The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler


Language: English

Pages: 672

ISBN: 1593272898

Format: PDF / Kindle (mobi) / ePub


No source code? No problem. With IDA Pro, the interactive disassembler, you live in a source code-optional world. IDA can automatically analyze the millions of opcodes that make up an executable and present you with a disassembly. But at that point, your work is just beginning. With The IDA Pro Book, you'll learn how to turn that mountain of mnemonics into something you can actually use.

Hailed by the creator of IDA Pro as "profound, comprehensive, and accurate," the second edition of The IDA Pro Book covers everything from the very first steps to advanced automation techniques. You'll find complete coverage of IDA's new Qt-based user interface, as well as increased coverage of the IDA debugger, the Bochs debugger, and IDA scripting (especially using IDAPython). But because humans are still smarter than computers, you'll even learn how to use IDA's latest interactive and scriptable interfaces to your advantage.

Save time and effort as you learn to:

  • Navigate, comment, and modify disassembly
  • Identify known library routines, so you can focus your analysis on other areas of the code
  • Use code graphing to quickly make sense of cross references and function calls
  • Extend IDA to support new processors and filetypes using the SDK
  • Explore popular plug-ins that make writing IDA scripts easier, allow collaborative reverse engineering, and much more
  • Use IDA's built-in debugger to tackle hostile and obfuscated code

Whether you're analyzing malware, conducting vulnerability research, or reverse engineering software, a mastery of IDA is crucial to your success. Take your skills to the next level with this 2nd edition of The IDA Pro Book.

may be associated with a name of up to 512 characters and a primary value of up to 1,024 bytes. Member functions of the netnode class are provided to retrieve (name) or modify (rename) a netnode’s name. Additional member functions allow you to treat a netnode’s primary value as an integer (set_long, long_value), a string (set, valstr), or an arbitrary binary blob[116] (set, valobj). The function used inherently determines how the primary value is treated. Here is where things get a little
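The passage above lists the netnode calls that read and write a netnode's name and primary value, and makes the point that the accessor you call decides how the stored bytes are interpreted. The following script is an added example written for this page, not code from The IDA Pro Book or from Hex-Rays. It persists a plug-in's run counter and a last-used option in two netnodes, the kind of state that survives across invocations and across IDA sessions. The node names "$ example_plugin" and "$ example_plugin_option" and the helper functions are this example's own; the netnode calls it uses (netnode(), name(), rename(), set_long(), long_value(), set(), valstr(), valobj()) are the ones named in the passage. Inside IDA the real ida_netnode class is used unchanged; outside IDA the import fails, so the script falls back to a constructed in-memory stand-in that mimics only those calls, which is what lets it run offline.

```python
"""Persisting plug-in state in a netnode's primary value (added example)."""
import struct

MAXNAMESIZE = 512    # longest netnode name, per the passage
MAXSPECSIZE = 1024   # largest primary value in bytes, per the passage

try:
    from ida_netnode import netnode, BADNODE   # running inside IDA: real API
except ImportError:
    BADNODE = 0xFFFFFFFFFFFFFFFF               # stand-in assumption: nodeidx_t(-1), 64-bit build

    class netnode:
        """Constructed stand-in, used only when ida_netnode is unavailable.
        The primary value is raw bytes, as in IDA; the accessor decides the view."""
        _store = {}                            # name -> bytes, shared like the database

        def __init__(self, name, namlen=0, do_create=False):
            self._name = name
            if do_create:                      # create if missing, else open existing
                netnode._store.setdefault(name, None)

        def name(self):
            return self._name

        def rename(self, newname, namlen=0):
            netnode._store[newname] = netnode._store.pop(self._name, None)
            self._name = newname
            return True

        def set(self, value):                  # blob view: store raw bytes
            netnode._store[self._name] = bytes(value)
            return True

        def valobj(self):                      # blob view: raw bytes, or None if unset
            return netnode._store.get(self._name)

        def valstr(self):                      # string view: bytes up to the first NUL
            raw = self.valobj()
            return None if raw is None else raw.split(b"\0", 1)[0].decode("latin-1")

        def set_long(self, value):             # integer view: sizeof(nodeidx_t) bytes
            return self.set(struct.pack("<Q", value & 0xFFFFFFFFFFFFFFFF))

        def long_value(self):                  # integer view: BADNODE when nothing stored
            raw = self.valobj()
            if raw is None or len(raw) < 8:
                return BADNODE
            return struct.unpack("<Q", raw[:8])[0]


def open_state(name):
    """Open the named netnode, creating it on first use (do_create=True).
    The "$ " prefix is the customary prefix for plug-in-owned nodes (assumption)."""
    if len(name) > MAXNAMESIZE:
        raise ValueError("netnode name exceeds MAXNAMESIZE")
    return netnode(name, 0, True)


def record_run(node):
    """Integer view: increment a per-database run counter and return the new count."""
    current = node.long_value()
    count = 0 if current == BADNODE else current   # first run: nothing stored yet
    node.set_long(count + 1)
    return count + 1


def save_option(node, text):
    """String view: store a UTF-8 option string, refusing oversize values."""
    data = text.encode("utf-8")
    if len(data) > MAXSPECSIZE:
        raise ValueError("option does not fit in a netnode primary value")
    return node.set(data)


def load_option(node):
    """String view of the same bytes save_option() wrote."""
    return node.valstr()


def stored_bytes(node):
    """Blob view: what is physically in the primary value, whichever setter wrote it.
    After set_long() this is sizeof(nodeidx_t) bytes (build-dependent), not text."""
    return node.valobj()


if __name__ == "__main__":
    counter = open_state("$ example_plugin")
    print("run number", record_run(counter))
    option = open_state("$ example_plugin_option")
    save_option(option, "decompile")
    print("last option", load_option(option), stored_bytes(counter))
```

Reading a counter written with set_long through valstr(), or an option string through long_value(), returns a value with no meaning, so each node here is only ever accessed through one view; the stand-in is not a substitute for testing inside IDA, where the size of a nodeidx_t depends on the build.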

invocations of the plug-in but also across IDA sessions. For plug-ins in which each invocation is completely independent of any previous invocations, it is often suitable for PLUGIN.init to return PLUGIN_OK, which has the advantage of reducing IDA’s memory footprint by keeping fewer modules loaded in memory at any given time.

Event Notification

While plug-ins are quite frequently activated directly by a user via a menu selection (Edit ▸ Plugins) or through the use of a hotkey, IDA’s

be edited to create a plug-in project. Note that Visual Studio allows you to specify separate configuration options for Debug and Release versions of the project (see top left of Figure 17-3). If you intend to build separate Debug and Release versions of your plug-in, make certain that you have modified the properties in both configurations. Alternatively, you may save some time by selecting All Configurations from the Configurations drop-down list (at the top left of the Properties dialog), in

define your custom behaviors. For any library, foolib.dll for example, the Bochs plug-in scans for a related script named api_foolib.idc or api_foolib.py within the /plugins/bochs directory. IDA ships with /plugins/bochs/api_kernel32.idc, which provides a good example of the structure of such a file and the implementation of custom behaviors for a number of functions. The ability to hook library functions and define custom implementations is important in PE mode because there is

24 through Chapter 26. Chapter 24 begins by introducing the basic features of the debugger. Chapter 25 discusses some of the challenges of using the debugger to examine obfuscated code, including the challenge of dealing with any anti-debugging feature that may be present. Chapter 26 concludes the book with a discussion of IDA’s remote debugging capabilities and the use of the Bochs emulator as an integrated debugging platform. At the time of this writing, IDA version 6.1 was the most current
