How can IDAPython make your life easier as a reverse engineer?
Continuing our theme of using IDAPython to make your life as a reverse engineer easier, I’m going to tackle a very common issue: shellcode and malware that uses a hashing algorithm to obfuscate loaded functions and libraries. This technique is widely used and analysts come across it often.
How to create a new enumeration in IDAPython?
In order to create a new enumeration in IDA, we make use of the AddEnum() function. To make the script more versatile, we first check whether the enumeration already exists, using the GetEnum() function. This enumeration will be modified later on.
What can you do with IDAPython part 5?
In Part 5 of our IDAPython blog series, we used IDAPython to extract embedded executables from malicious samples. For this sixth installment, I’d like to discuss using IDA in a very automated way.
What does the -c switch in IDAPython do?
In these examples, the ‘-c’ switch generates a new IDB file, even if one already exists. Additionally, the ‘-S’ switch specifies the IDAPython script that will be run upon execution. We’ll be using these switches later on in the post.
Is it possible to use IDAPython with Python?
Of course, users also get the added benefit of using Python, which gives them access to the wealth of capabilities that the scripting language provides. Unfortunately, there’s surprisingly little information in the way of tutorials when it comes to IDAPython.
Which is more powerful, IDA Pro or IDAPython?
It should come as no surprise, seeing as IDA Pro is the industry standard (although alternatives such as radare2 and Hopper are gaining traction). One of the more powerful features of IDA that I implore all reverse engineers to make use of is the Python addition, aptly named ‘IDAPython’, which exposes a large number of IDA API calls.
How is the LoadLibraryA function used in IDAPython?
The code will initially load the kernel32.dll library at runtime. Then, it uses this loaded image to identify and store the LoadLibraryA function, which is used to load additional libraries and functions. This particular technique employs a hashing algorithm, rather than plain strings, to identify each function.
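The hash-based function lookup described here, together with the enumeration created via GetEnum()/AddEnum() above, can be tied together in one script: precompute the hash of every export name from the library the sample loads, then record each hash as an enum member so the constants in the disassembly become readable. The following is an added example and not code from the Unit 42 posts. The hash routine is an assumption (a ROR-13 additive hash over the ASCII export name, common in shellcode; the page does not state which algorithm the sample uses, so substitute the one you recover), and the export list is constructed for the example rather than dumped from a real kernel32.dll.

```python
# Added example, not from the original blog series.
# ASSUMPTION: the shellcode hashes export names with a ROR-13 additive hash.
# Replace hash_name() with the routine recovered from the sample under analysis.

ROR_BITS = 13
MASK32 = 0xFFFFFFFF


def ror32(value, bits):
    """Rotate a 32-bit value right by `bits` bits."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def hash_name(name):
    """Hash an export name the way the (assumed) shellcode does."""
    h = 0
    for ch in name.encode("ascii"):
        h = (ror32(h, ROR_BITS) + ch) & MASK32
    return h


# Constructed stand-in for the kernel32.dll export table; in practice dump
# the real export names from the DLL the sample loads at runtime.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "ExitProcess"],
}


def build_hash_table(exports):
    """Map hash -> 'dll!ExportName' for every export, refusing silent collisions."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            h = hash_name(name)
            label = f"{dll}!{name}"
            if h in table and table[h] != label:
                raise ValueError(f"hash collision: {table[h]} vs {label}")
            table[h] = label
    return table


def resolve(table, value):
    """Return the export a hash constant refers to, or None if it is unknown.

    Masking handles operand values IDA may hand back as signed integers.
    """
    return table.get(value & MASK32)


def populate_enum(table, enum_name="api_hashes"):
    """Create (or reuse) an IDA enumeration holding the resolved hash constants.

    Uses the GetEnum()/AddEnum()/AddEnumMember() calls the page names; IDA 7.x
    and later spell them get_enum/add_enum/add_enum_member. Outside IDA the idc
    module does not exist, so the function falls back to a plain dict with the
    same contents, which keeps the example runnable offline.
    """
    try:
        import idc
    except ImportError:
        idc = None
    if idc is None:
        return {label: h for h, label in table.items()}
    enum_id = idc.GetEnum(enum_name)
    if enum_id == idc.BADADDR:  # only create the enum if it is not already there
        enum_id = idc.AddEnum(-1, enum_name, idc.FF_0NUMH)
    for h, label in table.items():
        member = label.replace("!", "_").replace(".", "_")  # valid identifier
        idc.AddEnumMember(enum_id, member, h, -1)  # -1: not a bitfield
    return enum_id


if __name__ == "__main__":
    hashes = build_hash_table(SAMPLE_EXPORTS)
    for h, label in sorted(hashes.items()):
        print(f"0x{h:08X}  {label}")
    populate_enum(hashes)
```

Run inside IDA as a script, the enum members replace the raw hash immediates in the resolver loop; run from a normal Python interpreter, it only prints the table, which is also a quick way to confirm that the assumed hash routine reproduces the constants seen in the sample before committing to it.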