Dedication
Acknowledgments
Introduction

Introduction to IDA
Introduction to Disassembly
Disassembly Theory
The What of Disassembly
The Why of Disassembly
The How of Disassembly
Summary
Reversing and Disassembly Tools
Classification Tools
Summary Tools
Deep Inspection Tools
Summary
IDA Pro Background
Hex-Rays' Stance on Piracy
Obtaining IDA Pro
IDA Support Resources
Your IDA Installation
Thoughts on IDA's User Interface
Summary

Basic IDA Usage
Getting Started with IDA
Launching IDA
IDA Database Files
Introduction to the IDA Desktop
Desktop Behavior During Initial Analysis
IDA Desktop Tips and Tricks
Reporting Bugs
Summary
IDA Data Displays
The Principal IDA Displays
Secondary IDA Displays
Tertiary IDA Displays
Summary
Disassembly Navigation
Basic IDA Navigation
Stack Frames
Searching the Database
Summary
Disassembly Manipulation
Names and Naming
Commenting in IDA
Basic Code Transformations
Basic Data Transformations
Summary
Datatypes and Data Structures
Recognizing Data Structure Use
Creating IDA Structures
Using Structure Templates
Importing New Structures
Using Standard Structures
IDA TIL Files
C++ Reversing Primer
Summary
Cross-References and Graphing
Cross-References
IDA Graphing
Summary
The Many Faces of IDA
Console Mode IDA
Using IDA's Batch Mode
Summary

Advanced IDA Usage
Customizing IDA
Configuration Files
Additional IDA Configuration Options
Summary
Library Recognition Using FLIRT Signatures
Fast Library Identification and Recognition Technology
Applying FLIRT Signatures
Creating FLIRT Signature Files
Summary
Extending IDA's Knowledge
Augmenting Function Information
Augmenting Predefined Comments with loadint
Summary
Patching Binaries and Other IDA Limitations
The Infamous Patch Program Menu
IDA Output Files and Patch Generation
Summary

Extending IDA's Capabilities
IDA Scripting
Basic Script Execution
The IDC Language
Associating IDC Scripts with Hotkeys
Useful IDC Functions
IDC Scripting Examples
IDAPython
IDAPython Scripting Examples
Summary
The IDA Software Development Kit
SDK Introduction
The IDA Application Programming Interface
Summary
The IDA Plug-in Architecture
Writing a Plug-in
Building Your Plug-ins
Installing Plug-ins
Configuring Plug-ins
Extending IDC
Plug-in User Interface Options
Scripted Plug-ins
Summary
Binary Files and IDA Loader Modules
Unknown File Analysis
Manually Loading a Windows PE File
IDA Loader Modules
Writing an IDA Loader Using the SDK
Alternative Loader Strategies
Writing a Scripted Loader
Summary
IDA Processor Modules
Python Byte Code
The Python Interpreter
Writing a Processor Module Using the SDK
Building Processor Modules
Customizing Existing Processors
Processor Module Architecture
Scripting a Processor Module
Summary

Real-World Applications
Compiler Personalities
Jump Tables and Switch Statements
RTTI Implementations
Locating main
Debug vs. Release Binaries
Alternative Calling Conventions
Summary
Obfuscated Code Analysis
Anti–Static Analysis Techniques
Anti–Dynamic Analysis Techniques
Static De-obfuscation of Binaries Using IDA
Virtual Machine-Based Obfuscation
Summary
Vulnerability Analysis
Discovering New Vulnerabilities with IDA
After-the-Fact Vulnerability Discovery with IDA
IDA and the Exploit-Development Process
Analyzing Shellcode
Summary
Real-World IDA Plug-ins
Hex-Rays
IDAPython
collabREate
ida-x86emu
Class Informer
MyNav
IdaPdf
Summary

The IDA Debugger
The IDA Debugger
Launching the Debugger
Basic Debugger Displays
Process Control
Automating Debugger Tasks
Summary
Disassembler/Debugger Integration
Background
IDA Databases and the IDA Debugger
Debugging Obfuscated Code
IdaStealth
Dealing with Exceptions
Summary
Additional Debugger Features
Remote Debugging with IDA
Debugging with Bochs
Appcall
Summary

Using IDA Freeware 5.0
Restrictions on IDA Freeware
Using IDA Freeware

IDC/SDK Cross-Reference