Disassembly Using IDA (2)
This chapter will introduce you to one such code analysis tool, named IDA Pro (also known as IDA).
1. Code Analysis Tools
2. Static Code Analysis (Disassembly) Using IDA
• Hex-Rays IDA Pro is the most powerful and popular commercial disassembler/debugger
(https://www.hex-rays.com/products/ida/index.shtml).
• It is used by reverse engineers, malware analysts, and vulnerability
researchers.
• IDA can run on various platforms (Windows, Linux, and macOS) and
supports analysis of various file formats, including the PE/ELF
formats.
• ELF is the standard binary format on operating systems such as Linux.
Cont’d
• We will learn how to use IDA to perform static code analysis (disassembly).
• It is not possible to cover all the features of IDA; only those features
that are relevant to malware analysis will be covered in this chapter.
2.1 Loading Binary in IDA
2.2 Exploring IDA Displays
2.2.1 Disassembly Window
• After the executable has been loaded, you will be presented with the disassembly window (also known as the IDA-view
window).
• This is the primary window, and it displays the disassembled code. You will mostly be using this window for analyzing
binaries.
• IDA can show the disassembled code in two display modes: Graph view and Text view.
• Graph view is the default view, and when the disassembly view (IDA-view) is active, you can switch between the graph and
text views by pressing the spacebar.
Graph View
• In the graph view mode, IDA displays only one function at a time, in a flowchart-style graph, and
the function is broken down into basic blocks. This mode is useful to quickly recognize branching
and looping statements.
• The conditional jumps use green and red arrows; the green arrow indicates that the jump will be taken if the condition is true, and the red
arrow indicates that the jump will not be taken (normal flow).
• The blue arrow is used for an unconditional jump (the JMP instruction transfers control unconditionally to another instruction).
• The following screenshot shows the disassembly of the main function in the graph view mode.
Text View
• In the text view mode, the entire disassembly is presented in a linear fashion.
• The left-hand portion of the text view window is called the arrows window; it is used to indicate the program's nonlinear
flow.
• The dashed arrows represent conditional jumps, the solid arrows indicate unconditional jumps, and the backward arrows
(arrows facing up) indicate loops:
Functions Window
• The functions window displays all the functions recognized by IDA, and it also shows the virtual address where each
function can be found, the size of each function, and various other properties of the function.
Output Window
• The output window displays the messages generated by IDA and the IDA plugins. These messages can give
information about the analysis of the binary and the various operations that you perform.
Hex View Window
• You can click on the Hex View-1 tab to display the hex window.
• The hex window displays a sequence of bytes in a hex dump and the ASCII format.
• By default, the hex window is synchronized with the disassembly window; this means, when you select any
item in the disassembly window, the corresponding bytes are highlighted in the hex window.
Structures Window
• Clicking on the Structures tab will bring up the structures window. The structures window lists the layout
of the standard data structures used in the program, and it also allows you to create your own data
structures.
Imports Window
• The imports window lists all of the functions imported by the binary.
• Detailed information about imports was covered in Chapter 2, Static Analysis.
Exports Window
• The exports window lists all of the exported functions. The exported functions are normally found in the
DLLs, so this window can be useful when you are analyzing malicious DLLs.
Strings Window
• IDA does not show the strings window by default; you can bring up the strings window by clicking on View | Open
Subviews | Strings (or Shift + F12).
• The strings window displays the list of strings extracted from the binary and the address where these strings can be
found.
Segments Window
• The segments window is available via View | Open Subviews | Segments (or Shift + F7).
• The segments window lists the sections (.text, .data, and so on) in the binary file.
• The displayed information contains the start address, the end address, and the memory permissions of each section.
Disassembling Windows API
• Malware normally uses Windows API functions (Application Programming Interface) to interact with the
operating system (for performing filesystem, process, memory, and network operations).
• Windows exports the majority of its functions required for these interactions in Dynamic Link Library (DLL)
files.
• To call the API, the executable process loads the DLL into its memory and then calls the API function.
Inspecting the DLLs that a malware relies upon and the API functions that it imports can give an idea of the
functionality and capability of the malware.
3.1 Understanding Windows API
• Loading the malware sample in IDA and inspecting the imported functions in the Imports window shows a
reference to the CreateFile API function, as shown in the following screenshot:
• You can learn more about the API function by simply searching for it in the Microsoft Developer Network (MSDN)
at https://msdn.microsoft.com/, or by Googling it.
• The MSDN documentation gives a description of the API function, its function parameters (their data types), and
the return value.
• From the documentation, you can tell that this function is used to create or open a file.
• To understand what file the program creates or opens, you will have to inspect the first parameter
(lpFilename), which specifies the filename. The second parameter (dwDesiredAccess) specifies the
requested access (such as read or write access), and the fifth parameter specifies the action to take on the
file (such as creating a new file or opening an existing file).
• The Windows API uses Hungarian notation for naming variables. In this notation, the variable is prefixed
with an abbreviation of its datatype; this makes it easy to understand the data type of a given variable.
• In the preceding example, consider the second parameter, dwDesiredAccess; the dw prefix specifies that it is
of the DWORD data type.
A signed int can store both positive and negative values. Unsigned integer values can only store non-negative
values.
ANSI and Unicode API Functions
• Windows supports two parallel sets of APIs: one for ANSI strings, and the other for Unicode strings.
• Many functions that take a string as an argument include an A or W at the end of their names, such as
CreateFileA.
• In other words, the trailing character can give you an idea of what type of string (ANSI or Unicode) is
passed to the function.
• The trailing character A specifies that the CreateFile function takes an ANSI string as input. You will also see
malware using APIs such as CreateFileW; the W at the end specifies that the function takes a Unicode string
as input.
• During malware analysis, when you come across a function such as CreateFileA or CreateFileW, just remove
the trailing A or W character and use CreateFile to search MSDN for the function documentation.
• ANSI is a set of character encodings with restricted language coverage that is primarily used in older systems, whereas Unicode is a comprehensive
character encoding standard that supports all languages and symbols, making it the preferred choice for current applications and platforms.
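The following added example (not code from the chapter, from IDA, or from the book's author) ties the points above together at one call site: it takes a few constructed IDA-style text-view lines for a stdcall to CreateFileA, maps the pushes back onto the MSDN parameter names (lpFileName, dwDesiredAccess, dwCreationDisposition and so on), decodes the Hungarian prefixes, strips the trailing A/W to get the name to search MSDN for, and reports whether the string argument is ANSI or Unicode. The GENERIC_READ/GENERIC_WRITE and creation-disposition values are the documented Windows constants; the sample lines and the label `FileName` are constructed.

```python
import re
# Constructed IDA text-view lines for a stdcall to CreateFileA (sample data, not from the chapter).
SAMPLE = ["push    0", "push    80h", "push    3", "push    0", "push    1",
          "push    80000000h", "push    offset FileName", "call    ds:CreateFileA"]
# CreateFile parameters in MSDN order; the chapter singles out the first, second and fifth.
API_SIGNATURES = {"CreateFile": ["lpFileName", "dwDesiredAccess", "dwShareMode",
                                 "lpSecurityAttributes", "dwCreationDisposition",
                                 "dwFlagsAndAttributes", "hTemplateFile"]}
HUNGARIAN = {"lp": "long pointer", "dw": "DWORD (32-bit unsigned)", "h": "HANDLE"}
ACCESS_FLAGS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

def base_name(api):
    """Drop the trailing A/W: CreateFileA -> CreateFile, the name to search MSDN for."""
    return api[:-1] if len(api) > 1 and api[-1] in "AW" else api

def hungarian_type(param):
    """Decode the Hungarian-notation prefix: dwDesiredAccess -> DWORD."""
    for prefix, meaning in HUNGARIAN.items():
        if param.startswith(prefix) and param[len(prefix):len(prefix) + 1].isupper():
            return meaning
    return "unknown"

def imm(operand):
    """Parse an IDA immediate such as '80000000h' or '3'; None for non-numeric operands."""
    m = re.fullmatch(r"([0-9A-Fa-f]+)h|(\d+)", operand)
    return None if not m else int(m.group(1), 16) if m.group(1) else int(m.group(2))

def resolve_call(lines):
    """Map the pushes before a stdcall 'call' onto parameter names (args are pushed right to left)."""
    pushes, api = [], None
    for line in lines:
        code = line.split(";")[0].strip()          # ignore any IDA comment
        if code.startswith("push"):
            pushes.append(code[4:].strip())
        elif code.startswith("call"):
            api = code.split()[-1].split(":")[-1]  # 'ds:CreateFileA' -> 'CreateFileA'
            break
    params = API_SIGNATURES[base_name(api)]
    args = dict(zip(params, reversed(pushes[-len(params):])))
    return api, "Unicode" if api.endswith("W") else "ANSI", args

def describe(param, operand):
    """Human-readable meaning of one argument, using the documented constant values."""
    value = imm(operand)
    if param == "dwDesiredAccess" and value is not None:
        return " | ".join(n for bit, n in ACCESS_FLAGS.items() if value & bit) or hex(value)
    if param == "dwCreationDisposition" and value in DISPOSITION:
        return DISPOSITION[value]
    return operand
```

Running `resolve_call(SAMPLE)` on the constructed lines yields an ANSI call whose first argument is `offset FileName`, whose dwDesiredAccess decodes to GENERIC_READ and whose fifth parameter decodes to OPEN_EXISTING, i.e. the program opens an existing file for reading.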
Extended API Functions
• You will often encounter function names with an Ex suffix, such as RegCreateKeyEx (which is an extended
version of RegCreateKey). When Microsoft updates a function in a way that is incompatible with the old
function, the updated function has an Ex suffix added to its name.