IDAPRO

mrvieyra 395 views 42 slides Feb 04, 2018

About This Presentation

A presentation on the security tool IDAPRO including features and demonstrations.


Slide Content

IDAPro. Dr. Gregory Vert. By Cristian Garcia and Matthew Vieyra. CS 432.

Download and Installation The IDAPRO software (now called IDA by Hex-Rays) can be downloaded from: https://www.hex-rays.com/products/ida/support/download.shtml

Download and Installation Select the demo/evaluation version and choose the version appropriate for your operating system. For our project we chose the IDA demo for MS Windows.

Navigate to Setup File In File Explorer, navigate to the location where the IDA demo was downloaded. This is usually the Downloads folder unless otherwise specified.

Installation: License Agreement Double-click the setup file to begin the installation process. Read and agree to the License Agreement.

Installation: File Location Select the destination folder for the IDA Demo. The default is the Program Files folder.

Installation: Desktop Icon You will be given the option to create a desktop icon. By default the option is unchecked.

Installation: Review Before installing, IDA will go over the options you selected. Take time to review that all selections are correct. If anything is incorrect, use the Back button to correct it. Otherwise, continue with the installation.

Installation: Finished Once the installation finishes, IDA will ask whether you want to launch it. Select the Finish button to finalize the installation and start using IDA.

Assembly Language Assembly language, often abbreviated as asm, is a low-level programming language for a computer. It has a very strong correspondence between the language and the architecture's machine code instructions.

Assembly Language Each assembly language is specific to a particular computer architecture. In contrast, most high-level programming languages are portable across different architectures. Assembly language is converted into executable machine code by a utility program called an assembler. The conversion process is referred to as assembly, or assembling the source code.

Assembly Language Assembly time is the computational step in which an assembler is run. Assembly language uses a mnemonic to represent each low-level machine instruction or opcode. Many operations require one or more operands to complete the instruction. Most assemblers can take expressions of numbers and named constants as well as registers and labels as operands, freeing the programmer from tedious repetitive calculations.

Assembly Language Depending on the architecture, these elements may also be combined for specific instructions or addressing modes using offsets or other data as well as fixed addresses. Many assemblers offer additional mechanisms to facilitate program development, control the assembly process, and aid debugging. (Figure: Motorola MC6800 assembly listing, showing the original assembly language and the assembled form.)

Terminology A macro assembler includes a macroinstruction facility so that assembly language text can be represented by a name, and that name can be used to insert the expanded text into other code. A cross assembler is an assembler that is run on a computer or operating system of a different type from the system on which the resulting code is to run. A high-level assembler is a program that provides language abstractions more often associated with high-level languages, such as advanced control structures (IF/THEN/ELSE, DO CASE, etc.) and high-level abstract data types, including structures/records, unions, classes, and sets.

Key Concepts An assembler program creates object code by translating combinations of mnemonics and syntax for operations and addressing modes into their numerical equivalents. This representation typically includes an operation code ("opcode") as well as other control bits and data. The assembler also calculates constant expressions and resolves symbolic names for memory locations and other entities. The use of symbolic references is a key feature of assemblers, saving tedious calculations and manual address updates after program modifications.

Key Concept Most assemblers also include macro facilities for performing textual substitution – e.g., to generate common short sequences of instructions as inline, instead of called subroutines. Some assemblers may also be able to perform some simple types of instruction set-specific optimizations. One concrete example of this may be the ubiquitous x86 assemblers from various vendors. Most of them are able to perform jump-instruction replacements (long jumps replaced by short or relative jumps) in any number of passes, on request.
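The two ideas in the slides above, symbolic names resolved to addresses and long jumps replaced by short relative jumps over repeated passes, as an added Python example (not code from the presentation or from IDA). It is a tiny assembler for a constructed x86 subset; the names parse, size, encode and assemble are this example's own.

```python
# Added example (not from the slides or from IDA): a two-pass assembler for a
# constructed x86 subset: "label:", nop, "db v,v,...", and "jmp label".
def parse(source):
    """Return (label, mnemonic, operand) per statement; ';' starts a comment."""
    stmts = []
    for raw in source.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        label, _, rest = line.partition(":") if ":" in line else ("", "", line)
        parts = rest.split(None, 1)
        mnem = parts[0].lower() if parts else None
        stmts.append((label.strip() or None, mnem, parts[1].strip() if len(parts) > 1 else ""))
    return stmts

def size(i, mnem, operand, long_jumps):
    """Byte length of statement i under the current short/near jump assumptions."""
    if mnem == "jmp":
        return 5 if i in long_jumps else 2          # E9 rel32 vs EB rel8
    return len(operand.split(",")) if mnem == "db" else (1 if mnem == "nop" else 0)

def encode(i, mnem, operand, pc, labels, long_jumps):
    """Machine code for statement i at address pc, or None if a short jmp overflows."""
    if mnem == "db":
        return bytes(int(v, 0) & 0xFF for v in operand.split(","))
    if mnem == "jmp":
        # displacement is relative to the end of the jump; KeyError if label is undefined
        rel = labels[operand] - (pc + size(i, mnem, operand, long_jumps))
        if i in long_jumps:
            return b"\xe9" + rel.to_bytes(4, "little", signed=True)
        return b"\xeb" + rel.to_bytes(1, "little", signed=True) if -128 <= rel <= 127 else None
    return b"\x90" if mnem == "nop" else b""         # nop, or a label-only line

def assemble(source):
    """Return (machine_code, label_table); re-runs both passes until jump sizes settle."""
    stmts, long_jumps = parse(source), set()
    while True:
        labels, pc = {}, 0                            # pass 1: assign label addresses
        for i, (label, mnem, operand) in enumerate(stmts):
            if label:
                labels[label] = pc
            pc += size(i, mnem, operand, long_jumps)
        out, pc, changed = bytearray(), 0, False      # pass 2: emit code
        for i, (_, mnem, operand) in enumerate(stmts):
            code = encode(i, mnem, operand, pc, labels, long_jumps)
            if code is None:                          # rel8 overflow: promote to near, redo
                long_jumps.add(i); changed = True; break
            out += code; pc += len(code)
        if not changed:
            return bytes(out), labels
```

Promotion from short to near is one-way, so every statement's size can only grow and the loop always terminates.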

Basic Elements There is a large degree of diversity in the way the authors of assemblers categorize statements and in the nomenclature that they use. In particular, some describe anything other than a machine mnemonic or extended mnemonic as a pseudo-operation (pseudo-op). A typical assembly language consists of three types of instruction statements that are used to define program operations: opcode mnemonics, data definitions, and assembly directives.

Historical Perspective Assembly languages, and the use of the word assembly, date to the introduction of the stored-program computer. The Electronic Delay Storage Automatic Calculator (EDSAC) had an assembler called "initial orders" featuring one-letter mnemonics in 1949. SOAP (Symbolic Optimal Assembly Program) was an assembly language for the IBM 650 computer written by Stan Poley in 1955. (Figure: An IBM 650 at Texas A&M University. The IBM 533 Card Read Punch unit is on the right.)

Historical Perspective Assembly languages eliminate much of the error-prone, tedious, and time-consuming first-generation programming needed with the earliest computers, freeing programmers from tedium such as remembering numeric codes and calculating addresses. They were once widely used for all sorts of programming. However, by the 1980s (1990s on microcomputers), their use had largely been supplanted by higher-level languages, in the search for improved programming productivity. Today assembly language is still used for direct hardware manipulation, access to specialized processor instructions, or to address critical performance issues.

IDA: Quick Start IDA shows a "Quick Start" dialog at startup to start a new project or open an existing one. Select the desired way to start the program.

IDA: 1st attempt at Disassembly We used a malware executable, "Google_Adobe_FlashPlayer.exe".

IDA: Malware Disassembly Fail IDA refused to disassemble the malware .exe. Windows Defender identified the malware and proceeded to try to remove it.

IDA: Quarantined Trojan Windows Defender identified the malware as a Trojan with a security alert level of "Severe" and proceeded to remove the malware.

IDA: 2nd attempt at Disassembly We used the malware executable "Bombermania". Source: TekDefense.com

IDA: Loading New File Load a new file into IDA. In this case we used "Bombermania.exe". We used the default selected options for disassembly.

IDA: Demo Warning IDA shows a warning because the IAT (import address table) is located in a non-standard section. Proceed to click "OK", as you are using the Demo version.

IDA: Disassembly Successful IDA will give you a full "workstation" from the get-go to analyze the disassembled malware. This includes several windows, including graph views, functions, and search tools.

IDA: Functions & List of Problems Functions for this file currently include "read". The list of problems will include all occurrences where IDA was unable to properly disassemble components of the malware.

IDA: Output Window The "Output Window" includes the full description of the current total memory allocation for the malware and also includes such things as the B-tree, virtual array, and pointers.

IDA: Output Window IDA will let you know whether your malware has been successfully added into your database and will proceed to analyze the different functions such as main, on load, input file, and types.

IDA: View Graph Overview IDA will take your malware and create an overview graph of its components. The arrows show the flow of execution. This helps you understand how the malware operates at different stages.

IDA: View Graph – Beginning The view graph shows the initiation process of the malware. The traversal of the malware at the point of execution has many different options to execute its different components.

IDA: View Graph – Middle As traversal continues through the view graph, it locates all possible pathways of execution. This disassembly shows that there is complexity in the malware.

IDA: View Graph – End At the end of the view graph we have components that show the point of termination for the malware or a loop back. This particular malware has both options in place.

IDA: Hex View The "Hex View" shows the hexadecimal version of the malware code. This allows us to see the malware from a different source view in an editor format.

IDA: Structures and Enums IDA gives you the option to create or delete structures to modify your current project. IDA also gives you the option to create, delete, or edit enumeration types to modify your current project.

IDA: Imports and Exports IDA gives you the option to use the "Imports" found in libraries and lets you use these libraries or include new ones for different functions. IDA also gives you the option to "Export" some of your work.

IDA: Search Tools IDA has a great variety of "Search Tools" such as Immediate, Text, and Binary. These tools can be used to search through your disassembled malware to identify key elements.

IDA: Function Calls IDA has a lot of "Function Calls"; for example, here it is taking our malware and has executed what appears to be the GUI of the start button in our malware.

IDA: Disassembly View The "Disassembly View" summarizes the disassembly as a whole. Here on the right was our output for our malware.

IDA: Proximity Browser IDA's "Proximity Browser" allows you to identify all major components in your malware, grouped by type.

Works Cited
"IDA Support: Download Center." IDA Support: Download Center. N.p., n.d. Web. 19 Mar. 2017. https://www.hex-rays.com/products/ida/support/download.shtml
"TekDefense." Downloads. N.p., n.d. Web. 20 Mar. 2017. http://www.tekdefense.com/downloads/
"IBM Knowledge Center." IBM Knowledge Center. N.p., 1990. Web. 24 Mar. 2017. https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.asma400/asmr102112.htm