Table of Contents for
The IDA Pro Book, 2nd Edition

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition The IDA Pro Book, 2nd Edition by Chris Eagle Published by No Starch Press, 2011
  1. Cover
  2. The IDA Pro Book
  3. PRAISE FOR THE FIRST EDITION OF THE IDA PRO BOOK
  4. Acknowledgments
  5. Introduction
  6. I. Introduction to IDA
  7. 1. Introduction to Disassembly
  8. The What of Disassembly
  9. The Why of Disassembly
  10. The How of Disassembly
  11. Summary
  12. 2. Reversing and Disassembly Tools
  13. Summary Tools
  14. Deep Inspection Tools
  15. Summary
  16. 3. IDA Pro Background
  17. Obtaining IDA Pro
  18. IDA Support Resources
  19. Your IDA Installation
  20. Thoughts on IDA’s User Interface
  21. Summary
  22. II. Basic IDA Usage
  23. 4. Getting Started with IDA
  24. IDA Database Files
  25. Introduction to the IDA Desktop
  26. Desktop Behavior During Initial Analysis
  27. IDA Desktop Tips and Tricks
  28. Reporting Bugs
  29. Summary
  30. 5. IDA Data Displays
  31. Secondary IDA Displays
  32. Tertiary IDA Displays
  33. Summary
  34. 6. Disassembly Navigation
  35. Stack Frames
  36. Searching the Database
  37. Summary
  38. 7. Disassembly Manipulation
  39. Commenting in IDA
  40. Basic Code Transformations
  41. Basic Data Transformations
  42. Summary
  43. 8. Datatypes and Data Structures
  44. Creating IDA Structures
  45. Using Structure Templates
  46. Importing New Structures
  47. Using Standard Structures
  48. IDA TIL Files
  49. C++ Reversing Primer
  50. Summary
  51. 9. Cross-References and Graphing
  52. IDA Graphing
  53. Summary
  54. 10. The Many Faces of IDA
  55. Using IDA’s Batch Mode
  56. Summary
  57. III. Advanced IDA Usage
  58. 11. Customizing IDA
  59. Additional IDA Configuration Options
  60. Summary
  61. 12. Library Recognition Using FLIRT Signatures
  62. Applying FLIRT Signatures
  63. Creating FLIRT Signature Files
  64. Summary
  65. 13. Extending IDA’s Knowledge
  66. Augmenting Predefined Comments with loadint
  67. Summary
  68. 14. Patching Binaries and Other IDA Limitations
  69. IDA Output Files and Patch Generation
  70. Summary
  71. IV. Extending IDA’s Capabilities
  72. 15. IDA Scripting
  73. The IDC Language
  74. Associating IDC Scripts with Hotkeys
  75. Useful IDC Functions
  76. IDC Scripting Examples
  77. IDAPython
  78. IDAPython Scripting Examples
  79. Summary
  80. 16. The IDA Software Development Kit
  81. The IDA Application Programming Interface
  82. Summary
  83. 17. The IDA Plug-in Architecture
  84. Building Your Plug-ins
  85. Installing Plug-ins
  86. Configuring Plug-ins
  87. Extending IDC
  88. Plug-in User Interface Options
  89. Scripted Plug-ins
  90. Summary
  91. 18. Binary Files and IDA Loader Modules
  92. Manually Loading a Windows PE File
  93. IDA Loader Modules
  94. Writing an IDA Loader Using the SDK
  95. Alternative Loader Strategies
  96. Writing a Scripted Loader
  97. Summary
  98. 19. IDA Processor Modules
  99. The Python Interpreter
  100. Writing a Processor Module Using the SDK
  101. Building Processor Modules
  102. Customizing Existing Processors
  103. Processor Module Architecture
  104. Scripting a Processor Module
  105. Summary
  106. V. Real-World Applications
  107. 20. Compiler Personalities
  108. RTTI Implementations
  109. Locating main
  110. Debug vs. Release Binaries
  111. Alternative Calling Conventions
  112. Summary
  113. 21. Obfuscated Code Analysis
  114. Anti–Dynamic Analysis Techniques
  115. Static De-obfuscation of Binaries Using IDA
  116. Virtual Machine-Based Obfuscation
  117. Summary
  118. 22. Vulnerability Analysis
  119. After-the-Fact Vulnerability Discovery with IDA
  120. IDA and the Exploit-Development Process
  121. Analyzing Shellcode
  122. Summary
  123. 23. Real-World IDA Plug-ins
  124. IDAPython
  125. collabREate
  126. ida-x86emu
  127. Class Informer
  128. MyNav
  129. IdaPdf
  130. Summary
  131. VI. The IDA Debugger
  132. 24. The IDA Debugger
  133. Basic Debugger Displays
  134. Process Control
  135. Automating Debugger Tasks
  136. Summary
  137. 25. Disassembler/Debugger Integration
  138. IDA Databases and the IDA Debugger
  139. Debugging Obfuscated Code
  140. IdaStealth
  141. Dealing with Exceptions
  142. Summary
  143. 26. Additional Debugger Features
  144. Debugging with Bochs
  145. Appcall
  146. Summary
  147. A. Using IDA Freeware 5.0
  148. Using IDA Freeware
  149. B. IDC/SDK Cross-Reference
  150. Index
  151. About the Author

Debugging with Bochs

Bochs is an open source x86 emulation environment. Bochs is capable of full-system emulation of x86 computer systems and includes emulation for common I/O devices and a custom BIOS. Bochs provides an emulation-based alternative to virtualization software such as VMware Workstation. Elias Bachaalany of the Hex-Rays development team has taken the lead on integrating Bochs with IDA to provide an emulation-based alternative to traditional debugging.[240] Windows versions of IDA ship with and install a compatible version of Bochs, while non-Windows users wishing to make use of Bochs must make sure that version 2.4.2 or later is installed on their system.

With Bochs installed, IDA offers a Local Bochs debugger choice whenever you have an x86 binary open in IDA. The availability of Bochs offers the opportunity to perform local debugging of Windows applications on non-Windows systems, because the application will be emulated rather than executed as a native process. Because it’s an emulator, Bochs configuration options differ somewhat from those available with more traditional debuggers. One of the most important things to understand about Bochs is that it can operate in three distinct modes: disk image mode, IDB mode, and PE mode. The choice of mode is made using the Bochs specific debugger configuration dialog shown in Figure 26-4.

Bochs debugger options dialog

Figure 26-4. Bochs debugger options dialog

Each of the available modes offers a drastically different degree of fidelity in terms of the quality and type of emulation being performed.

Bochs IDB Mode

Working from the ground up, IDB is the most basic Bochs mode. In IDB mode, the only code that Bochs is aware of is the code contained in your database. Memory regions are mapped into Bochs and populated by copying bytes from the database. A configurable amount of stack space is provided based on settings in the Bochs options dialog, and IDA will make its own decision as to where the stack will be allocated. Emulated execution begins (meaning the instruction pointer is initially positioned) at the database symbol named ENTRY if one has been defined. If an ENTRY symbol is not present, IDA tests to see if a range of locations is currently selected in the open database and uses the beginning of the range as the debugger entry point. If no selection exists, then the current cursor location is taken as the initial instruction pointer value. When running in IDB mode, keep in mind that Bochs has no notion of any operating system support such as shared libraries or the location of any well-known structures within a typical process address space. It is equally possible to step through a PE file, an ELF file, a Mach-O file, or a raw blob of machine code such as an exploit payload as long as the code makes no reference to anything that might reside outside the database. One way that IDB might be used is for executing a single function in an effort to understand its behavior without the requirement to craft a complete process or disk image to do so.

Bochs PE Mode

PE mode offers the opportunity to debug at something approaching the process level. When PE mode is selected and activated, IDA’s Bochs control module (an IDA plug-in) takes over and behaves much like the Windows process loader would if you were actually launching a native Windows process. A PE mode process receives process (PEB) and thread (TEB) environment blocks, along with a stack that mimics those that would be created in an actual process.

The Bochs plug-in also loads (without executing any code) a number of common Windows libraries into the emulated process address space in order to properly handle any library calls made by the process. The exact set of libraries that Bochs loads on debugger start is configurable and is specified in <IDADIR>/plugins/bochs/startup.idc. Any library may be loaded as is or may be designated to be stubbed out. If a library is marked to be stubbed, then the Bochs plug-in will automatically hook every function exported by that library and redirect execution to a Bochs interception function (refer to startup.idc and the IDA help system for more details). This stubbing technique provides an extensible means for users to define custom behaviors for any library function. For any library that is stubbed by IDA, it is possible to define a corresponding script file in which you may define your custom behaviors. For any library, foolib.dll for example, the Bochs plug-in scans for a related script named api_foolib.idc or api_foolib.py within the <IDADIR>/plugins/bochs directory. IDA ships with <IDADIR>/plugins/bochs/api_kernel32.idc, which provides a good example of the structure of such a file and the implementation of custom behaviors for a number of functions.

The ability to hook library functions and define custom implementations is important in PE mode because there is no operating system layer to perform all of the heavy lifting needed by the shared libraries. For example, by providing an alternate, script-based behavior for a function such as VirtualAlloc, which would fail if it could not communicate with the operating system, it is possible to convince (to some degree) the emulated process that it is running as an actual process. The goal when creating such script-based behaviors is to provide the emulated process with the responses it would expect to see if were communicating with the actual library functions, which in turn were communicating with the actual operating system.

If you use IDA on a non-Windows platform, you may take full advantage of Bochs PE mode by copying any required libraries (as specified in startup.idc) from a Windows system onto your IDA system and editing startup.idc to point at the directory containing all of the copied libraries. The following listing shows an example of the required changes.

// Define additional DLL path
// (add triple slashes to enable the following lines)
/// path /home/idauser/xp_dlls/=c:\winnt\system32\

When using PE mode, one difference you will note when launching a process under Bochs is that IDA does not open a warning dialog to remind you of the danger of launching a potentially malicious process under debugger control. This is because the only process that gets created is the Bochs emulator process, and all of the code that you are debugging is viewed by the Bochs emulator as data that happens to represent code for it to emulate. No native process is ever created from the binary that you are debugging.

Bochs Disk Image Mode

The third mode of operation for the Bochs debugger is called disk image mode. Aside from IDA’s ability to make use of Bochs, Bochs is a full-blown x86 system emulator on its own. It is quite possible to create hard drive images, using the bximage tool supplied with Bochs; install an operating system on the disk image, using Bochs and any required installation medium for the desired operating system; and ultimately use Bochs to run your guest operating system within an emulated environment.

If your primary goal in using IDA/Bochs is to understand the behavior of a single process, then disk image mode may not be for you. Isolating and observing a single process executing within a fully emulated operating system is not an easy task and requires a detailed understanding of the operating system and how it manages processes and memory. Where you may find IDA/Bochs useful is in analyzing system BIOS and boot code, which can be followed relatively easily before the operating system code takes over.

In disk image mode, you have no executable file image to load into IDA. Instead, IDA ships with a loader that recognizes Bochs configuration (boch-src) files.[241] A bochsrc file is used to describe the hardware execution environment when Bochs is used as a full system emulator. IDA’s default bochsrc file is located at <IDADIR>/cfg/bochsrc.cfg. Among other things, a bochsrc file is used to specify the locations of the system BIOS, video ROM, and disk image files. IDA’s bochsrc loader offers minimal loading services, doing nothing more than reading the first sector of the first disk image file specified in the Bochs configuration file being loaded and then selecting the Bochs debugger for use with the new database. The use of IDA/Bochs in a master boot record development scenario is discussed on the Hex-Rays blog.[242]


[240] See “Designing a minimal operating system to emulate 32/64bits x86 code snippets, shellcode or malware in Bochs” from Recon 2011 (http://www.recon.cx/).

[241] See http://bochs.sourceforge.net/doc/docbook/user/bochsrc.html for information on the bochsrc file format.

[242] See http://www.hexblog.com/?p=103.