Figure 12-1 shows the initial analysis window displayed by IDA once a file has been
opened. Note that IDA has already recognized this particular file as a PE format
executable for Microsoft Windows and has chosen x86 as the processor type. When a file
is loaded into IDA, a significant amount of initial analysis takes place. IDA analyzes the
instruction sequence, assigning location names to all program addresses referred to by
jump or call instructions, and assigning data names to all program locations referred to
in data references. If symbol table information is present in the binary, IDA will utilize
names derived from the symbol table rather than automatically generated names.
IDA assigns global function names to all locations referenced by call instructions and
attempts to locate the end of each function by searching for corresponding return
instructions. A particularly impressive feature of IDA is its ability to track program stack
usage within each recognized function. In doing so, IDA builds an accurate picture of
the stack frame structure used by each function, including the precise layout of local
variables and function parameters.

Figure 12-1 The IDA Pro file loading dialog

Gray Hat Hacking: The Ethical Hacker's Handbook
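The following added example (not from the book and not IDA's own code) mimics the passes described above with a simplified linear sweep over a handful of x86 opcodes: it names call targets `sub_…` and jump targets `loc_…` in the style of IDA's generated names, ends each function at its first `ret`, and reads the local-variable size from `sub esp, imm8`. The byte string, load address, opcode subset and the `start` name for the entry point are assumptions constructed for illustration.

```python
import struct

BASE = 0x401000  # constructed load address (assumption)
# Constructed x86 bytes: an entry function that calls one helper function.
CODE = bytes.fromhex(
    "55 89E5 E808000000 85C0 7401 90 5D C3 90"  # entry at 0x401000
    "55 89E5 83EC10 31C0 C9 C3"                 # helper at 0x401010
)
# Instruction lengths for the few opcodes used above (register operands only).
LENGTHS = {0x55: 1, 0x5D: 1, 0x90: 1, 0xC3: 1, 0xC9: 1, 0x89: 2, 0x85: 2,
           0x31: 2, 0xEB: 2, 0x83: 3, 0xE8: 5, 0xE9: 5}
LENGTHS.update({op: 2 for op in range(0x70, 0x80)})  # jcc rel8

def analyze(code, base, entry):
    """Name call/jump targets, then find each function's end and local size."""
    names, insns, off = {entry: "start"}, [], 0
    while off < len(code):
        op = code[off]
        size = LENGTHS[op]  # KeyError on anything outside the subset
        nxt = base + off + size
        if op in (0xE8, 0xE9):  # call/jmp rel32
            target = nxt + struct.unpack_from("<i", code, off + 1)[0]
        elif op == 0xEB or 0x70 <= op <= 0x7F:  # jmp/jcc rel8
            target = nxt + struct.unpack_from("<b", code, off + 1)[0]
        else:
            target = None
        if op == 0xE8 and target != entry:
            names[target] = f"sub_{target:X}"  # call target: function name
        elif target is not None:
            names.setdefault(target, f"loc_{target:X}")  # jump target: location
        insns.append((base + off, code[off:off + size]))
        off += size
    funcs = {}
    for start in sorted(a for a, n in names.items() if not n.startswith("loc_")):
        local_bytes = 0
        for addr, raw in insns:
            if addr < start:
                continue
            if raw[:2] == b"\x83\xec":  # sub esp, imm8 reserves locals
                local_bytes = raw[2]
            if raw == b"\xc3":  # first ret marks the function end
                funcs[names[start]] = (start, addr, local_bytes)
                break
    return names, funcs

if __name__ == "__main__":
    for name, (start, end, local_bytes) in analyze(CODE, BASE, BASE)[1].items():
        print(f"{name}: {start:#x}-{end:#x}, {local_bytes} bytes of locals")
```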