Thursday, October 25, 2012

IDAscope a great SwissKnife for reversers

Hi Folks,
today I'd like to introduce a great tool made by Daniel Plohmann and Alexander Hanel from University of Bonn and Fraunhofer FKIE called IDAscope. IDAscope is an IDAPro extension for easier (malware) reverse engineering: it offers three main functionalities:
From Hacklu slides (click to make it bigger).







  1. Function Inspection. This function implements the ability to tag specific series of called API. The tracked API could be selected and modified into a specific config file (config.json). IDAscope will alert you when specific API patterns will occur. The function inspection functionality enables another super feature called: basic bloc coloring. Having colored blocks in IDAPro is really useful to quick understand what is the purpose of the analyzed pieace of code. What it's common to do, right now, is to collapse blocks by giving high level names. IDAscope offers the possibility to automatically coloring blocks making you way more efficient in recognize useless blocks. Code to Function convertion and automatic rename of wrapper functions are additional usefull functionalities as well.
  2. WinAPI Browsing. Obviously for windows reversers is incredibly useful having Windows API reference manual. Here, by using IDAscope the API reference is next to your eyes for quick and smart lookup. The following image shows both: Blocks Coloring and WinAPI browsing.
  3. From Haclu slides (click to make it bigger).
  4. Crypto Identification. Maybe the most useufl functionality to all the reversers that are used to struggle with multiple tools to figure out what encryption algorithm has been used on the code. IDAscope detects the used algorithm basing its analysis on the ratio of arithmetic / logic instructions to all instructions in a basic block. More details on how it works here (by Juan Caballero). 
For sure a great tool helping out reverse engineers and a great example to everybody who is going to finish his/her PhD on how to "pack" all (or most of) the reseaches done in the past years.

A personal suggestion to push the project to the next step.
What about improving the tagging function to reach out the "behavior analisys" ? You already have implemented some of the basic functions to be able to understand the behavior of the analyzed binary; for instance you already have implemented the lookup function and the tagging function.  What about shipping out the extension within configuration files representing some of the most used malicious behaviors ? There are tons of researches on this field that can be easily implemented in your estension with relatively few effort.

4 comments:

Alexander Hanel said...

Thank you for the kind words. A comment on "A personal suggestion to push the project to the next step.", Dan and I discussed this months ago and is currently in the works. Just a note, Dan is the PHD student. I happen to be just another random malware analyst.

Marco Ramilli said...

Alexander, thank you for your comment. I am happy that you are already looking for behaviour analysis. I actually plan to use IDAscope quite regurarly, so I don't mind to invest some time there. Having said that if you need another "working man" just drop me an email at mramilli a gmail d com, otherwise looking forward to see next version ;)

Anonymous said...

Just a small correction here: Bonn is the right spelling and not Bohn...

Greetings and thanks for the nice article.

J.

Marco Ramilli said...

Thanks J. ! Just cprrected !