1. 8. Getting Started with IDA Pro
Malware Analysis

2. What is IDA Pro? IDA Pro – Interactive Disassembler Professional
It is a recursive descent disassembler
It uses many heuristic techniques during the process
Not a free software
A limited-functionality freeware version is available
Marketed by a company called Hex-Rays, located in Belgium
IDA’s license allows users the right to reverse engineer IDA

3. IDA Freeware Download available at Set up
rays.com/products/ida/support/ download_freeware.shtml
Set up

4. Launching IDA
When you launch IDA, a splash screen will show a greetings
It shows the version information etc.

5. Launching IDA Shortly after, the Quick Start screen appears
By unchecking “Display at startup” will take you to empty workspace when you start IDA the next time.

6. Launching IDA Click “New” to disassemble a new file
Clicking on “Go” opens an empty workspace. You may drag and drop a binary file to open it.
“Previous” will let you open one from the list of recent files that appear directly below the “Previous” button (Max is set to 10?? It can be raised to 100??).

7. Loading a file into IDA
You can click on “New” and it will bring up an window where you can choose files
Else, click on “Go”
Then you can drag a file into the empty workspace Or
Click on the File Open icon to select a file

8. Loading a file into IDA The “Load a new file” window appears
IDA automatically selects some options for you
It is safe to use those options and click “ok”
You will then see the assembly code obtained through the RE process

9. IDA Database Files
When a file is successfully loaded, IDA creates a database
The DB contains four files with extensions .id0, .id1, .nam and .til
The file’s base name is the same as that of the loaded executable
These files are proprietary to IDA
All four files can be combined into a single IDB file, and be compressed
An uncompressed IDB file is usually 10 times the size of the original input binary file

10. IDA Database Files
When a database is properly closed, the four files disappear
So, the presence of the four files indicate improper closing of DB
Once an IDB is created, the original executable is no longer needed
Analysis can be done from the IDB
A good security feature – particularly from malware analysis viewpoint

11. IDA Database Files At its heart, IDA is simply a database application
The various displays are nothing but views of the corresponding DB
Any changes to the DB appears in corresponding views
However, such changes do not modify the original executable file

12. Closing IDA Database There is no auto-save
The choices while closing are:
Don’t pack database
Leaves the four files on desktop and does not create IDB (not recommended if you want to continue to work on the executable later)
Pack database (Store)
Creates IDB file (overwrites previous IDB if exists)
Pack database (Deflate)
Same as the previous option; but, compresses the IDB

13. Closing IDA Database The other choices while closing Collect garbage
Deletes unused memory pages from the DB before closing.
May be used along with Deflate option to create the smallest possible IDB file.
DON’T SAVE the database
Use this option to discard changes to the IDB since the last time it was saved
IDA deletes all four DB files and leaves the existing IDB file untouched

14. IDA’s Interface
Functions Window
Graph Overview

15. Interface Overview - Toolbar
Shows most commonly used IDA operations
Items can be added and removed by using View -> Toolbars
Advanced mode toolbar can be displayed by using
View -> Toolbars -> Advanced
Note that there is no “undo”

16. Interface Overview - Overview Navigator
Also called Navigation Band
Presents a linear view of address space of the loaded file
By default, the entire address range of the executable is represented
Right clicking on the band gives options to zoom in or out
Different colors represent different types of content: data, code, etc.

17. Interface Overview - Overview Navigator
A current position indicator (yellow downward arrow) shows the current address range being displayed in disassembly window
Use Options -> Color to customize the colors
Since it is easy to get lost in a binary, use this to help stay oriented
We may want to spend more time on “Regular Function”

18. Interface Overview - Tabs
A tab exists for each of the currently open data displays
Each tab shows a view (developed from the database)
More views can be added using View -> Open Subviews
View -> Open Subviews can also be used to restore any display that has been closed

19. Interface Overview – Graph Overview
This window shows a complete view of the graph
This display appears only when the Graph View is active
A dotted rectangle, which can be moved around, shows the current display area in the Graph View window

20. Interface Overview – Disassembly View
It is the main data display area
There are two styles available
Graph View and Text View
When this window is active, one can toggle between the two styles by hitting the spacebar
Graph View shows a flowchart type graph for one function at a time

21. Interface Overview – Disassembly View
The Disassembly window is the primary tool for analysis
To open additional disassembly window
Use Views -> Open Subviews -> Disassembly
Windows titled as IDA View-A, IDA View-B, IDA View-C and so on
Thus, one window can be used to view a graph and text listing in another

22. Disassembly View – Graph View
Each rectangle is a basic block
That is no branching from inside the block
The last instruction of the block is often a branch instruction
The colored arrows represent the type of control flow
between blocks
From conditional blocks
Yes edge (yes, the branch is taken) – appears in green by default
No edge (no, the branch is not taken) – appears in red by default
From uconditional blocks
Normal edge (from a block that has only one choice to go to) – blue by default

23. Disassembly View – Graph View
Panning
A graph can be repositioned by clicking and dragging the background
Rearranging blocks
Click on the title bar of the desired block and drag to a new position
Grouping and collapsing blocks
Right click on the block’s title bar and select Group Nodes
This way you can keep track of blocks you have already analyzed

24. Disassembly View – Text View
Used for viewing and manipulating disassembled code
Shows the entire disassembly listing of a program
Unlike the Graph View mode, which shows one function at a time
This is the only way to see the data regions of a binary
Virtual addresses are typically displayed in
[Section name]: [Virtual Address] format

25. Disassembly View – Text View
The left side is called the arrows window
They depict nonlinear flow within a
function
Solid arrows depict unconditional jumps
Dashed arrows depict conditional jumps
A heavy weighted line (solid or dashed)
indicates jump to an earlier address in the program
This reverse flow often indicates a loop in the program

26. Disassembly View – Text View
Comments can be added to a line
Click on the desired line and press the colon “:”
Variables or functions can be renamed
Left-click once to highlight and press “n”
Then type the new name in the pop up window
Code cross-reference: another program instruction transfers control to the location containing the cross-reference comment

27. Interface Overview – Output Window
Various messages appear here
When a binary is first opened, this window shows at what phase of analysis IDA is in at a given time and what actions IDA is carrying out
When working with a DB, the window shows the status of various operations the user performs
Right clicking on the window background will give options such as copying text, clearing them, etc.

28. Interface Overview – Functions Window
It shows every function IDA found in the database
Example:
malloc text 00BD R B . .
“Malloc” is the function name
It can be found in the text section of the binary
It appears at virtual address 00BD260 and is 384 bytes (hex 180) long
It returns to the caller (R)
It uses the EBP register (B) to reference its local variables
Double-clicking on a function will jump the disassembly window to the address associated with that function

29. Hex View Tab
The hex view window displays the raw hex of the executable
Its content can be edited to change program behavior
Default length of hex dump content is 16 bytes per line
ASCII equivalents also displayed alongside

30. Hex View Tab
Similar to disassembly window, several hex view Windows can be opened simultaneously
They will be named as Hex View-1, Hex View-2 and so on
Each of these windows can be synchronized with a disassembly window (and vice versa)
To synchronize, right click anywhere on the window and select “synchronize”
When synchronized, scrolling one window will scroll the other
Right clicking on the window gives several options: Data Format, Columns, Text, Edit, Font so one can set their values

31. Exports Window Tab Shows a list of entry points into a file.
Includes program’s execution entry point and any functions or variables the file exports for use by other files
Double-clicking on an entry will jump the disassembly window to the address associated with that entry

32. Imports Window Tab Lists all functions that are imported by the binary
Double-clicking on an entry will jump the disassembly window to the address associated with that entry

33. Strings Window Opens by using View -> Open Subviews -> Strings
Displays a list of strings extracted from the binary and their corresponding address
Double-clicking on a string will jump the disassembly window to the address associated with that string
By right clicking and selecting “Setup”, allows to select various string types
Quick Filter under the Setup window allows to filter the strings

34. Names Window Opens by using View -> Open Subviews -> Names
Name is a symbolic description given to a program virtual address
Double-clicking on a name will jump the disassembly window to that location