2. Use PuTTY to SSH to the IDA Pro servers
3. PuTTY will use the Xming program (installed on your Windows machine) to display the X11 forwarding
   - Download PuTTY executable from: http://www.putty.org/
   - Download Xming installer from: http://www.straightrunning.com/XmingNotes/
• Benefits: PuTTY can do more --- The exact same as Linux SSH, but for Windows
• Problems: Not supported by Georgia Tech OIT & terrible over slow internet connections!

Slide 20

SECOND WINDOWS OPTION: PUTTY

• Set preferred ciphers like the Linux SSH command
• Add host and name the session

Slide 21

SECOND WINDOWS OPTION: PUTTY

• Enable X11 forwarding
• Be sure you have Xming installed & running in the background (execute Xming.exe)

Slide 22

SECOND WINDOWS OPTION: PUTTY

• Enable compression
• DON'T FORGET TO SAVE!!
• Open the session & now you have a terminal with X11 forwarding

Slide 23

ONCE YOU ARE CONNECTED TO THE IDA PRO SERVERS… YOU ARE IN ECE TERRITORY! ALL PROBLEMS MUST BE SENT TO: help@ece.gatech.edu

IDA PRO EN VIRONMENT

• Before you can do anything with IDA Pro, you must first set up the running environment
• Use the following command: $ source /tools/idapro/ida-70/cshrc.idapro
• Note: You cannot see the /tools/idapro directory until you execute that command
  - It is our "secret" key!
• Only needs to be done once (per terminal) to set up the environment
• Everything related to IDA Pro is available in /tools/idapro
  - We have read & execute permissions in that folder (after executing "$ source …")
• Feel free to look through the directories, read the docs, and check out the SDK!

Slide 25

A TALE OF TWO IDAS

• IDA Pro has two different executables
  - Which executable you use depends on what binary you are analyzing
• ida for working with 32-bit binaries
• ida64 for working with 64-bit binaries
• You will get an error if you use the wrong one
• I recommend executing them with "&" after the command to put the process in the background

Slide 26

NOT ICE THE TCSH!

• The default shell on the ECE machines should be /bin/tcsh
• THIS IS NOT BASH! But it is similar
• The "$ source /tools/idapro/ida-70/cshrc.idapro" command will ONLY work in tcsh! The file is written in csh syntax, so bash's source will fail on it
• You can check your current shell with "echo $0"
• After you run "$ source …" you can switch to /bin/bash if you want: the environment variables the tcsh session exported are inherited by a bash started from that same terminal

Slide 27

CLOUD IDA

• Notice that IDA Pro will be executing on the remote server
• So you have to move any files/test cases/etc. to your home directory before you begin
• Many remote file copy utilities exist for every platform
• On Linux, use the scp command
  - Please see this helpful cheat-sheet for a range of scp uses: http://www.hypexr.org/linux_scp_help.php

Slide 28

SCP ON WINDOWS

• On Windows, use PSCP
  - "PuTTY SCP"
• The PuTTY project's own command-line SCP/SFTP client for Windows; it accepts the same command line flags as Linux scp
• Also download from http://www.putty.org/
  - Click "You can download PuTTY here." then scroll down, pscp.exe will be in the list
• Run pscp.exe in the Windows command prompt
  - Please see this helpful cheat-sheet for a range of scp uses: http://www.hypexr.org/linux_scp_help.php

Slide 29

WINSCP FOR THOSE WHO LIKE GUIS

• Another great option on Windows is WinSCP
• Download from: https://winscp.net/eng/download.php
• An open-source SCP/SFTP client (its SSH code comes from PuTTY) wrapped in a Windows GUI
• Simply drag and drop files between the two machines

SIGNING INTO WINSCP

• Protocol = SFTP
• Fill in the host name and username fields
• Port = 22
• Remember to save!
• Give the session a nice name

Slide 31

ENTER PASSWORD & YOU'RE ALL SET!

• Now simply drag and drop files between the hosts

Slide 32

SELECT YOUR ANALYSIS TARGET!

• When IDA Pro starts it will ask you to start a new disassembly or open a previous one

Slide 33

LOADING A NEW FILE

Slide 34

IDA WILL THEN ASK FOR LOADING INSTRUCTIONS

• The defaults are almost always correct … unless you are dealing with nasty malware!
• Loading is static: IDA parses the file, it does not run it. Nothing in the sample executes unless you start the debugger

Slide 35

IDA WILL OPEN IN CONTROL FLOW GRAPH VIEW

• Right-click and select Text View to view the flat disassembled code

Slide 36

COMMENTS: RIGHT-CLICK -> ENTER COMMENTS (OR PRESS ":")

Slide 37

PRO TIP: RENAME LABELS AS YOU GO!

1. Click on the element to rename
2. Press the "n" key
3. Enter name and settings (if any)
4. Enjoy easier to read assembly!

Slide 38

PRO TIP #2: SWITCH BETWEEN VIEWS!

• Text View may be easier to read, but Graph View gives better context
• Comments still show in both views

Slide 39

PRO TIP #3: NAVIGATION BUTTONS!

• Double-click on a label to jump to it. Want to go back? IDA remembers!

Slide 40

PRO TIP #4: RENAME SYMBOLIC CONSTANTS

• IDA's type libraries (and FLIRT signatures for statically linked library code) know the arguments for common APIs
• But IDA also knows the symbolic names for most defined constants!
• You just have to tell IDA what value you are looking for

    LONG WINAPI RegCreateKeyEx(
        _In_       HKEY                  hKey,
        _In_       LPCTSTR               lpSubKey,
        _Reserved_ DWORD                 Reserved,
        _In_opt_   LPTSTR                lpClass,
        _In_       DWORD                 dwOptions,
        _In_       REGSAM                samDesired,
        _In_opt_   LPSECURITY_ATTRIBUTES lpSecurityAttributes,
        _Out_      PHKEY                 phkResult,
        _Out_opt_  LPDWORD               lpdwDisposition
    );

Slide 41

PRO TIP #4: RENAME SYMBOLIC CONSTANTS (2)

• Right Click -> Use standard symbolic constant
• Then simply find the constant name you are looking for
• If you can't find the symbol, you may need to add it
• First, look up the symbol's header file definition
• Second, read about adding new Enums and symbolic constants here: https://www.hex-rays.com/products/ida/support/idadoc/499.shtml

Slide 42
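What "Use standard symbolic constant" does for you on a RegCreateKeyEx call site, as an added Python example that is not from the slides: it turns the raw immediates pushed for hKey, dwOptions and samDesired into the names from the Windows SDK headers and says whether the caller asked for rights that can modify the key. The numeric values are the winreg.h/winnt.h definitions; the call at the bottom is constructed, not taken from any real sample.

```python
"""Decode RegCreateKeyEx arguments the way IDA's symbolic-constant lookup does.

Added example, not from the original slides. Constant values are the Windows
SDK definitions (winreg.h / winnt.h); the sample call is constructed.
"""
from typing import Dict, List, Sequence, Tuple

# Predefined root-key handles (winreg.h).
HKEY_ROOTS: Dict[int, str] = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

# dwOptions bits (winnt.h). REG_OPTION_NON_VOLATILE is 0, so it is reported
# only when no other option bit is set.
REG_OPTIONS: Sequence[Tuple[int, str]] = (
    (0x1, "REG_OPTION_VOLATILE"),
    (0x2, "REG_OPTION_CREATE_LINK"),
    (0x4, "REG_OPTION_BACKUP_RESTORE"),
)

# samDesired (REGSAM, winnt.h). Composite masks are tried first so that
# 0x20019 reads as KEY_READ instead of four separate bits.
REGSAM_COMPOSITE: Sequence[Tuple[int, str]] = (
    (0x000F003F, "KEY_ALL_ACCESS"),
    (0x00020019, "KEY_READ"),
    (0x00020006, "KEY_WRITE"),
)
REGSAM_BITS: Sequence[Tuple[int, str]] = (
    (0x0001, "KEY_QUERY_VALUE"),
    (0x0002, "KEY_SET_VALUE"),
    (0x0004, "KEY_CREATE_SUB_KEY"),
    (0x0008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x0010, "KEY_NOTIFY"),
    (0x0020, "KEY_CREATE_LINK"),
    (0x0100, "KEY_WOW64_64KEY"),
    (0x0200, "KEY_WOW64_32KEY"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
)
WRITE_RIGHTS = {"KEY_ALL_ACCESS", "KEY_WRITE", "KEY_SET_VALUE", "KEY_CREATE_SUB_KEY"}


def decode_mask(value: int, composites, bits, zero_name: str = "0") -> List[str]:
    """Greedy decomposition: peel off composite masks, then single bits.
    Leftover bits have no symbolic name and are returned as hex so they stand
    out (a hand-rolled mask is itself worth a second look)."""
    names, rest = [], value
    for mask, name in composites:
        if rest & mask == mask:
            names.append(name)
            rest &= ~mask
    for mask, name in bits:
        if rest & mask:
            names.append(name)
            rest &= ~mask
    if rest:
        names.append(f"0x{rest:X}")
    return names or [zero_name]


def decode_regsam(sam: int) -> List[str]:
    return decode_mask(sam, REGSAM_COMPOSITE, REGSAM_BITS)


def decode_reg_options(options: int) -> List[str]:
    return decode_mask(options, (), REG_OPTIONS, zero_name="REG_OPTION_NON_VOLATILE")


def describe_reg_create_key_ex(hkey: int, sub_key: str, options: int, sam: int) -> Dict[str, object]:
    """Summarise one call site: root, key path, options, access mask, and
    whether the requested rights allow modifying the key (the question that
    matters when a sample touches a Run key)."""
    sam_names = decode_regsam(sam)
    return {
        "root": HKEY_ROOTS.get(hkey, f"0x{hkey:X}"),
        "path": sub_key,
        "options": decode_reg_options(options),
        "samDesired": sam_names,
        "can_write": bool(WRITE_RIGHTS & set(sam_names)),
    }


if __name__ == "__main__":
    # Constructed call site: HKCU\...\Run opened with samDesired = 0x20006.
    print(describe_reg_create_key_ex(
        0x80000001, r"Software\Microsoft\Windows\CurrentVersion\Run", 0, 0x20006))
```

The composite-first order matters: samDesired = 0x20019 should read as KEY_READ, not as READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY, which is the same mistake you make in IDA if you pick the first matching bit name instead of the composite. Any residual bits are printed in hex rather than dropped, because a value IDA's enum does not know is exactly the case slide 42 tells you to add by hand.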

SAVE OFTEN!

• Losing hours of reverse engineering can be hazardous to your health!

Slide 43

EXPORT YOUR ASSEMBLY LISTING

• IDA can export all the Text View content to a "Listing" file
  - You will often turn these in for reverse engineering assignments

Slide 44
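A small checker for the listing export above (and for the hello.lst that Lab #1 asks for), as an added Python example that is not from the slides: it parses the Text View layout IDA writes to a .lst file, pulls out one function's instructions, and reports which ones still lack a comment. SAMPLE_LST is a constructed stand-in hand-written in IDA's layout; its addresses, body and comments are invented.

```python
"""Pull one function out of an IDA listing (.lst) export and find instructions
that still have no comment.

Added example; not from the original slides. SAMPLE_LST is constructed to
match the layout IDA's Text View prints:
    segment:address  [label]  mnemonic  operands  ; comment
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a hello-world main(), addresses and comments invented.
SAMPLE_LST = """\
.text:0000000000401136 ; =============== S U B R O U T I N E =======================================
.text:0000000000401136
.text:0000000000401136 ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:0000000000401136                 public main
.text:0000000000401136 main            proc near               ; DATA XREF: _start+1D↑o
.text:0000000000401136                 push    rbp             ; save caller's frame pointer
.text:0000000000401137                 mov     rbp, rsp        ; new frame for main
.text:000000000040113A                 lea     rdi, aHelloWorld ; "Hello, world!"
.text:0000000000401141                 call    _puts
.text:0000000000401146                 mov     eax, 0          ; return 0
.text:000000000040114B                 pop     rbp
.text:000000000040114C                 retn
.text:000000000040114C main            endp
.text:000000000040114C
"""

_LINE_RE = re.compile(r"^(?P<seg>[.\w]+):(?P<addr>[0-9A-Fa-f]+)(?P<body>.*)$")


@dataclass
class ListingLine:
    segment: str
    address: int
    label: Optional[str]      # name in the label column (e.g. "main"), if any
    mnemonic: Optional[str]   # instruction or directive ("push", "proc", ...)
    operands: str
    comment: Optional[str]    # text after the first ';' outside a string


def _split_comment(text: str) -> Tuple[str, Optional[str]]:
    """Split at the first ';' that is not inside a double-quoted string, so a
    string operand such as "a;b" is not cut in half."""
    in_str = False
    for i, ch in enumerate(text):
        if ch == '"':
            in_str = not in_str
        elif ch == ";" and not in_str:
            return text[:i].rstrip(), text[i + 1:].strip()
    return text.rstrip(), None


def parse_listing(text: str) -> List[ListingLine]:
    lines = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw)
        if not m:
            continue                      # file header, blank lines, etc.
        rest = m.group("body")[1:]        # drop the single space after the address
        label = None
        if rest and rest[0] not in " ;":  # label column is flush left; code is indented
            label, _, rest = rest.partition(" ")
        code, comment = _split_comment(rest.strip())
        parts = code.split(None, 1)
        lines.append(ListingLine(
            segment=m.group("seg"),
            address=int(m.group("addr"), 16),
            label=label,
            mnemonic=parts[0] if parts else None,
            operands=parts[1] if len(parts) > 1 else "",
            comment=comment,
        ))
    return lines


def function_body(lines: List[ListingLine], name: str) -> List[ListingLine]:
    """Instructions and directives between '<name> proc' and '<name> endp'."""
    body, inside = [], False
    for ln in lines:
        if ln.label == name and ln.mnemonic == "proc":
            inside = True
        elif ln.label == name and ln.mnemonic == "endp":
            break
        elif inside and ln.mnemonic is not None:
            body.append(ln)
    return body


def uncommented(body: List[ListingLine]) -> List[int]:
    """Addresses of instructions that still need a comment."""
    return [ln.address for ln in body if not ln.comment]


if __name__ == "__main__":
    main_body = function_body(parse_listing(SAMPLE_LST), "main")
    for addr in uncommented(main_body):
        print(f"no comment at {addr:#x}")
```

Run it against a real export with `parse_listing(open("hello.lst").read())`; the same parser also gives you a quick mnemonic histogram or call list for a function, which is handy before you start commenting by hand.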

READY TO CLOSE IDA? SAVE YOUR DATABASE (OR NOT)

• IDA will compress all of its data into a single database to save your progress
  - The save file is called an idb file for 32-bit and i64 for 64-bit
• You can also tell IDA to not save a database (i.e., you lose everything you've done)

Slide 45

AS YOU WORK, SO DOES IDA

• IDA performs very substantial analysis for you and saves the results in a number of files while you work (the unpacked database: .id0, .id1, .nam and .til next to your binary)
• If you kill IDA (or lose connection to the IDA servers), those files are left unpacked and may be corrupted; IDA will warn you about it the next time you open that database
• So save often!! Saving packs them into the database file (creating/updating the .idb or .i64)

Slide 46

LAB #1 --- INTRO TO IDA

Get your feet wet in IDA Pro… or maybe your eyes :'(

Instructions:
(1) Compile the hello world C code from before into an executable
(2) Load the executable into IDA Pro
(3) Locate the main function & comment the same instructions from Extra Credit #1

Grade: 100 points

Teams: This assignment can be done individually or in a team of 2. Please join a group in Canvas prior to submission.

Submission Instructions: Upload hello.lst to the "Lab #1" Assignment in Canvas

Due Date: The beginning of next class!

Slide 47

ADDITIONAL READINGS (OPTIONAL)

• Chris Eagle. The IDA Pro Book. No Starch Press (2nd Edition), 2011. ISBN: 978-1593272890
  - You can probably find the PDF version online!
• Guided Hacking's "How To Reverse Engineer" Videos
  - https://www.youtube.com/playlist?list=PLt9cUwGw6CYFXtAElzDLob2aOaSfZqHJc

Slide 48

QUESTIONS?...

