AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Hex-rays ida pro12/31/2022 Rather than calling GetProcAddress malware commonly manually revolves needed imports by walking the Export Address Table (EAT) and comparing the hashes of a DLL’s exports looking for pre-computed values. This new script is both easier to understand and does not rely on manually walking the AST.įigure 4: Script that uses the FIDL API to map all calls to GetProcAddress to global variables Figure 4 shows this script rewritten using the FIDL API. In our previous blog post we introduced a script which uses the HexRays API to rename global variables based on the parameter to GetProcAddress. Readily available access to variables and API calls used in a function makes creating scripts to leverage the Hex-Rays API much more straightforward. This gives analysts a much more logical structure to iterate when trying to determine context for a particular expression. Figure 2 and Figure 3 show the AST and controlFlowinator representations of the same function.įigure 2: The default rendering of the AST of a functionįigure 3: The control flow graph created by the controlFlowinator for the function shown in Figure 2Ĭompared to the default AST, this graph is organized by potential code paths that can be taken through a function. When parsing the AST during construction, the controlFlowinator also combines nodes representing the same logical expression into a more digestible form where each block translates roughly to one line of pseudocode. When constructing this object FIDL will parse the AST for us and provides a high-level summary of a function using information extracted via the decompiler including APIs called, their parameters, and a summary of local variables and parameters for the function.įigure 1 shows a subset of information available via a controlFlowinator next to the decompilation of the function.įigure 1: Sample output available as part of a controlFlowinator Many of FIDL’s benefits are exposed to users via the controlFlowinator class. Provides documented examples on how to use various Hex-Rays APIs.Provides helper implementations for commonly needed functionality when working with the decompiler.Abstracts away the minutiae of processing the AST.Provides analysts an easy-to-understand API layer which can be used to write more complicated binary processing scripts.FIDL’s main goal is to abstract away the lower level details of the default decompiler API. FIDLįIDL, the FLARE IDA Decompiler Library, is our implementation of a wrapper around the Hex-Rays API. Handling each of these cases in a single visitor callback function is untenable, so we need a way to more flexibly interact with the decompiler. The amount of cases to handle when walking up or down the AST can increase exponentially.Any problem which requires multiple steps requires multiple visitors or complicated logic in our callback function.When visiting a node, we have no context about where we are in the AST.The order nodes are visited in, is not always obvious based on the decompiler output.While powerful, this workflow can be difficult to use when creating a generic API for several reasons: For more information on these constructs see our previous blog post. For every callback we can check to see what kind of node we are visiting (calls, additions, assignments, etc.) and then process that node. Out of the box, processing a binary using the Hex-Rays API means iterating this AST using a tree visitor class which visits each node in the tree and issues a callback. Output from the Hex-Rays decompiler is exposed to analysts via an Abstract Syntax Tree (AST). This blog post introduces the FLARE IDA Decompiler Library (FIDL), FireEye’s open source library which provides a wrapper layer around the Hex-Rays API. However, interacting with the HexRays API and its underlying data sources can be daunting, making the creation of generic analysis scripts difficult or tedious. Having access to a higher-level representation of binary code makes the Hex-Rays decompiler a powerful tool for reverse engineering. In a previous blog post we discussed how the Hex-Rays API can be used to solve small, well-defined problems commonly seen as part of malware analysis. IDA Pro and the Hex Rays decompiler are a core part of any toolkit for reverse engineering and vulnerability research.
0 Comments
Read More
Leave a Reply. |