Title | IDA pro introduction |
---|---|
Course | Ece Seminar |
Institution | Georgia Institute of Technology |
Pages | 49 |
Intro to malware reverse engineering...
WELCOME TO IDA PRO
PROF. BRENDAN SALTAFORMAGGIO, SCHOOL OF ECE
PLEASE CONSIDER THE ENVIRONMENT, AVOID PRINTING SLIDES!
WHAT IS IDA PRO?
• IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin environment
• IDA Pro is the industry standard for hostile code analysis, vulnerability research, software validation, interactive debugging, and much more
© Brendan Saltaformaggio, Georgia Tech
Slide 2
THANK YOU TO THE SCHOOL OF ECE!!
• IDA Pro enables multi-processor disassembly and debugging across more than 50 processor families
• IDA Pro provides a unique advantage to software security research and education
• Simply having IDA Pro experience makes you a top candidate for many careers
  • Malware analyst, low-level software developer, security researcher, …
• The School of ECE saw the exciting potential of providing students access to IDA Pro
• IDA Pro is not cheap --- A single floating license costs over $2800 USD!
• The School of ECE has graciously purchased 30 floating licenses for this course!
• We are among a small group of universities which have this educational benefit
Slide 3
HOW TO ACCESS IDA PRO
• IDA Pro is installed in the School of ECE’s cloud servers
• Two very powerful Red Hat Linux 7 machines
  • ecelinsrvw.ece.gatech.edu = 196GB memory and 24 cores
  • ecelinsrvv.ece.gatech.edu = 132GB memory and 24 cores
• IDA Pro runs on those machines; we can connect to the GUI in 2 ways:
  1) Standard SSH with X11 forwarding --- best on fast internet connections (e.g., on campus)
  2) FastX Client --- best on slow internet connections
Slide 4
FASTX CLIENT
• FastX is a custom X server & client implementation
  • It is optimized to be more efficient over slow internet connections
  • Standard SSH with X forwarding is terrible over slow connections
• Georgia Tech OIT provides FastX Client for Windows, Linux, and Mac
  • Available at: http://software.oit.gatech.edu
• The IDA Pro Servers are running the custom FastX server
• The FastX Client handles connecting to the IDA Pro Servers and displaying the X11 GUI
• Supported by Georgia Tech OIT
Slide 5
DO NOT FORGET TO VPN!
• We can only access these machines through the Georgia Tech VPN!
  • Even on eduroam you need the VPN
  • Only the on-campus ECE computer labs can access them without the VPN
• Georgia Tech OIT provides & supports VPN clients for Linux, Windows, Mac, …
  • https://faq.oit.gatech.edu/content/how-do-i-get-started-campus-vpn
• Must use the anyc.vpn.gatech.edu VPN server!
Slide 6
HOW TO CONNECT TO IDA PRO SERVERS FROM LINUX
LINUX VPN
Slide 8
AFTER VPN, STANDARD SSH WITH X11 FORWARDING
• Be sure to set X11 forwarding on, compression on, and cipher preferences for fast ciphers
Slide 9
ENTER PASSWORD AND YOU’RE CONNECTED!
• Now you have a terminal with X11 forwarding from ecelinsrvv or ecelinsrvw
Slide 10
ANOTHER LINUX OPTION: LINUX FASTX CLIENT
• SSH with X forwarding is terrible over slow connections
• FastX is optimized for slow connections
  • Also, Georgia Tech OIT will always recommend that you use FastX
1. Download FastX from GT OIT
  • http://software.oit.gatech.edu
2. Extract the tar.gz file
3. cd to the extracted FastX directory
4. Execute: $ PATH=$PATH:./ ./FastX
  • There is a BUG in the Linux FastX client!
  • It needs the FastX directory in the PATH to correctly find its dependencies!
Slide 11
ANOTHER LINUX OPTION: LINUX FASTX CLIENT
Slide 12
ANOTHER LINUX OPTION: LINUX FASTX CLIENT
Slide 13
ANOTHER LINUX OPTION: LINUX FASTX CLIENT
• Now you have a terminal with X11 forwarding from ecelinsrvv or ecelinsrvw
Slide 14
HOW TO CONNECT TO IDA PRO SERVERS FROM WINDOWS
WINDOWS VPN
Slide 16
AFTER VPN, WINDOWS FASTX CLIENT
Slide 17
LAUNCH APPS IN FASTX
Slide 18
LAUNCH APPS IN FASTX
• Now you have a terminal with X11 forwarding from ecelinsrvv or ecelinsrvw
Slide 19
ANOTHER OPTION: PUTTY
• There is another option: PuTTY
  • I love PuTTY because I am a Linux geek --- If you are too then you may prefer PuTTY
1. Connect to the VPN
2. Use PuTTY to SSH to the IDA Pro servers
3. PuTTY will use the Xming program (installed on your Windows machine) to display the X11 forwarding
  • Download PuTTY executable from: http://www.putty.org/
  • Download Xming installer from: http://www.straightrunning.com/XmingNotes/
• Benefits: PuTTY can do more --- The exact same as Linux SSH, but for Windows
• Problems: Not supported by Georgia Tech OIT & terrible over slow internet connections!
Slide 20
SECOND WINDOWS OPTION: PUTTY
• Set preferred ciphers like the Linux SSH command
• Add host and name the session
Slide 21
SECOND WINDOWS OPTION: PUTTY
• Enable X11 forwarding
• Be sure you have Xming installed & running in the background (execute Xming.exe)
Slide 22
SECOND WINDOWS OPTION: PUTTY
• Enable compression
• DON’T FORGET TO SAVE!!
• Open the session & now you have a terminal with X11 forwarding
Slide 23
ONCE YOU ARE CONNECTED TO THE IDA PRO SERVERS… YOU ARE IN ECE TERRITORY!
ALL PROBLEMS MUST BE SENT TO: help@ece.gatech.edu
IDA PRO ENVIRONMENT
• Before you can do anything with IDA Pro, you must first set up the running environment
• Use the following command: $ source /tools/idapro/ida-70/cshrc.idapro
• Note: You cannot see the /tools/idapro directory until you execute that command
  • It is our “secret” key!
• Only needs to be done once (per terminal) to set up the environment
• Everything related to IDA Pro is available in /tools/idapro
  • We have read & execute permissions in that folder (after executing “$ source …”)
• Feel free to look through the directories, read the docs, and check out the SDK!
Slide 25
A TALE OF TWO IDAS
• IDA Pro has two different executables
  • Which executable you use depends on what binary you are analyzing
• ida for working with 32-bit binaries
• ida64 for working with 64-bit binaries
• You will get an error if you use the wrong one
• I recommend executing them with “&” after to put the process in the background
Slide 26
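The ida/ida64 choice above can be made from the target's own header instead of trying one executable and waiting for the error. The script below is an added example written for this page (not from the slides and not Hex-Rays code): it reads the ELF EI_CLASS byte for ELF files and the Machine field behind e_lfanew for PE files, and `make_samples` writes constructed minimal headers (not real binaries) so the logic can be exercised offline. Function and file names are my own.

```shell
#!/bin/sh
# Added example: pick "ida" or "ida64" from the target's header.
# ELF: byte 4 (EI_CLASS) is 1 for ELFCLASS32, 2 for ELFCLASS64.
# PE:  little-endian DWORD at 0x3c (e_lfanew) locates "PE\0\0"; the Machine
#      WORD right after it is 0x014c (i386) or 0x8664 (x86-64).

# bytes_hex <file> <offset> <count>: hex string of <count> bytes at <offset>
bytes_hex() {
    od -An -tx1 -j"$2" -N"$3" "$1" | tr -d ' \n'
}

# le32 <8 hex chars as stored in the file>: decode little-endian to decimal
le32() {
    h=$1
    b0=${h%??????}; t=${h#??}; b1=${t%????}
    t=${h%??}; b2=${t#????}; b3=${h#??????}
    echo $((0x$b3$b2$b1$b0))
}

# pick_ida <file>: print "ida" or "ida64"; non-zero status if undecidable
pick_ida() {
    f=$1
    case "$(bytes_hex "$f" 0 4)" in
        7f454c46)                                   # ELF magic
            case "$(bytes_hex "$f" 4 1)" in
                01) echo ida ;;
                02) echo ida64 ;;
                *)  echo "unknown ELF class" >&2; return 1 ;;
            esac ;;
        4d5a*)                                      # "MZ" DOS header
            h=$(bytes_hex "$f" 60 4)
            [ ${#h} -eq 8 ] || { echo "truncated DOS header" >&2; return 1; }
            lfanew=$(le32 "$h")
            [ "$(bytes_hex "$f" "$lfanew" 4)" = 50450000 ] \
                || { echo "no PE signature at e_lfanew" >&2; return 1; }
            m=$(bytes_hex "$f" $((lfanew + 4)) 2)   # Machine, little-endian
            case "${m#??}${m%??}" in
                014c) echo ida ;;
                8664) echo ida64 ;;
                *)    echo "unknown PE machine 0x${m#??}${m%??}" >&2; return 1 ;;
            esac ;;
        *)  echo "not an ELF or PE file" >&2; return 1 ;;
    esac
}

# make_samples <dir>: constructed header-only files for trying this out
# (these are not real binaries, just the bytes pick_ida looks at)
make_samples() {
    d=$1
    printf '\177ELF\001\001\001' > "$d/elf32"
    printf '\177ELF\002\001\001' > "$d/elf64"
    # "MZ", zero padding to 0x3c, e_lfanew = 0x40, "PE\0\0", Machine
    { printf 'MZ'; dd if=/dev/zero bs=1 count=58 2>/dev/null
      printf '\100\000\000\000'; printf 'PE\000\000\114\001'; } > "$d/pe32"
    { printf 'MZ'; dd if=/dev/zero bs=1 count=58 2>/dev/null
      printf '\100\000\000\000'; printf 'PE\000\000\144\206'; } > "$d/pe64"
    printf 'hello' > "$d/notabinary"
}

# Usage: ./pick_ida.sh <binary>   (e.g. "$(./pick_ida.sh ./target) ./target &")
if [ -n "${1:-}" ]; then
    pick_ida "$1"
fi
```

Only the bytes that decide bitness are read, so the check is safe to run on an untrusted sample before it is ever loaded into IDA; the PE branch also verifies the "PE\0\0" signature at e_lfanew rather than trusting the offset blindly.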
NOTICE THE TCSH!
• The default shell on the ECE machines should be /bin/tcsh
• THIS IS NOT BASH! But it is similar
• The “$ source /tools/idapro/ida-70/cshrc.idapro” command will ONLY work in tcsh!
• You can check your current shell with “echo $0”
• After you run “$ source …” you can switch to /bin/bash if you want
Slide 27
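Putting the SSH slide (X11 forwarding, compression, fast ciphers) and the tcsh slide together, here is an added session-preflight script; it is my example, not part of the slides. `ida_ssh` builds the SSH command with untrusted X11 forwarding (-X), compression (-C) and a cipher preference (the particular cipher list is an assumption of mine; any list both your client and the server support will do), `is_tcsh` checks which shell you landed in, and `ida_env_hint` prints how to load the IDA environment from that shell. The `tcsh -c 'source …; exec /bin/bash'` trick for bash users is my suggestion, not something the slides spell out.

```shell
#!/bin/sh
# Added example: preflight checks for an IDA Pro server session.
# The environment file path and host names come from the slides; the cipher
# list and the tcsh->bash hand-off are this example's own choices.

IDA_ENV=/tools/idapro/ida-70/cshrc.idapro

# ida_ssh <user> <host>: SSH with X11 forwarding, compression and a
# fast-cipher preference. -X (untrusted forwarding) rather than -Y limits
# what remote X clients can do with your local display.
ida_ssh() {
    ssh -X -C \
        -c aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr \
        "$1@$2"
}

# is_tcsh [name]: true if the given (or current) shell is tcsh or csh.
# Login shells report a leading "-" (e.g. "-tcsh") and may be a full path.
is_tcsh() {
    name=${1:-$(ps -p $$ -o comm=)}
    name=${name#-}
    name=${name##*/}
    case "$name" in
        tcsh|csh) return 0 ;;
        *)        return 1 ;;
    esac
}

# x11_ready: after login, X11 forwarding shows up as DISPLAY (e.g. localhost:10.0)
x11_ready() {
    [ -n "${DISPLAY:-}" ]
}

# ida_env_hint [shell-name]: the right way to load the IDA environment.
# The cshrc file only works in (t)csh; from bash, let tcsh source it and
# then exec bash, which inherits the exported variables.
ida_env_hint() {
    if is_tcsh "$1"; then
        echo "source $IDA_ENV"
    else
        echo "exec tcsh -c 'source $IDA_ENV; exec /bin/bash'"
    fi
}

# preflight: run on the server after connecting; prints what is missing
preflight() {
    status=0
    if x11_ready; then
        echo "X11 forwarding: ok (DISPLAY=$DISPLAY)"
    else
        echo "X11 forwarding: DISPLAY is not set; reconnect with -X" ; status=1
    fi
    echo "load the IDA environment with: $(ida_env_hint)"
    return $status
}
```

Typical use: `ida_ssh gtusername ecelinsrvw.ece.gatech.edu` from your laptop (after the VPN is up), then `preflight` in the resulting terminal before starting `ida` or `ida64`.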
CLOUD IDA
• Notice that IDA Pro will be executing on the remote server
• So you have to move any files/test cases/etc. to your home directory before you begin
• Many remote file copy utilities exist for every platform
• On Linux, use the scp command:
  • Please see this helpful cheat-sheet for a range of scp uses: http://www.hypexr.org/linux_scp_help.php
Slide 28
SCP ON WINDOWS
• On Windows, use PSCP
  • “PuTTY SCP”
• The exact same source code as SCP, just compiled for Windows (by the PuTTY team)
• Also download from http://www.putty.org/
  • Click “You can download PuTTY here.” then scroll down; pscp.exe will be in the list
• Run pscp.exe in the Windows command prompt
  • It uses all the same command line flags as Linux SCP
  • Please see this helpful cheat-sheet for a range of scp uses: http://www.hypexr.org/linux_scp_help.php
Slide 29
WINSCP FOR THOSE WHO LIKE GUIS
• Another great option on Windows is WinSCP
• Download from: https://winscp.net/eng/download.php
• The exact same source code as SCP, just wrapped in a Windows GUI
• Simply drag and drop files between the two machines
SIGNING INTO WINSCP
• Protocol = SFTP
• Fill in the host name and username fields
• Port = 22
• Remember to save!
• Give the session a nice name
Slide 31
ENTER PASSWORD & YOU’RE ALL SET!
• Now simply drag and drop files between the hosts
Slide 32
SELECT YOUR ANALYSIS TARGET!
• When IDA Pro starts it will ask you to start a new disassembly or open a previous one
Slide 33
LOADING A NEW FILE
Slide 34
IDA WILL THEN ASK FOR LOADING INSTRUCTIONS
• The defaults are almost always correct … unless you are dealing with nasty malware!
Slide 35
IDA WILL OPEN IN CONTROL FLOW GRAPH VIEW
• Right-click and select Text View to view the flat disassembled code
Slide 36
COMMENTS: RIGHT-CLICK -> ENTER COMMENTS (OR PRESS “:”)
Slide 37
PRO TIP: RENAME LABELS AS YOU GO!
1. Click on the element to rename
2. Press the “n” key
3. Enter name and settings (if any)
4. Enjoy easier-to-read assembly!
Slide 38
PRO TIP #2: SWITCH BETWEEN VIEWS!
• Text View may be easier to read, but Graph View gives better context
• Comments still show in both views
Slide 39
PRO TIP #3: NAVIGATION BUTTONS!
• Double-click on a label to jump to it. Want to go back? IDA remembers!
Slide 40
PRO TIP #4: RENAME SYMBOLIC CONSTANTS
• IDA’s FLIRT signatures know the arguments for common APIs
• But IDA also knows the symbolic names for most defined constants!
• You just have to tell IDA what value you are looking for
LONG WINAPI RegCreateKeyEx(
  _In_       HKEY                  hKey,
  _In_       LPCTSTR               lpSubKey,
  _Reserved_ DWORD                 Reserved,
  _In_opt_   LPTSTR                lpClass,
  _In_       DWORD                 dwOptions,
  _In_       REGSAM                samDesired,
  _In_opt_   LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  _Out_      PHKEY                 phkResult,
  _Out_opt_  LPDWORD               lpdwDisposition
);
Slide 41
PRO TIP #4: RENAME SYMBOLIC CONSTANTS (2)
• Right-click -> Use standard symbolic constant
• Then simply find the constant name you are looking for
• If you can’t find the symbol, you may need to add it
• First, look up the symbol’s header file definition
• Second, read about adding new Enums and symbolic constants here: https://www.hex-rays.com/products/ida/support/idadoc/499.shtml
Slide 42
SAVE OFTEN!
• Losing hours of reverse engineering can be hazardous to your health!
Slide 43
EXPORT YOUR ASSEMBLY LISTING
• IDA can export all the Text View content to a “Listing” file
  • You will often turn these in for reverse engineering assignments
Slide 44
READY TO CLOSE IDA? SAVE YOUR DATABASE (OR NOT)
• IDA will compress all of its data into a single database to save your progress
  • The save file is called an idb file for 32-bit and i64 for 64-bit
• You can also tell IDA to not save a database (i.e., you lose everything you’ve done)
Slide 45
AS YOU WORK, SO DOES IDA
• IDA performs very substantial analysis for you and saves the results in a number of files while you work
• If you kill IDA (or lose connection to the IDA servers), these files will be corrupted!
• So save often!! Saving will create/update the database file
Slide 46
LAB #1 --- INTRO TO IDA
Get your feet wet in IDA Pro… or maybe your eyes :’(
Instructions:
(1) Compile the hello world C code from before into an executable
(2) Load the executable into IDA Pro
(3) Locate the main function & comment the same instructions from Extra Credit #1
Grade: 100 points
Teams: This assignment can be done individually or in a team of 2. Please join a group in Canvas prior to submission.
Submission Instructions: Upload hello.lst to the “Lab #1” Assignment in Canvas
Due Date: The beginning of next class!
Slide 47
ADDITIONAL READINGS (OPTIONAL)
• Chris Eagle. The IDA Pro Book. No Starch Press (2nd Edition), 2011. ISBN: 978-1593272890
  • You can probably find the PDF version online!
• Guided Hacking’s “How To Reverse Engineer” Videos
  • https://www.youtube.com/playlist?list=PLt9cUwGw6CYFXtAElzDLob2aOaSfZqHJc
Slide 48
QUESTIONS?...