Traditionally, this has required running the code under the control of a debugger until
the de-obfuscation has been completed, then capturing a memory dump of the process,
and finally, disassembling the captured memory dump. Unfortunately, many obfuscation
techniques have been developed that attempt to thwart the use of debuggers and
virtual machine environments. The x86emu plug-in embeds an x86 emulator within
IDA and offers users the opportunity to step through disassembled code as if it were
loaded into memory and running. The emulator treats the IDA database as its virtual
memory and provides an emulation stack, heap, and register set. If the code being emulated
is self-modifying, then the emulator reflects the modifications in the loaded database.
In this way, emulation becomes the tool both to de-obfuscate the code and to
update the IDA database to reflect all self-modifications, without ever running the malicious
code in question. x86emu will be discussed further in Chapter 21.
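To make concrete what "treating the database as virtual memory" means, the following is a deliberately tiny emulator, added here as an illustration and not taken from the x86emu plug-in or from the book. It decodes only the handful of x86 opcodes used by a constructed XOR-decoder stub (push/pop esi, mov reg/imm, xor byte [esi],al, inc esi, loop, jmp rel8, ret), keeps the loaded image in a bytearray standing in for the IDA database, provides an emulation stack and a register set, and records every byte the stub rewrites so that the "database" ends up holding the decoded payload without the payload ever executing natively. The load address, the key, the stub bytes and the payload are all constructed for the example.

```python
"""Toy x86 emulator: de-obfuscate a self-modifying stub without executing it natively.
Example code written for this page; not part of x86emu or IDA. Everything below is constructed."""

STACK_TOP = 0x7FFF0000          # emulation stack (assumed layout, not a real process stack)
STACK_SIZE = 0x1000


class TinyX86Emu:
    def __init__(self, image: bytes, base: int):
        self.base = base
        self.image = bytearray(image)          # stands in for the IDA database
        self.stack = bytearray(STACK_SIZE)     # emulation stack
        self.regs = {"eax": 0, "ecx": 0, "esi": 0, "esp": STACK_TOP}
        self.eip = base
        self.patches = []                      # (ea, old_bytes, new_bytes) for every self-modification

    def _buf(self, ea: int, n: int):
        """Map an address range to (buffer, offset); anything unmapped is an error, not a crash."""
        if self.base <= ea and ea + n <= self.base + len(self.image):
            return self.image, ea - self.base
        lo = STACK_TOP - STACK_SIZE
        if lo <= ea and ea + n <= STACK_TOP:
            return self.stack, ea - lo
        raise MemoryError(f"unmapped access at {ea:#x}")

    def read(self, ea: int, n: int) -> bytes:
        buf, off = self._buf(ea, n)
        return bytes(buf[off:off + n])

    def write(self, ea: int, data: bytes) -> None:
        buf, off = self._buf(ea, len(data))
        old = bytes(buf[off:off + len(data)])
        buf[off:off + len(data)] = data
        if buf is self.image and old != data:  # a write into the "database": remember it
            self.patches.append((ea, old, bytes(data)))

    def _imm(self, n: int, signed: bool = False) -> int:
        v = int.from_bytes(self.read(self.eip, n), "little", signed=signed)
        self.eip += n
        return v

    def step(self) -> bool:
        """Execute one instruction; return False once the code returns past the initial frame."""
        op = self._imm(1)
        r = self.regs
        if op == 0x56:                                   # push esi
            r["esp"] -= 4
            self.write(r["esp"], r["esi"].to_bytes(4, "little"))
        elif op == 0x5E:                                 # pop esi
            r["esi"] = int.from_bytes(self.read(r["esp"], 4), "little")
            r["esp"] += 4
        elif op == 0xB8:                                 # mov eax, imm32
            r["eax"] = self._imm(4)
        elif op == 0xB9:                                 # mov ecx, imm32
            r["ecx"] = self._imm(4)
        elif op == 0xBE:                                 # mov esi, imm32
            r["esi"] = self._imm(4)
        elif op == 0xB0:                                 # mov al, imm8
            r["eax"] = (r["eax"] & 0xFFFFFF00) | self._imm(1)
        elif op == 0x30 and self.read(self.eip, 1) == b"\x06":   # xor byte [esi], al
            self.eip += 1
            ea = r["esi"]
            self.write(ea, bytes([self.read(ea, 1)[0] ^ (r["eax"] & 0xFF)]))
        elif op == 0x46:                                 # inc esi
            r["esi"] = (r["esi"] + 1) & 0xFFFFFFFF
        elif op == 0xE2:                                 # loop rel8: ecx -= 1, jump if ecx != 0
            rel = self._imm(1, signed=True)
            r["ecx"] = (r["ecx"] - 1) & 0xFFFFFFFF
            if r["ecx"]:
                self.eip = (self.eip + rel) & 0xFFFFFFFF
        elif op == 0xEB:                                 # jmp rel8
            rel = self._imm(1, signed=True)
            self.eip = (self.eip + rel) & 0xFFFFFFFF
        elif op == 0xC3:                                 # ret
            if r["esp"] >= STACK_TOP:
                return False                             # nothing to return to: stop emulating
            self.eip = int.from_bytes(self.read(r["esp"], 4), "little")
            r["esp"] += 4
        else:
            raise NotImplementedError(f"opcode {op:#04x} at {self.eip - 1:#x}")
        return True

    def run(self, max_steps: int = 10_000) -> None:
        for _ in range(max_steps):      # bounded: an obfuscator's loop must not hang the analyst
            if not self.step():
                return
        raise RuntimeError("step limit hit (runaway loop?)")


# Constructed sample: a decoder stub followed by a 6-byte XOR-encoded payload (mov eax,0xDEADBEEF; ret).
BASE = 0x401000
KEY = 0x5A
DECODED = bytes.fromhex("B8EFBEADDEC3")
STUB = bytes.fromhex(
    "56"            # 401000 push esi
    "BE16104000"    # 401001 mov esi, 0x401016   (start of the encoded payload)
    "B906000000"    # 401006 mov ecx, 6          (payload length)
    "B05A"          # 40100B mov al, 0x5A        (xor key)
    "3006"          # 40100D xor byte [esi], al
    "46"            # 40100F inc esi
    "E2FB"          # 401010 loop 0x40100D
    "5E"            # 401012 pop esi
    "EB01"          # 401013 jmp 0x401016        (into the now-decoded payload)
    "CC"            # 401015 int3 padding, never reached
)
IMAGE = STUB + bytes(b ^ KEY for b in DECODED)
PAYLOAD_EA = BASE + len(STUB)           # 0x401016


def deobfuscate(image: bytes = IMAGE, base: int = BASE) -> TinyX86Emu:
    """Emulate the stub to completion and return the emulator with its patched 'database'."""
    emu = TinyX86Emu(image, base)
    emu.run()
    return emu


if __name__ == "__main__":
    emu = deobfuscate()
    for ea, old, new in emu.patches:    # what x86emu would write back into the IDB
        print(f"{ea:#x}: {old.hex()} -> {new.hex()}")
    print(f"eax={emu.regs['eax']:#x}  decoded={emu.read(PAYLOAD_EA, len(DECODED)).hex()}")
```

The `patches` list is the interesting output: it is exactly the set of byte changes the plug-in has to apply to the database so the disassembler sees the decoded payload. Note that the emulator keeps running after the `jmp` and executes the decoded `mov eax, imm32; ret` from the patched image, which is the normal way to find the original entry point of a packed sample. A usable emulator also needs flags, the remaining instruction set, a heap, and stubs for imported APIs, which is what x86emu provides beyond this sketch.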
IDA Pro Loaders and Processor Modules
The IDA SDK can be used to create two additional types of extensions for use with IDA.
IDA processor modules provide disassembly capability for new or unsupported
processor families, while IDA loader modules provide support for new
or unsupported file formats.