![Application
- Find ‘CALL’ instructions
# searchSystemCalls.py
from idautils import *
seg_ea = SegByName(".text")
# For each instruction
for addr in Heads(seg_ea, SegEnd(seg_ea)):
# Get disassembly
disasmStr = GetDisasm(addr)
if disasmStr.startswith( "int ") == True:
# Print if it is a system call
print "0x%08x [%s]" % (addr, disasmStr)](https://image.slidesharecdn.com/introductiontoidapython-131230160823-phpapp02/85/Introduction-to-ida-python-9-320.jpg)
Introduction to ida python
- 1. Introduction to IDAPython Byoungyoung Lee POSTECH PLUS 038 [email protected]
- 2. Overview • Brief intro to IDAPython • How to install • Examples – Searching disassembly patterns – Searching system calls in the binary – Deobfuscation
- 3. Automatic Reversing with IDA • To do automatic reversing ? – you need to write scripts • IDA supports multiple interfaces – Plugins (C++) – IDC (C-like scripting) – IDAPython (Python)
- 4. Brief intro to IDAPython • Most things you can do w/ your hands – can be done w/ IDAPython
- 5. How to install • COPY ‘python’ directory – to %IDA_DIR% • PUT ‘python.plw’ – to %IDA_DIR%/plugins • ex) C:Program FilesIDA52plugins
- 6. How to execute 1. Press ‘ALT+9’ in IDA 2. Choose Python file you’d like to execute Results would be printed in the log window
- 7. Simple example – walking the functions # walkFunctions.py ### Walk the functions # Get the segment's starting address ea = ScreenEA() # Loop through all the functions for function_ea in Functions(SegStart(ea), SegEnd(ea)): # Print the address and the function name. print hex(function_ea), GetFunctionName(function_ea)
- 8. Simple example – walking the instructions # walkInstructions.py # For each of the segments for seg_ea in Segments(): # For each of the defined elements for head in Heads(seg_ea, SegEnd(seg_ea)): # If it's an instruction if isCode(GetFlags(head)): # Get the Disasm and print it disasm = GetDisasm(head) print disasm
- 9. Application - Find ‘CALL’ instructions # searchSystemCalls.py from idautils import * seg_ea = SegByName(".text") # For each instruction for addr in Heads(seg_ea, SegEnd(seg_ea)): # Get disassembly disasmStr = GetDisasm(addr) if disasmStr.startswith( "int ") == True: # Print if it is a system call print "0x%08x [%s]" % (addr, disasmStr)
- 10. Deobfuscation • What is obfuscation? – To transform binary into something • which has the same executing behavior • which has very different outer representation – To disrupt disassemblers
- 11. Deobfuscation • How to obfuscate the binary – Simple obfuscation methods JMP X = PUSH X RET JMP X = XOR JZ original ECX, ECX X obfuscated
- 12. Deobfuscation • What happens due to these obfuscation? – IDA failed to analyze the binary properly • which means .. • YOU CANNOT USE CFG LAYOUT • YOU CANNOT EASILY FOLLOW THE CONTROL FLOW
- 13. Deobfuscation • Let’s learn deobfuscation w/ an example – 1. – 2. – 3. – 4. load reversing500 in IDA move to 0x08049891, and see ‘PUSH/RET’ execute ‘deobfuscation_simple.py’ see the instructions of 0x08049891 – For full deobfuscation • execute ‘deobfuscation_full.py’
- 14. Exercises (more applications) • 1. To list all string copy functions? – such as strcpy(), strncpy(), strcat(), and etc. – YES ,this is for finding Stack Overflow vulns. • 2. To examine all malloc() calls? – whose arg. is determined dynamically – YES ,this is for finding Heap Overflow vulns. • 3. Memory/Register Computation Back Tracer
- 15. Reference • “Introduction to IDAPython” by Ero Carrera