2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Problem description: during reverse analysis it is often necessary to track calls to operating system APIs. When debugging in IDA, a breakpoint can be set on a given API through the user interface. Interface operation has drawbacks, however: it is cumbersome and it does not lend itself to analysis automation. Using an IDAPython script to place conditional breakpoints on API functions solves both problems.
I. Setting a breakpoint on a Windows API through the interface
1. Operation process
Taking a breakpoint on LoadLibraryA as the example, the source code of the test program ida01.exe (an EXE file) is as follows (the extraction had squashed it onto one line and inserted spaces into the path escapes):
#include "windows.h"

int main()
{
    /* In a non-Unicode build LoadLibrary resolves to LoadLibraryA */
    LoadLibrary("E:\\Office10\\SAEXT.DLL");
    LoadLibrary("E:\\document\\My Knowledge\\Update_x86\\WizTools.dll");
    return 0;
}
① After opening the EXE file in IDA, set the debugger to pause at the entry point. Path: click Debugger → Debugger setup and select Suspend on process entry point.
② Press F9 to run the EXE.
③ Find kernel32.dll in the Modules window (see the figure above) and double-click it; a Module: kernel32.dll tab window appears on the right, as shown in the following figure.
④ Find the LoadLibraryA function and double-click it; the IDA View window navigates to LoadLibraryA. Click the dot to the left of the function's address to set the breakpoint. The result is shown in the following figure.
⑤ The breakpoint can be made conditional so that execution pauses only when SAEXT.DLL is loaded. Method: in the Breakpoints window, right-click the breakpoint, click Edit, and enter strstr(GetString(Dword(esp+4), -1, 0), "SAEXT.DLL") != -1 in the condition edit box. Note that this box must contain an IDC expression; an IDAPython expression cannot be used here. In the expression, Dword(esp+4) is the value of the first argument (at function entry the return address sits at esp, so the first stack argument is at esp+4), which in this case is the pointer to the file path; GetString(Dword(esp+4), -1, 0) reads that path as a string; and strstr searches the path for SAEXT.DLL, returning -1 when it is absent. The breakpoint therefore fires only when the path contains SAEXT.DLL.
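The breakpoint condition modelled in plain Python, as an added example that is not part of the original article: it builds a constructed 32-bit stack image as it looks at the LoadLibraryA entry breakpoint (return address at esp, path pointer at esp+4) and evaluates the same Dword / GetString / strstr logic, so the reason for esp+4 can be checked outside IDA. The addresses are constructed, and Dword, GetString and strstr here are stand-ins for the IDC functions, not IDA's own implementation.

```python
import struct

# Constructed 32-bit layout: where the path string lives and where esp points
# at the moment the LoadLibraryA entry breakpoint is hit.
STR_ADDR = 0x00403000
ESP = 0x0019FF20
RET_ADDR = 0x00401016   # constructed return address pushed by the CALL

def build_memory(path_bytes, str_addr=STR_ADDR, esp=ESP):
    """Return an {address: byte} map holding a NUL-terminated path and the
    stack frame [esp] = return address, [esp+4] = first argument (the path)."""
    mem = {}
    for i, b in enumerate(path_bytes + b"\x00"):
        mem[str_addr + i] = b
    for i, b in enumerate(struct.pack("<II", RET_ADDR, str_addr)):
        mem[esp + i] = b
    return mem

def Dword(mem, addr):
    """Read a little-endian 32-bit value, like IDC's Dword(addr)."""
    return struct.unpack("<I", bytes(mem[addr + i] for i in range(4)))[0]

def GetString(mem, addr, maxlen=-1):
    """Read a NUL-terminated C string, like IDC's GetString(addr, -1, 0)."""
    out = bytearray()
    while maxlen < 0 or len(out) < maxlen:
        b = mem.get(addr + len(out), 0)
        if b == 0:
            break
        out.append(b)
    return out.decode("latin-1")

def strstr(haystack, needle):
    """IDC strstr: index of needle in haystack, or -1 when absent."""
    return haystack.find(needle)

def should_break(mem, esp, needle="SAEXT.DLL"):
    """The page's condition: strstr(GetString(Dword(esp+4), -1, 0), needle) != -1."""
    return strstr(GetString(mem, Dword(mem, esp + 4)), needle) != -1

if __name__ == "__main__":
    for path in (b"E:\\Office10\\SAEXT.DLL",
                 b"E:\\document\\My Knowledge\\Update_x86\\WizTools.dll"):
        print(path.decode("latin-1"), "->", should_break(build_memory(path), ESP))
```

Note that strstr is case-sensitive, so a path spelled saext.dll in lower case would not trigger the breakpoint.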
2. Problem analysis
① In the breakpoint procedure above, the first step is to determine which DLL exports the API function, but it is hard for an analyst to remember the mapping between API functions and DLLs.
② The procedure cannot be combined with automated scripts; the whole process requires manual intervention.
II. IDAPython script for Windows API conditional breakpoints
1. Ideas
Store the full mapping between Windows API functions and their DLLs in a file. When the user requests a breakpoint, the script looks up the DLL file name for the API function, combines the file name with the function name to locate the function address, and then sets the breakpoint and its condition.
2. Script code
It consists of two files: the IDAPython script break_api.py, and the data file win_api.dat (available as an attachment to the original article) that stores the mapping between API functions and DLLs. Both files are placed in [IDA installation directory]\python\script. The break_api.py script is as follows (the original listing was flattened onto one line, and its lookup lines were garbled, so the data-file format used in GetApiModule is an assumption stated in the comments):
# break_api.py (IDAPython, classic idc API: GetIdaDirectory, Message, LocByName, AddBpt, SetBptCnd)
from idc import *

def GetApiModule(api_name):
    # Look up the DLL that exports api_name in win_api.dat.
    # The lookup lines of the original listing were garbled; the file is assumed
    # here to hold one "ApiName DllName.dll" pair per line, e.g. "LoadLibraryA kernel32.dll".
    try:
        path = GetIdaDirectory() + '\\python\\script\\win_api.dat'
        f = open(path, 'r')
        strall = f.read()
        f.close()
    except IOError:
        Message('Can\'t open win_api.dat.')
        return 'none'
    for line in strall.splitlines():
        fields = line.split()
        # exact match on the name, so that "LoadLibrary" does not match "LoadLibraryA"
        if len(fields) >= 2 and fields[0] == api_name:
            return fields[1]
    Message('Can\'t find the api.')
    return 'none'

def BptAPI(api_name):
    dll_name = GetApiModule(api_name)
    if dll_name == 'none':
        Message('API err.')
        return
    # IDA names a loaded module's exports "<module>_<function>", e.g. kernel32_LoadLibraryA;
    # strip the ".dll" extension to build that name
    name = dll_name[0:len(dll_name) - 4] + '_' + api_name
    ea = LocByName(name)
    if ea == BADADDR:
        Message('Cannot find ' + name + '; is the process running and the module loaded?')
        return
    AddBpt(ea)
    # The condition is an IDC expression (not Python): pause only when the first
    # stack argument, the path passed to the API, contains SAEXT.DLL
    SetBptCnd(ea, 'strstr(GetString(Dword(esp+4), -1, 0), "SAEXT.DLL") != -1')
The code is straightforward, so no further explanation is given.
3. How to use the script
① After opening the EXE file in IDA, set the debugger to pause at the entry point. Path: click Debugger → Debugger setup and select Suspend on process entry point.
② Press F9 to run the EXE.
③ Press Alt+F7 and import break_api.py.
④ In the Output window, select Python as the script language and call BptAPI('LoadLibraryA') to set a conditional breakpoint on LoadLibraryA. The condition is the same as in the interface procedure above; for other requirements, modify the conditional expression in the script.
III. Summary
This article briefly describes how to use an IDAPython script to set conditional breakpoints on Windows API functions. Readers can adapt it to their own needs to automate complex analysis workflows. I hope it is helpful.