Funcap: Rapid Reversing With Ida Pro Debugger Andrzej Dereszowski

Funcap is an IDAPython script that combines runtime information observed with IDA's debugger and static analysis: it adds comments to the disassembly based on the traced execution, capturing function arguments and return values and building a runtime call graph, so that functions gain context without additional reversing work. It supports x86 and ARM, Windows and Linux, includes a code discovery mode for packed binaries, and can resolve indirect calls.


FunCap

RAPID REVERSING WITH IDA PRO DEBUGGER


ANDRZEJ DERESZOWSKI
Who am I?
Security consultant with a focus on incident handling, forensics and malware analysis
Not a dedicated reverser; RE is just part of my job
=> I avoid RE as much as possible, as it is just too time-consuming
Tools we use
IDA Pro for static analysis
OllyDbg for debugging
(other tools used by real reversing gurus, like PIN, metasm etc., are out of scope here)
Problem
=> Olly gives a lot of good info during debugging, but this won't be visible in IDA
=> Unpacked code needs rebuilding to load in IDA, which is not always easy
IN SHORT: no automatic connection between the two tools
Idea
Why not connect both worlds and provide an automated solution?
First I wanted to use the IDA Pro tracer, but realized it is too slow and generates data that is not easily readable, with too much noise.
The inspiration:
PaiMei Stalker by Pedram Amini - old and not developed any more, with only win32 userland support (uses PyDbg)
Places breakpoints at each function start based on the IDB imported from IDA
Exports a script to load comments from the debugger into IDA's listing
Let's implement a solution using the IDA debugger!


Introducing FunCap
IDAPython script/plugin
Aims to capture runtime info and feed it into the static listing
IN SHORT: you run some code in the sandbox VM and it adds useful comments to your IDA listing based on the recorded code execution
RESULT: you understand some functions without even looking at them. SAVES TIME!
Funcap: how it works
Places breakpoints on function call instructions (alternatively, breakpoints can be placed on function start and end)
Runs the IDA debugger
When a breakpoint is hit, it captures the arguments and the function address, and tries to dereference them and guess their type (currently only string, int and pointers)
Places a breakpoint directly after the call instruction
When the call returns, the arguments are dereferenced again to see how the memory was changed
This information is dumped to a text file and inserted into the IDA listing
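The capture step above, as an added illustration that is not FunCap's own code: a call has been hit, the stack arguments are read, and each one is recursively dereferenced against a constructed 32-bit memory image (standing in for what the IDA debugger would read) to guess string, int or pointer and produce the annotation text. The type heuristics and the `arg_XX` naming are assumptions.

```python
import struct

# Constructed 32-bit little-endian memory image: {base_address: bytes}.
# Stands in for what the IDA debugger would read from the debuggee.
MEMORY = {
    0x00403000: b"C:\\Windows\\temp.dat\x00\x00",              # ASCII string
    0x00405000: struct.pack("<I", 0x00403000) + b"\x00" * 4,   # pointer to the string
}

def read(addr, size):
    """Return `size` bytes at `addr`, or None if the range is not mapped."""
    for base, data in MEMORY.items():
        if base <= addr < base + len(data):
            off = addr - base
            return data[off:off + size] if off + size <= len(data) else None
    return None

def read_cstring(addr, maxlen=64):
    """Read a NUL-terminated printable ASCII string; None if it does not look like one."""
    out = bytearray()
    for i in range(maxlen):
        b = read(addr + i, 1)
        if b is None:
            return None
        if b == b"\x00":
            break
        if not 0x20 <= b[0] < 0x7f:
            return None
        out += b
    return out.decode("ascii") if len(out) >= 3 else None

def deref(value, depth=0, max_depth=3):
    """Recursively dereference `value` (the PEDA-style idea FunCap borrows) and
    return the annotation text: unmapped -> int, printable -> string, else pointer."""
    if depth >= max_depth or read(value, 1) is None:
        return "0x%x" % value
    s = read_cstring(value)
    if s is not None:
        return '0x%x -> "%s"' % (value, s)
    raw = read(value, 4)
    if raw is None:
        return "0x%x" % value
    nxt = struct.unpack("<I", raw)[0]
    return "0x%x -> %s" % (value, deref(nxt, depth + 1, max_depth))

def annotate_call(stack_args):
    """Comment lines for one captured call: one entry per 32-bit stack argument."""
    return ["arg_%02X: %s" % (4 * i, deref(a)) for i, a in enumerate(stack_args)]
```

Running the same dereference again after the call returns (on the same addresses) is what shows how the callee changed the memory behind each argument.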
Funcap features (1)
Supports ia-32, ia-64 and ARM; more can easily be added
Supports Win32, Win64, Linux32, Linux64, Android. No MacOS or iOS yet.
Supports almost any IDA debugger connector, even the PIN tracer connector
Funcap features (2)
Builds a runtime call graph
code_discovery mode to automatically deal with packers:

Python> code_discovery = True

0x9c299a: new code section detected: [0x9c1000, 0x9c3000]
hooking function: sub_9C299A()
Function call: sub_1000156E+147 to sub_9C299A (0x9c299a)
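The runtime call graph and the code_discovery bookkeeping together, as an added example that is not FunCap's code: trace lines in the format of the sample output above are parsed into caller -> callee edges, and a call whose target lies outside every known section is recorded as newly discovered code. The section table and trace lines are constructed, and the one-page region size is an assumption (the slide shows funcap reporting the real region bounds from the debugger).

```python
import re
from collections import defaultdict

# Line format follows the sample funcap output shown on the slide.
CALL_RE = re.compile(r"Function call: (\S+) to (\S+) \((0x[0-9a-fA-F]+)\)")
PAGE = 0x1000

# Constructed section table of the IDB (start, end) and a constructed trace.
KNOWN_SECTIONS = [(0x10001000, 0x10005000)]
TRACE = """\
Function call: sub_1000156E+147 to sub_10002A10 (0x10002a10)
Function call: sub_10002A10+3c to sub_10002B00 (0x10002b00)
Function call: sub_1000156E+15d to sub_9C299A (0x9c299a)
Function call: sub_9C299A+12 to sub_9C2A40 (0x9c2a40)
"""

def in_known(addr, sections):
    return any(start <= addr < end for start, end in sections)

def build_graph(trace, known_sections):
    """Return (edges, discovered).
    edges: caller function name -> set of callee names (the runtime call graph).
    discovered: page ranges added because a call landed outside every known
    section (assumption: one page per hit; funcap asks the debugger for the
    real region bounds, hence the wider [0x9c1000, 0x9c3000] on the slide)."""
    edges = defaultdict(set)
    sections = list(known_sections)
    discovered = []
    for line in trace.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        caller = m.group(1).split("+")[0]   # strip the +offset of the call site
        callee, addr = m.group(2), int(m.group(3), 16)
        edges[caller].add(callee)
        if not in_known(addr, sections):
            page = (addr & ~(PAGE - 1), (addr & ~(PAGE - 1)) + PAGE)
            sections.append(page)
            discovered.append(page)
    return dict(edges), discovered

def callers_of(edges, name):
    """Who reached `name` at runtime: the question the call graph answers for a sample."""
    return sorted(c for c, callees in edges.items() if name in callees)
```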
Funcap features (3)
Resolves indirect calls
API calls can be captured as well
Full context is dumped to the file; a subset of the context is pasted into IDA's listing annotations
Hexdump or ASCII capture format:
Python> hexdump = True
Funcap features (4)
Recursive argument dereferencing - idea taken from PEDA for GDB
Capture scope easily configurable (which registers etc.)
Recursive function hooking mode for large binaries:
Python> d.recursive = True
Easy command line interface in Python
Functions that were executed are marked with a different color
Funcap DEMO
1. Taidoor - basic example
2. ZEUS/Citadel - usage of the call graph
3. Unknown APT - code_discovery mode
4. Snake/Uroburos - Funcap in kernel mode (just results)
5. Android - Funcap for ARM/Thumb (just results)
Funcap limitations
No thread following (recursive mode)
Code injected into another process is not going to be followed
Call graph a bit unfriendly to the user
Only basic types are dereferenced (no structures)
Argument count determination not very accurate on ia64 and ARM
Funcap future directions
Thread following - breakpoint on thread creation?
Remote process code injection following - Cuckoo plugin? Switching to a kernel mode debugger?
Better graph solution - visualize outside IDA (Gephi perhaps?)
Better argcount determination and complex types support - using the decompiler plugin?
Automation and database storage

Questions?

[email protected]
http://github.com/deresz/funcap
