
The IDA Pro Book 2nd Edition.pdf

Copyright
Dedication
Brief Contents
Contents in Detail
Acknowledgments
Introduction
PART I: Introduction to IDA
1: Introduction to Disassembly
Disassembly Theory
The What of Disassembly
The Why of Disassembly
Malware Analysis
Vulnerability Analysis
Software Interoperability
Compiler Validation
Debugging Displays
The How of Disassembly
A Basic Disassembly Algorithm
Linear Sweep Disassembly
Recursive Descent Disassembly
Summary
2: Reversing and Disassembly Tools
Classification Tools
file
PE Tools
PEiD
Summary Tools
nm
ldd
objdump
otool
dumpbin
c++filt
Deep Inspection Tools
strings
Disassemblers
Summary
3: IDA Pro Background
Hex-Rays’ Stance on Piracy
Obtaining IDA Pro
IDA Versions
IDA Licenses
Purchasing IDA
Upgrading IDA
IDA Support Resources
Your IDA Installation
Windows Installation
OS X and Linux Installation
IDA and SELinux
32-bit vs. 64-bit IDA
The IDA Directory Layout
Thoughts on IDA’s User Interface
Summary
PART II: Basic IDA Usage
4: Getting Started with IDA
Launching IDA
IDA File Loading
Using the Binary File Loader
IDA Database Files
IDA Database Creation
Closing IDA Databases
Reopening a Database
Introduction to the IDA Desktop
Desktop Behavior During Initial Analysis
IDA Desktop Tips and Tricks
Reporting Bugs
Summary
5: IDA Data Displays
The Principal IDA Displays
The Disassembly Window
The Functions Window
The Output Window
Secondary IDA Displays
The Hex View Window
The Exports Window
The Imports Window
The Structures Window
The Enums Window
Tertiary IDA Displays
The Strings Window
The Names Window
The Segments Window
The Signatures Window
The Type Libraries Window
The Function Calls Window
The Problems Window
Summary
6: Disassembly Navigation
Basic IDA Navigation
Double-Click Navigation
Jump to Address
Navigation History
Stack Frames
Calling Conventions
Local Variable Layout
Stack Frame Examples
IDA Stack Views
Searching the Database
Text Searches
Binary Searches
Summary
7: Disassembly Manipulation
Names and Naming
Parameters and Local Variables
Named Locations
Register Names
Commenting in IDA
Regular Comments
Repeatable Comments
Anterior and Posterior Lines
Function Comments
Basic Code Transformations
Code Display Options
Formatting Instruction Operands
Manipulating Functions
Converting Data to Code (and Vice Versa)
Basic Data Transformations
Specifying Data Sizes
Working with Strings
Specifying Arrays
Summary
8: Datatypes and Data Structures
Recognizing Data Structure Use
Array Member Access
Structure Member Access
Creating IDA Structures
Creating a New Structure (or Union)
Editing Structure Members
Stack Frames as Specialized Structures
Using Structure Templates
Importing New Structures
Parsing C Structure Declarations
Parsing C Header Files
Using Standard Structures
IDA TIL Files
Loading New TIL Files
Sharing TIL Files
C++ Reversing Primer
The this Pointer
Virtual Functions and Vtables
The Object Life Cycle
Name Mangling
Runtime Type Identification
Inheritance Relationships
C++ Reverse Engineering References
Summary
9: Cross-References and Graphing
Cross-References
Code Cross-References
Data Cross-References
Cross-Reference Lists
Function Calls
IDA Graphing
IDA External (Third-Party) Graphing
IDA’s Integrated Graph View
Summary
10: The Many Faces of IDA
Console Mode IDA
Common Features of Console Mode
Windows Console Specifics
Linux Console Specifics
OS X Console Specifics
Using IDA’s Batch Mode
Summary
PART III: Advanced IDA Usage
11: Customizing IDA
Configuration Files
The Main Configuration File: ida.cfg
The GUI Configuration File: idagui.cfg
The Console Configuration File: idatui.cfg
Additional IDA Configuration Options
IDA Colors
Customizing IDA Toolbars
Summary
12: Library Recognition Using FLIRT Signatures
Fast Library Identification and Recognition Technology
Applying FLIRT Signatures
Creating FLIRT Signature Files
Signature-Creation Overview
Identifying and Acquiring Static Libraries
Creating Pattern Files
Creating Signature Files
Startup Signatures
Summary
13: Extending IDA’s Knowledge
Augmenting Function Information
IDS Files
Creating IDS Files
Augmenting Predefined Comments with loadint
Summary
14: Patching Binaries and Other IDA Limitations
The Infamous Patch Program Menu
Changing Individual Database Bytes
Changing a Word in the Database
Using the Assemble Dialog
IDA Output Files and Patch Generation
IDA-Generated MAP Files
IDA-Generated ASM Files
IDA-Generated INC Files
IDA-Generated LST Files
IDA-Generated EXE Files
IDA-Generated DIF Files
IDA-Generated HTML Files
Summary
PART IV: Extending IDA's Capabilities
15: IDA Scripting
Basic Script Execution
The IDC Language
IDC Variables
IDC Expressions
IDC Statements
IDC Functions
IDC Objects
IDC Programs
Error Handling in IDC
Persistent Data Storage in IDC
Associating IDC Scripts with Hotkeys
Useful IDC Functions
Functions for Reading and Modifying Data
User Interaction Functions
String-Manipulation Functions
File Input/Output Functions
Manipulating Database Names
Functions Dealing with Functions
Code Cross-Reference Functions
Data Cross-Reference Functions
Database Manipulation Functions
Database Search Functions
Disassembly Line Components
IDC Scripting Examples
Enumerating Functions
Enumerating Instructions
Enumerating Cross-References
Enumerating Exported Functions
Finding and Labeling Function Arguments
Emulating Assembly Language Behavior
IDAPython
Using IDAPython
IDAPython Scripting Examples
Enumerating Functions
Enumerating Instructions
Enumerating Cross-References
Enumerating Exported Functions
Summary
16: The IDA Software Development Kit
SDK Introduction
SDK Installation
SDK Layout
Configuring a Build Environment
The IDA Application Programming Interface
Header Files Overview
Netnodes
Useful SDK Datatypes
Commonly Used SDK Functions
Iteration Techniques Using the IDA API
Summary
17: The IDA Plug-in Architecture
Writing a Plug-in
The Plug-in Life Cycle
Plug-in Initialization
Event Notification
Plug-in Execution
Building Your Plug-ins
Installing Plug-ins
Configuring Plug-ins
Extending IDC
Plug-in User Interface Options
Using the SDK’s Chooser Dialogs
Creating Customized Forms with the SDK
Windows-Only User Interface-Generation Techniques
User Interface Generation with Qt
Scripted Plug-ins
Summary
18: Binary Files and IDA Loader Modules
Unknown File Analysis
Manually Loading a Windows PE File
IDA Loader Modules
Writing an IDA Loader Using the SDK
The Simpleton Loader
Building an IDA Loader Module
A pcap Loader for IDA
Alternative Loader Strategies
Writing a Scripted Loader
Summary
19: IDA Processor Modules
Python Byte Code
The Python Interpreter
Writing a Processor Module Using the SDK
The processor_t Struct
Basic Initialization of the LPH Structure
The Analyzer
The Emulator
The Outputter
Processor Notifications
Other processor_t Members
Building Processor Modules
Customizing Existing Processors
Processor Module Architecture
Scripting a Processor Module
Summary
PART V: Real-World Applications
20: Compiler Personalities
Jump Tables and Switch Statements
RTTI Implementations
Locating main
Debug vs. Release Binaries
Alternative Calling Conventions
Summary
21: Obfuscated Code Analysis
Anti-Static Analysis Techniques
Disassembly Desynchronization
Dynamically Computed Target Addresses
Imported Function Obfuscation
Targeted Attacks on Analysis Tools
Anti-Dynamic Analysis Techniques
Detecting Virtualization
Detecting Instrumentation
Detecting Debuggers
Preventing Debugging
Static De-obfuscation of Binaries Using IDA
Script-Oriented De-obfuscation
Emulation-Oriented De-obfuscation
Virtual Machine-Based Obfuscation
Summary
22: Vulnerability Analysis
Discovering New Vulnerabilities with IDA
After-the-Fact Vulnerability Discovery with IDA
IDA and the Exploit-Development Process
Stack Frame Breakdown
Locating Instruction Sequences
Finding Useful Virtual Addresses
Analyzing Shellcode
Summary
23: Real-World IDA Plug-ins
Hex-Rays
IDAPython
collabREate
ida-x86emu
Class Informer
MyNav
IdaPdf
Summary
PART VI: The IDA Debugger
24: The IDA Debugger
Launching the Debugger
Basic Debugger Displays
Process Control
Breakpoints
Tracing
Stack Traces
Watches
Automating Debugger Tasks
Scripting Debugger Actions
Automating Debugger Actions with IDA Plug-ins
Summary
25: Disassembler/Debugger Integration
Background
IDA Databases and the IDA Debugger
Debugging Obfuscated Code
Launching the Process
Simple Decryption and Decompression Loops
Import Table Reconstruction
Hiding the Debugger
IdaStealth
Dealing with Exceptions
Summary
26: Additional Debugger Features
Remote Debugging with IDA
Using a Hex-Rays Debugging Server
Attaching to a Remote Process
Exception Handling During Remote Debugging
Using Scripts and Plug-ins During Remote Debugging
Debugging with Bochs
Bochs IDB Mode
Bochs PE Mode
Bochs Disk Image Mode
Appcall
Summary
A: Using IDA Freeware 5.0
Restrictions on IDA Freeware
Using IDA Freeware
B: IDC/SDK Cross-Reference
Index
No source code? No problem. With IDA Pro, the interactive disassembler, you live in a source code–optional world. IDA can automatically analyze the millions of opcodes that make up an executable and present you with a disassembly. But at that point, your work is just beginning. With The IDA Pro Book, you’ll learn how to turn that mountain of mnemonics into something you can actually use.

Hailed by the creator of IDA Pro as “profound, comprehensive, and accurate,” the second edition of The IDA Pro Book covers everything from the very first steps to advanced automation techniques. You’ll find complete coverage of IDA’s new Qt-based user interface, as well as increased coverage of the IDA debugger, the Bochs debugger, and IDA scripting (especially using IDAPython). But because humans are still smarter than computers, you’ll even learn how to use IDA’s latest interactive and scriptable interfaces to your advantage.

Save time and effort as you learn to:
• Navigate, comment, and modify disassembly
• Identify known library routines, so you can focus your analysis on other areas of the code
• Use code graphing to quickly make sense of cross-references and function calls
• Extend IDA to support new processors and filetypes using the SDK
• Explore popular plug-ins that make writing IDA scripts easier, allow collaborative reverse engineering, and much more
• Use IDA’s built-in debugger to tackle hostile and obfuscated code

Whether you’re analyzing malware, conducting vulnerability research, or reverse engineering software, a mastery of IDA Pro is crucial to your success. Take your skills to the next level with this 2nd edition of The IDA Pro Book.

About the Author
Chris Eagle is a Senior Lecturer of Computer Science at the Naval Postgraduate School in Monterey, CA. He is the author of many IDA plug-ins and co-author of Gray Hat Hacking (McGraw-Hill), and he has spoken at numerous security conferences, including Blackhat, Defcon, Toorcon, and Shmoocon.

The Finest in Geek Entertainment™
www.nostarch.com
“I lie flat.” This book uses a lay-flat binding that won’t snap shut.
$69.95 ($79.95 CDN)
Shelve in: Programming / Software Development
The IDA Pro Book, 2nd Edition: The Unofficial Guide to the World’s Most Popular Disassembler, by Chris Eagle
“I wholeheartedly recommend The IDA Pro Book to all IDA Pro users.” —Ilfak Guilfanov, creator of IDA Pro
PRAISE FOR THE FIRST EDITION OF THE IDA PRO BOOK

“I wholeheartedly recommend The IDA Pro Book to all IDA Pro users.” —ILFAK GUILFANOV, CREATOR OF IDA PRO

“A very concise, well laid out book. . . . The step by step examples, and much needed detail of all aspects of IDA alone make this book a good choice.” —CODY PIERCE, TIPPINGPOINT DVLABS

“Chris Eagle is clearly an excellent educator, as he makes the sometimes very dense and technically involved material easy to read and understand and also chooses his examples well.” —DINO DAI ZOVI, TRAIL OF BITS BLOG

“Provides a significantly better understanding not of just IDA Pro itself, but of the entire RE process.” —RYAN LINN, THE ETHICAL HACKER NETWORK

“This book has no fluff or filler, it’s solid information!” —ERIC HULSE, CARNAL0WNAGE BLOG

“The densest, most accurate, and, by far, the best IDA Pro book ever released.” —PIERRE VANDEVENNE, OWNER AND CEO OF DATARESCUE SA

“I highly recommend this book to anyone, from the person looking to begin using IDA Pro to the seasoned veteran.” —DUSTIN D. TRAMMELL, SECURITY RESEARCHER

“This book does definitely get a strong buy recommendation from me. It’s well written and it covers IDA Pro more comprehensively than any other written document I am aware of (including the actual IDA Pro Manual).” —SEBASTIAN PORST, SENIOR SOFTWARE SECURITY ENGINEER, MICROSOFT

“Whether you need to solve a tough runtime defect or examine your application security from the inside out, IDA Pro is a great tool and this book is THE guide for coming up to speed.” —JOE STAGNER, PROGRAM MANAGER, MICROSOFT
THE IDA PRO BOOK, 2nd Edition
The Unofficial Guide to the World’s Most Popular Disassembler
by Chris Eagle
San Francisco
THE IDA PRO BOOK, 2ND EDITION. Copyright © 2011 by Chris Eagle. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher. Printed in Canada 15 14 13 12 11 1 2 3 4 5 6 7 8 9 ISBN-10: 1-59327-289-8 ISBN-13: 978-1-59327-289-0 Publisher: William Pollock Production Editor: Alison Law Cover and Interior Design: Octopod Studios Developmental Editor: Tyler Ortman Technical Reviewer: Tim Vidas Copyeditor: Linda Recktenwald Compositor: Alison Law Proofreader: Paula L. Fleming Indexer: BIM Indexing & Proofreading Services For information on book distributors or translations, please contact No Starch Press, Inc. directly: No Starch Press, Inc. 38 Ringold Street, San Francisco, CA 94103 phone: 415.863.9900; fax: 415.863.9950; info@nostarch.com; www.nostarch.com The Library of Congress has cataloged the first edition as follows: Eagle, Chris. The IDA Pro book : the unofficial guide to the world's most popular disassembler / Chris Eagle. p. cm. Includes bibliographical references and index. ISBN-13: 978-1-59327-178-7 ISBN-10: 1-59327-178-6 1. IDA Pro (Electronic resource) 2. Disassemblers (Computer programs) 3. Debugging in computer science. I. Title. QA76.76.D57E245 2008 005.1'4--dc22 No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The information in this book is distributed on an “As Is” basis, without warranty. 
While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
This book is dedicated to my mother.