index [nostarch.com]index 611 armlinux_server server component, 570 array access operations, 135,...

I N D E X

Special Characters & Numbers#define statements, 257#hint text# element, 338#ifdef block, 258#ifdef/#else block, 258$ idc_array, 301, 331$ prefix, 297$HOME/.idapro/ida.key, 192$HOME/.idapro/ida.reg file, 44, 207* (asterisk key), 144: (colon) hotkey, 107; (semicolon) hotkey, 107{ } (bracing) syntax, 254>> (right-shift operator), 253, 4581 byte of storage (db), 972 bytes of storage (dw), 974 bytes of storage (dd), 978-byte doubles, 13632-bit version, vs. 64-bit version, 3864-bit version, vs. 32-bit version, 38

AA hotkey, 122-A option, 197-a option, 218A suffix, ASCII strings, 447-a switch, 71Abort command, 205absolute jumps, 436–437accept_file function, 359, 362,

365, 367ACCEPT_FIRST flag, 359accept_simpleton_file function,

362, 367

accept_simpleton_loader function, 362access specifiers, IDC, 256Actions box, Breakpoint Settings

dialog, 526activation records, 65, 83ActiveSync, 517Add Breakpoint option, 463, 523Add standard structure button, Create

Structure/Union dialog, 143, 152

Add Watch option, 529–530add_auto_stkpnt2 function, 392, 394add_entry function, 364add_segm functions, 308add_segm_ex function, 308add_struc function, 307add_struc_member function, 307add_til functions, 367add_til2 function, 367AddBpt function, 531, 554AddBptEx function, 531AddEntryPoint function, 357AddHotkey function, 261Address box, Breakpoint Settings

dialog, 524Address field, Assemble Instruction

dialog, 240AddressOfEntryPoint field, 351ADDSEG_XXX values, 308advanced mode toolbar, 53, 208aiSee, GDL viewer, 193AL register, 458algorithmic analysis, 416alias = register syntax, 105alignment, 352

The IDA Pro Book, 2nd Edition© 2011 by Chris Eagle

610 INDEX

All segments button, Memory snap-shot confirmation dialog, 542

allins.hpp file, 235, 303allmake.mak file, 289allmake.unx file, 289Allocate Heap Block option, Func-

tions menu, 471Allocate Stack Block option, Func-

tions menu, 471alphabetically sorting, in Functions

window, 82ALT-B hotkey, 99alternate display format, selecting, 96ALT-F8 hotkey, 461ALT-H hotkey, 207ALT-K hotkey, 118ALT-L (Anchor) command, 243ALT-P hotkey, 230, 424ALT-Q hotkey, 147altset function, 300altvals, 297ALT-x method, 191Amini, Pedram, 204ana function, 391ana.cpp file, 385analysis.idc script, 197analyzer, for processor modules,

385–390analyzing

algorithms, 416binary, for different platform, 455

Anchor (ALT-L) command, 243android_server server component, 570anterior and posterior lines, 108anti-debugging

hiding debugger, 555–560technique, 452–454and x86emu emulation-oriented

de-obfuscation of binaries, 471–472

anti–dynamic analysis techniques, 449–454

detecting debuggers, 452–453detecting instrumentation,

451–452detecting virtualization, 449–451preventing debugging, 453–454

antipiracy techniques, 32anti–reverse engineering techniques,

433–434

anti–static analysis techniques, 434–449

disassembly desynchronization, 434–437

dynamically computed target addresses, 437–444

imported function obfuscation, 444–448

targeted attacks on analysis tools, 448–449

Apache web server, 23API (Application Programming Inter-

face), 289–314header files, 290–294iteration techniques using,

310–314netnodes, 294–301

creating, 295–297data storage in, 297–301deleting, 301

SDK datatypes, 302–303SDK functions, 304–309

App TRK, 517Appcall feature, for Bochs, 578–580Appcall variable, 579Append Function Tail option, 115Application option, debugger pro-

cess options dialog, 571Application Programming Interface.

See APIApply new signature option, Signa-

tures window, 75AR_LONG constant, 260AR_STR constant, 260ar2idt.exe parser, 231architectures

of processor modules, 409–411RISC-style, 387

archive files, 155area control block, 310area_t (area.hpp), datatypes for SDK,

291, 293, 302areacb_t class, 310areacb_t variables, 310area.hpp, 291, 310arg_ prefix, 95argc, 422, 425argv, 422, 425arithmetic instructions, simple, 11ARM code, 410


INDEX 611

armlinux_server server component, 570array access operations, 135, 172array elements

accessing, 131selecting size for, 125

Array option, 125array tag parameter, 298Array-creation dialog, 124–125array-manipulation functions,

259–260arrays, 130–135

attributes for, 124–126globally allocated arrays, 131–132globally allocated structures, 137heap-allocated arrays, 134–135heap-allocated structures, 138–140stack-allocated arrays, 132–134stack-allocated structures, 138structure member access, 135–137of structures, 140–141

arrows window, IDA text view, 65asc_ prefix, 123ASCII characters, 121, 447Ascii column, PDF Objects

window, 510ASCII dump, searching, 99ASCII printable characters, 27ASCII String Style option, Option

menu, 122ASCII strings, 447ash variable, 292, 399asize_t get_struc_size function, 307AskFile function, 263, 265askfile_c function, 305AskStr function, 263askstr function, 305AskUsingForm_c dialogs, 340AskUsingForm_c function, 305,

337–338, 341AskXXX functions, 263, 292askXXX interface functions, 334AskYN function, 263askyn_c function, 305ASM files, generating, 242–243asm_t struct, 380, 399, 402asms

data member, 402field, 402

ASPack program, 441ASProtect program, 441

Assemble dialog, 239–241Assemble Instruction dialog, 240Assemble option, Patch Program

menu, 239assembler tool, 4assembly language call statement, 164assembly languages, 4Assume GCC v3.x names

checkbox, 163asterisk key (*), 144asynchronous communications, 504asynchronous interaction, 536–537Asynchronous Sockets techniques,

Windows, 504AT&T assembly syntax, 9atoll function, 264Attach option, Debugger menu, 514,

518, 573Attach to Process option, Debugger

menu, 516, 574attributes

for arrays, 124–126for functions, 115–118

auto comments, 233Auto comments option, 110auto keyword, IDC, 252Autogenerated name option, for

named locations, 104autogenerated names

in Names window, 104prefixes for, 73

auto.hpp, for API, 291

BB (button) field, 339-B option, 197b parameter, 94, 160Bachaalany, Elias, 574backdoor-style communications

channels, 450backward navigation button, 83Bad instruction <BAD> marks option,

110–111bar function, 106base address, of array, 131BaseClass, 158–159basic blocks, 61–62, 176–177basic mode toolbar, 53, 208batch mode, 189, 196–198


612 INDEX

BDS (Binary Diffing Suite), 485beginner mode, 206big-endian, CUP, 10bin directory

FLAIR tools, 217for SDK, 287

binariesOS X Mach-O, 24searches, 493statically linked, 178used in first-generation

languages, 4Binary Diffing Suite (BDS), 485binary executable files, 18, 434Binary File Descriptor library

(libbfd), 24Binary File entry, 45–46binary file obfuscation, 19binary files, 347–375

alternative loaders, 372–373analysis of unknown files, 348–349loader for, 47–48loader modules for

overview, 358pcap loader, 366–372simpleton loader, 361–366writing using SDK, 358–360

manually loading Windows PE file, 349–357

scripted loaders, 373–375binary form, plug-ins, 500Binary Search dialog, 99binary searches, of database, 99–100BINARY_ADD byte code instruction, 379BinDiff, 485BinNavi, 280binutils tool suite, GNU, 24block statement, 160blocking operation, 286blocks, in disassembly window, 64Bochs, 574–580

Appcall feature for, 578–580disk image mode for, 577IDB mode for, 575–576PE mode for, 576–577

Bochs configuration dialog, 575Bochs control module, 576bochsrc file, 577

Borlandcode, 419tools, 404

Borland’s Turbo Assembler (TASM), 9

Borland-style make files, 289BOUNDS problem, Problems

Window, 77BP based frame attribute,

117–118, 424BP equals to SP attribute, 118bpt_NtContinue function, 567–568bracing ({ }) syntax, 254branches, 171Break checkbox, Breakpoint Settings

dialog, 526break statement, 279Breakpoint List option, Debugger

menu, 523breakpoint manipulation tools, 519Breakpoint Settings dialog, 523–526breakpoints, in debugger, 522–526bss section, 68, 356B-tree–style database, 49buffer array, 94Bug Reports forum, Hex-Rays bulle-

tin board, 58bugs, reporting, 58BugScam scripts, 481build scripts, 461BUILDING.txt file, 503bulletin boards, Hex-Rays, 58bundled graphing applications, 176Burneye ELF encryption tool, 442,

455–459, 465, 467button (B) field, 339bximage tool, 577byte code, 4, 379Byte function, 262byte_patched notification message, 322bytes.hpp file, 291, 399

CC enum, Enums window, 70C hotkey, 48, 120C notation, 130-c option, 197


INDEX 613

c parameter, 94C_HEADER_PATH option, 203C_PREDEFINED_MACROS option, 203C++, 156–166

calling conventions, 88inheritance relationships, 164–165name mangling in, 162–163object life cycle in, 160–161reverse engineering references,

165–166RTTI, 163–164this pointer in, 156–157virtual functions and vtables,

157–160c++filt utility, 25–26calculator program, Windows, 25call esi instruction, 492call flow type, 62, 171call graphs, 178–180call instructions, 112, 272, 456,

467, 480Call Stack dialog, 529call statement, 437call_vfunc function, 159call-by-reference, 255call-by-value, 255callflow function, 171calling conventions

compiler differences for, 430–432for stack frames, 85–89

call-style cross-references, 171callui function, 305canned search features, 98canonical feature (CF), 381Capture the Flag

binary, DEFCON, 278network, DEFCON, 496

Case-sensitive option, 99–100case-sensitive searches, 100, 493catalog, of named constants, 112–113cdecl calling convention, 85–86, 129cdecl functions, 116_cdecl modifier, 85CF (canonical feature), 381CF_CALL flag, 381CF_CHGn flag, 381CF_STOP flag, 381CF_USEn flag, 381

cfg directory, 39Change Byte menu option, Patch

Program, 238Change Color button, color selection

dialog, 208Change exception definition, Excep-

tion Handling dialog, 564Change segment attributes dialog, 543Change Stack Pointer option, 118Character terminated strings, 122Characteristics field, 357charset function, 300charval function, 297, 300charval interface, 300CheckBptfunction, 531–532choose function, 305, 334Choose project to attach to dialog, 515choose2 dialog, 337choose2 function, 305, 334, 336, 566chooser dialog, 335chunked functions, 114–115, 272CL register, 431Clampi trojan, 442class constructor, 160.class file, 472Class Informer plug-in, 420, 506–508class relationships, deducing

between, 165click-and-drag operation, 119C-like pseudocode, 500closing, IDA database files, 51–52cmd variable, 385, 394cmd.Operands array, 387, 390cnbits field, 385code

converting to data, 119–120display options for, 109–111

code argument, 339code bytes, distinguishing from data

bytes, 48CODE class, 308code cross-references, 65, 168–169Code option, 435CODE XREF, 169coding scheme, used in Names

window, 73COFF libraries, 219collabREate plug-in, 503–506


614 INDEX

Collapse Group button, 187collapsed node demo, 187collapsed structures, 146, 153–154collapsing blocks, in disassembly

window, 64Collect garbage option, 52collisions, 221, 223colon (:) hotkey, 107color key, 54color palettes, 192color selection dialog, 208coloring nodes, 186colorized disassembly listings, 245colors, customizing, 207–208Colors command, 54Columns menu option, Hex

window, 67comma operator, 253COMMAND function, 536command history list, 40command-line

arguments, 22tools

Borland, 418, 426Exports window, 68IDA, 251Segments window, 74

Comment directive, 232comment member, for plug-ins, 317comment.cmt file, 234–235CommentEx function, 270commenting

anterior and posterior lines, 108augmenting information for, with

loadint, 233–235auto, 233function comments, 108overview, 106regular comments, 107repeatable comments, 107–108virtual repeatable, 108

comments option, 110common operations bar, console user

interface, 190compact_til function, 369Compilation successful message, pars-

ing header files, 150Compiler configuration dialog,

Option menu, 151

compiler differences, 415–432alternative calling conventions,

430–432debug vs. release binaries, 428–430jump tables, 416–420locating main, 421–428RTTI implementations, 420switch statements, 416–420

compiler validation, reasons for disassembly, 7

compilersGNU, 86, 136utilizing stack frames, 83

compiling functions, 89computer licenses, 33concrete_class object, 164Condition field, Breakpoint Settings

dialog, 525conditional branching, 11, 171conditional breakpoints, 523conditional jumps, 436–437configuration dialog, Bochs, 575configuration files, 39configuring plug-ins, 330–331connect function, 69, 127console mode, 190–196

common features of, 190–191specific features of

for Linux, 192–194for OS X, 194–196for Windows, 191

consolesI/O library, 190limitations of, 190mouse server, Linux, 192user interface, 190

constant index values, 137constants, formatting options for, 112CONTEXT record, 567CONTEXT structure, 440, 472, 568context-sensitive menus, 60, 102,

112, 501Continue button, toolbar buttons, 521Continue command, 521Continue with Unpacked Base

option, 53control flow graphs, 169, 178, 185control module, Bochs, 576converting data, to code (and vice

versa), 119–120


INDEX 615

Cooper, Jeremy, 193, 195copyright notices, 218CPU flag, 437, 520CPU instructions

sets, 286undocumented, 110

CPU registers, 440cpu_data function, 394crashes, restarting after, 52–53CRC16 value, 220crc16.cpp file, 220Create as array option, 126Create C File option, File menu, 500Create EXE File command, 360, 365Create EXE File option, File

menu, 542create function, 296Create function tails loader option,

Kernel Options, 115Create name anyway option, for

named locations, 105Create Segment command, 353Create Structure/Union dialog,

143, 152Create union checkbox, Create

Structure/Union dialog, 143CREATE_BACKUPS option, 202create_filename_cmt function, 363create_func_frame function, 401CreateArray function, 260, 301createImportLabel function, 553–554CreateNetnode function, 332CreateThread function, 471CRITICAL_SECTION object, 121Cross References option, View

menu, 477cross-references (xrefs), 168–176

code cross-references, 169–171data cross-references, 171–173display window, 174enumerating, using API, 311–314for function calls, 175–176graphs for, 180–185lists of, 173–175navigational purposes, 81subview, opening, 174text, mousing over, 173

Cross-References tab, 172, 187cryptographic library, OpenSSL,

215–216, 229

C-style strings, 71, 122C-style union, 143CTRL-B hotkey, 100CTRL-ENTER hotkey, 83CTRL-F1 hotkey, 203CTRL-F4 hotkey, 191CTRL-Q hotkey, 204CTRL-T hotkey, 99CTRL-X hotkey, 174current instruction location, 386current position indicator, 54custom cross-reference graphs, 183custom data

formats, 474data types, 474

custom_ana code, 408custom_emu code, 408custom_mnem code, 408custom_out code, 408custom_outop code, 408customizing, 201–210

colors, 207–208configuration files, 201–207toolbars, 208–210

cya instruction, 408Cygwin environment, 17

DD command, 144D hotkey, 120, 122d_out function, 394, 398, 401dashed line break, 171data

converting to code, 119–120specifying sizes for, 121–122

data bytes, distinguishing from code bytes, 48

data carousel, 121–122DATA class, 308data cross-references, 168data displays, 55Data Format menu, Hex window, 67data storage, in netnodes, 297–301data structures. See also datatypes

arrays, 130–135IDA structures, 142–146importing new, 149–151and TIL files, 154–156


616 INDEX

data structures (continued)using standard structures, 151–154using structure templates, 146–149

DATA XREF, 169database events, 321Database Restore dialog, 52–53data-flow analysis, 481DataRescue, 32datatype setup dialog, 121datatypes. See also data structures

custom, 474Hex-Rays, 501for SDK, 302–303toggling through, 122

db (1 byte of storage), 97dbg_notification_t enum, 536dbg_step_until_ret notification, 537dbg_trace notification, 537dbg.hpp, for API, 291dd (4 bytes of storage), 97dead listings, 79debug binaries, vs. release binaries,

428–430DEBUG flag, 330debug registers, 440debugger, 513–580

automating with plug-ins, 536–538detecting, 452–453displays, reasons for disassembly, 7displays in, 518–521handling exceptions with, 561–568and IDA databases, 541–543IdaStealth plug-in for, 560–561instruction pointer warning, 549launching, 514–518preventing, 453–454process control with, 521–530

breakpoints, 522–526stack traces, 528–529tracing, 526–528watches, 529–530

process options dialog, 571–572remote debugging with, 569–574

attaching to remote process, 573–574

exception handling during, 574using Hex-Rays debugging

server, 570–573using scripts and plug-ins

during, 574

selection dialog, 515–516sessions, MyNav, 508setup dialog, 545–546, 562–563, 574scripting for, 530–535using Bochs, 574–580

Appcall feature for, 578–580disk image mode for, 577IDB mode for, 575–576PE mode for, 576–577

using with obfuscated code, 543–560

decryption and decompression loops, 546–550

hiding debugger, 555–560import table reconstruction,

550–555launching process, 545–546overview, 540–541

warning message, 518Debugger menu

Attach option, 514, 518, 573Attach to Process option, 516, 574Breakpoint List option, 523Debugger Options command, 562Function Tracing option, 526Instruction Tracing option, 526Pause Process option, 516Process Options command, 571Refresh memory command, 579Run option, 516Run to Cursor option, 516Select debugger option, 548Stack Trace command, 528–529Start Process option, 516, 518Switch Debugger menu, 516Take Memory Snapshot

command, 542Terminate Process option, 517Watch List option, 530

DECISION problem, Problems Window, 77

declarations, in IDA text view, 65decoding function, Burneye,

456–459, 465decompiler editing options,

Hex-Rays, 501decompilers, 5dedicated frame pointer, 91.def files, 403


INDEX 617

Default checkbox, Save Disassembly Desktop dialog, 209

Default offset column, 136DEFAULT_FILE_FILTER option, 206DEFCON 18, Capture the Flag net-

work, 496Deflate (Pack database) option, 52DelBpt function, 531deltas, 392Demangled Names, Options

menu, 162Denial of Service attack, 168de-obfuscation of binaries, static,

454–472script-oriented, 455–460x86emu emulation-oriented,

460–472and anti-debugging, 471–472de-obfuscation using, 465–470features of, 470–471initialization of, 462operation of, 463–465

de-obfuscation stub, 441–442, 446destination buffer (dest), 273destructor table, 492destructors, 160–161detecting

debuggers, 452–453instrumentation, 451–452virtualization, 449–451

DIF files, generating, 244directory layout

overview, 38for SDK, 287–289sig directory, 39til directory, 40

Directory option, debugger process options dialog, 572

disassembler analysis tool, 454disassembly, 3–14


first-generation languages, 4fourth-generation languages, 4how performed, 7–14

basic algorithm for, 8–9linear sweep disassembly, 9–10recursive descent disassembly,

11–14

overview, 5reasons for, 6–7second-generation languages, 4theory of, 4third-generation languages, 4

disassembly line display options, 109disassembly line parts, 109disassembly location, jumping to, 82Disassembly tab

color selection dialog, 208Options menu, 109

disassembly viewIDA desktop, 55synchronizing with hex view, 67

disassembly window, 60–65IDA graph view in, 61–64IDA text view in, 64–65

disassembly window scroll bar, 82disclosure, of vulnerability, 483disclosure event, 483discovery event, 483disk image mode, for Bochs, 577diskio.hpp file, 359, 362dispatcher functions, 305Display at startup checkbox, 44Display Disassembly Line Parts sec-

tion, Disassembly tab, 110display format, selecting, 96Display Graphs option, 487Display indexes option, 126Display only defined strings option,

Strings window, 71display options, disassembly line, 109DISPLAY_COMMAND_LINE option, 204,

206, 251DISPLAY_PATCH_SUBMENU option, 204, 206displays, 59–77

context-sensitive menu actions in, 60in debugger, 518–521principal, 60–66

disassembly window, 60–65Functions window, 66Output window, 66

secondary, 66–70Enums window, 70Exports window, 68Hex View window, 67–68Imports window, 68–69Structures window, 69


618 INDEX

displays (continued)tertiary, 70–77

Function Calls window, 76Names window, 72–74Problems window, 76–77Segments window, 74Signatures window, 74–75Strings window, 70–72Type Libraries window, 75

and undo, 59DisplayWelcome value, 44diStorm utility, 28divide-by-zero error, 440DLL (Dynamic Link Library), 462dll2idt.exe parser, 231dnbits field, 385Dfirst function, 268DfirstB function, 268Dnext function, 268DnextB function, 268Do not display this dialog box again

option, 207Does not return attribute, 117Don’t pack database option, 51DON’T SAVE database option, 52dos.ldw (MS-DOS EXE loader), 45doStruct function, 369DOT language, 176dotty tool, 176double word. See 4 bytes of

storage (dd)double-click navigation, 80–81, 185double-clicking

cross-reference address, 173in Function Calls Window, 76function chunks, 115hexadecimal values, 81listed scripts, 250in Names window, 72in Output window, 81in Segments window, 74strings, in Stings windows, 70structure names, 146symbol names, 175

download page, Hex-Rays, 499DR0–3 registers, 523DR0–7 registers, 523dt_xxx values, 388dummy names, 102, 104, 128, 214Dump Embedded PE option, File

menu, 471

Dump option, File menu, 470Dump Typeinfo to IDC File

command, 155dumpbin utility, 25dup2 function, 498dw (2 bytes of storage), 97Dword function, 262, 269, 456dynamic analysis, of malware, 6Dynamic Link Library (DLL), 462dynamic linking, 22dynamic memory allocation

function, 134dynamic_cast operator, 163dynamically computed target

addresses, anti–static analysis techniques, 437–444

E-e command-line argument, 28e_lfanew field, 350EAX register, 89, 94, 436,

439, 559–560EBP (extended base pointer) register,

91, 439, 451ebc.py, 411ebx register, 552Edit Breakpoint option, 523Edit Exceptions button, Debugger

Setup dialog, 562Edit menu, Plugins menu, 485, 508editing imported functions, 230EIP instruction pointer, 462Element width attribute, 126ELF binaries, 17ELF encryption tool, Burneye,

455–458ELF libraries, 219ELF-specific parsing, 24empty structure definition, 143emu function, 390–391emu.cpp file, 391Emulate menu, Switch Thread

option, 471emulation, advantage of over

debugging, 461emulators, 390–394. See also x86emu

emulator, de-obfuscation of binaries using

Enabled checkbox, Breakpoint Set-tings dialog, 524


INDEX 619

EnableTracing function, 533enabling line prefixes, 63End address attribute, 116ENTRY symbol, 575entry.hpp, for API, 291Enumerate Heap option, View

menu, 471enumerated datatype, C enum, 70enumerating

cross-references, 311–314functions, 310single stack frame, 490structure members, 311

Enums window, 70envp array, 422epilogue, of functions, 85Erdelyi, Gergely, 250, 280error handling, in IDC language,

258–259error messages, 258error strings, 218ESC key, 60, 82ESI register, 457ESP-based stack frame, 90–92etc directory, for SDK, 288event notification, for plug-ins,

321–322exact matches binary searches, 493exception confirmation dialog,

564–565Exception Editing dialog, 563exception handlers, 438–440, 472, 565Exception Handling dialog, 564exceptions

handling during remote debugging, 574

handling with debugger, 561–568Exceptions dialog, 562–563exceptions.cfg file, 563, 574EXE files, generating, 243–244exec_request_t function, 286execstack command, 38executable files

Exports window, 68using strings on, 28

executable statements, grouping, 83execute_sync function, 286execution

of plug-ins, 322–324of scripts, 250–251

execution control commands, 522execution traces, 526exe.sig file, 421_exit function, 422Expand Struct Type option, Edit

menu, 145expanding collapsed structures, 153exploit-development, 6, 488–495

finding useful virtual addresses, 494–495

locating instruction sequences, 492–494

stack frame breakdown, 488–492export entry, 231export ordinal number, 68Exports window, 68, 545expressions, in IDC language, 253expr.hpp file, 292, 331extended base pointer (EBP) register,

91, 439, 451extending IDC, with plug-ins,

331–333extern keyword, 252extern section, 477–478external (global) symbols, 20external mode graphs, 177external-style graph, 176extract_address function, 401

Ff argument, 129f_LOADER type, 410F2 hotkey, 523F12 hotkey, 177fake interrupt descriptor table, 462Falliere, Nicolas, 453, 555–558far addresses, 169Far function attribute, 117Fast Library Acquisition for Identi-

fication and Recognition (FLAIR), 216–217, 583

Fast Library Identification and Recognition Technology (FLIRT) signatures. See FLIRT signatures

fastcall calling convention, 157fastcall convention for x86, 87–88fastcall modifier, 88fclose function, 265


620 INDEX

feature field, 381FF_XXX constants, 307fgetc function, 265field names, 135file classification, 16–20

file, 16–18PE Tools, 18–19PEiD, 19–20

File column, FLIRT signature selection, 214

file command, 16File dialog, 45file extensions, 16file loading, 45–48File menu

Create C File option, 500Create EXE File option, 542Dump Embedded PE option, 471Dump option, 470Script File option, 554

File offset value, 239File Open dialog, 44File Save dialog, 365FILE stream pointer, 365FILE type, 359file utility, 16–18, 218–219FILE_EXTENSIONS option, 205–206file2base function, 364–365FileAlignment field, 352FileAlignment value, 352fileformatname parameter, 359,

362, 365filelength function, 265file-loading dialog, 358FilemonClass class, 452filename pattern, 205FILEREG_PATCHABLE, 364Find all occurrences checkbox, Text

Search dialog, 99FindBinary function, 269, 493FindCode function, 269, 272FindData function, 269FindText function, 269FindWindow function, 452FindXXX functions, 269first_from function, 313first_to function, 313first-generation languages, 4fix_proc utility, 404

fixed-length instructions, 9fl_CF-type cross-references, 273flag field, 385flags field, for plug-ins, 317flags field for loaders, 359FLAIR (Fast Library Acquisition for

Identification and Recogni-tion), 216–217, 583

flair directory, 216flair57.zip version, 216Flake, Halvar, 481flat memory model, 117FLIRT (Fast Library Identification

and Recognition Technol-ogy) signatures, 211–225

applying, 212–216creating signature files, 216–225

creating pattern files, 219–221static libraries for, 217–219

overview, 212startup signatures, 224–225

flowcharts, 177–178flowchart-style graph, graph view, 55flows, 62Follow system keyboard layout option,

Preferences dialog, 196Follow TCP Stream command, 496-fomit-frame-pointer compiler

option, 91Font command, 57Font menu, 519foo function, 12foobar subroutine, 82footer function, 401fopen function, 265for loops, 254forking existing projects,

CollabREate, 505form argument, 338form parameter, 305form function, 264formal parameter names, 228format strings, 305, 492formatting

constants, options for, 112global variables, as structures, 149instruction operands, 112–113stack-allocated structures, 148

formcb_t function, 339


INDEX 621

forward navigation button, 83fourth-generation languages, 4fprintf function, 265, 490–492fpro.h, for API, 292fputc function, 265frame pointer, 84, 118Frame pointer delta attribute, 117frame.hpp, 292, 306free_til function, 369FreeBSD application, 213, 224,

422, 498freeware versions, of IDA, 33from address, in cross-references, 168frregs field, 311frsize field, 311FS register, 439full-line comments, 108func_t (funcs.hpp), datatypes for SDK,

302, 308, 310FuncItems generator, 283funcs control block, 310funcs.hpp, 292, 310function call

graphs, 76, 169, 178instructions, 12tree, 76

Function Calls window, 76function comments, 108Function editing dialog, 116function parameters, 83, 85function tails, 115Function Tracing option, Debugger

menu, 526functions, 113–119

attributes for, 115–118augmenting information for,

228–233calling, 84–85chunks of, 114–115compiling, 89creating new, 114deleting, 114emulated by x86emu, 467enumerating, using API, 310in IDC language

code cross-reference, 267data cross-reference, 268database manipulation, 268–269database search, 269–270

dealing with functions, 266–267disassembly line

components, 270file input/output, 264–265manipulating database

names, 266reading and modifying data,

262–263string-manipulation, 264for user interaction, 263–264

oriented control flow graph, 185overloading, C++, 162overview of, 83for SDK, 304–309signatures for, 229stack pointer adjustments, 118–119tracing, 526types, setting, 129undefine, 119

Functions data display, 55Functions list generator, 282Functions menu, 471Functions window, 56, 60, 66, 82,

175, 443fuzzing technique, 6

GG hotkey, 82, 207g++ compiler, GNU, 86, 156g++ versions, 163Gaobot worm, 19Gas (GNU Assembler), 9gcc compiler, GNU, 86GCC tags, 219gdb(GNU Debugger), 454, 517GDB Configuration dialog, 572–573gdb sessions, 569gdb_server, 569, 572–573gdbserver component, GNU

Debugger, 517GDL (Graph Description Language),

176, 193gdl.hpp, for API, 292General dialog, 60, 123General Registers view, 519–520General Registers window, 520, 525general-purpose searches, 98Generate serial names option, 124


622 INDEX

generating signatures, 39Get prefix, 262get_byte function, 304get_first_cref_from function, 309get_first_cref_to function, 309get_first_dref_from function, 309get_first_dref_to function, 309get_frame function, 306get_frame_retsize function, 401get_func function, 306get_func_name function, 306get_func_qty function, 306get_long function, 304get_next_func function, 306get_many_bytes function, 304get_member function, 307get_member_by_name function, 307get_name function, 306get_name_ea function, 306get_next_area function, 310get_next_cref_from function, 309get_next_cref_to function, 309get_next_dref_from function, 309get_next_dref_to function, 309get_original_byte function, 304get_original_long function, 304get_original_word function, 304get_original_XXX functions, 304get_reg_val function, 538get_screen_ea function, 305get_segm_by_name function, 307get_segm_name function, 308get_struc function, 307get_struc_id function, 307get_true_segm_name function, 308get_word function, 304GetArrayElement function, 301GetBptAttr function, 531GetBptEA function, 531GetBptQty function, 531GetCommandLine function, 426–427GetCommandLineA function, 552GetDebuggerEvent function, 532–533,

538, 556GetDisasm function, 270GetEntryPointQty function, 275GetEnvironmentStrings function, 427GetEventXXX function, 533–535GetFrameLvarSize function, 490GetFrameRegsSize function, 490

getFuncAddr function, 479GetFunctionAttr function, 266, 272GetFunctionFlags function, 277GetFunctionName function, 266GetInputFile function, 275getline function, 334getmainargs library function, 425GetMemberName function, 482GetMemberOffset function, 271GetMemberSize function, 482–483GetMnem function, 270GetModulehandleA function, 444GetOpnd function, 270getn_area function, 310getn_func function, 306getnseg function, 308getopcode.c program, 493GetOperandValue function, 270GetOpType function, 270GetProcAddress function, 445–446, 448,

468–469, 550, 552, 554GetRegValue function, 525, 530getseg function, 307, 363GetStrucSize, 271Gigapede, 541gl_comm variable, 397global (external) symbols, 20global array, 534global offset table (GOT), 274, 492,

494–495global persistent arrays, 259global variables, formatting as

structures, 149globally allocated arrays, 131–132globally allocated structures, 137gnome-terminal, Gnome, 193GNU Assembler (Gas), 9GNU binutils tool suite, 24GNU compilers, 86, 136, 156GNU Debugger (gdb), 454, 517GNU linker, 404Go button, 45GOT (global offset table), 274, 492,

494–495got section, 477–478, 495goto statements, 502graph components, 168Graph Description Language (GDL),

176, 193graph mode, 185


INDEX 623

graph node, 178Graph Overview data display, 55,

62, 185Graph tab, 60graph view, 55, 185–186graph viewer, qwingraph, 176graph view–style display, 55GRAPH_FORMAT variable, 176GRAPH_VISUALIZER option, 176,

193,194, 202graph-based display mode, IDA

freeware 5.0, 583graphing, 176–187

integrated graph view, 185–188third-party graphing, 176–185

call graphs, 178–180cross-reference graphs, 180–182custom cross-reference graphs,

182–185flowcharts, 177–178

graphing applications, 176graphs

grouping nodes in, 187used in Function Calls Window, 76

graphviz project, 176grep-style search, 290Group Nodes option, 64, 187grouping

blocks, in disassembly window, 64executable statements, 83nodes, within graphs, 187

GUI configuration file, 39GUI versions, of IDA, 197gunzip archive, 37

H.h suffix, 290Hall of Shame, Hex-Rays website, 32handling exceptions

with debugger, 561–568during remote debugging, 574

Hardware Breakpoint checkbox, Breakpoint Settings dialog, 524

Hardware breakpoint mode radio buttons, Breakpoint Settings dialog, 524

hardware breakpoints, 523, 524, 544, 546

HAS_CALL flags, 389HAS_JABS flag, 389HAS_JREL flag, 389hash function, 447hashset function, 300hashstr function, 300hashval function, 300hashval_long function, 300hashvals, 297, 300hashXXX functions, 300head command, 212header fields, PE Tools, 19header files, for API, 290–294

area.hpp, 291auto.hpp, 291bytes.hpp, 291dbg.hpp, 291entry.hpp, 291expr.hpp, 292fpro.h, 292frame.hpp, 292funcs.hpp, 292gdl.hpp, 292ida.hpp, 292idp.hpp, 292kernwin.hpp, 292lines.hpp, 292loader.hpp, 292name.hpp, 293netnode.hpp, 293pro.h, 293search.hpp, 293segment.hpp, 293struct.hpp, 293typeinf.hpp, 293ua.hpp, 293xref.hpp, 293–294

header function, 401header structure, MS-DOS, 152.headers program segment, 462.headers section, 354.heap database segment, 462heap program, 134heap_array variable, 135HeapAlloc function, 468heap-allocated arrays, 134–135heap-allocated structures, 138–140help files, 204help member, for plug-ins, 318


624 INDEX

Help menu, IDA, 34HELPFILE option, 203hex dumps, 99, 191hex editor, 67hex searches, conducting, 100hex values, two-digit, 99Hex View window, 40, 67–68, 99, 519hexadecimal constant, 112hexadecimal values, 81Hex-Rays

blog, 579bulletin boards, posting on, 58debugging server, remote debug-

ging using, 570–573download page for, 499plug-in, 500–502stance on piracy, 32support page and forums, 35

hidden messages, restoring, 44Hide Casts option, 501Hide Group option, 187hide_wait_box function, 323HideDebugger.idc script, 560–561hiding debugger, 555–560History subkey, IDA Windows registry

key, 45HKEY_CURRENT_USER\ Software\Hex-Rays\

IDA registry key, 44, 207HKEY_CURRENT_USER\Software\Hex-Rays\

IDA\Hidden Messages registry key, 207

hook_to_notification_point function, 321, 399, 536

Hostname option, debugger process options dialog, 572

hotkey field, 331hotkey reassignment, in

idagui.cfg, 204hotkeys, 40, 261.hpp suffix, 290HT_DBG function, 537HT_DBG notification type, 536HTI_PAK1 constant, 368HTI_XXX values, 368HTML document, 16HTML files, 204, 245HTTP response packet, 371hyperlinks, vs. names, 80HyperUnpackMe2, 472–473

Iicebp instruction, 564id field for processors, 385.id0 file, 49.id1 file, 49IDA command line, 251IDA comments, using semicolon pre-

fix in, 107–108IDA

configuration file, 37crashes, restarting after, 52–53cross-references, 76database, as virtual memory,

460–461database files

closing, 51–52creation of, 50–51and debugger, 541–543overview, 48–50reopening, 52–53searching, 98–100

desktopbehavior of during analysis,

56–57overview, 53–56tips and tricks for, 57

directory, 36download page, 190executables, 36extensions, loaders directory, 39freeware 5.0, 581–583graph view, in disassembly window

creating additional disassembly windows, 64

grouping and collapsing blocks in, 64

overview, 61panning in, 62–63rearranging blocks in, 64

IDA Palace, 36IDA Sync, Windows Asynchronous

Sockets techniques used by, 504

installer, 34loader, 50modules, plug-ins directory, 39notifications, CollabREate, 504parser, 150scripting, 256, 455


INDEX 625

as softwarelicenses, 33purchasing, 34upgrading, 34user interface of, 40versions, 33

stack-pointer analysis, 230Strings options, 123structures, 142–146

creating new, 142–143editing structure members,

144–146stack frames as, 146

text view, in disassembly window, 64–65

View-EIP disassembly window, 519–520

View-ESP disassembly window, 520Windows registry key, 45workspace, 44

ida_export function, 294IDA_SDK_VERSION macro, 293idaapi module, 281, 579idaapi.processor_t class, 411ida.cfg file, 39, 111, 176, 193, 202–203<IDADIR> install location, 36idag64.exe, 38IDA-generated variable names,

mapping, 96–97idag.exe, 36idagui.cfg configuration file, 39,

203–206, 238, 251IDA.HLP file, 338ida.hpp file, 290, 292ida.idc file, 261ida.int file, 233idaidp.hpp 380idainfo (ida.hpp), datatypes for

SDK, 303idainfo structure, 292ida.int comment file, 234ida.key file, 32idamake.pl, 324IdaPdf plug-in, 509–510IDAPython plug-in, 37, 503

examples, 281–284enumerating cross-

references, 283enumerating exported

functions, 283–284

enumerating functions, 282enumerating instructions,

282–283idaq64.exe, 38idaq.exe, 36idasdk61.zip file, 286IDAStealth configuration dialog, 561IdaStealth plug-in, for debugger,

560–561.idata section, 241idatui.cfg file, 39, 206–207idauser.cfg file, 203idauserg.cfg file, 206idausert.cfg file, 206idautils module, 281–282IDA-View window, 55, 60idaw.exe, 36ida-x86emu plug-in, 342, 461–462, 506.idb extension, 51.idb files, 229, 504IDB mode, for Bochs, 575–576IDB_2_PAT utility, 221idb_event::byte_patched, 321idb_event::cmt_changed, 321IDC command dialog, 255idc directory, 39IDC functions, SDK implementation,

586–608IDC language

error handling in, 258–259examples, 270–280

emulating assembly language behavior, 278–280

enumerating cross-references, 272–274

enumerating exported functions, 275

enumerating functions, 270–271enumerating instructions,

271–272finding and labeling function

arguments, 275–277expressions, 253functions

code cross-reference, 267data cross-reference, 268database manipulation, 268–269database search, 269–270dealing with functions, 266–267disassembly line components, 270


626 INDEX

IDC language (continued)functions (continued)

file input/output, 264–265manipulating database



objects, 256–257persistent data storage in, 259–260programs, 257–258SDK cross-reference for, 585–608statements, 254variables, 252–253

idc module, 281IDC script, 455IDC slices, 253IDC statements, 553idc_create_netnode function, 332idc_func_t datatype, 331idc_value_t (expr.hpp), datatypes for

SDK, 302, 332IDC-based loader, 373idc.idc file, 257Identical Functions, PatchDiff2, 486Identifier search, 99IDP_INTERFACE_VERSION constant, 316idp.def file, 404idp.hpp file, 292, 400ids directory, 39IDS files

augmenting information for functions, 230–233

IDA parlance, 39ids hierarchy, 231IDS utilities, 228-229idsnames file, 233idsutils, 229.idt file, 275.idt generator script, 283Ignore instructions/data definitions

option, Strings window, 71–72IMAGE_DOS_HEADER structure,

152–154, 350IMAGE_NT_HEADERS structure, 152–154,

350, 352IMAGE_SECTION_HEADER structure, 352IMAGE_SECTION_HEADER template, 352ImageBase field, 351

Import REConstruction (ImpREC) utility, 541

import table, 68import_node netnode, 294import_type function, 369imported functions

editing, 230obfuscation, anti–static analysis

techniques, 444–448Imports window, 68–69, 443–444ImpREC (Import REConstruction)

utility, 541in instruction, 451include (INC) files, generating, 243include directive, 151, 261include directory, 288include files, 151Include in names list option, for

named locations, 104include statement, 261indent parameter, 397INDENTATION option, 202index function, 222Index of IDC functions, 252, 261Indexes radio buttons, 126inf.mf flag, 400inheritance hierarchy,

determining, 164inheritance relationships, in C++,

164–165init member, for plug-ins, 317init method, 536init_loader_options function, 360, 363initialization, of plug-ins, 320–321inline constructors, 164inline functions, 164Input file option, debugger process

options dialog, 572Input File options, 47ins.cpp file, 381INSERT key, 143, 152, 155Insert option, 149insn_t (ua.hpp), datatypes for SDK,

293, 303, 385install_make.txt file, 289install_visual.txt file, 326install_xxx.txt files, 288, 324installation of 32-bit Python,

IDAPython, 503


INDEX 627

installing, 36–4032-bit vs. 64-bit, 38directory layout, 38–40on Linux, 37–38on OS X, 37–38plug-ins, 329–330and SELinux, 38on Windows, 36–37

instruction emulator, 380, 460–461instruction operands, formatting,

112–113Instruction Pointer (IP), 527instruction sets, CPU, 286Instruction Tracing option, Debugger

menu, 526Instructions constant, 383instrumentation, detecting, 451–452int 3 instruction, 439, 523, 564int get_segm_qty function, 308int set_segm_name function, 308int type, 128integer index, 230Intel syntax, 9intel_data function, 398internal heap implementation, 468interpreter, for Python byte code, 379invoke_callbacks function, 400I/O functions, 292IP (Instruction Pointer), 527iret instruction, 435is_far_jump function, 401is_sp_based function, 401is_switch function, 401iscode member, 313IsDebugged field, PEB, 556IsDebuggerPresent function, 452,

468, 556isLoaded function, 262, 263, 304Items on line attribute, 125iteration techniques, using API,

310–314enumerating cross-references,

311–314enumerating functions, 310enumerating structure

members, 311iTERM, 194itype field, 386

Jj suffix, 171ja instruction, 418Java byte code, 379Java Database Connectivity

(JDBC), 505Java loader, 372Java virtual machine, 472JDBC (Java Database

Connectivity), 505jmp esi instruction, 492jmp esp instruction, 492–493jmp statement, 10Jump command, 477jump flow type, 62, 171Jump function, 263, 264, 428jump tables, compiler differences for,

416–420Jump to Address command, 477Jump to Address dialog, 82Jump To Cursor button, x86emu

Emulator dialog, 464Jump to Next Position option, 83Jump to Previous Position

operation, 82Jump to Problem command, 204JumpQ option, 204jump-style cross-references, 171jumpto function, 305junk strings, 71jz instruction, 436

KKernel Options, 46, 115kernel32_GetCommandLineA, 552kernel32_VirtualAlloc function,

578–579kernel32.dll, 446, 448, 520, 546,

552, 559kernwin.hpp, for API, 292key file, safeguarding, 34keyboards

different layouts, 194zoom control, 62

Kiel OMF 166 object files, 219konsole, KDE’s, 193Koret, Joxean, 508


628 INDEX

L-L option, 23label component, 338launching, 44–48

debugger, 514–518Go button, 45New button, 44Previous button, 45process, 517Windows installer, 36

ldd (list dynamic dependencies) utility, 22–23

ldr directory, for SDK, 288LDRF_RELOAD flag, 359LDSC (loader description) object, 359leave instruction, 93, 408legacy mode graphs, 193len function, 283letter codes, 21Levine, John R., 22lib directory, for SDK, 288libbfd (Binary File Descriptor

library), 24libc_FreeBSD80.exc file, 222libc_FreeBSD80.pat file, 220libc_start_main function, 423–424, 427libc.a version, 213Library func attribute, 117library handle, 468Library name column, FLIRT signa-

ture selection, 214license agreement dialog, 197license enforcement, 32licenses, for IDA, 33life cycle, of plug-ins, 318–319limitations

of consoles, 190of IDA freeware 5.0, 582

line prefixes, enabling, 63Line prefixes option, 110linear sweep disassembly, 9–10lines.hpp file, 292, 395link libraries, 343linking, 22linput_t (loader input type), 359Linux

based IDA installation, 193console mode for, 192–194console mouse server for, 192

installing on, 37–38terminal programs on, 192text display in, 192

linux_server server component, 570linux_serverx64 server component, 570list dynamic dependencies (ldd)

utility, 22–23list_callers function, 313listing view, 55listing-style display, 55Litchfield, David, 493little-endian, CUP, 10lnames data member, 402Load a New File dialog, 46Load Desktop command, 57Load desktop option, Windows

menu, 209Load from file radio button, x86emu

Set Memory Values dialog, 465Load type library option, in Type

Libraries window, 75load_file function, 359, 372, 410load_pcap_file function, 369–370load_simpleton_file, 363loader description (LDSC) object, 359loader input type (linput_t), 359loader modules, for binary files

overview, 358pcap loader, 366–372simpleton loader, 361–366writing using SDK, 358–360

Loader segment checkbox, Change segment attributes dialog, 543

Loader segments button, Memory snapshot confirmation dialog, 542

loader warnings, 49LOADER_EXT variable, 366loader_failure function, 359loader_t structure, 292, 358loader-generated informational

messages, 49loader.hpp file, 292, 316, 358loaders directory, 39, 45loadfile function, 265loading files, 45–47, 155Loading Offset field, 46loading process, 358Loading Segment field, 46loadint utilities, 233–235


INDEX 629

loadint57.zip version, 233LoadLibrary function, 445–446, 550LoadLibraryA function, 447, 468Local Bochs debugger, 575local debugging, 517Local name option, for named

locations, 104Local Types command, 149Local Types entry dialog, 150Local Types window, 149–150local variables

layout, in stack frames, 89naming, 102–103

Local variables area attribute, 116locations, renaming, 104LocByName function, 267, 274LocByNameEx function, 266lodsb instruction, 458Log if same IP option, Tracing

Options dialog, 527logical addresses, 242loopne instruction, 10lowercase letter codes, 21LPH struct, 380, 385lpSubKey parameter, 229lread4bytes function, 362LST files, generating, 243ltoa function, 264

MMac keyboard, vs. PC keyboard, 194mac_server server component, 570mac_serverx64 server component, 570Machine field, 351machine languages, 4, 111Mach-O loader, 410MackT, 541MACRO keyword, 207macros, 206–207, 249magic files, 16magic numbers, 16main method, compiler differences

for, 421–428Main toolbar, turning off, 208make files, plug-ins, 500Make imports section option, 244make_data notification, 401MakeByte function, 269MakeCode function, 268

makecode parameter, 364MakeComm function, 269MakeFunction function, 269MakeLine function, 395, 397MakeNameEx function, 266MakeStr function, 269MakeUnkn function, 268malicious PDF files, 509malloc function, 66, 134, 477malware analysis, reasons for

disassembly, 6mangled names, 163manipulating disassembly, 101–126

arrays, attributes for, 124–126code display options, 109–111commenting, 106–108converting data to code (and vice

versa), 119–120data transformations, 121–124formatting instruction operands,

112–113functions, 113–119naming, 102–105

Manual load option, for file headers, 152

manually overriding purged bytes, 230MAP files, generating, 242mapping, IDA-generated variable

names, 96–97Mark as autogenerated option, 124Mark consecutive traced events with

same IP option, Tracing Options dialog, 527–528

MASM (Microsoft Assembler), 9master list of structures, 152Matched Functions, PatchDiff2,

486–487MAX_NAMES_LENGTH option, 202Maximum possible size attribute, 125MAXSTR constant, 586MD5 value, CollabREate, 505mem2base function, 370member_t (struct.hpp), datatypes for

SDK, 303, 307members array, 311.memcpy, 274Memory Organization dialog, 48Memory snapshot confirmation

dialog, 542memory usage parameters, 202


630 INDEX

memqty field, 311memset operation, 430, 495menu bar, console user interface, 190Message function, 254, 263, 579MessageBoxA function, 444messages

loader-generated informational, 49restoring hidden, 44

Metasploit project, 493, 496Micallef, Steve, 35, 289Microsoft, Patch Tuesday cycle, 476Microsoft Assembler (MASM), 9Microsoft Developer Network

(MSDN), 25Microsoft linker, 404Microsoft Visual C++ compiler, 114Microsoft Visual Studio suite, 25Minimum offset column, 136MIPS binary, 278MIPS processor module, 240Misc tab, color selection dialog, 208mitigation, of vulnerability, 483mitigation event, 483mkidp syntax, 404mkidp.exe utility, 404mnemonics, 4modal dialogs, 174, 337modeless dialogs, 174, 337Modify menu item, 520module directory, for SDK, 288Modules view, 519Modules window, 520–521mouse support, 190mov instructions, 12, 92, 234mov statements, 275–276Move Current Segment

command, 354move_segm function, 360movsb instruction, 527MSDN (Microsoft Developer

Network), 25MS-DOS 8.3 name-length

convention, 221MS-DOS EXE loader (dos.ldw), 45MS-DOS executable file, 18MS-DOS header structure, 152MS-DOS stub, 403–405msfpescan tool, Metasploit project, 493msg function, 305mutual ptrace technique, 453

my_func function, 255MyNav plug-in, 508–509mynav.py script, 508MZ magic number, 16, 152

NN hotkey, 102–103, 105-n option (sigmake), 224-n option (loadint), 234nalt.hpp file, 294.nam file, 49Name conflict dialog, 105name decoration, 162Name directive, 231Name generation area, 123name mangling, 26, 162–163Name of function attribute, 115Name function, 266name parameter, 308, 364name-change dialog, 102NameChars set, 202NameEx function, 266named constants, catalog of, 112–113named licenses, 33named locations, 103–105

Autogenerated name option, 104Create name anyway option, 105Include in names list option, 104Local name option, 104Public name option, 104Weak name option, 105

name-demangling options, 162name.hpp, 293name-length convention,

MS-DOS 8.3, 221names, vs. hyperlinks, 80Names window, 72–74, 102naming, 102–105

conventions, Hex-Rays, 501import table entries, 552parameters and local variables,

102–103register names, 105

NASM (Netwide Assembler), 9, 28navigating disassembly

double-click navigation, 80–81jump to address, 82navigation history, 82–83searching database, 98–100


INDEX 631

navigation band, 54, 443–444navigation history list, 185ncol parameter, 336ndisasm utility, 28NEF_XXX flags, 359neflags parameter, 359negative deltas, 392netnode class, 259, 293–295, 301netnode index value, 331netnode.hpp file, 293–295netnodenumber member, 294, 296netnodes, 294–301, 585

creating, 295–297data storage in, 297–301deleting, 301

Netwide Assembler (NASM), 9, 28network attack sessions, 496network connection, X.25-style, 113New button, 44new operator, 159–160New Project dialog, Visual Studio,

326–327new vertices, introducing, 64Newger, Jan, 560Next Sequence of Bytes option,

Search menu, 100NextFunction function, 266nm utility, 20–21No edge arrow, 62no operation (NOP) instructions,

240, 494NO_OBSOLETE_FUNCS macro, 316nodeidx_t operator, 296nodes, 168, 187noGPM option, TVision, 192nonmodal dialog, 337nonstandard structures, 142NOP (no operation) instructions,

240, 494NOP slides, 494, 496–497Normal edge arrow, 62normal flow, 62notification event, 483notification of vulnerability, 483notify field, 399notify function, 400NOVICE option, 206NtContinue function, 567ntdll_NtQueryInformationProcess

function, 557

ntdll.dll, 546, 557–558, 567NtGlobalFlags field, PEB, 556–557NtQueryInformationProcess

function, 557–558NtSetInformationThread function, 558NTSTATUS code, 558NULL pointer, 299Number of elements attribute, 125Number of opcode bytes option, 111NumberOfSections field, 352

Oo_displ type, 392o_imm type, 392o_mem type, 392o_near type, 392obfuscated code analysis, 433–474

anti–dynamic analysis techniques, 449–454

detecting debuggers, 452–453detecting instrumentation,

451–452detecting virtualization, 449–451preventing debugging, 453–454


disassembly desynchronization, 434–437

dynamically computed target addresses, 437–444

imported function obfuscation, 444–448

targeted attacks on analysis tools, 448–449

static de-obfuscation of binaries, 454–472

script-oriented, 455–460x86emu emulation-oriented,

460–472using debugger with, 543–560

decryption and decompression loops, 546–550

hiding debugger, 555–560import table reconstruction,

550–555launching process, 545–546overview, 540–541

virtual machine-based, 472–474obfuscation process, 19, 541


632 INDEX

obfuscators, 540, 548objdump utility

debugging information, 24disassembly listing, 24private headers, 23section headers, 23symbol information, 24

object class, 256object life cycle, in C++, 160–161objects, in IDC language, 256–257OEP (original entry point)

recognition, 540Offset column, 90offset cross-reference, 172–173OllyDbg, 540OllyDump, 541OMF libraries, 219op_t (ua.hpp), datatypes for SDK, 293,

303, 387opcode bytes, 202opcodes (operation codes), 4Open command, file loading, 45Open Register Window menu

item, 520Open Subviews command, 57, 521Open Subviews menu, 55, 60, 191OpenRCE, 35, 280, 453, 499OpenSSL cryptographic library,

215–216, 229operand values, 303operation codes (opcodes), 4optimization, 428Options checkboxes, 47options for constants, formatting, 112Options menu, Font menu, 519optype_t constants, 388OR operation, 458ord function, 264ord parameter, 364ordinal number, 230ordinary flow type, 62, 170original entry point (OEP)

recognition, 540Original value field, 239OS X

console mode for, 194–196installing on, 37–38

OS X Mach-O binaries, 24Other option, IdaPdf, 510otool utility, 23–24

out function, 395–396out instruction, 456out_line function, 396out_one_operand function, 394, 395, 397out_register function, 396out_snprintf function, 395out_symbol function, 396out_tagoff function, 396out_tagon function, 396out.cpp file, 394OUTDIR variable, 366OutLine function, 396OutMnem function, 395outop function, 394, 398output generator, 380Output window, 56, 60, 66, 469OutputDebugString function, 546OutputDebugStringA function, 559–560outputter, for processor modules,

394–399OutValue function, 396overlapping windowing capability,

TVision library, 190overriding purged bytes,

manually, 230Overview Navigator, 54, 215overview navigator, IDA desktop, 54

Pp suffix, 171__p__environ library function, 425-P<password> command-line option, 571-p<port number> command-line

option, 571Pack database (Deflate) option, 52Pack database (Store) option, 52pack pragma, 136packed data, restoring from, 53PaiMei framework, 177panning, in disassembly window,

62–63para parameter, 308parameters

names, formal, 228naming, 102–103passing, 255recognition, automating, 277

Parameters option, debugger process options dialog, 572


INDEX 633

parsing errors, 258Pascal directive, 231–232Pascal-style strings, 71Password option, debugger process

options dialog, 572patch application event, 484patch availability event, 484Patch Bytes dialog, 238Patch Program menu, 238–241

changing individual database bytes, 238–239

changing word in database, 239using Assemble dialog, 239–241

Patch Tuesday cycle, Microsoft, 476Patch Word dialog, 239patch_byte funtion, 304patch_long function, 304patch_many_bytes function, 304patch_word function, 304patchable parameter, 364PatchByte function, 262, 280, 458, 556PatchDbgByte function, 556PatchDiff2, 485–487

graphical function comparison, 487Identical Functions, 486Matched Functions, 486–487Set Match dialog, 486Set Match feature, 486Unmatched Functions, 486–487

PatchDword function, 262, 279patched files, 484patching binaries, 237–245

after discovering vulnerability, 484–487

Patch Program menu, 238–241Produce File menu, 241–245

ASM files, 242–243DIF files, 244EXE files, 243–244HTML files, 245INC (include) files, 243LST files, 243MAP files, 242

PatchWord function, 262PatchXXX functions, 262, 465pattern files, for FLIRT signature files,

219–221pattern-matching, 39, 212pat.txt file, FLAIR, 220Pause button, toolbar buttons, 522

Pause Process option, Debugger menu, 516

PC keyboard, vs. Mac keyboard, 194pcap file format, 366pcap loader, 366–372pcap_file_header structure, 366, 369pcap_types string, 368pc.cmt file, 234PDB (Program Database) file, 49PDF files, 509PDF Objects window, 510PE (Portable Executable) format, 8,

19, 45, 224, 410, 545binaries, Windows, 462files, Windows, 467mode, for Bochs, 576–577signatures, 224

PE Sniffer utility, 19PE Tools, 18–19pe_ prefix, 224pe_*.pat file, 224pe_gcc.pat file, 224pe_sections.idc script, 244pe_vc.pat file, 224PEB (process environment block),

462, 555–557, 576PEiD, 19–20pe.ldw (Windows PE loader), 45persistent data storage, in IDC

language, 259–260persistent named objects, 259personal settings directory, 192pe.sig file, 421pfn pointer, 392ph variable, 292phrase field, 396piracy, Hex-Rays stance on, 33Pistelli, Daniel, 342PlayStation PSX libraries, Sony, 219plb.exe parser, 220plb.txt file, 220Please confirm dialog, 542PLT (procedure linkage table), 274.plt section, 478plug-in configuration values, Visual

Studio, 328–329PLUGIN object, 316PLUGIN_ENTRY function, 344–345PLUGIN_EXT variable, 366plugin_file field, 330


634 INDEX

PLUGIN_FIX bit, 318PLUGIN_FIX flag, 319–320, 329PLUGIN_KEEP value, 319PLUGIN_OK value, 319PLUGIN_PROC bit, 319PLUGIN_PROC flag, 319–320PLUGIN_SKIP value, 319plugin_t class, 292, 316, 344, 359PLUGIN_UNL flag, 319PLUGIN_XXX constants, 316PLUGIN.flags, 318PLUGIN.init function, 319–320PLUGIN.run function, 319, 323PLUGIN.term function, 319, 322PLUGIN.wanted_hotkey, 331plug-ins, 315–346, 499–510

building, 324–329class informer, 506–508collabREate, 503–506configuring, 330–331for debugger, 536–538directory for, 39, 288event notification for, 321–322execution of, 322–324extending IDC with, 331–333Hex-Rays, 500–502IdaPdf, 509–510IDAPython, 503ida-x86emu, 506initialization of, 320–321installing, 329–330life cycle of, 318–319MyNav, 508–509scripted, 344–346user interface options for, 333–344

customized forms with SDK, 337–341

with Qt, 342–344using SDK chooser dialogs,

334–337Windows-only, 341–342

using during remote debugging, 574

writing, 316–324comment member, 317flags field, 317help member, 318init member, 317run member, 317

term member, 317version field, 317wanted_hotkey member, 318wanted_name member, 318

plug-ins configuration file, 201Plugins menu, Edit menu, 485, 508plugins.cfg file, 201, 330PointerToRawData field, 353, 355polymorphism, 163pop instruction, 392, 436popa instruction, 459, 547–548popf instruction, 459, 564pop-up windows, tool tip–style, 129Port option, debugger process

options dialog, 572Portable Executable (PE) format. See

PE formatpositive deltas, 392POSIX wait function, 454POSIX-style regular expressions, 99PR_xxx flags, 385pragma pack directive, 150predecessor instruction, 177Predefined symbols section, 258Preferences dialog, X11, 196prefixes, for autogenerated names, 73Preserve case, 124preventing debuggers, 453–454PrevFunction function, 267Previous button, 45print function, 263Print recursion dots, 184print_type function, 164printable characters, ASCII, 27printf function, 87printf_line function, 397printf-style format string, 263Problems window, 76–77procedure linkage table (PLT), 274process control tools, 519process control, with debugger,

521–530breakpoints, 522–526stack traces, 528–529tracing, 526–528watches, 529–530

process environment block (PEB), 462, 555–557, 576

process image, 541–542


INDEX 635

Process Monitor, 451Process Options command, Debugger

menu, 571Process Stalker component, PaiMei

framework, 177process tracing, 454ProcessDebugPort function, 557–558processes, attaching debuggers to,

514–515ProcessInformation parameter, 557ProcessInformationClass parameter,

557–558processor modules

architecture of, 409–411building, 403–407customizing existing, 407–409and Python byte code, 378–379scripting, 411–412using SDK, 380–403

analyzer, 385–390emulator, 390–394initialization of LPH structure,

381–385outputter, 394–399processor notifications, 399–401processor_t members, 401–403processor_t struct, 380–381

processor notifications, 321Processor Options button, 47Processor options section, 203Processor Type drop-down menu, 46PROCESSOR_ENTRY function, 411processor_t object, 320processor_t struct, 380–381processor_t.newprc notification, 402procs directory, 39, 46procs file, 403proctemplate.py, 411Produce File menu, 241–245

ASM files, 242–243DIF files, 244EXE files, 243–244HTML files, 245INC (include) files, 243LST files, 243MAP files, 242

Produce file submenu, File menu, 177Program Database (PDB) file, 49program entry point, 8

programs, in IDC language, 257–258pro.h, for API, 290, 293project properties dialog, Visual

Studio, 328Project Selection dialog,

CollabREate, 505prologue, of functions, 85Propagate option, Set Match

dialog, 487Properties dialog, 66protected binary, Burneye, 467pseudocode, Hex-Rays, 502Pseudocode option, View menu, 500pseudocode window, 501ptrace API, 454Public name option, for named

locations, 104purchasing IDA, 34purecall function, 159Purged bytes attribute, 116–117Purged bytes field, 230Push Data button, Set Memory Values

dialog, 465push instruction, 91, 392push operations, 86Push Stack Data dialog, 465push statements, 275pusha instruction, 459pushf instruction, 459, 466puts function, 181.pyc files, 378, 393Python byte code, 378–379Python function, 481–482Python interpreter, 378Python script, 495, 549Python website, IDAPython, 503python_data function, 394PYTHON_LAST constant, 382

QQApplication class, 343qfopen function, 291–292qfprintf function, 291qnumber macro, 383qsnprintf function, 291, 343qstrlen function, 343qstrncpy function, 291qstrXXXX function, 291


636 INDEX

QT namespace, 342–343Qt port, 176Qt socket classes, 504QuickEdit mode, 191QuickUnpack, 442Quit action, 205qwingraph graph viewer, 176qword field, 140

Rr value, 98radio buttons, 339–340RCE forums, 35, 499.rdata section, 355, 419rdtsc instruction, 471–472read cross-reference, 172read function, POSIX, 363readelf utility, 24readlong function, 265readshort function, 265README file, tilib utility, 156readme.txt file

FLAIR, 219idsutils, 231SDK, 287, 380

readstr function, 265read/write traces, 526realcvt function, 401rearranging blocks, in disassembly

window, 64reasons, for disassembly

compiler validation, 7debugging displays, 7malware analysis, 6software interoperability, 7vulnerability analysis, 6–7

Rebase Program menu option, 351Recent Scripts menu option, 250Recent Scripts window, 250recoverying source code, 5recursive descent algorithm, 13recursive descent disassembly, 11–14

conditional branching instructions, 11

function call instructions, 12return instructions, 12–14sequential flow instructions, 11unconditional branching

instructions, 11

Recursive option, 183recvfrom function, 498Red Hat distributions, 219redefine process, 436referenced variables, stack frame

view, 97references, in C++, 165–166Refresh memory command, Debugger

menu, 579reg.cpp file, 383register names, naming, 105register-renaming dialog, 105registry key, Windows, 45RegNames array, 383RegOpenKey function, 127, 228–229regular comments, 107regular expressions, POSIX-style, 99relationships, deducing between

classes, 165relative virtual address (RVA),

351–352release binaries, vs. debug binaries,

428–430Remote debugger configuration

dialog, 573–574remote debugging, 569–574

attaching to remote process, 573–574

exception handling during, 574using Hex-Rays debugging server,

570–573using scripts and plug-ins

during, 574Remove Function Tail option, 115remove option (qwingraph), 194Rename and Set Type option, 502Rename option, context-sensitive

menu, 102renaming

import table entries, 553locations, 104–105

renimp.idc script, 552–554reopening, IDA database files, 52–53REP prefix, 527repair option, Database Repair

dialog, 53repeatable comments, 107–108reporting bugs, 58request_COMMAND function, 536


INDEX 637

res->num field, 332res->set_string, 333Research & Resources forum,

Hex-Rays, 288Reset Desktop command, 57Reset desktop option, Windows

menu, 209restarting IDA, after crashes, 52–53restoring

hidden messages, 44from packed data, 53

ResumeProcess macro, 533RET instruction, 87ret instruction, 91, 129RET N variant, 117return instructions, 12–14return statement, 255–256, 466, 537reversing engineer programs, 5Rfirst function, 267RfirstB function, 267right-click options

constants, 112data items, 121and name changing, 102in Segments window, 74in Signatures window, 75in Type Libraries window, 75

right-shift operator (>>), 253, 458RISC-style architectures, 387Rnext function, 267RnextB function, 267Roberts, J. C., 221Rolles, Rolf, 378, 473ROM images, 29, 348RTCx, 428RtlUserThreadStart function, 546RTTI (Runtime Type Identification)

implementationsin C++, 163–164compiler differences for, 420

RTTICompleteObjectLocator structure, 164rules, for working with malware in

debugging environment, 543Run button

exception confirmation dialog, 565x86emu Emulator dialog, 464

Run command, 521run function, 333, 536run member, for plug-ins, 317Run option, Debugger menu, 516

Run to Cursor buttontoolbar buttons, 522x86emu Emulator dialog, 463, 466

Run to Cursor command, in Burneye, 467

Run to Cursor option, Debugger menu, 516

Run Until Return button, toolbar buttons, 522

run_requests function, 536–537runtime errors, 258Runtime Type Identification imple-

mentations. See RTTI imple-mentations

RunTo function, 532Rutkowska, Joanna, 451RVA (relative virtual address),

351–352

S-S option (IDA), 197Sabanal, Paul Vincent, 165safeguarding key file, 34sandbox environments, 443Save Database dialog, 51Save Desktop command, 57Save Desktop option, Windows

menu, 519Save Disassembly Desktop dialog, 209save_file function, 360, 365Saved registers attribute, 116savefile function, 265ScreenEA function, 263, 272Script cancellation dialog, 258script de-obfuscation of binaries,

455–460script entry dialog, 251Script File option, File menu, 554script-based behavior, 576scripting, 249–284

associating IDC scripts with hotkeys, 261

for debugger, 530–535execution of, 250–251IDAPython, 280–281IDAPython examples, 282–284IDC examples, 270–280

emulating assembly language behavior, 278–280


638 INDEX

scripting (continued)IDC examples (continued)

enumerating cross-references, 272–274

enumerating exported functions, 275

enumerating functions, 270–271enumerating instructions,

271–272finding and labeling function

arguments, 275–277IDC functions, 261–270

code cross-reference, 267data cross-reference, 268database manipulation, 268–269database search, 269–270dealing with functions, 266–267disassembly line

components, 270file input/output, 264–265manipulating database



IDC language, 251–260error handling in, 258–259expressions, 253functions, 254–256objects, 256–257persistent data storage in,

259–260programs, 257–258statements, 254variables, 252–253

loaders, 373–375plug-ins, 344–346processor modules, 411–412using during remote

debugging, 574scripting functions, Hex-Rays, 532SDK (software development kit),

285–314API (Application Programming

Interface), 289–314header files, 290–294iteration techniques using,

310–314

netnodes, 294–301SDK datatypes, 302–303SDK functions, 304

configuring build environment, 289creating loader modules using,

358–360creating processor modules using,

380–403analyzer, 385–390emulator, 390–394initialization of LPH structure,

381–385outputter, 394–399processor notifications, 399–401processor_t members, 401–403processor_t struct, 380–381

directory layoutbin directory, 287etc directory, 288include directory, 288ldr directory, 288lib directory, 288module directory, 288plug-ins directory, 288top-level directory, 288–289

functions, 587IDC language cross-reference for,

585–608implementation, IDC functions,

586–608installing, 287support, Hex-Rays, 58

sdk directory, 36sdk_versions.h file, 293search features, Search menu, 82SEARCH_DOWN flag, 270search.hpp, for API, 293second-generation languages, 4section:address portion, 110SectionAlignment field, 352SectionAlignment value, 352SecureCRT, 193segend function, 401Segment Configuration dialog, 464segment_t (segment.hpp), datatypes for

SDK, 293, 302segment-creation dialog, 353segmented addresses, 169segment.hpp file, 293, 307, 353


INDEX 639

Segments button, x86emu Emulator dialog, 464

Segments window, 74, 543segstart function, 401SEH (structured exception handling)

process, 472Chain plug-in, 566exceptions, Windows, 565handlers, 565–566

Select a debugger dialog, 516Select Command dialog,

CollabREate, 505Select Debugger option, Debugger

menu, 515–516, 548SELinux, 38semaphore, 438semicolon (;) hotkey, 107semicolon prefix, used for IDA

comments, 107–108Sequence of Bytes option, 99, 493sequential flow instructions, 11Set Breakpoint option, 463Set Function Type command, 128, 579Set Import Address Save Point

option, 470Set Match dialog

PatchDiff2, 486Propagate option, 487

Set Match feature, PatchDiff2, 486Set Match option, 487Set Memory button, x86emu Emulator

dialog, 464–465Set Memory Values dialog, 465Set node color to default option, 186Set specific options button, 572Set Video Mode menu option,

Window menu, 191set_idc_func_ex function, 331set_idp_options function, 401set_name function, 306set_processor_type function, 410set_reg_val function, 538set_segm_addressing function, 363SetArrayLong function, 301SetArrayString function, 301SetBptAttr function, 531SetBptCnd function, 531, 554SetRegValuefunction, 531setting function type, 129

Setup Data Types dialog, Options menu, 121, 144

Setup long names button, 163Setup option, Strings window, 458Setup short names button, 163Setup Strings window, 70–71shared library, 516sharing TIL files, 155–156shell script (#!/bin/sh), 16shellcode, 29, 495–498SHIFT-down arrow, 243SHIFT-up arrow, 243Shiva ELF obfuscation tool, 453Shiva process, 454Shiva program, 434–435, 437, 442shnames data member, 401SHOW_SP option, 202show_wait_box function, 323SHOW_XREFS option, 202shr instruction, 458shrd instruction, 458Shrink Struct Type option, Edit

menu, 145sidt instruction, 451Siemens C166 microcontroller

application, 349sig directory, 39.sig file, 214sigmake documentation file, 221sigmake.exe utility, FLAIR, 221sigmake.txt file, 222signature selection dialog, 214signature selection, FLIRT, 214signatures

function type, 229generating, 39Signatures Window, 74–75

Signatures window, 74–75Signed elements option, 126signed shifts, 458simple arithmetic instructions, 11Simpleton file format, 373simpleton loader, 361–366simplex method, 230Simplified Wrapper Interface Genera-

tor (SWIG), IDAPython, 503Sirmabus, 420, 506size field, 386size parameter, 307


640 INDEX

SizeOfRawData field, 354sizer function, 334sizer parameter, 334Skip button, x86emu Emulator

dialog, 463–464Skochinsky, Igor, 165, 420, 507slice operator, 253sockaddr data structure, 69socket descriptor, 489SoftIce, 452software breakpoints, 453, 523,

544, 546software development kit. See SDKsoftware interoperability, reasons for

disassembly, 7Solaris 10 x86 system, 219solid arrows, 65Sony PlayStation PSX libraries, 219sorting alphabetically, in Functions

window, 82source code recovery, 5SPARC code, 410sparse arrays, 259splash screen, 44sprintf function, 264, 273, 477ssleay32.dll library, 232SSLEAY32.idt file, 232stack adjustments, 118stack cleanup, 228.stack database segment, 462stack frames, 83–98

calling conventions for, 85–89examples of, 89–93as IDA structures, 146local variable layout in, 89viewing, 93–98

Stack pointer option, 110stack pointers, adjustments for,

118–119Stack Trace command, Debugger

menu, 528–529stack traces, in debugger, 528–529stack variables, 95, 102Stack View window, 519stack-allocated arrays, 132–134stack-allocated structures, 138, 148stack-based buffer overflow, 488stack-manipulation operations, 11

standard calling convention, 87standard structures, 151–154standard template library (STL), 486Start address attribute, 116start function, 213, 443Start Process option, Debugger menu,

516, 518start symbol, 546STARTITEM directives, 340startup directory, FLAIR, 217, 224startup routine, 224startup signatures, 224–225startup.bat file, 224startup.idc, 577statements, in IDC language, 254static analysis, of malware, 6static de-obfuscation of binaries,

454–472script-oriented, 455–460x86emu emulation-oriented,

460–472and anti-debugging, 471–472de-obfuscation using, 465–470features of, 470–471initialization of, 462operation of, 463–465

Static func attribute, 117static keyword, 254–255static libraries, for FLIRT signatures,

217–219static linking function, 22statically linked binaries, 178stats netnode, 537stdcall calling convention, 87, 118,

230, 294, 468stdcall functions, 116, 228, 464, 467,

558–559_stdcall modifier, 87Step button, x86emu Emulator

dialog, 463Step command, 521Step Into button, toolbar buttons, 522Step Over button, toolbar buttons, 522StepInto function, 532StepOver function, 532–533StepUntilRet function, 532STL (standard template library), 486


INDEX 641

Stop on debugging message option, Debugger Setup dialog, 546

Stop on debugging start option, Debugger Setup dialog, 546

Stop on library load/unload option, Debugger Setup dialog, 546

Stop on process entry point option, Debugger Setup dialog, 546

Stop on thread start/exit option, Debugger Setup dialog, 546

STOP_CODE constant, 383storage, of bytes, 97Store (Pack database) option, 52store_til function, 369stosb instruction, 458strcat function, 253strcpy function, 175, 253, 273,

477–478, 480strdup function, 253stream argument, 491stream disassemblers, 28string data configuration, 72, 123string scanning, 70strings

C-style null-terminated, 122displaying in Strings windows, 70double-clicking, 70options for, 122–124Unicode, 99using on executable files, 28utility, 27–28

strings command, 71, 212strings utility, 446Strings window

Display only defined strings option, 71

Ignore instructions/data defini-tions option, 71–72

overview, 70strip utility, 18stripping binary executable files, 18strlen function, 264strstr function, 264struc_t (struct.hpp), datatypes for SDK,

293, 303, 306, 308, 311Struct Var option, Edit menu, 147struct.hpp (struc_t), datatypes for

SDK, 303

struct.hpp, for API, 293structure definition

collapsed, 146empty, 143

structure members, enumerating, 311Structure name field, Create

Structure/Union dialog, 143structure notation, 149structure offset, applying, 147structure selection dialog, 147structure templates, using, 146–149structured exception handling (SEH)

process, 472structures

collapsing, 154expanding, 153fields, changing name of, 144formatting global variables as, 149master list of, 152

Structures window, 69, 142–143stubs, 403–405substr function, 264successor instruction, 177summary stack view, 97superclass constructors, 164support

Hex-Rays support page and forums, 35

IDA Palace, 36Ilfak’s blog, 36official help documentation, 35OpenRCE.org, 35RCE forums, 35

supset function, 299supstr function, 299supval function, 299supvals, 297–298swidth component, 338SWIG (Simplified Wrapper Interface

Generator), IDAPython, 503Switch Debugger menu, Debugger

menu, 516switch statements, compiler differ-

ences for, 416–420Switch Thread option, Emulate

menu, 471switch variable, 417


642 INDEX

symbolsappearing in comments, 175dispalyed on Imports window, 69global (external), 20

symbol-selection dialog, 113Synchronize to idb option, 150synchronizing activities, using

CollabREate, 504synchronous debugger function, 532synchronous interaction, 536–537system calls, 89

T-t command-line argument

(strings), 28tabs, IDA desktop, 55tags, 297Take Memory Snapshot command,

Debugger menu, 542.tar file, 36Target assembler, 243target assembly language syntax, 243TASM (Borland’s Turbo

Assembler), 9TCP session, 496TEB (thread environment block),

439, 462, 556, 565, 576tElock program, 438, 440, 442Tenable Security, 342term member, for plug-ins, 317term method, 536term_output_buffer function, 395Terminal application, Mac, 194Terminal keyboard settings dialog,

Mac, 195terminal programs, Linux, 192Terminate button, toolbar

buttons, 522Terminate Process option, Debugger

menu, 517text display, Linux, 192Text option, Hex window, 67Text Search dialog, 99text searches, of database, 99.text section, 241, 353, 355, 423text view, switching to graph view, 185text-mode user interface configura-

tion file, 39The initial autoanalysis has been

finished message, 57, 211

third-generation languages, 4third-party graph viewer, 176this pointer, in C++, 156–157This type of output file is not

supported message, 243thiscall calling convention, 88, 156thread environment block (TEB),

439, 462, 556, 565, 576thread information block (TIB), 556Thread Local Storage (TLS) callback

functions, 545–546, 556ThreadInformationClass parameter, 559Threads view, 519thunk functions, 428–429ThunRTMain function, 427TIB (thread information block), 556TIB[NNNNNNNN] database section, 565til directory, 40TIL files, 49

loading new, 155overview, 154sharing, 155–156

til2idb function, 367tilib tool, Hex-Rays, 155time stamp counter (TSC), 471timelimit option, 194tips and tricks, for IDA Desktop, 57Title case, 124TLS (Thread Local Storage) callback

functions, 545–546, 556tmainCRTStartup function, 426to address, in cross-references, 168toggling values, 520tool tip–style pop-up window, 129toolbar

area, IDA desktop, 53arrangements, 208buttons, 208, 521–522configuration menu, 209customizing, 208–210

Toolbars command, 53tools

c++filt utility, 25–26for deep inspection, 27–29dumpbin utility, 25for file classification, 16–20ldd utility, 22–23nm utility, 20–21objdump utility, 23–24otool utility, 24


INDEX 643

Tools menu, PE Tools, 19top-level directory, for SDK, 288–289TouchArg function, 391Trace buffer size option, Tracing

Options dialog, 526Trace checkbox, Breakpoint Settings

dialog, 526trace option, 526Trace over debugger segments option,

Tracing Options dialog, 528Trace over library functions option,

Tracing Options dialog, 528trace_level parameter, 533tracing, in debugger, 526–528Tracing Options dialog, 526–528trampoline, 493translate function, 401TriMedia libraries, 219TSC (time stamp counter), 471TTY console, 197Turbodiff, 485turn color off tag, 396turn color on tag, 396TVHEADLESS environment variable, 197TVision library, 190TVision port, 193TVOPT settings, 193tvtuning.txt, 193two-digit hex values, 99type component, 338type field, 303, 338, 388Type Libraries window, 75typedef statement, 151TypeDescriptor structure, 164typeid operator, 163typeinf.hpp, 293typinf.hpp, 367

UU hotkey, 119, 144u_ana member, 385u_emu member, 391u_out member, 394u_outspec function, 401ua_next_xxx functions, 386ua.hpp file, 293, 385ui_notification_t constants, 305uname command, 326uncollapsing nodes, 187

uncompressing UPX binary, using emulator, 467

unconditional branching instructions, 11

Undefine option, 119, 435undefine process, 436undefining functions, 119undetected string data, 72undo command, absence of, 59undo feature, 40undocumented CPU instructions, 110Ungroup Nodes option, 187Unicode strings option, 71, 99, 447universal unpacker, Hex-Rays, 550Unix-style make files, 289Unmatched Functions, PatchDiff2,

486–487unsigned shifts, 458untar archive, 37upgrading, 34uppercase letter codes, 21UPX

decompression routine, 547–548decompression stub, 442packer, 442program, 441, 548, 552–553

UPX-packed binaries, 540Use “dup” construct option, 126Use graph view by default checkbox,

Graph tab, 55Use option key as meta key checkbox,

Terminal application, 194USE_DANGEROUS_FUNCTIONS macro, 290USE_STANDARD_FILE_FUNCTIONS macro,

291, 365User cross-reference graph dialog, 183user interface

of IDA Pro, 40for plug-ins, 333–344

customized forms with SDK, 337–341

with Qt, 342–344using SDK chooser dialogs,

334–337Windows-only, 341–342

user interface notifications, 321User xref charts, 182User xref graph, 184User Xrefs Chart option, Graphs

menu, 182


644 INDEX

__usercall calling convention, 431user-generated cross-reference

graphs, 185utilities directory, 36

V-v command-line option (debugging

server), 571va_arg macro, C++, 322var_ prefix, 95variables

in IDC language, 252–253index values of, 132names, IDA-generated, 96–97

vc32rtf signatures, 75vcsample file, 289Veracode, 476version field, 317, 385version member, 359versions, 33vertices, 64, 168VGA font, 193View menu

Cross References option, 477Enumerate Heap option, 471Pseudocode option, 500

View window, 530viewing machine language bytes, 111virtual addresses, 64virtual functions, 157–160, 173virtual machine-based obfuscation,

472–474virtual repeatable comment, 108VirtualAddress field, 353VirtualAlloc function, 468, 477, 576,

578–579virtualization

detecting, 449–451processor-specific behavioral

changes, 451specific behaviors, 450–451specific hardware, 450specific software, 450

software, 449virtualizing obfuscator, 442Visual C++ compiler, Microsoft, 114Visual Studio suite, Microsoft, 25

Visual Studio Win32 Application Wizard, 327

VMProtect, 442, 472VMware Tools collection, 450–451VPAGESIZE option, 202vtables, in C++, 157–160vulnerability advisory, 484vulnerability analysis, 475–498

analyzing shellcode, 495–498discovering vulnerabilities,

476–483exploit-development process,

488–495finding useful virtual addresses,

494–495locating instruction sequences,

492–494stack frame breakdown, 488–492

handling after-fact discoveries, 483–487

reasons for disassembly, 6–7vulnerability discovery, 6

Ww suffix, 172, 447Wait For Next Event (WFNE)

flags, 532wait_for_next_event function, 538wanted_hotkey data member, 318, 330wanted_hotkey value, 318wanted_name data member, 318, 330Warning function, 263, 272warning function, 305warnings, for loaders, 49wasBreak function, 323Watch Address dialog, 530Watch List option, Debugger

menu, 530watch lists, 529watch points, 529watches, in debugger, 529–530Weak name option, for named

locations, 105weak symbol, marking, 105web server, Apache, 23Welcome dialog, 44


INDEX 645

WFNE (Wait For Next Event) flags, 532

WFNE_CONT flag, 533WFNE_SUSP event type, 533Whittaker, Andy, 349width characters, 395width component, 338Width field, 124widths parameter, 336wildcards, 205Win32 Application Wizard, Visual

Studio, 327Win32 Project template, 327win32_remote.exe server

component, 570win64_remotex64.exe server

component, 570wince_remote_arm.dll server

component, 570Windows

console mode for, 191installing on, 36–37launching installer, 36

“Windows Anti-Debug Reference” article, 555–558

Windows Asynchronous Sockets techniques, 504

Windows calculator program, 25Windows CE ARM, 517Windows library handle, 468Windows menu, Save Desktop

option, 519Windows PE binaries, ida-x86emu

plug-in, 462Windows PE file, manually loading,

349–357Windows PE loader (pe.ldw), 45Windows registry key, 45Windows SEH exceptions, 565Windows SEH handlers, 565wingraph32 application, 176WinGraph32 window, 180WinHelp-style help files, 204wininet.dll file, 516WinLicense, 442, 448WinMain function, 422WinMain variation, 421

Wireshark, 366, 451, 496word. See 1 byte of storage (db)Word function, 262word-patching capability, 239wrapper code, 180write cross-references, 172write traces, 526write4 capability, 488writelong function, 265writeshort function, 265writestr function, 265ws2_32 networking library, 553

XX Windows consoles, 193X11, installing, 195X.25-style network connection, 113x86 code, 410x86 compiler, 87x86 hardware-debug registers, 472x86 instruction, 204x86 processor module, 47x86emu breakpoints, 463x86emu emulator, de-obfuscation of

binaries using, 460–472and anti-debugging, 471–472de-obfuscation using, 465–470features of, 470–471initialization of, 462operation of, 463–465

x86emu Emulator dialogJump To Cursor button, 464Push Data button, 465Run button, 464Run To Cursor button, 463, 466Segments button, 464Set Memory button, 464–465Skip button, 463–464Step button, 463

x86emu library function dialog, 469x86emu plug-in, 461x86emu Set Memory Values

dialog, 465.xinitrc file, 195XML templates, 360xmodmap command, 196.Xmodmap file, 195


646 INDEX

xmodmap utility, 195xor instruction, 436xrefblk_t structure, 283, 309, 312–313xref.hpp file, 293–294, 309, 392xrefs (cross-references).

See cross-referencesXrefs From graph, 181–182Xrefs To graph, 180–181XrefsFrom generator, 283XrefType function, 267-268, 273, 309xterm, running, 193xtol function, 264XXXset function, 298XXXval function, 298

YY hotkey, 128y variable, 91, 94Yason, Mark Vincent, 165Yes edge arrow, 62You may start to explore the input file

right now message, 57

ZZbikowski, Mark, 16zoom control, keyboard, 62ZwContinue function, 567


index [nostarch.com]index 611 armlinux_server server component, 570 array access operations, 135,...

Documents