Creating IDT/IDS files for IDA from MS libraries with symbols

April 22, 2016 in Malware Analysis, Reversing, Software Releases

In the reversing world it is a regular experience to come across samples that link to OS APIs imported from well-known libraries. On occasion, however, we come across files that import in a slightly different way – not by name but by ordinal. A good example is samples linking to MFC libraries.

When loaded into IDA, such samples contain lots of autogenerated function names, e.g. mfc_1234. This is pretty annoying. Of course (and luckily) there exist plenty of descriptions and solutions for it – we need an IDT or an IDS file. An IDT (or its compressed version, IDS) file is a ‘translator’ between ordinal numbers and actual API names. Many of these ship with a default IDA installation, but not all… One can generate them by hand, using existing scripts, and in case MS symbols exist for a given library, one can try to generate them automagically using the simple script I am attaching to this post.

This is the recipe:

  • Ensure your IDA is set up to use symbols from Microsoft
  • Open the MS library you analyze
  • Load its symbols from the MS web site (you are either asked, or they are loaded automatically – depends on your config)
  • When the database is fully loaded and autoanalysis is completed, launch the following script:
import idaapi
import idc
import os

# Derive the IDT path from the database path: foo.idb / foo.i64 -> foo.idt
idb = idc.GetIdbPath()
print "Original IDB: %s" % idb
idt = os.path.splitext(idb)[0] + '.idt'

# The first IDT line names the library the ordinals belong to
dll = idc.GetInputFile()

print "Saving to %s" % idt

f = open(idt, 'wb')
f.write("0 Name=%s\n" % (dll))
# Walk the export table (entry points). Note that entries and functions are
# indexed independently, so getn_func(i) does not correspond to entry i.
for i in xrange(idaapi.get_entry_qty()):
    eo = idc.GetEntryOrdinal(i)        # export ordinal of the i-th entry
    a = idc.GetEntryPoint(eo)          # address that ordinal resolves to
    if a == idc.BADADDR:
        continue
    if eo == a:
        # IDA reports exports that have no real ordinal with ordinal == address;
        # those do not belong in an ordinal-to-name table
        continue
    nm = idc.GetFunctionName(a)        # name IDA assigned from the loaded PDB
    #cm = idc.GetFunctionCmt(a,0)
    #print "%x: %0d, %s, %s" %  (a,eo,nm,cm)
    if nm != '':
        f.write("%d Name=%s\n" % (eo, nm))
f.close()
print "done!"
  • Now you should have the IDT file autogenerated in the same directory where the library is, e.g.
    • mfcXYZ.idb
    • mfcXYZ.idt  — this is the IDT file
  • You can now
    • Open a sample linking to the MS library via ordinals
    • Load the newly created IDT file
    • All mfc_1234 function names should be automatically converted to respective function/method names
  • You can also use zipids.exe to convert IDT file to IDS, but it’s not necessary
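As an added example (not part of the original post, and independent of IDA), the following Python 3 script parses the IDT text that the script above writes and applies it to IDA-style placeholder names such as mfc_1234, which is what IDA does internally when you load the IDT. The IDT content and the mangled MFC names are constructed for illustration.

```python
import re

# Constructed IDT content in the format written by the IDA script:
# line "0 Name=<library>" first, then one "<ordinal> Name=<symbol>" per export.
# Lines starting with ';' are comments.
SAMPLE_IDT = """; constructed sample, not a real export table
0 Name=mfc42.dll
1234 Name=?AfxGetApp@@YGPAVCWinApp@@XZ
1235 Name=?OnCreate@CWnd@@IAEHPAUtagCREATESTRUCTA@@@Z
"""

LINE_RE = re.compile(r'^(\d+)\s+Name=(\S.*)$')


def parse_idt(text):
    """Return (library_name, {ordinal: symbol}) from IDT text.

    Raises ValueError on malformed lines, duplicate ordinals, or a missing
    '0 Name=<library>' header, so a broken IDT is caught before it is loaded."""
    lib = None
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed IDT line %d: %r" % (lineno, raw))
        ordinal, name = int(m.group(1)), m.group(2).strip()
        if ordinal == 0:
            lib = name
        elif ordinal in table:
            raise ValueError("duplicate ordinal %d on line %d" % (ordinal, lineno))
        else:
            table[ordinal] = name
    if lib is None:
        raise ValueError("IDT lacks the '0 Name=<library>' header line")
    return lib, table


def resolve_ordinal_imports(names, table, prefix="mfc"):
    """Map autogenerated ordinal names (e.g. mfc_1234) to the symbols in table.

    Names that do not match <prefix>_<ordinal>, or whose ordinal is not in the
    table, are returned unchanged so nothing is renamed on a guess."""
    pat = re.compile(r'^%s_(\d+)$' % re.escape(prefix))
    resolved = {}
    for n in names:
        m = pat.match(n)
        resolved[n] = table.get(int(m.group(1)), n) if m else n
    return resolved
```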

DeXRAY – Twentin Quarantino

April 6, 2016 in Batch Analysis, DeXRAY, File Formats ZOO, Forensic Analysis, Incident Response, Malware Analysis, Reversing, Software Releases

DeXRAY now supports over twenty Quarantine filetypes. I set a goal to look at one AV per day, unless I am busy with other stuff. So far, the results are kinda predictable: the most difficult to access with a debugger / crack / analyze are Chinese, Russian, and… Microsoft. The rest of the files took between 2 minutes and 2h of work max. It’s a great reversing experience as it’s heavily time-sensitive research (I want to crack it in one session), and at the same time I am learning about many pointers which I can use for further research and study. The guys @ProjectZero are unfortunately right. The moment you start looking at AV internals you discover lots of juicy stuff. Ouch. I strongly believe the AV is _needed_ in the current ‘open ecosystem’ setup existing in most companies, but it’s time AV vendors really review their code.

Anyway…

I have added support for Baidu .qv, CMC Antivirus *.cmc, and F-Prot .tmp Quarantine files. Confirmed Lavasoft AdAware uses BitDefender’s Quarantine files (.bdq), and confirmed Comodo stores Quarantine files w/o encryption 🙂

The full list of supported or recognized file formats:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0=’-chest- ‘)
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; Quarantined files are not encrypted 🙂)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0=’KSS’)
  • Kaspersky (KLQ)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • MalwareBytes Data files (DATA)
  • MalwareBytes Quarantine files (QUAR)
  • McAfee Quarantine files (BUP)
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – not handled yet; only recognized
  • Panda <GUID> Zip files
  • SUPERAntiSpyware (SDB)
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN)
  • Symantec Quarantine Index files (QBI)
  • TrendMicro (Magic@0=A9 AC BD A7 which is ‘VSBX’ string ^ 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Any binary file (using X-RAY scanning)

The script can be downloaded here.