No tool embodies this complementary relationship better than IDA Pro. It is an excellent tool for malware forensics and an excellent tool for malware re-engineering.
IDA Pro is designed to debug and disassemble software, which is critical for reverse engineering malware and doing malware forensics. These are some of the most valuable and most sought-after skills in the digital forensic industry. Becoming familiar with IDA Pro and other reverse-engineering tools is a prerequisite to working in this industry.
Reverse engineering is the discipline of studying how a piece of code works and then building something that does the same thing, but differently. In hacking, this would enable us to take a successful piece of malware whose signature is known to antivirus software and intrusion detection systems and build a new piece of malware that does the same thing with an unknown signature.
Malware forensics is the discipline of disassembling malware to determine its origin. Since hackers often reuse the same code modules as other malware, and other clues are left in the code, malware analysts can often attribute the malware to a particular hacker, group, or country by doing this type of analysis. Remember, the FBI used this type of analysis to attribute the Sony hack to North Korea.
Using the Free IDA Demo
In this tutorial, I will start you along the path to using and understanding this powerful and widely used piece of software. Although IDA Pro is a commercial software package (the professional version sells for over $1,100), we will initially use the demo version so that everyone can use it and become familiar with it.
The demo version can only disassemble x86 Windows PE files, so that’s what I’ll be using here. The professional version is able to disassemble and analyze just about any type of software on any architecture. Eventually, we will progress to the commercial version in later tutorials.
Step 1: Download the IDA Demo
You can download the demo version of IDA here. After downloading IDA and installing it, it should be in your programs at the Start button in Windows. Locate it and click on the icon. When you do so, IDA will start up with a screen like below.
Step 2: Load a File
We can now drag and drop a file into the working center window or click on File -> Open.
After selecting a file to disassemble and analyze, the window below will pop up. As you can see, IDA was able to automatically determine the type of file (portable executable) and processor type (x86). Click on “OK.”
When IDA analyzes a file, it creates a set of database files next to it, named after the file being analyzed:
- name.id0 – contains the contents of the B-tree-style database
- name.id1 – contains flags that describe each program byte
- name.nam – contains index information related to named program locations
- name.til – contains information about local type definitions
Whenever you go to close IDA, it will ask you whether you want to save these database files. If you do, these files will be saved and available to you at any time. You will see these files saved in the same directory as the file you are analyzing.
Step 3: Start the Disassembly
In this example, I will be using a small .exe file that is part of the Acunetix Web Vulnerability Scanner. It's a 32-bit portable executable (PE), so the demo version of IDA can disassemble it. When we open it, IDA begins its disassembly process and displays information like that in the screenshot below.
As you can see above, IDA provides us with some basic info in the IDA View tab. If we scroll down the IDA View, we can see every line of code.
The colorful bar above this view represents the memory that the file occupies. It color-codes the different parts of the program stored in each region of memory. If we right-click any part of the memory bar, we can zoom in to the segment of code stored at that location, right down to the single-byte level.
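The file type and processor that IDA reports when loading a file (Step 2), and the section layout that the navigation bar color-codes, both come from the PE headers. The following Python script is an added example, not part of the tutorial and not Hex-Rays code: it reads the DOS, COFF, optional and section headers directly, tells you whether a file is a 32-bit x86 PE that the free demo can load, and lays the sections out at their virtual addresses the way the navigation bar does. The sample PE bytes are constructed inline (headers only, no real code), and the function names (`parse_pe`, `demo_can_load`, `memory_map`, `build_sample_pe`) are mine.

```python
import struct

# Values of IMAGE_FILE_HEADER.Machine for the architectures we care about
MACHINES = {
    0x014C: "x86 (I386)",
    0x8664: "x64 (AMD64)",
    0x01C0: "ARM",
    0xAA64: "ARM64",
}

# IMAGE_SECTION_HEADER.Characteristics bits, in ascending order
SECTION_FLAGS = {
    0x00000020: "CODE",
    0x00000040: "IDATA",
    0x00000080: "UDATA",
    0x20000000: "X",
    0x40000000: "R",
    0x80000000: "W",
}


def _unpack(fmt, data, off):
    """unpack_from with a bounds check, so a truncated file gives a clear error."""
    size = struct.calcsize(fmt)
    if off + size > len(data):
        raise ValueError(f"truncated header at offset 0x{off:x}")
    return struct.unpack_from(fmt, data, off)


def parse_pe(data: bytes) -> dict:
    """Parse the headers IDA consults to identify file type, CPU and section layout."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = _unpack("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")

    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = _unpack("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = _unpack("<H", data, opt)
    (entry,) = _unpack("<I", data, opt + 16)       # AddressOfEntryPoint (RVA)
    if magic == 0x10B:                              # PE32: 32-bit image
        fmt, (image_base,) = "PE32", _unpack("<I", data, opt + 28)
    elif magic == 0x20B:                            # PE32+: 64-bit image
        fmt, (image_base,) = "PE32+", _unpack("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")

    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = _unpack("<8sIIIIIIHHI", data, off)
        flags = "|".join(tag for bit, tag in sorted(SECTION_FLAGS.items()) if chars & bit)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "vsize": vsize,
                         "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr, "flags": flags})

    return {"machine_id": machine,
            "machine": MACHINES.get(machine, f"unknown (0x{machine:04x})"),
            "format": fmt, "entry_rva": entry, "image_base": image_base,
            "sections": sections}


def demo_can_load(info: dict) -> bool:
    """The free IDA demo only disassembles 32-bit x86 PE files (as the tutorial notes)."""
    return info["machine_id"] == 0x014C and info["format"] == "PE32"


def memory_map(info: dict) -> list:
    """Sections placed at image_base + VirtualAddress, like IDA's navigation bar."""
    rows = []
    for s in info["sections"]:
        start = info["image_base"] + s["va"]
        rows.append((s["name"], start, start + s["vsize"], s["flags"]))
    return rows


def build_sample_pe(x64: bool = False) -> bytes:
    """Constructed sample input: a minimal PE with three sections and no code bytes."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    if x64:
        machine = 0x8664
        opt = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, 0x1000, 0x1000, 0, 0x1234, 0x1000, 0x140000000)
    else:
        machine = 0x014C
        opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0x1000, 0x1000, 0, 0x1234, 0x1000, 0x2000, 0x400000)
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", 0x0F00, 0x1000, 0x1000, 0x0400, 0x60000020),
        (b".rdata", 0x0500, 0x2000, 0x0600, 0x1400, 0x40000040),
        (b".data", 0x0300, 0x3000, 0x0200, 0x1A00, 0xC0000040),
    ]
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    for arch in (False, True):
        info = parse_pe(build_sample_pe(x64=arch))
        print(f"{info['format']} {info['machine']}, entry RVA 0x{info['entry_rva']:x}, "
              f"demo can load: {demo_can_load(info)}")
        for name, start, end, flags in memory_map(info):
            print(f"  {name:<8} 0x{start:08x}-0x{end:08x} {flags}")
```

Run it against a real file by replacing `build_sample_pe()` with `open(path, "rb").read()`; if `demo_can_load` returns False (a 64-bit or non-x86 image), the demo will refuse the file and you need the full version. The bounds-checked reads matter in practice: malformed or truncated samples are common in malware, and a clean `ValueError` is preferable to a bare `struct.error` deep inside the parser.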
We can view the file from many different perspectives by selecting any of these views available. These include the IDA View (as seen here), Hex View, Structures, Enums, Imports, and finally, Exports. By clicking on any one of those tabs, it will give us that particular view of the code (see Import in Step 5 below).