8 Introduction To IDA Pro

IDA Pro is an interactive disassembler that uses heuristic techniques to disassemble binaries. It has both a freeware and commercial version. The main interface components are the navigation band, disassembly view, graph view, functions window, output window and toolbar. The disassembly view can show disassembly in text or graph mode. The graph view shows control flow graphs of functions. IDA analyzes binaries and stores the analysis in a proprietary database.

8. Getting Started with IDA Pro
MALWARE ANALYSIS

1
What is IDA Pro?
o IDA Pro – Interactive Disassembler Professional
o It is a recursive descent disassembler
o It uses many heuristic techniques during the process
o Not free software
o A limited-functionality freeware version is available
o Marketed by a company called Hex-Rays, located in Belgium
o IDA’s license allows users the right to reverse engineer IDA

2
IDA Freeware
o Download available at https://www.hex-rays.com/products/ida/support/download_freeware.shtml
o Set up

3
Launching IDA
o When you launch IDA, a splash screen shows a greeting
o It shows the version information, etc.

4
Launching IDA
o Shortly after, the Quick Start screen appears
o Unchecking “Display at startup” takes you to an empty workspace the next time you start IDA

5
Launching IDA
o Click “New” to disassemble a new file
o Clicking on “Go” opens an empty workspace. You may drag and drop a binary file to open it.
o “Previous” lets you open one of the recent files listed directly below the “Previous” button (Max is set to 10?? It can be raised to 100??).
6
Loading a file into IDA
o You can click on “New” and it will bring up a window where you can choose files
o Else, click on “Go”
o Then you can drag a file into the empty workspace
Or
o Click on the File Open icon to select a file

7
Loading a file into IDA
o The “Load a new file” window appears
o IDA automatically selects some options for you
o It is safe to use those options and click “OK”
o You will then see the assembly code obtained through the RE process

8
IDA Database Files
o When a file is successfully loaded, IDA creates a database
o The DB contains four files with extensions .id0, .id1, .nam and .til
o The file’s base name is the same as that of the loaded executable
o These files are proprietary to IDA
o All four files can be combined into a single IDB file, and be compressed
o An uncompressed IDB file is usually 10 times the size of the original input binary file

9
IDA Database Files
o When a database is properly closed, the four files disappear
o So, the presence of the four files indicates improper closing of the DB
o Once an IDB is created, the original executable is no longer needed
o Analysis can be done from the IDB
o A good security feature – particularly from malware analysis viewpoint
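The rule on the last two slides (a packed IDB means a properly closed database; the four loose files left on disk mean it was not) is easy to check across a case directory. The script below is an added example, not from the slides or from IDA; it works on a constructed file listing so it runs offline, and treats .i64 (the 64-bit IDA database) as an assumed extra packed extension.

```python
"""Classify IDA database files found beside analysed samples (added example, not IDA code).
Rule from the slides: a packed .idb is the properly closed form; the four loose files
(.id0, .id1, .nam, .til) still on disk mean the database was not closed properly."""
from collections import defaultdict
import os

LOOSE_EXTS = frozenset({".id0", ".id1", ".nam", ".til"})  # the four files on the slide
PACKED_EXTS = frozenset({".idb", ".i64"})  # .idb per slide; .i64 (64-bit IDA) is an assumption


def classify_ida_databases(filenames):
    """Map each base name to 'packed', 'unpacked', 'packed+unpacked' or 'incomplete'."""
    by_base = defaultdict(set)
    for name in filenames:
        base, ext = os.path.splitext(os.path.basename(name))
        ext = ext.lower()
        if ext in LOOSE_EXTS or ext in PACKED_EXTS:
            by_base[base].add(ext)

    states = {}
    for base, exts in by_base.items():
        loose = exts & LOOSE_EXTS
        packed = bool(exts & PACKED_EXTS)
        if loose == LOOSE_EXTS:
            # All four present: IDA is still open on it or it was not closed properly.
            # With an .idb beside them, that .idb is an older save, not the working copy.
            states[base] = "packed+unpacked" if packed else "unpacked"
        elif loose:
            states[base] = "incomplete"  # some loose files missing: working DB is damaged
        else:
            states[base] = "packed"
    return states


def needs_attention(filenames):
    """Base names whose database is not in the clean, packed state."""
    return sorted(b for b, s in classify_ida_databases(filenames).items() if s != "packed")


# Constructed directory listing for demonstration.
SAMPLE_LISTING = [
    "dropper.exe", "dropper.idb",                                          # properly closed
    "loader.dll", "loader.id0", "loader.id1", "loader.nam", "loader.til",  # not closed
    "stage2.bin", "stage2.idb", "stage2.id0", "stage2.id1", "stage2.nam", "stage2.til",
    "beacon.exe", "beacon.id0", "beacon.id1",                              # damaged
]
```

Run `needs_attention(os.listdir(case_dir))` on a real directory to list the databases that should be reopened and closed with a Pack option before the case is archived.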

10
IDA Database Files
o At its heart, IDA is simply a database application
o The various displays are nothing but views of the corresponding DB
o Any changes to the DB appear in the corresponding views
o However, such changes do not modify the original executable file

11
Closing IDA Database
o There is no auto-save
o The choices while closing are:
o Don’t pack database
o Leaves the four files in place on disk and does not create an IDB (not recommended if you want to continue to work on the executable later)
o Pack database (Store)
o Creates IDB file (overwrites previous IDB if exists)
o Pack database (Deflate)
o Same as the previous option; but, compresses the IDB

12
Closing IDA Database
o The other choices while closing
o Collect garbage
o Deletes unused memory pages from the DB before closing.
o May be used along with the Deflate option to create the smallest possible IDB file.
o DON’T SAVE the database
o Use this option to discard changes to the IDB since the last time it was saved
o IDA deletes all four DB files and leaves the existing IDB file untouched

13
IDA’s Interface
(Screenshot of the IDA workspace; labelled components: Functions Window, Graph Overview)

14
Interface Overview - Toolbar
o Shows most commonly used IDA operations
o Items can be added and removed by using View -> Toolbars
o Advanced mode toolbar can be displayed by using
View -> Toolbars -> Advanced
o Note that there is no “undo”

15
Interface Overview - Overview Navigator
o Also called Navigation Band
o Presents a linear view of the address space of the loaded file
o By default, the entire address range of the executable is represented
o Right clicking on the band gives options to zoom in or out
o Different colors represent different types of content: data, code, etc.

16
Interface Overview - Overview Navigator
o A current position indicator (yellow downward arrow) shows the current address range being displayed in the disassembly window
o Use Options -> Color to customize the colors
o Since it is easy to get lost in a binary, use this to help stay oriented
o We may want to spend more time on “Regular Function”

17
Interface Overview - Tabs
o A tab exists for each of the currently open data displays
o Each tab shows a view (developed from the database)
o More views can be added using View -> Open Subviews
o View -> Open Subviews can also be used to restore any display that has been closed

18
Interface Overview – Graph Overview
o This window shows a complete view of the graph
o This display appears only when the Graph View is active
o A dotted rectangle, which can be moved around, shows the current display area in the Graph View window

19
Interface Overview – Disassembly View
o It is the main data display area
o There are two styles available: Graph View and Text View
o When this window is active, one can toggle between the two styles by hitting the spacebar
o Graph View shows a flowchart-type graph for one function at a time

20
Interface Overview – Disassembly View
o The Disassembly window is the primary tool for analysis
o To open an additional disassembly window
o Use View -> Open Subviews -> Disassembly
o Windows are titled IDA View-A, IDA View-B, IDA View-C and so on
o Thus, one window can be used to view a graph and another a text listing

21
Disassembly View – Graph View
o Each rectangle is a basic block
o That is, there is no branching from inside the block
o The last instruction of the block is often a branch instruction
o The colored arrows represent the type of control flow between blocks
o From conditional blocks
o Yes edge (yes, the branch is taken) – appears in green by default
o No edge (no, the branch is not taken) – appears in red by default
o From unconditional blocks
o Normal edge (from a block that has only one place to go) – blue by default

22
Disassembly View – Graph View
o Panning
o A graph can be repositioned by clicking and dragging the background
o Rearranging blocks
o Click on the title bar of the desired block and drag it to a new position
o Grouping and collapsing blocks
o Right click on the block’s title bar and select Group Nodes
o This way you can keep track of blocks you have already analyzed

23
Disassembly View – Text View
o Used for viewing and manipulating disassembled code
o Shows the entire disassembly listing of a program
o Unlike the Graph View mode, which shows one function at a time
o This is the only way to see the data regions of a binary
o Virtual addresses are typically displayed in [Section name]:[Virtual Address] format

24
Disassembly View – Text View
o The left side is called the arrows window
o The arrows depict nonlinear flow within a function
o Solid arrows depict unconditional jumps
o Dashed arrows depict conditional jumps
o A heavy weighted line (solid or dashed) indicates a jump to an earlier address in the program
o This reverse flow often indicates a loop in the program

25
Disassembly View – Text View
o Comments can be added to a line
o Click on the desired line and press the colon “:”
o Variables or functions can be renamed
o Left-click once to highlight and press “n”
o Then type the new name in the pop-up window
o Code cross-reference: another program instruction transfers control to the location containing the cross-reference comment

26
Interface Overview – Output Window
o Various messages appear here
o When a binary is first opened, this window shows which phase of analysis IDA is in at a given time and what actions IDA is carrying out
o When working with a DB, the window shows the status of the various operations the user performs
o Right clicking on the window background gives options such as copying text, clearing the window, etc.

27
Interface Overview – Functions Window
o It shows every function IDA found in the database
o Example:
o malloc .text 00BD260 00000180 R...B..
o “malloc” is the function name
o It can be found in the .text section of the binary
o It appears at virtual address 00BD260 and is 384 bytes (hex 180) long
o It returns to the caller (R)
o It uses the EBP register (B) to reference its local variables
o Double-clicking on a function will jump the disassembly window to the address associated with that function
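The row format on this slide (name, segment, start, length, flag column) is simple enough to decode outside IDA, for instance when a colleague pastes a Functions-window listing into a report. The parser below is an added example, not code from the slides or from IDA; it interprets only the two flags the slide documents (R and B) and reports any other raised flag letter without assigning it a meaning. The SAMPLE_ROWS other than the malloc line are constructed.

```python
"""Decode rows in the layout of IDA's Functions window (added example, not IDA code).
Only the flags the slide documents are interpreted: R (returns) and B (EBP frame)."""
import re

# name, segment, hex start, hex length, then the flag column (e.g. "R...B..")
_ROW_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<segment>\S+)\s+(?P<start>[0-9A-Fa-f]+)\s+"
    r"(?P<length>[0-9A-Fa-f]+)\s+(?P<flags>[A-Za-z.=]+)\s*$"
)


def parse_function_row(row):
    """Return a dict describing one Functions-window row, or raise ValueError."""
    m = _ROW_RE.match(row)
    if not m:
        raise ValueError(f"not a Functions window row: {row!r}")
    start, length = int(m["start"], 16), int(m["length"], 16)
    raised = {c for c in m["flags"] if c != "."}
    return {
        "name": m["name"],
        "segment": m["segment"],
        "start": start,
        "length": length,
        "end": start + length,          # first address past the function
        "returns": "R" in raised,       # R: function returns to its caller
        "uses_ebp": "B" in raised,      # B: locals referenced through EBP
        "other_flags": sorted(raised - {"R", "B"}),  # reported, not interpreted
    }


def function_at(functions, address):
    """Name of the function whose range contains `address`, or None."""
    for f in functions:
        if f["start"] <= address < f["end"]:
            return f["name"]
    return None


def noreturn_functions(functions):
    """Functions lacking the R flag: a call to them never comes back."""
    return [f["name"] for f in functions if not f["returns"]]


# Constructed listing: the slide's malloc row plus two made-up rows.
SAMPLE_ROWS = [
    "malloc          .text 00BD260 00000180 R...B..",
    "sub_BD3E0       .text 00BD3E0 00000040 R......",
    "exit            .text 00BD420 00000020 ....B..",
]
```

`function_at` gives the same answer as double-clicking a function and reading the address range: it is handy for mapping a raw address from a crash log or debugger back to a function name.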

28
Hex View Tab
o The hex view window displays the raw hex of the executable
o Its content can be edited to change program behavior
o Default length of hex dump content is 16 bytes per line
o ASCII equivalents are also displayed alongside

29
Hex View Tab
o Similar to the disassembly window, several hex view windows can be opened simultaneously
o They will be named Hex View-1, Hex View-2 and so on
o Each of these windows can be synchronized with a disassembly window (and vice versa)
o To synchronize, right click anywhere on the window and select “Synchronize”
o When synchronized, scrolling one window will scroll the other
o Right clicking on the window gives several options: Data Format, Columns, Text, Edit, Font, so one can set their values
30
Exports Window Tab
o Shows a list of entry points into a file.
o Includes the program’s execution entry point and any functions or variables the file exports for use by other files
o Double-clicking on an entry will jump the disassembly window to the address associated with that entry

31
Imports Window Tab
o Lists all functions that are imported by the binary
o Double-clicking on an entry will jump the disassembly window to the address associated with that entry

32
Strings Window
o Opens by using View -> Open Subviews -> Strings
o Displays a list of strings extracted from the binary and their corresponding addresses
o Double-clicking on a string will jump the disassembly window to the address associated with that string
o Right clicking and selecting “Setup” allows you to select various string types
o Quick Filter under the Setup window allows you to filter the strings
33
Names Window
o Opens by using View -> Open Subviews -> Names
o Name is a symbolic description given to a program virtual address
o Double-clicking on a name will jump the disassembly window to that location

34
